Upload
fundacion-pro-acceso
View
217
Download
1
Tags:
Embed Size (px)
DESCRIPTION
An investigation by Pro Acceso found a number of shortcomings in the monitoring and recording of personal data of citizens by government entities. Pro Acceso observes the compliance and non-compliance of the obligation that public and private institutions have to register information databases pertaining to the transfer of data to the Civil Register. Pro Acceso calls for more oversight over the registration of this information.
Citation preview
The Protection of Personal
Information Data in the Public
Sector
Technical Form
This study seeks to determine the level of treatment
given to databases of personal information used by the
public sector and whether these public institutions
comply with Law No. 19.628 concerning the
protection of that information.
166 requests for information were given to services and
programs dependent on various ministries, the National
Council for Culture and the Arts, and the National
Women's Service.
These requests were delivered between the 16th
and 24th of November 2010. Their responses
were received between December 6, 2010 and January
13, 2011. The consulted organizations
responded through the Request
Management System or some other electronic form
that sufficed as a requirement.
The main issues were to identify whether the institutions
have personal information databases in compliance with
Law No. 19,628, and if the institutions have one or more of
these databases, to ascertain whether they have systems
of security in place that ensures the privacy of this data.
On the other hand, the study calls for the consulted
institutions to justify the possession of
these databases. Along these lines, the study reveals
whether agencies have transferred personal data to
either public or private entities during the past year. In
addition, it reveals whether these entities received
instructions from the Council for Transparency regarding
Law No. 19.628 during the same time period.
The study also serves to form an analysis on the
compliance of the consulted institutions as to whether they
respond to requests within the deadlines stipulated in Law
No. 20.285.
THE MINISTRIES THAT THE CONSULTED ORGANIZATIONS
DEPEND ON (TOTAL= 166 INSTITUTIONS)
(9)
(10)
(4)(5)
(11)(13)
(11) (11)
(3)
(34)
In parentheses is the number of organizations that belong to each Ministry
(9)
(1)
(2)
(3)(2)
(5)
(17)
(6)
(9)
In parentheses is the number of organizations that belong to each Ministry
(1)
THE MINISTRIES THAT THE CONSULTED ORGANIZATIONS
DEPEND ON (TOTAL= 166 INSTITUTIONS)
DID THE CONSULTED ORGANIZATION RESPOND TO THE INQUIRY? (TOTAL 166)
DID THE ORGANIZATION COMPLY WITH THE INQUIRY DEADLINE? (TOTAL=
166)
Does the service, benefit, and/or program have a database of information
as defined by Law Nº 19.628? (TOTAL= 166)
63.3% of the institutions claim to have five or less
databases.
Only 3.7% possess 20 or more databases.
The Social Protection Form of Mideplan is the
organization with the most expansive database
containing 11,399,212 records.
Meanwhile, the National Board of Student Aid and
Scholarships (Mineduc) has the largest amount of
records when all four of their databases are
combined, equaling a total 11,725,182 records.
The sum of all the records for each region of Serviu (Minvu)
equals 7,411,412 total.
111 organizations claim to
have databases of personal
information.
In accordance with Article 12º of Law Nº 19.628, did an owner request
access to his/her own personal information in the past year? (TOTAL= 111)
Has the service met its duty to register every database of personal information with the Civil
Registry as required by Article 22 of Law No. 19.628? (TOTAL = 111)
What security measures did the Head of Service or responsible party for the management of
databases take to ensure the due secrecy of the information? (TOTAL= 111)
What security measures did the Head of Service or responsible party for the management
of databases take to ensure the due secrecy of the information? (TOTAL= 111)
What purposes regarding services, programs, and/or benefits do the institutions give to
justify the existence of their information databases? (TOTAL= 111)
What purposes regarding services, programs, and/or benefits do the institutions give to
justify the existence of their information databases? (TOTAL= 111)
Does the service, program, and/or benefit have a Department, Division, or Official in charge
of monitoring the usage of personal data? (TOTAL= 111)
What is the backup method (Storage device or Digital Registry) that the service, benefit, and/or program utilizes for the usage of personal information? (TOTAL= 111)
In accordance with article 5º of Law Nº 19.628, does the service, program, and/or benefit
have an authorization procedure for the transfer of data to other public services? (TOTAL=
111)
Has the service, program, and/or benefit performed some transfer of personal data to either a
public or private party (person or company) in the past year? (TOTAL= 111)
Conclusions
• The study finds a high level of responses and
compliance with the deadline for information requests.
However, the 25% of unanwered requests is significant.
• The majority of state agencies have databases,
however, only 43% of them have reported having met
their legal obligation to register with the Civil
Registry. This impedes knowing what legal basis the non-
compliant institutions have for possessing databases of
personal information, what the purpose is for possessing
these databases, the type of data stored, and the
descriptions of the universe of people whose information
could be included in the databases. All of this hinders the
ability to exercise the rights to request information
about, add to, modify, delete, or block personal data
(habeas data).
