
Reports
Actions for Regulation of the land titles registry
Regulation of the land titles registry
About this report
The land titles registry is a collection of registers established under the Real Property Act 1900 and related legislation. It is the source of truth for land and property ownership in NSW and underpins significant economic activity.
The registry is owned by the NSW Government. From 1 July 2017, a private operator has operated and maintained the registry under a 35-year concession granted by the NSW Government.
The Office of the Registrar General is the regulator of the private operator’s activity under the concession. It is a business unit in the Department of Customer Service.
This audit examined the effectiveness of the regulator in overseeing and monitoring the operation and maintenance of the registry to ensure its integrity and security.
Conclusion
The Office of the Registrar General has implemented an effective system and supporting processes to oversee and monitor the integrity and security of the land titles registry.
However, the audit found opportunities for the Office of the Registrar General to improve how it conducts its regulatory functions.
Recommendations
The audit recommended that the Office of the Registrar General should:
- develop and publish its approach to exercising its regulatory functions and powers
- publish a regulatory charter to ensure greater regulatory transparency
- review the skills and capabilities required to regulate the land titles registry
- ensure greater clarity on the rights to use data, and the application of privacy legislation
- ensure compliance with the NSW Cyber Security Policy, including the requirements relating to third parties
- perform an audit of the subscriber compliance process.
The land titles registry is a collection of registers that record property-related information
The registers collectively referred to in this report as the ‘land titles registry’ include the:
- Torrens Title Register – the primary register for land held in NSW under the Real Property Act 1900
- Register of Plans – comprises plans, that is a representation of a property’s boundary, submitted for registration by registered surveyors
- General Register of Deeds – established under the Registration of Deeds Act 1825, this was the first land register in NSW recording deeds in the system used prior to the introduction of the Torrens Title System, and includes the register of Causes Writs and Orders, Bills of Sale, Register of Resumptions, Powers of Attorney and other miscellaneous deeds
- Central Register of Restrictions – where participating organisations maintain up to date information about possible, or actual, interests they hold against NSW properties (for example for heritage or infrastructure reasons).
The 35-year concession for a private company to operate and maintain the land titles registry
In April 2017, the NSW Government granted a 35-year concession2 to a private operator to operate and maintain the titling and registry services business area of NSW Land and Property Information (LPI). The private operator paid the State $2.6 billion for the concession, as well as committed to pay $8 million (indexed) annually in consideration for the ORG to perform the regulatory and enabling functions contemplated by the concession deed.
The private operator has the right to generate revenue by selling land information products and services, including through search and subscription fees, as well as by charging administrative fees, such as for registering land titles and other transactions. Each year, the operator facilitates over four million searches on titles and images, records 900,000 updates to land title records and creates 50,000 new titles.
NSW Treasury managed the bidding process for the concession and prepared the enabling legislation, the Land and Property Information NSW (Authorised Transaction) Act 2016. The concession deed was executed between the Minister for Finance, the Registrar General and the successful bidder.
The successful bidder was Australian Registry Investments (ARI), which in turn established NSW Land Registry Services (NSW LRS or ‘the private operator’) as a private, single purpose company to operate and maintain the land titles registry. ARI is a consortium of institutional investors and superannuation funds, which at the time of this audit included Aware Super, Macquarie Infrastructure Fund and UTA Registry Investments Trust.
The NSW Government retains ownership of the land titles registry, including the information it contains.
The land titles registry is a critical information asset for NSW as it is the basis of private ownership of property, which in turn supports property-related economic activity. In 2016, it was estimated that the land titles system underpinned over $130 billion dollars of economic activity in NSW each year. As of 2023, the total value of land in NSW was approximately $2.8 trillion.
The land titles registry is a ‘crown jewel’ IT asset under the NSW Government Cyber Security Policy. The land and titling information maintained by the private operator is provided to other government departments and agencies, such as Revenue NSW, Spatial Services and the Valuer General.
A key assurance provided by the NSW Government when granting the concession was that the ORG would be responsible for the regulation of the performance of the private operator under the concession deed. The ORG is a business unit in the Fair Trading and Regulatory Services division of the Department of Customer Service (‘the department’). The Registrar General is a statutory position and has a range of responsibilities, including under the Real Property Act 1900. The establishment of an ‘office’ to support the Registrar General accompanied the granting of the concession in 2017.
The ORG is not a separate auditable entity under the Government Sector Audit Act 1983. As such, the auditee for this performance audit is formally the Department of Customer Service.
NSW Treasury is also an auditee as it managed the scoping study, bidding process, legislation development process and the development of the concession arrangements. NSW Treasury does not have an ongoing role in the routine oversight and monitoring of the land titles registry. The audit has made no recommendations for NSW Treasury and the agency has elected not to provide a formal response to the audit.
Objectives of the concession
The concession deed includes a statement of the Government’s objectives for the concession. These objectives include achieving the following:
a) maintaining the security, integrity, performance and availability of the registers, core assets and core services
b) ensuring the registers are accurate and up-to-date, including that they accurately reflect all registered documents, plans and other matters that are required to be recorded in them
c) maintaining the confidence of the affected parties and the NSW public in the registers and the core services
d) promoting improvements, innovation and increased efficiency, and utilising greater expertise and investment in technology, in the delivery of the core services
e) minimising Torrens Assurance Fund Payments and
f) protecting current competition and the opportunities for future competition in the supply of downstream services by ensuring fair, transparent, predictable and non-discriminatory dealing by the operator with customers and prospective customers.
The deed also includes the private operator’s acknowledgment and agreement that its achievement of these objectives is of critical importance to NSW.
Regulation of the land titles system, including under the concession deed
The ORG has described its role as ‘... a regulator, advisor and litigator, working to ensure the integrity of NSW’s land title system’. While the ORG directly regulates the private operator of the land titles registry under the concession deed (as well as in accordance with any applicable legislation and delegations made by the Registrar General), the system of land titles is a complex one, with many different participants. These participants include:
- ELNOs – which provide the means for transacting parties to collaborate electronically on the preparation of registry instruments; there are currently two ELNOs operating in NSW, although PEXA is by far the dominant market participant compared to its competitor, Sympli
- subscribers – a person or business authorised to complete electronic conveyancing transactions using an ELNO, such as financial institutions, solicitors and licensed conveyancers
- government agencies – selected NSW government agencies and local governments are authorised to obtain information from the system, including Revenue NSW, Valuation NSW, the Surveyor General and local councils
- registered surveyors – who are responsible for conducting survey plans of property boundaries and lodging those plans for registration with the private operator
- information brokers – there are 12 wholesale information brokers with which the private operator has entered into agreements under the concession deed to provide access to NSW titling information held by the private operator
- users of the Central Register of Restrictions – including selected NSW government agencies and non-government entities, such as utility companies providing electricity, water and gas and the Commonwealth Department of Defence.
The data flows within the system are complex and interdependent. Many of the participants are critical to maintaining the integrity and security of the land titles registry. Each class of participant has different governance arrangements and controls for their participation. As shown in Figure 1, the ORG regulates and oversees, to varying degrees, this system of multi-layered rules, relationships and arrangements, with the concession deed between the NSW Government and private operator being at the core of the system.
In granting the concession, the government committed to a ‘robust regulatory regime’ and a ‘tight regulatory framework’ overseen by a ‘strong regulator’
In granting the 35-year concession to the private operator, the NSW Government committed to ensuring that the monopoly functions of providing titling and registry services would be ‘appropriately regulated’.
In commencing the process of granting the concession, the NSW Government set out what it described as a ‘robust regulatory regime’ that would apply to the concession. Of particular relevance to this audit, the government also established that:
- the Registrar General would monitor and enforce the operator’s compliance with regulatory requirements, including the terms of the concession deed
- the Registrar General would have a general power to direct the private operator to perform tasks ‘… in the public interest’.
In the September 2016 second reading speech accompanying the passage of the enabling legislation for the concession through NSW Parliament, the then Treasurer further highlighted that:
- the service standards defined in the concession would include ‘… a penalty regime should the private operator fail to comply’
- the Registrar General would have regulatory oversight of ensuring that the private operator adopted ‘appropriate data security and fraud detection practices’.
The second reading speech also highlighted the role of the Registrar General in overseeing how other participants in the land titling and registry system should perform. This included approving the standard terms on which the concession holder is to deal with its wholesale customers and intermediaries (including ‘subscribers’ to the operator’s services, such as banks, conveyancers and solicitors).
In January 2017, the then Registrar General explained his view that the arrangements for the concession would ensure that the ORG would be able to provide an ‘… independent, credible, stable and well mandated regulatory framework [that] will give confidence to customers and the business itself’. He further explained that:
… an effective monopoly operator requires effective regulation … Customer interests are served by a strong regulator to ensure the monopoly operator is not letting down consumers. But equally, the private operator will benefit from stability and the knowledge that it can use its expertise to make decisions without unwarranted government intervention. |
On 6 April 2017, the then Registrar General further said that his office would follow a ‘modern regulatory approach’, which would include a ‘… focus on material things – where an operator’s actions are not in the spirit of the deed’s objectives’. The audit did not find evidence of how the ORG assesses deviation from the ‘spirit of the deed’s objectives’.
On 12 April 2017, the Premier and the Treasurer jointly announced the successful bidder for the concession. In doing so, their media release drew attention to the:
- ‘tight regulatory framework’
- ‘rigorous legislative and contractual safeguards around the concession to ensure the continued security of property rights and data’
- establishment of a ‘… new external regulator – the Registrar General – to enforce [the operator’s] performance during the concession, with power to monitor and audit performance, and even resume control of the LPI business if required’.
The Registrar General was not a newly established statutory position, although the role was provided with new regulatory functions and powers under the concession deed.
The task of overseeing and monitoring a private company operating and maintaining a monopoly service that uses government-owned systems (and where title is government-guaranteed) poses new and complex challenges for a regulator like the ORG, which previously performed stable and mature administrative and regulatory functions.
The ORG has made only limited use of the compliance and enforcement tools available to it under the concession deed
Seven years into the concession, the ORG is still in the relatively formative stages of settling its approach to the use of its regulatory powers under the concession deed.
The ORG has an experienced and highly qualified workforce, with substantial capability in areas such as property law, as well as a directorate focused on cadastral integrity. It has substantial capacity to administer its longstanding and relatively wide-ranging pre-concession responsibilities. This includes actioning matters under the Torrens Assurance Fund, conducting compliance audits of property plans prepared by registered surveyors and providing advice to government on relevant policy and reform.
In comparison to these longstanding, well-organised and well-understood responsibilities outlined above, the ORG is still forming its approach to exercising the full spectrum of its compliance and enforcement powers under the regulator–operator model. In some instances, this has limited its effectiveness in resolving regulatory issues raised later in this report.
The ORG has eight regulatory compliance and enforcement options available to it under the concession deed and the enabling legislation. The options are listed below, ranked according to their seriousness and frequency, with step-in and termination powers being both the most serious and least likely option to be applied:
- raise issues at governance forums
- informal letters escalating to formal letters
- approvals with conditions attached
- audit and review powers
- financial penalties for breach of service levels
- reserve power directions
- corrective action plans
- step-in and termination powers.
These options can be specific to circumstances and not all are available for all matters. For example, the ORG does have not a broad-based power to issue financial penalties for performance gaps except where specified in the concession deed.
Since the commencement of the concession, most issues with the private operator’s performance have been addressed without escalation beyond the exchange of formal letters. However, this approach has not always led to adequate or timely resolution.
A number of longstanding issues have been raised by the ORG regarding plan examination and subscriber compliance audits, as set out in section 5 of this report. Despite their significant importance to the integrity of the land titles registry and the potential for errors with financial and personal impacts on customers, these matters have not generally been escalated beyond discussions or letters.
The ORG does not have a formalised approach to how it will routinely and effectively exercise its compliance and enforcement functions and powers
The audit assessed whether the ORG has a clear statement of its regulatory posture or its approach to regulation on which to base its regulatory decision making. In its ‘Regulation insights’ report (March 2024), the Audit Office of NSW highlighted that regulators need clear escalation thresholds and enforcement policies to promote credible and proportionate regulatory actions. The concession deed sets out that the materiality of service level breaches is determined based on the operator’s culpability, the impact on the customer and whether the breach has occurred previously.
The ORG lacks a clear approach to how it would effectively exercise the regulatory tools available to it under the concession, such as:
- requiring ad hoc reports that are prepared in a timely manner and to an adequate standard
- issuing penalties for non-compliance
- conducting its own audits
- conducting a major review of the concession (the prospect of which was raised by the ORG with the private operator in 2022 but has not proceeded).
This is despite assurances (as described earlier) from the NSW Government at the commencement of the concession that these tools would be available and used by the regulator.
In September 2023, the ORG developed an initial approach to the use of concession deed levers to provide a ‘practical and proportionate approach’ to exercising its monitoring and oversight functions for the concession. However, neither these principles, nor any alternative, have been drawn upon to inform a codified regulatory or enforcement policy. The ORG advised that it is developing an approach to escalating matters through the hierarchy of available regulatory and enforcement tools.
The ORG is spending less on its regulatory functions than the fee paid by the private operator to support those functions
Under the concession, the private operator provides an annual indexed fee to fund the services delivered by the regulator. The concession deed says that this fee is paid ‘… in consideration for the [Registrar General] performing the regulatory and enabling functions contemplated by this Deed’.
In 2017–18, $8 million was allocated in the NSW Budget ‘… to be spent on regulating the operator of the NSW land title and registry system, ensuring its security and stability while enhancing service levels’.
In 2023–24, the department requested from NSW Treasury a budget of $8.26 million for the ORG, ($260,000 more than the 2017–18 allocation). This was also around 25% less than the mandatory fee paid by the private operator under the concession deed, which was $10.49 million. The balance of the fee paid by the private operator is retained by the NSW Government in the Consolidated Fund for general purposes.
The ORG undertakes a range of policy and reform projects that it tracks separately from its ‘business as usual’ activities. Not all these projects were envisaged when the concession was granted. For example, the interoperability project to support the introduction of national competition in the electronic lodgment network (ELN) is a substantial and complex national reform that has been led by the ORG on behalf of NSW.
NSW’s contribution to this project-based work is undertaken effectively within the same budget parameters and staffing as established when the concession was granted. At the time of the audit, the ORG’s project workplan includes 32 distinct projects, with one additional recent project being reclassified as ‘business as usual’ and two previous projects put on hold. The project plan includes activities relating to significant government reforms such as interoperability and digital survey plans reform, as well as matters that are regulatory in nature or which support regulatory priorities.
The audit heard from some stakeholders that the ORG’s focus on project-based work, including government reform initiatives, risks reducing resources available for its functions to monitor and oversee participants in the land titles registry system to the degree anticipated by government when the concession was granted.
As discussed in sections 6 and 9 of this report, this audit found that the ORG has capability and capacity gaps in specialist skills, particularly in strategic IT and regulatory policy and implementation. It is beyond the scope of this audit to consider whether these gaps could be addressed within the existing funding or whether the ORG required a revised budget that more closely aligns with the fee paid by the private operator.
The complexity of the land titles system limits the extent to which the ORG can oversee potential integrity and security risks on a whole of system basis
The ORG has varying approaches, powers and functions to regulate different participants in the land titles system, the complexity of which is increased by various third-party users and reseller arrangements that apply to land titles data. As discussed later, this complexity limits the ORG’s direct monitoring and oversight of potential risks or non-performance by system participants other than the private operator.
Table 1 provides further information on the regulatory arrangements for stakeholders accessing and informing the land titles registry.
Participant | Governance instruments | Role of the ORG |
Subscribers such as solicitors, conveyancers and banks provide documents to ELNOs (as intermediaries) to lodge on registers. | The concession deed details the operator’s requirements to conduct subscriber audits and inform the Registrar General of their outcomes. The private operator is required to carry out audits of subscriber compliance with the NSW Participation Rules. NSW Participation Rules are set by the Registrar General and detail the requirements for subscribers to be eligible for, and to use, the ELN. The Participation Rules require, among other things, subscribers to:
The Electronic Conveyancing (Adoption of National Law) Act 2012 requires subscribers to comply with the Participation Rules set by the Registrar General and provides the Registrar General with the power to conduct investigations. The Registrar General sets the Participation Rules under s. 23 of the Electronic Conveyancing (Adoption of National Law) Act 2012. | The ORG oversees the private operator’s subscriber compliance program that is carried out according to the national subscriber compliance program agreed by Australian Registrars National Electronic Conveyancing Council (ARNECC). The private operator may refer subscribers to the ORG where it identifies potential non-compliance; the ORG then directly investigates potential non-compliance with the NSW Participation Rules. The Electronic Conveyancing (Adoption of National Law) Act 2012 states that the Registrar General may undertake an investigation ‘receiving a request or complaint from any person or on the Registrar’s own initiative’ to ascertain compliance with the NSW Participation Rules or to investigate suspected or alleged misconduct in using an ELN. The ORG has the power to suspend or cancel subscriber access. |
Registered Surveyors lodge plans to the private operator for registration. The land titles registry is updated once the plans are registered. The lodged plans must comply with relevant legislation and standards to be registered. | Cadastral Integrity Unit Audit Survey Procedures sets out responsibilities and procedures for implementing the ORG's survey audit program, which includes examining plans to assess compliance with requirements and providing a process for referring cases of sustained non-compliance to the Board of Surveying and Spatial Information (BOSSI). The Surveying and Spatial Information Regulation 2017 regulates the activity of surveyors, including the requirements for plans that are lodged with the private operator on behalf of the Registrar General. | Conducts its own active audit program of plans that have been registered by the private operator through desktop and field-based audits. The Cadastral Integrity Unit Audit Survey Procedures detail the risk-based selection approach used in identifying plans. Matters of potential serious non-compliance can be referred to BOSSI, which is responsible for investigating complaints and undertaking disciplinary action against registered surveyors. |
Electronic Lodgment Network Operators (ELNOs) are the intermediary between subscribers and the registries maintained and operated by the operator. | The Electronic Conveyancing (Adoption of National Law) Act 2012 adopts the Electronic Conveyancing National Law in NSW, which details compliance requirements for subscribers and ELNOs and the powers of the ORG in approving the operation of ELNOs. The Act requires ELNOs to comply with operating requirements determined by the Registrar General. The Electronic Conveyancing Enforcement Act 2022 provides the Registrar General with powers to penalise ELNOs, including through financial penalties that range from $250,000 to a maximum of $10,000,000. General Conditions are standard operating conditions that apply to ELNOS that have been approved for operation in NSW. This includes requirements to report any problem or incident affecting the security, integrity or performance of the ELNO. | The ORG directly regulates ELNOs through conditions of participation in NSW. It has the power to undertake compliance examinations of ELNOs under the Electronic Conveyancing (Adoption of National Law) Act 2012 and can penalise ELNOs through the application of financial penalties under the Electronic Conveyancing Enforcement Act 2022. The ORG participates in an annual review of ELNOs’ self-assessed compliance as part of the ARNECC. |
Information brokers have read only access to the registry and provide fee paying customers with access to NSW land titling information. | The Services Broker Agreement, a part of the concession deed, details the operator’s powers, and requirements for information brokers. This includes:
| The private operator is primarily responsible for managing information brokers and requires annual reports on them regarding compliance. The private operator has the power to suspend access to information on the land titles registry to any information broker where it is of the opinion that breaches or failures in digital safeguarding has occurred. As part of the concession deed, the ORG also reviews the criteria used by the operator to approve information brokers. The ORG has the power to conduct an audit of an information broker’s use and delivery of property information for the purposes of ensuring compliance with the agreement. |
Government and non-government organisations | A range of individual governance arrangements apply across individual government and non-government agencies, including memoranda of understanding and management deeds. Where a NSW Government agency has rights to access land titles registry data under the concession deed it is not mandatory for it to enter into a memorandum of understanding, although it is considered good practice governance. | The ORG and operator directly negotiate and oversee these agreements, with varying levels of oversight depending on the individual arrangement. |
Source: Audit Office analysis.
The ORG does not have a longer-term strategic plan for proactive compliance activities
Since December 2018, the ORG has issued the private operator an annual letter setting out ‘joint priorities’ for the forward year. While each letter is signed and issued by the Registrar General, the private operator has the opportunity to comment on proposed ‘joint’ priorities.
The annual priority letters are not issued under the terms of the concession deed and are statements of the regulator’s expectations, rather than binding obligations on the operator. The priorities are derived primarily from internal staff consultation, but also consider external stakeholders, existing or emerging reform topics, and progress achieved in meeting previous priorities. While the letters set out annual priorities, they are also intended to ‘… track progress on long-term objectives’.
These annual priority letters are effective in demonstrating a considered approach to articulating the regulator’s expectations of the private operator for that period. The ORG sets out specific ‘success measures’ (usually in the form of milestone progress or completion dates) for how priorities will be assessed.
The priorities set out in the annual letters are subsequently discussed and tracked at various governance meetings, as required under the concession deed. However, there have been few consequences if the private operator does not meet its priorities. Over the course of the concession, a number of reoccurring priorities point to intractable issues, about which the ORG has been dissatisfied. This has included matters that go directly to the integrity of the registers, such as the examination of submitted plans and subscriber compliance (particularly as assessed by the subscriber compliance examination process).
Until recently, the ORG did not include its own annual priorities in these letters. Rather, yearly priority letters to the private operator referenced government or joint priorities. In comparison, the most recent priority letter for 2025 provided a clearer articulation of the rationale between the annual priorities and the intended outcomes of the concession deed. The audit did not source evidence that the ORG set longer-term or strategic priorities for how it will proactively exercise its regulatory functions, such as a forward program of compliance activity, ad hoc reviews or audits.
The ORG ensures that the private operator meets its obligations to provide service level performance reporting
The concession deed provides for extensive performance reporting by the private operator against defined service levels or KPIs. While government statements at the commencement of the concession suggested there were 55 KPIs, this is inaccurate as it includes numerous sub-measures. Currently, 14 service level KPIs are reported quarterly on the ORG’s website. The publishing of service level performance has been explained by the ORG as bringing ‘… a new level of transparency to the NSW’s land titles registry’ to better hold to account the private operator and be a feature of the new regulator–operator model.
The private operator exceeded all published services for each of 24 consecutive quarters from the start of the concession until January–March 2024. This may suggest that the existing published service levels are not sufficiently challenging to support continuous improvement in the future. In addition, as discussed below, not all service level KPIs are published.
The ORG has proposed a review of service levels to identify those no longer relevant. This considers the substantial reforms to the land titles registry system have occurred since the concession commenced, including the move to 100% electronic conveyancing. Stakeholders also expressed a view to the audit that the existing published service levels are too focused on time measures, and do not sufficiently address quality and client satisfaction. It was also understood between the regulator and private operator early in the concession that ‘… as we move forward, customer behaviour will change, along with what is important to customers’.
The ORG has granted penalty relief for service level breaches, although there has been no public transparency about these decisions
There have been instances where the ORG has elected not to issue financial penalties where the private operator breached required service levels. While this discretion is a matter for the regulator to exercise, public transparency is lacking as to the underlying breach or the penalty decision. Service levels not achieved are not included among those published on the ORG’s website.
For example, from October 2020 to September 2023, the ORG granted penalty relief for 33 breaches of the private operator’s obligation to ensure specific data feeds to NSW Government agencies and local councils occurred within specified timeframes.3 A series of data feed failures in a legacy IT system was the catalyst for the private operator’s failure to meet the service level. The audit notes that the private operator’s interpretation of the relevant service level varied from the ORG’s interpretation, and suggested a smaller number of breaches than the 33 assessed by the regulator.
This penalty relief was initially granted in October 2020, then extended in May 2022 until September 2023. The ORG granted the penalty relief:
- in recognition of the private operator’s commitment to upgrade the legacy IT system causing the data feed failures
- because the ORG considered the impact on affected customers to be negligible.
As early as December 2019, the ORG had identified to the private operator that upgrading the legacy IT system was a priority. In August 2020, the ORG described the upgrade as ‘… critical to ensure accurate and complete data is provided to customers’ and asked the private operator to ensure that it is completed ‘… without further delay’.
