Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies—Tranche 2 - Other Matters 2

During the course of this audit, we conducted a Data Reliability Assessment (DRA) of settlement agreements provided to us by the agencies. As part of this DRA, we attempted to verify that the settlement agreements provided to us represented all settlement agreements that existed for the 21 agencies included in this audit. We used audit software to take a random sample of state employees employed at the Office of the Attorney General (AGO) and the Massachusetts Port Authority (Massport) during the audit period and requested access to the personnel records for the employees identified in this random sample. The purpose of this aspect of the DRA was to determine whether settlement agreements or other indicators of settlement agreements existed in these records and whether we were provided a complete list of settlement agreements.

Indeed, in this very audit report, it has been verified that agencies keep settlement agreements in employee personnel files. One of our auditees, in fact, expressed this in writing in one of their responses, as follows:

If the settlement is employee-specific (and not related to a group of employees), the settlement agreement generally includes language indicating that the settlement should be regarded as a personnel record and, therefore, will be maintained in the employee’s personnel file.

When we reviewed Massport files, at least the ones we were provided access to, it was confirmed that Massport also keeps employee settlement agreements in personnel files. During our review of the Massport personnel files that we were actually able to access, we discovered an additional 7 settlements that Massport itself did not report to us. This highlights how important it is for our office to be able to verify what agencies are claiming by being able to review personnel records. Massport disputes our position on this issue and denied our access to 10 of the 131 underlying records our office sought to access.

Both AGO and Massport claimed that Chapter 66A of the Massachusetts General Laws, known as FIPA, required notification to employees and the ability to “quash” or “object” to allowing a review of these records—records that we have express authority to access under Section 12 of Chapter 11 of the General Laws and which we required access to in order to complete the DRA under Generally Accepted Government Auditing Standards (GAGAS).

We rejected this, as the FIPA’s restrictions and obligations related to the disclosure of certain records do not apply when there is statutory authorization to access such records. Our enabling statute is such statutory authorization, granting our office “access to . . . books, documents, vouchers and other records relating to any matter within the scope of an audit” (emphasis added). In 2012, the Superior Court affirmed our office’s authority under Section 12 of Chapter 11 of the General Laws to access sensitive, confidential information, including information that would otherwise be protected from disclosure by law, such as FIPA. See Suzanne Bump, State Auditor v. Shahrzad Haghayegh-Askarian and Hancock Dental Co., Mass. Super. Ct., No. 11-4539A (Suffolk County May 10, 2012). Indeed, it would make oversight meaningless—and practically impossible—if our office needed to obtain permission from every public employee and every person who applies for public benefits, for example, each time we needed to view sensitive information to conduct audits; combat waste, fraud, and abuse; review processes and procedures; or ensure that the law is being followed. We note that there has been only one other instance where an auditee (GOV, in our January 28, 2025 Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies) has invoked FIPA, disclosed sensitive information to non-parties, and denied our access to records needed to conduct our work. GOV was coached by AGO to “moot” our records request by claiming FIPA. This is a misapplication of the law, and we have not previously been required to obtain such permission in any prior instances regarding accessing such records, dating back to FIPA’s inception in the 1970s. This includes countless reviews of personnel records for state employee settlement agreements and cybersecurity and ethics training records, among other documents required for our audits.

We repeatedly, and in writing, rejected this new and made-up claim that auditees, such as GOV, could have the choice to withhold information from our office that is needed for our audit work. Nonetheless, AGO and GOV both worked together to ensure that our office did not have access to the documents that we required to conduct our audit in accordance with the law. Massport, seemingly taking its cue from AGO and GOV alike, decided to also send letters to employees and retirees in our sample, granting them the authority to “quash” and “object” to our audit.

