Office of Inspector General Office of Professional Practice Services

Similar documents
Postal Inspection Service Mail Covers Program

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

The University of British Columbia Board of Governors

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

Adopter s Site Support Guide

Privacy Policy. MIPS Website Privacy Policy. Document Information. Contact Details. Version 1.0 Version date March 2018.

Fluid Metering, Inc. Privacy Policy

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

RULES OF THE TENNESSEE ALCOHOLIC BEVERAGE COMMISSION CHAPTER RULES FOR PROFESSIONAL ALCOHOL SERVER TRAINING TABLE OF CONTENTS

Investigation. City of Edmonton Office of the City Auditor. ETS Workforce Development. January 14, 2019

POLICY BURLINGTON TOWNSHIP BOARD OF EDUCATION. PROGRAM 2361/page 1 of 8 Acceptable Use of Computer Network/Computers and Resources M

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

UNIVERSITY OF NORTH CAROLINA CHAPEL HILL

[Utility Name] Identity Theft Prevention Program

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Code of Ethics Certification 2018 CHECKLIST

Request for Qualifications for Audit Services March 25, 2015

Mobile Application Privacy Policy

Information Security Incident Response and Reporting

Red Flag Policy and Identity Theft Prevention Program

Virginia Commonwealth University School of Medicine Information Security Standard

STATE OF NORTH CAROLINA

Client Services Procedure Manual

EDENRED COMMUTER BENEFITS SOLUTIONS, LLC PRIVACY POLICY. Updated: April 2017

Financial Planning Standards Council 2016 ENFORCEMENT AND DISCIPLINARY REVIEW REPORT

CliniSys Website Privacy Policy

California Code of Regulations TITLE 21. PUBLIC WORKS DIVISION 1. DEPARTMENT OF GENERAL SERVICES CHAPTER 1. OFFICE OF THE STATE ARCHITECT

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

NASD NOTICE TO MEMBERS 97-58

HPE DATA PRIVACY AND SECURITY

MICRO-ENTERPRISE CREDENTIAL TRACKING AGREEMENT

NYSVMS WEBSITE PRIVACY POLICY

REGULATION BOARD OF EDUCATION FRANKLIN BOROUGH

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

NEWTON COUNTY OPEN RECORDS ACT POLICY

New Jersey State Legislature Office of Legislative Services Office of the State Auditor. November 16, 2015 to November 30, 2017

Child Welfare DUAL Certification Application and Policy Guide

China Code of Ethics Certification 2018 CHECKLIST

Terms & Conditions. Privacy, Health & Copyright Policy

Managing Your Record Retention Policy Safely

Social Security Number Protection Policy.

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents

FD E Florida Department of Law Enforcement

Ministry of Government and Consumer Services. ServiceOntario. Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

Putting It All Together:

Application for Certification

Prevention of Identity Theft in Student Financial Transactions AP 5800

1 Privacy Statement INDEX

RippleMatch Privacy Policy

PENN MANOR SCHOOL DISTRICT

TO THE FLORIDA BUILDING COMMISSION

Children s Services Council of Palm Beach County

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Palo Alto Unified School District OCR Reference No

INSPECTOR GENERAL U.S. DEPARTMENT OF THE INTERIOR

RMU-IT-SEC-01 Acceptable Use Policy

Security and Privacy Breach Notification

Judiciary Judicial Information Systems

Data Subject Access Request Form (GDPR)

Privacy Policy on the Responsibilities of Third Party Service Providers

Attachment 9 DCF-QA System User Guide. Department of Children and Families Quality Assurance (DCFQA) System User Guide September 16, 2015

FIRESOFT CONSULTING Privacy Policy

QSD Public Records Request

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

Customer Proprietary Network Information

Article I - Administrative Bylaws Section IV - Coordinator Assignments

TechTarget, Inc. Privacy Policy

Data Use and Reciprocal Support Agreement (DURSA) Overview

Young Adult Case Plan & Judicial Review Worksheets User Guide

VFS GLOBAL PVT LTD PRIVACY DISCLAIMER

Office of the City Auditor 2014 Third Quarter Activity Report November 25, 2014

Electronic Network Acceptable Use Policy

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

OUTDATED. Policy and Procedures 1-12 : University Institutional Data Management Policy

Training Guide for Arkansas Law Enforcement Officers and Licensing Board Representatives

POMONA EUROPE ADVISORS LIMITED

Policy & Procedure Privacy Policy

Notes User Guide April 1, 2016

VETS FIRST CHOICE PRIVACY POLICY FOR PARTICIPATING VETERINARY PRACTICES

I. PURPOSE III. PROCEDURE

Florida Safe Families Network

If you have any questions or concerns about this Privacy Policy, please Contact Us.