• Regarding the backup of data, the study indicates
that only 21% of the companies that
responded have security policies, and moreover, not
all public institutions have a manager or department to
ensure the security of information contained in the
databases (only 73% have a responsible party). This can
transform into a potential breach of the Technical
Standards for the Bodies of State Administration on
Security and Privacy of Electronic Documents (DS No. 83,
2004 General Secretariat of the Presidency)
Conclusions
• The majority of the existing databases relate to
registration of beneficiaries, claims management, and
human resources, while only 2.7% of the institutions
declared to have data for statistical purposes. The
latter demonstrates the low level of processing data that is
in state hands, which is important to keep in mind when
developing public policy.
• 48% of the consulted institutions made transfers of
personal data to other public or private
institutions. However, only 43% declared that they
had authorization procedures for the transmission to
other public bodies, which shows the need to observe the
transfers of information in greater detail to see if they
have met all legal requirements, especially those that
eventually could have gone to the private sector.
Comparison of the
2010 and 2009 Studies
In 2009, Pro Acceso conducted its first study on personal
data. 164 requests were made to institutions under
the Ministry of Planning and Cooperation, the Ministry of
Housing and Development, the Ministry of Health, the
Ministry of Education, the Ministry of Labor, and the
National Service of Women to assess the level of
management and protection of this data by the public
system.
In order to analyze, to some extent, the results of the
2009 study with the 2010 version, some of the figures
must be checked. The comparison will take into account
only the institutions belonging to the same
ministries evaluated in 2009 and 2010. As a result, the
164 bodies consulted in 2009 will be compared to 83
from the 2010 study.
While in 2009 only 30% of the
164 institutions surveyed responded to the request, in
2010, 70% of the 83 entities responded. This undoubtedly
represents an advance in transparency and access
to public information.
Of the 50 institutions that responded in 2009, 78%
reported having one or more databases of personal
data. Meanwhile, 58 entities that responded to the
request in 2010 claimed to have personal databases.
Only 13% of institutions that reported having database in
2009 fulfilled their duty to register in the Civil Registry,
as required by law. In 2010 the number of entities that
complied with the registration increased to 52%. This
figure, however, remains low.
Finally, in 2009 only 13% of the agencies reported having
a department or division responsible for monitoring the
treatment of their databases. The 2010 study indicates
that this year, the figure rose to 81%.
ANNEXES
Ministry of the
Interior
• CONACE
• División de gobierno
• Extranjería y Migración
• Fondo social
• OEP
• Programa DDHH
Ministry of Foreign
Affairs:
• Dirección de Política Consular
• Dirección general de Asuntos
Consulares y de Inmigración
• Direcon
Ministry of Finance
• Casa de Moneda
• Dirección de Compras y
Contratación Pública
• Dirección de Presupuesto
• Dirección Nacional del Servicio Civil
Ministry of
Defense:
• Armada
• Carabineros
• Ejército
• FACH
• Investigaciones
Ministry of Justice:
• Corporación Asistencia Judicial
• Defensoría Penal Pública
• Gendarmería
• Sename
ANNEXES 1: Organizations Consulted
Ministry of Health:
• Cenabast
• Comisión Presidencial de Salud
• Fonasa
• Instituto Salud Pública
• Ministerio de Salud
• Servicio de Salud Aconcagua
• Servicio de Salud Antofagasta
• Servicio de Salud Araucanía Norte
• Servicio de Salud Araucanía Sur
• Servicio de Salud Arauco
• Servicio de Salud Arica
• Servicio de Salud Atacama
• Servicio de Salud Bío-Bío
• Servicio de Salud Chiloé
• Servicio de Salud Concepción
• Servicio de Salud Coquimbo
• Servicio de Salud Iquique
• Servicio de Salud Magallanes
• Servicio de Salud Maule
• Servicio de Salud Ñuble
• Servicio de Salud O’Higgins
• Servicio de Salud Talcahuano
Ministry of Education:
• Becas Chile
• Comisión Nacional de Acreditación
• Conicyt
• Consejo de Rectores
• Dibam
• Junaeb
• Junji
• Ministerio de Educación
• Programa de Becas y Créditos
• Programa Educar Chile
• Programa Enlaces
• Programa Inglés Abre Puertas
• Red de Fundaciones
Mnistry of Economy:
• Comité de Inversiones Extranjeras
• Consejo Nacional de Innovación
• Corfo
• Departamento de Cooperativas
• Estrategia Digital
• Fiscalía Nacional Económica
• Inapi
• Ine
• Sernotec
• Sernac
• Sernatur
Ministry of Public Works:
• Coordinación de Concesiones OP
• Dirección de Contabilidad y Finanzas
