GAO Watchblog Reblog: Personal Information, Private Companies

The recent Congressional hearings on Facebook have highlighted the ways that companies collect and use personal information for marketing purposes. So, what rights do you have to your own information?

The GAO outlined the lack of comprehensive legislation that addresses privacy in their 2013 report on the subject:

No overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. For example, the Fair Credit Reporting Act limits the use and distribution of personal information collected or used to help determine eligibility for such things as credit or employment, but does not apply to information used for marketing. Other laws apply specifically to health care providers, financial institutions, videotape service providers, or to the online collection of information about children.

The current statutory framework for consumer privacy does not fully address new technologies–such as the tracking of online behavior or mobile devices–and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. With regard to data used for marketing, no federal statute provides consumers the right to learn what information is held about them and who holds it.

These findings are still relevant today.

Read more here.


Oregon State Police: Forensic Division Has Taken Appropriate Steps to Address Oregon’s Sexual Assault Kit Testing Backlog

Report Highlights


Oregon State Police (OSP) has taken appropriate steps to manage an influx of Sexual Assault Forensic Evidence (SAFE) kits sent by local law enforcement agencies after Melissa’s Law passed in 2016, including adding staff and equipment, changing how they prioritize the testing of DNA evidence, and using more efficient technologies for DNA processing. Many of these changes occurred too recently to definitively determine whether they will successfully eliminate the remaining backlog. However, the actions taken are aligned with best practices and OSP officials estimate they will largely eliminate the backlog by the end of 2018.

Background

The Forensic Services Division of OSP provides Oregon’s only full-service forensic lab system. The intent of Melissa’s Law is to prevent a future SAFE kit testing backlog at local law enforcement agencies by mandating all non-anonymous kits be sent to OSP for testing.

Purpose

The purpose of this audit was to report on whether OSP has taken actions consistent with statute and best practices to address the SAFE kit backlog.

Key Findings

  1. OSP has complied with Melissa’s Law by increasing lab capacity and reporting results to legislators on efforts to reduce the SAFE kit backlog.
  2. OSP is following best practices outlined by the National Institute of Justice for forensic labs that process SAFE kits. For example, OSP’s “high-throughput” approach to obtaining DNA profiles from SAFE kits is recommended for decreasing kit backlogs.
  3. The agency’s decision to suspend DNA processing of property crime evidence to focus on SAFE kits could lead to a backlog of DNA evidence of this type at local law enforcement agencies. Local law enforcement agencies are eager for OSP to resume accepting DNA evidence for property crimes.
  4. As of January 2018, many of OSP’s capacity-building and process improvement efforts have been implemented. Since then, OSP has shown substantial improvement in the number of kits processed each month. Also, there has been a significant reduction in the statewide backlog. A 2017 survey of local law enforcement agencies found approximately 1,100 kits needing testing, down from approximately 4,900 in 2015. For these reasons, OSP believes it can eliminate the backlog by the end of 2018.

Recommendations

We recommend that OSP publicly post backlog status reports, examine options for a statewide SAFE kit tracking system, and plan for reintroducing DNA testing in property crimes.

OSP generally agrees with our recommendation. The agency’s response can be found at the end of the report.

Read full report here.


Internal Auditor Repost: Emotional Intelligence for Internal Auditors

Mike Jacka discusses the usefulness of emotional intelligence for internal auditors.


Oregon Office of Economic Analysis ReBlog: Oregon’s Unprecedented Growth?

A common refrain our office hears is that Oregon’s growth in recent years is unprecedented. Meaning that we’ve never seen population growth like this before. This is usually in the context of the housing market and explaining away our shortage more as a function of extremely high demand, and less about the supply issues. As such, I think it may be helpful to take a graphical trip down memory lane. The bottom line is that yes, in many places in Oregon, mostly urban, we’re seeing population gains that are better than in the 2000s but on par with the 1970s and the 1990s. Remember, people have been packing up and moving to this part of the world since before Lewis & Clark. Population growth and migration is nothing new. It is ingrained in our community and economy and remains our number one comparative advantage.

Josh Lehner explores Oregon’s history of population growth and shares some hard facts and a nuanced perspective on this hot button topic. Read more here.


GAO Watchblog ReBlog: Office Space

The federal government spends billions of dollars every year to operate and maintain the roughly 273,000 buildings it owns or leases. But we’ve reported for years on problems with how the federal government manages its real estate—in fact, federal real property management has been on our High-Risk list since 2003.

So, has anything changed? How effectively is the government using its real estate assets? Today’s WatchBlog explores our recent work on reducing office space in federal buildings and telework as a space planning tool.

Read more here.


Data-Smart City Solutions RePost — Map Monday: Beyond Floods

People tend not to think that bad things will happen to them. This psychological proclivity towards optimism—logically termed “optimism bias”—is in many ways a beneficial feature of the human psyche, as most live better lives when they’re not constantly obsessing over the possibility of some calamity befalling them.

However, the optimism bias also has its disadvantages, as it may discourage people from preparing for emergencies. This was the case during Hurricane Sandy, during which 77 percent of New Yorkers reported that inland flooding was much higher than they expected. In New York City alone, the storm damaged 90,000 buildings, created $19 billion in damage, and killed nearly 50 people.

Chris Bousquet, a Research Assistant and Writer with Harvard’s Ash Center, explores how data sharing can influence human action through the Beyond Floods CARTO platform.

Read more here.


Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights


The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.

Read the full report here.
