Reports
Service NSW's handling of personal information
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.
The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.
The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.
The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.
Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.
Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.
Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.
The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.
In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.
In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.
This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.
This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.
It addressed the following:
- Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
- Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
- Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?
ConclusionService NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring. Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies. The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred. There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system. Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies. Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents. |
1. Key findings
Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020
Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.
Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.
One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.
This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.
It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.
Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.
In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.
A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.
Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.
Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies
Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.
The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.
Service NSW's privacy management plan has not been updated to include new programs and governance changes
Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.
The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).
Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes
Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.
Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.
Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks
Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.
The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.
While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.
2. Recommendations
Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.
As a matter of urgency, Service NSW should:
1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies
2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.
By March 2021, Service NSW should:
3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:
- to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
- to better reflect the full scope and complexity of personal information handled by Service NSW
- to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
- to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information
5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:
- ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
- ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:
6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:
- establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
- enable partitioning and role based access restrictions to personal information collected for different programs
- provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
- enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:
7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:
- are identified as high risk and have not previously had a privacy impact assessment
- have had major changes or updates since the privacy impact assessment was completed.
Appendix one – Responses from agencies
Appendix two – About the audit
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Health 2020
This report analyses the results of our audits of financial statements of the Health cluster for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
| Financial reporting |
Unqualified financial audit opinions The financial statements of NSW Health and its 25 controlled entities received unqualified opinions. The number of corrected and uncorrected misstatements increased from the prior year. Misstatements related predominantly to the implementation of new accounting standards, asset revaluations and accounting for new revenue streams to cover the cost of HSW Health’s response to the COVID-19 pandemic. Qualified compliance audit opinion We issued a qualified audit opinion for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. We identified 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19). |
| Financial performance |
NSW Health received an additional $3.3 billion in funding to cover costs associated with its response to the COVID-19 pandemic. The impacts of the COVID-19 pandemic on the cluster were significant for health entities and included changes to operations, increased revenues, expenditure, assets and liabilities. Cancellation of elective surgery and decreased emergency department presentations meant that despite the pandemic, activity levels at many health entities decreased. Health Pathology and HealthShare were notable exceptions. In the period to the 30 June 2020, NSW Health reported that over 900,000 COVID-19 tests were conducted. Health Pathology conducted over 500,000 of these tests. Health Pathology's surge requirements were enhanced through arrangements with 13 private sector providers. HealthShare purchased $864.2 million of personal protective equipment. Overall, NSW Health recorded an operating surplus of $3.1 billion in 2019–20, an increase of $2.0 billion from 2018–19. As in previous years, the surplus largely resulted from additional revenue received to fund capital projects including the construction of new facilities, upgrades and redevelopments. In 2019–20 additional Commonwealth and State funding for the purchase and stockpiling of personal protective equipment also contributed to the operating surplus. |
| Overtime payments | The Ambulance Service of NSW’s (NSW Ambulance) reduced their overtime payments to $79.7 million in 2019–20 ($83.1 million in 2018–19). Overtime payments in 2019–20 included $6.8 million related to the response to the 2019–20 bushfire season. NSW Ambulance overtime payments represent 16.8 per cent of total overtime payments in the cluster. |
2. Audit observations
| Internal control deficiencies |
We identified more internal control deficiencies in 2019–20. The number of repeat issues from prior years also remains high. NSW Health addressed 18 out of the 25 information system control deficiencies during the year. Several key agreements lacked formal documentation. This included agreements between the Ministry and health entities, between health entities and agencies in other clusters and between the Ministry and health departments in other jurisdictions. |
| Infrastructure delivery | NSW Health had 44 ongoing major capital projects at 30 June 2020 with a total revised budget of $12.3 billion. The revised total budget of $12.3 billion is $2.0 billion more than the original budget. NSW Health revises budgets when it combines project stages. |
This report provides parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
The impacts of the COVID-19 pandemic on the cluster were significant and included changes to the operations of the health entities and increased revenue, expenditure, assets and liabilities.
As a part of this year's audits of health entities, we have considered:
- financial implications of the COVID-19 emergency at both health entity and cluster levels
- changes to agencies' operating models
- agencies' access to technology and the maturity of systems and controls to prevent unauthorised and fraudulent access to data.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The response to the COVID-19 pandemic primarily impacted the financial reporting of NSW Health through:
- additional revenue from the State government in the form of grants and stimulus payments
- additional revenue from the Commonwealth government under the National Partnership Agreement for COVID-19 to cover part of the cost of responding to the COVID-19 pandemic
- increased expenses, largely due to increased payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists and increased cleaning costs
- increased purchases of personal protective equipment.
