Bad code that passed testing and was applied to the production environment of Queensland’s OneSchool system has been blamed for at least 644 student protection reports failing to be forwarded to police.

A forensic investigation by Deloitte uncovered multiple levels of process failure by Queensland’s Department of Education and Training (DET) and third party contractors – costing a developer, tester and several executives their jobs.

Queensland’s OneSchool administration system consists of a number of modules, including one that covers student protection.

Principals and teachers at schools can create and submit student protection reports through OneSchool for students they believe “may have been sexually abused, or were at risk of being sexually abused”.

According to Deloitte, a “significant number” of SPRs were being sent to Queensland Police that “did not meet evidential standards”.

A software update was scheduled in January 2015 “to reduce this from occurring” and ensure only the most serious reports were referred to police.

The software update was created by a third party developer who mistakenly left an old logic step in the code that caused referrals to police to fail.

Deloitte found the update was not peer reviewed before being released to a testing environment – a best practice method of detecting defects in code early – because it “was not a documented requirement within OneSchool”.

The code was passed straight to a tester, who Deloitte found used inadequate test scripts and incorrectly interpreted test results.

It was subsequently passed and signed off as “production ready” by executives, allowing it to progress through a change stakeholder committee and “into the live production environment” on January 19 this year.

The error was eventually picked up by accident on July 29 while the code was being scanned for an unrelated bug fix.

It was disclosed publicly within 24 hours and a fix was successfully applied – and extra safeguards added – within 48 hours. But the damage had been done.

Early warning?

While the bad code sat in OneSchool, Deloitte’s forensic examination uncovered eight instances “that indicated that SPRs may not have been received” by police.

Those instances involved reports to IT and enquiries by teachers and principals on reports they had logged.

In several cases, departmental staff tried to identify the cause of problems in OneSchool, only to receive system indications that the reports had been sent. Other ‘early indicators’ of issues were put down to problems that resided ‘at the [Queensland Police] end’.

Education Minister Kate Jones said the state government would take on all 21 recommendations made by Deloitte.

Those recommendations include “implementing stronger operational governance to monitor progress and manage risks of IT updates”, and revising OneSchool’s software development lifecycle framework.

“I am advised that there is no evidence that children suffered further harm as a result of the IT failure,” Jones said.