720-913-5000 auditor@denvergov.org

DENVER – Denver is taking data privacy seriously and continuing to address and improve processes and procedures to protect personally identifiable information, according to a follow-up report from Denver Auditor Timothy M. O’Brien, CPA.

“Tracking the data storage of private information and knowing who has access is the first step in fighting fraud and cybercrime,” Auditor O’Brien said. “I am pleased to see significant progress in protecting the city.”

The City of Denver collects personally identifiable information through various agencies for services to the public, and this data includes items such as birth dates, Social Security numbers, health information, banking information or full legal names. Each piece of information on its own is useless, but when more than one piece of personal information is combined, it could put a person at risk of identity theft.

The follow-up report checked back in on the city’s progress after an audit found concerns about unsecured network folders, outdated policies, low completion rates for security training and lack of public transparency regarding the collection of personally identifiable information.

Today, the follow-up found that the Mayor’s Office and the Technology Services Department have taken significant steps to address the audit’s concerns, although there is still work to do.

The audit found no evidence of fraud or misuse of the data. However, the audit team still found a need for better controls to ensure the information cannot be incorrectly accessed or misused in the future.

To address the Auditor’s concerns, the Mayor established the Information Governance Committee, which included the chief information officer and the senior city attorney. The committee developed the new Executive Order 143, which established a protected data privacy policy. Technology Services also created the chief data protection officer position to work with the committee to directly address the audit recommendations. The committee now has working groups addressing training, data mapping, HIPAA and payment card compliance issues.

Technology Services worked to evaluate shared folders and update individual and group access to personally identifiable information. The chief data protection officer also created a draft privacy program manual, which addresses data access policy and procedure. In the new guide, agencies will be required to track the use and storage of personally identifiable information, so it cannot be accidentally exposed. Final implementation of these changes was pushed out to next year.

The committee also developed a new training policy for all employees, which requires cybersecurity and privacy training.

“Ensuring that the city is protecting sensitive data and stopping cyber criminals from taking advantage of the public’s resources is one of my top priorities,” Auditor O’Brien said. “I’m glad to see the city taking the issue just as seriously, and I will continue to keep a close eye on how the city addresses technology risks.”

At the time of the follow-up, the Mayor’s Office had fully implemented one recommendation and partially implemented another. Risk Management fully implemented one of the Technology Services recommendations. Technology Services partially implemented the three remaining recommendations. Despite the significant progress, the Mayor’s Office and Technology Services said they need a little more time to finish addressing some of the audit’s recommendations. The offices requested an extension for implementation to June 30, 2019.

Read the Follow-Up Report

Read the Audit