The ORG did not extend its penalty relief beyond 30 September 2023. No breaches were reported to have occurred after this time. The upgrade to the legacy IT system is expected to be completed no earlier than January 2025.
The service level that was not met on up to 33 occasions is not included among the 14 service levels reported publicly on the ORG’s website. There was no public transparency about the operator’s non-compliance, or the ORG’s decision to provide penalty relief to the operator. The ORG did not publish a notice that it had afforded penalty relief to the operator, nor was this mentioned in the department’s annual report. The ORG’s view is that publication of these service level breaches was not required as they only affected government agencies.
This audit has not assessed the merits of the ORG’s evaluation of the service level breaches or its decision to extend penalty relief for non-compliance. The concession deed allows the ORG to make these types of decisions. However, when the concession commenced, the NSW Government stated that a consumer benefit of the concession would be ‘increased transparency’ due to the regulator being able to:
… publicly report on the operator’s performance including service levels, breaches of the concession terms and statistics in relation to TAF [Torrens Assurance Fund] claims. |
Prior to the concession, it was already the Registrar General’s practice to publish statistics about claims and payments under the Torrens Assurance Fund in the department’s annual reports. Since the concession, the only opportunity for increased transparency is through reporting on service levels and breaches, including about how the ORG responds to breaches, such as by extending penalty relief over extended periods of time.
When the concession commenced, the NSW Government also highlighted that, as the regulator, the ORG would have a range of regulatory options including ‘… a penalty regime should the private operator fail to comply’. The community and stakeholders were not told that the ORG could choose to waive penalties in response to breaches. Nor were the community and stakeholders told the circumstances in which such relief might be extended. This underscores the importance of the ORG being publicly transparent when it makes these decisions, including to explain their justification, so as to ensure that community trust and confidence in the regulator is maintained.
The ORG’s monitoring and oversight of how the private operator manages legacy IT systems is discussed further in section 6.
The detailed terms of the concession are not publicly available and there is a statutory presumption against their disclosure under the Government Information (Public Access) Act 2009
Much of the substantive detail about the regulatory requirements for granting the concession is contained in the concession deed document that was executed between the NSW Government and the private operator. This document is not public. Moreover, the enabling legislation for the concession included an amendment to the Government Information (Public Access) Act 2009. This amendment established that it is to be conclusively presumed that there is an overriding public interest against disclosure of information contained in any document ‒ including the concession deed ‒ prepared for the purposes of, or in connection with, the authorised transaction unless approved by the NSW Treasurer. NSW Treasury was not able to provide an explicit reason why this provision was included in the enabling legislation, other than to note that a similar provision was included in the 2015 electricity network transaction enabling legislation.
Key elements of the concession deed were modelled on the arrangements for the franchising of the Sydney ferries service, including:
- the model for service levels and penalties
- the transfer of administrative powers and functions to the operator
- the approach of adopting minimalist legislation supported by a detailed contract.
This framework is also similar to that adopted for the Greater Sydney Bus Contract. Both contracts (ferries and buses) are publicly available on Transport for NSW’s website (with redactions where necessary to maintain commercial confidentiality).
During consultation on the enabling legislation for the concession, external stakeholders noted that the delegation of key provisions to a confidential document detracts from promoting transparency and community confidence in the regulatory arrangements for the concession.
The ORG has not published a ‘regulatory charter’ as provided for under the concession deed
Clause 29.1(b) of the concession deed provides that the ORG may publish a ‘regulatory charter’ that contains:
- the division of responsibilities between the ORG and the private operator
- ring fencing and non-discrimination requirements
- dispute resolution processes
- the ORG’s rights in relation to reserve power directions
- the ‘customer terms’
- obligations in respect of ELNOs
- complaint handling arrangements.
The ORG has not published a regulatory charter, although some of the content envisaged by clause 29.1(b) is available across the ORG’s website. For example, the ORG’s website provides information about how individuals may apply to have a decision of the private operator reviewed by the ORG.
The ORG reviews an annual customer satisfaction survey conducted by the private operator, which has reported increased rates of satisfaction over the term of the concession
Regarding other measures of performance, the concession deed requires the private operator to conduct an annual customer satisfaction survey. The private operator has reported to the ORG improved levels of customer satisfaction with its services. While the audit has not assessed the survey data, the private operator has reported in its most recent survey that 71% of respondents were satisfied, up from around 50% at the start of the concession. Over the duration of the concession to date, these surveys have been run both internally by the private operator, and more recently by an external survey provider commissioned by the operator.
The private operator is also required to submit at regular intervals (annually or up to 18 months) updates to its technology roadmap and business plan. These documents are assessed by relevant subject matter experts within the ORG or the wider department and feedback is provided to the private operator on their adequacy. For example, a range of annual reporting requirements for FY23 relating to fraud and crime prevention, error reports, business continuity and incident management, and the technology roadmap were provided to Department of Customer Service IT for review.
The ORG has implemented an effective governance structure to support its regulation of the land titles registry system
The ORG has implemented a series of forums with the private operator to discuss strategic and operational matters. As required by the concession deed, these are:
- a Joint Consultation Committee (JCC)
- an Operations and Performance Committee (OPC)
- an Information Technology sub-committee (ITC).
The concession deed specifies that this governance framework is intended to:
- guide and monitor the performance of the concession
- oversee compliance with specified service levels
- resolve issues as required
- establish a framework to maintain an effective relationship between key personnel of the ORG and the operator.
These committees have clear terms of reference, which have been subject to review. The ORG has demonstrated, through meeting papers and minutes, that these committees meet regularly, consider substantive matters as envisaged by the concession deed, and are effectively administered and recorded.
The ORG has also established a stakeholder forum that includes senior representatives of key stakeholder groups. This forum is intended to foster multilateral communication between the regulator, operator and stakeholders. Some stakeholders expressed the view to the audit that the focus of this forum has evolved to facilitate feedback and updates from the regulator and operator, rather than provide opportunities for industry stakeholders to ask questions or raise issues. Notwithstanding, the ORG did provide evidence that issues raised by stakeholders at this forum were subsequently escalated to JCC or OPC meetings.
The ORG also has a series of bilateral regular engagements with key stakeholders, as well as specialist or project based working groups with the private operator and other system participants.
The ORG appropriately manages potential conflicts of interest
The ORG has recognised that the separation of the former Land and Property Information unit of the Department of Customer Service into separate regulator and operator entities meant that staff working in each entity may have close pre-existing professional and personal relationships. This heightens the need to identify and manage potential conflicts of interest to ensure credible and transparent regulation.
The ORG manages conflicts of interest by following applicable department policies. The audit reviewed conflict of interest declarations made by all ORG managers at NSW public service clerk levels 11/12 and above for the past three years. The audit found that declarations had been submitted and any conflicts addressed.
3 The breaches were of the ‘Core Data for Government Agencies Service Level’, which measures the number and availability of Core Data supplied to certain Government agencies that the operator successfully provides within required timeframes and hours of availability.
The land titles registry system is multi-party, with different powers and tools available to the ORG for each party. In summary, the ORG can address non-performance to varying degrees over:
- the private operator, through the multi-tiered framework described under section one of this report
- the ELNOs, which may be subject to suspension or termination (neither of which are practical options if the system is to function), as well as compliance examinations, remedial directions and application to the NSW Supreme Court for financial penalties
- authorised subscribers, who may have their access to the ELN suspended or cancelled (this regime is currently under review to broaden the Registrar General’s enforcement options)
- registered surveyors, who may be referred to the Board of Surveying and Spatial Information (BOSSI) for professional disciplinary action.
The number of claims and the total annual payments under the Torrens Assurance Fund have declined since 2014–15
The Torrens Assurance Fund (TAF) is a statutory compensation scheme designed to compensate people who, through no fault of their own, suffer loss or damage as a result of the operation of the Real Property Act 1900. This loss or damage can be a result of an error, misdescription or omission in the register. When granting the concession to the private operator, the government gave the assurance that the TAF would continue to operate and be administered by the ORG. The ORG has a longstanding function to receive and determine claims made under the TAF.
Relative to the number and value of matters addressed by the land titles system, the number of claims and total payments paid under the TAF is relatively small. As shown in Figure 2, between 2014–15 and 2022–23, the number of claims varied between seven and 40, while the payments paid under the TAF varied between $93,032.21 and $3,168,143.
This audit has focused on two primary processes when considering how the ORG obtains reasonable assurance about the quality of information held on the registers maintained by the private operator. These are:
- the examination and registration of plans by the private operator
- the registration of dealings by the private operator.
The concession deed requires that the private operator, in undertaking these functions, must, among other things, act in good faith, as well as act reasonably and on reasonable grounds. In each case, plans and documents must be entered promptly and accurately onto the relevant register.
These two processes and their role in supporting the integrity of the land titles registry are discussed in turn below.
The land titles registry is one of the department’s IT ‘crown jewels’
As the principal department for the ORG, the Department of Customer Service has identified the IT system supporting the land titles registry as a ‘crown jewel’ under the NSW Government Cyber Security Policy. Classification as a crown jewel provides the land titles registry with priority within the department when investment, fixes, patching and resource allocation are considered.
The ORG receives dedicated cyber security support from the department’s Office of the Chief Information Security Officer in the form of an identified business support officer. During the audit there did not appear to be a similar dedicated resource from the department’s general ICT division. The ORG has stated that the lack of dedicated support in this area risks that ‘institutional technology expertise is not built up or retained within Government to effectively monitor the [operator’s] management of this asset’.
However, from October 2024, DCS ICT has provided the ORG with a dedicated business partner who attends monthly meetings to discuss ICT matters and attends ICT Committee meetings on an as-needed basis.
While the IT system supporting the land titles registry is a critical IT asset, it is unclear how roles and responsibility are assigned for ensuring compliance with the NSW Government Cyber Security Policy
The NSW Cyber Security Policy provides guidance and mandatory requirements for agencies relating to cyber security. The ORG could not clarify whether it, or the department more widely, is responsible for ensuring compliance with the NSW Cyber Security Policy, as well as the role expected by the private operator. This creates a potential risk that protections contained in the policy will not be extended to the land titles registry and that there may be gaps in accountability.
The 2023–24 version of the policy contains three requirements relating specifically to crown jewels:
- agencies to identify and document external upstream and downstream dependencies of enterprise ICT (including cloud), operational technology and Internet of Things assets (specific requirement 1.6.4)
- agencies must assess and identify crown jewels and classify systems (mandatory requirement 1.7)
- agencies must conduct periodic reconciliation of data assets against data retention requirements (specific requirement 1.8.2).
The department appears to have complied with mandatory requirement 1.7, in that it has identified the land titles registry as a crown jewel. However, it explained that it did not have visibility or control over the upstream and downstream systems used by the private operator. Accordingly, to the extent that it may be responsible, the department acknowledged that it does not comply with specific requirement 1.6.4. While it was not specifically examined, the audit did not receive any evidence that the department complied with specific requirement 1.8.2.
While the department is not fully compliant with the requirements of the NSW Cyber Security Policy, its view is that:
- the concession deed requires the private operator to maintain technical and organisational measures that are no less rigorous than those that applied prior to the concession
- the cyber security measures taken surpass those that would apply under Department of Customer Service policies
- the regulator retains oversight of the private operator’s compliance with its requirements under the concession.
Notwithstanding these assurances, neither the department, nor the ORG itself, provided any evidence demonstrating that the protections provided by the private operator have been reconciled against all the requirements of the NSW Cyber Security Policy, including the specific clauses that apply to crown jewels. As discussed below, neither the department nor the ORG have considered the implications of the private operator being deemed a ‘third-party service provider’ under the NSW Cyber Security Policy.
The NSW Cyber Security Policy allows that not all its requirements must be uniformly implemented across the agency. However, where an agency seeks an exception to the policy, it should ensure that the exception is ‘… documented and approved by an appropriate authority through a formal process’. The ORG did not provide evidence that any exception to the requirements of the Cyber Security Policy (such as non-compliance with specific requirement 1.6.4) had been documented and approved.
The ORG has determined that the private operator is a third-party service provider under the NSW Cyber Security Policy, although the implications of this have not been fully examined by the ORG or the department
During this audit, in November 2024, the ORG obtained advice from Cyber Security NSW that the private operator is a ‘third-party service provider’ under the NSW Cyber Security Policy. The policy has a number of specific requirements relating to third-parties.
Mandatory requirement 1.10 of the NSW Cyber Security Policy requires agencies to ‘identify and manage third-party service provider risks, including shared ICT services supplied by other NSW Government agencies’.
Section 6.12 of the Cyber Security Policy provides agencies with guidance on their responsibilities for managing the cyber security requirements and risks posed by third-party providers to assist agencies implement mandatory requirement 1.10. This section includes responsibilities such as:
- ensuring third-party risks are considered in enterprise risk management processes
- conducting regular management of third-party risks through ongoing risk-based reviews to verify compliance with contractual agreements and security measures.
The designation of the operator as a third-party service provider to the ORG is a recent classification and the implications of this have not been fully considered by the ORG or the department.
The ORG has ensured that cyber security obligations are included in the private operator’s arrangements with its own contractors
The audit also considered what assurance the department or the ORG has obtained regarding the adequacy of cyber security provided by contractors to the private operator. Clause 39 of the concession deed establishes that:
- the private operator must ensure that its third-party service providers and subcontractors comply with all terms of the deed relevant to the operator’s obligations, including to maintain adequate cyber security
- the private operator is liable for all acts and omissions of its subcontractors.
The ORG and the private operator have agreed to a process whereby the latter notifies the regulator when new subcontractors are engaged and provides assurance that subcontractors comply with the requirements of clause 39.
The ORG has also approved a table of clauses that must be included in any subcontracting agreements that the private operator makes with its own third parties. These clauses include obligations for adequate cyber security.
The ORG has ensured security testing is conducted on the core systems and services of the land titles registry
The concession deed imposes requirements on the private operator relating to the security of the land titles registry, including that the private operator must:
- ‘… establish, maintain, enforce and continuously improve reasonable technical and organisational measures’ across a range of specific areas aimed at protecting data and preventing unauthorised access and use
- maintain technical and organisational measures that are no less rigorous than those the land registry was subject to prior to the concession
- engage in third-party audits in relation to its compliance with the applicable information security standard (ISO 27001), and provide these reports to the ORG.
The ORG has relied on subject matter expert advice from within the wider department to determine that the private operator is satisfying these requirements, including by providing third-party certification of its compliance with ISO 27001. The ORG provided evidence of this certification.
Clause 25.1 of the concession deed requires that the private operator must, to the extent reasonably requested by the ORG, test and evaluate the performance of core systems and services, which may include security testing such as ‘… vulnerability testing, penetration testing, manual configuration tests and reviews, self-assurance testing and other vulnerability and threat assessment testing’. This testing and evaluation has included assessment of the operator’s controls relevant to the System and Organisation Control 2 (SOC 2) Security and Availability Trust Services Criteria.
The ORG has ensured that the private operator has completed ISO2001 certification and has conducted SOC 2 assessments. Relevant materials are reviewed by subject matter experts from both the ORG and broader department and discussed at ITC meetings. This audit reviewed a sample of SOC 2 documents and found no significant weaknesses.
Consistent with clause 25.1 of the concession deed, the ORG has also required the private operator to conduct a program of penetration tests on its systems. Penetration testing is a useful mechanism for assessing the potential vulnerabilities of an IT system. However, penetration testing does not offer assurance of the security of a system. Reasonable assurance can only be derived by the effectiveness of security controls, including those implemented to address any vulnerabilities identified by penetration testing.
The ORG assesses and monitors how the private operator responds to vulnerabilities identified by its penetration testing program. The ORG reviewed test reports and discussed these with the private operator during ITC meetings. However, the effectiveness of this monitoring has been hampered by the ORG’s lack of a central registry of issues or vulnerabilities. This limits the ability of the regulator to easily monitor trends and risks or review historic issues.
The concession deed does not specify minimum acceptable standards for the conduct of penetration testing or other forms of system test. Moreover, it is the private operator that is responsible for conducting the testing. When the ORG reviews the results of the operator’s security testing, it also has the opportunity to assess the adequacy of the design and conduct of the tests (including to ensure that the scope and timing of each test provides adequate assurance that vulnerabilities have been identified).
However, as security testing is a requirement of the concession deed, the ORG – as the regulator and consistent with regulatory good practice – should be clear about its expectations for what constitutes appropriately rigorous test methods. These expectations should be effectively and proactively communicated to the private operator, and not left to be raised in retrospective review comments.
The ORG has become increasingly focused on potential risks posed by aging legacy IT systems and how any risks should be mitigated
When granting the concession, the NSW Government’s stated expectation was that the private sector would ‘… have strong incentives to invest in new technology, resulting in significant improvements to the system, and benefits for consumers’. There was an expectation at the outset of the transaction that the successful bidder would, at some time, ‘refresh’ the existing legacy IT systems on which the land titles system operates. While unspecific at the time, a system refresh could include either upgrade or replacement.
However, it was not clear in the bidding documents exactly when and how a successful bidder would be required to address the risks from legacy IT systems. The Information Memorandum provided by NSW Treasury to potential bidders noted that the expected response of the successful bidder:
… could range from a limited refresh of technology components (e.g. graphical user interface front end, etc.) or extend to a complete re-platforming and redevelopment of ITS [Integrated Titling System] as reported by other jurisdictions. |
Commitments to replace legacy systems were included in the private operator’s business plan and technology roadmap submitted as part of its bid, with the business plan committing to the ‘decommissioning of legacy systems by the end of 2019’.
The private operator has ‘de-risked’ some parts of the legacy environment, including the Historical Land Records Viewer and its website, and is currently working (albeit to a delayed schedule) to upgrade a key system, the Integrated Property Warehouse (IPW). However, the replacement of legacy systems ITS (Integrated Titling System) and DIIMS (Document and Integrated Imaging Management System) was removed from the operator’s 2023–24 technology roadmap. An external strategic technology review commissioned by the ORG in 2023 recommended to the regulator that the operator should be asked to re-include this work in future roadmaps. This was so that a ‘complete risk assessment and project complexity, cost and delivery schedule’ could be understood.
While the matter had been raised previously, it appears that since 2023, the ORG has become increasingly concerned about the private operator’s management of legacy IT systems. The ORG has noted that the private operator has not conducted discovery work or risk assessments on these systems. In 2023, the ORG assessed the removal of ITS discovery work from the 2023–24 technology roadmap as ‘highly concerning’ and noted that it would, in response, ‘… consider the full range of levers under the Concession Deed’.
In July 2024, after considering an ‘escalated regulatory response’ to the operator’s perceived reluctance to conduct its own risk assessment, the ORG determined to initiate its own risk-based review of the longevity of the legacy core systems in conjunction with Department of Customer Service ICT personnel.
This performance audit has not assessed the risks posed by legacy IT systems and notes that such questions can raise complex technical issues. It is not necessarily the case that a legacy system is inherently insecure and there is evidence that the private operator has conducted work to insulate the core legacy systems from potential risks. Accordingly, the audit has made no finding about any level of risk posed by the legacy systems underpinning the land titles registry.
The approach taken by the ORG from July 2024 seems consistent with guidance published by the Australian Signals Directorate and the Australian Cyber Security Centre. This guidance highlights the need for agencies to implement a sound strategy to manage legacy IT, starting with developing an understanding of the business and security risks posed by such systems.
The ORG has recognised the importance of privacy to retaining confidence in the land titles system and actively addresses privacy issues with the private operator
The registers operated and maintained under the concession deed are public registers. That is, they can be accessed by anyone (in some circumstances, after the payment of a fee). While there are public interest reasons for this information to be publicly available, public registers can create a tension with individual privacy, where the information held in a register is personal identifiable information about an individual.
This tension can be exacerbated when it is compulsory to record information in a public register, thereby reducing the individual’s choice and control over their personal information. In some circumstances, it has been found that community concerns are exacerbated where public registers are operated and maintained by the private sector, for example, when the UK Government considered privatising its land titles registry.
In its privacy policy, the private operator of the NSW land titles system explains that the personal information that it may collect can include:
- name, address, age or date of birth, contact details
- information collected in connection with maintaining the various registers, including information about an individual’s property dealings, such as transfer and leasehold documents
- information related to the operator’s products or services, such as credit card or bank account details
- verification of identity information, such as passport information, rates notices, Medicare card details and drivers licence details.
In recognition of the privacy risks inherent to public registers, and the potential volume of personal information collected, privacy issues are recognised and discussed between the ORG and the private operator, including at JCC meetings between the Registrar General and the chief executive officer of the private operator.
For example, the ORG recognised a potential privacy risk in how the private operator was collecting information for its subscriber compliance audit process. This resulted in the ORG requiring the private operator to put in place a more secure method for collecting this information. Similarly, the private operator itself identified a potential privacy issue regarding the length of time it retained personal information for the same process.
As discussed below, privacy is also considered by the ORG in regard to new non-core service proposals from the private operator.
New services proposed by the private operator are subject to approval by the Registrar General and have been subject to privacy impact assessments
Privacy risks inherent to public registers can become greater where there are pressures to use that information for purposes unrelated to the original purpose of the public register (‘function creep’).
It was explicit in the NSW Government’s announcement regarding the granting of the concession that it was expected, not just permitted, that the private operator would identify, develop and deliver additional services using information collected for the purposes of the registry, while ensuring appropriate recognition of potential privacy concerns.
The concession deed has a mechanism requiring ORG approval of proposed new ‘non-core services’ by the operator. Since the concession was made, there have been four additional non-core services approved. These have each been accompanied by a privacy impact assessment prepared by the private operator and at the instigation of the operator. The ORG does not have standards for an acceptable privacy impact assessment other than the assessment should be prepared by a ‘reputable organisation’. Guidance published by the NSW Privacy Commissioner is that, where possible, privacy impact assessments should be published, which has not been the case for those assessed by the ORG (although commercial and competition issues around potential new information products could offer a justification for not publishing).
The audit assessed a sample of privacy impact assessments submitted to the ORG by the private operator. Consistent with the NSW Privacy Commissioner’s guidance, the assessments were found to be fit for purpose, in that their size and scope appeared consistent with the inherent assessed risk. The same guidance highlights that privacy impact assessments should be more than just compliance checks. This good practice advice is similar to that published by the Australian Office of the Information Commissioner.
The ORG has developed a template for assessing new non-core services. The template requires ORG staff to consider a range of issues, including privacy, when new non-core services are proposed by the private operator.
The ORG has limited visibility of how effectively other system participants ensure privacy of personal information
The ORG maintains a regulatory role over the operator. However, there are numerous other system participants who could adversely impact the integrity and security of the registry, including by impacting the privacy of personal information (whether deliberately or incidentally). The extent of the ORG’s regulatory oversight and powers varies according to the type of system participant.
For example, the ORG has powers under the concession deed to regulate the private operator directly, although it relies on the private operator to conduct compliance activities for subscribers. Its range of regulatory enforcement options also vary between system participants. Similarly, the concession deed provides for the ORG to issue penalties against the private operator, although not against subscribers or surveyors for non-compliance with their respective obligations.
In December 2018, the then Registrar General nominated a ‘joint comprehensive review of all potential privacy risks to LRS’ as a priority for the coming year to be completed by December 2019. By July 2019, minutes of the JCC record this priority as ‘deferred’. Subsequently, a comprehensive review of privacy risks has not been conducted. Such a review may assist in better understanding any potential system-wide privacy risks to the land titles system.
The ORG and NSW Treasury offered strong public assurance at the start of the concession that statutory privacy protections would apply to the land titles registry
The handling of personal information by NSW Government agencies is regulated by the Privacy and Personal Information Protection Act 1988 (PPIP Act). As well as setting out privacy principles with which NSW government agencies are required to comply, the PPIP Act also provides a statutory right for individuals to take complaints about the handling of their personal information to the NSW Privacy Commissioner, who may make binding decisions on agencies. The PPIP Act does not generally extend to private sector companies.
