What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

• coordination at state, regional and local levels through emergency management committees
• emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
• operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

• The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
• NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
• Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
• The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
• The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

• government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
• agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

• up to ten fully vaccinated visitors to a home (increased from five)
• up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
• weddings and funerals limits increased to 100 people (from 50)
• the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

• South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
• Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
• Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
• a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

• the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
• issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
• the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
• issues arising from impediments to information sharing between agencies and jurisdictions, such as:
  • timeliness and accuracy of data used to direct compliance activities
  • the impact of insufficient advance notice on changes to Public Health Orders
  • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
  • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
• the lack of Aboriginal community representation on many LEMCs
• compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
• improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
• deficiencies in succession planning and fatigue management practices
• the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

• governance
• engagement 
• innovation and technology 
• community impact 
• workforce impact
• system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #371 - released 20 December 2022

What the report is about

The Australian Government led and implemented the Australian COVID-19 vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

This audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine roll out in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over.

What we found

On 16 October 2021, NSW Health, in partnership with the Australian Government's vaccination program, achieved its first objective to fully vaccinate 80% of people in NSW aged 16 and over. Demand for the vaccine reduced in December 2021, and NSW Health did not reach its target of 95% fully vaccinated for people aged 16 and over until June 2022.

Despite challenges such as uncertain supply and changes to clinical advice affecting vaccine eligibility, NSW Health's overall delivery of vaccination services was effective and efficient.

During the audit period, NSW Health implemented effective strategies to allocate vaccines and reduce wastage to optimise the number of vaccines available.

NSW Health implemented its own booking system after it identified that the Australian Government's system would not manage bookings. There were problems with NSW Health's interim vaccine booking system, and NSW Health fully resolved these issues by September 2021.

As at 19 October 2022, vaccination rates for Aboriginal peoples and culturally and linguistically diverse people remained below the 95% target.

What we recommended

By June 2023, NSW Health should conduct a comprehensive review of the COVID-19 vaccine rollout and incorporate lessons learned into pandemic response plans.

The first three cases of COVID-19 in New South Wales were diagnosed in January 2020. By 30 June 2021, 128 people were being treated in hospital and one person was in intensive care. By the end of December 2021, 187,504 total cases and 663 deaths were reported in New South Wales. As at 27 October 2022, NSW Health reported more than three million total cases and 5,430 deaths.

The COVID-19 pandemic continues to have a significant impact on the people and the health sector of New South Wales. The Australian, state, territory, and local governments have directed significant resources towards health responses and economic recovery.

On 13 November 2020, National Cabinet (comprised of the Australian, state, and territory governments) endorsed the Australian COVID-19 Vaccination Policy. Australia's vaccination program was launched on 21 February 2021 with the goal of providing safe and effective vaccines to the people who most needed them as quickly as possible, to support the physical, mental and economic wellbeing of the nation.

The Australian Government led and implemented the Australian vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

The overall objective of this audit was to assess the effectiveness and efficiency of NSW Health’s contribution to the Australian COVID-19 vaccine rollout. It is important to note that in New South Wales, primary care providers (GPs and pharmacies) and aged care providers administered the majority of vaccines. Primary care providers and aged care providers are the responsibility of the Australian Government.

The audit had a particular focus on whether NSW Health:

• set clear vaccination targets underpinned and/or guided by evidence
• managed the rollout of the vaccination program effectively and efficiently
• managed demand of vaccines effectively and efficiently.

The audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine rollout in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over. We did not audit the subsequent rollout for ages five to 15, or the booster rollout (third and fourth doses) as these activities mostly occurred outside the date of our review.

This audit also did not assess the Australian Government’s allocation of vaccine supplies to New South Wales because we do not audit the Australian Government's activities. On 17 August 2022, the Australian National Audit Office completed a performance audit which assessed the Australian Department of Health and Aged Care's effectiveness in the planning and implementation of Australia's COVID-19 vaccine rollout.

This audit is one of a series of audits that have been completed or are in progress regarding the New South Wales COVID-19 emergency response. This includes the planned performance audit ‘Coordination of the response to COVID-19 (June to November 2021)’, and financial audit assurance activities focusing on Local Health District processes and controls to manage the receipt, distribution and inventory management of vaccine stock. The Audit Office New South Wales '2022–25 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

Appendix one – Response from agency

Appendix two – Australian audits on the vaccine rollouts

Appendix three – Committee members 

Appendix four – About the audit 

Appendix five – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #369 - released 7 December 2022

What the report is about

Poor attendance at school is related to poor student outcomes, particularly once patterns of non-attendance have been established.

This report examined how the NSW Department of Education (the department) is managing student attendance in NSW government schools.

What we found

Around a third of students in Years 1–10 attended school less than 90% of the time in semester one, 2021. Missing more than 10% of school may put a student's educational outcomes at risk.

Since 2018, the department has improved the quality of student attendance data, analysis and reporting. However, there are still gaps in understanding the reasons for absence at a system level.

