A serious code flaw in the OneSchool Student Protection Reporting Module update in January resulted in Queensland police being unable to receive child abuse reports.
The flaw has led the Queensland Department of Education and Training to conduct an independent investigation and put in place recommendations made by Deloitte yesterday.
On 19 January 2015, the module software update went live with a code flaw missed by OneSchool program IT staff and contracted third-party developers. The update introduced a ‘QPS only’ reporting category for teachers to report students who have been sexually abused or are at risk to Queensland police.
Thresholds were created, in accordance with laws, to determine whether a report will be escalated to police or monitored internally within the student’s school.
The software flaw prevented emailed reports from reaching Queensland police for months, until the problem was discovered on 30 July.
“At that time the full extent of the problem and the exact details were not known apart from it being a serious issue affecting a large number of students and their families. Upon notification, the director general and the Minister [for Education] escalated the issue to the highest priority.
“At 5.30pm the same day, senior QPS officers attended DET [Department of Education and Training] head office to meet with senior DET staff and a process of triaging and remediation was immediately commenced,” the Deloitte report stated.
It was found that 644 cases of suspected child abuse failed to be reported to Queensland police.
The main error was that a logic step implemented before the January update, which checks that a Department of Communities, Child Safety and Disability Services email recipient is present when a report is sent, was not removed from the code. This resulted in emails failing to be sent to Queensland police.
The developers of this update missed this error when testing the software. A separate test was conducted for each of the eight logic steps involved in the system, but all test recipients were set up within the email account of the developer testing the software.
“This created confusion when verifying the number of emails received for each of the eight tests. As a result, he failed to notice the software code was not generating an email to QPS [Queensland police recipient, containing the student protection report] as intended,” the report stated.
The developer then concluded the software had been appropriately tested, but when Deloitte asked the developer why he did not undertake quality assurance (QA) on the test script, his response was: “I didn’t check it because I only do this when they either fail or when the testers have a problem with writing the test. This one passed so there was no reason for me to review it.”
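The failure mode described above, as an added illustration that is not OneSchool code or anything taken from the Deloitte report: a leftover recipient check silently drops a ‘QPS only’ report, and a test that counts mail in one shared inbox still sees messages, while a check against a separate mailbox per agency names the missing recipient. The routing table, the second category name and all function names are assumptions, and only two of the eight logic steps are modelled.

```python
# Added illustration: hypothetical reconstruction, not the OneSchool code base.
from collections import defaultdict

# Constructed routing table: report category -> agencies that must receive it.
# Only "QPS only" is named in the article; the other category is an assumption.
ROUTING = {
    "QPS only": {"QPS"},
    "DCCSDS and QPS": {"DCCSDS", "QPS"},
}

def send_report_flawed(category, outbox):
    """Keeps the pre-update guard: no DCCSDS recipient means no email at all."""
    recipients = set(ROUTING[category])
    if "DCCSDS" not in recipients:   # stale check left in after the update
        return                       # a 'QPS only' report is silently dropped
    for agency in recipients:
        outbox[agency].append(category)

def send_report_fixed(category, outbox):
    """Guard removed: every routed agency gets the report; empty routing fails loudly."""
    recipients = set(ROUTING[category])
    if not recipients:
        raise ValueError(f"no recipient configured for {category!r}")
    for agency in recipients:
        outbox[agency].append(category)

def shared_inbox_count(send):
    """What a single shared test inbox shows: one total across all recipients."""
    total = 0
    for category in ROUTING:
        outbox = defaultdict(list)
        send(category, outbox)
        total += sum(len(messages) for messages in outbox.values())
    return total

def undelivered(send):
    """Per-recipient check: a separate test mailbox for each agency, and the
    (category, agency) pairs that should have received a report but did not."""
    missing = []
    for category, expected in ROUTING.items():
        outbox = defaultdict(list)   # fresh mailboxes for each test case
        send(category, outbox)
        missing += [(category, a) for a in sorted(expected) if not outbox[a]]
    return missing

if __name__ == "__main__":
    for name, send in (("flawed", send_report_flawed), ("fixed", send_report_fixed)):
        print(name, "shared inbox total:", shared_inbox_count(send),
              "undelivered:", undelivered(send))
```
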
The day after the flaw was discovered (31st July 2015), the team fixed the issue and re-tested to ensure everything was working properly. A manual validation process was also used to ensure the flaw was completely fixed, with Deloitte re-performing the process. This involved contacting recipients at the end of an email to make sure sent reports from 30 July were received.
Some of the recommendations in the Deloitte report, which the department has started implementing, are stronger operational governance to monitor progress of IT and system updates, taking a risk-based approach to OneSchool’s Software Development Lifecycle framework, implementing email whitelisting to prevent filters blocking emails, and investigating alternatives to email reporting.
Queensland Minister for Education, Kate Jones, said it was “deeply concerning” that a lack of IT staff and resources was the main reason why the flaw was missed.
“Deloitte’s investigation also found the former government cut 228 staff from the IT branch as the Student Protection Reporting Module was implemented,” she said in a statement.
“Deloitte’s report reveals that staff working on the OneSchool technology were performing multiple key roles in addition to their prescribed position and non-technical staff were fulfilling roles typically conducted by ICT experts.”
John Lockhart, executive director of OneSchool Program, told CIO that it’s been constant 10-week sprints since the OneSchool online information portal became a program years ago.
“We are working through the recommendations of the report, and any actions that flow from that we’ll implement them carefully. We have already put processes and practices in place since the error was found,” he said.
He admitted that the flaw was missed by many people involved, and that child protection is an extremely sensitive and important area.
“As always, when you have someone review your processes there’s going to be something to learn,” he said.
“But can you sum up how you do seven years worth of good business in an incident like this when it occurs? Have a look at any IT shop, these sorts of errors occur [at some point]. We’ll work our way through those recommendations and implement them as required,” he added.
Follow Rebecca Merrett on Twitter: @Rebecca_Merrett