CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021

Summary

22 findings

1. Finding 1mediumpolicy

   Civil Marchman Act filing type assigned incorrect public privacy level

   A Civil filing type 'Invol Asm Stab' associated with Marchman Act cases was assigned a public privacy level in Clericus, when AO2017-064 required Marchman Act case files and dockets to be sealed. This was discovered in one of 96 test samples with a pending redaction status. Management responded immediately and corrected the privacy level prior to report publication.

   Recommendation: Reach out to Information Technology to determine if the case privacy level could be set automatically in Clericus when Mental Health case type 'Invol Asm Stab' is selected.
   Management response: Management agrees with this finding and has taken corrective action. The operations team set the privacy level in Clericus to automatically set the case privacy to confidential for this filing type. Completed February 11, 2021.
2. Finding 2mediumpolicy

   Comprehensive list of Civil List of 23 docket codes did not exist

   A comprehensive list of Civil docket codes related to the List of 23 did not exist prior to the audit. When requested, the list was not provided timely and required multiple revisions for completeness. Rule 2.420(d) requires the Clerk to designate and maintain confidentiality of court record information.

   Recommendation: Maintain an up-to-date list of confidential, sealed, OnDemand docket codes including privacy levels and governing authority. Establish a policy requiring periodic review of the list for completeness and accuracy.
   Management response: Management agrees with recommendation. The operations team will create and maintain a list of docket codes and privacy levels and establish guidelines for periodic review. Target implementation: July 1, 2021.
3. Finding 3mediumpolicy

   No Civil docket code exists for Child Abuse and Sexual Offences category

   No Civil docket code existed for records associated with item #13 (Child Abuse and Sexual Offences) on the List of 23. Civil used a specific case type for sexual violence protective injunctions and teammates manually marked documents as confidential, increasing the risk of confidential documents being made publicly available due to human error.

   Recommendation: Document and implement internal controls ensuring Civil teammates redact victim information per Rule 2.420. Implement dual control requiring secondary review of manually marked documents, and if possible work with IT to create a quality control report by filing type.
   Management response: Management concurs with the recommendation to implement dual control for specific filing types. The operations team will work with IT to allow secondary verification for all documents within these specific filing types. Target: FY 21-22.
4. Finding 4lowpolicy

   Civil List of 23 docket code list contained non-confidential codes

   Of 102 Civil docket codes on the List of 23 reference list, seven (7%) were determined not to be confidential. During the audit, privacy level updates were made in Clericus for five of the seven codes. Two codes (1397 and 1579) related to name change cases were public record, and others such as codes 4142, 8000, 4623, 3401, and 1517 did not contain confidential information.

   Recommendation: Maintain an up-to-date list of docket codes that must be maintained confidential, sealed, or OnDemand, including privacy levels and governing authority. Establish a policy requiring periodic review of this list.
   Management response: Management agrees with the recommendation. The operations team will create and maintain a list of docket codes and privacy levels with guidelines for periodic review. Target implementation: July 1, 2021.
5. Finding 5mediumdata access

   Civil image privacy levels inconsistent with assigned case privacy levels

   For six Civil docket codes, image privacy levels did not agree with or were less restricted than the assigned case privacy levels in Clericus. Examples included image privacy changed from Public to Confidential for codes 899 and 7163, and changes from Confidential to OnDemand for codes 1517, 3401, 4623, and 8000. The IG verified all six were corrected during the audit.

   Recommendation: Maintain a comprehensive list of codes related to the List of 23 and review images docketed with those codes to verify privacy levels agree with case privacy levels. When new docket codes are created, verify the privacy level tier is consistent and compliant.
   Management response: Management concurs with recommendation. The operations team will create and maintain a list of docket codes and privacy levels with guidelines for periodic review. Target implementation: July 1, 2021.
6. Finding 6lowpolicy

   Eight active Civil List of 23 docket codes were unused or replaced

   Of 102 Civil docket codes associated with the List of 23, eight (8%) were active but had either been replaced by other codes or had not been recently used, with some last used as far back as 2003. No documented policy requiring periodic review of docket code usage existed, creating a risk of codes being used in error.

