Personal Information Data Privacy report #22/23-2 February 2023

Personal Information Data Privacy – Initial Assessment

To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@deschutescounty.gov

Deschutes County, Oregon
The Office of County Internal Audit

David Givans, CPA, CIA – County Internal Auditor
Aaron Kay – Performance Auditor
internal.audit@deschutescounty.gov

Audit committee:
Daryl Parrish, Chair – Public Member
Jodi Burch – Public Member
Joe Healy – Public Member
Scott Reich – Public Member
Summer Sears – Public Member
Stan Turel – Public Member
Patti Adair, County Commissioner
Charles Fadeley, Justice of the Peace
Lee Randall, Facilities Director

Recommendations: 4

TABLE OF CONTENTS:

HIGHLIGHTS

1. BACKGROUND ON DATA PRIVACY
1.1. Background on the Audit
1.2. Background on Personal Information Data Privacy
1.3. Background on Oregon Consumer Information Protection Act

2. FINDINGS and OBSERVATIONS
2.1. Findings and Observations

3. MANAGEMENT RESPONSES
3.1. County Administration
3.2. Information Technology
3.3. Sheriff’s Office
3.4. Finance Department
3.5. 9-1-1 County Service District
3.6. Solid Waste Department
3.7. Fair & Expo Department
3.8. Road Department
3.9. Justice Court

A. APPENDIX A: OBJECTIVES, SCOPE, AND METHODOLOGY
i. Objectives and Scope
ii. Methodology

HIGHLIGHTS

Why this audit was performed:
An initial assessment of handling of personal information data privacy.

What was recommended:
Recommendations include:
• assigning an employee over the personal information security program to oversee training and compliance;
• deploying appropriate technology for communicating and sharing PI;
• reducing the amount of PI being collected or retained; and
• updating policy GA-9 for legislative changes.

Personal Information Data Privacy - Initial Assessment

This initial assessment of personal information data privacy was to demonstrate a commitment to and thoughtful protection of personal information (PI).

What was found

Overall, the County demonstrated a strong grasp of data privacy handling and only a couple of areas resulted in recommendations. Staff in departments/offices handling personal information exceed 99% of County staff. The County’s departments/offices that deal with HIPAA or law enforcement were unilaterally found to have greater awareness and procedures.

The audit identified the following areas for further improvement, including:
• additional administrative safeguards could help with personal information awareness;
• department/office utilization of technology with personal information could be strengthened;
• some departments/offices retain or collect personal information they do not need; and
• county policy does not reflect update to statute.

Deschutes County Internal Audit

1. Introduction

1.1 BACKGROUND ON THE AUDIT

Audit Authority: The Deschutes County Audit Committee authorized the review of personal information data privacy in the Internal Audit Program Work Plan for 2022-2023. The scope of this audit is anticipated to cover most County departments/offices. This is the first audit of this topic at the County.

Audit objectives, scope, and methodology can be found in Appendix A.

1.2 BACKGROUND ON PERSONAL INFORMATION DATA PRIVACY

Personal information (PI) is data that distinguishes an individual, such as full legal name, driver’s license, or social security number. Additional risk comes with additional pieces of personal data. Generally, one piece of personal information alone cannot be used to steal a person’s identity. It’s the various pieces put together that risk compromise of an individual’s identity.

Governmental entities collect many types of personal information, related to and including:
• services to the public,
• vendor payments, and
• employee management.

This information ranges widely in sensitivity and use. When individuals provide information of any kind to the County, they may wonder how the County will use that information and whether it will be secure in the County’s possession. As identity theft and cyber-security threats have become all too common, these concerns are quite valid.

A privacy assessment can pose a series of questions to help stakeholders identify and understand any risks their systems may pose to the privacy of personal information. Performing this kind of assessment demonstrates a commitment to and thoughtful analysis of protection of personal information. It also allows a proper response should there be a privacy breach.

This initial assessment was developed to gain an understanding of the County’s maturity in addressing various privacy topics as well as compliance with Oregon laws.
Assessment topics covered in discussions with County departments/offices included:
a) identification of whether personal information is being collected;
b) collection and purpose of data;
c) access and use of data;
d) sharing and/or transfer of data;
e) providing consent (or declination of) rights and disclosure of data;
f) storage and disposal of data (physical and electronic); and
g) privacy analyses being performed.

