Editorial | ODPEM’s IT failure

An element of the auditor general’s (AuG) real-time review of the Government’s response to Hurricane Melissa that has escaped significant scrutiny is the AuG’s findings of the management and oversight of the website through which people can make financial or in-kind donations to the relief effort.

Yet, the report is a case study of either a loss or neglect of institutional memory and of the potential dangers when agencies are either not guided by global best practices or believe they can play catch-up. Or worse, that they don’t matter.

Except that in these days of global connectivity and the capacity to generate and transmit information in an instant, after-the-fact implementation of rigorous data management oversight may be too late. Hence the need to be aggressive in ensuring the effective management and policing of information technology systems, including an urgent audit to determine whether they are compliant with international standards.

The same day Hurricane Melissa devastated western Jamaica, the Government launched the website supportjamaica.gov.jm, which was the product of a private developer, who gifted its functional aspects to the Government. According to the auditor general, “technical aspects of the design, coding and intellectual property rights to the source codes and security requirements were retained by the developer”.

By January 11, the auditor general found, 16,900 individuals had contributed nearly US$1.4 million and approximately J$71.4 million in donations via the site. Additionally, 4,628 people had registered as volunteers.

Noted the auditor general: “Support Jamaica collects personal and health-related data from donors and potential volunteers.” As it does with respect to payment arrangements supplied by donors.

However, it was two months after the site was in operation that the Office of Disaster Preparedness and Emergency Management (ODPEM), in its capacity as data manager, formally signed an agreement with the platform’s developer, for the processing of the data deposited on the platform.

NO EVIDENCE

However, at the time of the auditor general’s review, while the developer may have been in the process seeking international standard certification of its security systems, “there was no evidence to demonstrate ODPEM verified the private developer’s compliance with these requirements”.

Additionally, “ODPEM was unable to confirm that relevant technical and organisational security measures stated in the agreement were in place to secure the personal and health data collected subsequent to the launch of the website”.

Moreover, the auditor general found that not only that ODPEM – a critical institution where the use of technology would be expected to be central to its logistics functions – didn’t have an IT policy in place, but that internal management of access to the Support Jamaica site was lax.

The audit found, for instance, that access to the backend of the site was afforded “to external officers without documented formal requests or evidence that the permissions aligned with their official roles and responsibilities”.

One of those persons, who worked in the education and information ministry, had his access status updated to “super admin” “subsequently provisioned multiple accounts without a documented basis for the level or duration of access granted”.

There were perhaps good grounds for granting access to the site to these people. They may indeed have done excellent administrative and support work that will make recovery from the hurricane faster and less painful.

Nonetheless, it is widely understood, globally, that the security, and therefore robust management oversight, of people’s private information is crucial. It’s an insurance against identity theft and other potential scams and ills that is possible with the use of modern information technology systems.

SHOULDN’T BE INTELLECTUAL ABSTRACTION

For the people who established and managed the Support Jamaica website, and for the Jamaican Government, this shouldn’t be an intellectual abstraction. Certainly, not if they recalled the JamCovid debacle, which should be part of the documented institutional memory of the Government.

At the height of the COVID-19 pandemic, the Amber Group developed the JamCovid app and website, which, similar to the Support Jamaica system, was gifted to the Government.

The app and website allowed potential tourists and Jamaicans planning to travel to the island to upload their negative COVID-19 test results to the site, as a pre-screening method ahead of their trips.

However, in February 2021 the online publication TechCrunch discovered that the absence of a security lock on the cloud server where the data was stored left potentially exposed immigration documents as well as the passport numbers and COVID-19 test results of over half a million travellers. That breach was reportedly fixed.

However, in short order two more security lapses emerged.

First TechCrunch revealed, based on the findings of a security researcher, that private keys and passwords were left exposed on the site. This was followed by the revelation that Jamaican quarantine for thousands of travellers was easily accessible on the site.

At one point, the Government and Amber claimed that the site was hacked and the administration promised criminal prosecutions, a threat that eventually withered.

The point is that there is no value in shooting the messenger. The better approach is to have the systems in place that work even in emergencies and crises.