University of Wisconsin-Madison Policy and Procedure

Application and Instructions for Firms

Alberta Reliability Standards Compliance Monitoring Program. Version 1.1

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Schools and Libraries (E-rate) Program FCC Form 472 (BEAR) User Guide

Florida Safe Families Network

This policy is a public document and has been prepared in light of the National Privacy Principle 5: Openness.

**The Florida Lottery is not a State Personnel System Employer** TECHNICAL ANALYST II - POSITION NUMBER

Privacy Policy. What information do we collect automatically?

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

Please contact the Justice Center at with any questions.

Throughout this Data Use Notice, we use plain English summaries which are intended to give you guidance about what each section is about.

Transcription:

Office of Inspector General Office of Professional Practice Services Executive Summary In accordance with the Department of Education s fiscal year 2017-18 audit plan, the Office of Inspector General (OIG) conducted a consulting engagement with the Office of Professional Practice Services (PPS). The purpose of this consulting engagement was to review access to the Department of Children and Families (DCF) Florida Safe Families Network (FSFN) Database to ensure PPS has effective internal controls over the use of FSFN. The engagement also included a review of the notification process to ensure PPS efficiently addressed all notifications from DCF. The OIG initiated an audit of the controls, policies, and processes in place related to PPS access to the DCF database, external notifications, and internal requests for the period of April 1, 2017, through January 31, 2018. During the preliminary information gathering and fieldwork, we determined PPS is implementing a new notification process and had not established policies and procedures. Therefore, we determined it was in the best interest of the office to change the audit to a consulting engagement to better assist the program. Florida Statue 39.202 permits DCF to disclose all records held by the department concerning reports of child abandonment, abuse, or neglect, including reports made to the central abuse hotline, to employees or agents of the Department of Education who are responsible for the investigation or prosecution of misconduct by a certified educator. As a result, DCF provided the PPS staff responsible for investigating educator misconduct the ability to access DCF s system of record known as FSFN and established a new notification process. Per the new process, DCF requires investigators to only notify PPS if the subject of a child abuse investigation is a certified educator. Scope, Objectives, and Methodology The scope of this consulting engagement included controls, policies, and processes in place from April 1, 2017, through January 31, 2018. The objectives of this engagement included: 1. Determining if PPS has effective internal controls over the personal data accessed and protects that data from unauthorized access, distribution, use, or disclosure; and 2. Determining if PPS has effective internal procedures for external and internal notifications. 1

To accomplish our objectives, we reviewed applicable laws, rules, and regulations; interviewed appropriate PPS staff; reviewed the department s policies and procedures; reviewed the external and internal notification process; and reviewed DCF audit logs. Background The Office of Professional Practices Services (PPS) investigates alleged misconduct by educators in Florida who hold an educator s certificate and pursues disciplinary action against the certificates of educators found to have committed acts of misconduct. PPS investigates when facts presented show a violation has occurred as provided in s. 1012.796, Florida Statutes, and defined by rules of the State Board of Education. Such facts provide the basis to investigate whether the educator has broken the law or violated the Principles of Professional Conduct, which outline the standards of conduct expected of certified educators in Florida. 1 In the past, Child Protective Investigators (CPI) were responsible for notifying PPS at the onset of the investigation when a report of abuse was received involving a certified educator, as well as providing the subsequent findings of the investigation upon closure. The Department of Children and Families (DCF) worked with the Department of Education (DOE) to provide PPS staff responsible for investigating or prosecuting educator misconduct with direct access to the Florida Safe Families Network (FSFN). On June 13, 2017, DCF sent a memorandum to all CPI staff advising them of a new process for notifying DOE PPS when a certified educator is involved in an institutional investigation. Effective June 19, 2017, CPIs are no longer required to notify PPS by telephone at the onset of any institutional investigation involving a certified educator. CPIs will only notify and provide FSFN report numbers to DOE for verified and not substantiated investigations upon closure of an investigation involving a certified educator. Notification will only involve a specially designated email to doereports@fldoe.org that includes the FSFN report number, the educator s full name, the educator s date of birth, and the educator s DOE certification number. Current Processes Notifications Prior to June 13, 2017, PPS received notifications of possible abuse from DCF and law enforcement offices across the state via phone, email, or fax. DCF contacted PPS primarily via phone when they were notified of possible abuse. The notifications included all school related employees (bus driver, cafeteria workers, etc.) regardless of the findings. Upon receipt of a notification, PPS staff logged the information in the Educator Abuse Report Log (EARL). PPS staff verified with DCF investigators if a case was already open for the subject or if a case would be opened in the future. Staff would determine whether the reported subject was a certified educator. 1 http://www.fldoe.org/teaching/professional-practices/ 2