The department set state-wide and school-level targets to increase the proportion of students attending school at least 90% of the time. This emphasis risks diverting attention away from students with very low attendance rates.

There are gaps in central programs to support schools in lifting student attendance. Schools are taking a variety of approaches to this work.

There is a large gap in attendance between Aboriginal and non-Aboriginal students, which has increased since 2018.

What we recommended

The Department of Education should:

• set new state-wide and school level attendance targets
• evaluate its attendance support programs
• update its attendance strategies and programs
• publish the attendance level for each school in their annual reports
• improve internal analysis and reporting of attendance data
• finalise the review of the attendance policy, procedure and codes
• review programs supporting Aboriginal student attendance and address any gaps
• review the approach to enforcing compulsory school attendance.

Regular attendance at school is important for academic and other long-term outcomes. Students who do not attend regularly are less likely to complete school and more likely to experience poorer long-term health and social outcomes. A range of factors influence student attendance including student engagement and wellbeing, family and community factors and the school environment.

The NSW Department of Education's (the department's) Strategic Plan for 2018–2022 identifies improving student attendance as a priority. It has identified 95% as its expected level of attendance. It set targets to increase the proportion of students attending school at least 90% of the time, from 79.4% to 82% in primary schools and 64.5% to 70% for secondary schools.

This report focuses on attendance data for semester one of 2018, 2019 and 2021. Unless otherwise noted, attendance data refers to Years 1–10 in alignment with national reporting conventions. Changes in recording systems and definitions mean attendance data prior to 2018 is not comparable. Attendance data for semester one of 2020 and 2022 was significantly affected by COVID-related disruptions, which prevented many students across the State from attending school. Data for semester one of 2021 is considered relatively less affected by COVID-related disruptions.

The Education Act 1990 (the Act) sets out the responsibilities of students, parents and the department for ensuring students receive compulsory schooling. The department has developed policies, procedures and guidance to assist schools in managing their responsibilities to promote regular attendance. In this report, we define 'regular' attendance as at least 90% of the time. This is equivalent to missing one day of school each fortnight or four weeks of school across a school year.

The objective of this audit was to assess whether student attendance is effectively managed in NSW government schools for students from kindergarten to Year 10. In making this assessment, the audit examined whether:

• there are effective systems and policies for managing student attendance
• the department effectively supports schools to manage student attendance
• schools are effectively managing student attendance.

This chapter considers the effectiveness of systems to accurately collect, analyse and report student attendance data. It also considers the effectiveness of policies and procedures to support attendance and central oversight of attendance issues.

This chapter considers the effectiveness of the department's strategies to improve student attendance and the support it provides to schools to achieve this. It also considers the effectiveness of school-level strategies and actions for students with low attendance.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #368 - released 27 September 2022

What the report is about

The Aboriginal Land Rights Act 1983 (NSW) (the Act) provides land rights over certain Crown land for Aboriginal Land Councils in NSW.

If a claim is made over Crown land (land owned and managed by government) and meets other criteria under the Act, ownership of that land is to be transferred to the Aboriginal Land Council.

This process is intended to provide compensation for the dispossession of land from Aboriginal people in NSW. It is a different process to the recognition of native title rights under Commonwealth law.

We examined whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. The relevant agencies are:

• Department of Premier and Cabinet (DPC)
• Department of Planning and Environment (DPE)
• NSW Aboriginal Land Council (NSWALC).

We consulted with Local Aboriginal Land Councils (LALCs) and other Aboriginal community representative groups to hear about their experiences.

What we found

Neither DPC nor DPE have established the resources required for the NSW Government to deliver Aboriginal land claim processes in a coordinated way, and which transparently commits to the requirements and intent of the Act.

Delays in determining land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land. Delays also create risks due to uncertainty around the ownership, use and development of Crown land.

DPC has not established governance arrangements to ensure accountability for outcomes under the Act, and effective risk management.

DPE lacks clear performance measures for the timely and transparent delivery of its claim assessment functions. DPE also lacks a well-defined framework for prioritising assessments.

LALCs have concerns about delays, and lack of transparency in the process.

Reviews since at least 2014 have recommended actions to address numerous issues and improve outcomes, but limited progress has been made.

The database used by DPC (Office of the Registrar) for the statutory register of land claims has not been upgraded or fully validated since the 1990s.

In 2020, DPE identified the transfer of claimable Crown land to LALCs to enable economic and cultural outcomes as a strategic priority. DPE has some activities underway to do this, and to improve how it engages with Aboriginal Land Councils – but DPE still lacks a clear, resourced strategy to process over 38,000 undetermined claims within a reasonable time.

