Background

CrimTrac was announced by the Prime Minister in 1998, as a major initiative to help combat crime in Australia through the establishment of a national crime information system.

The agency was to replace the National Exchange of Police Information Agreement (the NEPI Agreement) that was established as a National Common Police Service in 1990. CrimTrac ‘contributes to Australian law enforcement through the specification, development, delivery and maintenance of modern, high-quality, rapid access, electronic police information services and investigative tools'.

CrimTrac was established through an Inter-Governmental Agreement (IGA) signed by the Australian Government Minister for Justice and Customs and State and Territory Police Ministers, on behalf of their respective governments, on 13 July 2000. CrimTrac was initially an executive agency under the Australian Government Attorney-General's portfolio. It also became a prescribed agency on 1 July 2002.

The Australian Government agreed to ‘host' the new agency and provided $50 million in one-off funding for the development of new systems. The new systems listed as the key deliverables under the IGA include:

• a new National Automated Fingerprint Identification System (NAFIS);
• a National Criminal Investigation DNA Database (NCIDD);
• a National Child Sex Offender System (NCSOS); and
• rapid access to national operational policing data (CrimTrac Police Reference System (CPRS) Capability Development programme).

Objectives of the audit

The overall objective of the audit was to assess CrimTrac's progress in achieving the key deliverables it was established to provide, given that the agency had been in operation for some three years. The Australian Government provided $50 million for the implementation of CrimTrac, with an expectation that significant progress would be made within the first three years. The audit further examined whether CrimTrac had progressed the key deliverables efficiently and effectively, and whether the data either held by CrimTrac, or accessed through CrimTrac, for matching purposes is secure.

Key findings

Progress against the key deliverables under the IGA (Chapter 2)

The ANAO acknowledges that CrimTrac has faced significant challenges in its role of developing and delivering information technology (IT) solutions to service nine¹ police jurisdictions with varying approaches and systems, and with each operating under the constraints of differing Australian Government, State and Territory legislation. In addition to this, CrimTrac has continued to deliver and maintain the former NEPI mainframe systems, as well as bringing into place the accountability and reporting mechanisms required to fulfil its obligations as a new Australian Government prescribed agency.

CrimTrac has allocated the funding in accordance with the Australian Government's intentions, but the rate of progress of the key deliverables and, hence, expenditure, has been slower than was originally envisaged. At the time of the audit, some $17.1 million of the $50 million remained unspent. CrimTrac has obtained approval to extend its drawdown of Australian Government monies.

NAFIS was delivered early in CrimTrac's operation. Feedback from the jurisdictions confirms that the system works well, and has enhanced policing operations in this area of forensic science.

NCIDD is ‘developed', but is not yet operationally ‘deployed'. Cross-jurisdictional DNA matching is yet to occur, because of legislative and jurisdictional processes. CrimTrac advised it was hopeful that this will happen by the end of 2003–04 and estimates that over 100 000 profiles will eventually be uploaded. The ANAO acknowledges that the issues leading to the slower than anticipated progress with the NCIDD were due to factors that were not within CrimTrac's control.

The third deliverable, NCSOS, a child sex offender system, was in the concept development stage at the time of the audit. It had been replaced by the concept of a national child protection register, known as the Australian National Child Offender Register (ANCOR) Project, where the jurisdictional registers are centrally hosted at CrimTrac using a common application.

Notwithstanding that the new suite of systems to allow rapid access to national policing information, the CPRS Capability Development Programme, was intended for delivery after the NAFIS and NCIDD, progress appears to be slow, and the costs not yet fully determined. The first CPRS system was at a pilot stage with two jurisdictions participating.

As well as its identified key deliverables, CrimTrac continues to provide information to accredited third parties under the National Criminal History Record Checking (NCHRC) Programme and has made enhancements to the systems involved in this Programme.

The ANAO notes that the IGA did not specify particular timeframes for delivery. However, it was expected that significant progress would be made during the first three years, and that the majority of the funds allocated by the Commonwealth of Australia would be spent within this time.