• Dirección de Aeropuertos
• Dirección de Arquitectura
• Dirección de Obras Hidráulicas
• Dirección de Planeamiento
• Dirección de Vialidad
• Dirección General de Aguas
• Dirección General de Obras Públicas
• Dirección Obras Portuarias
• Fiscalía
• Instituto Nacional de Hidráulica
ANNEXES 1: Organizations Consulted
Ministry of Housing:
• Ministerio de Vivienda y Urbanismo
• Parque Metropolitano
• Plan Chile Unido Reconstruye Mejor
Ministry of Employment:
• Dicrep
• Dirección del Trabajo
• Instituto de Previsión Social
• Instituto Seguridad Laboral
• Ministerio del Trabajo
• Sence
Ministry of
Agriculture:
• Ciren
• CNR
• Conaf
• Consejo de la Cultura y las Artes
• FIA
• Indap
• Inia
• Instituto Forestal
• Odepa
• SAG
Ministry of National
Assets:
• Ministerio de Bienes Nacionales
Ministry of Planning and
Cooperation:
• Conadi
• Ficha Protección Social
• Fosis
• Injuv
• Ministerio de Planificación
• Senadis
ANNEXES 1: Organizations Consulted
Ministry of
Mining:
• Cochilco
• Onemi
• Sernageomin
Ministry of
Transportation:
• Junta Aeronáutica Civil
Ministry of the
Secretary General of
the Government:
• CNTV
• Instituto Nacional del Deporte
Ministry of the Secretary
General of the Presidency:
• Agencia Chilena Para la Inocuidad Alimentaria
• Comisión de Probidad y Transparencia
• Comisión Defensor Ciudadana
• Comisión Nacional de Asuntos Religiosos
• Senama
Ministry of National Service
of Women:
• Programa de Prevención de Violencia
Intrafamiliar Centro
• Programa Mejorando la Empleabilidad y
Condiciones Laborales
• Programa Mujeres Jefas de Hogar
ANNEXES 1: Organizations Consulted
1) Organization to which the request was made
2) Organization that responded to the request
ANNEXES 2: Questionnaires
ANNEXES 2: QuestionnairesINTERIOR 1
RE.EE 2
HACIENDA 3
DEFENSA 4
JUSTICIA 5
SALUD 6
EDUCACIÓN 7
ECONOMÍA 8
OBRAS PÚBLICAS 9
VIVIENDA 10
TRABAJO 11
AGRICULTURA 12
BIENES NACIONALES 13
CON. CULTURA Y ARTES 14
MIDEPLAN 15
MINERÍA 16
TRANSPORTES Y TELEC. 17
SEGEGOB 18
SEGPRES 19
SERNAM 20
3) Ministry to which the organization belongs
ANNEXES 2: Questionnaires
/ /
4) Responded to Request
5) Date that the inquiry was received (day, month
and year; to fill with numbers):
6) Deadline of the organization to respond to the
request (day, month, and year; to fill with
numbers):
7) Did the organization comply with the required
response time?
8) Was there a referral to another organization
ANNEXES 2: Questionnaires9) Was there consultation with third parties?
9.1 Did the third party reserve the information
10) Required information:
1. Does the service, program and/or benefit have a
database of personal information as defined in Law
Nº 19. 628?
2. For a positive response, how many databases
does the service, program, or benefit have?
3. How many people use each database of personal
information for services, programs, or benefits?
ANNEXES 2: Questionnaires
4. In accordance with Article 12º of Law Nº 19.628,
did an owner request access to his/her own
personal information in the past year?
5. Has the service met its duty to register every
database of personal information with the Civil
Registry as required by Article 22 of Law No.
19.628?
6) What security measures did the Head of
Service or responsible party for the
management of databases take to
ensure the due secrecy of the
information?
ANNEXES 2: Questionnaires
Antivirus 1
Own Software 2
Restricted Access Internal Server 3
Backup Copy 4
Data Provided by Interested Parties 5
Several Media at Once 6
Other - Which? (Write) 7
None 8
ANNEXES 2: Questionnaires
7) What purposes regarding services, programs,
and/or benefits do the institutions give to justify
the existence of their information databases?
8) Does the service, program, and/or benefit have a
Department, Division, or Official in charge of
monitoring the usage of personal data?
To Quantify the Number of Entries 1
To Register Beneficiaries 2
To Monitor and Process Claims 3
Other - Which? (Write In) 4
ANNEXES 2: Questionnaires
9. What is the backup method (Storage device or Digital Registry)
that the service, benefit, and/or program utilizes for the usage of
personal information? (TOTAL= 111)
10. In accordance with article 5º of Law Nº 19.628, does the
service, program, and/or benefit have an authorization procedure
for the transfer of data to other public services?
11. Has the service, program, and/or benefit performed some
transfer of personal data to either a public or private party (person
or company) in the past year?
12. In accordance with the first art. of Article 33 letter (m) of
Law No. 20.285, did the service or program receive instructions
from the Council for Transparency on the implementation of
Law No. 19.628?
Storage Device 1
Digital Registry 2
Storage Device and Digital Registry 3