Chapter one outlines the impacts of NSW Health’s response to the COVID-19 pandemic. This chapter outlines our other audit observations related to the financial reporting of agencies in the Health cluster for 2020.
Section highlights
- Unqualified audit opinions were issued for all health entities’ financial statements, although more misstatements were identified than last year.
- NSW Health recorded an operating surplus of $3.1 billion, an increase of $2.0 billion from 2018–19. This is largely due to additional capital grants for new facilities, upgrades and redevelopments and additional Commonwealth and State funding for the purchase of personal protective equipment.
- NSW Health’s expenses increased by 5.5 per cent in 2019–20 (7.0 per cent in 2018–19) despite the impact of the COVID-19 pandemic. The primary causes for the growth in expenses are increases in:
- employee related expenses due to higher employee numbers, increased overtime and a 2.5 per cent award increase
- payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists
- payments to private health operators due to the first full year of operation of the Northern Beaches hospital.
- The Ambulance Service of NSW (NSW Ambulance) continued to report higher overtime payments than other health entities. However, despite the response to the 2019–20 bushfire season, their overtime payments were lower than last year. NSW Ambulance paid $79.7 million in overtime payments in 2019–20 ($83.1 million in 2018–19).
- A qualified audit opinion was issued for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. There were 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19)
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
The primary impact of the COVID-19 pandemic on the effectiveness of the internal controls of NSW Health and health entities relates to the effectiveness of controls implemented by HealthShare relating to the stocktake of personal protective equipment inventories. Inventory managed by HealthShare increased by 2,746 per cent during 2019–20. HealthShare’s inventory controls did not maintain pace with the sudden, significant increase.
The impacts of NSW Health’s response to the COVID-19 pandemic are outlined in chapter one. This chapter outlines other observations and insights from our financial statement audits of agencies in the Health cluster.
Section highlights
- The number of internal control deficiencies has increased since 2018–19. More than a third of control deficiencies are repeat issues.
- Control deficiencies that relate to managing employees’ leave and employee’s time recording continue to be difficult for entities to resolve, particularly during the ongoing response to the COVID-19 pandemic.
- Several key agreements were undocumented. These included agreements between the Ministry and the health entities, between health entities, and between the Ministry and entities in other clusters and jurisdictions. These related to:
- a loan arrangement between the Ministry and HealthShare for $319 million.
- Northern Sydney Local Health District's use of land and buildings owned by the Graythwaite Charitable Trust
- agreements for the treatment of New South Wales residents while they are interstate, and interstate residents receiving treatment while they are in New South Wales from Queensland, Victoria, South Australia and the ACT for both 2019–20 and 2018–19.
- NSW Health reported that they completed nine major capital projects during 2019–20. As at 30 June 2020 there were 44 ongoing major capital health projects in NSW. The revised capital budget for these projects in total was $2.0 billion more than the original budget of $10.3 billion. NSW Health reported the budget revisions are largely the result of combining project stages.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Financial data
Appendix four – Analysis of financial indicators
Appendix five – Analysis of performance against budget
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Auditor-General’s Report to Parliament
Health 2020
11 December 2020
This corrigendum has been prepared to amend the following text within the Auditor-General’s Report to Parliament on Health 2020, dated 10 December 2020.
NSW Health emergency department treatment times
On page five the original text was as follows:
NSW Health also measures the percentage of patients whose clinical care in emergency departments is completed within four hours. The measure is used as an indicator of accessibility to public hospital services.
NSW Health aims to complete clinical care in the emergency department for 81 per cent of patients within four hours. In 2019–20 NSW Health reports it completed clinical care within four hours for 72.1 per cent of patients (a 7.3 per cent decrease from 2018–19).
At Western Sydney Local Health District, 59 per cent of patients were treated within the targeted timeframe. NSW Health attribute this to the profile of patients presenting in emergency departments and additional time taken processing COVID-19 patients to ensure staff safety.
