An Audit of Salt Lake County Criminal Justice Services: Data Access and Protections

April 23, 2025

Report Highlights

Opportunity to Strengthen Network Access Termination Processes

When an individual leaves Salt Lake County employment, the agency is responsible for submitting an Information Technology Division (IT) service request to have the employee’s network access revoked. We found that Criminal Justice Services did not submit a termination request to have access to County systems and networks revoked for three out of 21 (14%) employees who ended their employment in 2023.

Opportunities to Strengthen Timeliness and Consistency of Application Access Removal

Criminal Justice Services used several applications containing confidential information on clients. For the 21 employees that terminated in 2023, we tested whether Criminal Justice Services requested that the employees’ access to these applications be revoked in a timely manner. We found that for the Offender Management System (OMS), Criminal Justice Services did not request that the Sheriff’s Office revoke access for any of the agency’s employees. For the application Uptrust, requests were not timely for 16 out of the 21 (76%) employees. Requests were made between 15 and 368 days after the employees’ last day. Finally, for the Utah Web Infrastructure for Treatment Services (UWITs) application, only one of the 21 employees required access to UWITs. We found that Criminal Justice Services did not request that BHS revoke access for that employee when they terminated.

Opportunities to Improve Data Entry Consistency in eSupervision

Criminal Justice Services uses a urinalysis testing company to conduct client drug testing. The testing company hosts web-based software that allows Criminal Justice Services to track and manage client drug test scheduling and results. Data from the online system is manually entered by Criminal Justice Services staff into the Agency’s client case management system. A review of client testing dates revealed that 21 of 45 (47%) scheduled tests dates were not recorded in the case management system. Additionally, 18 of the 45 (40%) scheduled tests that were entered lacked specific details, instead containing date ranges and general descriptions.