The department collaborated with DCF to create a more efficient process that included allowing PPS to access the DCF system of record known as the Florida Safe Families Network (FSFN). Pursuant to the newly created process, CPIs should only send cases involving certified educators to PPS at the closure of an investigation. In addition, CPIs should verify the DOE certification status of individuals before notifying PPS. In order to provide guidance and make recommendations, we reviewed external reports of abuse sent to PPS via phone, email, or fax. PPS staff provided 37 emails from various DCF and law enforcement offices from June 2017 through December 2017. Only thirteen of the 37 email notifications referenced closed cases. The others were intake notifications or notifications where the CPI investigator did not identify the status of the cases. When PPS received notifications on initial cases or when CPIs did not identify the status of the cases, PPS staff emailed instructions informing the CPIs of the new notification process. The emails include two documents with specific instructions on reporting child abuse to PPS. Of the 37 notifications, PPS staff marked 21 notifications for follow up; however, only seven of the 21 notifications were marked complete. PPS staff documented the follow-ups using an Outlook flagging feature but did not include the actions taken by PPS. The 14 remaining emails marked for follow-up had end dates or due dates ranging from August 23, 2017, to November 23, 2017. We determined PPS does not have established procedures for consistently conducting follow-ups on notifications of alleged abuse. We additionally reviewed internal PPS requests for DCF reports via FSFN from April 1, 2017, to November 30, 2017. Due to the sensitive nature of FSFN, PPS limited FSFN access to four employees. If a PPS employee who does not have access to FSFN needs to verify information for an investigation or related prosecution, he or she has to contact the PPS lead staff person for FSFN. The PPS employee must have a valid reason to request information from FSFN and the reason must relate to a PPS investigation or prosecution. To track requests, PPS created a form for internal employees to complete when requesting information from FSFN. Upon receipt of the request, the PPS FSFN lead should ensure the requester properly completed the internal form. If the request is properly completed and valid, the PPS lead locates the investigative summary report in FSFN and places the report into the requestor s folder located on the PPS secure share drive. The PPS lead should then send an email to the requestor informing them the report is available for viewing. The PPS lead maintains a record of all requests in folders via email and marks the request complete once moved to an Internal Worked folder. These requests are not stored outside of Outlook. PPS provided 28 emails of internal requests for FSFN reports. Of the 28 emails received, 25 did not follow the documented process established for internal employees to request information from FSFN. In addition, PPS staff did not follow the documented process established for internal requests when notifying a requestor that a report is available on the shared drive in their investigative folder. PPS only provided two emails notifying the requestors of available reports. We determined PPS does not consistently follow their procedures for internal requests for FSFN reports. 3