What we recommended

In summary:

• DPC should lead strategic governance to oversee a resourced, coordinated program that is accountable for delivering Aboriginal land claim processes
• DPE should implement a resourced, ten-year plan that increases the rate of claim processing, and includes an initial focus on land grants
• DPE and DPC should jointly establish operational arrangements to deliver a coordinated interagency program for land claim processes
• DPC should plan an interagency, land claim spatial information system, and the Office of the Registrar should remediate and upgrade the statutory land claims register
• DPC and NSWALC should implement an education program (for state agencies and the local government sector) about the Act and its operations
• DPE should implement a five-year workforce development strategy for its land claim assessment function
• DPE should finalise updates to its land claim assessment procedures
• DPE should enhance information sharing with Aboriginal Land Councils to inform their claim making
• NSWALC should enhance information sharing and other supports to LALCs to inform their claim making and build capacity.

The return of land under the Aboriginal Land Rights Act 1983 (NSW) (the Act) is intended to provide compensation for the dispossession of land from Aboriginal people in New South Wales. A claim on Crown land¹ made by an Aboriginal Land Council that meets criteria under the Act is to be transferred to the claimant council as freehold title. The 2021 statutory review of the Act recognises the spiritual, social, cultural and economic importance of land to Aboriginal people.

The Minister for Aboriginal Affairs administers the Act, with support from Aboriginal Affairs NSW (AANSW) in the Department of Premier and Cabinet (DPC). AANSW also leads the delivery of Opportunity, Choice, Healing, Responsibility and Empowerment (OCHRE), the NSW Government's plan for Aboriginal affairs, and assists the Minister to implement the National Agreement on Closing the Gap – which includes a target for increasing the area of land covered by Aboriginal and Torres Strait Islander people's legal rights or interests.

The Act gives responsibility for registering land claims to an independent statutory officer, the Registrar of the Aboriginal Land Rights Act (the Registrar), whose functions are supported by the Office of the Registrar (ORALRA) which is resourced by AANSW.²

The Land and Environment Court of New South Wales has stated that there is an implied obligation for land claims to be determined within a reasonable time. The Minister administering the Crown Land Management Act 2016 (NSW) is responsible for determining land claims. This function is supported by the Department of Planning and Environment (DPE),³ whose staff assess and recommend claims for determination based on the criteria under section 36(1) of the Act. There is also a mechanism under the Act for land claims to be negotiated in good faith through an Aboriginal Land Agreement.

The NSW Aboriginal Land Council (NSWALC) is a statutory corporation constituted under the Act with a mandate to provide for the development of land rights for Aboriginal people in NSW, in conjunction with the network of 120 Local Aboriginal Land Councils (LALCs). LALCs are constituted over specific areas to represent Aboriginal communities across NSW. Both NSWALC and LALCs can make land claims.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities that are required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties need to be engaged so that these processes are coordinated effectively and managed in a way that is consistent with the intent of the Act, and other legislative requirements.

The first land claim was lodged in 1983. The number of undetermined land claims has increased over time, and at 31 December 2021 DPE data shows 38,257 undetermined claims.

The issue of undetermined land claims has been publicly reported by the Audit Office since 2007. Recommendations to agencies to better facilitate processes and improve how functions are administered have been made in multiple reviews, including two Parliamentary inquiries in 2016.

The objective of this audit was to assess whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. In making this assessment, we considered whether:

• agencies (DPE, DPC (AANSW and ORALRA) and NSWALC) coordinate information and activities to effectively facilitate Aboriginal land claim processes
• agencies (DPE and DPC (ORALRA)) are effectively administering their roles in the Aboriginal land claim process.

We consulted with LALCs to hear about their experiences and priorities with respect to Aboriginal land claim processes and related outcomes. We have aimed to incorporate their insights into our understanding of their expectations of government with respect to delivering requirements, facilitating processes, and identifying opportunities for improved outcomes. 

Since 1983, 53,861 Aboriginal land claims have been lodged with the Registrar.²⁵

The Land and Environment Court of New South Wales has stated there is an implied obligation on the Crown Lands Minister to determine land claims within a reasonable time.²⁶

As at 31 December 2021, DPE has processed less than a third (31 per cent) of these land claims: 14,273 were determined by the Crown Lands Minister (that is, granted or refused, in whole or part) and 2,562 were withdrawn. This amounts to 16,835 claims processed, including the negotiated settlement of 15 claims through three Aboriginal Land Agreements. As a result, DPE reports that approximately 163,900 hectares of Crown land has been granted to Aboriginal Land Councils since 1983 up to 31 December 2021.

There are 38,257 land claims awaiting determination, which cover about 1.12 million hectares of Crown land.

The 2017 report on the statutory review of the Act noted that the land claims ‘backlog’ was one of the ‘Top 5’ priorities identified by LALCs during consultations. The importance of this issue is consistent with findings from our consultations with LALCs in 2021 (see Exhibit 7).

Delays in delivering on the statutory requirement to determine land claims, and limited use of other mechanisms to process claims in consultation or agreement with NSWALC and LALCs, undermines the beneficial and remedial intent of Aboriginal land rights under the Act. It also:

• impacts negatively on DPE’s ability to comply with the statutory requirement to determine land claims, because often the older a claim becomes the more difficult it can be to gather the evidence required to assess it
• creates uncertainty around the ownership, use and development of Crown land, which can have financial impacts on Aboriginal Land Councils, government agencies, local councils and developers.

