Auditor General flags information security, access, and data protection issues with Support Jamaica website
An audit of the Government’s Support Jamaica website, which was set up, among other things, to receive Hurricane Melissa relief donations, has found information security governance gaps, inadequate access management, and non-compliance with data protection requirements, according to the Auditor General’s Department (AuGD).
The report was tabled in Parliament on Tuesday.
The website, which has raised millions of dollars, falls under the purview of the Office of Disaster Preparedness and Emergency Management (ODPEM), the agency leading the recovery effort.
The AuGD said its review identified significant weaknesses in ODPEM’s information security (IS) governance framework, which affected access controls over the Support Jamaica website.
“We found that ODPEM did not have formally approved Information Security (IS) or Access Control policies and procedures to govern the assignment, management, and monitoring of user rights across its information systems. In the absence of an established access policy, ODPEM operated without an enforceable standard for the provisioning, modification, and deprovisioning of user accounts on the Support Jamaica administrative dashboard,” the report stated.
“Consequently, ODPEM was exposed to an elevated risk of inappropriate or unauthorised access, inconsistent security practices, and weakened overall control of its information systems.”
The department also identified issues in user access management.
It found that access was granted to eight external officers without documented requests, formal approvals, or evidence that the permissions assigned aligned with their official roles and responsibilities.
“The audit confirmed the deprovisioning of only two officers, as the relevant audit log evidence was unavailable for the other six accounts. Additionally, we noted that one individual was elevated to ‘Super Admin’ status and subsequently provisioned multiple accounts without a documented basis for the level or duration of access granted,” the report said.
It further found that the head of the entity was assigned “Super Admin” privileges, which provide full administrative, operational, reporting, and security access, despite system administration responsibilities being inconsistent with his job function and not justified.
“As a result, there is an increased risk of unauthorised access to sensitive donor, financial, and administrative data, potential misuse of system privileges, and non-compliance with applicable data protection laws,” the report noted.
The audit also raised concerns regarding data protection practices associated with the website.
The department said that in December 2025, ODPEM and the developer of the Support Jamaica platform executed a Data Processing Agreement, formally designating ODPEM as the data controller and the private developer as the data processor under the Data Protection Act.
The developer was not named in the audit.
According to the AuGD, while the agreement referenced compliance with the Act, there was no evidence that ODPEM verified the developer’s compliance with certain statutory requirements.
The review also found that the privacy policy on the Support Jamaica website did not disclose the data processor’s access to personal data.
Additionally, although the policy advised users to contact ODPEM’s Data Protection Officer, the entity had not appointed such an individual, in breach of the Act.
The Auditor General’s Department has recommended that ODPEM approve and implement a formal Access Control Policy requiring documented justification for all user accounts, including those assigned to external entities and government ministries, departments, and agencies.
It said access should be granted strictly in accordance with an individual’s roles and responsibilities and aligned with the principle of least privilege.
“The policy should also require the timely deprovisioning of user access when access is no longer required, including upon role changes, completion of relief activities, or termination of employment or engagement. A centralised log of access requests, approvals, modifications, and removals should also be maintained. Additionally, periodic reviews of user accounts and monitoring of privileged accounts should be implemented to ensure the continued appropriateness of access granted,” the report stated.
Further, the department has urged ODPEM to immediately require the private developer, as the data processor, to provide documented and independently verifiable evidence demonstrating compliance with the technical and organisational security measures outlined in the Data Processing Agreement.
“This should include confirmation of the safeguards implemented to protect personal and sensitive data collected through the supportjamaica.gov.jm platform, along with evidence of ongoing monitoring arrangements,” the report said.
“To strengthen governance, accountability, and statutory compliance, ODPEM must complete registration as a data controller with the Office of the Information Commissioner (OIC) and formally appoint a Data Protection Officer, as required by the Data Protection Act,” it added.
The department also recommended that ODPEM review and update the privacy notice on the Support Jamaica website to accurately disclose the private developer’s role and access as a data processor, thereby ensuring transparency, reinforcing data-subject trust, and aligning public-facing statements with actual data-processing practices.