It appears as though AGO has helped to create the beginning of a potential trend where agencies not wishing to provide records to our office will be coached and empowered by AGO to go against the law that grants our office access to these records—specifically Section 12 of Chapter 11 of the General Laws. Accordingly, our office will be pursuing litigation with respect to this matter and calls on AGO to recuse itself since AGO has itself misapplied FIPA and advised agencies (GOV and itself) to do the same. Our office needs to be able to access records to conduct our audits in compliance with the law and deserves a fair and impartial hearing on this matter, alongside independent legal representation, free from conflict. We, therefore, request the appointment of a Special Assistant Attorney General of our choosing to represent us on this matter because we believe a dangerous precedent is being set on this issue by the position of AGO, GOV, and Massport.

Our office does not discuss details of ongoing audits in order to comply with Section 12 of Chapter 11 of the General Laws, which mandates that we follow Generally Accepted Government Auditing Standards and do not jeopardize an audit’s integrity by disclosing sensitive information prior to the audit’s release. By inappropriately disclosing this sensitive information to non-auditees, AGO and Massport compromised the integrity of our audit and granted individuals the right to obstruct our office’s access to information needed to conduct our audit in accordance with the law. Additionally, AGO’s and Massport’s actions resulted in unnecessary interference, delaying our ongoing audit, which is authorized by statute. This was either an unintentional consequence of a disagreement regarding the law or an intentional attempt to coerce or pressure our office to back off from reviewing certain records that agencies may prefer to keep hidden. 

Before I address the two findings that the [Office of the State Auditor (OSA)] mistakenly believes apply to the AGO, I must address the Audit Report’s unfounded and unnecessary comments in the Other Matters section. The final sentence of that section is demonstrably inaccurate and must be stricken from the final report. The AGO did not send out Fair Information Practices Act (FIPA) notices to current and former employees impacted by the OSA’s request to examine personnel files to stymie the audit, but because the AGO has a legal duty to do so. It is the legal opinion of the AGO that [Chapter 66A of the General Laws] required these notices. The AGO disagrees that [Section 12 of Chapter 11 of the General Laws] authorizes access to personal data without notice to the data subject. Under Chapter 66A, the AGO is a state agency holding personal data and is prohibited from making personal data available in response to a demand for data by means of compulsory legal process unless the data subject has been notified of such demand with enough notice to have the process quashed. Moreover, as the holder of the data, the decision on whether FIPA required notice was the AGO’s, as if the AGO did not give notice and was incorrect about the legal analysis, the AGO would be the agency responsible for any resulting damages and attorney’s fees.

Additionally, the OSA’s contention that no other agency has ever raised FIPA concerns in response to requests for cybersecurity or ethics training records is inapposite as those records are not personal data under FIPA. Indeed, the AGO itself provided cybersecurity training records in its last OSA audit as FIPA did not apply to those records. Personnel files, however, clearly contain personal data as defined in FIPA, and at least two agencies in this tranche and previously the Governor’s Office on behalf of multiple agencies, have concluded that notice must be given before review.

The AGO’s FIPA compliance did not hinder the OSA’s review of the personnel records; to insinuate otherwise is demonstrably false. The OSA sent a letter to the AGO requesting to review 116 current and former employees’ personnel records on April 14, 2025. Following the FIPA notification process, the OSA was able to review each and every one of those 116 personnel records. The AGO provided notice to the data subjects on April 22, 2025. As required by [Section 2(k) of Chapter 66A of the General Laws], the AGO informed the data subjects that if they objected to the OSA’s request to review their files they have the right to ask a court to quash this request. The Audit Report references our notice of this right as if it was somehow improper rather than what is clearly required by [Section 2(k) of Chapter 66A of the General Laws] (“no personal data are made available in response to a demand for data made by means of compulsory legal process, unless the data subject has been notified of such demand in reasonable time that he may seek to have the process quashed.”) Regardless, none of the data subjects made such a motion to quash, so the OSA’s access to the requested records was exactly the same as it would have been had notice not been provided. This notice did not prevent the OSA from reviewing any requested personnel file and did not delay OSA’s review. The AGO and OSA entered into a Memorandum of Understanding regarding the review (attached)¹ on May 12, 2025, and OSA reviewed all 116 personnel files that were in its original request on that same day, less than thirty days after OSA’s request to the AGO. OSA did not find any additional settlement agreements in the requested personnel files.

