The Protection of Personal Information Data in the Public Sector

Study personal data protection 2011

DESCRIPTION

An investigation by Pro Acceso found a number of shortcomings in the monitoring and recording of personal data of citizens by government entities. Pro Acceso observes the compliance and non-compliance of the obligation that public and private institutions have to register information databases pertaining to the transfer of data to the Civil Register. Pro Acceso calls for more oversight over the registration of this information.

Page 1: Study personal data protection 2011

The Protection of Personal Information Data in the Public Sector

Page 2: Study personal data protection 2011

Technical Form

This study seeks to determine the level of treatment given to databases of personal information used by the public sector and whether these public institutions comply with Law No. 19.628 concerning the protection of that information.

166 requests for information were given to services and programs dependent on various ministries, the National Council for Culture and the Arts, and the National Women's Service.

These requests were delivered between the 16th and 24th of November 2010. Their responses were received between December 6, 2010 and January 13, 2011. The consulted organizations responded through the Request Management System or some other electronic form that sufficed as a requirement.

The main issues were to identify whether the institutions have personal information databases in compliance with Law No. 19.628, and if the institutions have one or more of these databases, to ascertain whether they have security systems in place that ensure the privacy of this data.

On the other hand, the study calls for the consulted institutions to justify the possession of these databases. Along these lines, the study reveals whether agencies have transferred personal data to either public or private entities during the past year. In addition, it reveals whether these entities received instructions from the Council for Transparency regarding Law No. 19.628 during the same time period.

The study also serves to form an analysis on the compliance of the consulted institutions as to whether they respond to requests within the deadlines stipulated in Law No. 20.285.

Page 3: Study personal data protection 2011

THE MINISTRIES THAT THE CONSULTED ORGANIZATIONS DEPEND ON (TOTAL= 166 INSTITUTIONS)

[Chart. In parentheses is the number of organizations that belong to each Ministry.]

Page 4: Study personal data protection 2011

THE MINISTRIES THAT THE CONSULTED ORGANIZATIONS DEPEND ON (TOTAL= 166 INSTITUTIONS)

[Chart. In parentheses is the number of organizations that belong to each Ministry.]

Page 5: Study personal data protection 2011

DID THE CONSULTED ORGANIZATION RESPOND TO THE INQUIRY? (TOTAL 166)

Page 6: Study personal data protection 2011

DID THE ORGANIZATION COMPLY WITH THE INQUIRY DEADLINE? (TOTAL= 166)

Page 7: Study personal data protection 2011

Does the service, benefit, and/or program have a database of information as defined by Law Nº 19.628? (TOTAL= 166)

63.3% of the institutions claim to have five or fewer databases.

Only 3.7% possess 20 or more databases.

The Social Protection Form of Mideplan is the organization with the most expansive database, containing 11,399,212 records.

Meanwhile, the National Board of Student Aid and Scholarships (Mineduc) has the largest number of records when all four of its databases are combined, equaling a total of 11,725,182 records.

The sum of all the records for each region of Serviu (Minvu) equals 7,411,412 total.

111 organizations claim to have databases of personal information.

Page 8: Study personal data protection 2011

In accordance with Article 12º of Law Nº 19.628, did an owner request access to his/her own personal information in the past year? (TOTAL= 111)

Page 9: Study personal data protection 2011

Has the service met its duty to register every database of personal information with the Civil Registry as required by Article 22 of Law No. 19.628? (TOTAL = 111)

Page 10: Study personal data protection 2011

What security measures did the Head of Service or responsible party for the management of databases take to ensure the due secrecy of the information? (TOTAL= 111)

Page 11: Study personal data protection 2011

What security measures did the Head of Service or responsible party for the management of databases take to ensure the due secrecy of the information? (TOTAL= 111)

Page 12: Study personal data protection 2011

What purposes regarding services, programs, and/or benefits do the institutions give to justify the existence of their information databases? (TOTAL= 111)