Risks that arise in the context of undetermined claims are discussed further in section 3.3.

NSW Treasury describes public sector governance as providing strategic direction, ensuring objectives are achieved, and managing risks and the use of resources responsibly with accountability.

Consistent with the NSW Treasury’s Risk Management Toolkit (TPP-12-03b), governance arrangements for Aboriginal land claim processes should ensure their effective facilitation and administration. That is, arrangements are expected to contribute to and oversee the performance of administrative processes and service delivery towards outcomes, and ensure that legal and policy compliance obligations are met consistent with community expectations of accountability and transparency.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties (such as native title groups and those with an interest in development on Crown land) need to be engaged so that these processes are coordinated effectively with risks managed – consistent with the intent of the Act, and other legislative requirements.

Policy commitments to Aboriginal people and communities made by the NSW Government in the OCHRE Plan and Closing the Gap priority reforms establish an expectation for culturally informed governance.

The Crown Lands Minister, supported by DPE, is required to determine whether Aboriginal land claims meet the criteria to be ‘claimable Crown lands’ under section 36(1) of the Act. DPE staff within its Crown Lands division are responsible for assessing land claims and preparing recommendation briefs to the Crown Lands Minister, or their delegate, on determination outcomes. That is, on whether to grant or refuse the claim.³⁸ DPE staff also make decisions about which land claims within the large number of undetermined claims should be processed first.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Banner image used with permission.
Title: Forces of Nature
Artist: Lee Hampton – Koori Kicks Art

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #365 - released 28 April 2022.

What the report is about

The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.

The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.

Larger machinery of government changes typically occur after an election or a change of Premier.

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.

What we found

The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.

DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.

The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.

Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.

What we recommended

DPC and NSW Treasury should:

• consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
• provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
• progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.

The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.

The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.

The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.

The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.

Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.

In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.

This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:

• DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
• DPIE and DRNSW can demonstrate the costs of the machinery of government changes
• The machinery of government changes have achieved or are achieving intended outcomes and benefits.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #359 - released (17 December 2021).

What the report is about

This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.

The audit assessed the design and implementation of the program.

What we found

The program design was based on research and data showing learning loss during 2020. 

The department rapidly planned and developed the policy design and guidelines for schools. 

Governance arrangements matured during program delivery.

The department changed the models for funding schools but did not clearly explain the reasons for doing so.

Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools. 

Guidelines, resources and professional learning helped schools implement the program.

Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas. 

Online tuition and third-party provider options were developed throughout the program.

There were issues with the quality and timeliness of data used to monitor school progress. 

Evaluation arrangements were developed early in the program.

Data limitations mean the evaluation will not be able to fully assess all program objectives.

What we recommended

1. Distributing funds between schools more equitably and improving communication of the funding methods. 
2. Clearer communication about the intended targeted group of students.
3. Reviewing the time needed to administer the program.
4. Improve support for educators other than qualified teachers.
5. Offer the online tuition program to more schools.
6. Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
7. Working with universities to increase use of pre-service teachers in the program.

The report also identifies lessons learned for future programs.
 

The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:

• $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
• $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.

The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):

• effectively designed the program and supporting governance arrangements
• is effectively implementing the program.

This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.

This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.

This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #358 - released (15 December 2021).

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

The movement of freight contributes $66 billion annually to the NSW economy. Two thirds of all freight in NSW moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036.

This audit assessed the effectiveness of transport agencies in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

What we found

Transport agencies do not have strategies or targets in place to improve the efficiency or capacity of the metropolitan shared rail network for freight.

The transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes and they do not know how to use the shared rail network to maximise freight capacity without compromising passenger rail services.

The Freight and Ports Plan 2018-2023 contains one target for rail freight - to increase the use of rail at Port Botany to 28 per cent by 2021. However, Transport for NSW (TfNSW)'s data indicates this target will not be met.

Sydney Trains records data on train movements and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable and third-party contracts.

However, a lack of clarity around what data is gathered and who has ownership of the data makes data sharing difficult and limits its analysis and reporting.

The Freight and Ports Plan 2018-2023 includes the goal of 'Reducing avoidable rail freight delays', but the transport agencies do not have any definition for an avoidable delay and, as a result, do not measure or report them.

TfNSW and Sydney Trains are appointed to manage and deliver the Transport Asset Holding Entity of New South Wales (TAHE)'s obligations to allow rail freight operators to use the shared rail network. There are no performance measures in rail freight operator contracts or inter-agency agreements. This limits transport agencies' ability to improve performance.

TfNSW’s Freight Branch is working on four freight-specific strategies; a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy.

TfNSW has not yet determined the timeframes or intended outcomes of these strategies.

What we recommended

Transport agencies should:

• commit, as part of the review of Future Transport 2056, to delivering the freight-specific strategies currently in development and develop whole-of-cluster accountability for this work including timeframes, specific targets and clear roles and responsibilities 
• improve the collection and sharing of freight data
• develop a plan to reduce avoidable freight delays
• systematically collect data on the management of all delays involving and/or impacting rail-freight
• develop and implement key performance indicators for the agreements between the transport agencies.

