Maryland Public Television failed to adequately protect donor financial information gathered during fundraising efforts, according to a state audit covering the years 2011 to 2015.
The report also questioned MPT's handling of contracts worth $8 million and its monitoring of payments to companies hired for such fundraising services as operating a call center.
MPT officials challenged the Department of Legislative Services' findings on the way contracts were awarded and other financial and procedural matters. It did not dispute the charges that donor privacy was not properly protected but stated that confidential information was not breached.
Damon Effingham, policy manager for Common Cause Maryland, said MPT's handling of donor information could undercut public trust in state agencies.
"While we are typically focused on the importance of public access to public data, protecting Marylanders' confidential data is the other side of that coin and just as important," he said.
"Marylanders must be able to trust that the state will be a dependable custodian of their information," he added. "Each time there is a breach of that trust, fewer people feel confident in interacting with the government at any level. Incidents like this point to the need for the state to have uniform best practices for data storage and handling — both to easily facilitate the sharing of public data and to safeguard the vital confidential data that our citizens share."
In an email response to The Baltimore Sun on Wednesday, Tom Williams, a spokesman for MPT, wrote: "We take the confidentiality of member information very seriously. In fact, as soon as these items were brought to our attention by the auditors, we immediately made appropriate changes to address their concerns."
At the heart of the donor privacy finding is the discovery that "numerous users" at the public broadcasting operation "had unnecessary access to information that is required to be kept confidential by state law."
That information is contained in donor databases and an online donation system, which viewers are urged to use during fundraising telecasts.
As of September, there were 61 users who "could access and modify donor information on the donor database" and 11 who "could access and modify credit card donation information, including account numbers and donation amounts, on the online donation system," according to the audit.
The audit, which covered the period from Dec. 1, 2011, to June 30, 2015, said 10 of the 61 users with access to the donor database "did not require it," while there were four users who did not need access to the online system.
The report faults MPT for failure to "periodically review user access to critical fundraising systems," but says MPT officials removed those users who did not require access during the audit when it was brought to their attention.
The report also found that "one user had the capability to change bank account information into which certain credit card donations were deposited even though the user did not require this capability."
The ability to change the destination accounts allowed for the possible "misappropriation of credit card donations without detection."
According to the report, $1.3 million in credit card donations was at risk because of this situation during the fiscal year of 2015.
In a response included within the final audit, MPT replied to the donor privacy portion of the report by saying it "does not dispute the finding, but notes that there has been no breach of any confidential information."
It also says it has complied with the audit, which recommended that the ability to change bank account information be restricted "only to applicable management personnel (such as the chief financial officer)."
The state agency named in the audit is the Maryland Public Broadcasting Commission, or MPBC, which holds MPT's broadcast licenses from the Federal Communications Commission and oversees it.