A new internal audit raises questions about how DeKalb County protects and manages the personally identifiable information it collects from the public and its own employees — everything from Social Security numbers to banking information.

And county leaders tried to keep the audit’s findings a secret, claiming a majority of the document was exempt from release under the Georgia Open Records Act.

For some, the county’s refusal to release substantive portions of the document has raised just as many concerns about a lack of transparency and accountability as the audit’s findings themselves.

Richard T. Griffiths, president emeritus of the Georgia First Amendment Foundation, called the county’s handling of the audit “embarrassing” and said there was no reason it shouldn’t have been released.

“There are appropriate exceptions in the open records act to prevent information from being provided to hackers or others who might want to do ill,” Griffiths said. “But the top line of this report, whether the county is doing its job or not, whether the county is taking appropriate steps or not, should have been made completely available when citizens asked for it.”

It was not.

A final draft of the 17-page report, which was completed by DeKalb’s Office of the Independent Internal Audit, was finished in January.

A copy of the title page alone was posted on the county website late last month. The full audit was later posted online after a local resident asked about it, but the document was heavily redacted.

Even high-level findings — that the county needs a manager dedicated to the protection of personal information; that it lacks robust policies and procedures to manage the information; and that it lacks an emergency response plan in the event the data is stolen — were hidden from public view.

The lack of an emergency response plan was the only audit finding disputed by the county.

According to emails provided to The Atlanta Journal-Constitution, auditors requested that approach, citing a section of Georgia open records law that allows officials to shield “vulnerability assessments and security plans, which if made public could compromise security against sabotage, criminal, or terroristic acts.”

DeKalb County CEO Michael Thurmond said he did not make the decision to keep the audit results confidential, but supported it.

“Being cautious, taking your time, vetting it to be sure to make that we didn’t inadvertently open the pathway for someone with an evil intent” was a smart path forward, Thurmond said.

The AJC is sensitive to potential security concerns but believes the audit’s findings are a matter of public interest, and recently obtained an unredacted version of the report.

It provides few specifics that would provide an easy roadmap for hackers or other nefarious actors. But it does reflect the auditors’ serious concerns.

The report found that most county departments collect personally identifiable information from employees and residents yet had inconsistent, or even non-existent, policies for handling and securing the sensitive information.

In addition, there were no guidelines or standards in place for third-party vendors managing personal information on behalf of the county.

“Also, we noted that the applications where [personally identifiable information] is collected, processed, and stored have minimum security procedures to limit access to such data,” the audit said.

The DeKalb government has more than 6,000 employees. There are some 180,000 water and sewer customers, for instance, that have also provided personal information to the county. And there are untold thousands of others who have filed for a business license, applied for a government job, paid a library fine or become involved in the court system.

Ed Williams, the local watchdog that helped raise the alarm about the redacted report, called the secrecy an affront to the employees and people of DeKalb. They deserve to know how their government is protecting sensitive information like their medical records and Social Security, driver’s license and bank account numbers, he said.

“What would be the purpose of writing a report that nobody would see?” Williams said. “I don’t accept the premise.”

The audit suggests the county administration has agreed to address the issues raised by the first quarter of 2022. Thurmond said some of the auditor’s recommendations have already been adopted.

County leaders also rejected insinuations that any employees’ or residents’ data had already been compromised, saying the audit — which covered a period between July and Dec. 2019 — confirmed that no breach of personally identifiable information had occurred.

“We would have notified any individual whose personal information was exposed had that occurred, which it did not,” the county administration said in an emailed statement.

The statement said that “all DeKalb County systems” are in compliance with guidelines established by the National Institute of Standards and Technology.

Thurmond, who inherited a number of systemic issues within DeKalb’s government when he first took office in 2017, said performance audits like the one in question are actually a government executive’s “best friend,” but are too often weaponized.

“I’m crazy enough to run into a burning house, and somebody wants to say I’m the arsonist,” he said. “Just because I’m crazy enough to want to try to fix it.”

Shortly after the AJC notified DeKalb officials that it had obtained an unredacted version of the audit, most of the document was removed from the county website.

As of Thursday afternoon, the title page was again the only part of the document posted online.

The review was scheduled as part of the internal auditor’s annual work plan, and wasn’t triggered by a specific incident.