Page 13: Study personal data protection 2011

What purposes regarding services, programs, and/or benefits do the institutions give to justify the existence of their information databases? (TOTAL= 111)

Page 14: Study personal data protection 2011

Does the service, program, and/or benefit have a Department, Division, or Official in charge of monitoring the usage of personal data? (TOTAL= 111)

Page 15: Study personal data protection 2011

What is the backup method (Storage device or Digital Registry) that the service, benefit, and/or program utilizes for the usage of personal information? (TOTAL= 111)

Page 16: Study personal data protection 2011

In accordance with article 5º of Law Nº 19.628, does the service, program, and/or benefit have an authorization procedure for the transfer of data to other public services? (TOTAL= 111)

Page 17: Study personal data protection 2011

Has the service, program, and/or benefit performed some transfer of personal data to either a public or private party (person or company) in the past year? (TOTAL= 111)

Page 18: Study personal data protection 2011

Conclusions

• The study finds a high level of responses and compliance with the deadline for information requests. However, the 25% of unanswered requests is significant.

• The majority of state agencies have databases; however, only 43% of them have reported having met their legal obligation to register with the Civil Registry. This impedes knowing what legal basis the non-compliant institutions have for possessing databases of personal information, what the purpose is for possessing these databases, the type of data stored, and the descriptions of the universe of people whose information could be included in the databases. All of this hinders the ability to exercise the rights to request information about, add to, modify, delete, or block personal data (habeas data).

• Regarding the backup of data, the study indicates that only 21% of the companies that responded have security policies, and moreover, not all public institutions have a manager or department to ensure the security of information contained in the databases (only 73% have a responsible party). This can turn into a potential breach of the Technical Standards for the Bodies of State Administration on Security and Privacy of Electronic Documents (DS No. 83, 2004 General Secretariat of the Presidency).

Page 19: Study personal data protection 2011

Conclusions

• The majority of the existing databases relate to registration of beneficiaries, claims management, and human resources, while only 2.7% of the institutions declared having data for statistical purposes. The latter demonstrates the low level of processing of the data that is in state hands, which is important to keep in mind when developing public policy.

• 48% of the consulted institutions made transfers of personal data to other public or private institutions. However, only 43% declared that they had authorization procedures for the transmission to other public bodies, which shows the need to observe the transfers of information in greater detail to see if they have met all legal requirements, especially those that eventually could have gone to the private sector.

Page 20: Study personal data protection 2011

Comparison of the 2010 and 2009 Studies

In 2009, Pro Acceso conducted its first study on personal data. 164 requests were made to institutions under the Ministry of Planning and Cooperation, the Ministry of Housing and Development, the Ministry of Health, the Ministry of Education, the Ministry of Labor, and the National Service of Women to assess the level of management and protection of this data by the public system.

In order to analyze, to some extent, the results of the 2009 study with the 2010 version, some of the figures must be checked. The comparison will take into account only the institutions belonging to the same ministries evaluated in 2009 and 2010. As a result, the 164 bodies consulted in 2009 will be compared to 83 from the 2010 study.

While in 2009 only 30% of the 164 institutions surveyed responded to the request, in 2010, 70% of the 83 entities responded. This undoubtedly represents an advance in transparency and access to public information.

Of the 50 institutions that responded in 2009, 78% reported having one or more databases of personal data. Meanwhile, 58 entities that responded to the request in 2010 claimed to have personal databases.

Only 13% of institutions that reported having databases in 2009 fulfilled their duty to register in the Civil Registry, as required by law. In 2010 the number of entities that complied with the registration increased to 52%. This figure, however, remains low.

Finally, in 2009 only 13% of the agencies reported having a department or division responsible for monitoring the treatment of their databases. The 2010 study indicates that this year, the figure rose to 81%.

