Identity theft risk at Births Deaths and Marriages

An audit has found gaps in data security at the NSW Registry of Births Deaths and Marriages that could lead to identity theft and fraud.

NSW Auditor General Margaret Crawford.

The report by the NSW Auditor General says there are “significant gaps” in the controls against unauthorised access to the register.

It also found a lack of systems to prevent the unauthorised distribution of information from the register, a failure to actively monitor user activity, and insufficient assurances of database security.

Addressing these gaps is necessary to ensure the integrity of information in the register and prevent identity theft, auditor Margaret Crawford says.

She makes nine recommendations including increased monitoring of people with access to the data base and strengthened security controls.

Third party host

Since 1856 the NSW Registry of Births Deaths and Marriages has been responsible for maintaining information about  births, deaths and marriages in the state as well as registering adoptions, changes of names, changes of sex and relationships.

The Department of Customer Service has had responsibility for BD&M since machinery of government changes last year but the Department of Communities and Justice (DCJ) continues to manage the registry’s databases as well the LifeLink app which is used to amend and update the register.

DCJ is also responsible for the security of the databases, which are hosted by a third party vendor.

The auditor says BD&M has no direct oversight of the database environment that houses the register, and relies on the DCJ’s management of the host to provide security assurance.

DCJ has not taken any independent action to guarantee the effectiveness of the vendor’s IT controls, the report says.

Access by third parties

Midwives, hospital staff, funeral directors and marriage celebrants have access to the registry via an online portal, as do Service NSW call centre staff.

“Some Service NSW call centre staff have read-only access to LifeLink and can view any record in the system,” the audit says. “They can also download and print information obtained through the search function in LifeLink. This means that there is the potential for unauthorised access or misuse of records.”

It says there are audit trails of all user activity, but these are not routinely monitored, which creates a risk that unauthorised activity will go undetected, the audit says.

It also says there are insufficient restrictions on the ability of staff to export and distribute information from LifeLink.

“This increases the risk of unauthorised access to, and misuse of LifeLink data and creates the risk that information may be sent to unauthorised third parties.”

It says neither BD&M nor DCJ regularly review users who have access to the register’s databases or monitor user activity.

Labor spokeswoman on Better Public Services Sophie Cotsis says it’s essential to maintain the register’s integrity.

“This register provides the cornerstone for people’s identity, and any gaps in security could be exploited by criminals to perpetrate identity fraud and other crimes,” she said.

“The government must quickly implement all of the Auditor-General’s recommendations to safeguard the integrity of people’s identities.”

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at  

Sign up to the Government News newsletter

2 thoughts on “Identity theft risk at Births Deaths and Marriages

  1. Surely this article INCREASES the risk. WHY NOT HOLD OFF reporting this until after the issues have been addressed?

  2. In order to overcome these problems you will require the use of experienced qualified Records and Information Management people working in collaboration with your IT people.They have a wealth of knowledge and experience in these areas which in many instances is under utilised. They also deal with governance issues all day long in their processes and protocols and are well aware of the damage these issues cause to Department and therefore Government and the publics trust. The other thing is if control of the register is not with RIM people already it should be.

Leave a comment:

Your email address will not be published. All fields are required