26 September 2023

Auditor goes public on privacy shortfall

A special report by the Auditor-General into the effectiveness of Service NSW’s handling of customers’ private personal information has found that handling to be ineffective.

In her report, Service NSW’s handling of personal information, Auditor-General Margaret Crawford said the audit was requested by the Minister for Customer Service following public reports in May of a cyber security attack which led to a breach of Service NSW’s customer information.

“Service NSW continues to use business processes that pose a risk to the privacy of personal information,” Ms Crawford said.

“This includes the routine emailing of personal information between Service NSW service centres and other Agencies, which is one of the processes that contributed to the data breach earlier this year,” she said.

“The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.”

Ms Crawford said Service NSW identified privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and set out a zero-level appetite for privacy risk in its risk appetite statement.

“That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information,” the Auditor-General said.

“While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring,” she said.

Ms Crawford said the lack of multi-factor authentication had been identified as a key contributing factor to the data breach, and that there were weaknesses in the general IT and security controls implemented by Service NSW over its Customer Relationship Management (CRM) system, which held the personal information of over four million NSW residents.

She made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Auditor-General’s 37-page report can be accessed at this PS News link.
