Skip to content
Pasco County Civic Records
Clerk & Comptroller auditsFY 2023

CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023

Read the source PDF ↗

Summary

The Pasco County Clerk & Comptroller Inspector General conducted a follow-up review (Report No. 2022-05) of the original 2020-09 CCC Docket and Image Privacy audit (dated August 4, 2021). The follow-up assessed whether management had implemented the 22 corrective action plans created in response to findings from the original audit, which examined docket code privacy levels, public availability of court images, and training materials across Civil Courts, Criminal Courts, and Records departments.

Of the 22 corrective action plans reviewed, only 14 were complete and implemented. Civil Courts completed 8 of 9 plans; Criminal Courts completed 6 of 7 plans; the Records department had not completed any of its 6 corrective action plans. Three plans remained incomplete across Civil and Criminal, with management citing programming complexity and staffing transitions as reasons for delay. The IG encouraged management to implement all remaining plans and provide supporting documentation upon completion.

The original 2020-09 audit (also included in the document package) identified 22 opportunities for improvement spanning compliance failures, control weaknesses, and training deficiencies across Civil, Criminal, and Records departments. Key issues included incorrect privacy level assignments, missing docket code lists, undocumented compensating controls, one untimely public records release, and pervasive absence of formal training programs in all three departments.

22 findings

  1. Finding 1highpolicy

    Civil Marchman Act filing type assigned incorrect public privacy level

    One of 96 Civil test samples, a filing type 'Invol Asm Stab' associated with Marchman Act cases, was assigned a public privacy level in Clericus when it was required to be sealed under AO2017-064(II)(A)(9). Marchman Act case files and dockets must be sealed by the Clerk of the Circuit Court unless otherwise ordered by the court. Management immediately corrected the privacy level upon notification.

    Recommendation: Reach out to IT to determine if the case privacy level could be set automatically in Clericus when Mental Health case type 'Invol Asm Stab' is selected.
    Management response: Management agrees and has taken corrective action. Operations team set the privacy level in Clericus to automatically set the case privacy to confidential for this filing type. Completed February 11, 2021.
  2. Finding 2mediumpolicy

    Comprehensive list of Civil docket codes associated with List of 23 did not exist

    No comprehensive list of Civil docket codes related to the List of 23 existed prior to the initiation of the audit. The list was not provided in a timely manner and required multiple revisions after IG review. The initial verbal request was made June 5, 2020 and the final usable list was not provided until July 20, 2020. Without such a list, teammates lacked proper guidance to ensure images were docketed and maintained confidential in compliance with Rule 2.420.

    Recommendation: Maintain an up-to-date list of confidential, sealed, OnDemand docket codes including privacy level, document types, and governing authority. Establish a policy requiring periodic review of the list for completeness and accuracy.
    Management response: Management agrees. The operations team will create and maintain a list of docket codes and privacy levels with guidelines requiring periodic review. Target date: July 1, 2021. Follow-up status: Complete.
  3. Finding 3mediumpolicy

    Civil docket code for Child Abuse and Sexual Offences List of 23 item did not exist

    No Civil docket code existed for records associated with item #13 on the List of 23 (child abuse and sexual offenses) as required under Rule 2.420. Civil instead used a specific case type for sexual violence protective injunctions and relied on teammates to manually mark documents as confidential, increasing the risk that confidential documents could be missed or improperly marked and made available to the public.

    Recommendation: Document and implement internal controls ensuring Civil teammates redact victim information per Rule 2.420. Implement a dual control requiring secondary review of manually marked documents. Work with IT for a quality control report by filing type.
    Management response: Management concurs with the recommendation to implement dual control for specific filing types. The operations team will work with IT to allow secondary verification for all documents within these specific filing types that include manual redaction. Follow-up status: Incomplete; management requested extension to FY 22-23 for programming update in Dr. Watson.
  4. Finding 4lowpolicy

    Civil docket code list associated with List of 23 contained non-confidential codes

    Of 102 Civil docket codes on the List of 23 reference list, seven (7%) were determined not to be confidential. During the audit, privacy level updates were made in Clericus for five of the seven codes. Codes such as 4142 (Order to Show Cause Guardianship), 8000 (Motion to Determine Confidentiality), 4623 (Notice of Confidential Information), 3401 (Confidential Sealed Order), and 1517 (Confidential Sealed Envelope) were found not to require confidential treatment.

    Recommendation: Maintain an accurate, up-to-date list of docket codes with correct privacy levels, document types, and governing authority. Establish a policy for periodic review to ensure completeness and accuracy.
    Management response: Management agrees. The operations team will create and maintain a list of docket codes and privacy levels with periodic review guidelines. Target date: July 1, 2021. Follow-up status: Complete.
  5. Finding 5mediumdata access

    Image privacy levels for some Civil docket codes less restrictive than case privacy level

    For six Civil docket codes, image privacy levels did not agree with or were less restrictive than the assigned case privacy level within Clericus. For example, codes 899 (Petition for Termination of Parental Rights) and 7163 (Notice on Petition for Adoption) had public image privacy levels that were required to be confidential. All six codes were corrected during the audit.

