TfNSW not protecting personal info in massive driver database

Transport for NSW has failed to reduce the risk of personal information contained in its driver and vehicle management system being misued, an audit has found.

NSW Auditor General Margaret Crawford.

DRIVES covers over 6.2 million driver licences and more than seven million vehicle registrations, and garners the state government $5 billion in revenue each year.

It contains personal information including home addresses for most of the NSW adult population, sensitive health information, and biometric data.

“TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES,” auditor General Margaret Crawford says in her report released on Tuesday.

 “With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.”

The report comes three years after an ICAC investigation into criminal misuse of information from the database.

Modernising DRIVES

DRIVES first went live in 1999 is currently at the end of its life, with TfNSW in the process of transitioning it to a more modern system.

However it remains an important service for Service NSW and the NSW Police Force and is also used by Commonwealth agencies and local councils, as well as non-government entities with little or no connection to transport.

There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens who can access it to renew a registration or book driver knowledge tests.

After assessing whether TfNSW is effectively managing DRIVES and the  transition to a  system, Ms Crawford found it had not.

TfNSW has spent $36 million working on three attempted business cases for a replacement system, yet hasn’t learned from past mistakes, she says.

Too much of its planning effort has been wasted and the agency continues to operate a system which should have been replaced in the 2010

Auditor General Margaret Crawford

“Too much of its planning effort has been wasted and the agency continues to operate a system which should have been replaced in the 2010s,” report concludes.

Slow to implement recommendations

The ICAC made a raft of recommendations arising its May 2021 investigation into criminal misuse of DRIVES data, including the implementation of a risk-based system to improve detection of unauthorised access to personal information.

Josh Murray: Security upgraded

It also found a Service NSW officer had engaged in serious corrupt conduct.

“People with access to DRIVES can still misuse personal information held in the system in ways similar to those investigated by the NSW Independent Commission Against Corruption in May 2021 (Operation Mistral),” Ms Crawford says.

She said TfNSW and Service NSW, are targeting March this year to implement automatic detection of suspicious access to DRIVES.

“This is nearly three years after the ICAC recommendation was made,” she notes.

“This is a slow response particularly considering the detection capability was estimated to cost only $200,000 to $300,000, and require approximately six months to implement.”

In a response to the auditor general, Transport Secretary Josh Murray says all recommendations have been accepted.

He says TfNSW has improved security around DRIVES in recent years.

“We at TfNSW take seriously the need to maintain privacy and security of DRIVES, to protect our digital assets generally and the information of those we serve,” he said.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required