The movement of freight contributes $66.0 billion annually to the New South Wales economy — or 13 per cent of the Gross State Product. Two thirds of all freight in New South Wales moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036. This increasing demand is driven by increasing population and economic growth.

The sequence of activities required to move goods from their point of origin to the eventual consumer (the supply chain) is what matters most to shippers and consumers. Road can provide a single-mode door-to-door service, whereas conveying goods by rail typically involves moving freight onto road at some point. In Greater Sydney, 80 per cent of all freight is moved on road. Freight often passes through intermodal terminals (IMTs) as it transitions from one mode of transport to the next.

In 2016, Transport for NSW (TfNSW) released Future Transport 2056 - the NSW Government's 40-year vision for transport in New South Wales, which is intended to guide investment over the longer term. In Future Transport 2056, TfNSW noted that New South Wales will struggle to meet increasing demand for freight movements unless rail plays a larger role in the movement of freight.

Sydney Trains manages the metropolitan shared rail network, which is made up of rail lines that are used by both passenger and freight trains. The Transport Administration Act 1988 requires that, for the purposes of network control and timetabling, NSW Government transport agencies give ‘reasonable priority’ to passenger trains on shared lines. As the Greater Sydney population and rail patronage continue to grow, so too will competition for access to the shared rail network. See Appendix two for details of the area encompassed by Greater Sydney.

Freight operators can also use dedicated rail freight lines operated by the Australian Rail Track Corporation (ARTC - an Australian Government statutory-owned corporation). As the metropolitan shared rail network connects with dedicated freight lines, freight operators often use both to complete a journey.

TfNSW, Sydney Trains and the Transport Asset Holding Entity (TAHE) work in conjunction with other rail infrastructure owners and private sector entities, including port operators, privately operated IMTs and freight-shipping companies. TfNSW and Sydney Trains are responsible for managing the movement of freight across the metropolitan shared rail network. TAHE is the owner of the rail infrastructure that makes up the metropolitan shared rail network. The NSW Government established TAHE, a NSW Government state-owned corporation, on 1 July 2020 to replace the former rail infrastructure owner - RailCorp. The Auditor-General for New South Wales has commenced a performance audit on TAHE which is expected to table in 2022.

On 1 July 2021, TAHE entered into new agreements with TfNSW and Sydney Trains to operate, manage and maintain the metropolitan shared rail network. Until 30 June 2021, and in accordance with TAHE's Implementation Deed, TAHE operated under the terms of RailCorp's existing arrangements and agreements.

This audit assessed the effectiveness of TfNSW, Sydney Trains and TAHE in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

The audit focused on:

• the monitoring of access to shared rail lines
• the management of avoidable delays of rail freight movements
• steps to increase the use of rail freight capacity in Greater Sydney.

Appendix one - Response from agencies

Appendix two - The Greater Sydney region

Appendix three - TfNSW strategic projects 

Appendix four - Sydney Trains path priority principles 

Appendix five - Sydney Trains delay management

Appendix six - About the audit 

Appendix seven - Performance auditing
 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #357 - released (19 October 2021).

What the report is about

This audit assessed whether adults in custody have effective access to health services. The audit examined the activities of Justice Health and Corrective Services NSW.

What we found

The majority of custodial patients receive timely health care, but a small proportion of patients are not receiving care within target timeframes.

Eleven per cent of scheduled health appointments are not attended, and agencies can do more to understand the reasons for non-attendance.

Demand for mental health care exceeds service capacity and some patients are held in environments not appropriate for their needs.

Justice Health's information systems do not support the effective transfer of medical records as patients move around the prison network.

Not all patients are released from custody with a discharge plan.

Justice Health's system managers do not receive sufficiently detailed reports to understand strategic risks or opportunities to improve access to health services.

Public and private prison health operators do not report against consistent performance measures.

Justice Health is mandated to assess health services in private prisons. This conflicts with its role as a contracted provider of health services in the private prison system.

What we recommended

Enhanced reporting on patient access to health services, to identify risks and challenges across key service areas.

Identification and implementation of the improvements required for information to be shared across the custodial network and with external health providers.

Development of a framework to govern and monitor costs for patient health escorts and movements.

Development of a framework to govern responsibilities for mental health services.

Progression of infrastructure plans that address the lack of specialist accommodation for mental health patients and aged and frail patients.

Collaboration to align the performance measures to enable benchmarking between public and private prison health services.

Action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Access to health services in custody

This audit examined whether adults in the New South Wales public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that patients have timely access to health services, systems and practices support continuity of care, and access to health services is monitored and reviewed.

As part of this audit, we assessed actions undertaken by Justice Health and Corrective Services NSW in managing the first COVID-19 outbreak in 2020. However, due to the timing of this audit report, this audit does not report on the agencies’ response to managing the current outbreak of COVID-19 in September 2021.