In summary, CrimTrac's progress in implementing its key deliverables has been variable. One database is fully operational; one system is constructed but yet to be loaded with all jurisdictions' data; and two other projects are at the pilot and design phase. CrimTrac has made significant efforts to initiate each of the key deliverables specified in the IGA, with resultant pressures on the resources of the agency.

Achievement of the broader objectives of the IGA (Chapter 3)

The ANAO considered the strategic and operational context of the agency. The police jurisdictions, as well as being the users of the CrimTrac systems, are also partners under the IGA and, as such, are also involved in the design and development of the projects and systems. The various jurisdictions provide a significant source of the funding for CrimTrac's operations.

The ANAO concluded that the establishment of CrimTrac as an Australian Government agency has resulted in the alleviation of many of the issues of its predecessor, NEPI. Although progress in some projects has been slower than anticipated, CrimTrac has progressed the key deliverables; implemented many internal plans and controls; and has continued to provide support for the former PRS systems.

However, the ANAO concluded that there would be benefit in CrimTrac seeking to better define the links between the broad objectives of the IGA and its Outcome, which is ‘Coordinated national policing information systems for a safer Australia^2'. This would provide an increased understanding of the context of the CrimTrac projects and a common goal for all parties to work towards.

The ANAO also considered that it is difficult for CrimTrac to measure and report against its stated Outcome. However, the ANAO further considered there would be benefit in CrimTrac, in consultation with its partners, seeking the means to better reflect what is collectively being achieved, which would benefit both efficient and effective management and enhanced external accountability.

The ANAO also found that the IGA has limitations with respect to the partnership approach. We concluded that there would be benefit for the arrangement by establishing a formal agreement, such as a Memorandum of Understanding (MOU), between all the partners, as the basis for setting out the expected responsibilities of each partner in their role as a signatory to the IGA.

The deployment of the deliverables under the objectives of the IGA, and hence the achievement of the CrimTrac Outcome, are likely to continue to be subject to legislative amendment issues, such as those impeding the deployment of NCIDD. The ANAO recommended that CrimTrac consult with its key external stakeholders to develop a framework that allows for the timely resolution of key issues that pose a risk to the CrimTrac Outcome, or to particular projects.

Project management (Chapter 4)

CrimTrac had a sound project management methodology in place in PRINCE2. This methodology was adapted to develop an in-house project management framework, the CrimTrac Project and Programme Management Framework (CPPMF). However, there were some weaknesses in the manner of adaptation and implementation of the CPPMF, leading to difficulty in tracking the history of projects, and some difficulties in the coordination of projects. CrimTrac had already taken some steps to rectify these. During the audit, the agency commissioned a consultant to examine a current project, and to consider whether changes were required in the overarching project management framework.

The ANAO concluded that the agency's project management framework is not sufficiently robust to be effective in a multi-agency project delivery environment. The ANAO made recommendations aimed at strengthening the framework through: providing more detailed policy and guidance; measuring the full costs and benefits of projects; better detailing the roles and responsibilities of all parties and how they should interact; and establishing an arrangement to more effectively coordinate the projects.

Data and IT security (Chapter 5)

The ANAO has reported a number of findings relating to the controls and procedures in place to ensure the security of CrimTrac's systems, as well as the security of data it either holds, or accesses, for matching purposes. The ANAO notes that most of CrimTrac's data is only accessible by police jurisdictions and that, to date, there have been no security breaches or incidents of significance. However, as CrimTrac continues to build systems and to host increasing volumes of sensitive data, it is important that adequate controls are in place to protect the data.

The ANAO found that, although the existing CrimTrac Security Policy was generally compliant with the Protective Security Manual, the links to appropriate TRAs were insufficiently established. As a consequence, the procedural environment to ensure the protection of data was weakened. CrimTrac would benefit from finalising the development of its various IT security plans, policies and procedures, as well as implementing measures to ensure greater consistency between these plans. This would minimise the risks of gaps in the agency's approach to the management of the security of its data and systems. The ANAO considers that CrimTrac should finalise its IT Strategic Plan, Business Continuity Plan and Disaster Recovery Plan.