While NSW government agencies are covered by the PPIP Act, most private sector companies in Australia (as well as most Commonwealth government agencies) are covered by the Commonwealth Privacy Act 1988 (Privacy Act). The Privacy Act contains similar protections to the PPIP Act, although the regulator and dispute handler is the Australian Privacy Commissioner. Unlike the NSW Privacy Commissioner, the Australian Privacy Commissioner may make an enforceable determination requiring that a complainant be paid compensation for financial or non-financial loss. Section 39 of the enabling legislation for the transaction that underpinned the concession established that:
The authorised operator is deemed to be a [NSW government] public sector agency for the purposes of the Privacy and Personal Information Protection Act 1998 in relation to the exercise of titling and registry functions. |
This was made clear in the second reading speech to the bill for the enabling legislation, which stated that the PPIP Act ‘… applies to the private operator as if it were a public sector agency in the same way that it currently applies to LPI titling and registry Services’.
In April 2017, NSW Treasury published a fact sheet offering ‘consumer assurance’ that:
Like all companies that collect personal information, the private operator must keep personal data private in accordance with NSW and Australian law. |
Similarly, in March and April 2017, the then Registrar General made public presentations highlighting that the private operator was subject to statutory privacy obligations:
… the operator will only be able to use data to perform its obligations and must comply with obligations contained in Commonwealth and NSW privacy legislation’ Stakeholders have suggested a private operator will be less respectful of privacy and that individual data might be mis-used. I note that the private operator must comply with obligations contained in Commonwealth and NSW privacy legislation, just at it has to now. And the private operator will only be able to use data to perform its obligations to deliver core services. |
Accordingly, there appears to have been clear intention to offer assurance to the community that statutory privacy protections would apply to the land titles registry once the concession was made.
The ORG has not obtained assurance whether the private operator is covered by the Commonwealth Privacy Act
Despite the strong public assurances outlined above, there was uncertainty when the concession was granted about whether and how the Commonwealth Privacy Act applied to the operator.
As outlined above, the Commonwealth Privacy Act does not cover NSW government agencies. While it does generally cover private sector businesses (such as the private operator), there is an exemption for private sector contract service providers to NSW Government agencies for the purpose of providing services under their contract. Specifically, s. 7B(5) provides that the ‘acts or practices’ of private sector organisation are exempt where:
- the organisation is a contracted service provider for a state contract
- the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.
This was recognised in an information memorandum provided to bidders during the bid process for the concession. The information memorandum explained that the successful bidder may be subject to the Commonwealth Privacy Act, including to the exemption available ‘… as a provider of services to State Government’. The information memorandum concluded that ‘Compliance with the Commonwealth Privacy Act will be a matter for the private operator to assess’.
Accordingly, notwithstanding the confidence inherent in government public statements around the time that the concession was made, it appears unclear whether (and to what extent) Commonwealth privacy legislation applies to the land titles registry operator.
The ORG has not clarified whether an individual would complain about a privacy breach to the NSW or Australian Privacy Commissioner
Part 6 of the PPIP Act provides specific provisions for ‘public registers’ operated and maintained by NSW government agencies (noting that the private operator is deemed to be a NSW government agency by s. 39 of the enabling legislation for the transaction).
Part 6 of the PPIP Act sets out two specific protections for public registers held by NSW government agencies, these being:
- an agency keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept
- an individual may request that their personal information be suppressed from a public register if they can establish that its open inclusion would affect their safety or well-being.
However, clause 7 of the Privacy and Personal Information Protection Regulation 2019 exempts public sector agencies responsible for keeping certain prescribed public registers from the requirements set out in Part 6 of the PPIP Act. The registers operated and maintained under the land titles registry are included in the list of the public registers that are exempt from Part 6.
Accordingly, the two statutory protections specifically focused on public registers in the PPIP Act do not apply to the land titles registry.
While there are equivalent contractual restrictions in the concession deed, these measures are not accompanied by a statutory right for individuals to complain to the NSW Privacy Commissioner if their personal information is handled in a manner that would otherwise breach Part 6. In these same circumstances, for the reasons discussed above, it is also unclear whether an individual could complain to the Australian Privacy Commissioner if the potential breach relates to the private operator performing functions as a contract service provider to the NSW Government.
This jurisdictional complexity is further complicated by the private operator collecting different types of personal information, namely:
- personal information that must be collected onto registers to meet titling and registry legal requirements, such as the name of the title owner or mortgage information
- personal information that is collected by the private operator to support the operation and maintenance of the register and other products offered by the operator, such as payment and identity verification information.
The private operator publishes a detailed privacy policy on its website. This policy states that the private operator is required to comply with both the PIPP Act and Privacy Act, and to the extent of any inconsistency, it would comply with the latter. While this demonstrates a clear intention to ensure compliance with legislative privacy obligations, further clarity is required as to how this intention can be reconciled with the issues outlined above.
As the lead agency in managing the transaction and overseeing the preparation of its enabling legislation and concession arrangements, NSW Treasury could not provide evidence that the NSW Privacy Commissioner had been consulted during the drafting of either the enabling legislation for the concession transaction or the concession deed document.
The ORG has detailed policy and procedures for ordering the suppression of personal information on the land titles registry, although third-party information reseller arrangements mean that the ORG cannot ensure that personal information will be fully suppressed
The ORG may direct the private operator, as well as other parties, such as specific government agencies that use land registry information, to suppress personal information held on the land titles registry. Information about this option is provided on the ORG website. A suppression may be ordered in response to a request from a member of the public advising that their well-being or safety is at risk because the register may disclose their whereabouts.
In the 12 months to July 2024:
- 107 applications to suppress personal information were assessed
- 60 were accepted
- 47 were declined.
Due to the critical nature of name suppressions and the potential danger to the individual, it is a requirement that a suppression application be actioned on the day it is received by the private operator (when received during business hours).
The ORG has detailed policy and process documents for the suppression of personal information. These documents detail the information that is required to be provided by an applicant, as well as describing the decision-making process and how an accepted application will be actioned. The Suppression Policy requires the private operator and a specific government agency that uses and distributes land registry information to complete the suppression request within one business day.
Analysis performed by the ORG in September and October 2019 found that action in response to at least six suppression applications had been delayed by periods between three and six days. The ORG’s policy on the suppression of personal information now specifies that its privacy contact officer will actively monitor the action time of a suppression direction to ensure that the private operator actions any suppression order within one working day. For a sample period of January to June (inclusive) 2024, the ORG reported that the performance measure was met for each month. However, the complex flows of land titles information, and the multiple parties who may handle it, mean that it could reasonably be expected to take up to two weeks for suppression orders to be given full effect.
The audit reviewed a small sample of successful and unsuccessful suppression applications that had been received and determined during 2023–24. These are discussed below.
A sample of five successful applications highlighted the difficulties that the complexity of the land titles system poses in managing data. From the sample, it was found that the private operator actioned suppression orders in a timely manner. However, the time taken to action suppression orders was longer in the case of the government user.
When the government user receives a suppression notice from the ORG, it informs its seven data customers that they (and in turn their own unknown number of customers or resellers) have seven days to ‘remove all elements of personal information including the property sales information from any record held’. As the ORG is not a party to this data sharing arrangement and has no visibility of the agreements between the various parties, it has no mechanism to offer assurance about the effectiveness of the suppression process.
The ORG was able to demonstrate that the sample of unsuccessful suppression applications had been handled in accordance with its policy, including by explaining the process to the unsuccessful applicant and affording them the opportunity to provide further information.
The ORG is preparing a policy to explain the rights of the private operator, government agencies and other third parties to use land titles registry data for new services and products
The concession deed sets out a number of clearly defined ‘core services’ that the private operator is required to provide. In addition, the private operator may apply to the ORG for permission to use land titles registry data for other ‘non-core’ services. These non-core services can generate revenue for the private operator.
The NSW Government made clear when granting the concession that a policy objective was to promote innovation and improved customer service, including by permitting the private operator to develop new services, while also ensuring that the principles of the NSW Government Open Data policy were maintained. An objective of the Open Data policy is to promote the release of government data ‘… for use by the community, research, business and industry’ and to ‘inform the design of policy, programs and procurement’. The Open Data Policy is not a ‘free data’ policy but is based on the principle of ‘free, where appropriate’.
Under the concession deed, the private operator is entitled to claim compensation for prescribed ‘compensation events’. In broad terms, compensation events include where the private operator loses its exclusive right to maintain and operate the NSW land titles registry, including to facilitate authoritative searches of titles.
On 28 September 2021, the private operator submitted a claim for compensation under the concession deed. This claim concerned the use of data by the Spatial Services business unit of the department to create the NSW Spatial Digital Twin (‘Spatial Digital Twin’).
The Spatial Digital Twin is described by the department as ‘… a cross-sector, collaborative digital workbench for whole-of-government use, that will visualise location information, in a 4D model of the real world (3D plus time)’. It brings together many data elements from multiple sources across government, including information from strata plans registered in the land titles registry.
On 23 October 2021, the NSW Government rejected the private operator’s compensation claim. However, while rejected, the claim has not been withdrawn. The department has assessed the claim as being unfounded and, consistent with financial audit standards, it is not recorded as a liability in the department’s financial accounts. However, the department does include the claim in its ‘emerging issues return’ that agencies are required to provide to NSW Treasury.
It was beyond the scope of this audit to assess the merits of this specific claim. However, at a general level, the matter highlights that there may be different interpretations of the concession deed in regard to the permitted uses of land titles registry data and the related compensation provisions. This includes NSW Government agencies that had existing pre-concession rights to obtain data for specific purposes, as well as other system participants that obtain land titles data, such as ELNOs. If a common understanding is not established, then there are dual risks that:
- the potential for compensation claims may mute innovation in how NSW government agencies, and potentially others, use land titles registry data
- current or further claims for compensation by the private operator for uses of data by third parties may create financial liabilities for the State.
The concession deed includes provisions that permit certain government agencies to obtain land registry data. Those agencies may also enter into individual memoranda of understanding (MOU) with the ORG. These MOUs set out details about how and for what purposes each agency may obtain data. Consistent with the deed, the MOUs also permit agencies to use land titles registry data for ‘similar governmental purposes’ to those purposes specified in the concession deed. There is no guidance on the interpretation of ‘similar governmental purposes’.
The ORG first formally proposed an approach to resolve this matter in August 2021. However, it remains a live issue. The ORG’s annual priorities letter to the private operator for 2023–24 identified the need to achieve ‘clarity around the use of land registry data’, explaining that:
… the rules and roles around land registry data need to be clearly settled, to support government policy development; and to enable innovation for both government and the private sector to deliver new products to customers. |
Achieving greater clarity in this matter remains one of the ORG’s annual priorities for both itself and the private operator for 2024–25. The ORG is developing a data use policy intended to assist in addressing risks around data use by clearly communicating to stakeholders the ORG's position on the use of data from the various registers operated under the concession. This policy was still in draft form during this audit.
The ORG has ensured that business continuity and recovery planning has been prepared for the land titles registry
The private operator is required by the concession deed to develop, submit and test a business continuity plan. During the concession, the private operator has met this requirement by providing the ORG with required and related documents, including its Business Continuity Plan, Business Continuity Management System and Disaster Recovery Strategy, as well as a third-party assessment of the adequacy of the planning.
The private operator is required to annually test its continuity planning. The audit team sighted evidence of third-party testing of the business continuity plan, as well as ORG feedback on the adequacy of business continuity plans and engagement with tests.
The audit team assessed a sample of business continuity plans provided by the private operator to the ORG against the applicable international standard (ISO 22332). In addition, a sample of incident management and recovery plans were assessed against both ISO 22332: 2022 and ISO 27035.1:2017.
The audit team found that while the plans did not expressly claim to be prepared in accordance with any formal standard, they were broadly consistent with the requirements of the standards. For example:
- there was evidence that sampled plans had been reviewed annually or as required as a result of organisational changes or post incident review
- assumptions for the operation of the plan, and intersections with other key documents were clear
- specific roles and team members, including alternates where available, were identified with defined roles and responsibilities
- where scenarios were detailed, there were specific steps and tasks clearly outlined
- plans contained rating frameworks that defined the criticality of events, and the subsequent recovery objectives.
The private operator also has a business continuity management framework that sits across business continuity plans for specific functions, as well as a disaster recovery strategy. These higher-level documents also provide detail on the operator’s requirements for more specific plans and processes to be tested. The business continuity management framework, for example, requires annual business continuity exercises to take place.
The ORG has a local business unit continuity plan, although this has not been tested
As part of Department of Customer Service business continuity planning, the ORG has a local business continuity plan for its own business unit. This plan addresses three specific critical business functions:
- managing the concession
- administering the TAF
- regulating ELNOs.
Each of these critical business functions has a maximum acceptable outage time of one day, with a recovery time objective of three days. The ORG has not tested these recovery time objectives, or the operation of continuity plans for critical business functions.
The alignment of regulator and operator response and recovery plans is a recent improvement that has been identified through joint scenario testing
A joint exercise was conducted in November 2023. An external cyber security consultant was commissioned to design and deliver a cyber incident response exercise between the department, the ORG and the private operator.
The consultant produced a report that identified strengths across the engaged stakeholders, including the collaborative culture with clear decision-making protocols, awareness of the current threat landscape, and active involvement and identification of areas of improvement.
The report broadly identified the need for interconnected communication plans, harmonised incident response plans and pre-defined authority to act as key opportunities for improvement. This was due to uncertainty regarding who should initiate contact with different parties, the need for enhanced coordination and uncertainty during the exercise about who had the authority to engage with the threat actor.
This seems to be the only joint exercise that has been conducted between the regulator and operator to date. No further joint exercises are currently planned.
The ORG has not tested whether it could use back-up data to operationally manage the land titles registry
The concession deed requires the private operator to provide the ORG with a daily back-up of the ‘core data’ contained in the land titles registry (except for core imaging repository data, which is subject to weekly back-up). This is consistent with pre-concession disaster recovery arrangements where core databases and transaction logs were replicated to an off-site disaster recovery centre daily.
The ORG has taken steps to ensure that the back-up data provided by the operator is reliable. The content of the back-ups provided by the private operator was validated by Department of Customer Service ICT in August 2024, with a regular automated testing protocol now in place. This was not always the case, as ORG audits of back-up data had identified deficiencies earlier in the concession.
While the ORG has access to accurate back-up data, the value of the back-ups and whether the ORG can effectively restore the state back-up (for example, if it is ever required to exercise its step-in powers) has not been determined. The audit was told ‘there is no guarantee’ that existing back-ups could be used to restore the system.
The appropriate use, utility and purpose of the state back-up is a current issue for the ORG. This issue was also identified in the 2023 strategic technology review, which noted the potential for developing a real time replica of the land titles registry data. As a result of this review, the ORG is reviewing best practice for the use of the state back-up, including analysing its purpose, situational need and methods to audit and assess back-ups in the future. These findings are due in mid-2025. Any changes to state back-up arrangements will likely require changes to the concession deed.
If future circumstances require the ORG to rely on the state back-up of the registry data, the ability of the ORG to use the state back-up would be critical, including if there was a technical or operational failure with the private operator. The ORG has commenced initial analysis on the required documentation, procedures and scenarios required to exercise its step-in powers. However, the ORG has not tested how effectively it could restore the state back-up, or how it would use the back-up data in practice, if it was needed.
There is evidence that the ORG has taken steps to identify regulatory weaknesses and areas for improvement
The ORG has several internal processes to identify and review issues around its own performance. These include weekly and fortnightly team meetings at various levels, quarterly executive meetings, and an annual team development day. The ORG also notes that a weekly email identifies good regulatory practice, however there is no formalised approach in terms of a framework that benchmarks the ORG’s performance in comparison to similar regulators or guides its continuous improvement processes.
The ORG has identified several internal improvement areas. These include workforce capability or capacity gaps and managing the risk of regulatory capture.
- Workforce capability: while the ORG has a small IT team, it does not have senior or strategic IT expertise. Workforce capability in this area is a key risk to the long-term regulation of the land titles registry. It was raised by several stakeholders in interviews with the audit team and identified as a risk in both the Strategic Technology Review, and the ORG’s 2023 annual team development day.
- Regulatory capture: ORG staff should refrain from becoming involved in discussions with the private operator and surveyors about plan issues, due to its role as the decision-making authority in administrative reviews.
The ORG is addressing a gap in strategic technology and regulatory practice capability to ensure it can effectively regulate the land titles registry in the long term
The land titles registry is an increasingly technology-focused system, having transitioned since the early 1980s from a paper-based system, where documents were submitted or searched for in-person, to a digital system with remote online access. This means that the ORG is increasingly regulating technology solutions and operations.
While the ORG has identified strategic technology expertise as a gap, it does not yet have a long-term capability development and retention plan. It has also not mapped its existing skills base to ongoing requirements of overseeing the concession deed and regulating the land titles registry. Its existing workforce plans respond to workforce survey findings and focus on developing and retaining its current workforce.
To address this capability gap in the immediate term, the ORG has engaged an external consultant to address strategic technology skills, reallocated its spending on consultancies to fund ongoing roles and requested support from Department of Customer Service ICT.
In 2024, as part of Fair Trading and Regulatory Services, the ORG was provided with a dedicated business information support officer from the department’s cyber security area who supports it with advice related to cyber security. Prior to this the ORG was also able to receive advice from the department’s Chief Information Security Officer. Advice has included risk assessments, responses to ad hoc requests and formal advice on reporting required from the operator. There is a potential risk in relation to this key role being outside the ORG’s structure and therefore not able to be fully managed by the ORG.
Broader Department of Customer Service ICT support has been more limited outside of cyber security. Leadership meetings have occurred inconsistently, for example, limiting ORG’s ability to influence the department’s ICT support.
The NSW Public Service Commission (now located within the Premier’s Department) has published a Strategic Workforce Planning Framework that provides guidance for agencies to understand and prepare for their future workforce needs. This framework identifies three levels of workforce planning.
- Strategic workforce planning: identifies actions and addresses challenges, risks and opportunities, entailing longer term planning covering a 3–5 year period. The framework notes that strategic planning is not ‘resource management to fill immediate operational needs’.
- Tactical workforce planning: specifies how work should be done in a specific area to efficiently achieve goals outlined in the strategic workforce plan.
- Operational workforce planning: Ensures daily work is done effectively.
ORG activity to address this capability gap is mainly tactical and operational. Quarterly executive meetings review resourcing needs with an 18-month time horizon, while the Strategic Workforce Planning Framework recommends a longer time horizon. Executive review assesses anticipated workload and, in addition to specific technological capability, has identified the need for additional capacity across the ORG in the areas of policy, regulation and cadastral integrity.
The ORG advises that it is currently reviewing the most effective approach to engaging strategic technology expertise and relies on expertise from within the Department of Customer Service for guidance on workforce planning.
The ORG’s wider regulatory context also creates capability needs in regulatory policy and practice. The ORG performs regulatory functions over a complex and multi-participant system. Its primary regulated entity, the private operator, has unique characteristics, being a monopoly exercising important titling functions using an asset that remains the property of the NSW Government.
At the same time, there are a range of other system participants, such as lawyers, conveyancers, surveyors and banks, who are primarily regulated by other bodies. The other main group of participants, the ELNOs, are themselves subject to new and dynamic market pressures as the industry evolves from a monopoly to a competitive market. The Australian Registrars' National Electronic Conveyancing Council has described a future-state in which multiple ELNOs inter-operate, resulting in a ‘growing compliance burden for government’ within ten years.
The concession deed contains mechanisms to support continuous improvement in the operation of the concession, including an optional five-year major review clause that has not yet been exercised
The concession deed provides for the ORG to conduct:
- ‘annual reviews’ of the operator’s performance, including its achievement of service levels and a review of its latest business plan, as well as a broad range of other matters
- ‘ad hoc and other reviews’, whereby the ORG may review or ‘spot check’ the operator’s performance of any core service provided under the concession
- a ‘major review’ of the operator’s performance under the deed no more than once every five years, including the extent to which the operator is acting consistently with the objectives of the concession and a broad range of other matters – a major review may also consider whether any changes are required under the concession deed.
The ORG conducts annual reviews of the private operator’s performance, including by reviewing and providing feedback on iterations of the private operator’s business plan. As discussed earlier, the ORG has also required the private operator to provide ad hoc reports on two occasions relating to the quality of the private operator’s plan examinations. While the annual priority letters described earlier in this report (see section 3) also encompass an element of performance review, that process is not a function of the concession deed.
To date, the ORG has not exercised its option to conduct a major review of the concession. The ORG did consider conducting a major review in 2022, but it was determined at the time that progressively evolving the concession using iterative contract variations agreed with the private operator was an adequate course of action.
The range of matters anticipated by the major review mechanism is substantial and would prompt consideration of matters that may not emerge iteratively or ad hoc, including matters that are more than simply routine or operational. For example, the major review mechanism provides for the review of significant and strategic matters, including those ‘… that were not anticipated as at the execution date, but which ought to be addressed having regard to the objectives’. Notwithstanding the long duration of the concession, and the complex and evolving environment in which it operates, the ORG has not commenced preparatory work to scope when, or in what circumstances, a major review would be appropriate.
Appendix 1 – Response from Department of Customer Service
Appendix 4 – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #403 released 12 February 2025.
Actions for State agencies 2024
State agencies 2024
About this report
Results and key themes from our audits of the state agencies’ financial statements for the year ended 30 June 2024.
It also includes observations on the following areas of focus:
- risk management
- capital projects
- shared service arrangements.
Findings
The Treasurer did not table the audited Total State Sector Accounts (TSSA) in Parliament as required by the Government Sector Finance Act 2018, and Responsible Ministers did not table 16 annual reports in Parliament by the required date.
Audit results
Unqualified opinions were issued for all but one agency. The quality of financial statements submitted for audit improved, with reported misstatements down to a gross value of $3.9 billion in 2023–24, compared to $10.8 billion in 2022–23.
Key themes
Errors in accounting for assets led to financial statements adjustments of $1.4 billion.
Our audits identified deficiencies in key controls across financial management, payroll, contract management and procurement.
Risk management
Risk management maturity is low across most agencies. Some of the largest 40 agencies self-assess their risk maturity as requiring improvement.
Capital projects
There is a lack of transparency in the NSW budget papers relating to significant capital projects. The estimated total costs for some major projects are not published as the amounts are considered commercially sensitive. The budget papers do not provide a complete and accurate reflection of the actual costs of large infrastructure projects.
Shared service arrangements
Three of the five agencies that provide shared services to 108 customer agencies did not obtain independent assurance over the effectiveness of their control environment.
Recommendations
The report makes recommendations to agencies to improve controls and processes in relation to:
- financial reporting
- financial management
- risk management
- shared service arrangements
- capital projects.
Financial reporting is an important element of good governance. Confidence in, and transparency of, public sector decision making is enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations relating to the financial reporting of State Government agencies.
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are also essential for quality and timely decision making.
This chapter outlines observations and insights from our audits of financial statements of the 40 largest agencies in the State sector. These agencies are listed in Appendix 3.
This chapter outlines audit observations, conclusions and recommendations from our review of agencies’ risk maturity, assessment processes, governance, systems and culture across the 40 largest agencies in the state sector. These agencies are listed in Appendix 3.
This chapter outlines observations, conclusions and recommendations from our review of the 15 most significant capital projects in the State.
Shared service arrangements can centralise corporate services functions such as finance, human resources, procurement and information technology (IT). Across NSW Government agencies, many business processes and IT functions are provided on a shared services model, that is, one agency operates a business function or IT platform that is used by other agencies rather than each agency maintaining their own. These services are shared by several agencies (‘customers’), but generally are operated and managed by one agency or department (‘provider’).
This chapter outlines audit observations, conclusions and recommendations from our review of shared service arrangements provided and received by the 40 largest agencies in the state sector. These agencies are listed in Appendix 3.
This report outlines the findings on shared service arrangements.
