What this report is about
Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.
DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.
DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.
This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.
TfNSW has not effectively planned the replacement of DRIVES.
It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.
In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.
TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.
TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.
TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.
Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.
- implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
- ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
- ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
- ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
- develop a clear statement of the future role in whole of government service delivery for the system
- resolve key issues currently faced by the DRIVES replacement program including by:
- clearly setting out a strategy and design for the replacement
- preparing a specific business case for replacement.
Parliamentary reference - Report number #388 - released 20 February 2024