The ANAO further concluded that CrimTrac should take action to: establish formal agreements with the jurisdictions which cover the ownership of the data and systems, and assign responsibilities for the security of these data and systems accordingly; ensure that its formal agreements with its service providers are up to date, finalised and appropriately signed off; and take a more strategic approach to the security training of staff and users of its various systems.

Overall audit conclusion

CrimTrac has faced significant challenges in its role of developing and delivering IT solutions to service Australia's police, as well as maintaining the former NEPI mainframe systems, and establishing itself as a new Australian Government executive and prescribed agency. Although progress in delivering the key deliverables under the IGA has been variable, the CrimTrac agency has exerted significant effort to initiate all of the deliverables, and appears to have successfully replaced its predecessor, NEPI.

The ANAO concluded that, after some three years of operation, it is timely for a review of the nature of the relationship between the partners in the CrimTrac initiative, and a clarification of their various roles and responsibilities. The ANAO considered that better definition of the links between the broader objectives in the IGA and the CrimTrac Outcome would be useful in providing a common goal for all parties to work towards.

The ANAO also concluded that more work needed to be done to: refine CrimTrac's strategic monitoring of its projects; provide more detailed guidance to project managers; and clarify the role of CrimTrac as the coordinating agency as well as the responsibilities of jurisdictions as project partners.

There is also significant scope to enhance the controls and procedures in place to ensure the security of CrimTrac's systems, as well as the security of data it either holds, or accesses, for matching purposes. As CrimTrac continues to build systems and to host increasing volumes of sensitive data, it is important that adequate controls are in place to protect the data.

Responses to the audit

Agency response

CrimTrac has agreed with all of the recommendations, and provided its response to the audit as follows:

The CrimTrac initiative's primary challenge has been to gain co-operation—financial and technical across 9 disparate police services—then give police nationwide access to centrally hosted information technology tools and services that support each jurisdiction's approach plus introduce new nationwide capabilities not addressed by the former NEPI. This has required a significant personal investment by Agency staff in creating and maintaining effective jurisdictional relationships since the Agency was created in 2000.

CrimTrac's programmes being delivered under the IGA strive for consensus and trust with and between police jurisdictions before they are designed and implemented. It takes time, however,—much more time than the original CrimTrac proponents contemplated and whilst a slower than optimum rate has been observed by the audit, responsible spending and prudential management of the Australian Government's $50 million investment has been demonstrated.

Weaknesses reported in project management and data security had already received the attention of the CrimTrac Board of Management prior to notification of the audit. Through the Agency's risk management approach, they were identified as high priority areas for attention and significant resources were allocated to improve outcomes in these areas. The risk exposure as it currently stands is understood by all stakeholders as the Agency continues to mitigate it.

The Agency is refining its role and modus operandi within the stakeholder arrangements of the CrimTrac initiative and the stakeholders are refining their understanding of how best to participate in and exploit the opportunities that CrimTrac provides. The audit has been a valuable opportunity to take stock of our progress and to note constructive criticism that should strengthen the Agency in its contributions to improved community safety.

The full agency response is included in the audit report at Appendix 3.

Special interest party responses

The ANAO also sought comments from the police jurisdictions and the Attorney-General's Department (AGD) as special interest parties, and these are detailed in full at Appendix 4 in the audit report. In summary, the police jurisdictions and the AGD were supportive of the report and its recommendations.

Footnotes

1 There are nine jurisdictions covering the laws for each State and Territory and the Commonwealth. The ACT Police Services are delivered as an arm of the Australian Federal Police.

2 CrimTrac Agency Second Annual Report 2002–03, CrimTrac, Canberra, September 2003. p.12.