An audit has found gaps in data security at the NSW Registry of Births Deaths and Marriages that could lead to identity theft and fraud.

The report by the NSW Auditor General says there are “significant gaps” in the controls against unauthorised access to the register.

It also found a lack of systems to prevent the unauthorised distribution of information from the register, a failure to actively monitor user activity, and insufficient assurances of database security.

Addressing these gaps is necessary to ensure the integrity of information in the register and prevent identity theft, auditor Margaret Crawford says.

She makes nine recommendations including increased monitoring of people with access to the data base and strengthened security controls.

Third party host

Since 1856 the NSW Registry of Births Deaths and Marriages has been responsible for maintaining information about  births, deaths and marriages in the state as well as registering adoptions, changes of names, changes of sex and relationships.

The Department of Customer Service has had responsibility for BD&M since machinery of government changes last year but the Department of Communities and Justice (DCJ) continues to manage the registry’s databases as well the LifeLink app which is used to amend and update the register.

DCJ is also responsible for the security of the databases, which are hosted by a third party vendor.

The auditor says BD&M has no direct oversight of the database environment that houses the register, and relies on the DCJ’s management of the host to provide security assurance.

DCJ has not taken any independent action to guarantee the effectiveness of the vendor’s IT controls, the report says.

Access by third parties

Midwives, hospital staff, funeral directors and marriage celebrants have access to the registry via an online portal, as do Service NSW call centre staff.

“Some Service NSW call centre staff have read-only access to LifeLink and can view any record in the system,” the audit says. “They can also download and print information obtained through the search function in LifeLink. This means that there is the potential for unauthorised access or misuse of records.”

It says there are audit trails of all user activity, but these are not routinely monitored, which creates a risk that unauthorised activity will go undetected, the audit says.

It also says there are insufficient restrictions on the ability of staff to export and distribute information from LifeLink.

“This increases the risk of unauthorised access to, and misuse of LifeLink data and creates the risk that information may be sent to unauthorised third parties.”

It says neither BD&M nor DCJ regularly review users who have access to the register’s databases or monitor user activity.

Labor spokeswoman on Better Public Services Sophie Cotsis says it’s essential to maintain the register’s integrity.

“This register provides the cornerstone for people’s identity, and any gaps in security could be exploited by criminals to perpetrate identity fraud and other crimes,” she said.

“The government must quickly implement all of the Auditor-General’s recommendations to safeguard the integrity of people’s identities.”