News
JAM | Feb 5, 2026

Audit finds systemic weaknesses in Hurricane Melissa Support Jamaica website 

/ Our Today


Durrant Pate/Contributor

The Hurricane Melissa Support Jamaica website is fraught with systemic weaknesses, according to the findings of a recent audit carried out by the Auditor General’s Department (AuGD).

The supportjamaica.gov.jm website was established upon the approach of Hurricane Melissa on October 28 last year, as a central digital platform to support national disaster response. The website is intended to serve as a single point for the collection and management of financial and in-kind donations, volunteer registration and coordination, emergency reporting, and engagement with local and international stakeholders. 

The main objective of this real-time audit is to determine whether internal controls are adequate to prevent fraud, waste and abuse of public resources during the disaster response and recovery. The AuGD identified significant weaknesses in ODPEM’s information security (IS) governance framework, which impacted the access controls over the Support Jamaica website.

“We found that ODPEM (Office of Disaster Preparedness and Emergency Management) did not have formally approved Information Security (IS) or Access Control policies and procedures to govern the assignment, management and monitoring of user rights across its information systems. In the absence of an established access policy, ODPEM operated without an enforceable standard for the provisioning, modification and deprovisioning of user accounts on the Support Jamaica-Administrative dashboard.

Consequently, ODPEM was exposed to an elevated risk of inappropriate or unauthorised access, inconsistent security practices, and weakened overall control of its information systems.”

The AuGD’s 23-page report, which focused on assessing whether appropriate IT controls exist over the www.supportjamaica.gov.jm website, was tabled in Parliament yesterday. It cited inadequate user access management. The audit team found that access was granted to eight external officers without documented requests, formal approvals, or evidence that the permissions assigned aligned with their official roles and responsibilities.

More lapses in management

In fact, “the audit confirmed the deprovisioning of only two officers, as the relevant audit log evidence was unavailable for the other six accounts. Additionally, we noted that one individual was elevated to ‘Super Admin’ status and subsequently provisioned multiple accounts without a documented basis for the level or duration of access granted. Similarly, we found that the Head of the Entity was assigned the ‘Super Admin’ role that provides full administrative, operational, reporting, and security privileges though system administration responsibilities were not consistent with his job function or justified.” 

As a result, there is an increased risk of unauthorised access to sensitive donor, financial and administrative data, potential misuse of system privileges, and non-compliance with applicable data protection laws. The audit also uncovered non-compliance with the Data Protection Act (DPA).

In December 2025, ODPEM and the developer of the Support Jamaica platform executed a Data Processing Agreement, formally designating ODPEM as Data Controller and the private developer as Data Processor. However, the audit found that while the Agreement referenced compliance with the DPA, General Data Protection Regulation (GDPR) Article 32, and System and Organization Controls 2 (SOC 2) security standards, there was no evidence that ODPEM verified the private developer’s compliance with those requirements.

The auditors report that ODPEM did provide evidence of assurances obtained to confirm the implementation of the technical and organisational safeguards mentioned in the agreement, with documentary evidence obtained indicating that the private developer was not SOC 2 Type 2 compliant at the date of the agreement or launch of the website. A review of the privacy policy on the Support Jamaica website revealed that the data processor’s access to personal data was not disclosed.

The policy also advised users to contact ODPEM’s Data Protection Officer (DPO), but the entity had not appointed a DPO, in breach of Section 20 of the DPA. Up to January 11, 2026, donations were successfully made by 16,900 individuals on the platform, while 4,628 individuals registered as volunteers.

Recommendations  

1. Management should approve and implement a formal Access Control Policy that requires documented justification for all user accounts, including those which may be assigned to external entities and government Ministries, Departments and Agencies. Access should be granted strictly in accordance with an individual’s roles and responsibilities and be aligned with the principle of least privilege. The policy should also require the timely deprovisioning of user access when access is no longer required, including upon role changes, completion of relief activities or termination of employment or engagement. A centralised log of access requests, approvals, modifications, and removals should also be maintained. Additionally, periodic reviews of user accounts and monitoring of privileged accounts should be implemented to ensure the continued appropriateness of access granted. 

2. ODPEM should immediately require the private developer, as the Data Processor, to provide documented and independently verifiable evidence demonstrating compliance with the technical and organisational security measures stipulated in the Data Processing Agreement. This should include confirmation of the safeguards implemented to protect personal and sensitive data collected through the supportjamaica.gov.jm platform, along with evidence of ongoing monitoring arrangements.

3. To strengthen governance, accountability, and statutory compliance, ODPEM must complete registration as a Data Controller with the Office of the Information Commissioner (OIC) and formally appoint a Data Protection Officer, as required by the DPA. 

4. Finally, ODPEM should review and update the privacy notice on the Support Jamaica website to accurately disclose the private developer’s role and access as a Data Processor, thereby ensuring transparency, reinforcing data-subject trust, and aligning public-facing statements with actual data-processing practices.