Page 21: Study personal data protection 2011

ANNEXES

Page 22: Study personal data protection 2011

Ministry of the Interior

• CONACE

• División de gobierno

• Extranjería y Migración

• Fondo social

• OEP

• Programa DDHH

Ministry of Foreign Affairs:

• Dirección de Política Consular

• Dirección general de Asuntos Consulares y de Inmigración

• Direcon

Ministry of Finance

• Casa de Moneda

• Dirección de Compras y Contratación Pública

• Dirección de Presupuesto

• Dirección Nacional del Servicio Civil

Ministry of Defense:

• Armada

• Carabineros

• Ejército

• FACH

• Investigaciones

Ministry of Justice:

• Corporación Asistencia Judicial

• Defensoría Penal Pública

• Gendarmería

• Sename

ANNEXES 1: Organizations Consulted

Page 23: Study personal data protection 2011

Ministry of Health:

• Cenabast

• Comisión Presidencial de Salud

• Fonasa

• Instituto Salud Pública

• Ministerio de Salud

• Servicio de Salud Aconcagua

• Servicio de Salud Antofagasta

• Servicio de Salud Araucanía Norte

• Servicio de Salud Araucanía Sur

• Servicio de Salud Arauco

• Servicio de Salud Arica

• Servicio de Salud Atacama

• Servicio de Salud Bío-Bío

• Servicio de Salud Chiloé

• Servicio de Salud Concepción

• Servicio de Salud Coquimbo

• Servicio de Salud Iquique

• Servicio de Salud Magallanes

• Servicio de Salud Maule

• Servicio de Salud Ñuble

• Servicio de Salud O’Higgins

• Servicio de Salud Talcahuano

Ministry of Education:

• Becas Chile

• Comisión Nacional de Acreditación

• Conicyt

• Consejo de Rectores

• Dibam

• Junaeb

• Junji

• Ministerio de Educación

• Programa de Becas y Créditos

• Programa Educar Chile

• Programa Enlaces

• Programa Inglés Abre Puertas

• Red de Fundaciones

Ministry of Economy:

• Comité de Inversiones Extranjeras

• Consejo Nacional de Innovación

• Corfo

• Departamento de Cooperativas

• Estrategia Digital

• Fiscalía Nacional Económica

• Inapi

• Ine

• Sernotec

• Sernac

• Sernatur

Ministry of Public Works:

• Coordinación de Concesiones OP

• Dirección de Contabilidad y Finanzas

• Dirección de Aeropuertos

• Dirección de Arquitectura

• Dirección de Obras Hidráulicas

• Dirección de Planeamiento

• Dirección de Vialidad

• Dirección General de Aguas

• Dirección General de Obras Públicas

• Dirección Obras Portuarias

• Fiscalía

• Instituto Nacional de Hidráulica

ANNEXES 1: Organizations Consulted

Page 24: Study personal data protection 2011

Ministry of Housing:

• Ministerio de Vivienda y Urbanismo

• Parque Metropolitano

• Plan Chile Unido Reconstruye Mejor

Ministry of Employment:

• Dicrep

• Dirección del Trabajo

• Instituto de Previsión Social

• Instituto Seguridad Laboral

• Ministerio del Trabajo

• Sence

Ministry of Agriculture:

• Ciren

• CNR

• Conaf

• Consejo de la Cultura y las Artes

• FIA

• Indap

• Inia

• Instituto Forestal

• Odepa

• SAG

Ministry of National Assets:

• Ministerio de Bienes Nacionales

Ministry of Planning and Cooperation:

• Conadi

• Ficha Protección Social

• Fosis

• Injuv

• Ministerio de Planificación

• Senadis

ANNEXES 1: Organizations Consulted

Page 25: Study personal data protection 2011

Ministry of Mining:

• Cochilco

• Onemi

• Sernageomin

Ministry of Transportation:

• Junta Aeronáutica Civil

Ministry of the Secretary General of the Government:

• CNTV

• Instituto Nacional del Deporte

Ministry of the Secretary General of the Presidency:

• Agencia Chilena Para la Inocuidad Alimentaria

• Comisión de Probidad y Transparencia

• Comisión Defensor Ciudadana

• Comisión Nacional de Asuntos Religiosos

• Senama

Ministry of National Service of Women:

• Programa de Prevención de Violencia Intrafamiliar Centro

• Programa Mejorando la Empleabilidad y Condiciones Laborales

• Programa Mujeres Jefas de Hogar

ANNEXES 1: Organizations Consulted

Page 26: Study personal data protection 2011

1) Organization to which the request was made

2) Organization that responded to the request

ANNEXES 2: Questionnaires

Page 27: Study personal data protection 2011

ANNEXES 2: Questionnaires

3) Ministry to which the organization belongs

INTERIOR 1

RE.EE 2

FINANCE 3

DEFENSE 4

JUSTICE 5

HEALTH 6

EDUCATION 7

ECONOMY 8

PUBLIC WORKS 9

HOUSING 10

LABOR 11

AGRICULTURE 12

NATIONAL ASSETS 13

COUNCIL FOR CULTURE AND ARTS 14

MIDEPLAN 15

MINING 16

TRANSPORT AND TELECOM. 17

SEGEGOB 18

SEGPRES 19

SERNAM 20

Page 28: Study personal data protection 2011

ANNEXES 2: Questionnaires

4) Responded to Request

5) Date that the inquiry was received (day, month and year; to fill with numbers):

6) Deadline of the organization to respond to the request (day, month, and year; to fill with numbers):

7) Did the organization comply with the required response time?

8) Was there a referral to another organization?

Page 29: Study personal data protection 2011

ANNEXES 2: Questionnaires

9) Was there consultation with third parties?

9.1 Did the third party reserve the information?

10) Required information:

1. Does the service, program and/or benefit have a database of personal information as defined in Law Nº 19.628?

2. For a positive response, how many databases does the service, program, or benefit have?

3. How many people use each database of personal information for services, programs, or benefits?

Page 30: Study personal data protection 2011

ANNEXES 2: Questionnaires

4. In accordance with Article 12º of Law Nº 19.628, did an owner request access to his/her own personal information in the past year?

5. Has the service met its duty to register every database of personal information with the Civil Registry as required by Article 22 of Law No. 19.628?

Page 31: Study personal data protection 2011

6) What security measures did the Head of Service or responsible party for the management of databases take to ensure the due secrecy of the information?

ANNEXES 2: Questionnaires

Antivirus 1

Own Software 2

Restricted Access Internal Server 3

Backup Copy 4

Data Provided by Interested Parties 5

Several Media at Once 6

Other - Which? (Write) 7

None 8

Page 32: Study personal data protection 2011

ANNEXES 2: Questionnaires

7) What purposes regarding services, programs, and/or benefits do the institutions give to justify the existence of their information databases?

To Quantify the Number of Entries 1

To Register Beneficiaries 2

To Monitor and Process Claims 3

Other - Which? (Write In) 4

8) Does the service, program, and/or benefit have a Department, Division, or Official in charge of monitoring the usage of personal data?

Page 33: Study personal data protection 2011

ANNEXES 2: Questionnaires

9. What is the backup method (Storage device or Digital Registry) that the service, benefit, and/or program utilizes for the usage of personal information? (TOTAL= 111)

Storage Device 1

Digital Registry 2

Storage Device and Digital Registry 3

10. In accordance with article 5º of Law Nº 19.628, does the service, program, and/or benefit have an authorization procedure for the transfer of data to other public services?

11. Has the service, program, and/or benefit performed some transfer of personal data to either a public or private party (person or company) in the past year?

12. In accordance with the first art. of Article 33 letter (m) of Law No. 20.285, did the service or program receive instructions from the Council for Transparency on the implementation of Law No. 19.628?