The Department of Local Government and Communities (the Department) is responsible for managing the Western Australian Seniors Card system, and ensuring that card holders remain eligible.
In May 2014, the Department purchased a new Customer Relationship Management system. The Department customised this system to manage the Seniors Cards. The system is used to collect and store applicant information. Seniors Cards are printed using this information.
Approximately 360 000 seniors hold a Seniors Card in Western Australia. The card provides WA senior citizens with a range of government concessions, rebates and discounts such as free public transport, driver’s licences and car registration discounts, rebates on personal safety devices as well as discounts at over 500 businesses in WA.
The value of Seniors Card concessions and rebates on government services is over $20 million a year, a figure which should rise as the Department expects the number of people qualifying for a card to increase, despite a tightening of the eligibility criteria.
During the period of audit, applicants for a Seniors Card were assessed against the following criteria:
- aged 60 years or more
- a permanent resident of Western Australia
- works 25 hours or less per week, averaged over the year.
Card holders are not required to renew the card but they are required to inform the Department if their circumstances change and they become ineligible for the card.
A consequence of the Department’s role in administering the Seniors Card is that it is required to hold sensitive information on thousands of WA’s senior citizens. Securing this information is an important obligation on the Department.
A range of control weaknesses impact on the security of information contained in the Seniors Card system. These weaknesses increase the risk of inappropriate access to and potential misuse of Seniors Card holders’ personal information and could expose seniors to fraudsters either online, by phone, mail or in person. Weaknesses in the eligibility assessment process mean that ineligible persons could obtain a Seniors Card and receive payments and benefits to which they are not entitled.
The Department is improving its management of the Seniors Card system. A review of the Seniors Cards terms and conditions is also underway to ensure that only eligible Seniors Card holders receive benefits.
The integrity of the system is at risk from false or inaccurate information
The Department does not routinely check the accuracy of information contained in Seniors Card application forms. The entering of false and inaccurate information into the system could lead to inaccurate records, and to the issue of Seniors Cards to ineligible applicants.
The Department accepts applications by post, email and in person. The applications are required to include some form of identification, though copies of identification documents are accepted. Identification can include a Driver’s Licence, Aged Pensioner Concession Card, Passport, Birth and Marriage Certificates or Proof of Age Card.
As copied identification is not certified, there is a real risk of the Department receiving false information from an applicant and of inappropriate concessions and rebates being made. We have raised this issue with the Department for some years and have ‘qualified’ our opinion on their financial statements. However, the Department is addressing the risk with a new requirement that from 1 July 2015, all new applicants must satisfy a 100 point identity check.
We have also been concerned for some years about the lack of any validation of claims by applicants that they work less than 25 hours a week averaged over a year and that this ongoing requirement is met in the years following the granting of a card.
Before implementing the new system in May 2014, the Department had to transfer information from the old system to the new. During this process, it did not try to detect and correct corrupt or inaccurate records by using data cleansing. In addition, it could not load some historic unknown payment information into the new database. This means that these payments cannot be reconciled as the information is not readily available.
Security of seniors’ personal information needs improvement
The database for the Seniors Card system had a number of security weaknesses. This database holds sensitive information for seniors, including their full name, date of birth, address, contact numbers and bank account details, so it is important to keep it secure.
Some of the weaknesses we noted were:
- Passwords are not changed often enough – There is no policy that requires staff to update passwords regularly. For example, we saw one administrator password that was over a year old. This increases the risk that it will become known and misused. If someone did acquire the password, enforcing regular password updates limits the period they are able to use it for malicious purposes.
- Database access and changes are not recorded – The Department does not track any database access and changes. This makes it harder to detect unauthorised changes or access to sensitive information. If there was a breach, the Department would not be able to track who accessed what information.
- Basic security updates are not applied – The database does not have the recommended security updates, which help to protect systems against cyber-threats and malware. To minimise the risk of known threats, security updates need to be assessed and applied in a timely manner.
Additional data stores increase the risk of information loss
The test and development environments within the Department contain the same data found in the Seniors Card system. This increases the risk that sensitive information will be compromised as these environments do not have the same security controls applied and the information they contain is available to individuals that may not need ‘live’ information.
The old Seniors Card system was decommissioned in 2014 but still contains a significant amount of personal information. A number of staff still have access to this application. The old system is not updated with the latest security patches. This creates an unnecessary risk of inappropriate access to this personal information.
Manual processes increase the risk of errors
The Department processes approximately 500 new application forms each week. Information from each of the Seniors Card application forms is entered manually into the system. A random sample of records is selected from the system each day for checking against the corresponding application form. A small number of errors are found during these checks. In addition, the system does not accommodate some formats of information, such as foreign certificates. This forces manual workarounds that may increase the risk of incorrect information in the system.
The Seniors Card system requires information to be exported and sent to a third party application on a dedicated computer before cards can be printed. During the audit, we noted that users logged onto this computer using a generic account and that the login details were attached to the keyboard. The Department immediately removed the login details when we brought it to their attention. Nevertheless, this manual process and use of a generic account does create a risk that unauthorised or unintentional modification or misuse of the system and key data may occur.
When producing reports for management, staff collect information from the Seniors Card and phone system to create reports using spreadsheets. This process requires several staff and is labour intensive. The manual compilation of reports is inefficient and increases the risk of input errors, affecting the reliability of reporting. Unreliable reports increase the risk that management make incorrect decisions based on this information.
The Department is currently reviewing these processes and is planning to automate them where appropriate.
- By the end of 2015, the Department of Local Government and Communities should:
a) collaborate with agencies that can verify card applicants’ information, to ensure the correct information is captured and processed
b) ensure appropriate access controls are in place and maintained across all environments containing seniors’ information
c) apply security updates to systems in a timely fashion
d) consider how to best use their reporting function to prepare suitable reports for Seniors Card information.
The Department of Local Government and Communities accepts the Auditor General’s Summary of Findings in relation to the WA Seniors Card System, noting that a number of these findings were in the process of being addressed.
The department has taken steps to strengthen the integrity of the system, including the verification of card holder details against databases held by the Western Australian Electoral Commission and the Department of Transport. This led to the suspension of unverified card holders. The department has also strengthened the certification and validation of applicant information to prevent risk of false or inaccurate information.
The department is reviewing the criterion relating to working hours and its implementation.
Upon assuming responsibility for the system after the audit, the department has addressed the findings in relation to information security by applying and maintaining security and software updates, deleting old systems and encrypting backups. Current security protocols have been maintained and generic accounts deleted.
The department is developing a new Seniors Card web portal, with applicants entering their data directly through the new portal. This will eliminate the need for manual processing. The new web portal will ensure data integrity, data privacy, and meet audit and management reporting requirements.
The Department of Local Government and Communities is committed to the continued improvement of the Seniors Card System.
 On 1 July 2015, the age criteria for new WA Seniors Card applications will change. New applicants must be at least 61 years old to be eligible. The age eligibility for the WA Seniors Card will increase by one year every two years to 65 years old by 2023-24. Existing Seniors Card holders will not be affected by the change.