Skip to content
Pasco County Civic Records
← back to audits

Clerk & Comptroller

Audit findings · Medium · data access

19 findings match the current filter. Sorted by severity, then dollar amount.

  1. mediumdata accessCCC · FY 2025

    Printed and Electronic DAVID Personal Data Not Properly Safeguarded

    Criminal teammates were directed to place printed DAVID information in OSA (Obsolete, Superseded, or Administrative Value Lost) boxes when no longer needed, but those boxes were not physically secured from unauthorized persons. Additionally, teammates who telework were not required to black out their computer screens while accessing DAVID remotely, contrary to MOU Section V requirements for protecting personal information from unauthorized viewing.

    in: CCC: DAVID Attestation- Dated July 28, 2025
  2. mediumdata accessCCC · FY 2025

    DAVID User Access Not Deactivated Within Required Five Business Days

    MOU Section IV, Subsection B.8 requires user access and permissions to be updated within five business days of reassignment. One user was deactivated 55 working days after reassignment to a position that did not require DAVID access. The auditor verified the user did not access DAVID after reassignment.

    in: CCC: DAVID Attestation- Dated July 28, 2025
  3. mediumdata accessCCC · FY 2025

    Existing Password Security Procedures Inadequate

    Some practices did not demonstrate effective password security. Teammates used the web browser's autofill feature to save DAVID login credentials and did not lock workstations when left unattended. Additionally, passwords were stored in an envelope kept in an unlocked desk drawer, creating risk of unauthorized access to DAVID.

    in: CCC: DAVID Attestation- Dated July 28, 2025
  4. mediumdata accessCCC · FY 2025

    DAVID User Permissions Inconsistent and Not Role-Appropriate

    DAVID user permissions were not consistently configured to match user roles. Five of 13 Criminal users had permission to search by vehicle make and model, which was unnecessary for their job duties. Additionally, both Criminal and Inspector General users had varying days and hours of access to DAVID rather than a standardized schedule.

    in: CCC: DAVID Attestation- Dated July 28, 2025
  5. mediumdata accessCCC · FY 2023

    Image privacy levels for some Civil docket codes less restrictive than case privacy level

    For six Civil docket codes, image privacy levels did not agree with or were less restrictive than the assigned case privacy level within Clericus. For example, codes 899 (Petition for Termination of Parental Rights) and 7163 (Notice on Petition for Adoption) had public image privacy levels that were required to be confidential. All six codes were corrected during the audit.

    in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023
  6. mediumdata accessCCC · FY 2023

    Privacy levels were incorrect for some Civil images tested

    Privacy levels of existing images were not periodically reviewed for compliance or consistency. Issues identified included two sealed cases with images assigned OnDemand privacy levels, nineteen images with public privacy levels that were required to be confidential (docket codes 675, 678, 1397), and one image marked confidential rather than sealed. Corrections were made during the audit.

    in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023
  7. mediumdata accessCCC · FY 2023

    One Records OnDemand image not made available to public in timely manner

    One OnDemand image of 32 tested was requested for viewing on October 22 and again October 30, 2020 but was not made available until management was notified on November 23, 2020. An IT control error caused a 'Courts 23 rule banner' to be incorrectly assigned in the Dr. Watson redaction system, resulting in over-restriction of the image.

    in: CCC Docket Image Privacy Follow-Up - Final Report dated February 14 2023
  8. mediumdata accessBCC · FY 2023

    Terminated DAVID user not deactivated within required timeframe

    The MOU required user access to be immediately deactivated upon termination and updated within five business days upon reassignment. One DAVID user was not deactivated within five business days of their termination date. The IG verified there was no user activity after the termination date.

    in: BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023
  9. mediumdata accessBCC · FY 2023

    DAVID access authorization and acknowledgement forms not maintained

    The DAVID SOP required users to sign three forms before receiving access — the DAVID Access Authorization Request, Acknowledgement of Penalties for Misuse, and Florida Computer Crimes Act — and these forms were required to be retained for five years. Access and authorization forms for DAVID users were not maintained.

    in: BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023
  10. mediumdata accessBCC · FY 2023

    Four unauthorized employees had access to restricted DAVID file folder

    Citations, DAVID policies and procedures, and DAVID monitoring reports were stored in a restricted file folder accessible only to authorized personnel. The IG verified four unauthorized employees had access to the restricted file folder. After the IG brought this to the POC's attention, access was immediately requested to be removed for these individuals.

    in: BCC: Stormwater DAVID Contract Attestation - Dated November 13, 2023
  11. mediumdata accessCCC · FY 2023

