The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today reviewing the additional entitlements claimed by Members of the New South Wales Parliament (Members) under the Parliamentary Remuneration Tribunal’s Determination (the Determination).

The Auditor-General found three material instances of Member non-compliance with the Determination. The Department of Parliamentary Services has subsequently requested the three Members repay amounts incorrectly claimed.

The report also acknowledges that the Department has worked with the Tribunal to address two of the three recommendations made in the 2019 Auditor-General’s review. These are now reflected in the 2020 Determination. The Department expects to address the third recommendation in the 2021 Determination.

The Auditor General has reviewed the compliance of the Members of the NSW Parliament (Members) with certain requirements outlined in the Parliamentary Remuneration Tribunal's Determination (the Determination) for the year ended 30 June 2020.

The Auditor General's review of Members' compliance with the Determination analyses claims made by Members during the 2019–20 financial year by testing a sample of transactions. Our sample included 66 claims submitted by 43 of the 136 Members.

Results

Our review identified three instances of material non compliance with the Determination for the year ended 30 June 2020:

• one Member claimed the General Travel Allowance for the full cost of a charter flight used to both attend a family event and perform the Member's parliamentary duties instead of estimating and claiming only the cost related to the Member's parliamentary duties
• one Member claimed the Communications Allowance for the same expenditure twice
• one Member elected to repay the allowance claimed in lieu of providing evidence to support their claims. The Member claimed the Sydney Daily Allowance and advised that they did not have records to support that the purpose of the travel related to their parliamentary duties.

The Determination requires Members to maintain appropriate records of expenditure for the purpose of any audit or assurance engagements. Repeated reviews have identified Members who elect to repay the allowances claimed in lieu of providing supporting documents. Justifying a claim for an allowance with supporting documents should not rely on the Auditor-General's review. Last year, we recommended the Department of Parliamentary Services (the Department) work with the Tribunal to provide additional guidance to Members to clarify the definition of parliamentary duties, the activities that meet the definition and the requirements for retaining documents. The recommendation is currently being considered by the Department.

Our review also identified 22 other departures from the administrative requirements of the Determination:

• two Members did not make the required authorisations and attributions on a publication to claim the expenditure from the Communications Allowance
• seven reconciliations for the Sydney Allowance were submitted after the due date
• 13 Members' claims were not submitted to the Department for payment within 60 days of receipt or occurrence of the expense.

Our audit procedures identified three other departures from the Department's administrative guidelines, which support the application of the Determination. Three Members submitted their annual loyalty scheme declarations after the due date specified in the guidelines (31 July 2020). The Declaration is important because it affirms that loyalty scheme benefits accrued using the Member's parliamentary allowances and entitlements were not used for private purposes.

Background

The Parliamentary Remuneration Tribunal (the Tribunal) determines the salary and additional entitlements of Members of NSW Parliament (Members), which are set out in the Tribunal's annual Determination

Appendix one – Response from Department of Parliamentary Service

A report has been tabled on the findings and recommendations from the annual review of the additional entitlements claimed by the Members of the New South Wales Parliament (Members) under the Parliamentary Remuneration Tribunal’s Determination (the Determination).

Members claimed $21.5 million of additional entitlements in 2018–19, 2.7 per cent less than the previous year. The decrease is largely attributable to the period in the lead up to the New South Wales State Election, from 26 January to 23 March 2019, during which Members are not permitted to use their Communications Allowance.  In addition, Parliament did not sit from 23 November 2018 until 6 May 2019.

The review found one instance of material non‑compliance with the Determination relating to a Member who claimed the General Travel Allowance but did not provide evidence that the travel related to their parliamentary duties.

14 other departures from the administrative requirements of the Determination, mostly relating to the timing of Members’ claims were identified. The review also found two instances where it was unclear whether reimbursement of Members’ claims had been made strictly in accordance with the Determination.

The report makes three recommendations to the Department of Parliamentary Services to work with the Tribunal to clarify specific wording and requirements in the Determination.  

The Auditor-General has reviewed the compliance of the Members of the NSW Parliament (Members) with certain requirements outlined in the Parliamentary Remuneration Tribunal's Determination (the Determination) for the year ended 30 June 2019.

The Auditor-General's review is designed to provide parliament with limited assurance about Members' compliance with the Determination. We analysed all claims made by Members during the 2018–19 financial year and tested a sample of transactions that we identified as having a greater risk of non-compliance in more detail. Our sample included claims submitted by 59 of the 159 Members.

Results

Our review identified one instance of material non-compliance with the Determination for the year ended 30 June 2019 relating to a Member who claimed the General Travel Allowance but did not provide evidence that the travel related to their parliamentary duties.

Our audit procedures identified 14 other departures from the administrative requirements of the Determination:

• 8 Members submitted their reconciliations for the Sydney Allowance after the due date
• 1 Member who elected to receive their Sydney Allowance as an annual payment, returned their unspent Sydney Allowance to the Department after the 30 September 2019 due date
• 5 Members' claims were not submitted to the Department for payment within 60 days of receipt or occurrence of the expense.

