Statement on release of Auditor-General’s report into Service NSW’s handling of personal information

Service NSW

Service NSW thanks the NSW Auditor-General for her report into its handling of personal information, commissioned by the Minister for Customer Service Victor Dominello, and has committed to fulfilling all recommendations detailed in the report by March 2022.

Service NSW has commenced – and in some cases completed – work on many of the improvements among the Auditor-General’s recommendations. This includes establishing new policies and procedures regarding accessing of data and monitoring user activity; reducing the length of time the agency stores personal information; and working with our agency partners to improve secure data transfer methods.

Central to many of these changes is a move away from paper-based processes for the capture and transfer of customer information.

Since the cyber attack on 47 staff email accounts earlier this year, Service NSW has also completed several privacy management improvements and commenced an organisation-wide program of enduring changes and improvements to the way we manage personal information. This includes:

  • Implementing multi-factor authentication on several critical applications, to reduce the risk of unauthorised access to email accounts and key software
  • Strengthening information security practices for increased volumes of staff working remotely
  • Reducing the amount of personal information at risk, with 92% less data held in staff mailboxes
  • Appointing a Chief Risk Officer and Chief Privacy Officer to lead significant and enduring reforms to drive continuous improvement in managing personal information and privacy risk.

Cyber Security NSW will also conduct a feasibility study into online identity recovery for customers. The service could make use of identity credentials managed across the public sector to offer customers a way to more safely manage their digital identity. The feasibility study is set for early 2021.

In 2021, Service NSW customers can also expect their MyServiceNSW accounts to have multi-factor authentication enabled, as well as gain access to their transaction history. We will also introduce tailored, role-based privacy training for staff.

Throughout our response to this cyber attack, Service NSW’s focus has been on customers, and helping them on a case-by-case basis through our Hypercare team.

On Tuesday, we announced that ongoing analysis into the methods used in the cyber attack has revealed significantly fewer customers are affected than originally thought. This does not diminish the experience for our customers who did have data stolen in this cyber attack and our commitment to helping them continues.