The original text has now been changed to:
NSW Health also measures the percentage of patients with total time in the emergency department of four hours or less for each local health district. The measure is used as an indicator of accessibility to public hospital services.
| Local Health Districts | Target % (2019–20) | Actual % (2019–20) |
| Central Coast | 77.0 | 59.9 |
| Far West | 90.2 | 86.6 |
| Hunter New England | 81.0 | 72.5 |
| Illawarra Shoalhaven | 79.0 | 60.2 |
| Mid North Coast | 82.0 | 76.7 |
| Murrumbidgee | 85.3 | 81.9 |
| Nepean Blue Mountains | 79.0 | 65.5 |
| Northern NSW | 81.0 | 78.2 |
| Northern Sydney | 79.0 | 73.9 |
| South Eastern Sydney | 78.0 | 70.3 |
| South Western Sydney | 78.0 | 61.2 |
| Southern NSW | 85.0 | 83.0 |
| Sydney | 76.0 | 70.9 |
| Sydney Children’s Hospitals Network | 80.0 | 72.1 |
| Western NSW | 85.9 | 81.0 |
| Western Sydney | 78.0 | 59.0 |
| St Vincent's Health Network* | 75.0 | 65.4 |
The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.
CBD South East Sydney Light Rail: follow-up performance audit
This is a follow-up to the Auditor-General's November 2016 report on the CBD South East Sydney Light Rail project. This follow-up report assessed whether Transport for NSW has updated and consolidated information about project costs and benefits.
The audit found that Transport for NSW has not consistently and accurately updated project costs, limiting the transparency of reporting to the public.
The Auditor-General reports that the total cost of the project will exceed $3.1 billion, which is above the revised cost of $2.9 billion published in November 2019. $153.84 million of additional costs are due to omitted costs for early enabling works, the small business assistance package and financing costs attributable to project delays.
The report makes four recommendations to Transport for NSW to publicly report on the final project cost, the updated expected project benefits, the benefits achieved in the first year of operations and the average weekly journey times.
The CBD and South East Light Rail is a 12 km light rail network for Sydney. It extends from Circular Quay along George Street to Central Station, through Surry Hills to Moore Park, then to Kensington and Kingsford via Anzac Parade and Randwick via Alison Road and High Street.
Transport for NSW (TfNSW) is responsible for planning, procuring and delivering the Central Business District and South East Light Rail (CSELR) project. In December 2014, TfNSW entered into a public private partnership with ALTRAC Light Rail as the operating company (OpCo) responsible for delivering, operating and maintaining the CSELR. OpCo engaged Alstom and Acciona, who together form its Design and Construct Contractor (D&C).
On 14 December 2019, passenger services started on the line between Circular Quay and Randwick. Passenger services on the line between Circular Quay and Kingsford commenced on 3 April 2020.
In November 2016, the Auditor-General published a performance audit report on the CSELR project. The audit found that TfNSW would deliver the CSELR at a higher cost with lower benefits than in the approved business case, and recommended that TfNSW update and consolidate information about project costs and benefits and ensure the information is readily accessible to the public.
In November 2018, the Public Accounts Committee (PAC) examined TfNSW's actions taken in response to our 2016 performance audit report on the CSELR project. The PAC recommended that the Auditor-General consider undertaking a follow-up audit on the CSELR project. The purpose of this follow-up performance audit is to assess whether TfNSW has effectively updated and consolidated information about project costs and benefits for the CSELR project.
Conclusion
Transport for NSW has not consistently and accurately updated CSLER project costs, limiting the transparency of reporting to the public. In line with the NSW Government Benefits Realisation Management Framework, TfNSW intends to measure benefits after the project is completed and has not updated the expected project benefits since April 2015.Between February 2015 and December 2019, Transport for NSW (TfNSW) regularly updated capital expenditure costs for the CSELR in internal monthly financial performance and risk reports. These reports did not include all the costs incurred by TfNSW to manage and commission the CSELR project.
Omitted costs of $153.84 million for early enabling works, the small business assistance package and financing costs attributable to project delays will bring the current estimated total cost of the CSELR project to $3.147 billion.
From February 2015, TfNSW did not regularly provide the financial performance and risk reports to key CSELR project governance bodies. TfNSW publishes information on project costs and benefits on the Sydney Light Rail website. However, the information on project costs has not always been accurate or current.
TfNSW is working with OpCo partners to deliver the expected journey time benefits. A key benefit defined in the business plan was that bus services would be reduced owing to transfer of demand to the light rail - entailing a saving. However, TfNSW reports that the full expected benefit of changes to bus services will not be realised due to bus patronage increasing above forecasted levels.