Appendix 1 – Status of audits of consolidated entities
Appendix 2 – Status of audits of non-consolidated entities
Appendix 3 – Forty largest State agencies contents
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Road asset management in local government
Road asset management in local government
About this report
Local councils in NSW manage a large proportion of roads across the state. Roads often represent a significant proportion of total council
expenditure.
How councils manage roads is impacted by their revenue, local conditions, and the needs of residents, businesses and other road users.
This audit was undertaken within the wider context of natural disasters and weather events that have significantly impacted the road network in NSW in recent years.
It assessed whether three councils had effectively managed their road assets to meet the needs of their communities, makes detailed findings and recommendations to each audited council, and identifies key lessons for the wider local government sector.
Key findings
All councils can improve how they link community consultation with planned service levels. Formalising these processes could help better demonstrate how current service levels meet community needs.
Clarence Valley Council
- has established a strategic priority for road asset management but not formal governance arrangements or a long-term capital works program
- is delivering and reporting on its work to respond to natural disasters but does not report against targets for road asset quality and service
- has set benchmarks for road asset maintenance, replacement and renewal but needs clear service levels.
Gwydir Shire Council
- did not have aligned, up-to-date asset plans during the audit period
- did not have a long-term capital works program but adopted a prioritisation program for capital works in August 2024
- did not effectively implement formal governance, or coordinate management oversight, to manage its road assets.
Wollondilly Shire Council
- has a strategic framework for road asset management and has used long-term plans to guide its asset capital and maintenance works
- has reported asset management outcomes against a planned capital works program but could improve how it uses KPIs to demonstrate performance.
Key observations of good practiceThis report identifies that effective road asset management is best supported when councils have:
|
This is the first performance audit of the local government sector that I am tabling in Parliament as Auditor-General for New South Wales.
Our performance audits are designed to provide valuable information to parliamentarians, sector stakeholders and the public. Ultimately, our aim is to ensure transparency, a principle that underpins effective and efficient use of public resources.
The management of roads and associated assets is a critical issue for local councils across the state. In recent years, many councils have had to contend with the immediate and ongoing effects of natural disasters.
These natural disasters, along with increased community expectations, population changes and complex regulatory obligations all contribute to financial sustainability risks for councils. Some councils have used short-term funding allocations (including emergency relief grants) to cover the costs of managing long-term assets. These councils do not have the capacity to generate sufficient income from their own sources, and therefore depend on assistance from other levels of government. Councils’ ability to plan and budget for the long term has also been disrupted by the need for new or restored infrastructure outside asset life cycles.
Several reports and inquiries in recent years have highlighted these significant financial sustainability risks. The parliamentary inquiry into the ‘Ability of local governments to fund infrastructure and services’,1 due to be tabled soon, will be a critical input to a long-term solution.
The three councils audited in this report – Clarence Valley, Gwydir Shire and Wollondilly Shire –each experienced significant natural disasters, including fires, storms and floods during the audit period. Despite this, each audited council was able to deliver a large volume of road asset management works.
This report provides valuable lessons from these audited councils that can help all councils manage their roads more effectively in the face of evolving risks and competing resource demands.
I acknowledge this has been a difficult time for some councils across NSW. This report supports councils with practical steps to manage their roads as effectively as possible, improve their resilience to climate challenges and meet legislative requirements.
1 The inquiry into the ‘Ability of local governments to fund infrastructure and services’ by the NSW Legislative Council Standing Committee on State Development commenced on 14 March 2024 to inquire into, and report on, the ability of local governments to fund infrastructure and services.
Background
Local councils in New South Wales (NSW) manage over 180,000 km of local and regional roads combined. These roads are crucial to travel within local government areas and across the state, improving community accessibility. Reliable roads ensure commercial and public transport can run on time, increase safety and keep the environment clean.
As roads age and deteriorate, they become more expensive to repair. Road surfaces and formations are vulnerable to both extreme heat and water exposure. These kinds of exposure have varying effects on the ways roads degrade, depending on the amount of traffic and the kinds of vehicles that use them.
Local conditions, business and road-user needs, and the impacts of natural disasters vary between councils and influence the way each council manages its roads. Regularly maintaining roads can keep roads functional and safe and prevent costly, unbudgeted repairs and replacements.
In the 2022–23 financial year (FY2022–23), the estimated total replacement cost of council road assets across NSW was around $102 billion. In the same year, local councils reported collective road asset maintenance expenditure of around $1 billion.
Since 2017, financial audits of local councils have identified asset management-related issues, including gaps in asset management processes, governance and systems. The Audit Office’s ‘Local Government 2023’ report outlined 266 asset management-related findings across the local government sector, including gaps in revaluation processes, maintenance of information in asset management systems and accounting practices.
Councils also provide a wide range of other services and infrastructure, including water and sewer infrastructure and services, waste management, environmental protection, housing, and community transport. Through integrated planning and reporting, councils determine how they will allocate resources to their services and infrastructure. Understanding community expectations for assets and services, alongside technical requirements, supports effective planning for function, cost and quality.
Audit objective
This audit assessed how effectively three councils – Clarence Valley Council, Gwydir Shire Council and Wollondilly Shire Council – are managing their road assets to meet the needs of their communities.
The audit assessed whether the selected councils:
- have a strategic framework in place for managing their road assets
- have effective governance, data and systems for road asset management
- are managing their road assets in line with planned service levels and quality outcomes.
Overview of findings
This audit assessed how effectively Clarence Valley Council, Gwydir Shire Council and Wollondilly Shire Council managed their road assets to meet the needs of their communities.
In assessing each Council’s performance, this audit concluded:
Clarence Valley Council has effectively established a strategic priority for road asset management, but delivery of this priority was not supported by formal governance arrangements or a long-term capital works program. While the Council is delivering and reporting on a large volume of road asset works in response to natural disasters, it does not report on consolidated targets for road asset quality and service. The Council has set benchmarks for maintenance, replacement and renewal of roads. It now needs to enhance this with clear service levels to ensure community needs and expectations are met.
Detailed conclusions and recommendations for the Council are outlined in sections 2.2 and 2.3. Recommendations include that Clarence Valley Council:
- updates and implements its asset management plan and associated improvement actions
- reviews and implements key performance indicators (KPIs)
- captures lessons learned from its natural disaster responses
- implements a long-term capital works program.
Gwydir Shire Council did not have aligned, up-to-date long-term asset management plans to support a strategic framework for road asset management across the audit period. The Council did not effectively implement formal governance and coordinated management oversight for its road assets. The Council implemented updates to its asset management plans in June 2024 and governance arrangements in July 2024.
The Council has reported on the large volume of works it is delivering, including in response to natural disasters, but is not reporting in the context of information about targets and quality benchmarks. The Council does not have a long-term capital works program, but adopted a prioritised rolling program of works in August 2024 to guide its priorities and efforts over time.
Detailed conclusions and recommendations for the Council are outlined in sections 3.2 and 3.3. Recommendations include that Gwydir Shire Council:
- implements its asset management plans and associated improvement actions
- formalises and documents community priorities and service level expectations for roads
- captures lessons learned from its natural disaster responses.
Wollondilly Shire Council has effectively applied a coordinated and strategic framework to deliver road asset management. The Council has long-term plans to guide its efforts and uses data to inform its approach. The Council has delivered a large volume of works in response to natural disasters during the audit period. The Council is reporting its road asset management outcomes and can demonstrate progress against a clearly defined capital works program, but its use of performance indicators could be improved.
Detailed conclusions and recommendations for the Council are outlined in sections 4.2 and 4.3. Recommendations include that Wollondilly Shire Council:
- finalises and implements its transport asset management plan
- reviews performance indicators for road assets
- formalises and documents community priorities within its integrated planning and reporting (IP&R) and asset management frameworks.
Key observations of good practice
While each council was separately audited, this report also identifies practices that contribute to effective road asset management across all local councils.
These include:
- a good understanding and articulation of the community’s vision, priorities and purpose for local roads
- asset management documents that are current and aligned with broader strategies and financial plans
- long-term capital works planning that considers associated ongoing costs, and is supported by systematic prioritisation of works
- clear and documented decision making processes
- transparent performance reporting on progress and outcomes
- reliable, accurate and assured data and systems
- continuous improvement through both formal reviews and capturing lessons learned
- resilience and responsiveness to natural disasters with a planned approach to disaster recovery.
Further lessons for local government can be found in Appendix 3.
Appendix 1 – Response from entity
Appendix 2 – Council expenditure profile
Appendix 3 – Lessons for local government road asset management
Appendix 5 – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #401 - released 21 November 2024.
Actions for Government advertising 2022-23
Government advertising 2022-23
About this report
The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit of the activities of one or more government agencies in relation to government advertising campaigns in each financial year.
This year, we examined two campaigns run by Transport for New South Wales (TfNSW) - 'Don't trust your tired self' (DTYTS) and 'Saving lives on country roads' (SLCR).
The audit assessed whether they were carried out effectively, economically, and efficiently, and complied with regulatory and policy requirements.
Audit findings
The DTYTS campaign complied with all requirements set out in the Act, the Regulation, and Government Advertising Guidelines - except for the requirement to complete an approved and complying cost-benefit analysis (CBA), as per the Guidelines.
The campaign had a clear target audience. It achieved many of its stated objectives and other performance measures and represented an economical and efficient spend.
However, TfNSW has not measured the campaign's long-term impact and this, combined with the lack of a complying CBA, meant that TfNSW could not confidently demonstrate the campaign's effectiveness.
The SLCR campaign (which commenced in 2017) was last run fully in 2021–22. TfNSW could have improved the formal documentation of its decision-making process when it cancelled the SLCR campaign.
TfNSW continued to run state-wide advertising campaigns – with regional components - to address road safety in regional NSW.
Recommendations
By 31 October 2024, TfNSW should implement processes that ensure:
- CBAs prepared for government advertising campaigns comply with the Government Advertising Guidelines
- long-term impacts of advertising campaigns are evaluated
- strategic and operational decision-making about advertising campaigns, such as starting, stopping or significantly changing a campaign, is well-documented and follows good practice.
The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements prohibit any political advertising and require a peer review and cost-benefit analysis to be completed before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and 2012 NSW Government Advertising Guidelines (the Guidelines) address further matters of detail.
Section 14 of the Act requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner and in compliance with the Act, the Regulation, other laws and the Guidelines.
This audit examined Transport for NSW's (TfNSW) advertising campaigns 'Don't Trust Your Tired Self' and 'Saving Lives on Country Roads' for the 2022–23 financial year.
TfNSW is the NSW Government agency responsible for leading the development of safe, integrated and efficient transport systems for the people of New South Wales.
The Don't Trust Your Tired Self (DTYTS) campaign, which cost $3.04 million in 2022–23, aimed to educate drivers on how to avoid driving tired and encouraged them to consider how tired they were before driving.
The Saving Lives on Country Roads (SLCR) campaign, which commenced in December 2017, aimed to encourage country drivers1 to re-think the common excuses used to justify their behaviour on the road. In early 2024, after the audit commenced, the Department of Customer Service (DCS) advised the audit team that TfNSW did not run the SLCR campaign in 2022–23. This was subsequently confirmed by TfNSW. Instead, the SLCR branding was used for the regional element of the state-wide drink driving campaign. As a result, this audit examined the reasons and decision-making process for its cancellation.
The SLCR campaign cost $3.11 million in 2021–22, the last full year in which it was run, and $17,038 in 2022–23.
This part of the report sets out key aspects of Transport for NSW's (TfNSW) compliance with the Government Advertising regulatory framework for Don't Trust Your Tired Self (DTYTS). It considers whether the agency complied with the:
- Government Advertising Act 2011 (the Act)
- Government Advertising Regulation 2018 (the Regulation)
- NSW Government Advertising Guidelines 2012 (the Guidelines) and other relevant policy.
This part of the report considers whether Transport for NSW's (TfNSW) advertising campaign Don't Trust Your Tired Self (DTYTS) was carried out in an effective, efficient and economical manner.
This part of the report examines the cancellation of the Saving Lives on Country Roads (SLCR) campaign. It focuses on the decision-making process and evidence for the cancellation of this campaign following its last delivery in 2021–22. It also draws out key implications.
Appendix one – Response from agencies
Appendix two – About the campaigns
Appendix three – About the audit
Appendix four – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #396 released 25 June 2024.
Actions for Workers compensation claims management
Workers compensation claims management
What this report is about
Workers compensation schemes in NSW provide compulsory workplace injury insurance. The effective management of workers compensation is important to ensure injured workers are provided with prompt support to ensure timely, safe and sustainable return to work.
Insurance and Care NSW (icare) manages workers compensation insurance. The State Insurance Regulatory Authority (SIRA) regulates workers compensation schemes. NSW Treasury has a stewardship role but does not directly manage the schemes.
This audit assessed the effectiveness and economy of icare’s management of workers compensation claims, and the effectiveness of SIRA’s oversight of workers compensation claims.
Findings
icare is implementing major reforms to its approach to workers compensation claims management - but it is yet to demonstrate if these changes are the most effective or economical way to improve outcomes.
icare’s planning and assurance processes for its reforms have not adequately assessed existing claims models or analysed other reform options.
icare's activities have not focused enough on its core responsibilities of improving return to work and maintaining financial sustainability.
SIRA has improved the effectiveness of its workers compensation regulatory activities in recent years. Prior to 2019, SIRA was mostly focussed on developing regulatory frameworks and was less active in its supervision of workers compensation schemes.
NSW Treasury's role in relation to workers compensation has been unclear, which has limited its support for performance improvements.
Recommendations
icare should:
- Ensure that its annual Statement of Business Intent clearly sets out its approach to achieving its legislative objectives.
- Monitor and evaluate its workers compensation scheme reforms.
- Develop a quality assurance program to ensure insurance claim payments are accurate.
NSW Treasury should:
- Work with relevant agencies to improve public sector workers compensation scheme outcomes.
- Engage with the icare Board to ensure icare's management is in line with relevant NSW Treasury policies.
SIRA should:
- Address identified gaps in its fraud investigation.
- Develop a co-ordinated research strategy.
Workers compensation schemes in New South Wales provide workplace injury insurance for around 4.7 million workers. The effective management of workers compensation is important to ensure injured workers are appropriately supported and provided with prompt treatment to ensure timely, safe and sustainable return to work. There were around 110,000 injured workers compensation claims in 2022–23.
The two main workers compensation schemes in NSW are the Nominal Insurer (NI), which is for the private sector and is funded by premiums paid by employers, and the Treasury Managed Fund (TMF) which covers public sector workers and is funded by the NSW Government.
Insurance and Care NSW (icare) is responsible for managing the provision of workers compensation insurance, as well as several other insurance schemes. The State Insurance Regulatory Authority (SIRA) is responsible for regulating workers compensation and other insurance schemes. NSW Treasury has an oversight and monitoring role but does not directly manage or regulate workers compensation schemes.
icare outsources the management of workers compensation claims to several external insurance agents, which it refers to as claims service providers (CSPs). Tasks completed by CSPs include registering and assessing workers compensation claims, managing payments to injured workers, and liaising with injured workers, employers, and medical providers to support injury management and return to work.
The objective of this audit was to assess the effectiveness and economy of icare’s management of workers compensation claims, and the effectiveness of SIRA’s oversight of workers compensation claims. To address this objective, the audit considered whether icare’s reforms to its workers compensation claims management models are effective and economical, and whether there is an effective performance and accountability framework for the NI and TMF.
icare did not assess its existing claims management model or conduct a comprehensive options analysis assessing alternative claims management models before selecting its new claims management model for the Nominal Insurer
In 2021, icare decided to change the claims management model for the Nominal Insurer (NI) from a single outsourced claims service provider (CSP) to a model using multiple CSPs. icare did not conduct a detailed analysis of options before deciding on its new claims management model for the NI. icare did not complete a business case or undertake analysis of costs and benefits of the chosen model compared to other options, such as in-house provision of services by icare, a hybrid delivery model, or remaining with a single-provider model with improved support and performance incentives.
icare completed a procurement strategy which acknowledged a potential alternative model based on icare delivering claims management services. However, there was no detailed analysis or costing of this or other models for comparison with the outsourced model that had been chosen. The in-house provision option was not recommended because it was stated that ‘competition between external service providers can drive better performance than what icare could achieve’. The 2019 Independent Review Report on the NI recommended that icare use additional providers to reduce the pressure on its single provider. It was appropriate for icare to consider this recommendation when developing its new claims model, but it does not remove the need for icare to conduct its own detailed analysis to support decision making on major projects.
The absence of a business case or other similar detailed analysis reduces icare’s accountability for improved outcomes. It also means the stated benefits and costs of icare’s claims services model have not been fully tested. Introducing competition and performance-based payments to CSPs might improve return to work and financial sustainability outcomes but could create perverse incentives or increase the risk of CSPs withdrawing from contracts. A business case would have also provided information that could have been used to inform an evaluation framework for the new claims services model, including interim measures to help assess whether intended benefits are on track.
A business case is the primary document to outline the case for change and analysis of alternative options, as well as the costs, benefits and financial viability of the proposal. icare’s procurement policy does not require the development of a business case, but the NSW Procurement Strategy and NSW Treasury Business Case Guidelines require agencies to demonstrate value for money by submitting a business case to NSW Treasury for investment proposals over $10 million. At the point when icare sought approval from the icare Board to commence the procurement process, the maximum total contract value for the engagement of the six providers was estimated at between $3.7 billion and $6.4 billion over ten years.
icare conducted a comprehensive procurement process to select CSPs for its new NI claims management model
The procurement process for new providers for the NI involved an open market process that included extensive engagement with potential CSPs. This allowed icare to improve its understanding of the capacity and capability of providers and work collaboratively to refine the details of its claims management model.
icare developed a detailed procurement strategy that outlined the objectives of the new model, expected costs, services sought, governance framework, and an evaluation plan. icare provided regular updates to the icare Board on the progress of the procurement process and sought approval for key decisions about the changes being made.
icare met its planned timeframe for having contracts with multiple CSPs in place by 1 January 2023. icare’s contracts provide it with flexibility to adjust the performance measures after three years if required. The contracts also require 12 months’ notice from the CSP if they wish to withdraw from the contract. This helps icare to manage the risk of a reduction in capacity to manage claims if an existing CSP withdraws.
icare is implementing a new remuneration structure for CSPs which aims to provide better financial incentives to improve performance
The icare Board approved the introduction of a multiple provider model as part of its NI Improvement Program in December 2021. As a part of planning for the change, icare developed a different remuneration structure for the new CSP contracts that aim to create stronger incentives for innovation to improve performance. The previous remuneration model for providers involved a guaranteed fee that was set at 110% of the estimated cost of providing the service and had no financial penalties if CSPs did not meet performance targets. The new remuneration model splits the fees paid to CSPs into three categories:
- a base fee, a guaranteed fixed fee which covers 95% of a benchmarked cost agreed by icare and CSPs (this was the estimated cost of providing the service in an efficient way)
- a quality fee, which may be positive (up to ten per cent of the benchmarked cost) or negative (up to five per cent) depending on the CSP’s performance against the quality measures specified in the contract. These are mostly related to compliance with claims management processes such as timeliness, accuracy, and record keeping
- an outcome fee up to 50% of the benchmarked cost depending on the CSP’s performance against the outcome measures specified in the contract. These relate to the key performance measures in the system such as return to work rates, claim payments made, and medical costs. The outcomes fee can only be earned if the CSP achieves acceptable performance in the quality measures.
This remuneration model aims to provide CSPs with financial incentives to improve performance. Setting the 'base fee' at slightly below the expected cost of providing the service should mean that CSPs need to meet their quality measures to ensure they cover costs and would need to exceed performance targets in order to increase its profit margin. The success of this model will depend on factors including the appropriateness of the base fee and performance targets, and the behaviour of CSPs. These changes are not yet fully implemented and icare is taking a staged approach to the transition of new CSPs, so it is too early to judge their effectiveness.
icare’s new remuneration structure will increase payments to CSPs for the NI without initially requiring improved performance
The new provider model is expected to cost up to $100 million more per year compared to icare’s previous, single provider model. This fee increase depends on the extent to which CSPs achieve its outcome targets. For example, if all CSPs improve their performance to a level where they meet all of their performance targets, the full $100 million would be paid to CSPs. A lower amount would be paid if some CSPs did not achieve outcome targets. icare’s modelling indicates that the extra costs in payments to CSPs would be offset by reductions in payments to injured workers as a result of improvements in return to work rates.
For at least the first year of the new model, icare has committed to paying a proportion of the outcome fees to CSPs even if they do not achieve their performance targets. This is intended to support CSPs to invest in their systems with the goal of achieving better longer-term performance. However, it means that icare will initially pay higher fees for similar or potentially lower performance.
icare lowered the return to work rate targets in 2023 compared to 2022 to account for the impact of the transition to the new multiple provider claims management model. Exhibit 9 shows the differences between the targets in 2021–22 and 2022–23.
Business Plan FY22 (%) | Business Plan FY23 (%) | Change | |
Return to work targets | 4-week: 70.0% 13-week: 85.0% 26-week: 87.8% 52-week: 89.8%
| 4-week: 65.4% 13-week: 77.5% 26-week: 82.1% 52-week: 85.6% | 4-week: -4.6% 13-week: -7.5% 26-week: -5.7% 52-week: -4.2% |
Source: icare planning documents (unpublished).
CSP remuneration has increased from around $251 million in 2018–19 to almost $379 million in 2022–23, an increase of more than 50%. CSP remuneration has increased in each financial year during this period (Exhibit 10).
icare’s focus for reforming the TMF is not based on addressing key strategic challenges for the scheme
icare initiated a ‘TMF transformation program’ in 2022. The business case for the TMF transformation program did not include an assessment of the key strategic challenges for the TMF or describe how the transformation would improve return to work rates. Instead, it focused predominantly on the implementation of a single IT platform for managing workers compensation claims. While a single IT platform may be an important technological enabler for claims management, it does not address the underlying strategic issues that contributed to a decline in claims management performance and increase in costs in the TMF.
icare’s analysis indicates that the implementation of the new IT system will cause a short-term decline in return to work rates for the TMF. Reducing performance in return to work rates, even if only temporarily, can have a long-term impact on outcomes for affected workers and for scheme costs. icare’s internal modelling indicates that if the early stages of a claim are not managed well, claimants are much more likely to have a long-term claim.
The primary purpose of the workers compensation scheme is to optimise return to work outcomes for injured workers and to maintain the financial sustainability of the schemes. Previous reviews have stated that icare should apply a return to work focus for all its activities because this is the outcome on which it is judged by Parliament, workers, employers and the community.
icare has commenced a procurement process for the TMF without conducting detailed analysis of its claims management model
In December 2023, icare completed a procurement strategy for approval by the icare Board to guide its procurement of CSPs for the TMF. The TMF procurement strategy refers to the broader improvement objectives for the TMF, which include improving return to work performance and increasing capability to manage psychological injury claims. It contains a brief analysis of an in-house claims management model compared to an out-sourced approach. However, it does not include detailed analysis of options for its claims management model. This analysis contained a similar amount of detail as the procurement strategy for the NI (see Chapter 2). It did not include any evaluation of the outsourced model that icare has used previously and did not assess options for hybrid models that use a mixture of in-house and outsourced services. icare has had the same claims management model for the TMF, using the same three CSPs prior to its establishment in 2015. icare inherited contractual arrangements with three CSPs that had commenced in 2010. Its most recent procurement process for CSPs took place in 2019. Before commencing this procurement, icare did not evaluate the effectiveness of the arrangements that were in place from 2010 to 2019 or analyse alternative options for claims management models.
icare plans to draw on the work done for the NI procurement of CSPs in 2022 by using clauses in the NI contracts to extend them to cover TMF work. icare has also commenced an open expression of interest process to engage with other potential CSPs for the TMF.