   Recommendation: Deactivate all docket codes no longer used in current operations. Implement a policy requiring periodic review of docket codes to determine continued necessity and timely deactivation.
   Management response: Management agrees with deactivating unused docket codes. The operations team will create and maintain a list of docket codes and privacy levels and establish periodic review guidelines. Target implementation: July 1, 2021.
7. Finding 7mediumdata access

   Privacy levels incorrect for multiple Civil images tested

   Privacy levels were incorrect for several Civil images tested, including two sealed cases with images at OnDemand and dockets at public levels, adoption case images with inconsistent confidential vs. sealed levels, 19 images for domestic violence and stalking petitions incorrectly assigned public privacy, and one image confidential instead of sealed due to a FACTS-to-Clericus conversion issue. No periodic review process existed for image privacy level compliance.

   Recommendation: Document a procedure for periodic reviews of privacy levels. Review similar images for accuracy. Review codes revised during FACTS-to-Clericus conversion. Revise policies to require privacy level updates when images are added to sealed cases, and create a secondary review requirement for non-public cases.
   Management response: Management concurs with the recommendation. The operations team will establish a report for periodic reviews of privacy levels and create guidelines for cases not available to the public including secondary review requirements. Target implementation: July 1, 2021.
8. Finding 8mediumpolicy

   Civil online docket descriptions contained more detail than basic description

   For 130 (26%) of 495 Civil images tested, the online docket description included more information than the basic docket description in Clericus. Of those 130, 42 (32%) were sealed images. This occurred because legacy FACTS procedures instructed teammates to enter detailed descriptions, and those entries were not reviewed when Clericus was implemented.

   Recommendation: Review docket descriptions for sealed and confidential images to ensure they do not include confidential information. Update the docketing guide to ensure compliance with current legislation. Require docket descriptions to not contain more than the basic description.
   Management response: Management concurs with the recommendation. The operations team will create a quality assurance report for docket descriptions on sealed and confidential images and create a guideline for the quality assurance process. Target implementation: July 1, 2021.
9. Finding 9mediumpersonnel

   Civil lacked formal documented training program for confidentiality

   At the time of the audit, Civil did not have a finalized formal training program for teammates learning how to maintain the confidentiality of cases, records, and dockets. A formalized program is essential to ensure consistent policy compliance and to measure teammate comprehension through goals and benchmarks.

   Recommendation: Finalize a formal documented training program covering all training levels including new, progressing, and task-learning teammates. Include confidentiality guidance and a training checklist requiring sign-off by the teammate, trainer, and supervisor.
   Management response: Management agrees with the recommendation. The operations team is working with leadership to establish on-boarding guidelines incorporating the IG's recommendations, including a checklist documenting all training levels. Target implementation: August 1, 2021.
10. Finding 10mediumpolicy

    Comprehensive list of Criminal List of 23 docket codes did not exist

    A comprehensive list of Criminal docket codes related to the List of 23 did not exist prior to the audit. The list required four revisions for completeness and was not provided timely. Additionally, Grand Jury indictment codes (INDT and INDC) were mistakenly removed from the list, and some codes were shared between confidential and non-confidential documents, increasing the risk of inadvertent public disclosure.

    Recommendation: Clearly identify List of 23 docket codes on the Docket Node spreadsheet including required privacy levels. Assign docket codes INDT and INDC to item #16 (Grand Jury) as the authority requiring confidentiality.
    Management response: Agreed. Docket codes programmed confidential in the system will be identified on the docket node spreadsheet. Grand jury docket codes will be added to the list of confidential docket codes. Target implementation: August 2021.
11. Finding 11lowpolicy

    Three active Criminal List of 23 docket codes were unused

    Of 34 Criminal docket codes associated with the List of 23, three (8%) were active but not frequently used: BEHS (Behavior Summary) last used in 2017, AFJT (Amended Final Judgment of Termination of Parental Rights), and PCPB (Petition to Commit Minor to DCF For Adoption), the latter two not used in either Clericus or CJIS as of August 19, 2020. No policy required periodic review of code usage.