Appendix one – Response from agency
Appendix two – Governance and reporting arrangements for the CSELR
Appendix three – 2018 CSELR governance changes
Appendix four – About the audit
Appendix five – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #335 - released 11 June 2020
Train station crowding
This report focuses on how Transport for NSW and Sydney Trains manage crowding at selected metropolitan train stations.
The audit found that while Sydney Trains has identified platform crowding as a key strategic risk, it does not have an overarching strategy to manage crowding in the short to medium term. Sydney Trains 'do not have sufficient oversight to know if crowding is being effectively managed’, the Auditor-General said.
Sydney Trains' operational response to crowding involves restricting customer access to platforms or station entries before crowding reaches unsafe levels or when it impacts on-time running. Assuming rail patronage increases, it is likely that Sydney Trains will restrict more customers from accessing platforms or station entries, causing customer delay. ‘Restricting customer access to platforms or station entries is not a sustainable approach to manage station crowding’, said the Auditor-General.
The Auditor-General made seven recommendations to improve Transport for NSW and Sydney Trains' management of station crowding. Transport for NSW have accepted these recommendations on behalf of the Transport cluster.
Public transport patronage has been impacted by COVID-19. This audit was conducted before these impacts occurred.
Sydney Trains patronage has increased by close to 34 per cent over the last five years, and Transport for NSW (TfNSW) expects the growth in patronage to continue over the next 30 years. As patronage increases there are more passengers entering and exiting stations, moving within stations to change services, and waiting on platforms. As a result, some Sydney metropolitan train stations are becoming increasingly crowded.
There are three main causes of station crowding:
- patronage growth exceeding the current capacity limits of the rail network
- service disruptions
- special events.
Crowds can inhibit movement, cause discomfort and can lead to increased health and safety risks to customers. In the context of a train service, unmanaged crowds can affect service operation as trains spend longer at platforms waiting for customers to alight and board services which can cause service delays. Crowding can also prevent customers from accessing services.
Our 2017 performance audit, ‘Passenger Rail Punctuality’, found that rail agencies would find it hard to maintain train punctuality after 2019 unless they significantly increased the capacity of the network to carry trains and people. TfNSW and Sydney Trains have plans to improve the network to move more passengers. These plans are set out in strategies such as More Trains, More Services and in the continued implementation of new infrastructure such as the Sydney Metro. Since 2017, TfNSW and Sydney Trains have introduced 1,500 more weekly services to increase capacity. Additional network capacity improvements are in progress for delivery from 2022 onwards.
In the meantime, TfNSW and Sydney Trains need to use other ways of managing crowding at train stations until increased capacity comes on line.
This audit examined how effectively TfNSW and Sydney Trains are managing crowding at selected metropolitan train stations in the short and medium term. In doing so, the audit examined how TfNSW and Sydney Trains know whether there is a crowding problem at stations and how they manage that crowding.
TfNSW is the lead agency for transport in NSW. TfNSW is responsible for setting the standard working timetable that Sydney Trains must implement. Sydney Trains is responsible for operating and maintaining the Sydney metropolitan heavy rail passenger service. This includes operating, staffing and maintaining most metropolitan stations. Sydney Trains’ overall responsibility is to run a safe rail network to timetable.
ConclusionSydney Trains has identified platform crowding as a key strategic risk, but does not have an overarching strategy to manage crowding in the short to medium term. TfNSW and Sydney Trains devolve responsibility for managing crowding at stations to Customer Area Managers, but do not have sufficient oversight to know if crowding is being effectively managed. TfNSW is delivering a program to influence demand for transport in key precincts but the effectiveness of this program and its impact on station crowding is unclear as Transport for NSW has not evaluated the outcomes of the program. TfNSW and Sydney Trains do not directly measure or collect data on station crowding. Data and observation on dwell time, which is the time a train waits at a platform for customers to get on and off trains, inform the development of operational approaches to manage crowding at stations. Sydney Trains has KPIs on reliability, punctuality and customer experience and use these to indirectly assess the impact of station crowding. TfNSW and Sydney Trains only formally assess station crowding as part of planning for major projects, developments or events. Sydney Trains devolve responsibility for crowd management to Customer Area Managers, who rely on frontline Sydney Trains staff to understand how crowding affects individual stations. Station staff at identified key metropolitan train stations have developed customer management plans (also known as crowd management plans). However, Sydney Trains does not have policies to support the creation, monitoring and evaluation of these plans and does not systematically collect data on when station staff activate crowding interventions under these plans. Sydney Trains stated focus is on providing a safe and reliable rail service. As such, management of station crowding is a by-product of its strategies to manage customer safety and ensure on-time running of services. Sydney Trains' operational