    Recommendation: Maintain a comprehensive list of codes related to the List of 23. Review images docketed with these codes to verify privacy levels agree with case privacy level. When a new docket code is created, verify the privacy level tier is consistent with applicable authorities.
    Management response: Management concurs. The operations team will create and maintain a list of docket codes and privacy levels with periodic review guidelines. Target date: July 1, 2021. Follow-up status: Complete.
  6. Finding 6lowpolicy

    Some Civil docket codes associated with List of 23 were inactive or unused

    No documented policy or procedure required periodic review of docket codes. As a result, eight (8%) of the 102 Civil docket codes associated with the List of 23 were active but had either been replaced or not recently used, some not since 2003 or earlier. This created risk of erroneous use of obsolete codes.

    Recommendation: Deactivate all docket codes no longer used in current operations to prevent erroneous use. Implement a policy requiring periodic review of docket code usage and timely deactivation.
    Management response: Management agrees with deactivating unused docket codes. The operations team will create and maintain a list and establish guidelines for periodic review, enabling deactivation of unused codes. Target date: July 1, 2021. Follow-up status: Complete.
  7. Finding 7mediumdata access

    Privacy levels were incorrect for some Civil images tested

    Privacy levels of existing images were not periodically reviewed for compliance or consistency. Issues identified included two sealed cases with images assigned OnDemand privacy levels, nineteen images with public privacy levels that were required to be confidential (docket codes 675, 678, 1397), and one image marked confidential rather than sealed. Corrections were made during the audit.

    Recommendation: Document a procedure for periodic reviews of privacy levels including a quality control report. Review similar images and revise privacy levels as needed. Review codes revised during FACTS to Clericus conversion. Require secondary review before cases progress to Court Records.
    Management response: Management concurs. The operations team will establish a report for periodic privacy level reviews, create a guideline verifying non-public cases including secondary review requirement, and maintain conversion compliance verification. Target date: July 1, 2021. Follow-up status: Complete.
  8. Finding 8mediumpolicy

    Civil docket descriptions online included more information than basic docket description

    For 130 (26%) of 495 Civil images tested, the docket description on the public website included more information than the basic docket description in Clericus. Of these, 42 (32%) were sealed images. This was a legacy issue from the prior case management system (FACTS) when detailed descriptions were entered because images were not available online.

    Recommendation: Review docket descriptions for sealed and confidential images to ensure descriptions do not include confidential information. Update the docketing guide to ensure guidance is current and require docket descriptions to not contain more information than the basic description.
    Management response: Management concurs. The operations team will create a quality assurance report for docket descriptions of sealed and confidential images and will create a guideline for the quality assurance process. Target date: July 1, 2021. Follow-up status: Complete.
  9. Finding 9mediumpersonnel

    Civil lacked formal documented training program for confidentiality

    At the time of the audit, Civil did not have a finalized formal training program outlining objectives, needs, strategy, and curriculum for maintaining confidentiality of cases, records, and dockets. Without a formalized program, there was increased risk that policies and procedures were not consistently followed and that teammates were assigned tasks for which they were insufficiently trained.

    Recommendation: Finalize a formal documented training program covering all training levels including new, progressing, and cross-training teammates. Include a training checklist requiring sign-off by the teammate, trainer, and supervisor.
    Management response: Management agrees. The operations team is working with leadership to establish on-boarding guidelines incorporating IG recommendations with a checklist documenting all training levels. Target date: August 1, 2021. Follow-up status: Complete.
  10. Finding 10mediumpolicy

    Comprehensive list of Criminal docket codes associated with List of 23 did not exist

    No comprehensive list of Criminal docket codes related to the List of 23 existed prior to the audit. The list required four revisions after IG review and was not provided in a timely manner. Grand Jury indictment codes (INDT, INDC) were initially omitted. Some docket codes were shared between confidential and non-confidential documents, increasing risk of publicizing confidential records.

    Recommendation: Clearly identify on the Docket Node spreadsheet all codes related to the List of 23 with applicable privacy level criteria. Assign codes INDT and INDC to item #16 (Grand Jury) as the confidentiality authority.
    Management response: Agreed. Confidential docket codes will be identified on the docket node spreadsheet, avoiding two separate reference resources. Grand jury docket codes will be added to the list. Target date: August 2021. Follow-up status: Complete.
  11. Finding 11lowpolicy

    Some Criminal docket codes related to List of 23 were unused

    No documented policy requiring periodic review of docket code usage existed in Criminal. Three (8%) of 34 Criminal docket codes associated with the List of 23 were active but not frequently or recently used, including codes BEHS (not used since 2017), AFJT, and PCPB (neither used in Clericus or CJIS as of August 19, 2020).

