Audit of the Executive Office of Public Safety and Security (August 8, 2024)
August 8, 2024 · Executive Office of Public Safety and Security · Read the full official report on mass.gov ↗
source
“EOPSS did not ensure that its PSCR data was free of PII.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Executive Office of Public Safety and Security, covering July 1, 2020 through October 31, 2022.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Public Safety and Security (EOPSS) for the period July 1, 2020 through October 31, 2022.”
Auditors checked whether the agency followed state rules for sexual assault reporting, evidence kit testing, quarterly reporting, and tracking the location of evidence kits.
“The purpose of our audit was to determine the following:”
The report matters because mistakes in privacy protection, evidence review, shipping, or tracking can affect sexual assault survivors and criminal investigations.
“The lack of proper review of the PSCR forms and subsequent data has created a threat to privacy and confidentiality for survivors of sexual assault.”
For an ordinary resident, the key issue is whether Massachusetts systems protect survivor privacy and handle sexual assault evidence kits carefully, on time, and transparently.
“Survivors of sexual assault can confidentially view the location and status of their SAECKs in the Track-Kit system.”
The Auditor found four main problems: personal information appeared in records, evidence-kit reviews missed the 90-day deadline, shipments were late, and the tracking system had wrong kit locations.
“Below is a summary of our findings and recommendations, with links to each page listed.”
The Auditor recommended that EOPSS review and clean its data, improve controls and training, ship remaining eligible kits, and audit kit locations; EOPSS said it has taken or plans steps in several areas.
“Based on EOPSS’s response, it is taking measures to address our concerns regarding this matter.”
The findings are significant because delayed testing and inaccurate tracking can slow investigations, while privacy lapses can expose sensitive information about survivors or their families.
“Prolonged reviews of QLIM can result in delays in DNA testing and subsequent delays in DNA profiles being entered into the Combined DNA Index System (CODIS) database, which can prolong the process to identify potential perpetrators, prevent them from committing other crimes in the future, and hold them accountable for their actions.”
PII means personal information that could identify a sexual assault survivor; SAECK means a sexual assault evidence collection kit; QLIM means evidence so limited that testing may use it up.
“According to Section 12A1/2 of Chapter 112 of the General Laws, the PSCR form must not include any of the survivor’s personally identifiable information (PII), such as their name, address, or any other data that could confirm their identity.”
What the Auditor checked
- Did not comply Did EOPSS ensure that the information entered into the Provider Sexual Crime Report (PSCR) master database did not contain personally identifiable information (PII) of survivors of sexual assault, in accordance with Section 12A1/2 of Chapter 112 of the General Laws?
- Did not comply Did EOPSS ensure that all previously untested investigatory sexual assault evidence collection kits (SAECKs) were reviewed for quantity-limited evidence (QLIM) and that district attorneys’ (DAs’) offices were notified of the review results within 90 days of the effective date of Section 2(a) of Chapter 35 of the Acts of 2021?
- Did not comply Did EOPSS ensure that the Massachusetts State Police Crime Laboratory (MSPCL) shipped to an accredited private crime laboratory all previously untested investigatory SAECKs that were identified as not containing QLIM within 180 days of the effective date of Section 2(b) of Chapter 35 of the Acts of 2021?
- Complied Did EOPSS file “Sexual Assault Evidence Collection Kit (SAECK) Quarterly Reports” with the Legislature, as required by Section 2(c) of Chapter 35 of the Acts of 2021?
- Did not comply Did EOPSS ensure that the location and status of SAECKs were accurate in the Track-Kit system, in accordance with Section 18X(b)(i) of Chapter 6A of the General Laws?
What the Auditor found
Why it matters: This created a privacy and confidentiality threat for survivors of sexual assault.
Standard: Section 12A1/2 of Chapter 112 of the Massachusetts General Laws prohibits including the victim’s name, address, or other identifying information in required reports. ( Section 12A1/2 of Chapter 112 of the Massachusetts General Laws )
4 recommendations
- EOPSS should review its PSCR master database for any PII. In instances where PII is found, the associated PSCR form should be redacted.
- EOPSS should establish processes and controls to periodically review its PSCR master database to ensure that there is no PII present within its data.
- EOPSS should communicate to medical facilities that survivors’ confidential information is not to be included in any capacity within the PSCR form.
- EOPSS should provide training to OGR employees to ensure that they know not to include PII when entering data into the master database.
Agency response & Auditor reply
Agency: "Unfortunately, in 11 out of the 35 records you reviewed for address information, providers had included the home address of a survivor of sexual assault, and this information was then entered into the database."
Auditor: "While the PSCR master database data may not be publicly accessible, including names or addresses that could be associated with survivors or perpetrators of sexual assault in the PSCR master database poses a security risk to these individuals in the event of a data breach."
Why it matters: Delayed reviews can delay DNA testing and entry of DNA profiles into CODIS, slowing identification and accountability for potential perpetrators.
Standard: Section 2(a) of Chapter 35 of the Acts of 2021 required identification of previously untested investigatory SAECKs containing quantity-limited evidence within 90 days of the act’s effective date. ( Section 2(a) of Chapter 35 of the Acts of 2021 )
1 recommendation
- EOPSS should ensure that MSPCL enhances controls to meet the regulated deadlines for SAECKs and QLIM reviews.agency: disagreed
Agency response & Auditor reply
Agency: "We respectfully disagree with the conclusion that EOPSS did not have sufficient controls in place over QLIM reviews during the audit period."
Auditor: "While we can appreciate the volume of reviews, EOPSS did not satisfy the statutory deadline for all previously untested SAECKs."
Why it matters: Delayed shipment can delay DNA testing, CODIS entry, identification of perpetrators, and law enforcement action.
Standard: Section 2(b) of Chapter 35 of the Acts of 2021 required previously untested investigatory SAECKs not identified as quantity-limited evidence to be transferred within 180 days to an accredited public or private crime laboratory for testing. ( Section 2(b) of Chapter 35 of the Acts of 2021 )
1 recommendation
- EOPSS should ensure that MSPCL ships the remaining previously untested investigatory SAECKs.agency: disagreed
Agency response & Auditor reply
Agency: "Accordingly, under these two provisions, the 180-day deadline for EOPSS to transfer previously untested SAECKs runs from the date the DA has provided the MSPCL with authorization to test those kits."
Auditor: "Section 2(b) of Chapter 35 of the Acts of 2021 indicates that EOPSS had 180 days to transfer the SAECKs to an accredited crime laboratory."
Why it matters: Survivors may not have accurate information about kit locations and testing status, and law enforcement agencies may be delayed or prevented from accessing evidence.
Standard: Section 18X(b) of Chapter 6A of the General Laws requires the statewide sexual assault evidence kit tracking system to track the location and status of sexual assault evidence kits throughout the criminal justice process. ( Section 18X(b) of Chapter 6A of the General Laws )
2 recommendations
- EOPSS should educate LLEAs about the importance of updating the Track-Kit system with the physical locations of SAECKs.
- EOPSS should periodically audit the locations of SAECKs to ensure that the Track-Kit system is up-to-date.
Agency response & Auditor reply
Agency: "Nonetheless, EOPSS will start running a data query that will specify instances in which LLEA’s have not updated Track-Kit."
Auditor: "We found that 17 of the 60 SAECKS in our sample were in a different location to what was logged in the Track-Kit system."
More audits of this entity
Other Office of the State Auditor reports on Executive Office of Public Safety and Security .
- Audit of the Executive Office of Public Safety and SecurityState Agency / Office · September 27, 2018
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Executive Office of Public Safety and Security (January 28, 2025)State Agency / Office · January 28, 2025