Data access orders are issued where a suspect is in possession of a phone or other device, and refuses to provide the police the PIN code to enable access to the data stored on the device.
A ‘data access order’ is an order that is issued by a Magistrate, after an application for the order is made to them by a police officer or public officer. The order will be sought where a police officer wants access to a ‘data storage device’ that the person the subject of the data access order is believed to be able to access. The orders are provided for under sections 57-61 of the Criminal Investigation Act 2006 (CIA), but there are also federal data access orders available.
A ‘data storage device’ is a thing that contains, or is designed to contain, data and it doesn’t matter:
- if the thing is a fixed or removable part of another thing; or
- if the data it contains can be used or retrieved by the thing itself or not; or
- if the thing is separate from, but the data it contains can be used or retrieved by, another thing.
Typical examples of ‘data storage devices’ are mobile phones and computer hard-drives, both internal and external such as USB hard-drives.
The order is typically an order that the person named in the order, provide information or assistance that is reasonable and necessary to allow the applicant (Ie the police officer who sought the order) to do any or all of the following:
- gain access to any data the device may contain;
- copy any such data to another data storage device; &
- reproduce any such data on paper.
While typically issued in the context of drug trafficking, or sexual offences, they have also been issued in other cases such as those involving a group of protesters charged with burglary.
Legal requirements for issue of a data access order
Application on oath
Before a data access order can be issued by a Magistrate, an application must be made in accordance with section 13 of the CIA. This is the same section relating to applying for search warrants and other orders. The police officer seeking the data access order must make an application in person before the Magistrate, unless the order is needed urgently. The application must be made in writing and on oath, unless the application is made by remote communication and it is impracticable to send the Magistrate written material.
An application can only be made with respect to data on a data storage device that is relevant to a ‘serious offence’. This is an offence with a maximum penalty of at least 5 years imprisonment. The application to the Magistrate must state how the data relates to the serious offence.
There are various other requirements set out in s 58(3) CIA which must be included in the application. The Magistrate must be satisfied that each of those requirements has been complied with. Further, the Magistrate must be satisfied:
- the applicant (Ie the police officer) has lawful possession of or lawful access to the target device; &
- that the target person (the person the subject of the order) has knowledge relevant to gaining access to any data the target device may contain.
When defending a charge of breaching a data access order, whether the target person in fact had any knowledge relevant to gaining access to the target device, can commonly be the reason for a ‘reasonable excuse’ defence to the charge. See further below.
The data access order, once made by the Magistrate, must be served personally on the person to whom it applies as soon as practicable after it is issued. Whether the order was served within the required period may be a potential defence to a charge of breaching a data access order, as failing to properly serve the order renders it invalid.
Compliance with a data access order
Consequences for breach
If you are served with a data access order, you must comply with it according to its contents. The order typically requires a person to provide the password or PIN code to a device such as a phone, within a time period stated in the order.
If you do not comply with the order, you may be charged with an offence of failing to comply with the order. This carries a maximum penalty of 5 years imprisonment on indictment, or 2 years imprisonment and a $24,000 fine in the Magistrates Court.
It is a defence to charge of breaching a data access order, that you had a ‘reasonable excuse’ for not obeying it.
The onus of proving that you had a reasonable excuse is on you. You must establish this defence on the balance of probabilities. Typically this will require calling evidence, such as an accused giving oral evidence, in their defence to the charge.
Some examples of a reasonable excuse might be:
- That the phone was not yours and you had not been told the PIN by the owner of the phone; or
- That the phone or other device is an old device and you have forgotten the PIN code or password to it.
It is not a defence to a charge of breaching a data access order, that information required to be given under the data access order would or may have incriminated the accused. Indeed the police are typically seeking such information when they apply for the order.
Sentencing for breaching a data access order can vary depending on the consequences that were avoided by the breach of the order. If, for example, breaching the order meant that you escaped punishment for a serious crime, then the sentence can include imprisonment, which may be cumulative on any sentence imposed for the actual offence that the data access order related to. If on the other hand the breach was inadvertent and the device contained nothing incriminating, a fine may be considered to be appropriate.
A charge of breaching a data access order can be a complex one, both in terms of defending the charge and also the likely sentence. We recommend you contact James Jackson Criminal Defence today if you are facing such a charge.