1.3 BACKGROUND ON OREGON CONSUMER INFORMATION PROTECTION ACT

The County has acknowledged and developed a policy GA-9: Consumer Identity Theft Protection in response to the Oregon Consumer Information Protection Act (Act) (ORS 646A.600 et seq). The Act provides clear direction and expectations to ensure the safety of sensitive personal information data. The Act applies to covered entities (such as Deschutes County) that may own, maintain, store, manage, collect, process, acquire or otherwise process personal information in the course of business.

In Oregon, personal information (PI) is defined by this law as including a consumer’s first name and last name (or first initial and last name) in combination with one or more of the consumer’s:
• social security number;
• driver’s license number (or state ID card number);
• consumer medical and/or mental health history;
• health insurance policy number with another unique identifier (i.e. date of birth);
• biometric measures (i.e. fingerprints) used to authenticate financial transactions;
• credit or debit card number with security code;
• passport number (or other US issued identification number);
• financial account number with password; and/or
• user name(s) for accessing consumer accounts.

Other fields deemed supporting for verification include:
• date of birth;
• maiden name; and/or
• mother’s maiden name.

The Act requires applicable entities to develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of personal information. Safeguarding also means properly disposing of information.

The Act outlines steps to help implement an information security program to help minimize breach risks. Those include:
• assessing extent and risks of having personal information;
• protecting personal information;
• reducing personal information;
• training on personal information safeguards;
• detecting risks with personal information;
• preparing for breaches with personal information; and
• destroying personal information no longer needed.

A security program should include administrative, technical, and physical safeguards.

A breach of security is allowing unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information being safeguarded. The Act stipulates what should be done if a breach occurs.

2. Findings and Observations

The audit included limited procedures to understand personal information data privacy at the County. No significant deficiencies were found in this audit. A significant deficiency is defined as an internal control deficiency that could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.

The findings noted were primarily compliance and efficiency matters. Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective.

The audit disclosed certain policies, procedures and practices that could be improved. The audit was neither designed nor intended to be a detailed study of every relevant system, procedure, or transaction.
Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and do not replace efforts needed to design an effective system of internal control.

Management has responsibility for the system of internal controls, including monitoring internal controls on an ongoing basis to ensure any weaknesses or non-compliance are promptly identified and corrected. Internal controls provide reasonable but not absolute assurance that an organization’s goals and objectives will be achieved.

2.1 FINDINGS AND OBSERVATIONS

Collection of Personal Information

As one might expect, given the significant health and law enforcement services provided by the County, there is a lot of personal information collected, stored, managed, and destroyed. Staff in departments/offices handling personal information exceed 99% of County staff. The departments/offices with HIPAA and law enforcement level requirements over personal information exceed 78% of County staff. These requirements further strengthen adherence to best practices regarding handling of personal information and these departments/offices were found to be much more attuned to the importance of protecting this information. Many of these departments/offices receive routine external audits, training, and certifications that reinforce privacy.

DIAGRAM I – Prevalence of PI fields in County departments/offices by area (and FTE size).
Legend: HIPAA or Law enforcement level of PI; Regular PI
* OTHER includes less frequent personal information such as: health insurance number, biometric info, credit card information, and/or passport ID.

ASSESSMENT TABLE I
* See recommendation that follows being made to further strengthen this area.

Additional administrative safeguards could help with personal information awareness.

A number of departments/offices struggle with training on privacy, especially if they don't have additional security over PI or protected health information (PHI). This is further exacerbated when there is not an assigned employee over the security program who can assist with training.

The Oregon Consumer Information Protection Act (Act) sets expectations for a security program that includes training as well as having employees identified as security officers. Training includes aspects of security program practices and procedures with reasonable regularity. County Policy (GA-9) directs departments/offices to assign “an employee to coordinate the security program, identifying internal and external risks, and training employees.”

Some County departments/offices have not formalized a response to the policy through appointment of a point person and providing the specific training called for in the Act.

In the absence of proper training, there could be inconsistent implementation of policy. Having responsibilities for HIPAA and/or law enforcement doesn’t assure the Act’s requirements to protect personal information are covered.

It is recommended for the County departments/offices to assign an employee over each department’s/office’s personal information security program who will also be responsible for establishing appropriate training and compliance with County policy.

