TfNSW fails to safeguard driver data

Share

An audit has revealed that Transport for NSW has not effectively minimised the risk of personal information in its driver and vehicle management systems being misused. DRIVES includes information on over 6.2 million driver licences and over seven million vehicle registrations, generating $5 billion in revenue for the state government annually.

The data includes personal details such as home addresses for the majority of adults in NSW, as well as sensitive health information and biometric data. “TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES,” auditor General Margaret Crawford says in her report released on Tuesday.

 “With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.”

The report is released three years following an investigation by ICAC into the criminal misuse of information from the database.

Revamping DRIVES system

DRIVES was first launched in 1999 and is now nearing the end of its lifespan as TfNSW works on migrating it to a newer system. Nevertheless, it continues to be a crucial service for Service NSW and the NSW Police Force, as well as being utilised by Commonwealth agencies, local councils, and non-government organisations with minimal or no transport-related ties.

A total of 141 users utilise DRIVES, including commercial insurers, national regulators, and individual citizens who can access it to renew a registration or book driver knowledge tests. Ms. Crawford’s evaluation revealed that TfNSW is not effectively managing DRIVES and the transition to a new system.

TfNSW has invested $36 million in developing three business cases for a new system but has failed to learn from previous errors, according to the source.

“Too much of its planning effort has been wasted and the agency continues to operate a system which should have been replaced in the 2010s,” report concludes.

Delayed implementation of recommendations

The ICAC recently released a series of recommendations following its investigation into the criminal misuse of DRIVES data in May 2021. One key recommendation is the establishment of a risk-based system to enhance the detection of unauthorised access to personal information. An investigation revealed that a Service NSW officer was involved in significant corrupt behaviour.

“People with access to DRIVES can still misuse personal information held in the system in ways similar to those investigated by the NSW Independent Commission Against Corruption in May 2021 (Operation Mistral),” Ms Crawford says.

According to her, TfNSW and Service NSW are aiming to roll out automatic detection of suspicious access to DRIVES by March this year.

“This is nearly three years after the ICAC recommendation was made,” she notes.

“This is a slow response particularly considering the detection capability was estimated to cost only $200,000 to $300,000, and require approximately six months to implement.”

Transport Secretary Josh Murray has confirmed that all recommendations from the auditor general have been accepted. According to him, TfNSW has enhanced security measures around DRIVES in recent years.

“We at TfNSW take seriously the need to maintain privacy and security of DRIVES, to protect our digital assets generally and the information of those we serve,” he said.