The TMF procurement strategy sets out options for a revised performance and remuneration framework for CSPs in the TMF. This is based on the work done for the NI procurement and has the same goal of providing stronger financial incentives for CSPs to improve their claims management performance.
icare’s analysis estimates that these changes will lead to savings because the new remuneration model will improve CSP performance, which will reduce overall scheme costs. However, the estimates presented in the TMF procurement strategy, which was presented to the icare Board for approval, do not have supporting analysis or completed modelling of costs. A key gap is the details used to estimate the actual costs for CSPs to deliver the services, which underpins the payment amounts under the revised remuneration framework. The strategy also does not include analysis of risks, such as impacts to return to work rates because of the transition to a new model. Without these details, icare cannot demonstrate that its planned approach is likely to deliver value for money.
Fees paid to CSPs for the TMF have increased significantly in recent years despite previous forecasts of reductions in fees paid and improvements in performance
icare’s payments to CSPs managing TMF claims has increased by around 30% in the last five years, rising from around $90 million in 2018–19 to around $125 million in 2022–23. This increase in payments to CSPs occurred during a period when return to work performance declined by two percentage points and the total payments for workers compensation claims increased by around 60%. The number of claims received also increased significantly in this time, as noted in Chapter 1.
Some of icare’s reform activities aim to improve return to work and financial sustainability
One of the stated goals of icare’s NI improvement program is ‘getting injured workers back to work sooner’ and the improvement program includes implementing a new claims management model for the NI (discussed in Chapter 2). Alongside this program, icare has made other changes that aim to improve the day-to-day claims management processes. In recent years icare has begun working to clarify roles and responsibilities for the claims management process. This has included consultation with CSPs and producing written documents that specify which issues should be handled by CSPs and which should be referred to icare.
icare has also developed a Professional Standards Framework that aims to provide a consistent set of standards that case managers are expected to adhere to. This framework sets out minimum standards and capability expected of CSP staff. It is a contractual requirement for NI providers to comply with the framework through its recruitment and training for staff. The framework is intended to also apply to the TMF but is not yet included in TMF provider contracts. Since 2021, icare has also provided training material to CSPs focussing on key aspects of claims management. Training covers topics that have previously been identified as areas of weakness, such as the calculation of weekly payments, initial contact, and injury management.
icare’s accountability for achieving scheme outcomes is not clear enough
While the practical changes discussed have the potential to help improve claims management performance, icare’s acceptance of overall accountability for scheme outcomes remains unclear. In 2021, icare considered several ‘business models’ that would guide its overall approach to reforming its workers compensation claims models. It decided to adopt what it described as a ‘platform’ model, which positioned icare as a facilitator and focused on self-direction and choice for employers and employees. Among the models that it chose not to adopt was a ‘scheme administrator’ model, which was characterised by transparency and clear accountability for performance.
This underlying approach can be seen in icare’s reforms to the claims management model for the NI. Some elements of the reforms target improvements in return to work outcomes, such as the introduction of performance-based payments to CSPs (discussed in Chapter 2). However, icare described the goal of the reforms as creating a competitive market of CSPs that would provide choice to employers, which indicates icare taking accountability for implementing system changes but not for the achievement of outcomes. icare’s plans for reforms to the TMF are similarly focused on icare’s accountability for providing support systems for workers compensation schemes, rather than accepting responsibility for ensuring the key outcomes are achieved.
The management of workers compensation schemes is a complex task. There are external factors outside icare’s control that influence the key performance measures of return to work and scheme financial viability. However, as the provider of workers compensation schemes, icare is primarily accountable for improving return to work rates for the NI and TMF and its strategies and activities should be focused accordingly. icare’s most recent corporate strategy documents described its current phase of its organisational strategy as ‘increase focus on those we serve’. This is a positive change from the previous year when the same phase was described as ‘simplify for improved outcomes’.
icare has committed significant resources to internal organisational improvement programs
icare has committed significant resources to an organisational improvement program in recent years. The program responds to the recommendations of previous external reviews (summarised in Chapter 1). These reviews made a combined total of 107 recommendations. Of these, 98 related to ‘enterprise improvement’, covering internal processes such as governance, procurement and risk management. The focus of the recommendations on internal processes reflects the terms of reference for these reviews. As a result, icare’s improvement program has a focus on internal organisational change, rather than a broader strategic assessment of the key challenges to the performance of workers compensation schemes, such as the rise in psychological injury claims.
The program has been overseen by an external advisor and quarterly reports have been published that outline progress, with the first report published in December 2021 and the most recent in August 2023. Accountability for implementing recommendations of external reviews is important. However, the strong focus on internal organisational projects has contributed to increases in icare’s operating expenses without fully addressing the strategic challenges to the key legislative objectives of workers compensation schemes – optimising return to work outcomes and ensuring financial sustainability.
icare’s employee and other operating expenses have increased significantly during a period when workers compensation scheme performance has not improved
According to its annual financial reports, icare’s total employee expenses have increased significantly in recent years. The total number of employees at icare increased from 1,431 in 2020–21 to 1,756 in 2022–23, an increase of 23%. icare’s budget for 2023–24 includes a further increase in staff numbers to 1,800.
There has been a corresponding increase in icare’s employee expenses, with staff costs increasing by 29%, from $214 million in 2020–21 to $276 million in 2022–23. icare did not take on any new functions during this period and the performance of the NI and TMF did not improve, as described in Chapter 1. Over the past three years icare has added the highest number of new employee positions in the ‘digital and transformation’ area. Additional staff positions have also been created in corporate areas including people and culture and risk and governance. Many of these positions relate to icare’s improvement program.
icare’s other operating expenses have also increased in recent years, rising from $699 million in 2020–21 to $814 million in 2022–23. The majority of icare’s other operating expenses are fees paid to CSPs. However, icare has also spent a significant amount on contractors, contingent workers, and consultants in recent years, despite also increasing its permanent staff numbers. Some of these contractor and consultant expenses related to icare’s improvement program discussed above. Over the last three years, icare spent an average of more than $100 million per year on hired labour, comprised of:
- $60 million per year on contractors
- $35 million per year on contingent workers
- $8 million per year on consultants.
icare completed a review of its corporate expenses in September 2023 and reported the results of this review to the icare Board. icare’s review stated that it had reduced its expenses by a total of $88 million from 2019–20 to 2021–22. This included a reported decrease of $40 million in spending on contractors and contingent workers, which is in contrast to its annual financial reporting data which shows an increase of $25 million during this period. icare’s expenses review used management reporting data which categorises expenses differently to the way expenses are categorised in annual financial statements. For example, a large proportion of expenditure on contractors and contingent workers was categorised as project expenditure in icare’s management reporting. While this may be appropriate for management reporting purposes, it resulted in icare reporting lower expenditure on contractors and contingent workers in its expenses review compared to its annual reporting.
The number of icare senior executives in the top pay band for the NSW public service increased from two in 2021–22 to eight in 2022–23. The average remuneration of icare’s senior executives in 2022–23 was $652,000. This is more than double the average remuneration for the two senior executives that were in the highest pay band at the former WorkCover Authority, icare’s predecessor agency, in its last year of operation in 2014–15. It is also approximately double the average remuneration for senior executives at icare’s equivalent entities in comparable jurisdictions. The average remuneration for the ten senior executives at WorkSafe Queensland in 2022–23 was $285,000 and the average remuneration for the 11 senior executives at WorkSafe Victoria was $276,000.
icare spent at least $470 million on projects that were intended to improve the operations of the workers compensation schemes between 2016–17 and 2019–20. This includes the implementation of a single provider claims management model and the introduction of a new IT platform but does not include the cost of contractors and consultants who worked on these projects. Previous external reviews of icare found that these projects did not achieve their objectives and contributed to a deterioration in performance against the key legislative objectives for workers compensation of return to work and financial sustainability. icare spent another $45 million on moving back to a multiple provider model for the NI from 2023.
icare’s reporting on the performance of workers compensation schemes has not provided a clear indication of performance in its core areas of responsibility
icare’s public reporting has not provided transparency in the key areas of return to work and financial sustainability of workers compensation schemes. Prior to 2019–20, icare did not report publicly on its return to work rate targets in the NI. icare did not report on a TMF return to work target until 2022–23. icare’s four most recent annual reports have included an ‘enterprise performance scorecard’. In 2021–22 this scorecard had 11 measures, with only four that related to insurance scheme performance (return to work rate in the NI, net results in NI, net results in TMF and investments). The scorecard had seven measures that related to icare’s internal processes in that year, such as staff engagement scores, risk management, and internal audit. In 2022–23, the scorecard included five measures that related to insurance scheme performance. However, the measure relating to return to work performance for the NI had changed from the previous years. As a part of its reforms to the NI, icare plans to publish more information about workers compensation scheme outcomes on its website. It commenced this reporting in December 2023.
The key document outlining icare’s strategic approach to managing its operations is the Statement of Business Intent (SBI). The measure icare has used for reporting on return to work targets for the NI in its SBI has changed in each of the last four years. Exhibit 13 shows icare’s internal reporting on NI return to work targets since 2020–21. The frequent changes to the way icare has reported on its key performance measures make it difficult to track its performance over time.
Financial year | Reporting measure for return to work in SBI |
2020–21 | Return to work rate measured at 26 weeks after claim made |
2021–22 | Return to work rate measured at 4, 13, 26 and 52 weeks after claim mad |
2022–23 | Return to work rate measured at 13 weeks after claim made |
2023–24 | Return to work rate measured as ‘working rate’ (using a different methodology) |
SIRA has recently updated its strategic framework to improve the effectiveness of its regulatory activities
One of SIRA's principal legislative objectives is to provide effective supervision of the workers compensation system. SIRA updated its strategic framework in 2021. The strategy outlines guiding considerations across four ‘pillars’ of SIRA’s regulatory work: scheme design, licensing, supervision, and enforcement.
SIRA has increased its focus on supporting improvements to return to work outcomes in recent years. It commissioned a research paper to inform SIRA's system-wide strategy to improve return to work rates. This paper provides a summary of the current evidence relating to factors most likely to support better return to work outcomes. This research has been used to inform SIRA's strategies and plans. For example:
- SIRA has a return to work action plan which outlines ten actions aimed at supporting improvements in return to work rates. Actions include reviewing insurers’ return to work practices in 2022, developing a return to work standard of practice, and targeting compliance work to employers identified as higher risk.
- SIRA advises it is currently developing a ‘Recover Through Work Strategy’ which expected to replace its action plan. The draft strategy covers research, promotion and education activities related to early intervention, psychological injuries, and additional data and insights relating to return to work.
- SIRA developed a mental health recovery and support action plan in 2021 based on research it had commissioned.
SIRA has used regulatory instruments including written directions and letters of censure to icare when it has identified issues that require remediation, as noted in Chapter 2. SIRA’s ability to regulate the workers compensation scheme is limited by the fact that it cannot impose licence conditions on the NI or other entities, which limits its ability to escalate its regulatory responses if needed.
A previous review of the legislative arrangements for workers compensation recommended that SIRA should be given additional powers to ensure it can fully perform its regulatory functions for workers schemes. The review also found the roles and responsibilities between icare and SIRA were unclear in some areas. For example, workers compensation legislation allocates operational functions to SIRA which has created duplication and inefficiencies as noted in this chapter. The review recommended government consider amending legislation to state clearly the powers and functions of each entity. Both issues are yet to be addressed.
SIRA was mostly focussed on developing regulatory guidelines and frameworks in the years after it was established
SIRA was created in late 2015 and was tasked with regulating multiple insurance schemes and establishing operational frameworks to supervise each insurance scheme within its remit. In the initial years of SIRA’s establishment, SIRA developed guidelines and standards around the management of workers compensation. For example, SIRA’s first Standards of Practice was issued in 2018 and contained broad claims management principles to guide insurer conduct and support the achievement of scheme legislative objectives. SIRA also first published an Insurer Supervision Model in 2017 which outlined SIRA’s approach to monitoring and supervising the performance across workers compensation insurers. The model contained compliance and performance indicators to help SIRA identify and address risks in the areas of conduct, claims management and financial sustainability. SIRA advises this supervision model assisted it to identify a significant decline in the performance of the NI in 2018, which led SIRA to commission its first independent review of the NI in 2018–19.
SIRA has become more active in its regulation of the NI but only recently started actively supervising the TMF
SIRA increased its monitoring and supervision of the NI following the findings of the 2019 review, with SIRA commencing quarterly compliance and performance audit of claims management of the NI from July 2020. SIRA’s reviews of the NI had a strong focus on compliance with specific legislative requirements, in response to concerns about a lack of capability among claims managers at the time. Some of SIRA's more recent reviews of the NI have selected a strategic focus area, such as compliance with the ‘early intervention’ requirements of claims management. This theme was selected based on research evidence indicating that the management of a claim in the first four weeks has a significant impact on return to work outcomes. SIRA advises that future audits will use a risk-based approach and focus on areas in which low compliance has been identified and there is evidence that the compliance requirement is based on better outcomes, such as injury management planning.
SIRA has issued two penalty notices as a result of its increased oversight on the NI:
- The penalty notice issued on 6 September 2019 totalled $132,000. The penalties were imposed for icare’s failure in 24 instances to commence weekly workers compensation payments within seven days of initial notification of the injury to the insurer.
- The penalty notice issued on 22 January 2020 totalled $82,500. The penalties were issued for icare’s failure in ten instances to ensure employer’s premium rate does not increase by more than 30% from the previous policy year, as required in SIRA’s premium guidelines. icare’s failure to comply with the capping requirement led to impacted policy holders paying an additional premium totalling over $700,000.
SIRA began regularly reporting to government on NI financial sustainability in 2016–17, with its first report provided to government in August 2018. The 2016–17 report noted generally that a new claims model had been implemented from January 2018 which may impact claims experience and make future treatment and costs more complicated. However, the report did not provide further details of these risks, such as potential impacts on the key areas of return to work or related cost impacts due to the transition. SIRA’s annual reports from the years up to and including 2018–19 did not draw attention to any performance concerns for the NI or the TMF and did not provide detailed information on SIRA’s supervision activities for the schemes. The reports focused mostly on other areas of SIRA’s responsibility, particularly the implementation of reforms to the compulsory third party insurance scheme during 2017.
In January 2020, SIRA commenced investigations into the management of three Corrective Services NSW (CSNSW) claims in the TMF following reports it received around claims mismanagement. The report outlined several actions, including that SIRA undertake a broader review of the compliance and performance of the TMF and a larger audit of CSNSW workers compensation claims with a focus on psychological injuries. In August 2022, SIRA commenced a review of 100 CSNSW claims to assess the compliance of these claims against legislative and regulatory requirements. During the audit, SIRA advised these reviews led to SIRA developing the evidence base for undertaking its broader review of the TMF in 2023. The 2023 TMF review has a focus on managing psychological injury claims.
The audit did not see evidence of SIRA taking a strategic approach to the regulation of the TMF in earlier years despite the outcomes of SIRA’s initial CSNSW investigations, deteriorating return to work performance, increasing costs, and the emerging strategic risk of the rise in psychological injury claims. Given these issues, a more active regulatory presence from SIRA would have been justified.
Any decline in return to work rates, even if only temporary, can have a long-term impact on outcomes for affected workers and for scheme costs. For example, research indicates that injured workers who are not working for a longer period become progressively less likely to ever return to work and are more likely to develop a secondary psychological injury associated with their initial injury. As a result, the poor performance of workers compensation schemes in previous years is having an ongoing impact on scheme performance today.
SIRA began focussing on improving compliance of employers with workers compensation obligations from 2020, but did not have a strategy or active program prior to this
In 2020, SIRA created an Employer Supervision and Return to Work Directorate as part of a broader organisational restructure. The Directorate was created to strengthen the focus and regulatory approach for employers and support the development of an employer supervision strategy and framework. The strategy and framework for employers were finalised in 2022. These are consistent with its organisation-wide regulatory framework and outlines SIRA’s approach to planning and conducting regulatory activities in identified areas of highest risk.
In December 2021, SIRA also established an inspectorate to undertake employer education activities and conduct reviews of employer compliance with workers compensation obligations, in addition to those conducted by SafeWork NSW. Prior to this, SIRA did not have a dedicated employer supervision and compliance strategy or function, although it did provide educational resources for employers. It relied on SafeWork inspectors to conduct workplace inspections on its behalf, which were guided by SIRA’s modelling work.
SIRA has legislative powers to enter workplaces to gather evidence, conduct audits and reviews, and impose penalties for non-compliance. SIRA targets its employer inspections primarily through a predictive data analysis tool, with a smaller number of inspections in response to complaints or referrals. The predictive tool assesses new workers compensation claims made and identifies those that are at higher risk of a poor return to work outcome, based on factors including the type of claim and employer or industry.
SIRA has not allocated sufficient resources to investigate and prosecute fraud
SIRA has a legislative responsibility to assist in measures to deter and detect fraud within workers compensation schemes. In February 2023, SIRA engaged an internal review to assess its capability and structure in enforcement and prosecution in all schemes it oversees, including the Compulsory Third Party scheme and the Home Building Compensation Fund. The review found there was a backlog of high-risk fraud referrals. This could indicate that cases of fraud in the workers compensation system may have gone undetected or unaddressed in recent years. The review recommended SIRA expand its investigations team to reduce the backlog of matters and ensure all icare referrals are investigated.
During the audit, SIRA advised that while it has not fully responded to these recommendations yet, it has engaged additional resources for the employer investigations team and will consider additional resourcing in 2024–25. SIRA also advised it had taken other actions to reduce fraud risks, including initiating regular meetings with icare to discuss new fraud referrals and working with icare on a Memorandum of Understanding to strengthen fraud investigations and prosecutions. However, these actions are unlikely to address the issues relating to resourcing that were identified in the review.
Some of SIRA's research and pilot programs duplicate or overlap with those of icare
SIRA has a legislative function to 'to initiate and encourage research to identify efficient and effective strategies for the prevention and management of work injury and for the rehabilitation of injured workers'. In 2019, SIRA commissioned a review of its research strategy on workers compensation and other insurance schemes which it oversees. The review found, among other things, additional work was needed to coordinate SIRA's research program to avoid duplication. The review recommended SIRA improve collaboration with icare, SafeWork and other stakeholders and develop a model for knowledge translation to ensure evidence informs practice.
SIRA and icare's research and pilot programs still overlap in several areas, especially workplace mental health-related research. For example:
- icare has a ‘Front of Mind’ program that is focussed on developing and testing mental health platforms, like development of apps and education programs. SIRA has a 'Recovery Boost' program which provides grants to universities and private service providers to research and develop programs related to mental health.
- icare has also developed a 'Design for Care' program in partnership with Curtin University to research work design impacting mental health. Similarly, SIRA has funded various research projects on workplace mental health, including Monash University's work-connected interventions for psychological injuries, and Black Dog Institute's two-year research fellowship on recovery after psychological injury.
- icare has reported it would be developing a mental health strategy and action plan in 2022–23. SIRA has also developed action plans and strategies on mental health.
SIRA revised its research strategy in response to the review's findings and recommendations. SIRA's Research Strategy 2022–25 outlines its research objectives, actions, and measures of success. Actions include working with stakeholders to co-design research projects and working with stakeholders to prioritise research based on level of impact. Measures of success include creating opportunities for CSPs and other stakeholders to engage with SIRA's programs and increasing the number of research partnerships targeting personal injury evidence gaps.
NSW Treasury’s role in overseeing icare is not clearly defined, limiting its ability to support performance improvements in workers compensation
NSW Treasury does not have a legislated role in the management of workers compensation. icare is directly accountable to the icare Board and the icare Board is accountable to the responsible minister for icare achieving its statutory objectives. The TMF is funded by the NSW Government and has a direct impact on the NSW budget, so NSW Treasury has a role in advising the Treasurer on the performance and operations of the TMF. NSW Treasury also supports the minister responsible for icare, so has a role in advising the responsible minister in relation to icare's management of the NI. This includes reviewing and advising the minister on icare’s annual Statement of Business Intent, which icare must submit to the responsible minister and the Treasurer.
NSW Treasury has monitored icare’s financial and operational performance and has reported regularly on this to the responsible Minister and the Treasurer. However, NSW Treasury has not taken action to address issues that it is aware of. For example, when reviewing icare’s Statement of Business Intent (SBI) in 2022–23, NSW Treasury stated that it had concerns about the performance and financial sustainability of workers compensation schemes. Its response was to advise the responsible minister and the Treasurer to note its concern about these issues. In this review, NSW Treasury also advised that icare had not achieved its own forecasts from previous years for improvements to the financial position of the NI but did not propose any action in response to this. Similarly, NSW Treasury noted in another ministerial brief that icare made changes to its targets for return to work rates in 2020–21 that only required performance to be maintained or improve marginally. It expressed concern that this represented an acceptance of ongoing performance at lower than historical levels but did not propose any actions. NSW Treasury’s lack of specific responses to these issues reflects its limited powers to influence icare’s actions.
Recent changes to icare’s governing legislation allow the Treasurer or the Secretary of NSW Treasury to require icare to provide information relating to its activities. This may help NSW Treasury to be more active in its oversight of icare’s key decisions and activities. In November 2023, icare’s responsible minister announced that NSW Treasury will conduct a review of icare focusing on its operational costs.
This audit has identified several gaps in icare’s management of workers compensation schemes. For example, icare proceeded with changes to its claims management model for the NI that involve a multi-billion dollar procurement process without completing detailed options or benefit-cost analysis, as discussed in Chapter 2. icare has also focused significant resources and attention on internal corporate improvement activities that do not directly contribute to the achievement of the key legislative objectives of workers compensation schemes. Both of these issues have led to significant increases in icare’s costs without improved return to work outcomes in recent years. Stronger engagement from NSW Treasury with the icare Board could help improve icare's performance by providing advice and challenge in areas in which icare has consistently under-performed.
Appendix one – Responses from audited agencies
Appendix two – About the audit
Appendix three – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #393 - released 2 April 2024
Actions for Regulation insights
Regulation insights
What this report is about
In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.
This analysis includes performance audits, compliance audits and the outcomes of financial audits.
Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.
The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.
Audit findings
The analysis of findings and recommendations is structured around four key themes related to effective regulation:
- governance and accountability
- processes and procedures
- data and information management
- support and guidance.
The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.
In this report, we also draw out insights for agencies that provide a public sector stewardship role.
The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.
The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.
I am pleased to present this report, Regulation insights. This report highlights themes and generates insights about effective regulation from the last six years of audit.
Effective regulation is necessary to ensure compliance with the law. Effective regulation also promotes social, economic, and environmental outcomes, and minimises risks or negative impacts associated with certain activities. But regulation can be challenging and costly for governments to implement. It can also involve costs and impact on the regulated parties, including other public sector and private entities, and individuals. As such, effective regulation needs to be administered efficiently, and with integrity.
Having a clearly articulated and communicated regulatory approach is essential to achieving this outcome, particularly when this promotes voluntary compliance and sets performance standards that are informed by community expectations. A consistent approach to exercising regulatory powers is important: it should be supported by robust information about regulatory risks and issues, and accompanied with timely, proportionate responses. Providing relevant support to the regulated parties and coordinating activities to facilitate compliance and performance can generate efficiencies.
Finally, transparency matters. It matters so that government has oversight of and can be held accountable for its leadership of public sector compliance, and in regulating the activities of third parties. Transparency also matters because it can provide insights into the effective exercise of government power. To achieve this, meaningful regulatory information needs to be reported.
While these issues are most pertinent for government agencies that exercise traditional regulatory functions, they are also relevant to lead government agencies that provide a stewardship role in promoting compliance and performance by other government agencies in relation to particular areas of risk.
Over the past six years, our audit work has found many common and repeat performance gaps, creating risks, inefficiencies, and limiting outcomes of regulatory activities. In considering these gaps, this report provides public sector leaders with insights into the challenges and opportunities they may encounter when aiming for more effective regulation, including the good governance of regulatory activities. This includes insights for lead agencies that provide a public sector stewardship role. Through applying these insights and maximising regulatory effectiveness, unintended impacts on the people and sectors government serves and protects can be avoided or at the very least minimised.
Margaret Crawford PSM
Auditor-General for NSW
This report brings together key findings and recommendations relevant to regulation from selected performance and compliance audits between 2018 and early 2024 (19 in total), and from two reports that summarise results of financial audits during the same period. It aims to provide insights into the challenges and opportunities the public sector may encounter when aiming to enhance regulatory effectiveness.