Health services in New South Wales prisons are delivered by both public and private operators. The public prison system is made up of 33 correctional centres and the Long Bay Hospital. All health services in the public prison system are delivered by the Justice Health and Forensic Mental Health Network (Justice Health).

In the public prison system, Justice Health is responsible for the clinical care of patients with physical and mental illnesses. Clinicians provide health assessments, treatments, medication management, and some counselling services in prison health clinics. Patients are triaged by primary health nurses and if they require treatments or medication, they are referred to prison‑based doctors including specialists or other clinicians. Patients requiring complex or emergency care are transferred to hospitals or other specialty services outside the prison complex.

Private operators deliver health services in three private prisons through contract arrangements with Corrective Services NSW. Justice Health delivers health care at one correctional centre via a contract arrangement with Corrective Services NSW. In total, contracted health service operators deliver health care to approximately 25 per cent of the New South Wales prison population.

Justice Health is required by law to monitor the performance of contracted health service providers in New South Wales prisons, including services provided at the John Morony Correctional Centre. The Auditor‑General’s mandate does not permit a direct examination of information held by private sector entities, however this audit does assess the effectiveness of Justice Health's role in monitoring health services in private prisons.

Corrective Services NSW is responsible for security in public prisons, including the facilitation of patient access to health care at prison health clinics and the transfer of patients to hospitals and other health services outside of the prison environment. Corrective Services NSW also delivers behaviour‑based psychology services. Some are delivered as behaviour modification courses that aim to reduce criminal and offending activity amongst the prison population. These programs may be linked to parole or other custodial conditions. Other psychology services include counselling for people with self‑harming or suicidal behaviours.

Research from the Australian Institute of Health and Welfare indicates that people in custody are more likely than the general population to be affected by chronic and acute illnesses, including higher rates of mental illness and communicable diseases¹. In March 2021, there were 13,063 adults in custody in New South Wales.

The objective of this performance audit was to assess whether adults in the public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that:

• patients have timely access to health services
• systems and practices support the continuity of health care
• access to health services is monitored, reviewed, and reported across the network. 

1. Key findings

The majority of custodial patients receive timely health care, but a small proportion of patients with priority appointments are not receiving care within target timeframes

Approximately half of all health care provided by Justice Health is immediate. It is delivered to 'walk‑in' patients as soon as they present at prison health clinics. Most of these patients are receiving daily medications, while a small proportion require urgent or immediate care for injuries or illnesses. The other half of prison health care is delivered via scheduled appointments. Patients waiting for health appointments are given a priority rating according to the time within which they should be seen by a clinician.

Patients requiring the most time‑critical care are given a Priority 1 rating. These patients should receive treatment within one to three days. In December 2020, the average wait time for Priority 1 treatment was five and a half days, almost double the target. This is an improvement on wait times in June 2019, when the average wait time was just over 13 days. Justice Health does not assess or measure the impacts of delayed care on these patients.

According to Justice Health, the high numbers of ‘walk‑ins’ contribute to increased wait times for medical appointments. In addition, some specialty health clinics operate weekly, which means that patients cannot be seen by specialists within a one to three‑day timeline. Security events such as prison lockdowns can also contribute to increased wait times, as they limit the access that patients have to prison health clinics during out‑of‑cell hours.

If patients need emergency medical treatment, they are transferred to hospitals in line with Justice Health's policy. In 2020, just over 1,000 patients were transferred to hospital for emergency medical care.

A significant proportion of prison health appointments are not attended, and not enough is being done to understand the reasons, or to improve attendance rates

In 2020, 11 per cent of all scheduled health appointments in prison clinics were not attended. This amounts to approximately 60,000 appointments over the year. Non‑attended appointments have flow‑on impacts on wait times and backlogs for scheduled health appointments. Understanding why they occur is necessary to improve efficiencies in scheduling and patient access to health services.

In 2020, the most common reason for non‑attended health appointments was: 'patient unable to attend'. Justice Health clinicians use this when patients do not arrive at the prison health clinic at the scheduled time, and clinicians lack any other information to explain the non‑attendance.

The second most common recorded reason for non‑attended appointments was: 'cancelled by Corrective Services NSW'. These cancellations are due to operational or security reasons, including prison lockdowns. Data from Justice Health indicates that in 2020, there were an average of 12 lockdowns per week across New South Wales prisons.

A range of factors can impact on patient attendance at appointments, some of which are unavoidable. That said, more can be done to understand and reduce non‑attendance. For example, there is potential for Corrective Services NSW to implement tighter protocols to update information about patient availability on the daily movement lists. This might include checking whether patients are willing to attend appointments. Similarly, there is potential for Justice Health clinicians to implement tighter protocols to check patient lists ahead of scheduled appointments, and to re‑schedule appointments where patients are unavailable.

