Missing Qld child protection reports blamed on coding error

A simple but undetected coding error has been blamed for the failure of Queensland’s OneSchool system to successfully transmit hundreds of reports about school children at risk of abuse in the first half of this year.

Education Minister Kate Jones today publicly released the findings [pdf] of a Deloitte investigation into the issue, which was triggered by a software upgrade to the mandatory child protection reporting module of OneSchool in January.

The software failure, which resulted in the disappearance of up to 1000 serious messages from teachers and principals, was described by one state Education executive as “the most serious situation we had ever faced at head office”.

Deloitte traced the failure back to a contracted software developer responsible for the January update.

The system amendment was designed to allow the most serious child protection reports, according to a common risk matrix, to be sent directly to the Queensland Police Service without additional reference to the Department of Communities, Child Safety and Disability Services (DCCSDS).

But the developer failed to remove existing coding logic that blocked messages from being sent if they did not have an @communities.qld.gov.au listed in the ‘to’ field.

Therefore, all QPS-only reports - which included the highest-risk children identified by teachers and principals in the period - never made it out of the OneSchool system, despite being flagged as successfully sent.

The Deloitte consultants also found that the testing process for the software update failed to pick up on the error.

They concluded that a second staff member, on testing duties, failed to properly count the number of test messages generated by the new module - missing the fact that QPS-only messages were not being generated.

At the time, the Department of Education did not routinely conduct peer unit testing on OneSchool code before it was released into the test environment, the report found.

The new code went live on 19 January 2015 after receiving a clean bill of health.

The error was not picked up until the original developer discovered it while scanning the codebase for an unrelated bug on 29 July 2015.

The discovery prompted the department and state Labor government to enter crisis mode.

Within 24 hours of the discovery, Minister Jones went public with the revelation. It triggered the department to use its emergency text message facility to immediately contact all principals and alert them of the issue.

The report declined to name the third-party firm that supplied the software developer to the department, but revealed seven contractors - including the original author of the faulty code - had been placed under a contract executed on 3 September 2013.

Jones previously stated that an external software developer and an internal testing officer had been stood down over the incident. CIO David O’Hagan also stood aside while the review was underway.