A legislative review triggered by a Sun Herald story has found several problems with the way state agencies handle confidential information.
The Joint Legislative Committee on Performance, Evaluation and Expenditure began investigating the records practices after the Sun Herald reported that thousands of pages containing copies of Social Security cards, birth certificates and other sensitive information had been found on the Bay St. Louis bridge. The records were traced back to the defunct Gulf Coast Community Action Agency, a social services agency that operated in Hancock, Harrison, Stone, George and Greene counties until it lost its federal funding and closed in 2015.
The agency was supposed to hand the records over to the Department of Human Services under a closeout agreement, and GCCAA reported in April of 2016 that it had done so. It wasn’t until the records were found blowing across the bridge that DHS learned GCCAA hadn’t complied with the agreement.
That incident remains under investigation, but DHS told PEER it had contacted the several thousand people whose records were scattered on the U.S. 90 bridge.
At the Legislature’s request, PEER reviewed practices at 13 state entities and universities under the authority of the Institutes of Higher Learning. Thursday, PEER issued a report that found that while the Department of Archives and History is supposed to oversee management of confidential records, it has no way of punishing agencies who do not comply with the proper procedures.
It also found that:
▪ The rules and regulations for records that aren’t covered by federal law often do not follow recognized best practices. Those rules and regulations also contain gaps in security procedures, PEER found.
▪ Some state entities often collect more confidential information than necessary. For example, many record full Social Security numbers rather than the last four digits, which PEER said are sufficient for identification.
▪ The schedules for retaining the records date back to when all records were on paper, and the shift to electronic data collection has made those schedules outdated. The state doesn’t have uniform agreements for sharing data, doesn’t properly verify when records are destroyed or the confidential information in them is scrubbed, and data is sometimes transmitted electronically in a manner that isn’t secure.
The report recommends the Legislature require agencies to use more uniform practices and agreements and give the MDAH the power to enforce them. It says agencies should be required to ensure that confidential data is retained, destroyed or removed in an appropriate manner. PEER said MDAH and the Department of Information Technology Services should work together to ensure that requirements for retention, destruction or removal of data are incorporated into policies and standards and recommends it work with judicial and legislative staff to determine which, if any, laws need to be amended to help ensure records are properly handled.
The 13 entities studied are:
▪ Board of Cosmetology
▪ Board of Dental Examiners
▪ Board of Examiners for Licensed Professional Counselors
▪ Board of Optometry
▪ Department of Health
▪ Department of Human Services
▪ Department of Information Technology Services
▪ Department of Insurance
▪ Department of Rehabilitation Services
▪ Department of Wildlife, Fisheries and Parks
▪ Division of Medicaid
▪ Public Employees’ Retirement System
▪ Real Estate Commission
▪ State universities under IHL authority: Alcorn State University, Delta State University, Jackson State University, Mississippi State University, Mississippi University for Women, Mississippi Valley State University, The University of Mississippi, The University of Southern Mississippi