Demand for mental health care exceeds service capacity and some patients are held in environments that are not appropriate for their needs

There is a high demand for mental health services in New South Wales prisons. In March 2021, at least 143 mental health patients were waiting for access to an acute or sub‑acute mental health unit across the New South Wales prison system. The average wait time for a mental health facility was 43 days. Seventeen patients had wait times of over 100 days. Patients waiting for sub‑acute mental health services had longer wait times than those waiting for acute mental health services.

There are limited mental health beds for women across the New South Wales prison network. There are ten allocated beds for women at the Mental Health Screening Unit at Silverwater Correctional Complex, and no allocated beds for women at Long Bay Hospital.

A lack of bed availability in the Forensic Hospital means that, as of February 2021, 63 forensic patients were being held in mental health facilities in mainstream prisons, when they should have been accommodated in the Forensic Hospital. Some of these forensic patients have been held in mainstream prison facilities for decades.

Cross‑agency co‑operation and planning is required to identify and build infrastructure that will reduce wait times for mental health beds. Over several years, Justice Health has developed, reviewed, and worked to progress a strategic plan for NSW Forensic Mental Health that includes enhanced mental health bed capacity across the NSW system. The latest version of this strategic plan remains in draft and has yet to be approved by the NSW Ministry of Health.

In 2016, Corrective Services NSW commenced a Prison Bed Capacity Program. It was focussed on enhancing capacity across the prison system and did not include specialist health beds. More recently, Corrective Services NSW has been developing a business case to improve the provision of specialist health care facilities across the network, including mental health facilities.

Justice Health's clinical information systems do not support the effective transfer of health appointments or medication records as patients are moved to new prison locations

Justice Health's clinical information systems are multiple and complex. There are five health information systems that include a mix of electronic and paper‑based records. Information management systems contain clinical records, appointment information, medication records, dental records, and specialist health information. Corrective Services NSW maintain separate information systems relating to prison records and psychology treatment information.

The transfer of people across different correctional centres is a frequent occurrence. In 2020, there were over 41,000 movements between correctional centres. People are transferred for a range of reasons including for security purposes, or to be located closer to hospitals or specialist health services.

Justice Health receives a list of patient transfers one day prior to transfer. Nurses are required to prepare medications and clinical handovers for patients with complex health conditions. These handovers are verbal, however short timeframes mean that handover is not always possible.

While each patient's electronic health records are available across the network, transfer of appointment waitlists must be done manually. There is no automatic alert within the information systems to tell staff that a patient has been moved to another prison. There is a risk that if appointment records are not manually updated, or if staff at destination clinics are not contacted, then appointments will be overlooked.

Justice Health is working with eHealth NSW to develop an improved Electronic Medication Management (EMM) program with expected delivery in late 2021. The EMM has potential to improve the transfer of patient medication records, but it will not fully remediate all inefficiencies of the current systems.

Corrective Services NSW and Justice Health do not engage in sufficient joint planning to improve efficiencies in transports or escorts to health services

Corrective Services NSW and Justice Health do not engage in joint system‑level planning to mitigate the risks and the costs associated with transferring patients to health clinics in prisons, or non‑prison‑based health care. There are no protocols, and limited sharing of information to improve efficiencies in planning and coordinating patient transfers.

Corrective Services NSW does not collate or report on the costs of transporting patients to hospitals and specialist care. While there is data on the overall cost of medical escorts, estimated to be $19.9 million in 2020, Corrective Services NSW is not able to disaggregate this data to determine the reasons for transfers or the system‑level costs. For example, Corrective Services NSW does not know how many prison lockdowns occur when hospital transfers are required.

Medical escorts to specialist health services and hospitals increase the costs to the prison system and contribute to risks in prison management. Medical escorts contributed to 16 per cent of metropolitan prison lockdowns at the peak in 2018, though escort numbers have since been declining. Some Local Health Districts report significant concerns around safety incidents and assaults on staff during medical escorts to hospital.

Corrective Services NSW does not know if transport costs have increased since the 2016 Prison Bed Capacity Program which expanded prison beds in regional New South Wales. To date, there has been no assessment of the cost of taking patients to tertiary hospitals or specialist services. Corrective Services NSW has identified this as an area for improvement.

Justice Health's system managers do not receive sufficiently detailed reports on wait times for health care, to understand strategic risks or opportunities for system improvement

Justice Health's senior executives receive monthly reports on patient wait times for services in prison health clinics. These reports contain headline data about the numbers of days that patients wait for scheduled health appointments by their allocated priority level. Wait time data are averaged across all New South Wales prison health clinics. With some exceptions, almost all executive level reports describe system‑wide appointment wait times without offering further specific detail. For example, there is limited information which would allow managers to understand the performance of specialty health groups, or to make any comparative analysis of the performance of different prison facilities.

Executive reports are also not detailed enough to indicate whether prisons with particular security classifications offer greater or lesser access to health services. It is not possible to assess whether patients in metropolitan or regional prisons have different levels of health service access. This prevents managers from identifying strategic risks across the prison network, targeting resources to the areas of greatest risk, and making strategic improvements in system performance.

Trend data on wait times for the different health specialty areas is also required to enable senior managers to compare wait times across prison facilities, security classifications, and localities.