Access and use of personal information data

County departments/offices according to their operations and services have established systems and access to protect their respective personal information. As an example: from discussions with staff, they were not aware of any intrusions. All County departments/offices receive this personal information to provide the services they do in coordination with state and federal agencies. For some situations, services can only be provided with consent and personal information provided. The County departments/offices have established sufficient technology to collect and control the data.

ASSESSMENT TABLE II

Sharing and/or transfer of personal information data

The County departments/offices are deliberate with how they share or transfer personal information data with other internal or external organizations.

ASSESSMENT TABLE III
* See recommendation that follows being made to further strengthen this area.

Department/office utilization of technology with personal information could be strengthened.

Overall, the County has sufficient technology to employ safeguards over personal information. There are some areas noted where the usage of technology could be improved through:
• further restricting access to personal information on shared network drives. In general, departments/offices should limit access to only appropriate staff.
• considering appropriate technology for communicating personal information internally. In general, emails can be a riskier option for such communication. Though the County’s use of the MS365 (government) platform provides sufficient technical security for HIPAA and law enforcement, it may not protect against inadvertent emails to the wrong party.
• considering additional technological options for customers. Some customers, without being provided options, might resort to sharing personal information by email or text.

The Oregon Consumer Information Protection Act (Act) calls for assessing, in light of current technology, risks of information collection; storage; usage; retention; access and disposal; and implementing reasonable methods to remedy or mitigate identified risks.

Departments/offices are not always identifying the risks and exploring technology options with information technology staff (County or department/office) for responding to these risks.

In the absence of appropriate solutions, customers and staff may rely on inappropriate technology for communicating or sharing personal information.

It is recommended for departments/offices to consider the risks and develop and/or deploy technology appropriate to the situation for communicating and sharing personal information.

{Note: Preliminary discussions on technology offered up potential solutions that might include using: restricted shared drives, FTP portals, OneDrive, web applications, and/or encrypted email.}

Consent rights and disclosure of personal information

Generally, outside of HIPAA, the Oregon Consumer Information Protection Act (Act) does not require a person’s consent regarding personal information nor require informing the person on disclosure. County departments/offices utilize appropriate approaches based on the services they provide.

ASSESSMENT TABLE IV

Storage and disposal of personal information data (physical and electronic)

The County departments/offices provide sufficient safeguards over data, whether it be electronic or in physical form. The County has retention schedules that dictate how long data is supposed to be retained.

ASSESSMENT TABLE V
* See recommendation that follows being made to further strengthen this area.

Some departments/offices retain or collect personal information they do not need.

Some departments/offices collect customer personal information fields included in forms they do not need. In many cases they redact the information as it is received. In addition, some departments/offices have older personal information from employee applications and management of employees and keep those in personnel files held in the department/office.
Departments/offices appear to be providing sufficient security over the physical personnel files; however, with these files comes responsibility to address document retention and associated risks of having such data. The Human Resources Department has responsibility for personal information in personnel files, and it could be an additional risk for departments/offices to continue to hold onto older files with personal information.

Best practices for personal information include reducing exposure by not retaining personal information you no longer need.

Before the use and implementation of personal information policies, many County departments/offices retained copies of their own staff’s personnel information or, because of requirements for the position, require certain personal information. For example, many departments/offices have employees driving on County business and need to oversee the status of their driver’s licenses.

Having duplicated or additional personal information in departments/offices could result in additional risks and administrative burdens to departments/offices.

It is recommended County departments/offices consider whether they are following policies and could reduce the amount of personal information they collect or retain and make changes to associated processes.

Privacy analyses performed on personal information data

Many County departments/offices have the need and may utilize personal information in analyses. Analyses help inform departments/offices on the services being performed. Staff performing analyses make efforts to limit the amount of PI they utilize and make sure any personal information is not inappropriately reported.

ASSESSMENT TABLE VI

Other safeguards in Oregon Consumer Information Protection Act (Act)

There are a couple of other safeguards included in the Oregon Consumer Information Protection Act (Act) that were also inquired about and not addressed in the above assessments. Those include:

ASSESSMENT TABLE VII

County Policy does not reflect update to statute.

County policy (GA-9) was developed with the initial Consumer Identity Theft Protection Act (created in 2008). The policy has not been updated since the Act was modified in 2019 to be the Oregon Consumer Information Protection Act.