    Recommendation: Establish a documented policy requiring periodic review of infrequently used docket codes to determine necessity and deactivate as needed. Consider deactivating the three identified unused codes.
    Management response: Agreed. A policy/procedure will be created documenting an annual review of docket code activity and determination of need to deactivate. Target implementation: September 2021.
12. Finding 12mediumpolicy

    Criminal compensating internal controls for privacy misalignments not documented

    For 60 Criminal images tested, case privacy levels were confidential while image and docket privacies were OnDemand and Public respectively. Compensating controls existed (IT security matrix, View on Request process, teammate training, and case-level sealing/expungement) but none were documented in written policies and procedures.

    Recommendation: Document all compensating controls in written procedures. Implement a documented quality control procedure requiring periodic reports of images where privacy levels do not align, with all monitoring documented and retained per applicable requirements.
    Management response: Agreed. Compensating controls will be documented into written procedures. Quality control measures for accuracy of docket privacy will be reviewed and implemented. Target implementation: September/August 2021.
13. Finding 13lowpolicy

    Criminal docket node spreadsheet lacked guidance for docket descriptions

    The Criminal docket node spreadsheet did not provide guidance on when to include or exclude additional language in docket descriptions, resulting in numerous images containing more information than the basic docket description. Policies and procedures related to the docket code review process were also not documented.

    Recommendation: Document policies and procedures for reviewing docket codes and legislative reviews. Review and update the docket node spreadsheet to include sufficient detail for each docket code to reduce the risk of adding incorrect language.
    Management response: Acknowledged. A written documented guide will be created for reviewing and ensuring docket codes are up-to-date. The docket node spreadsheet will be updated with 'No Literal' in place of blank sections. Target implementation: September/July 2021.
14. Finding 14lowevidence

    One Criminal image of 361 tested was docketed with incorrect code

    One Criminal image tested — a Return of Service — was docketed using code NOFI (Notice of Filing), which did not match the actual document. The filing was received via the online portal with the incorrect docket code selected by the filer, and the code was not corrected by staff before docketing.

    Recommendation: Document a policy and procedure requiring teammates to review and appropriately revise docket codes that were incorrectly selected within the portal.
    Management response: Agreed. Current written procedure will be updated to specifically address incorrect filing category of documents from the portal. Target implementation: September 2021.
15. Finding 15mediumpersonnel

    Criminal lacked formal documented confidentiality training program

    At the time of the audit, Criminal did not have a formal, documented training program for new teammates learning how to maintain the confidentiality of cases, records, and dockets. Without a formalized program, there was no structured mechanism to measure goals and benchmarks for teammate comprehension.

    Recommendation: Create a formal documented training program with materials for all training levels. Create a training checklist requiring sign-off by the teammate, trainer, and supervisor upon completion.
    Management response: Agreed. A formal documented training plan for docketing will be created including materials, guidance, progress tracking, and performance review. Target implementation: FY 21-22.
16. Finding 16lowdata access

    One OnDemand image not made available to public in timely manner

    Of 32 OnDemand images tested, one was requested for viewing on October 22 and again on October 30, 2020, but was not made available until management was notified on November 23, 2020 — over a month later. The delay was caused by an IT control error that incorrectly assigned a 'Courts 23 rule banner' to the image in Dr. Watson, resulting in over-restriction.

    Recommendation: Require adequately trained teammates to perform VOR review requests. Work with IT to obtain a monitoring report of image request activity. Revise existing procedures to clearly outline steps for removing the Courts 23 rule banner and appropriate scenarios for doing so.
    Management response: Records agrees with all recommendations. Records will ensure management provides access to the Internet Image Request system to ensure requests are released timely and will add clarification on document versus case privacy level with banners in the guide. Target implementation: October 31, 2021.
17. Finding 17mediumpersonnel

    Records lacked formal documented training program for court record confidentiality

    At the time of the audit, Records did not have a formal, documented training program in place for teammates learning how to maintain the confidentiality of court records. Without a formalized program, there was no structured approach to ensure consistent policy compliance or to measure teammate progress.