response to crowding involves restricting customer access to platforms or stations before crowding reaches unsafe levels, or when it impacts on-time running. As rail patronage increases, it is likely that Sydney Trains will need to increase its use of interventions to manage crowding. As Sydney Trains restrict more customers from accessing platforms or station entries, it is likely these customers will experience delays caused by these interventions. Since 2015, TfNSW has been delivering the 'Travel Choices' program which aims to influence customer behaviour and to manage the demand for public transport services in key precincts. TfNSW is unable to provide data demonstrating the overall effectiveness of this program and the impact the program has on distributing public transport usage out of peak AM and PM times. TfNSW and Sydney Trains continue to explore initiatives to specifically address crowd management. |
ConclusionTfNSW and Sydney Trains do not directly measure or collect data on station crowding. There are no key performance indicators directly related to station crowding. Sydney Trains uses performance indicators on reliability, punctuality and customer experience to indirectly assess the impact of station crowding. Sydney Trains does not have a routine process for identifying whether crowding contributed to minor safety incidents. TfNSW and Sydney Trains formally assess station crowding as part of planning for major projects, developments or events. |
ConclusionSydney Trains has identified platform crowding as a strategic risk but does not have an overarching strategy to manage station crowding. Sydney Trains' stated focus is on providing a safe and reliable rail service. As such, management of station crowding is a by-product of its strategies to manage customer safety and ensure on-time running of services. Sydney Trains devolve responsibility for managing crowding at stations to Customer Area Managers but does not have sufficient oversight to know that station crowding is effectively managed. Sydney Trains does not have policies to support the creation, monitoring or evaluation of crowd management plans at key metropolitan train stations. The use of crowding interventions is likely to increase due to increasing patronage, causing more customers to experience delays directly caused by these activities. TfNSW and Sydney Trains have developed interventions to influence customer behaviour and to manage the demand for public transport services but are yet to evaluate these interventions. As such, their impact on managing station crowding is unclear. |
Appendix one – Response from agency
Appendix two – Sydney rail network
Appendix three – Rail services contract
Appendix four – Crowding pedestrian modelling
Appendix five – Airport Link stations case study
Appendix six – About the audit
Appendix seven – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #333 - released 30 April 2020
Local Schools, Local Decisions: needs-based equity funding
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the Department of Education’s (the department’s) support and oversight of school planning and use of needs-based funding under the Local Schools, Local Decisions reform.
The report found the department has not had adequate oversight of how schools are using needs-based funding to improve student outcomes since it was introduced in 2014.
The department had not set measures or targets for needs-based equity funding. It had also not been clear enough in how it expected schools to report on the outcomes of additional funding. This means it has not been able to effectively demonstrate the impact of funding at a school, or state-wide level.
To assist with the transition to greater local decision-making, the department provided schools with guidance materials, additional resources and systems support. However, guidance material was not clear enough on the purpose of funding, school budgeting systems were not fit-for-purpose when initially introduced, and support for schools was spread across different areas of the department.
The department has recently increased executive oversight of progress to improve educational outcomes for Aboriginal students and students from a low socio-economic background. It has also developed a consistent set of school-level targets to be implemented from 2020. This may help the department more reliably monitor progress in lifting outcomes for students with additional learning needs.
The report makes eight recommendations aimed at clarifying requirements of schools, better coordinating support and strengthening oversight of the use of needs-based equity funding.
The Local Schools, Local Decisions reform was launched in 2012 to give public schools more authority to make local decisions about how best to meet the needs of their students. A major element of the reform was the introduction of a new needs-based school funding model. Core elements of the model address staffing and operational requirements, while needs-based elements reflect the characteristics of schools and students within them. This includes equity funding designed to support students with additional needs. The four categories of equity funding are:
- socio-economic background
- Aboriginal background
- English language proficiency
- low-level adjustment for disability.
Around $900 million in equity funding was allocated in 2019. School principals decide how to use these funds and account for them through their school annual reports. The Department of Education (the department) supports schools in making these choices with tools and systems, guidelines, and good practice examples.
The objective of this audit was to assess the department's support and oversight of school planning and use of needs-based funding under the Local Schools, Local Decisions reform. To address this objective, the audit examined whether:
- effective accountability arrangements have been established
- effective support is provided to schools.