In 2019, Oregon adopted SB 684 to update some of the provisions of the Consumer Identity Theft Protection Act to now be known as the Oregon Consumer Information Protection Act. The amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights. Key substantive changes in the revision include:
• revising the title of the Act;
• extending breach notification obligations to “vendors,” defined as entities who contract with a covered entity to “maintain, store, manage, process or otherwise access personal information;”
• expanding the definition of “personal information” to include user names and passwords or similar means to access an individual’s account (i.e. disclosure of usernames and passwords alone is now sufficient to trigger breach notification obligations); and
• expanding the definition of “breach of security” to cover personal information a person “maintains or possesses.”

County Policy GA-9 (from 2008) for Consumer Identity Theft Protection refers to the older statutory title, whereas it should be now known as the Oregon Consumer Information Protection Act as well as address the changes as noted above.
It does not appear the County identified the policy for update from this legislative change.

In the absence of the updated language of the Act, there could be inconsistent adherence to the underlying Act.

It is recommended the County update policy GA-9 to reflect the substantive changes from the revised Oregon Consumer Information Protection Act.

3. Management responses

3.1 County Administration
Erik Kropp, Deputy County Administrator

3.2 Information Technology
Whitney Hale, Deputy County Administrator (Interim IT Director)

Date: February 3, 2023
To: David Givans, County Internal Auditor
From: Whitney Hale, Interim IT Director, Deputy County Administrator
Subject: Response to Data Privacy Audit

Thank you for the detailed review of personal information data privacy. We recognize the importance of protecting data privacy. The Information Technology Department will continue to support departments, when requested, with tools to meet their business needs related to data.

Recommendation #1 - It is recommended for the County departments/offices to assign an employee over each department’s/office’s personal information security program who will also be responsible for establishing appropriate training and compliance with County policy.

IT will discuss how to best implement this recommendation internally.

Recommendation #2 - It is recommended for departments/offices to consider the risks and develop and/or deploy technology appropriate to the situation for communicating and sharing personal information.

IT supports this recommendation. We have successfully partnered with many departments on safeguards related to personal information and have created documented processes that can be shared and adapted for use by other teams.

Staff does want to share feedback on the recommendation that relates to restricting shared drives. At times, adding additional security constraints to shared drives can interfere with staff’s day to day tasks. Today, the County’s shared drives are secure at the business unit level. IT recommends that they maintain this level of security and that, if needed, departments work with IT to develop reporting so that managers can periodically monitor utilization of shared drives.

Recommendation #3 - It is recommended the County departments/offices consider whether they are following policies and could reduce the amount of personal information they collect or retain and make changes to associated processes.

We agree with this recommendation and can support departments / offices as requested with data reviews.

Recommendation #4 - It is recommended the County update policy GA-9 to reflect the substantive changes from the revised Oregon Consumer Information Protection Act.

IT agrees with this finding and will support Administration in any necessary Policy Updates, as requested.

3.3 Sheriff’s Office
Zachary Neemann, Lieutenant

3.4 Finance Department
Robert Tintle, CFO

3.5 9-1-1 County Service District
Sara Crosswhite, Director

Recommendation 1, assigning an employee over the personal information security program to oversee training and compliance - Agree with recommendation, but feel we need a bit more understanding of the Oregon Consumer Information Protection Act, and once we have a review internally, we will understand what is needed for the assigned employee as well as the training component. Our goal is to have this completed by March 15, 2023.

Recommendation #2, departments/offices to consider the risks and develop and/or deploy technology appropriate to the situation for communicating and sharing personal information. Agree. The District currently has secure/share drives with our LE/DA/Fire departments where information is shared if needed. Emails are not sent with personal information but our I.T. team will be evaluating an option of encrypted email in certain circumstances.

Recommendation #3, It is recommended the County department/offices consider whether they are following policies and could reduce the amount of personal information they collect or retain and make changes to associated processes. Agreed. Personal information that is kept on site related to employment is in a secure file cabinet and in a locked office. Documents that are stored here are related and necessary to Department of Public Safety Standards and Training certifications for our staff. If staff is no longer with the District those files are sent to archiving.

Recommendation #4, It is recommended the County update policy GA-9 to reflect the substantive changes from the revised Oregon Consumer Information Protection Act. Agreed. If there are revisions to the Oregon Consumer Information Protection Act that Departments should be following it should be reflected in our policy.