Our audit procedures identified two instances where it was unclear whether Members had been reimbursed for their costs in accordance with the Determination:

• The Determination specifies the Electorate to Sydney Travel Allowance is for travel between Members’ electorates and Sydney. In administering the allowance, the Department permitted Members’ claims for travel to and from their residence, which may be outside of their electorate. The Tribunal confirmed that this accords with the intent of the Determination.
• The Determination specifies the Communications Allowance reimburses Members for the cost of producing communications. One Member chartered flights to film materials used to produce communications and to perform parliamentary duties. The Member claimed the cost of flights under the General Travel Allowance, without apportioning any part to the Communications Allowance. The flights and the communication of the filmed material to constituents occurred during the blackout period, during which Members are not permitted to use their Communications Allowance. The Department determined that all travel costs can be claimed under the General Travel Allowance, even if the travel related to the production of communications during the blackout period.

Our audit procedures identified 25 other departures from the Department's administrative guidelines, which support the Determination. Twenty-five Members submitted their annual loyalty scheme declarations after the 31 July 2019 due date specified in the Department's administrative requirements. Their declarations stated that loyalty scheme benefits accrued using their parliamentary allowance and entitlements were not used for private purposes.

Background

The Parliamentary Remuneration Tribunal (the Tribunal) determines the salary and additional entitlements of Members of NSW Parliament (Members), which are set out in the Tribunal's annual Determination.

Three key agencies are not fully complying with the NSW Procurement Board’s Direction for engaging probity practitioners, according to a report released today by the Acting Auditor-General for New South Wales, Ian Goodwin. They also do not have effective processes to achieve compliance or assure that probity engagements achieved value for money.

Probity is defined as the quality of having strong moral principles, honesty and decency. Probity is important for NSW Government agencies as it helps ensure decisions are made with integrity, fairness and accountability, while attaining value for money.

Probity advisers provide guidance on issues concerning integrity, fairness and accountability that may arise throughout asset procurement and disposal processes. Probity auditors verify that agencies' processes are consistent with government laws and legislation, guidelines and best practice principles. 

According to the NSW State Infrastructure Strategy 2018-2038, New South Wales has more infrastructure projects underway than any state or territory in Australia. The scale of the spend on procuring and constructing new public transport networks, roads, schools and hospitals, the complexity of these projects and public scrutiny of aspects of their delivery has increased the focus on probity in the public sector. 

A Procurement Board Direction, 'PBD-2013-05 Engagement of probity advisers and probity auditors' (the Direction), sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets, but that agencies:

• should use external probity practitioners as the exception rather than the rule
• should not use external probity practitioners as an 'insurance policy'
• must be accountable for decisions made
• cannot substitute the use of probity practitioners for good management practices
• not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent. 

The scale of probity spend may be small in the context of the NSW Government's spend on projects. However, government agencies remain responsible for probity considerations whether they engage external probity practitioners or not.

The audit assessed whether Transport for NSW, the Department of Education and the Ministry of Health:

• complied with the requirements of ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’
• effectively ensured they achieved value for money when they used probity practitioners.

These entities are referred to as 'participating agencies' in this report.

We also surveyed 40 NSW Government agencies with the largest total expenditures (top 40 agencies) to get a cross sector view of their use of probity practitioners. These agencies are listed in Appendix two.

There are no professional standards and capability requirements for probity practitioners

NSW Government agencies use probity practitioners to independently verify that their procurement and asset disposal processes are transparent, fair and accountable in the pursuit of value for money. 

Probity practitioners are not subject to regulations that require them to have professional qualifications, experience and capability. Government agencies in New South Wales have difficulty finding probity standards, regulations or best practice guides to reference, which may diminish the degree of reliance stakeholders can place on practitioners’ work.

The NSW Procurement Board provides direction for the use of probity practitioners

The NSW Procurement Board Direction 'PBD-2013-15 for engagement of probity advisers and probity auditors' outlines the requirements for agencies' use of probity practitioners in the New South Wales public sector. All NSW Government agencies, except local government, state owned corporations and universities, must comply with the Direction when engaging probity practitioners. This is illustrated in Exhibit 1 below.

Appendix one – Response from agencies

Appendix two – List of selected agencies

Appendix three – About the audit

The Auditor-General, Margaret Crawford, today released a report on the annual review of additional entitlements claimed by Members of the New South Wales Parliament under the Parliamentary Remuneration Tribunal’s Determination. The review analysed all claims made by Members and tested a sample of claims paid for the year ended 30 June 2018 in more detail.

The review found one Member of Parliament did not materially comply with the Determination. The Member made two unsupported claims for the Electorate to Sydney Travel allowance during the year ended 30 June 2018. The Department of Parliamentary Services has asked the Member to repay these amounts. 

A further 20 departures from the administrative requirements of the Determination were identified, all relating to the timing of Members’ claims. 

The Auditor-General recommended the Department work with the Tribunal to provide more detailed guidance on the activities that meet the definition of 'parliamentary duties' and the documents Members should retain to comply with the Determination.

The Auditor General has reviewed the compliance of the Members of the NSW Parliament (Members) with certain requirements outlined in the Parliamentary Remuneration Tribunal's Determination (the Determination) for the year ended 30 June 2018.

The Auditor General's review is designed to provide Parliament with limited assurance about Members' compliance with the Determination. We analysed all claims made by Members during the 2017-18 financial year and tested a sample of transactions that we identified as having a greater risk of non compliance in more detail. Our sample included claims submitted by 60 of the 140 Members.

Appendix one - Response from Department of Parliamentary Services