ConclusionThe department has not had adequate oversight of how schools are using needs-based equity funding to improve student outcomes since it was introduced in 2014. While it provides guidance and resources, it has not set measures or targets to describe the outcomes expected of this funding, or explicit requirements for schools to report outcomes from how these funds were used. Consequently, there is no effective mechanism to capture the impact of funding at a school, or state-wide level. The department has recently developed a consistent set of school-level targets to be implemented from 2020. This may help it to better hold schools accountable for progress towards its strategic goal of reducing the impact of disadvantage. A significant amount of extra funding has been provided to schools over recent years in recognition of the additional learning needs of certain groups of students facing disadvantage. Under the Local Schools, Local Decisions reform, schools were given the ability to make decisions about how best to use the equity funding in combination with their overall school resources to meet their students’ needs. However, multiple guidelines provided to schools contain inconsistent advice on how the community should be consulted, how funding could be used, and how impact should be reported. Because of this, it is not clear how schools have used equity funding for the benefit of identified groups. School annual reports we reviewed did not fully account for the equity funding received, nor adequately describe the impact of funding on student outcomes. To help in the transition to greater local decision-making, the department provided extra support by; establishing peer support for new principals, increasing the number of directors, developing data analysis and financial planning systems, targeted training and showcasing good practice. Multiple roles and areas of the department provide advice to schools in similar areas and this support could be better co-ordinated. Financial planning systems designed to help schools budget for equity and other funding sources were not fit-for-purpose when originally introduced. Schools reported a lack of trust in their budget figures and so were not fully spending their allocated funding. Since then, the department developed and improved a budgeting tool in consultation with stakeholder and user groups. It provided extra funding for administrative support and one-to-one training to help schools develop their capabilities. Despite this, schools we spoke to reported they were not yet fully confident in using the system and needed ongoing training and support. |
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #331 - released 8 April 2020.
Reducing Ambulance Turnaround Time at Hospitals
NSW Health has put in place initiatives to reduce the time ambulance crews have to wait at a hospital before they are able to leave and attend to other calls. Despite these actions, ambulance crews are waiting longer at NSW hospitals. Crews now wait on average nearly 32 minutes at a hospital before handing over a patient, up from about 24 minutes seven years ago.
Parliamentary reference - Report number #233 - released 24 July 2013
Managing Operating Theatre Efficiency for Elective Surgery
Waiting times for elective surgery will continue to increase if NSW Health does not improve its management of operating theatres. On the positive side NSW public hospitals are performing more elective surgery than in previous years and are treating patients substantially within national clinical timeframes. However, more operations will be needed as targets are getting tighter and demand is growing.
Parliamentary reference - Report number #232 - released 17 July 2013
Visiting medical officers and staff specialists
We found that hospitals are generally able to deploy their VMOs and staff specialists to be at the place and time required. However, a hospital’s ability to manage supply and demand at a local level is limited. This limitation will become more critical with the current national health reforms when public hospital funding will depend on their ability to set and meet activity targets and priorities. NSW Health cannot be sure that all payments made to VMOs are for agreed and delivered services. Across the hospitals visited we found limited checking of VMO claims for payment, limited quality information on staff specialist activities and limited hospital-level analysis of trends or inconsistencies in activities and treatments.
Parliamentary reference - Report number #219 - released 14 December 2011
Responding to Domestic and Family Violence
Organisations generally work together to improve the safety of victims when there is an overt and serious crisis, particularly where children are involved. There are no standard ways for victims and perpetrators to access help that might prevent ongoing violence and address underlying issues. This is particularly problematic where there are repeat victims and perpetrators, many of whom have complex mental health, drug and alcohol problems and are difficult to work with. New South Wales has trialled a number of projects to improve the way that organisations work together to support vulnerable people in particular communities.
Parliamentary reference - Report number #218 - released 8 November 2011
Solar Bonus Scheme
A NSW Auditor General’s Report has found that the NSW Government and its agencies grossly underestimated the cost and number of people that would install systems under the Solar Bonus Scheme.
By October 2010, the estimated cost of the Scheme, if it continued the way it was going, would have reached $3.988 billion. More than ten times the original estimate of $362 million. In response to the increased cost, the gross tariff for new applicants was reduced from 60 to 20 cents reducing the estimated cost to $1.954 billion.
It was a statutory requirement that when 50 mega watts of installed capacity was reached, the Government would review the Scheme. By the time the review was completed the installed capacity had reached 101 mega watts.
