State Auditor Finds Flaws in Texas Criminal Justice Information System
In September 2011, the Texas State Auditor released a report on the Criminal Justice Information System (CJIS) used by the Texas Department of Public Safety (DPS) and Texas Department of Criminal Justice (TDCJ). The audit, which covered the period from September 2009 through November 2010, found inaccuracies and incomplete records in the CJIS as well as the potential for unauthorized changes to be made.
The CJIS includes the Computerized Criminal History System (CCHS) maintained by DPS and the Corrections Tracking System (CTS) maintained by the TDCJ. The goal of the CCHS is to provide accurate criminal background checks to law enforcement while the CTS tracks people who are under the supervision of the state’s criminal justice system. Both systems depend on the input of numerous persons, many of whom are not employed by DPS or the TDCJ.
The CCHS relies upon the input of 4,272 separate agencies, including 2,309 law enforcement agencies such as police departments or sheriff’s offices, 507 district or county attorney offices and 1,456 district or county courts. By statute, the CCHS is supposed to include information related to the prosecution and disposition of all felony cases and misdemeanor cases that are not punishable solely by a fine. However, the audit found that only 73.68% of arrests were entered into the CCHS. That was a slight improvement over the 71% submission rate from a previous audit conducted in 2006.
The audit also discovered many incomplete records in the CCHS, including 65,424 prosecutor or court records with no matching arrest record. DPS cannot control the agencies it depends on for data, thus there is no penalty for failing to submit complete records. Further, the CCHS rejects submissions that lack state identification numbers but may not inform the information systems of courts and prosecutor offices of the rejection or data entry errors. Therefore, despite efforts by DPS to improve the CCHS, problems persist. Complicating matters is the fact that once a court or prosecutor office submits information to the CCHS, it can only be corrected manually via fax.
One suggestion made by the auditors for improving the completeness of CCHS records was to link the database with information in the CTS. This would provide the outcomes for all persons placed on probation or sent to prison.
The CTS also had a problem with incomplete data entries. Close to a fifth of all prisoner entries and about 7% of probationer entries had no arrest incident number. The TDCJ has no control over the local law enforcement and probation offices that make the data entries, but the auditors suggested that the TDCJ adopt a policy encouraging the collection and submission of arrest incident numbers.
The CTS issues a flash notice when individuals with CTS records who are on probation or parole are rearrested, to inform the probation or parole officer about the arrest. Officials in over 47% of the counties in Texas do not view the pertinent arrest record within 90 days of receiving a flash notice, indicating they are not using the flash notices. Nearly 42% of the audited system users had not accessed their CTS accounts within a six-month period.
In Bexar County, one of the two county Community Services and Corrections Departments that the auditors visited had no flash notice coordinator and did not know about the flash notice process. The TDCJ was unaware of this because it does not monitor the frequency with which flash notice coordinators view pertinent arrest records or the length of time an account is dormant. The auditors recommended that the TDCJ begin tracking the use of flash notices.
DPS was about two months behind in entering criminal records submitted in hardcopy format. The auditors recommended that DPS speed up the process. Nearly 60% of CCHS arrest record entries had incorrect disposition codes; the most common error was showing the person as incarcerated when he or she had been released. The auditors also discovered errors in the submitting agencies’ identification codes, especially when the person was arrested out-of-county.
The TDCJ maintains a log of errors in local probation department entries but fails to track the errors to ensure they are corrected. The auditors suggested that the TDCJ begin monitoring such errors.
The CCHS had a number of security issues, such as 26 staff members who could modify criminal records, security configurations and application functionality when only one should have such system access. Plus there were two former DPS employees who retained the ability to modify criminal records. Further, DPS inappropriately gave eight programmers administrative access that could let them modify the CCHS database.
DPS also failed to appropriately manage access to criminal records stored on an external website used to conduct background checks. Ten percent of the audited website users had no need to conduct such background checks yet retained the ability to do so. Auditors found no unauthorized changes had been made in the CCHS database; however, they criticized the fact that DPS had no formal process for monitoring security events related to suspicious attempts to access CCHS.
CTS had several security issues, as the TDCJ failed to restrict programmers’ access to production data. Thus, the programmers could modify criminal records and both TDCJ and contractor personnel could make changes to data. The TDCJ also failed to have an audit trail activated for modifications to the database.
Overall, the report found improvements since the last audit was conducted in 2006, but noted a number of persistent problems. Both DPS and the TDCJ agreed with the audit findings and stated they would implement recommended changes to correct identified security lapses.
Source: “An Audit Report on the Criminal Justice Information System at the Department of Public Safety and the Texas Department of Criminal Justice,” Texas State Auditor’s Office, Report No. 12-002 (September 2011)