This record contains private information, which has been redacted from public viewing.
Record #: F2021-42   
Type: Report
Status: Placed on File
Intro date: 5/26/2021
Current Controlling Legislative Body:
Final action: 5/26/2021
Title: Inspector General's audit of data privacy and cybersecurity in Chicago Department of Public Health's COVID-19 Contact Tracing Program
Sponsors: Dept./Agency
Topic: CITY DEPARTMENTS/AGENCIES - Inspector General, - REPORTS - Miscellaneous
Attachments: 1. F2021-42.pdf

OIG FILE #20-1263
CDPH COVID-19 CONTACT TRACING PROGRAM: DATA PRIVACY AND CYBERSECURITY AUDIT
APRIL 29, 2021

TABLE OF CONTENTS
EXECUTIVE SUMMARY
  CONCLUSION
  FINDING
  RECOMMENDATIONS
  CDPH RESPONSE
BACKGROUND
  CONTACT TRACING
  CHICAGO COVID-19 CONTACT TRACING
  CARES ELECTRONIC CASE MANAGEMENT TOOL
  CITY OF CHICAGO INFORMATION SECURITY AND TECHNOLOGY POLICIES
  CENTERS FOR DISEASE CONTROL AND PREVENTION (CDC) CONTACT TRACING GUIDANCE
    Standards to Facilitate Data Sharing and Use of Surveillance Data for Public Health Action
    Guidelines for the Implementation and Use of Digital Tools to Augment Traditional Contact Tracing
FINDING AND RECOMMENDATIONS
  FINDING: CDPH'S COVID-19 CONTACT TRACING PROGRAM MITIGATES DATA PRIVACY AND CYBERSECURITY RISKS
    CARES meets the security requirements of the City's Information Security and Technology Policies
    CARES access controls meet the security requirements of the City's Information Security and Technology Policies, but CDPH did not promptly remove access for all terminated users
    Training for contact tracers aligns with the City's Information Security and Technology Policies, and CDPH maintains a record of all contact tracers' completion of training
    CARES prompts contact tracers to inform individuals that all information will be confidential and secure, and requires individuals' consent to be recorded, but does not prompt notification of how long the City will store the information
    CDPH has policies to mitigate risks when exchanging confidential information through electronic communications
    CDPH has policies that designate persons responsible for reviewing data requests, but does not provide explicit criteria for determining whether to release data
OBJECTIVE, SCOPE, AND METHODOLOGY
  OBJECTIVE
  SCOPE
  METHODOLOGY
  D. STANDARDS
  E. AUTHORITY AND ROLE