The report is structured in two sections, each setting out insights from relevant audits and providing summaries as illustrative examples.
Section 3 is focused on insights from audits of agencies that administer regulatory powers and functions over other entities or activities (typically known as 'regulators'). The powers and functions of regulators are defined in law, and often relate to issuing approvals (e.g., licensing) for certain activities, and/or monitoring allowable activities within certain limits. Regulators often have compliance and enforcement powers that can be exercised in particular circumstances, such as when a regulated entity has not complied with relevant requirements.
Agencies may be primarily established as regulators or perform regulatory activities alongside other functions. Depending on the context, the regulated activity may relate to other state agencies, local government entities, non-government entities or individuals.
Section 4 summarises insights from a selection of audits of agencies that provide a stewardship role in promoting compliance by and performance of other state agencies and local government entities in relation to specific regulations or policies. These policies may or may not be mandatory and, unlike a more traditional regulator, the coordinating agency may not have enforcement powers to ensure compliance.
These policies, and accompanying guidelines and frameworks, are typically issued by ‘central agencies’ such as the Premier's Department that have a public sector stewardship role. They can also be issued by agencies with a leadership role in particular policy areas ('lead agencies'). While individual agencies and local government entities implementing these policies are responsible for their own compliance and performance, lead and central agencies have an oversight role including by promoting accountability and coordinating activities towards achieving compliance and performance outcomes across the public sector.
Readers are encouraged to view the full reports for further information. Links to versions published on our website are provided throughout this document, and a full list is in Appendix one. An overview of the rationale for selecting these audits and the approach to developing this report is in Appendix two.
The status of agencies' responses to audit recommendations
Findings from the audits referred to in this report were current at the time each respective report was published. In many cases, agencies accepted audit recommendations, as reflected in the letters from agency heads that are included in the appendix of each audit report.
The Public Accounts Committee of the NSW Parliament has a role in reporting on and ensuring that agencies respond appropriately to audit recommendations. Readers are encouraged to review the Public Accounts Committee's inquiries on agencies' implementation of audit recommendations, which can be found on the Committee's website.
Actions for Effectiveness of SafeWork NSW in exercising its compliance functions
Effectiveness of SafeWork NSW in exercising its compliance functions
What this report is about
This report assesses how effectively SafeWork NSW, a part of the Department of Customer Service (DCS), has performed its regulatory compliance functions for work health and safety in New South Wales.
The report includes a case study examining SafeWork NSW's management of a project to develop a real-time monitoring device for airborne silica in workplaces.
Findings
There is limited transparency about SafeWork NSW's effectiveness as a regulator. The limited performance information that is available is either subsumed within DCS reporting (or other sources) and is focused on activity, not outcomes.
As a work health and safety (WHS) regulator, SafeWork NSW lacks an effective strategic and data-driven approach to respond to emerging WHS risks.
It was slow to respond to the risk of respirable crystalline silica in manufactured stone.
SafeWork NSW is constrained by an information management system that is over 20 years old and has passed its effective useful life.
While it has invested effort into ensuring consistent regulatory decisions, SafeWork NSW needs to maintain a focus on this objective, including by ensuring that there is a comprehensive approach to quality assurance.
SafeWork NSW's engagement of a commercial partner to develop a real-time silica monitoring device did not comply with key procurement obligations.
There was ineffective governance and process to address important concerns about the accuracy of the real-time silica monitoring device.
As such, SafeWork NSW did not adequately manage potential WHS risks.
Recommendations
The report recommended that DCS should:
- ensure there is an independent investigation into the procurement of the research partner for the real-time silica detector
- embed a formal process to review and set its annual regulatory priorities
- publish a consolidated performance report
- set long-term priorities, including for workforce planning and technology uplift
- improve its use of data, and start work to replace its existing complaints handling system
- review its risk culture and its risk management framework
- review the quality assurance measures that support consistent regulatory decisions
SafeWork NSW is the work health and safety regulator in New South Wales. It was established by the State Insurance and Care Governance Act 2015.
As the regulator, SafeWork NSW is responsible for, among other things, enforcing compliance with the Work Health and Safety Act 2011 (the WHS Act) and the Work Health and Safety Regulation 2017. The regulator’s full functions are set out in section 152 of the WHS Act.
SafeWork NSW’s operations are guided by seven regulatory priorities for 2023, which contribute to three strategic outcomes:
- Workers understand their rights and responsibilities.
- Employers ensure that work is healthy and safe, with no advantage for cutting corners.
- Regulation is fair and efficient.
This audit assesses the effectiveness of SafeWork NSW in monitoring and enforcing compliance with the WHS Act, through the examination of three lines of inquiry:
- Does SafeWork NSW have evidence-based processes to set its objectives and priorities for monitoring and enforcing compliance?
- How effectively does SafeWork NSW measure and report its performance in monitoring and enforcing compliance against the WHS Act?
- Are SafeWork NSW's policies and procedures for monitoring and enforcing compliance applied consistency across different sectors?
As SafeWork NSW is part of the NSW Department of Customer Service (DCS), the department is the auditee. Prior to 2019, SafeWork NSW was located in the former Department of Finance, Services and Innovation. Unless otherwise stated, any reference to SafeWork NSW should be read as including the broader department in which it sits.
This chapter considers whether SafeWork NSW has evidence-based processes to set its objectives and priorities, including how it takes into account operational feedback and expertise. It also includes how existing and emerging risks are assessed as part of the priority-setting process, and how planning and prioritisation takes into account resourcing, including workforce skills and capacity.
SafeWork NSW's operating model is now based on annual regulatory priorities, rather than longer-term priorities
From 2016 to 2022, SafeWork NSW worked under a six-year Work Health and Safety Roadmap (‘the Roadmap’). The Roadmap was revised in August 2018 and included the following statements:
The WHS Roadmap for NSW, along with the BRD Strategic Plan, provides a clear line of sight between our strategic objectives and the activities that will allow us to deliver our overall outcomes. This Roadmap spans 2016-2022 but it will be refreshed and released every two years to ensure it stays relevant. |
In addition to the Roadmap, SafeWork NSW operated under its 2019–20 Strategic Business Plan.
After SafeWork NSW was moved into DCS, the Roadmap was subject to a mid-term evaluation by ARTD Consultants in 2020. SafeWork NSW management subsequently accepted all nine recommendations of that mid-term evaluation, which included the following:
- Strengthen business intelligence data systems to allow managers and inspectors to access to real-time data on safety incidents and workers compensation claim data (Rec 5).
- Improve evidence available to assess Roadmap outcomes in 2022 (Rec 9).
In 2023, SafeWork NSW replaced its six-year Roadmap with a model of setting annual regulatory priorities. Seven regulatory priorities were set for 2023. These priorities were:
- gig economy – increase safety and WHS compliance in the sector, particularly food delivery riders and health care
- safety around moving plant – reduce workplace safety incidents, particularly forklifts
- seasonal workplaces – increase WHS compliance to support itinerant workers, particularly in the agricultural sector and those working with amusement devices
- psychological safety – reduce the prevalence of psychological injury at workplaces, with a focus on mental health and well being
- respect at work – reduce the incidence of bullying, sexual harassment, and customer aggression in the workplace, particularly in make dominated sectors and healthcare
- exposure to harmful substances – reduce the incidence of worker exposure to dangerous substances in the workplace, particularly silica and dangerous chemicals
- falls – reduce the incidence of falls from heights with a particular focus on construction.
These priorities are intended 'to deliver on three strategic outcomes’:
- Workers understand their rights and responsibilities.
- Employers ensure that work is healthy and safe, with no advantage for cutting corners.
- Regulation is efficient and fair.
As SafeWork NSW works to deliver on these outcomes, the focus is on priority or vulnerable groups of workers – these being younger workers, workers from culturally and linguistically diverse backgrounds (especially newly arrived workers), and Aboriginal people.
Shorter-term priorities are intended to enable SafeWork NSW to be more responsive to work health and safety risks and were developed in consultation with operational staff
The adoption of shorter-term priority-setting is intended to enable a more agile approach to regulation that, according to DCS, is better able to adapt to changes in risk profiles and industries. It was put to the audit by some interviewees that the six-year plan was less able to respond to rapid changes in the economy that may lead to quickly emerging work health safety risks. An example commonly cited was the significant increase in gig economy workers, including in areas such as food delivery workers and personal care workers. It was put to the audit that this example highlighted new WHS risks unique to those emerging workplaces.
According to DCS, in addition to being more agile and responsive to macro changes in the workforce, the annual priorities are intended to enhance accountability by creating a more timely and contemporaneous link between activities and outcomes. The more immediate nature of annual priorities is also designed to provide a more immediate and tangible link to SafeWork NSW’s activities and ensure better accountability for delivery.
The annual priorities are intended to complement SafeWork NSW’s commitments under the national Australian Work Health and Safety Strategy 2023-33. This strategy sets a high-level vision and goal for Australia’s work health and safety regulators, including to address agreed persistent challenges, such as psychosocial risks, vulnerable workers, and ensuring that small businesses are adequately supported to meet their work health and safety obligations.
The process for developing regulatory priorities for 2023 involved internal consultation with SafeWork NSW executive directors, directors, managers, inspectors, project leads, as well as consultation with external stakeholders and experts. There is evidence that SafeWork NSW considered the feedback it received, including from its inspectors.
SafeWork NSW staff identified potential risks that SafeWork NSW will need to manage as the process for developing regulatory priorities continues to develop
The audit team interviewed almost all SafeWork NSW executive directors, directors, and team managers, particularly those performing regulatory functions. These interviews revealed a strong level of commitment to the purpose and functions of SafeWork NSW, as well as a shared desire to see the organisation fulfil its potential.
In regard to the annual priorities, senior executives and the majority of team managers we interviewed supported the adoption of annual priorities and expressed confidence that establishing annual priorities would improve the effectiveness of SafeWork NSW in delivering its compliance functions. It was noted by SafeWork NSW that the shift towards regulatory priorities 'brings us to a level of maturity mirroring the approach of regulators such as ASIC and the ACCC'.
While most staff interviewed during this audit welcomed the sharper focus and greater flexibility afforded by shorter-term priorities, others identified a range of risks. Some experienced people managers in SafeWork NSW expressed significant doubts about the pursuit of annual regulatory priorities. Risks identified during audit interviews included:
- That the short-term focus had prevented SafeWork NSW from establishing a longer-term goal or vision.
- That the annual priorities were simplistic and lacked sufficient detail to engage the regulator, industry, and the community.
- That short-term priorities would make it difficult to meaningfully measure and report progress, especially for activities and initiatives that may take longer to achieve demonstratable change.
- That the process of considering the next annual priorities may need to commence well before initiatives for the current year have been completed (or even commenced), hindering how effectively lessons can be incorporated into future planning.
- That frequent changes in regulatory priorities may make it difficult to ensure that the SafeWork NSW workforce has appropriate capability and capacity, particularly for potentially complex emerging threats such as artificial intelligence in workplaces.
In response to these risks, SafeWork NSW has noted that:
- SafeWork NSW has a separate vision in addition to the regulatory priorities. This is 'healthy, safe and productive working lives'.
- A review process will occur to understand what went well and what did not from the first year of regulatory priorities before finalising priorities for 2024.
- Planning will improve over time as the process reoccurs, and lessons learned will be linked to future priorities.
The inability to achieve full ‘buy-in’ from experienced people managers in SafeWork NSW suggests that change management, including consultative and communication processes, has not been completely successful. SafeWork NSW advised that this initiative was a significant shift for all its staff and in particular middle management. Given this, the leadership of SafeWork NSW should prioritise investment in effective change management processes, especially if the annual regulatory priorities are anticipated to change in 2024.
Importantly, the SafeWork NSW leadership team should undertake strategic planning to ensure that a meaningful set of longer-term priorities underpin their investment decision-making on organisational fundamentals, such as a capable and sustainable workforce and fit-for purpose technology systems. Without this, there is a real risk that the regulator's business needs and priorities will be overtaken by the priorities of a much bigger department.
SafeWork NSW consulted with external stakeholders in determining its 2023 annual regulatory priorities
SafeWork NSW developed a discussion paper in 2022 for external stakeholders as a precursor to consultation on its 2023 annual priorities. This discussion paper outlined an intent by SafeWork NSW to develop a new strategy that would prioritise activities that were the biggest points of leverage to drive material change and were the biggest risks and most important trends affecting WHS in NSW.
SafeWork NSW considered expert feedback and expertise in the development of its regulatory priorities through this process. A summary document detailing the rationale for its regulatory priorities provides evidence that feedback from external stakeholders, such as unions and industry groups, were taken into account.
SafeWork NSW has not established a formal process for determining its regulatory priorities for 2024 and beyond
SafeWork NSW has an indicative timeline for preparing its 2024 priorities which provides that the priorities will not be settled until March 2024 and will be based on the results of the previous year’s priorities to December 2023. However, no ongoing process for determining annual priorities in each future year was settled at the time of writing this report. Some priorities might be expected to remain relatively constant, especially persistent challenges such as preventing falls from heights. However, if the annual priorities model is to meet the expectation of being agile, then new and emerging priorities will need to be identified, understood, scoped, and responded to with relatively short notice.
Elements of the 2023 regulatory priorities will overlap with any new or revised priorities, such as the monitoring and evaluation framework, and the three-year Construction Services Blueprint. SafeWork NSW explains that these longer-term initiatives are 'intended to support the delivery of priorities that are likely to run over many years, providing more granular detail on specific drivers of harm, regulatory responses and targets'.
SafeWork NSW does not effectively use data to inform its priority-setting or assessment of risk, despite adopting the recommendations from the 2020 mid-term Roadmap evaluation
SafeWork NSW states that it chose its regulatory priorities in 2023 based on the following factors - potential for serious harm or death, new or emerging risks, and increases in the frequency of an issue. An emerging issue is where:
A hazard and/or risk to health and safety relating to a new or existing product, process or service was not previously known or fully realised and SafeWork NSW intervenes to address the workplace health and safety risks for example, guidance material, training, regulatory change. |
SafeWork NSW has a substantial data repository, with over 20 years of case and activity data contained in its Workplace Services Management System (WSMS). However, SafeWork NSW does not effectively interrogate this data to provide an evidence base for its regulatory functions.
SafeWork NSW has only recently established a data governance committee. SafeWork NSW also advised that a data science function was created within the Centre for Work Health and Safety during 2023, repurposing existing resources and supported by a business intelligence working group comprising of inspector representatives from operational directorates.
While this data science function is newly created, SafeWork NSW does not have a strategic business intelligence function that is both recognised and understood across each directorate and team, and the ability of its technology infrastructure to deliver sophisticated strategic and operational data intelligence has been limited.
As a result of this lack of central coordination and capability, directorates have sought to develop their own data analysis capability, with inconsistent, fragmented and potentially duplicative results. The audit did find specific (albeit isolated) examples of data being used to inform decision-making, though these efforts were disparate and uncoordinated at the directorate level.
SafeWork NSW said that data is used to inform leadership discussions at the quarterly SafeWork NSW Leadership Meetings, and monthly operational executive meetings. The audit did not review the agenda papers for these meetings.
At the 2020–21 NSW Parliament Budget Estimates Committee hearing, SafeWork NSW stated that it:
…used predictive analytics and machine learning to generate a WHS rating system leveraging a large dataset to aid decision-making. The WHS rating supports an evidence-based approach to identifying high risk workplaces and provides additional data-based evidence to assist in decision-making'. |
SafeWork NSW has started to use artificial intelligence to interrogate historical compliance data to rate the risk of different employers. However, this is used inconsistently across SafeWork NSW and there is limited evidence about its effectiveness. A similar tool does not exist for industry or product-related trends or relationships that may assist SafeWork to proactively identify high-risk workplaces and issues.
Outdated technology and uncertainty in planning its replacement is limiting SafeWork NSW's ability to effectively use its data for analytics and insights
SafeWork NSW uses WSMS to manage work health and safety data. This system has been in place for over 20 years. It was noted in interviews conducted during this audit that this data system is at the end of its effective life.
Issues noted by users of WSMS include:
The lack of governance associated with data management of WSMS. There is no data custodian, and a formalised data quality assurance process does not exist. This means that data can be extracted from the system with no controls on the accuracy of the analysis.
Access to WSMS cannot be tracked (and is therefore not auditable).
- Data quality is variable, depending on the quality of notes provided by inspectors (with individuals noting that these notes could be full of speculation), and inconsistent approaches to entering information into the system. At the same time, inspectors noted that entering information into the system can be an administrative burden due to duplication and time requirements.
- Analysis cannot readily be undertaken on a geographic basis (for example, all high-risk employers within a particular region).
- As WSMS does not track information about the directors of companies, it is unable to identify risks associated with 'phoenixing', where directors of wound-up businesses establish new entities, or other forms of related-entity risk. The audit team linked WSMS data with ASIC data to match company directors with company and notice data. This was done in order to understand the additional intelligence that could be used to inform risk-based decision-making. As an example, the audit found that there is a large number of companies that have not received notices from SafeWork NSW but may be at higher risk due to the conduct of their directors:
- There were approximately 151,000 companies with directors that were also linked to at least one other company that had received at least one type of notice from SafeWork NSW.
- There were approximately 24,500 companies with directors that were also linked to one or more companies that had cumulatively received over 100 notices from SafeWork NSW.
- There were approximately 8,600 companies with directors that were also linked to one or more other companies that had cumulatively received over 400 notices from SafeWork NSW.
In addition to the feedback provided by WSMS users within SafeWork NSW, the audit team also found related data quality issues during the course of our own analysis, including:
- Industry analysis is more challenging to perform because specific industry data points and grouping details are not captured in WSMS.
- There was no systematic method to identify all silica-related incidents. The search terms were not standardised and relied on judgement, for example: ‘silic’ (potentially capturing both ‘silica’ and ‘silicosis’) and ‘benchtop’, though SafeWork NSW advised that consultation with subject matter experts informed these searches. There is a high-risk of false positives and incomplete analysis without time intensive manual review of each identified case. WSMS was not readily able to provide data on silica-related complaints without workarounds and manual file review (which proved unreliable) and requiring significant effort from data staff in both the Audit Office and SafeWork NSW.
- Test data is captured in production systems, rather than in test systems. These records do not have a unique identifier and are difficult to identify and isolate for business intelligence analysis.
- Data validations are not enforced (for example, on Australian Business Number, Australian Company Number columns). Instead, the data entry fields allow for incorrect details to be captured or left blank without explanation from the staff entering the data.
SafeWork NSW provided advice to the audit team that an upgrade of WSMS was planned as part of the broader e-regulation program across DCS (that is, the single digital platform for all 28 business regulators). However, this upgrade is now uncertain as there is no funding for SafeWork NSW to be onboarded to the new platform. This means that for the foreseeable future SafeWork NSW will be constrained by the limitations inherent to WSMS.
SafeWork NSW took around eight years to actively and sufficiently respond to the emerging risk of respirable crystalline silica in manufactured stone
Silicosis is a progressive, occupational lung disease resulting from inhalation of respirable crystalline silica (RCS). Silicosis is one of the oldest known occupational diseases, particularly affecting industries like mining. In Australia, silicosis has been a known cause of death and disability for over 100 years. This disease is preventable through appropriate workplace practices in a hierarchy of controls, which includes the use of correct personal protective equipment.
The use of manufactured stone for applications such as kitchen benchtops became popular in Australia in the early 2000s. Other substances that contain silica, such as rock, stone, clay, gravel, concrete and brick, may contain between 2% and 40% silica. In contrast, manufactured stone contains up to 95% silica. Workers exposed to respirable crystalline silica from manufactured stone are more likely to develop severe silicosis (and other serious lung diseases), and more quickly, than workers exposed to silica from other sources.
In 2010, international research was published that pointed to the specific heightened risk posed by the high silica content of manufactured stone used primarily for kitchen countertops and bathroom fixtures. This was confirmed by subsequent research published in 2012, which concluded that, in regard to a documented outbreak of silicosis among manufactured stone workers in Israel:
This silicosis outbreak is important because of the worldwide use of this and similar high-silica-content, artificial stone products. Further cases are likely to occur unless effective preventive measures are undertaken and existing safety practices are enforced. |
This research was relevant to Australia as the sample of workers was derived from the same Israeli-based manufacturer and exporter of manufactured stone that supplies the majority of the product used in Australia.
The first identified group of related workers who contracted silicosis in NSW was reported in literature in 2015. Further cases have been reported in the media since 2015. These included examples of relatively young workers developing silicosis, presumptively from inhaling silica dust derived from manufactured stone.
In 2017, SafeWork NSW listed RCS as one of the top ten priority chemicals in its 2017–2022 Hazardous Chemicals and Materials Exposures Baseline and Reduction Strategy (dated October 2017).
A legislatively-mandated case finding study conducted by SafeWork NSW in 20213 reported that screening conducted by icare between 2017–18 and 2019–20 found an average of 29 cases per year of silicosis among workers in the manufactured stone industry.4 Despite the relatively small size of this workforce, this was three times the number of cases of all workers engaged in all other at-risk industries.
While the heightened risk posed by respirable crystalline silica in manufactured stone was first published in research in 2010 and detected in cases from 2015, SafeWork NSW’s first substantial practical response commenced in 2018–19.
From July 2018, SafeWork NSW convened a Manufactured Stone Industry Taskforce, including representatives from industry, unions, health, education and other government agencies. During the term of this taskforce (which ended at 30 June 2019), SafeWork NSW conducted 523 visits to 246 manufactured stone sites. These inspections resulted in 656 improvement notices being issued, along with 43 prohibition notices (this included matters not related to silica). Prior to this, the extent of SafeWork NSW’s active response to the emerging risk was to conduct a limited inspection program of six work sites in May 2017 (one site) and August 2017 (five sites). The results of these six workplace visits were incorporated into a research project report that was finalised in August 2018.
In the period from 2012 to 2018, SafeWork NSW also received complaints about silica-related matters, including matters not related to manufactured stone. These are detailed in Exhibit 1 below. The number of complaints was a relatively small proportion of all complaints received, though the number increased after 2018. This increase may be a result of increased community and industry awareness through media reporting and SafeWork NSW’s proactive audit work.5 The majority of these complaints did not result in further regulatory action by SafeWork NSW beyond preliminary inquiries and, in some cases, site visits. The right-hand column of the below table shows key events leading up to and shortly after SafeWork NSW’s first regulatory interventions.
Year | Number | Silica-related activity and events |
2012 | 55 | International published research reiterates 2010 findings of a link between manufactured stone and silicosis. |
2013 | 52 | |
2014 | 55 | |
2015 | 38 | First NSW case series linked to manufactured stone industry. |
2016 | 54 | Youngest known case of silicosis in NSW admitted to hospital. |
2017 | 70 | Crystalline silica listed as the second priority chemical (out of 10 priority chemicals) by SafeWork NSW. Media reporting on the ABC. |
2018 | 104 | SafeWork NSW commences proactive work. Manufactured Stone Industry Taskforce commenced. Media reporting on the ABC, The Project and Daily Mail on silicosis. |
2019 | 173 | NSW Parliamentary Dust Diseases Review. Probable first Australian death from silicosis caused by manufactured stone. |
2020 | 210 | Silicosis becomes notifiable, fines introduced, workplace exposure standard halved. |
2021 | 174 | Respirable crystalline silica exposure in the NSW manufactured stone industry case finding study undertaken. Media reporting by The Project and ABC 7.30 Report. |
2022 | 193 | |
2023* | 381 | |
TOTAL | 1559 |
* 2023 data are to 30 November 2023.
Note: Complaints received by SafeWork NSW where the issue description includes ‘silic*’ or ‘benchtop’. This will include silica derived from sources other than manufactured stone, including relating to those products listed in the Safe Work Australia 2020 national guide.
Source: Audit Office analysis of WSMS data.
