The intelligence watchdog is concerned ASIO may be holding onto electronic data it should be destroying.
The Inspector-General of Intelligence and Security has concerns about the agency's power to hold on to data it collects as part of its investigations, suggesting it's not getting the balance between privacy and security right.
Appearing before a parliamentary inquiry into the government's proposed new data retention laws, Vivienne Thom said there were provisions that required ASIO to destroy non-relevant data within five years. But she's not sure whether ASIO is complying with the requirements.
"I'm not sure that they're choosing to retain it. I think they're not choosing to destroy it," she told the hearing in Canberra.
Dr Thom asked that the matter be investigated as part of a review into the Attorney-General's Guidelines for ASIO, launched last year as part of an overhaul of Australia's national security laws.
"The balance between security and privacy in my view requires that this information should not be retained indefinitely," she said.
"I think that the general public would expect that material that is found not to be relevant to security would be deleted after a period of time."
The government's new laws would give security agencies greater investigative powers and, most controversially, would require telecommunications companies to retain metadata for at least two years.
Telstra told the committee on Thursday that the metadata it would have to store under the proposed changes would be an attractive target for hackers, including foreign spy agencies.
Michael Burgess, Telstra's chief information security officer, says such a store would be a "pot of gold" for intruders who would otherwise have to work their way through Telstra's complex IT system to access the same data.
"I know that because if I was in a foreign intelligence service wanting to hack Telstra's network, this new proposed system would be where I would go," he said.
The Australian Securities and Investments Commission said the country's vast superannuation pool could be at greater risk if the financial watchdog's access to stored telecommunications data is curtailed.
Australian Securities and Investments Commission commissioner Greg Tanzer says ASIC regularly uses so-called metadata in investigations - including in more than 80 per cent of insider trading cases.
But under the government's metadata law ASIC isn't listed as an approved agency with the same access powers as police and ASIO.
The Australian Commission for Law Enforcement Integrity backed the measures, saying metadata was crucial to its investigations of corrupt cops.
"Telecommunications data is essential to finding corrupt conduct and can be crucial to a successful prosecution," Integrity Commissioner Michael Griffin said.