In response to the preliminary findings of this audit, Justice Health has made some improvements to its executive‑level wait time reports. This includes additional detail on health appointment wait times by prison facilities and wait times by health specialty areas.

It is not possible to compare or benchmark the performance of public and private prison health operators or to compare prison health against community health standards

It is not possible to compare or benchmark the performance of the public and private prison health operators in New South Wales using the current Key Performance Indicator (KPI) data. KPI data do not correlate across the public and private systems.

Justice Health reports to the Ministry of Health on 44 prison health KPIs. The 44 KPIs for the public prison system do not align with the seven KPIs the private health operators report against in their contracts with Corrective Services NSW. This means that public and private operators focus on different service areas. For example, private operators have a performance measure for ensuring that custodial patients are provided with release plans. Justice Health does not have a similar measure.

The KPI specifications for the private prison health system were developed by Corrective Services NSW with input from the Ministry of Health. The KPI specifications for the public prison health system were developed by the Ministry of Health in collaboration with Justice Health. There is no rationale for the difference in performance indicators across the public and private systems.

Private providers currently deliver prison services to 25 per cent of the prison population of New South Wales. This proportion has been increasing since 2016. Public and private health operators deliver comparable health services so there is scope to compare performance across the systems.

Justice Health aligns its standard for prison health services with a 'community’ standard of health care access. However, with existing health monitoring measures, it is not possible to assess how well Justice Health is tracking against community health standards with available data from most health specialties.

There is an inherent conflict of interest in Justice Health's monitoring role of health services in private prisons, as Justice Health is also a provider of health services in a private prison

There is a legislated requirement for Justice Health to monitor the performance of private health operators in New South Wales prisons. This monitoring role is described in the Crimes (Administration of Sentences) Act 1999.

Justice Health's monitoring role includes the collection and analysis of health performance data from private health operators, and periodic site visits to assess health service performance. Justice Health reports the findings of monitoring activities to Corrective Services NSW, the contract manager for private prisons.

Justice Health's monitoring role commenced in the late 1990s. In recent years, this role has expanded as the NSW Government has increased the number of privately managed prisons across the state. Justice Health now monitors health services in four private prisons, accounting for approximately one quarter of all custodial patients in the New South Wales prison system.

In 2018, Justice Health was awarded a contract to provide health services at the John Morony Correctional Centre. Justice Health also monitors the health services this Correctional Centre. The timing of the 1999 legislation did not anticipate that Justice Health would be a provider of the services it is required to monitor.

Justice Health has taken steps to maintain independence and transparency in its monitoring role by establishing a number of arms‑length governance arrangements. Justice Health set up a Commissioning Unit that operates independently from its service delivery operations. Justice Health also established an alternative reporting chain via a Board subcommittee to oversee the performance of health providers in private prisons.

Despite all actions to establish independence, the monitoring role confers dual responsibilities on the Chief Executive of Justice Health as both an operational manager of health services in a private prison and as a manager responsible for monitoring these same services. As a result, the Chief Executive of Justice Health has access to information about the overall performance of the private prison health system in New South Wales.

As a competitor for the provision of health services in privately operated prisons, Justice Health has access to information to which other private health providers do not. This potentially gives Justice Health a competitive advantage over other private health operators.

2. Recommendations

By December 2022, Justice Health should:

1. enhance reporting on patient access to health services to ensure that system managers can identify risks, challenges, and system improvements across key areas of its service profile

2. in collaboration with the NSW Ministry of Health, identify and implement the required improvements to its health information management systems that will enable effective transfers of patient clinical records and appointment information across the custodial network and with external health providers.

By December 2022, Justice Health and Corrective Services NSW should:

3. develop a joint framework to govern and monitor the costs of their common and connected responsibilities for patient health movements across the prison network and to external health services

4. develop a joint framework to govern their common and connected responsibilities for mental health services.

By December 2022, Justice Health and Corrective Services NSW, in collaboration with the NSW Ministry of Health, should:

5. progress infrastructure plans and projects that address the lack of specialist accommodation for mental health patients and aged and frail patients

6. standardise and align the key performance indicators that monitor the performance of health operators in public and private prisons so that system‑wide benchmarking is possible.

By December 2022, the NSW Ministry of Health should:

7. take action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #356 - released (23 September 2021).

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

• enhance the coordination of climate risk management across agencies
• implement climate risk management across their clusters.

DPIE should:

• update information and strengthen education to agencies, and monitor progress
• review relevant land-use planning, development and building guidance
• deliver a climate change adaptation action plan for the state.

NSW Treasury should:

• strengthen climate risk-related guidance to agencies
• coordinate guidance on resilience in infrastructure planning
• review how climate risks have been assured in agencies’ asset management plans.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

• use robust climate projection information to understand the potential climate impacts
• undertake sound climate risk assessments, within an enterprise risk management framework
• implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Appendix one – Response from agencies

Appendix two – Timeline of key activities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #355 - released (7 September 2021).