The Audit Report’s use of the passive voice to suggest that the AGO gave FIPA notice as “an intentional attempt to coerce or pressure our office to back off from reviewing certain records that AGO [] may prefer to keep hidden” is flatly untrue, deliberately provocative, not supported by the facts, and must be stricken from the final report. . . . Given the legal and factual background, OSA’s inclusion of this section in the Audit Report is reflective of bad faith so substantial as to call into question OSA’s objectivity in conducting this audit.

[Footnote:]

1. Despite OSA’s current contention that [Section 12 of Chapter 11 of the General Laws] permits them to view and receive any document it requests for an audit, the memorandum includes an agreement that OSA may not view background checks in personnel files that contain Criminal Offender Record Information, which has its own statutory restrictions on dissemination.

The [Office of the State Auditor (OSA)] issued a Scope Limitation with respect to Massport’s delivery of notices to individuals selected by the OSA for personnel file review, based on the Massachusetts Fair Information Practices Act (“FIPA”), [Chapter 66A of the General Laws], and its associated regulations. Massport believes that its FIPA notices were required by law, as well as consistent with Massport’s past practices and its commitment to fairness to its employees. In any event, the OSA was able to review the great majority of personnel files that it had selected (111 of 121 files) and the OSA’s Final Report states that the OSA “determined that the data was sufficiently reliable for the purposes of its audit.”

Massport respectfully requests that the Final Report be revised to exclude Massport from Finding No. 4 and the associated Scope Limitations. Alternatively, we request that the Report include the following express acknowledgement of Massport’s positions:

1. Massport’s omission of seven agreements from its initial audit response stems from a good-faith difference in the parties’ understanding of the scope of the OSA’s audit requests; and
2. Massport’s issuance of FIPA notices to employees whose personnel files were selected for review by the OSA, and its temporary hold on the disclosure of the files of those employees who indicated an intention to object, is consistent with Massport’s understanding of its legal obligations and its past practices. Massport respects both the OSA’s authority and its employee’s privacy rights, and it has sought to honor both.

AGO and Massport indicate in their responses that they believe FIPA notices were required to be sent by law to current and former employees impacted by the Office of the State Auditor’s (OSA’s) request to examine personnel files. OSA does not agree and reiterates to AGO and Massport that the first time throughout history that an agency asserted the misapplication of this law was in December 2024 by the Healey-Driscoll administration with respect to personnel records from GOV and on behalf of executive branch agencies, as we have express authority to access these records under Section 12 of Chapter 11 of the General Laws. As stated above, our enabling statute is such statutory authorization, granting our office “access to . . . books, documents, vouchers and other records relating to any matter within the scope of an audit.”

Our position on this matter with the AGO and Massport is consistent with the position that our office took with GOV during our previous audit, where we rejected GOV’s application of FIPA and engaged with the AGO to adjudicate this matter in Superior Court. We explained to both AGO and GOV that no other auditee had ever raised FIPA concerns to deny us access to records or otherwise interfere with or obstruct our access to records. Indeed, our office provided AGO with several examples of recent audits where OSA accessed personnel files through our enabling statute and, most importantly, without notice to or consent from data subjects under FIPA. Yet, GOV, citing guidance from AGO, which was also alleging to have been representing our office’s legal interest at the time, interfered with and obstructed our access to information needed to conduct our audit on time. Our office learned that AGO, while claiming to be legally representing us on this matter, was simultaneously coaching GOV to invoke FIPA to block our access to the records that AGO had led us to believe it was helping us access. We disagreed with GOV and AGO’s position then, and we disagree with the position of AGO and Massport now. Although we were ultimately able to obtain access to all of the personnel files that we requested from AGO, Massport ultimately withheld 10 personnel files from our office that we requested to complete this audit. This misapplication of FIPA also delayed the completion of our audit fieldwork, as we had to wait for FIPA notices and the execution of Memoranda of Understanding with AGO and Massport. Once again, Section 12 of Chapter 11 of the General Laws provides us with statutory authority to access these records—access that is not subject to FIPA.

