Queensland’s Audit Office has complained that hard-to-use information systems within the state’s child protection services have undermined the privacy of the state’s most vulnerable children, with legacy IT circumvented by staff and highly sensitive data stored in unprotected spreadsheets and on personal storage devices.
Auditor General Andrew Greaves yesterday handed in his report on the information management competence of the state’s Department of Communities, Child Safety and Disability Services and its network of community-based service providers.
He found that “the department has yet to get the balance right between security and availability of child safety data”.
For the past ten years, the department has spent $85 million building and operating its integrated client management system (ICMS), including what the QAO has described as “appropriate” layers of security.
But the inefficiency of the system is forcing staff to invent insecure workarounds, such as exporting data into Excel spreadsheets accessible to anyone on the department’s network.
The ICMS does not have the capacity to transfer information to and from other organisations' systems, meaning many child protection staff are also transmitting this sensitive data via email, putting its security at risk and creating duplicate and inconsistent records for the same children across the breadth of the system.
“Service providers re-create subsets of the same information in electronic and physical forms,” the report found.
“The result is that service providers do not always receive important information about children on time.”
The QAO report also discovered:
- Nearly 20 percent of DCCSDS records on school age children showed discrepancies with the same children’s records in the Department of Education’s OneSchool system,
- Roughly 30 percent of children in care are registered as living at a different address in the DCCSDS system to the OneSchool system,
- Staff who are not authorised to access protected systems can access data extracted from those systems and saved in Excel spreadsheets,
- One NGO partner was identified as being vulnerable to hackers,
- Two NGO partners use Telstra and Microsoft cloud services but do not have contractual agreements ensuring that information is hosted onshore in line with the state Privacy Act,
- NGO staff store emails containing sensitive information on personal devices with no data encryption.
The QAO has insisted that it is critical to the safety of the state’s vulnerable children that the department and its providers streamline information sharing so risks can be identified.
The Office has recommended that the department invest in “contemporary information systems”.
In response to the 2012 Carmody report into the child safety system, the state government pledged $52.865 million over five years to IT measures.
“It is essential that the suite of new systems promotes collaboration between all involved in the service chain, no matter how complex the relationships are,” said the report.
It also recommended the Department encrypt all email communications and prohibit data from being exported from the ICMS onto external storage devices.