    Key and Combination Access to Evidence Vaults Not Properly Documented

    The Key/Combination Request & Issuance Form used to document issuance of vault keys and combinations was not always maintained, complete, or updated. For 6 of 13 Records teammates with vault access, forms were missing required signatures, did not clearly identify the specific access location, were not on file, or were not updated. Form language was also too vague to clearly identify which specific location access was authorized for.

    in: CCC: Evidence Final Report - Dated December 8, 2023
  12. mediumdata accessCCC · FY 2022

    One DAVID User Not Deactivated Within MOU Required Timeframe

    Of nine DAVID users deactivated during the audit period, one employee's access was disabled 21 working days after reassignment to a position not requiring DAVID access, well beyond the MOU-required five working days. The IG verified the user did not conduct any DAVID searches after reassignment, limiting the actual risk exposure.

    in: CCC: DAVID Attestation-Admin - Dated July 12, 2022
  13. mediumdata accessCCC · FY 2022

    Inadequate Segregation of Duties for Monitoring POC Activity in DAVID

    The IT Point of Contact responsible for conducting and signing off on the DAVID Quarterly Quality Control Reviews was also included in the randomly sampled users for the 2021 Q3 and Q4 reviews, meaning the POC reviewed their own activity. Additionally, the alternate POC was included in the Q4 random sample. This lack of segregation of duties created a risk that POC activity would not receive independent review.

    in: CCC: DAVID Attestation-Admin - Dated July 12, 2022
  14. mediumdata accessBCC · FY 2022

    EAM system glitch added phantom inventory items to wrong warehouses

    During the audit at Shady Hills Warehouse, one item (#2083Y) appeared on count sheets without a valid bin location and did not physically exist at that location. A system glitch caused the item, newly added to Embassy Warehouse, to be automatically propagated to Shady Hills (with '*' bin) and Wesley Center (with 'PR' bin), creating inaccurate inventory records and count sheets.

    in: BCC: Utilities Warehouse Inventories Follow-up – Dated December 13, 2022
  15. mediumdata accessBCC · FY 2022

    Inventory system reflected incorrect bin locations for multiple items

    Of the 103 items tested at Embassy Warehouse, five items (5%) — #22003, #07007M, #82048, #500586, and #230112 — were located in a different area than reflected in the EAM system or could not be identified. Management stated the inventory had been reorganized due to spacing issues, but the system was not updated at the time of the audit, compromising the reliability of inventory records.

    in: BCC: Utilities Warehouse Inventories Follow-up – Dated December 13, 2022
  16. mediumdata accessCCC · FY 2021

    Civil image privacy levels inconsistent with assigned case privacy levels

    For six Civil docket codes, image privacy levels did not agree with or were less restricted than the assigned case privacy levels in Clericus. Examples included image privacy changed from Public to Confidential for codes 899 and 7163, and changes from Confidential to OnDemand for codes 1517, 3401, 4623, and 8000. The IG verified all six were corrected during the audit.

    in: CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021
  17. mediumdata accessCCC · FY 2021

    Privacy levels incorrect for multiple Civil images tested

    Privacy levels were incorrect for several Civil images tested, including two sealed cases with images at OnDemand and dockets at public levels, adoption case images with inconsistent confidential vs. sealed levels, 19 images for domestic violence and stalking petitions incorrectly assigned public privacy, and one image confidential instead of sealed due to a FACTS-to-Clericus conversion issue. No periodic review process existed for image privacy level compliance.

    in: CCC: 2020-09 Docket & Image Privacy – Dated August 4, 2021
  18. mediumdata accessBCC · FY 2020

    DAVID workstation not secure from unauthorized access or view

    The cubicle used to access the DAVID system was not secure from unauthorized view and access. Other Stormwater Inspectors who were not authorized DAVID users shared the cubicle workspace, and the cubicle had no door. DAVID users stated they attempted to access the system only when unauthorized inspectors were absent, but this was not a reliable control. This arrangement violated MOU Section V, Subsection G, which required DAVID information to be protected from unauthorized persons viewing, retrieving, or printing it.

    in: BCC: Stormwater DAVID Contract Attestation – Date March 24, 2020
  19. mediumdata accessBCC · FY 2020

    Review of POC DAVID activity not independent or documented

    The Assistant Director of Public Works stated he conducted monthly reviews of the Point of Contact's (POC) DAVID activity, but these reviews were not documented. Furthermore, the user activity reports reviewed were generated by the POC from the DAVID system, meaning the review was not independent. As a result, the IG could not verify that reviews were actually performed or that the information was complete and accurate.

    in: BCC: Stormwater DAVID Contract Attestation – Date March 24, 2020
Top ↑