    Recommendation: Establish a documented policy requiring periodic review of all docket codes to determine necessity and deactivate unused codes as appropriate.
    Management response: Agreed. A policy/procedure will be created documenting an annual review of docket code activity and determination of need to deactivate. Target date: September 2021. Follow-up status: Complete.
  12. Finding 12mediumpolicy

    Criminal compensating controls for docket privacy not documented

    For 60 Criminal images tested, case privacy levels were confidential but image and docket privacies were OnDemand and Public respectively. Compensating controls were in place (IT security matrix, VOR process, extensive training, case-level sealing/expunging) but none were formally documented in written policies or procedures, creating risk of inconsistent application.

    Recommendation: Document all compensating controls including VORs and training. Implement a quality control procedure requiring management to periodically obtain a report of privacy level misalignments to verify documents are properly restricted.
    Management response: Agreed. Compensating controls will be documented into written procedures. Quality control measures for accuracy of docket privacy will be reviewed and implemented. Target date: September 2021. Follow-up status: Complete.
  13. Finding 13lowpolicy

    Criminal docket node spreadsheet lacked guidance for docket descriptions

    The Criminal docket node spreadsheet did not provide guidance on when to include or exclude additional language in docket descriptions. As a result, docket descriptions for numerous images contained more information than the basic docket description. Policies and procedures related to the docket code review process were also not documented.

    Recommendation: Document policies and procedures for reviewing docket codes and conducting legislative reviews. Update the docket node spreadsheet to provide sufficient guidance for all docket codes including when literals are required.
    Management response: Acknowledged. A written documented guide will be created to identify different actions for reviewing and ensuring docket codes are accurate. The docket node spreadsheet will be updated with 'No Literal' where blank. Target date: September/July 2021. Follow-up status: Complete.
  14. Finding 14lowevidence

    One Criminal image of 361 tested was docketed incorrectly

    One Criminal image was a Return of Service but was docketed with code NOFI (Notice of Filing) because the portal filer selected an incorrect docket code and the teammate did not correct it. The image description on the document and the docket description did not agree.

    Recommendation: Document a policy and procedure requiring teammates to review and appropriately revise docket codes that were incorrectly selected within the portal.
    Management response: Agree. Current written procedure will be updated to specifically address incorrect filing category of documents from the portal. Target date: September 2021. Follow-up status: Complete.
  15. Finding 15mediumpersonnel

    Criminal lacked formal documented training program for confidentiality

    At the time of the audit, Criminal did not have a formal, documented training program in place for new teammates learning how to maintain the confidentiality of cases, records, and dockets. Without such a program, there was increased risk of inconsistent application of confidentiality requirements and assignment of teammates to tasks for which they were insufficiently trained.

    Recommendation: Create a formal documented training program covering all training levels with a training checklist requiring sign-off by teammate, trainer, and supervisor.
    Management response: Agreed. A formal documented training plan for docketing will be created including materials, guidance, progress tracking documentation, and performance review. Target date: FY 21-22. Follow-up status: Incomplete as of follow-up; management reported 95% complete as of November 2022, target completion end of January 2023.
  16. Finding 16mediumdata access

    One Records OnDemand image not made available to public in timely manner

    One OnDemand image of 32 tested was requested for viewing on October 22 and again October 30, 2020 but was not made available until management was notified on November 23, 2020. An IT control error caused a 'Courts 23 rule banner' to be incorrectly assigned in the Dr. Watson redaction system, resulting in over-restriction of the image.

    Recommendation: Require adequately trained teammates to perform image review requests. Work with IT to obtain a report with redaction status, reviewer, request and release dates. Create policy for periodic review and revise procedures to clearly outline steps for removing banners.
    Management response: Records agrees with all recommendations. Records will ensure management provides access to Internet Image Request system to ensure timely release and will add clarification on document vs. case privacy level with banners in the guide. Target date: October 31, 2021. Follow-up status: Incomplete; moved to FY 22-23, new Operations Specialist reviewing recommendations.
  17. Finding 17mediumpersonnel

    Records lacked formal documented training program for confidentiality

    At the time of the audit, a formal, documented training program did not exist in the Records department for teammates learning to maintain the confidentiality of court records. The absence of a formalized program increased the risk that policies and procedures were not consistently followed and that teammates were assigned to tasks for which they were not sufficiently trained.

