Identity theft risk at NSW Births Deaths and Marriages

An audit has found significant gaps in the controls over unauthorised access to the NSW Registry of Births Deaths and Marriages (BD&M), leading to increased risk of unauthorised information leaks.

The Register is accessed, added to and amended through the LifeLink application. Most BD&M staff use LifeLink as part of their day-to-day work.

BD&M moved from the former Department of Justice to the Department of Customer Service (DCS) on 1 July 2019 as part of NSW Machinery of Government changes.

The Department of Communities and Justice (DCJ) manages the databases that sit behind LifeLink and contain all the data in the Register. This means that DCJ manages the controls which protect the databases from unauthorised access. While DCJ is responsible for managing the databases, a third-party vendor hosts the databases on their servers.

BD&M authorises midwives and other hospital staff, funeral directors and marriage celebrants to have access to eRegistry, an online portal that enables them to upload registration and supporting documentation relating to birth, death and marriage registrations.

BD&M routinely audits LifeLink user access for both BD&M and Service NSW staff to confirm whether staff members are assigned the appropriate level of access and to ensure that access has been disabled where required. BD&M policy is that access is removed on an employee's last day or when staff are due to take at least four weeks of leave.

During the audit period there were 12 staff members who left BD&M and there were two instances where LifeLink access was not removed on the staff member’s last working day. For these staff, user access was removed three and five days later.

The auditors found that there are currently insufficient restrictions placed on the ability of staff to export and distribute information from LifeLink.

“Although some BD&M staff are required to export and distribute information as part of their regular duties, it is important to have controls in place to mitigate the risk of unauthorised access to and misuse of information from the Register.”

The report makes nine recommendations including increased monitoring of people with access to the database and strengthened security controls.

The full report is available HERE