High-profile media reporting in 2018, 2021, and early 2023 appeared to provide impetus to SafeWork NSW’s regulatory actions. SafeWork NSW subsequently conducted further rounds of proactive compliance, education and awareness activities among identified workplaces. This work increasingly targeted high-risk workplaces. Since 2018–19, SafeWork NSW has conducted three rounds of workplace inspections that have progressively focused on the highest risk workplaces. This program has adopted a strategic and evidence-based approach.
Since October 2019, 17 matters were progressed to further investigation with a view to prosecution. Five silica-related matters have been filed in court for prosecution. Three of these matters were still in court at the time of this audit, and two matters have been finalised.
In 2020, NSW introduced a range of legislative reforms including:
- Banning the practice of dry cutting engineered stone containing crystalline silica. Maximum penalty of $30,000 for a body corporate and $6,000 for an individual, with on-the-spot fines for uncontrolled dry processing of engineered stone.
- Halving the Workplace Exposure Standard from 0.1mg/m3 to 0.05 mg/m3 (ahead of the national deadline to implement it).
- Silicosis becoming a notifiable disease requiring clinicians to report each case of silicosis diagnosed in NSW. Those notifications are shared with SafeWork NSW to manage a NSW Dust Disease Register. An annual report is tabled in Parliament and published on the NSW Government website www.nsw.gov.au (NSW Silica Dashboard) alongside some information on compliance activities.
- On 27 October 2020, silicosis became a notifiable disease requiring clinicians to report each case of silicosis diagnosed in NSW. Those notifications are shared with SafeWork NSW to manage a NSW Dust Disease Register. In August 2021, SafeWork NSW published the first NSW Dust Disease Register Annual Report, detailing diagnosed cases of silicosis, asbestosis, and mesothelioma in NSW during 2020–21 and the Case Finding Study Report on silica exposure in the Manufactured Stone Industry. The Annual Report is tabled in Parliament and published on the NSW Government website www.nsw.gov.au (NSW Silica Dashboard) alongside some information on compliance activities.
Also in 2020, SafeWork NSW released the NSW Dust Strategy 2020-2022, which identified silica as one of three focus areas for the regulator.
In February 2022, New South Wales introduced the NSW Code of Practice – Managing the risks of respirable crystalline silica from engineered stone in the workplace, based on the National Model Code that was finalised in late 2021. The Code provides practical information on how to manage health and safety risks associated with respirable crystalline silica from engineered stone in the workplace.
Silica continues to be a priority for SafeWork NSW in 2023 under the SafeWork NSW regulatory priority: Exposure to harmful substances - Reduce the incidence of worker exposure to dangerous substances in the workplace, particularly silica and dangerous chemicals.
The online NSW Silica Dashboard provides members of the public with information on SafeWork NSW’s silica workplace visit program that commenced in 2018 through to 30 September 2023.
Organisational silos within SafeWork NSW contribute to inconsistent regulatory decision-making, duplication of effort, and inefficient practices
There is evidence indicating that SafeWork NSW works in silos, with limited communication, collaboration, and awareness of activities across functions.
We note the finding made by the South Australian Independent Commission Against Corruption in reviewing SafeWork SA:
A failure to ensure adequate and appropriate communication within an agency can result in duplication of effort, inconsistent approaches to the same function and the creation of unique risks. |
The existence of silos was evidenced by the audit team through:
- The inconsistent application of policies and procedures. For example, performance management practices differ between directorates and individual teams. This is further discussed in Chapter 4.
- How data is used across SafeWork NSW. While there are pockets of effective data analysis, they often seem to operate in isolation from each other, resulting in duplication and a failure to achieve economies of scale and the benefits of synergies.
- Limited feedback loops across SafeWork NSW. SafeWork NSW does not have an overarching continuous improvement framework, and communication surrounding decision-making is limited. For example, where the Investigations and Emergency Response team decide to discontinue an investigation, there is no requirement to inform the referring inspector that this has occurred, or the rationale behind the decision.
Similar findings on the existence of silos, and the need to improve teamwork and collaboration, have been made by SafeWork NSW in internal reviews undertaken as part of restructuring activities.
This audit also found broader issues of concern regarding organisational structure. SafeWork NSW staff frequently expressed reservations about the effectiveness of the current structure and compared it unfavourably to the regulator’s previous form. In particular, some SafeWork NSW staff said that the existing structure:
- reduced SafeWork NSW’s profile as the regulator for work health and safety in NSW
- confused lines of accountability for senior strategic leadership
- diluted the regulator’s focus and the cohesion of the staff.
The Independent Review of SafeWork NSW being conducted by Mr Robert McDougall KC is examining organisational structural issues. In the interim, the decision has been made by DCS that SafeWork NSW will transition out of the Better Regulation Division of DCS from 1 December 2023, to become a standalone division within DCS.
Organisational restructuring and any uncertainty that it involves in the short- to medium-term could impact on the SafeWork NSW's progress in achieving desired policy outcomes, especially if the change management process is not effective.
The lack of a strategic approach to data and intelligence by SafeWork NSW hampers effective targeting and prioritisation of proactive compliance activity
Effective proactive compliance work is an important part of an effective regulatory approach. For SafeWork NSW, these activities range from dedicated state-wide programs over extended periods through to specific, localised ‘blitzes’ of targeted workplaces. These activities are performed alongside 'reactive compliance activities' such as responding to incidents, complaints, or requests by ‘persons conducting a business or undertaking’ (PCBUs) for education and awareness-building activities.
In accordance with Safe Work Australia’s National Compliance and Enforcement Policy, proactive compliance activities are intended to be:
…conducted in line with the activities of assessed highest risk and the strategic enforcement priorities. |
SafeWork NSW’s proactive compliance activity is intended to be based on:
- SafeWork NSW’s annual regulatory priorities
- data and insights on high-risk harms, industries or businesses
- the identification of new or emerging risks
- targeted programs focused on reducing the greatest harms.
As discussed earlier in this section, SafeWork NSW does not effectively use data to inform priorities or to assess risk.
While managers at SafeWork NSW referred to an overall target for proactive work (it was commonly suggested that between 60% and 70% of regulatory activities should be proactive), we were informed by the Head of SafeWork NSW (and Deputy Secretary of the Better Regulation Division) that there was no specific target.
In practice, there is significant variation in the mix of proactive and reactive compliance activities between directorates and teams, with some teams doing either largely proactive or largely reactive activities. This can depend on the nature of the industry sectors and geographic areas in which they function, and the extent of teams’ non-discretionary reactive workload.
Planning, implementing and evaluating proactive compliance work is inconsistently done across SafeWork NSW, making it hard to assess whether resources are being used effectively
The audit team found widely differing approaches to how directorates and even individual teams within the same directorate used evidence to identify and target risk areas for proactive work programs, such as blitzes. While there was evidence that data was used to inform how activities would be targeted, this was not consistent. For example, some teams draw on intelligence generated by dedicated interventions staff in their directorates, while others rely entirely on opportunistically identifying potential worksites for proactive work by driving or walking past sites. The audit found examples of effective use of data and intelligence to plan proactive activities.
There is also no consistent approach to planning, implementing, or evaluating proactive compliance work across SafeWork NSW. Even within the same directorate, there can be significant differences in approach. Some of these differences can be explained by the different types of matters and circumstances that apply to PCBUs across different industries. However, inconsistencies extended to fundamental aspects of proactive compliance work such as:
- the rigour of evidence and intelligence by which priorities are determined and targeted, which was partly reflected by directorates having different levels of internal data capability
- the degree of project management capability and resourcing, including where some directorates have dedicated specialist project management skills, while others rely on inspectors to perform project management
- the extent to which different directorates and teams had a clear approach to how programs would be evaluated, beyond simply measuring activity, something which appears undermined by the absence of an evaluation framework
- whether the strategic intent of programs and blitz activities are to drive meaningful behavioural change or just, as some interviewees expressed it, to ‘make sure they tick some boxes.’
These material differences and lack of consistency in approaches to proactive compliance makes it difficult to assess whether these activities are effective and efficient regulatory interventions. While there was strong support for proactive compliance activity among both managers and inspectors (indeed, most thought that there should be more proactive activity), there were relatively few who could provide an evidence base to justify the significant staff resources that they consume.
The Centre for Work Health and Safety has a function to improve data, research, and evidence to support risk identification
The Centre for Work Health and Safety (CWHS), a functional unit within SafeWork NSW, was established in December 2017 under the WHS Roadmap 2016-2022. Among other things, it has an insights and analytics function. Its establishment was driven by the recognition that SafeWork NSW was not effectively using data and evidence to support its decision-making and activities.
Two pieces of work undertaken by the CWHS are intended to provide SafeWork NSW with greater capability in identifying and addressing risk in both strategic and operational contexts.
First, the WHS Radar project is intended to deliver ‘…regular and actionable insights about WHS in an Australian context.’ Conducted twice a year, the WHS Radar synthesises information about work health and safety by drawing on five sources of evidence:
- existing data, including incidents, worker’s compensation, ABS, and prosecutions
- analysis of grey literature (non-peer reviewed sources, such as government reports, some conference papers, and reports from academic, business and industry bodies)
- social media listening
- nationwide survey of WHS inspectors and experts
- nationwide survey of Australian workers across all industries.
The WHS Radar is intended to reduce the extent to which SafeWork NSW is dependent on lag data, by actively collecting more contemporaneous data from multiple sources. The first WHS Radar report was released publicly in April 2023.
A second piece of work delivered by the CWHS is the WHS Risk Rating tool for a PCBU.6 This tool attributes a rating to many businesses in NSW based on assessment of their future risk of non-compliance with WHS legislation. The WHS Risk Rating is intended to:
- support existing SafeWork NSW Triage decision-making
- support IDMP decision-making
- select high-risk profiles during blitz operations
- proactively screen and target high-risk profiles.
While some managers in SafeWork NSW did use the WHS Risk Rating tool, others were less confident in its value, expressing doubts about the accuracy and completeness of the data, or were not aware of it at all. These inconsistent views between different managers and directors, between those who use the WHS Risk Rating tool and those who do not use it or do not even have awareness about it, suggests that its purpose and functionalities have not been fully communicated to the wider inspectorate.
The governance of the CWHS, and particularly its relationship to SafeWork NSW, is somewhat unclear. While the Centre sits under the Executive Director, Regulatory Engagement, it identifies on its website as ‘A division of the Department of Customer Service’. Structurally, it is equivalent to a directorate under the Regulatory Engagement business area of SafeWork NSW, rather than a division of the department.
SafeWork NSW's inspectors are its core asset, and its ability to recruit, train and retain inspectors is key to fully performing its functions and meeting the internationally recognised benchmark
SafeWork NSW is funded to fully operate with up to 370 inspectors, though with 352 inspectors at August 2023 it has not recruited to full capacity.
Staff retention within the inspectorate has been a historic strength of the regulator. However, there has been a recent increase in inspector turnover. SafeWork NSW notes that from 2020 to 2022 attrition rates doubled from 5.3% to 10.6% within the inspectorate, which – due to the average age of its workers – was anticipated. Nearly one-third of inspectors were 56 years or older in the 2021–22 financial year. SafeWork NSW also experienced a general increase in resignations since the COVID-19 pandemic.
Increased recruitment activity is intended to mitigate the impact of ongoing attrition due to retirement. However, given the training requirements for new inspectors, there is a significant lag time between recruitment and the utility of inspectors in the field to progress regulatory priorities. SafeWork NSW notes however that inspectors receive authorisations to use their powers throughout the 12-month training period, with individuals assessed at a number of stages based on individual competence.
Where there have been capacity limitations, there have been localised responses such as the sharing of inspectors between teams, or the change in resourcing profile of investigations where instead of one inspector working on a case, a case is assigned to a team.
The International Labour Organization sets a benchmark of one labour inspector per 10,000 workers in industrial market economies. This benchmark is considered the number of inspectors deemed sufficient to ensure the effective discharge of the duties of the inspectorate. In October 2022, SafeWork NSW reported at the Parliamentary Budget Estimates Committee hearings that recruiting the full contingent of 370 inspectors would have meant that there was one SafeWork NSW inspector for every 10,000 workers, allowing it to meet this benchmark.
SafeWork NSW provided advice to the audit team that forecast increases in the number of workers and workplaces in New South Wales will result in 471 inspectors being required to meet the International Labour Organization benchmark by 2027.
SafeWork NSW inspectors can take up to two years to be considered ready to be fully utilised, due to training requirements and variations in their experience
Once recruitment is completed and new inspectors commence employment, they will start the New Inspector Training Program (NITP). The NITP is a 12-month comprehensive training program which prepares new Inspectors to perform the duties required of an Inspector within SafeWork NSW as well as providing training and assessment required for the PSP50116 Diploma of Government (Workplace Inspection) qualification. Inspectors will be fully trained after 12 months.
They will be issued with their instrument of appointment (authorities) to use their powers throughout the 12 month course. However it was noted throughout interviews with the inspectorate that it can take up to two years for new inspectors to be deployed in the field on their own and confidently making decisions. SafeWork NSW notes that the level of mentoring and support provided to individual inspectors, and access to a variety of experiences to build a range of skills contributes to variations in new inspectors building their confidence.
SafeWork NSW also provides:
- a structured framework for new inspector onboarding and capacity-building, including in May 2023 formalising requirements for accompanied field visits, and delivering the NITP, delivered by the SafeWork NSW Registered Training Organisation (RTO) and utilising experienced inspectors from across the directorate to deliver training across the 12-month period
- a SafeWork NSW Inspectorate and Manager Continuing Professional Development Program Policy
- formal processes for Inspectorate Continuing Professional Development and Manager Continuing Professional Development, including recognition of prior learning through credit transfer from other registered training organisations
- a formalised procedure for inspectors to progress to senior inspector and principal inspector.
While it was beyond the scope of this audit to assess the effectiveness of this training and capability development framework, it was recognised by interviewees that the commitment of time and resources provided by SafeWork NSW to training inspectors was significant. This underscores the importance of ensuring the effective use of inspectors.
There are inconsistent expectations around the responsibilities of SafeWork NSW inspectors and managers for identifying new and emerging issues
Inspectors may apply to the Inspector Progression Panel of SafeWork NSW to progress from Inspector to the level of Senior Inspector, or Senior Inspector to the level of Principal Inspector. In addition to the overarching requirements of the (Department of Customer Service – SafeWork NSW Inspectors 2007) Reviewed Award, this process is governed by a formal written procedure.
This procedure sets out that in considering applications for progression, the panel should take into account whether the applicant has fulfilled the responsibilities of their current role. The procedure specifies that inspectors and principal inspectors are accountable to:
Identify trends and emerging issues and provide advice to inform decision making.’ |
It is unclear why inspectors and principal inspectors have this responsibility, but not the intermediate level of senior inspectors. It is also unclear whether people managers, such as team managers, directors, and executive directors, also have similar formal obligations to proactively identify emerging issues.
Moreover, as senior inspectors are not accountable for identifying trends and emerging issues, inspectors are not assessed against this accountability when seeking progression to the senior inspector level. In contrast, when seeking progression from senior inspector to principal inspector, the applicant is required to provide evidence of how they meet this accountability, even though it is not an accountability specified for senior inspectors.
The accuracy of SafeWork NSW’s workforce planning is uncertain
Workload capacity is managed at the directorate level, with a forecasting report on the capacity across all teams discussed quarterly at the SafeWork NSW Leadership Group. Inspectors do not fill out timesheets, instead, this is based on time estimates for specific activities undertaken by inspectors. Directorates are also responsible for leading or supporting work against specific regulatory priorities, requiring directorates to discuss workforce capacity as part of planning proactive work.
SafeWork NSW has a 'workload management treatment model' that provides operation guidance once certain thresholds are reached within this forecasting report. These mechanisms include the reallocation of resources within the directorate at 125% of capacity reached, sharing and reallocation of work between equivalent portfolios at 150% of capacity reached, and cross directorate sharing of work and resources as well as the cessation or deference of work at 175% of capacity reached.
The actual allocation of inspectors to individual directorates is determined at the executive level when vacancies arise, with SafeWork NSW noting that 'consideration is given to the demand for regulatory services (current and expected future) across all teams to determine which directorate and office location a replacement position should be allocated'.
Audit interviews identified some concern that the calculations the forecasting reports are based on were not accurate, overestimated time, and that the data was used inconsistently and as a method to 'grab for resources'. While this audit did not examine SafeWork NSW's forecasting methodology in detail, a sample of the workforce forecasting report for April to June 2023 showed average capacity ranging from 9% to 390%, which may indicate under-utilised or over-utilised teams, or under or overweighted activities.
While there are mechanisms in place to review operational capacity, longer-term strategic workforce planning does not seem to form part of these review processes.
As part of developing its regulatory priorities, SafeWork NSW released a discussion paper that noted broader trends affecting workplaces and communities that it regulates, for example the rise in mental health issues in the workplace, automation, and the return of regional on-shore manufacturing. SafeWork NSW has a SafeWork Inspectorate and Manager Continuing Professional Development Program Policy, however this policy was only finalised in July 2023.
3 This study, conducted by a third-party, stemmed from a recommendation made by the NSW Parliament’s 2019 Dust Disease Review to amend the WHS Act to require SafeWork NSW to ensure that a case finding study was carried out:
to investigate respirable crystalline silica exposure in the manufactured stone industry, and
to gather information to improve the identification and assessment of workers at risk of exposure.
The purpose of this recommendation was to ‘to improve the identification and assessment of workers at risk of exposure.
4 The authors of this case finding study identified significant data limitations, which meant that it was not possible to estimate with confidence the complete number of workers potentially affected by silicosis.
5 Because of the lag period between when a worker is exposed to risky work practices and when they may develop silicosis, complaint data is not necessarily a useful tool to identify the emerging risk, especially where awareness of the risk is low. Unlike with risks that pose a more immediate and direct harm – such as falling off an insecure elevated platform - individuals may be less conscious to complain about a risk where the potential injury is not immediately visible.
6 A person conducting a business or undertaking has the primary duty of care for work health and safety.
This chapter considers how effectively SafeWork NSW measures and reports its performance in monitoring and enforcing compliance with the WHS Act. This includes whether it has meaningful performance measures, whether its performance is transparent to all stakeholders, and whether it uses performance information to support continuous improvement and quality assurance.
Performance measurement and reporting are essential to demonstrating a regulator's effectiveness
The Audit Office’s 2022 Audit Insights 2018–22 report noted that:
Defining measurable outcomes, tracking and reporting performance are core to delivering system stewardship, and to ensure effective and economical use of public funds.’ |
The same report also observed that government activity should:
…be supported by performance frameworks that provide structure for agencies to set performance targets, assess performance gaps, measure outcomes achieved, and benefits realised, capture lessons learned, and implement continuous improvement. |
Relatedly, the Organisation for Economic Co-Operation and Development has said that it is important for regulators to be aware of the impacts of their regulatory actions and decisions, and that this:
…helps drive improvements and enhance systems and processes internally. It also demonstrates the effectiveness of the regulator to whom it is accountable and helps to build confidence in the regulatory system. |
SafeWork NSW reports its activities and performance against certain KPIs, along with equivalent regulators in other Australian jurisdictions
Safe Work Australia, the national policy body for work health and safety, collects, analyses and publishes data across jurisdictions. SafeWork NSW provides data on regulatory activities such as the volume of proactive and reactive regulatory work, and performance measures such as injuries and fatalities. This is contained in the Safe Work Australia Comparative Performance Monitoring – Work Health and Safety Performance, and Work Health and Safety Compliance and Enforcement Activities reports.
The data published by Safe Work Australia provides comparative and longitudinal performance data relating to workplace injuries, fatalities, and compliance activities. This is ‘lag’ data, often 12 months or more in arrears. SafeWork NSW notes that due to the currency of data, it is not useful for planning purposes.
The ability to directly compare jurisdictional activities to form a view on the effectiveness of each regulator is limited, due to differences in how each work health and safety regulator works and the scope of their powers and responsibilities. For example, unlike in other states and territories, SafeWork NSW is not responsible for claims management or return to work matters.
Data reported by SafeWork NSW to Safe Work Australia indicates that, while fatalities have decreased, SafeWork NSW may not have had meaningful impact on the rates of serious injuries and disease claims since 2016–17
The data provided to Safe Work Australia shows that SafeWork NSW has presided over a period where there has been an increase in the incident rate of serious injury and disease claims in New South Wales. While SafeWork NSW is not responsible for workers compensation, the payment of workers compensation necessitates that a workplace injury has occurred.
The audit team has not seen evidence that SafeWork NSW has interrogated the root cause data trends since 2016–17 (discussed below). While the causes of workplace injury are often complex and multifaceted, the data suggests that SafeWork NSW may not be having a meaningful impact on reducing rates of serious injuries, but the poor data quality means that we cannot be sure. It was beyond the scope of this audit to specifically examine serious injuries and disease claims, or the root cause(s) for the upward trend.
An extract of one performance indicator is shown in Exhibit 2 below. It shows serious injury and disease claim data from 2012–13 through to 2020–21 (where 2020–21p stands for preliminary data). The 2015–16 financial year is highlighted to indicate the establishment phase of SafeWork NSW.
This chapter considers selected policies and procedures that SafeWork NSW has implemented to ensure that it performs its compliance functions in a manner that is consistent with regulatory good practice. This includes that regulatory decisions are fair, consistent, predictable, transparent and in accordance with any laws or government policy. This extends to how complaints and incidents are initially triaged, the decisions inspectors make in response to complaints or incidents, and decisions made about whether a matter is referred to investigation for possible prosecution.
SafeWork NSW has made significant efforts to promote consistency in regulatory decision-making
A core element of an effective compliance regime is that the regulator’s behaviour and decision-making should be consistent and predictable. This encourages trust and confidence in the regulator, while promoting clarity and certainty among regulated entities.
SafeWork NSW faces particular challenges to achieving consistency in regulatory outcomes without fettering the legislative decision-making authority of individual inspectors. The audit was made aware of cases where stakeholders could not understand the rationale by which decisions were made, including in matters raised in Parliamentary Budget Estimates Committee hearings.
The reasons for the lack of consistency, whether perceived or actual, includes such matters as:
- the unique circumstances that may apply to individual risks, hazards, or incidents
- the wide variation in characteristics of PCBUs, including in regard to matters that might affect their culpability for non-compliance, such as their size or compliance history
- varying levels of experience across inspectors
- potential differences between individual inspectors in risk appetite, regulatory posture and attitudes to varying regulatory interventions.
These complexities have received heightened attention by SafeWork NSW since the 2020 findings of the NSW Ombudsman’s inquiry into SafeWork NSW and the Blue Mountains City Council. Among other things, in this inquiry the Ombudsman found that:
- only inspectors had the authority to form a ‘reasonable belief’ that non-compliance with the WHS Act or regulation had occurred
- where an inspector forms a ‘reasonable belief’ of non-compliance, then they must issue a regulatory notice
- instances had occurred where inspectors had issued notices without forming the necessary ‘reasonable belief’ that valid grounds existed for those notices
- inspectors had issued notices without forming their own requisite ‘reasonable belief’ because they had been directed to issue notices by management.
Notwithstanding these challenges, SafeWork NSW was able to demonstrate that it has implemented measures aimed at promoting consistency in regulatory decision-making. These measures include:
- extensive guidance in exercising discretionary decision-making
- inspector practice notes
- directorate and team level discussions intended to promote consistency in decision-making.
These measures are primarily focused at encouraging consistency in the application of the law prospectively. There was less evidence that decisions were consistently, formally, and robustly reviewed retrospectively, such as by:
- peer review
- internal audit or quality assurance of decisions
- managerial coaching and mentoring.
The audit found varying practices and processes across SafeWork NSW teams and directorates for these sorts of retrospective and reflexive learning processes. Some managers and directors were able to describe regular review activities, either through one-on-one case reviews with individual inspectors, or through team meetings, though the evidence was that these activities were not consistent across regulatory decision-making areas of SafeWork NSW.
Such retrospective mechanisms would not be aimed at varying decisions already made, but at contributing to standardising how inspectors make future decisions by promoting consistency through setting precedents for responding to substantively similar matters.
