iTnews

Service NSW told to tighten access controls after system misuse

By Justin Hendry on May 11, 2021 1:32PM

ICAC uncovers 'serious corrupt conduct' by customer service officer.

Service NSW has been told to improve its access management processes after a customer service officer misused the state’s driver and vehicle registration system.

The Independent Commission Against Corruption (ICAC) made the recommendation following its investigation into the “serious corrupt conduct” of Diana Benyamin.

It found that Benyamin agreed to alter records in the driver and vehicle IT system (DRIVES) restricted database for financial benefit in her role at a Wetherill Park service centre.

The investigation began after NSW Police intercepted a number of phone calls and text messages between Benyamin and Fahad Al-Dakak, a family friend.

The report reveals that Benyamin agreed to transfer a vehicle registration for an associate of Al-Dakak when asked to do so during a late-night phone conversation in January 2019.

She also provided Al-Dakak with the wording for a false statutory declaration and instructed him on how to ensure she dealt with the transaction at the service centre.

Benyamin is also said to have agreed to disclose the address of the owner of the vehicle for $5000, though there is no evidence to suggest this information was ever accessed.

Several months later in May 2019, access logs show that she improperly accessed the personal information of another individual and intentionally disclosed it to her sister.

Information sourced from the DRIVES system – which was accessed 46 times over the course of an hour – included the individual’s residential address and licence plate number.

In another instance, Benyamin asked one of her colleagues to access her sister’s record on DRIVES, as she was aware that doing so herself would breach the conflict of interest policy.

The report indicates that each time a customer service officer accesses DRIVES their keystroke/screen access is recorded against their unique login.

Benyamin told ICAC that the colleague – described as an “innocent party” – “would not have known that accessing [DRIVES] on her behalf was unrelated to official functions”.

While no financial benefit was ultimately received from accessing DRIVES, ICAC found that what Benyamin and Al-Dakak had contemplated was wrong.

“It would involve compromising a citizen’s right to privacy,” ICAC said in a report released on Tuesday, adding that this is inconsistent with Benyamin’s obligations at Service NSW.

ICAC has urged Service NSW to improve detection of unauthorised access of personal data, including by using “analytics of access logs across” systems.

It said that while the one-stop shop had “some measures in place to manage the risk of unauthorised access, they were ineffective at preventing Ms Benyamin’s misuse of DRIVES”.

“The commission understands that Service NSW only requests DRIVES access-log information from Transport for NSW on ad hoc occasions, such as when investigating specific allegations,” it said.

“This means that the value of the access log as a detective control is greatly reduced, as it can only ‘detect’ what is already alleged.

“Moreover, because affected parties can be unaware their personal information has been accessed or disclosed, not all instances of unauthorised access will be the subject of relevant allegations.”

Service NSW has made an in-principle agreement to engage Transport for NSW, which owns the system, to improve risk-based monitoring and compliance.

It will also consider the “possible inclusion of real-time alerts in DRIVES to help promptly identify anomalous use”, though notes that all other possible measures are in place.

ICAC, however, noted that “the DRIVES restricted database could be further segmented to prevent users from accessing particular types of information”.

“Circumstances, systems and organisations change constantly and there are always additional measures that could be considered or ways to improve on existing practices relating to privacy and data protection,” it said.

ICAC has also asked Service NSW to establish a “single electronic family and friends register” to help detect circumstances where officers have acted partially towards family or friends.

In addition, ICAC said Service NSW should seek advice from the Director of Public Prosecutions (DPP) regarding potential criminal charges, or otherwise consider taking other disciplinary action against Benyamin.
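An added example (not from the ICAC report, Service NSW or Transport for NSW) of the routine access-log analytics the commission recommends: it flags repeated views of one record by one login inside an hour, and any access to a record declared on a family and friends register, including access by a colleague. The log schema, logins, record ids and the threshold of 10 are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, officer login, customer record id).
BASE = datetime(2019, 5, 1, 10, 0)
SAMPLE_LOG = (
    # One login viewing the same record 46 times within an hour.
    [(BASE + timedelta(minutes=m), "officer_a", "REC-1001") for m in range(46)]
    # Ordinary activity: a few views spread across the day.
    + [(BASE + timedelta(hours=h), "officer_c", "REC-4004") for h in range(3)]
    # A record declared by officer_a, viewed by officer_a and by a colleague.
    + [(BASE + timedelta(hours=2), "officer_a", "REC-3003"),
       (BASE + timedelta(hours=3), "officer_b", "REC-3003")]
)

# Constructed family and friends register: officer login -> declared record ids.
SAMPLE_REGISTER = {"officer_a": {"REC-3003"}}


def burst_alerts(log, threshold=10, window=timedelta(hours=1)):
    """Return {(officer, record): peak count} for pairs viewed at least
    `threshold` times inside any sliding `window` (threshold is an assumption)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, officer, record in sorted(log):
        q = recent[(officer, record)]
        q.append(ts)
        while ts - q[0] > window:      # drop views that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            key = (officer, record)
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def register_alerts(log, register):
    """Flag every access to a record that any officer has declared, so that
    access made by a colleague on the declaring officer's behalf also surfaces."""
    owner = {rec: off for off, recs in register.items() for rec in recs}
    alerts = set()
    for _ts, officer, record in log:
        if record in owner:
            kind = "own-declared" if owner[record] == officer else "declared-by-colleague"
            alerts.add((officer, record, kind))
    return sorted(alerts)


if __name__ == "__main__":
    print(burst_alerts(SAMPLE_LOG))
    print(register_alerts(SAMPLE_LOG, SAMPLE_REGISTER))
```

Run on a schedule over the full log rather than on request, checks like these surface access that nobody has yet complained about, which is the gap the commission describes in ad hoc log requests.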