    Recommendation: Revise and add to training materials for all training levels. Formalize a training program for new, progressing, and task-learning teammates. Implement a training checklist with sign-off requirements. Create a policy for management to periodically review training materials for currency.
    Management response: Records agrees with all recommendations. Records will update its training matrix, add a curriculum to the guide, expand the training matrix to a checklist, and management will perform bi-annual reviews. Target implementation: October 31, 2021.
18. Finding 18mediumpolicy

    Records training materials and policies insufficient for effective teammate performance

    Existing Records training materials (Redaction and Confidentiality Guide, Scenario Questions, PowerPoint Presentation, and Redaction Validation procedure) contained limited guidance and did not address all key controls and procedures. Deficiencies included: insufficient Florida Statute guidance, missing instructions for envelope placement, no explanation of Parties to a case, limited escalation guidance, no glossary, undocumented queue authorization levels, and no secondary review required for Courts 23 rule changes in Dr. Watson.

    Recommendation: Review and revise training materials comprehensively to include statute language, envelope handling guidance, party identification, escalation procedures, glossary, queue authorization documentation, a secondary review requirement for Courts 23 rule changes, and department-level scenario organization.
    Management response: Records agrees with all recommendations except one (supervisory approval for Courts 23 rule changes in Dr. Watson). Records will implement numerous improvements including statute links, envelope guidance, party identification guidance, escalation instructions, glossary, and training matrix. Records will reach out to IT for a quality assurance report on Courts 23 rule changes. Target implementation: October 31, 2021.
19. Finding 19lowpolicy

    Records scenario question answer key lacked sufficient detail and guidance

    The redaction and confidentiality scenario question answer key provided limited explanations. Specific deficiencies included: answer 15.2 described confidential status when the statute required sealed; answer 23 lacked explanation for why tattoo descriptions did not apply to defendants; answer 39 was unclear that customers could only view the redacted document; and the document did not clarify how many legal authorities applied to each scenario.

    Recommendation: Review and revise scenario questions to include more guidance, include full Florida Statute language, improve answer clarity for questions 15.2, 23, and 39, and clarify the number of legal authorities applicable to each scenario.
    Management response: Records agrees with all recommendations. Records will provide statute links, add party identification guidance, clarify answer 39, and clarify the authority structure on the cover page. Target implementation: October 31, 2021.
20. Finding 20lowpersonnel

    Records scenario questions provided limited guidance to Civil and Criminal teammates

    The redaction and confidentiality scenario questions were designed primarily for the Records Department, yet the materials were intended to be distributed to Civil and Criminal teammates as well. Only two of the scenario questions (numbers 13 and 41) were related to Criminal and Civil Courts.

    Recommendation: If feasible, separate scenario questions by department. Work with Civil and Criminal Courts to develop department-specific scenario questions for use in their training materials.
    Management response: Records agrees with the recommendation. Records will collaborate with Civil and Criminal Departments and update the guide to have clearly labeled sections with scenarios tailored for each department. Target implementation: October 31, 2021.
21. Observation 21lowdata access

    Civil defendant incorrectly flagged as juvenile in Clericus

    For one Civil image included in testing, the defendant/relevant party born in 1965 was incorrectly marked as juvenile in Clericus, causing their name to not appear on the Online Court Records Search. Management corrected the issue during the audit and the party's name was made available online.

    Recommendation: Verify whether other cases have relevant parties incorrectly marked as juvenile. Document a policy requiring periodic review of all cases maintaining relevant parties as confidential, including running a system report to identify cases where the juvenile checkbox was incorrectly checked.
    Management response: Management concurs with the recommendation. The operations team will run a quality assurance report to verify parties marked as juvenile and create a guideline for periodic review. Target implementation: July 1, 2021.
22. Observation 22lowpolicy

    No policies exist for handling court documents in foreign languages

    Civil, Criminal, and Records had no documented policies or procedures for handling court documents written in a foreign language. During testing, one OnDemand image included a Plea form written in Spanish with an English translation also docketed, but teammates had limited documented guidance for reviewing such documents to ensure confidential information was not publicly released.

    Recommendation: Create a documented policy and procedure guiding teammates on handling documents written in a foreign language, including instructions to obtain assistance for documents they are unable to read.
    Management response: Civil: Management concurs; a guideline was created, approved, and implemented with legal counsel. Completed 3/12/2021. Criminal: Agreed; a written policy/procedure will be created per legal counsel direction. Target: May 2021. Records: Will include information in the guide and procedures per legal counsel guidance. Target: October 31, 2021.