Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Executive Office of Public Safety and Security (August 8, 2024)

August 8, 2024 · Executive Office of Public Safety and Security · Read the full official report on mass.gov ↗

Published August 8, 2024 Audit covers July 1, 2020 – October 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
State auditors found that the Executive Office of Public Safety and Security had problems protecting sexual assault survivors' information, meeting deadlines for evidence kit reviews and shipments, and keeping kit locations accurate in its tracking system.
source
“EOPSS did not ensure that its PSCR data was free of PII.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Executive Office of Public Safety and Security, covering July 1, 2020 through October 31, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Public Safety and Security (EOPSS) for the period July 1, 2020 through October 31, 2022.”
Why was it audited?

Auditors checked whether the agency followed state rules for sexual assault reporting, evidence kit testing, quarterly reporting, and tracking the location of evidence kits.

“The purpose of our audit was to determine the following:”
Why it matters

The report matters because mistakes in privacy protection, evidence review, shipping, or tracking can affect sexual assault survivors and criminal investigations.

“The lack of proper review of the PSCR forms and subsequent data has created a threat to privacy and confidentiality for survivors of sexual assault.”
What's in it for me?

For an ordinary resident, the key issue is whether Massachusetts systems protect survivor privacy and handle sexual assault evidence kits carefully, on time, and transparently.

“Survivors of sexual assault can confidentially view the location and status of their SAECKs in the Track-Kit system.”
The bottom line

The Auditor found four main problems: personal information appeared in records, evidence-kit reviews missed the 90-day deadline, shipments were late, and the tracking system had wrong kit locations.

“Below is a summary of our findings and recommendations, with links to each page listed.”
What happens next

The Auditor recommended that EOPSS review and clean its data, improve controls and training, ship remaining eligible kits, and audit kit locations; EOPSS said it has taken or plans steps in several areas.

“Based on EOPSS’s response, it is taking measures to address our concerns regarding this matter.”
Why it's significant

The findings are significant because delayed testing and inaccurate tracking can slow investigations, while privacy lapses can expose sensitive information about survivors or their families.

“Prolonged reviews of QLIM can result in delays in DNA testing and subsequent delays in DNA profiles being entered into the Combined DNA Index System (CODIS) database, which can prolong the process to identify potential perpetrators, prevent them from committing other crimes in the future, and hold them accountable for their actions.”
Jargon, unpacked

PII means personal information that could identify a sexual assault survivor; SAECK means a sexual assault evidence collection kit; QLIM means evidence so limited that testing may use it up.

“According to Section 12A1/2 of Chapter 112 of the General Laws, the PSCR form must not include any of the survivor’s personally identifiable information (PII), such as their name, address, or any other data that could confirm their identity.”

What the Auditor checked

What the Auditor found

EOPSS did not ensure Provider Sexual Crime Report data was free of personally identifiable information.
data privacyrecordkeeping/documentationinternal controls

Why it matters: This created a privacy and confidentiality threat for survivors of sexual assault.

Standard: Section 12A1/2 of Chapter 112 of the Massachusetts General Laws prohibits including the victim’s name, address, or other identifying information in required reports. ( Section 12A1/2 of Chapter 112 of the Massachusetts General Laws )

4 recommendations
  • EOPSS should review its PSCR master database for any PII. In instances where PII is found, the associated PSCR form should be redacted.
  • EOPSS should establish processes and controls to periodically review its PSCR master database to ensure that there is no PII present within its data.
  • EOPSS should communicate to medical facilities that survivors’ confidential information is not to be included in any capacity within the PSCR form.
  • EOPSS should provide training to OGR employees to ensure that they know not to include PII when entering data into the master database.
Agency response & Auditor reply
Agency: "Unfortunately, in 11 out of the 35 records you reviewed for address information, providers had included the home address of a survivor of sexual assault, and this information was then entered into the database."
Auditor: "While the PSCR master database data may not be publicly accessible, including names or addresses that could be associated with survivors or perpetrators of sexual assault in the PSCR master database poses a security risk to these individuals in the event of a data breach."
EOPSS did not ensure MSPCL completed quantity-limited evidence reviews and notifications within the required 90 days.
public safetyreporting timelinessinternal controls

Why it matters: Delayed reviews can delay DNA testing and entry of DNA profiles into CODIS, slowing identification and accountability for potential perpetrators.

Standard: Section 2(a) of Chapter 35 of the Acts of 2021 required identification of previously untested investigatory SAECKs containing quantity-limited evidence within 90 days of the act’s effective date. ( Section 2(a) of Chapter 35 of the Acts of 2021 )

1 recommendation
  • EOPSS should ensure that MSPCL enhances controls to meet the regulated deadlines for SAECKs and QLIM reviews.agency: disagreed
Agency response & Auditor reply
Agency: "We respectfully disagree with the conclusion that EOPSS did not have sufficient controls in place over QLIM reviews during the audit period."
Auditor: "While we can appreciate the volume of reviews, EOPSS did not satisfy the statutory deadline for all previously untested SAECKs."
EOPSS did not ensure MSPCL shipped authorized sexual assault evidence collection kits within the required 180 days.
public safetyreporting timelinessinternal controlsvendor oversight

Why it matters: Delayed shipment can delay DNA testing, CODIS entry, identification of perpetrators, and law enforcement action.

Standard: Section 2(b) of Chapter 35 of the Acts of 2021 required previously untested investigatory SAECKs not identified as quantity-limited evidence to be transferred within 180 days to an accredited public or private crime laboratory for testing. ( Section 2(b) of Chapter 35 of the Acts of 2021 )

1 recommendation
  • EOPSS should ensure that MSPCL ships the remaining previously untested investigatory SAECKs.agency: disagreed
Agency response & Auditor reply
Agency: "Accordingly, under these two provisions, the 180-day deadline for EOPSS to transfer previously untested SAECKs runs from the date the DA has provided the MSPCL with authorization to test those kits."
Auditor: "Section 2(b) of Chapter 35 of the Acts of 2021 indicates that EOPSS had 180 days to transfer the SAECKs to an accredited crime laboratory."
EOPSS’s Track-Kit system showed incorrect locations for sexual assault evidence collection kits.
public safetyrecordkeeping/documentationinternal controls

Why it matters: Survivors may not have accurate information about kit locations and testing status, and law enforcement agencies may be delayed or prevented from accessing evidence.

Standard: Section 18X(b) of Chapter 6A of the General Laws requires the statewide sexual assault evidence kit tracking system to track the location and status of sexual assault evidence kits throughout the criminal justice process. ( Section 18X(b) of Chapter 6A of the General Laws )

2 recommendations
  • EOPSS should educate LLEAs about the importance of updating the Track-Kit system with the physical locations of SAECKs.
  • EOPSS should periodically audit the locations of SAECKs to ensure that the Track-Kit system is up-to-date.
Agency response & Auditor reply
Agency: "Nonetheless, EOPSS will start running a data query that will specify instances in which LLEA’s have not updated Track-Kit."
Auditor: "We found that 17 of the 60 SAECKS in our sample were in a different location to what was logged in the Track-Kit system."

More audits of this entity

Other Office of the State Auditor reports on Executive Office of Public Safety and Security .

See this entity's page with all 3 audits →