Staff performance management is inconsistent across SafeWork NSW, which may hinder consistent practices, behaviours and outcomes
The use of organisational performance management and planning systems can be an important tool for promoting consistent behaviours, understandings and outcomes.
This audit included a survey of all members of the inspectorate, excluding team managers. Approximately 60% the inspectorate responded to the survey. The survey of found that:
- 36% said that they did not have an annual performance agreement – almost one in every two inspectors (46%) in the two metropolitan focused directorates said they did not have performance agreements that set out what was required of them
- the Investigation and Emergency Response directorate had a comparatively higher rate of reported performance agreements in place (80%) than all the other directorates that comprised SafeWork NSW (57%) – the reasons for this were not examined by the survey.
Findings from a survey of the inspectorate highlight the role of discretion in decision-making, and how these factors can be inconsistently applied
The survey conducted by the audit also asked inspectors about how different factors might affect their decision to issue a penalty notice for a breach of the WHS Act (excluding the most serious categories of matters that would ordinarily be immediately referred to full investigation and possible prosecution).
The discretionary factors that were included in the survey included:
- a sample taken from SafeWork NSW's written procedure for issuing penalty notices (shown in Exhibit 5 below)
- a small number that had been raised with the audit team by SafeWork NSW staff during interviews, namely: current regulatory priorities, media or political interest, and the size of the PCBU (specifically, whether or not a hypothetical PCBU was a small, family-owned business).
Factors that are considered relevant to the exercise of discretion to issue a penalty notice are:
|
Source: SafeWork NSW, Penalty Notice Procedure.
Inspectors were asked whether a range of selected factors were in general more, less, or not at all likely to influence their decision to issue a penalty notice.
As shown in Exhibit 6 below, the survey found that the most common response to most of the factors was that they made it neither more nor less likely that an inspector would issue a penalty notice in response to non-compliance. In some cases, this is probably to be expected.
For example, whether or not a non-compliant PCBU is a NSW government agency should probably not affect whether it is issued with a penalty notice. This was the case for 80% of respondents (though notably, 20% of inspectors responded that it would affect their decision, including 3% who responded that they would be much more likely to issue a penalty notice).
Other variations seem less intuitive to explain. This is particularly the case when a factor is written in policy or procedures. For example, 44% of inspectors responded that their decision would not be affected by whether or not the PCBU had prior notice of the risk, even though prior notice is prescribed in the SafeWork NSW procedure as a factor that should be taken into account (see item 7 of Exhibit 5).
The role played by SafeWork NSW regulatory priorities is also uncertain. On the one hand, 62% of inspectors said that they would be more (39%) or much more (23%) likely to issue a penalty if the non-compliance related to a regulatory priority, while 38% said it would have no impact.
The survey also found noticeable variations in responses between directorates regarding when penalty notices would be more or less likely to be issued. This included in regard to:
- whether a non-compliant PCBU was a small business or not
- the role of PCBU culpability
- whether non-compliance related to a matter of media or political interest.
This chapter presents a case study that arose during the course of this audit. The case study demonstrates issues discussed in earlier chapters of this report, particularly in relation to the management of risk and the proper application of policies and procedures to ensure SafeWork NSW’s effectiveness as a regulator.
About the case study
The case study concerns the activities of the Department of Customer Service and SafeWork NSW, the latter of which is located within the department. Neither the case study nor this performance audit generally examined the activities of the commercial partner (including any related companies) referenced in the case study, including Trolex Ltd (UK), Trolex Nome Australia Pty Ltd., or Trolex Sensors Pty Ltd. No findings have been made, either express or implied, in relation to the commercial partner.
The case study was based on a review of evidentiary documents, primarily in the form of emails sourced from SafeWork NSW. To avoid compromising other processes, interviews were not held.
SafeWork NSW’s respirable crystalline silica real-time detection project
As discussed earlier, silicosis is a progressive, occupational lung disease resulting from inhalation of respirable crystalline silica. In recent years, there has been high profile attention to respirable crystalline silica exposure from manufactured stone products (such as kitchen benchtops), though these risks had been published in international research since at least 2010. Unlike asbestos, respirable crystalline silica from manufactured stone can lead to the development of silicosis and other lung diseases after relatively short exposure and latency periods, resulting in relatively young workers developing serious diseases.
From 2016 to 2022, SafeWork NSW’s Work Health and Safety Roadmap included a target to reduce workplace exposure to priority hazardous chemicals and materials by 30%. This focus was retained in SafeWork NSW's regulatory priorities for 2023, which included the aim of reducing the incidence of worker exposure to harmful substances such as silica.
In 2018, SafeWork NSW commenced a project to fund a ‘research partner’ to develop a device that would detect in real-time the presence of respirable crystalline silica in workplaces. This project was led by the Centre for Work Health and Safety within SafeWork NSW.
Following a selection process, Trolex, a private company from the United Kingdom, was selected as the research partner. Trolex developed a device intended to meet the objective of the project. This device is called the Air XS and sells for approximately $18,500 AUD. The Air XS device was launched on 7 April 2022. The first-generation of the Air XS devices are no longer on the market, however up to 60 second-generation devices are currently in use across Australia.
In December 2022, this research project won the DCS Secretary’s Award for Excellence in Digital Innovation and was also one of the department’s nominees for a Premier’s Award in 2022.
As part of understanding SafeWork NSW’s response to the work health and safety risks of respirable crystalline silica from manufactured stone products, the audit examined this research project to procure a 'research partner' to develop a respirable crystalline silica real-time detection device. The findings of this examination are set out below.
SafeWork NSW’s processes were ineffective in responding to and mitigating risk and in ensuring compliance
As detailed below, our examination of this project found significant governance failings in SafeWork NSW, including the absence of key documentation, which created risks relating to whether the project would deliver its objective and whether it complied with procurement requirements. Concerns about whether the Air XS device would satisfy project objectives were not properly addressed.
We also found non-compliance with mandatory procurement policies. The failure to ensure compliance with procurement requirements leaves open the risk that value for money was not achieved, or that the procurement was not fair, transparent, consistent with promoting competition, or free from corruption or maladministration.
As a result of the Audit Office raising these issues with the Head of SafeWork NSW, the regulator undertook to enter into discussions with the CSIRO to conduct further testing of the real-time RCS detection device.
Concerns were raised by staff about the accuracy of the Air XS devices, though these concerns were not escalated beyond Director-level staff
Both before and after the launch of the Air XS device, concerns were raised by technical staff within SafeWork NSW about the accuracy of the devices and the rigour with which they had been tested during development.
It should be noted that the manufacturer, in correspondence with SafeWork NSW, defended the accuracy of the Air XS devices. It was beyond the scope of the audit to reconcile apparently conflicting technical assessments. Rather, the audit examined how SafeWork NSW managed the potential project delivery risk when these material concerns were raised.
Toward the end of 2021, concerns first emerged about the accuracy of the Air XS devices in emails between staff in the Regulatory Engagement business area of SafeWork NSW. These emails outlined concerns that the Air XS devices were not sufficiently accurate in detecting respirable crystalline silica. These views were derived from testing performed outside of any technical assurance process. At the time, these concerns were not shared with executive-level staff, including with any relevant Directors.
By the end of March 2022, the Centre for Work Health and Safety had requested and received from Trolex testing reports on the Air XS device. Two technical staff in the Testing Services directorate of SafeWork NSW were asked to review the testing reports. They were given five days to conduct these reviews.
On 5 April 2022, two days before the product was launched, one of the technical staff emailed the Director, Testing Services, advising that each of the two technical staff had independently prepared assessments and that their conclusions were ‘…not what DCS will want to hear’.
The internal assessment reports were subsequently provided to the Director, Testing Services, and to the Centre for Work Health and Safety. One of the reports stated that the product was not ‘market ready’ and that further testing was required. The audit did not find evidence that these conclusions were escalated to the Executive Director, Regulatory Engagement.
On 6 April 2022, the research project manager was advised by a staff member in the Centre for Work Health and Safety that an independent expert’s report (commissioned by the Centre for Work Health and Safety) concluded that ‘…there isn’t enough data to assess the validity of the device’.
Despite these concerns, the product launch occurred on 7 April 2022.
The audit found that concerns were again documented on at least two occasions after the product was launched. First, in September 2022, a senior technical staff member in the Centre for Work Health and Safety expressed concerns to colleagues, including the Director, Testing Services, that the staff member was uncomfortable promoting the Air XS without further testing being conducted.
Secondly, in May 2023, an internal test report prepared within the Testing Services business unit highlighted specific concerns about the accuracy of a first-generation Air XS device. This internal test report was provided to the Director, Testing Services, and was conducted with at least the knowledge of the Director, Research and Evaluation.
In both cases (September 2022 and May 2023), there are gaps in the evidence concerning how widely these internal concerns were shared. The audit found no evidence of:
- any material response by SafeWork NSW management to address the concerns that had been raised
- any assessment of risks posed to SafeWork NSW and other stakeholders
- any escalation of the concerns to the relevant Executive Director or to the Head of SafeWork NSW.
This apparent lack of management action was despite the potential risks to the work health and safety of workers who may have relied on the Air XS, and to the reputation of the regulator.
Some SafeWork NSW staff were hesitant to raise concerns about the Air XS device
Some staff reported to us that they did not raise these risks with their managers due to concerns that to do so might affect their employment. In the Auditor-General’s 2018 audit report Managing risks in the NSW public sector: risk culture and capability, it was noted that:
Effective risk management is essential to good governance, and supports staff at all levels to make informed judgements and decisions. |
The report also observed that it is now widely accepted that organisational culture is a key element of risk management because it influences how people recognise and engage with risk. This includes ensuring that agencies have a culture of open communication so that all employees feel comfortable speaking openly about risks.
In this case, SafeWork NSW lacked the risk processes and culture to encourage all staff to identify, raise, escalate, and respond to risk appropriately. While the department does have a mechanism (via dedicated phone and email contacts) for staff to report integrity concerns, this mechanism was not used.
Concerns about the Air XS device were also raised by an external user of the device, though there is no evidence that these concerns were substantively addressed
On 21 August 2023, a senior manager from an external user emailed staff in SafeWork NSW’s Testing Services Directorate to advise that they had told the local distributor that they no longer wished to conduct further testing, nor purchase any Air XS devices. The senior manager stated that:
…the claim that the Air XS Silica monitor ‘delivers highly accurate, continuous, real-time silica detection’ could not be validated by the distributor despite many requests and efforts in the field to test the monitors and validate the data. |
The senior manager further stated that they were:
…disappointed that SafeWork NSW promotes the monitors with no evidence, known and/or held by them, that the monitors deliver the promoted monitor outcomes. |
The audit found no evidence that these concerns were meaningfully addressed by SafeWork NSW.
The process of procuring a ‘research partner’ to develop the Air XS device was flawed, in that there was non-compliance with procurement obligations and inadequate record keeping
The cost of procuring the Air XS research partner increased from an initial estimated cost of $200,000 when the request for tender was issued in May 2019 to $1.34 million when the final contract was executed in August 2019.
The audit found non-compliance in the process undertaken by the CWHS to procure the research partner. This non-compliance related to the requirements of the applicable departmental procurement manual, as well as with DCS financial delegations, and with the tender evaluation plan prepared for the process.
Examples of non-compliance and other poor practices are outlined below.
- The Director, Research and Evaluation, was a voting member of the evaluation committee and also signed the acceptance letter for the successful proposal. This contravened the department’s procurement requirement that an approving delegate may not also evaluate tender responses. At the time, the estimated cost of the engagement was $200,000 and was therefore within the Director’s financial delegation.
- The evaluation of the submitted tenders included an assessment provided by a designated non-voting member of the tender evaluation committee who had a declared conflict of interest.
- One member of the tender evaluation committee lodged a strong objection to the preferred provider. SafeWork NSW could not provide documentation about how this objection was addressed.
- When the final cost of the engagement increased to $1.34 million by August 2019, the Director, Research and Evaluation, no longer had the necessary delegation to approve the engagement of Trolex. Under the delegations issued by the DCS Secretary on 29 August 2019, the approval of an Executive Director was required for contracts valued between $500,000 and $2 million.
- The scoring in the tender evaluation committee’s (unsigned) evaluation report did not comply with the approach set out in the tender evaluation plan. This was material as, had the tender evaluation plan been followed, two tenders would have been assessed as having the same successful score.
- SafeWork NSW was unable to provide:
- a signed and dated copy of an approval to issue the initial request for tender
- a signed and dated copy of an approval for SafeWork NSW to enter into a formal agreement with Trolex
- a final tender evaluation report signed by all members of the tender evaluation panel
- evidence of any approval to increase the value of the contract from the $200,000 anticipated in the initial request for tender up to the $1.34 million final value of the contract.
Such non-compliance can contribute to the risk of maladministration in procurement activities, including by undermining probity and challenging whether value for money is achieved.
Appendix one – Response from agency
Appendix two – About the audit
Appendix Three – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #390 - released 27 February 2024
Actions for Driver vehicle system
Driver vehicle system
What this report is about
Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.
DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.
DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.
This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.
Audit findings
TfNSW has not effectively planned the replacement of DRIVES.
It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.
In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.
TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.
TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.
TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.
Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.
Audit recommendations
TfNSW should:
- implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
- ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
- ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
- ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
- develop a clear statement of the future role in whole of government service delivery for the system
- resolve key issues currently faced by the DRIVES replacement program including by:
- clearly setting out a strategy and design for the replacement
- preparing a specific business case for replacement.
The DRIver VEhicle System1 (often known as DRIVES) is the Transport for NSW (TfNSW) system which is used to manage over 6.2 million driver licences and over seven million vehicle registrations in New South Wales.
DRIVES first went live in 1991 and has been significantly extended and enhanced over the past 33 years. DRIVES is a significant NSW Government information system — containing personal information such as home addresses for most of the NSW adult population, sensitive health information such as medical conditions, and biometric data in photographs.
Service NSW, part of the Department of Customer Service, is the NSW Government's 'one stop shop' for services to NSW citizens and businesses. It uses DRIVES when it delivers many transport-related services to NSW citizens such as licence renewals and checks the identity information stored in DRIVES as part of other services delivered to NSW citizens, such as a 'working with children check'.
DRIVES supports TfNSW's regulatory functions and the collection of more than $5 billion in revenue annually for the NSW Government. The system is also used by many organisations outside of the NSW Government including commercial insurers and national regulators, as well as individual citizens who access DRIVES for services such as 'Renew my registration' or 'Book a driver knowledge test'.
TfNSW owns and manages DRIVES. It intends to replace DRIVES with a modernised system to improve its cost, performance, and security.
The objective of this performance audit was to assess whether TfNSW is effectively:
- managing the current system, and
- planning to transition DRIVES to a modernised system.
The auditee is TfNSW. We have consulted with the Department of Customer Service as a key stakeholder during the audit process.
This part of the report considers whether Transport for NSW (TfNSW) is effectively managing the current system. It considers DRIVES’:
- role in NSW Government service delivery
- ease of use and appropriateness for a modern system
- mechanisms to ensure the service is available for users.
This part of the report considers whether Transport for NSW (TfNSW) is effectively planning to transition DRIVES to a modernised system. It makes findings on the:
- effort to develop a business case to fund the replacement of DRIVES
- issues which have contributed to the slow progress of the replacement program.
Appendix one – Response from entity
Appendix two – Statutory and regulatory framework related to DRIVES
Appendix three – About the audit
Appendix four – Performance auditing
Parliamentary reference - Report number #388 - released 20 February 2024.
Actions for Procurement of services for the Park'nPay app
Procurement of services for the Park'nPay app
What this report is about
The report assesses whether the Department of Customer Service (the department) complied with legislation and NSW government policy when it directly negotiated with Duncan Solutions to procure backend services relating to the Park'nPay app.
The Park'nPay app, developed by the department, enables users to locate and pay for parking remotely using their smart mobile device.
The audit found
The department failed to establish the grounds for entering a direct negotiation procurement strategy, without any competitive tendering, for services for the Park'nPay app. It rushed a decision to trial the app in The Rocks, without considering how this might affect its procurement obligations.
There is no evidence that the procurement achieved value for money. Despite being required by legislation, as well as mandatory NSW government policy, the department did not consider how it would ensure value for money, nor did it demonstrate an adequate understanding of what is meant by value for money on this occasion.
The department failed to implement key probity requirements. There was no effective management of conflicts of interest. Key decisions were not documented. There was a lack of clarity, transparency, and oversight of the relationship between the Minister's office and staff in the department.
The audit made recommendations about
- making and retaining complete and accurate records, particularly on decisions to commit or expend public money
- ensuring department staff understand how to exercise their financial delegations and procurement processes
- ensuring that only staff with appropriate delegations are committing or approving the spending of public money
- consistency with the contract extension provisions of the NSW Government Procurement Policy Framework, particularly regarding ensuring value for money
- protocols to guide the interactions between department staff and Minister and Minister's staff
- the need for proper management and oversight of contingent workers, such as contractors.
On 27 February 2019 the then Minister for Finance, Services and Property announced the commencement of a Park’nPay app trial in The Rocks precinct of Sydney.
The app was intended to enable users to locate and pay for parking remotely, using their smart mobile device such as a phone or tablet, rather than needing to physically be at a parking meter.
In July 2019, following a direct negotiation procurement conducted by the then Department of Finance, Services and Innovation, a contract was executed with Duncan Solutions for an estimated value of $1,260,600 over three-years, with three single-year options to extend. The contract required Duncan Solutions to provide development services to link the Park'nPay app to its Parking Enterprise Management System platform and to provide ongoing software support services.
This audit assessed whether the department complied with the procurement obligations that applied at the time it procured these services from Duncan Solutions.
This audit focussed on the department's processes and decision-making relating to:
- the direct negotiation with Duncan Solutions at the exclusion of any other potential supplier
- the negotiation, execution and management of the contract with Duncan Solutions.
As this audit focusses on the department's procurement and contract management processes, it does not comment on the activities of Duncan Solutions. The detailed audit objective, criteria and audit approach are in Appendix three.
The auditee is the Department of Customer Service. As a result of machinery of government changes, the Department of Finance, Services, and Innovation became the Department of Customer Service from 1 July 2019. To avoid confusion, this report simply uses ‘the department’ to refer to either. Where the report refers to the Minister, it relates to the former Minister in office at the time.
Conclusion
The department failed to establish the grounds for entering a direct negotiation procurement strategy for services for the Park'nPay app. It rushed a decision to trial the app in The Rocks, without considering how this might affect its procurement requirements.
As part of a direct negotiation process, the department was required to, but did not:
- undertake a comprehensive analysis of the market and all relevant factors to demonstrate that a competitive process does not need to be conducted
- conduct a risk assessment for the procurement approach
- follow the internal delegation process, including obtaining approval of the department's delegate and endorsement of the Chief Procurement Officer.
There is no evidence that the procurement to support Park'nPay represented value for money. Despite it being required by legislation, as well as mandatory NSW Government policy, the department did not consider how to ensure value for money, nor demonstrate an adequate understanding of what is meant by value for money in this case.
The department issued no tender or expression of interest documents against which any proposal could be assessed, and it had no tender evaluation plan, committee, or criteria. Without any objective standards against which the supplier's proposal could be assessed, it was not possible for the department to determine if value for money was achieved, and no value for money has been demonstrated.
The department failed to implement key probity requirements. There was no effective management of conflicts of interest. Key decisions were not documented. There was a lack of clarity, transparency, and oversight of the relationship between the Minister's office and staff in the department.
No conflict of interest declarations were made by staff until almost one year after the direct negotiations commenced and even then they were not made by all members of the negotiation team and key decision-makers.
The department did not document the reasons for its decisions or minute key meetings, such as when, why and by whom the decision was made to transform the procurement from a 'trial' to a contract of up to six years duration. The department had no policies guiding the interactions between the Minister, the Minister's office and staff in the department (including contractors) in relation to this initiative, resulting in blurred and uncertain roles, responsibilities, and accountabilities.
The department initially sought to withhold information from the Audit Office pertaining to Park'nPay. When questions were raised through external scrutiny, there was little evidence of genuine inquiry or review into its practices to ensure improvement and compliance.
The department deliberately sought to withhold information from the Audit Office of NSW when initial inquiries were lawfully made about the Park'nPay project in the context of the audit of the department's financial statements in May 2021.
There is also limited evidence to demonstrate the department has reviewed the decisions and practices around the Park'nPay project, despite receiving internal legal advice at the time that questioned the characterisation of the procurement as a 'pilot', and external scrutiny via the NSW Parliament's Budget Estimates Committee hearings. This indicates a risk that opportunities to review and improve the department's procurement practices based on learnings from this process have been missed.
Appendix one – Response from auditee
Appendix two – Key requirements of the department's procurement manual
Appendix three – About the audit
Appendix four– Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #387 - released 14 December 2023
Actions for Enterprise, Investment and Trade 2023
Enterprise, Investment and Trade 2023
What this report is about
Results of the Enterprise, Investment and Trade portfolio of financial statement audits for the year ended 30 June 2023.
What we found
Unqualified audit opinions were issued for all completed Enterprise, Investment and Trade portfolio agencies.
An 'other matter' paragraph was included in the Jobs for NSW Fund's 30 June 2022 independent auditor's report to reflect the non-compliance with the Jobs for NSW Act 2015 (the Act). The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Premier's Department, and five ministerial appointments. The board has consisted of two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.
Financial statements were not prepared for the Responsible Gambling Fund, a special deposit account. Financial statements should be prepared unless NSW Treasury releases a Treasurer's Direction under section 7.8 of the GSF Act that will exempt the SDA from financial reporting requirements.
What the key issues were
The number of issues reported to management decreased from 65 in 2021–22 to 44 in 2022–23. Forty-six per cent of issues were repeated from the prior year.
Two high-risk issues were identified across the portfolio. One was a repeat issue where the Jobs for NSW Fund did not comply with legislation. The other high-risk issue was first identified in 2022–23 when the Department for Enterprise, Investment and Trade incorrectly recorded grants that did not meet the requirements of Australian Accounting Standards.
What we recommended
The Department should develop a robust model to ensure it only provides for grants that meet the eligibility criteria.
This report provides Parliament and other users of the Enterprise, Investment and Trade portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Enterprise, Investment and Trade portfolio of agencies (the portfolio) for 2023.
Section highlights
- Unqualified audit opinions were issued on all completed portfolio agencies’ 2022–23 financial statements.
- An ‘other matter’ paragraph was included for the Jobs for NSW Fund’s 30 June 2022 financial report to reflect non-compliance with the Jobs for NSW Act 2015.
- The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Department of Premier and Cabinet (or their nominees) and five ministerial appointments, one of whom is to be appointed as Chair of the board. The board has consisted of the two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.
- An ‘emphasis of matter’ paragraph was included in the Jobs for NSW Fund’s 30 June 2022 financial report to draw attention to the financial report being prepared for the purpose of fulfilling the Jobs for NSW Fund’s financial reporting responsibilities as requested by the Treasurer’s delegate.
- The total number of errors (including corrected and uncorrected) in the financial statements increased by 12% compared to the prior year.
- The Responsible Gambling Fund (Special Deposit Account) did not prepare financial statements for the year ended 30 June 2023. Financial statements should be prepared unless NSW Treasury releases a Treasurer’s Direction under section 7.8 of the GSF Act that will exempt the Fund from financial reporting requirements.
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Enterprise, Investment and Trade portfolio.
Section highlights
- The audits identified two high-risk and 20 moderate risk issues across the portfolio. Of these, one was a high-risk repeat issue and ten were moderate-risk repeat issues.
- One of the high-risk matters related to the Jobs for NSW Fund audit for the year ended 30 June 2022.
- The other high-risk matter related to overstating grants relating to the Jobs Plus Program as the criteria to pay the grant was not met at 30 June 2023.
- The total number of findings decreased from 65 to 44 with 2022–23 findings mainly related to deficiencies in accounting for property, plant and equipment and agencies having outdated policies.
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.