An audit has assessed that the Department of Justice now has key controls in place over its system for housing births, deaths, marriage and change-of-name information.
The move follows audit findings in 2019 that were so concerning for the Auditor-General at the time that she didn’t table them in Parliament as part of her office’s annual information systems report.
“I considered that publishing the significant findings at that time, when the most serious system vulnerabilities still existed, could expose the system and its dataset to deliberate harm,” Auditor-General Caroline Spencer said.
“Knowledge of weaknesses in this system would be of keen interest to those with malicious intent who seek financial or other gains from the alteration or access to foundational identity records of West Australians,” she said.
In her latest report, Western Australian Registry System – Application Controls Audit, Ms Spencer said she was pleased the Department had now taken action to address many of the vulnerabilities.
She listed some of the original weaknesses that prevented publication of the 2019 report.
These included inadequate control of system access; 11 third-party vendor staff having full access to the database; inadequate logging and audit trails; and no data encryption to protect confidential information.
“It was deeply concerning to find such serious shortcomings in a system that houses such sensitive information,” Ms Spencer said.
Her latest report includes recommendations for the Department to continue improving various aspects of the system, as well as to develop a disaster recovery plan and review and enhance its vulnerability management process.
“It is important to recognise that outsourcing system development and maintenance to third parties does not absolve any public sector entity of the responsibility for strong data governance,” Ms Spencer said.
The Auditor-General’s 15-page report can be accessed at this PS News link. The audit team was Jordan Langford-Smith, Aloha Morrissey, Kamran Aslam and Paul Tilbrook.