Our office provides oversight for over 200 state entities. OSA regularly requests and reviews (without notice to data subjects) personnel data and other personally identifiable information, including personal health information. Below are just some of the countless examples:

• Massachusetts Convention Center Authority, 2023-1272-3A (Issued August 19, 2024)—OSA reviewed personnel files in connection with non–union employee complaints and non–union employee settlement agreements.
• Hampden County District Attorney’s Office, 2022-1259-3J (Issued November 28, 2023)—“For the list of employees, we selected a random sample of 10 employees from HCDA’s personnel files and determined whether the information in the personnel files matched the data in the Massachusetts Management Accounting and Reporting System (MMARS). We also selected a judgmental sample of 10 employees from MMARS and traced the information to personnel files.” (p. 6)
• Division of Capital Asset Management and Maintenance, 2021-0025-3S (Issued February 23, 2022)—OSA reviewed employee personnel files to determine whether employees had cybersecurity awareness training certificates on file.
• Department of Industrial Accidents, 2019-0222-3S (Issued March 23, 2021)—“We examined that employee’s personnel file to determine whether the employee had been approved for, and received, a flextime schedule.” (p. 17)
• Greater Springfield Senior Services, Inc., 2019-4604-3C (Issued September 4, 2019)—“Additionally, we randomly selected 10 employees from the list obtained from APS, as well as their personnel files, and documented their dates of hire. . . we tested the entire population of 15 Protective Services Unit employees hired during the audit period by reviewing the 15 employee personnel files.” (p. 15)
• Worcester County Sheriff’s Office, 2018-1432-3J (Issued March 11, 2019)—“We selected a nonstatistical judgmental sample of 33 SSTA records and determined whether information in SSTA matched information in hardcopy employee personnel files. We also selected a nonstatistical judgmental sample of 32 employee personnel files and traced information in the personnel files to SSTA for agreement.” (p. 9)
• And lastly, State Auditor Joseph DeNucci’s audit of the General Court (House of Representatives), addressed to Speaker Flaherty and ironically conducted at the request of the then-Attorney General, “Overpayments to a Court Officer” (issued January 15, 1992), was entirely focused on reviewing personnel records. Specifically, “We reviewed documentation maintained by these agencies with respect to time and attendance, salary payments, accident reports, appeal reports, and related files.”

Had our office not been able to access personnel records in connection with our 1992 audit of the General Court (House of Representatives), which identified fraud, or in connection with any of the other audits listed above, our attempt to provide oversight would have been rendered meaningless.

Indeed, our review of personnel files for Massport uncovered an additional 7 settlement agreements that Massport failed to report to us. We would not have identified that these additional agreements existed had we not sought to verify Massport’s claims. This underscores the need for our access to verify and validate data provided to us by auditees, i.e., conduct actual audits and not just rely on testimonials.

The recently publicized circumstance involving a now-former state employee with a criminal history, who has been arrested and faces serious charges related to criminal activities allegedly conducted on and at the job in the Governor’s western Massachusetts office, underscores the need for access to personnel records to ensure proper oversight and compliance with all applicable laws, regulations, policies, and best practices. Under GOV’s, AGO’s, and Massport’s misinterpretation of the law, bad actors across our state government would be entitled to block statutorily authorized reviews of their personnel files by state oversight entities anytime they feared such a review might reveal misconduct. It is critical for oversight and the public’s faith in government that potential bad actors not be provided the opportunity to prevent appropriate accountability through false application of FIPA at the expense of the taxpaying public.