    Recommendation: Revise and expand training materials. Document and formalize a training program for new, progressing, and cross-training teammates. Implement a training checklist with required sign-offs. Create a policy for management to periodically review the training program for currency.
    Management response: Records agrees with all recommendations. Records has a training matrix and will add a training program curriculum, expand the matrix to include a checklist, perform bi-annual reviews, and conduct additional reviews with legislative changes. Target date: October 31, 2021. Follow-up status: Incomplete; see management update on comment #16.
  18. Finding 18mediumpolicy

    Records policies, procedures, and training materials required significant improvement

    Existing Records training materials (Redaction and Confidentiality Guide, Scenario Questions, PowerPoint, Redaction Validation procedure) provided limited guidance and failed to address all key controls. Deficiencies included lack of full statute language, absence of envelope placement guidance, no explanation of case parties, insufficient escalation guidance, no glossary, undocumented queue authorization levels, and no requirement for supervisory approval to change a Courts 23 Rule in Dr. Watson.

    Recommendation: Review and revise training materials to include complete guidance, full Florida Statute language, envelope and electronic document guidance, party identification, leadership escalation guidance, glossary, documented queue authorization, required supervisory approval for Courts 23 Rule changes, and department-specific scenario organization.
    Management response: Records agrees with all recommendations except the supervisory approval requirement for Courts 23 Rule changes in Dr. Watson, stating that Records teammates are trained on the rule before working in Dr. Watson. Management later partially conceded that Civil and Criminal do need supervisory approval when a change is needed involving the Courts 23 Rule. Target date: October 31, 2021. Follow-up status: Incomplete; see management update on comment #16.
  19. Finding 19lowpolicy

    Records redaction and confidentiality scenario answer key lacked adequate detail

    The existing scenario question answer key provided limited explanations for correct answers. Specific issues included: scenario 15.2 referencing confidentiality when statute required sealing; scenario 23 lacking guidance on why tattoo descriptions did not apply to defendants; scenario 39 being unclear that customers may only view redacted documents; and the number of legal authorities per scenario being unclear from the outset of the document.

    Recommendation: Review and revise scenario questions to include more guidance, include full Florida Statute language, provide party identification guidance, clarify scenario 39, and clarify the number of legal authorities for each scenario at the beginning of the document.
    Management response: Records agrees with all recommendations. Records will provide links to full statute language, add party identification guidance, clarify answer to scenario 39, remove the one multi-authority scenario, and clarify single-authority scenarios on the cover page. Target date: October 31, 2021. Follow-up status: Incomplete; see management update on comment #16.
  20. Finding 20lowpolicy

    Records scenario questions provided limited guidance to Civil and Criminal teammates

    The redaction and confidentiality scenario questions were designed for the Records department but were intended to be distributed to Civil and Criminal teammates as well. Of the scenario questions, only two (numbers 13 and 41) were related to Criminal and Civil Courts, providing insufficient department-specific training guidance.

    Recommendation: If feasible, separate questions by department and work with Civil and Criminal Courts to develop department-specific scenario questions for use in their training materials.
    Management response: Records agrees. Records will collaborate with Civil and Criminal Departments and update the guide to have clearly labeled sections with scenarios tailored for each department. Target date: October 31, 2021. Follow-up status: Incomplete; see management update on comment #16.
  21. Observation 21lowdata access

    Civil defendant incorrectly flagged as juvenile in Clericus

    For one Civil image tested, the defendant/relevant party was not reflected on the Online Court Records Search because they were incorrectly marked as juvenile in Clericus. However, the party was born in 1965 and was not a juvenile. Management corrected the issue during the audit and the party's name was made available online.

    Recommendation: Verify whether other cases have relevant parties incorrectly marked as juvenile. Document a policy and procedure requiring periodic review of all cases where relevant parties are maintained as confidential, including running a system report to check for erroneous juvenile checkboxes.
    Management response: Management concurs. The operations team will run a quality assurance report to verify parties marked as juvenile and create a guideline for periodic review of cases with confidential relevant parties. Target date: July 1, 2021. Follow-up status: Complete.
  22. Observation 22lowpolicy

    No policies existed for court documents written in foreign languages

    No documented policies or procedures existed in Civil, Criminal, or Records for handling court documents written in a foreign language. During testing, one OnDemand image contained a plea form written in Spanish with an accompanying English translation, but there was limited documented guidance for teammates handling such documents to ensure confidential information was properly protected.

    Recommendation: Create a documented policy and procedure to guide teammates on handling documents written in a foreign language, including guidance on obtaining assistance for documents they are unable to read.
    Management response: Civil: Management concurs; a guideline was created, approved, and implemented with legal counsel. Completed March 12, 2021. Criminal: Agreed; a written policy/procedure will be created in alignment with legal counsel direction. Target: May 2021. Records: Legal counsel guidance provided; will include information in the guide addressing foreign language documents. Target: October 31, 2021. Follow-up status: Civil complete; Criminal complete; Records incomplete (Action Plan Item 175, new estimated due date 9/30/23).

Findings extracted by Claude from the source PDF. Every claim on this page traces back to the linked report — click through for the original wording, exhibits, and management response in full.

Top ↑