3.6 Solid Waste Department
Sue Monette, Management Analyst

Recommendation 1, assigning an employee over the personal information security program to oversee training and compliance - Current Practice: User security access to Solid Waste specific software programs is managed by the Management Analyst. This person also maintains security over the Department personnel records and ensures compliance with policies and procedures for other records containing personal information in the department. The Operations Manager trains employees on proper procedures for handling customer credit card information.

Recommendation #2, departments/offices to consider the risks and develop and/or deploy technology appropriate to the situation for communicating and sharing personal information. Current Practice: The Department of Solid Waste utilizes a secure FTP site and other tools as needed when sharing personal information. Recently Implemented: Based upon feedback from the internal audit on personal information data privacy meeting, the Department recently created a new Personnel folder on the network drive, secured and accessible to only management, in order to move to electronic storage of relevant/necessary personnel records.

Recommendation #3, It is recommended the County department/offices consider whether they are following policies and could reduce the amount of personal information they collect or retain and make changes to associated processes. Recently Implemented: The Department of Solid Waste is implementing an archive policy to ensure compliance with retention guidelines and has actively started reviewing saved records. Those needing to be retained are scanned and then storage boxes marked with retention dates; others outside the retention dates are being destroyed. In addition, records that are not necessary to Department function that contain personal information maintained elsewhere, such as in Human Resources, are being destroyed. Going forward, new hire forms electronically submitted to Human Resources will be destroyed upon successful delivery.

3.7 Fair & Expo Department
Geoff Hinds, Director

Recommendation 1, assigning an employee over the personal information security program to oversee training and compliance - Fair & Expo will identify an employee to oversee the department’s personal information security program, and to identify and establish appropriate training and safeguards in compliance with County policy and current best practice. Until or unless otherwise identified in the future, this person shall be the Director, Fair & Expo.

Recommendation #2, departments/offices to consider the risks and develop and/or deploy technology appropriate to the situation for communicating and sharing personal information. Fair & Expo will work to continuously improve and utilize best practices and to identify and obtain technology which can improve the safeguarding of shared personal information whenever available.

3.8 Road Department
Keli Candella, Administrative Supervisor

Recommendation 1, assigning an employee over the personal information security program to oversee training and compliance - I will be the Department’s liaison and take on the department’s/office’s personal information security program. Once the County has a policy and training in place, I will be responsible for training our department personnel.

3.9 Justice Court
Judge Charles Fadeley

Justice Court agrees with the recommendation.
Justice Court staff follows all County policies concerning personal information security. Additionally, staff must be certified biannually in information security best practices as a requirement to access CJIS and LEDS. Court Administrator Jodi Stacy is the JC employee responsible for establishing appropriate training and compliance with County policy.

Appendix A: Objective, Scope, and Methodology

i. OBJECTIVES and SCOPE

“Audit objectives” define the goals of the audit.

Objectives included:
1) Assess whether the County has adequate controls to protect personal information/data from unauthorized access and use. This would include:
a) identification of whether personal information is being collected;
b) collection and purpose of data;
c) access and use of data;
d) sharing and/or transfer of data;
e) consent (or decline) rights and disclosure of data;
f) storage and disposal of data (physical and electronic); and
g) privacy analyses being performed.
2) Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable.

Scope and timing:
The audit began in August 2022 and extended through December 2022. This audit includes County operations thought to be collecting personal information. The scope of personal information includes members of the public receiving County services; County employees and volunteers; and County vendors. The scope did not go so far as protected health information. As an initial assessment, the inquiry did not go further than interviews and review of topics. The scope of the audit did not include all aspects of the internal controls employed.

ii. METHODOLOGY

“Audit procedures are created to address the audit objectives”

Audit procedures included:
• interviews and observation of selected departmental/office employees and other procedures as deemed necessary;
• developing and utilizing privacy assessment tools to collect privacy information from departments/offices (some of the tools developed were more far-reaching than the Oregon Consumer [Identity Theft] Information Protection Act);
• analyzing results of collected information to identify gaps and needs;
• reviewing of legal and statutory frameworks around privacy to identify areas for assessment; and
• reviewing County policy and practices around privacy.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

(2018 Revision of Government Auditing Standards, issued by the Comptroller General of the United States. GAO-21-368G)

The County Internal Auditor was created by the Deschutes County Code as an independent office conducting performance audits to provide information and recommendations for improvement.

{End of Report}

Please take a survey on this report by clicking on the attached link: https://www.surveymonkey.com/r/PI_Data_Privacy

If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.