Concerns have been raised over how Australian law enforcement and integrity agencies access telecommunications data and store information.
Authorities must comply with strict safeguards over how the data is obtained under the Telecommunications Interception and Access Act.
The Commonwealth Ombudsman reviewed how 21 agencies use their powers and found Victoria Police was the "most prolific" agency to authorise employees to access data for purposes not covered by the law.
"We identified a high number of authorisations that did not demonstrate that the access to data was for enforcing the criminal law or locating a missing person," the Covert Electronic Surveillance report stated.
"We also identified a significant number of authorisations where the alleged offences referenced incorrect legislation."
It said this was a repeat finding for Victoria Police.
"The incorrect use of authorisation provisions risks the legality of the data accessed by (Victoria Police) and the accuracy of their ministerial reporting," the report said.
Victoria Police said it was working towards full compliance with the requirements of the act.
"We acknowledge there have been a small number of circumstances where this has not occurred," a spokesperson said.
"Over the past two years we have undertaken a number of steps across the organisation to ensure police are fully educated in relation to their requirements and responsibilities in relation to these requests.”
Overall, the report found fewer instances of agencies not complying with the rules in 2022/23 compared the previous year but still identified issues including a lack of record-keeping and insufficient training for staff.
Ombudsman Iain Anderson said a "mature culture of compliance" was needed for responsible management of covert law enforcement operations.
"While most agencies have improved their policies and procedures to manage their use of these powers, I remain concerned about the consistency with which these are applied in practice," Mr Anderson said.
The report also highlighted "risks" that other agencies could access data on Queensland Police's system.
However, report stated it was unclear what data had been disclosed to the agencies and whether it was for a reason allowed under the Act.
It noted the force "immediately" addressed any non-compliance.
Queensland Police said its current record management system, QPRIME, was the most appropriate place to record the data.
A spokesperson said its system can only be accessed by law enforcement agencies.
"All access to records in QPRIME are auditable meaning it is possible to audit access to particular records and identify users who made that access," the spokesperson said.
The report noted all agencies were receptive to findings, while calling on regular and targeted training so officers complied with the law.