Tracking Prior to obtaining access to FSFN, PPS manually tracked reports of abuse in EARL. The earliest record in EARL dates to September 2006. A PPS designee would manually log all allegations of abuse in EARL regardless of whether the accused was a certified educator. PPS designed EARL to capture the reported date of abuse, the district making the report, the educator involved, and a description of the allegation. All records in the SQL driven table resulted from faxes or phone calls received by PPS. Once DCF granted PPS access to FSFN, PPS disabled EARL and no longer utilizes a tracking application. PPS now tracks notifications of alleged abuse by utilizing Outlook email folders and flagging emails for follow-up. PPS records reports of abuse from entities outside of DCF and law enforcement offices (i.e. internal DOE reports) in a Correspondence Log (C-Log) application. PPS currently utilizes C- Log to capture the correspondence contact as well as the action taken. In addition, the C-Log allows users to attach documents and search by contact name. Both EARL and C-Log allow users to edit, delete, save, or create new records. The current PPS tracking process via Outlook does not allow PPS to effectively track allegations of abuse or conduct and document follow-ups appropriately. In addition, an ineffective tracking process could hinder PPS management s ability to reconcile FSFN logs and identify instances of misuse of FSFN. Identifying Misuse In order to determine whether PPS staff misused their FSFN access, we attempted to analyze DCF audit logs and compare the cases identified on the logs to the notification emails provided by PPS. We requested an audit trail of PPS active user access to FSFN from DCF s IT department from April 2017 to November 2018. An employee within DCF s Office of Information Technology Services informed us the FSFN audit logs list unique Identification (ID) numbers for each case an individual reviews. The audit logs DCF provided displayed ID numbers viewed by PPS staff but did not include names associated with the cases viewed. We were unable to match any of the cases identified on the audit log with the PPS notification emails. Due to insufficient tracking of external abuse reports by PPS and the use of unique IDs rather than names on the DCF audit logs, we were unable to show whether misuse of the system occurred. Per DCF staff, FSFN audit logs can include all information needed to conduct an effective misuse review; however, PPS management will need to submit a request to DCF to tailor the audit logs to their specific needs. Recommendations We recommend PPS establish documented policies and procedures for receiving, processing, and tracking notifications of institutional investigations or alleged abuse. The procedures should entail precise activities to ensure and align PPS efforts. These procedures should include but not be limited to: Requiring all external and internal notifications be documented in a tracking system; 4

Establishing a follow up process for external and internal notifications; and Storing and securing documents (i.e. internal notifications, external notifications, and FSFN reports). To implement the established policies and procedures, we recommend PPS develop a notification tracking system. PPS could utilize one of the existing tracking systems to track internal and external notifications. A tracking system could also facilitate the follow up process and assist with monitoring user activity in the FSFN system. The tracking system should, at a minimum, capture the FSFN case number, the subject s full name, the subject s date of birth, and the subjects DOE certification number. The system should include whether follow up is required, the date staff started and completed follow up activities, and any actions taken. The system should allow the attachment of faxes, emails, and other related correspondence as needed. As processes become more established, we recommend PPS conduct periodic quality assurance reviews. Quality assurance reviews will ensure PPS identifies instances of improper use of FSFN access and takes appropriate action. In order to conduct an effective quality assurance review, PPS will need to collaborate with DCF and customize audit logs to use for comparison purposes. The audit logs will need to include the name of the alleged abuser and be comparable to the information tracked on the PPS notification logs. We recommend PPS periodically request reports from DCF listing the subjects of all closed investigations. This will allow PPS to compare the notifications received from the CPIs to the DCF closed cases to ensure all relevant cases were submitted and appropriate action was taken. Finally, we recommend PPS establish a retention policy for both internal and external notifications. The retention policy should include but not be limited to policies and procedures for maintaining documents, storing documents, destroying records, etc. 5

Closing Comments The Office of the Inspector General would like to recognize and acknowledge the Office of Professional Practice Services and staff for their assistance during the course of this engagement. Our fieldwork was facilitated by the cooperation and assistance extended by all personnel involved. To promote accountability, integrity, and efficiency in state government, the OIG completes audits and reviews of agency programs, activities, and functions. Our audit was conducted under the authority of section 20.055, F.S., and in accordance with the International Standards for the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors, and Principles and Standards for Offices of Inspector General, published by the Association of Inspectors General. The audit was conducted by Keisha Conyers and supervised by Tiffany Hurst, Audit Director. Please address inquiries regarding this report to the OIG s Audit Director by telephone at 850-245-0403. Copies of final reports may be viewed and downloaded via the internet at http://www.fldoe.org/ig/auditreports.asp#f. Copies may also be requested by telephone at 850-245-0403, by fax at 850-245-9419, and in person or by mail at the Department of Education, Office of the Inspector General, 325 West Gaines Street, Suite 1201, Tallahassee, FL 32399. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback