Report faults APD’s handling of information
Friday, September 27, 2019 by Jo Clifton
The Austin Police Department has failed to comply with the federal policy relating to access to criminal justice information maintained by the FBI, according to a special report from the Office of the City Auditor.
Assistant City Auditor Andrew Keegan briefly described his findings to the Council Audit and Finance Committee on Thursday.
The Texas Department of Public Safety conducts audits of entities like APD that have access to criminal justice data, such as arrest records and fingerprints. According to the report, DPS auditors noted several areas of noncompliance when they audited APD in February.
APD staff apparently said they had reported those issues to DPS.
“However, prior to the audit, APD staff submitted a document to DPS indicating that the city was fully compliant with the information security policy. City staff were aware of issues several years before DPS’s 2019 audit,” the auditor said.
City Auditor Corrie Stokes told members of the committee that her office found information they were required to report to City Council while conducting an audit on another subject.
In addition to APD, a number of other city departments, including the Austin Fire Department, Human Resources, and Communications and Technology Management, can access criminal justice information in the course of their duties. The report also noted that staff from the Building Services Department maintain some of the buildings that contain criminal justice information.
The report notes that, in order to ensure that the information is protected, the FBI has created a policy describing measures the city must take, “such as security training, data encryption and physical security, that must be in place for entities that use or access criminal justice information.”
Keegan told the Austin Monitor after the meeting that the FBI could refuse to allow the city the information it needs to conduct background checks, look at criminal histories and compare fingerprint data. However, he said in his research he had not found that the FBI actually withheld such information from any community, although they threatened to do so if the state of
Virginia South Carolina did not start complying with federal regulations related to such information. South Carolina made changes and continued its access to the information, he said.
According to the auditors’ report, “DPS audits involve a limited part of city operations that use criminal justice information, which means there may be more compliance issues beyond what DPS identified in their 2019 audit. For example, an investigation by the City Auditor’s Integrity Unit noted that city staff may not know the location of all criminal justice information in the city. This is a compliance risk because the city cannot ensure all criminal justice information is adequately protected if staff does not know where it is located.
“Additionally, during the Public Safety Dispatch Audit our office identified potential issues with background checks and security training for personnel at the Combined Transportation and Emergency Communications Center. Since criminal justice information is used at the site, these issues with background checks may create violations of the information security policy,” the report continued.
The report states that the chief of police should work with the city manager “to ensure APD has the necessary support from other city departments to ensure compliance” with FBI policies. In addition, auditors suggested that APD should identify where criminal justice information exists in city operations and establish appropriate controls to protect that information.
Auditors also noted that there is no written agreement between APD and Building Services related to criminal justice information, although APD staffers have known about the problem since 2017 and failed to correct it.
But APD Assistant Chief Joseph Chacón told the Monitor that his department had been working with Building Services “for a while now.” He added, “It’s a pretty stringent agreement,” though he could not say exactly why the agreement has not yet been signed.
Chacón said APD has a good working relationship with DPS and would work through any problems to make sure that the department does not lose access to the federal data.
Members of the committee did not comment on the report, but went into an executive session where they were scheduled to discuss an update on information security, including the report as well as confidential network security information.
Council Member Jimmy Flannigan, who serves on the committee, said via email, “There have been no incidents or problems, just some process errors that haven’t been corrected. We have made it clear to the Manager that it needs to be addressed ASAP so that there are no incidents or problems.”
Download (PDF, 147KB)
Photo by David Bruce made available though a Creative Commons license.
The Austin Monitor’s work is made possible by donations from the community. Though our reporting covers donors from time to time, we are careful to keep business and editorial efforts separate while maintaining transparency. A complete list of donors is available here, and our code of ethics is explained here.
Join Your Friends and Neighbors
We're a nonprofit news organization, and we put our service to you above all else. That will never change. But public-service journalism requires community support from readers like you. Will you join your friends and neighbors to support our work and mission?