The Protection of Personal Information Data in the Public Sector
Technical Form This study seeks to determine the level of treatment given to databases of personal information used by the public sector and whether these public institutions comply with Law No. 19.628 concerning the protection of that information. 166 requests for information were given to services and programs dependent on various ministries, the National Council for Culture and the Arts, and the National Women's Service. These requests were delivered between the 16th and 24th of November 2010. Their responses were received between December 6, 2010 and January 13, 2011. The consulted organizations responded through the Request Management System or some other electronic form that sufficed as a requirement.
The main issues were to identify whether the institutions have personal information databases in compliance with Law No. 19,628, and if the institutions have one or more of these databases, to ascertain whether they have systems of security in place that ensures the privacy of this data. On the other hand, the study calls for the consulted institutions to justify the possession of these databases. Along these lines, the study reveals whether agencies have​ transferred personal data to either public or private entities during the past year. In addition, it reveals whether these entities received instructions from the Council for Transparency regarding Law No. 19.628 during the same time period. The study also serves to form an analysis on the compliance of the consulted institutions as to whether they respond to requests within the deadlines stipulated in Law No. 20.285.
THE MINISTRIES THAT THE CONSULTED ORGANIZATIONS DEPEND ON (TOTAL= 166 INSTITUTIONS)
(34)
(10) (9)
(5)
(11)
(13)
(11)
(11)
(4)
In parentheses is the number of organizations that belong to each Ministry
(3)
THE MINISTRIES THAT THE CONSULTED ORGANIZATIONS DEPEND ON (TOTAL= 166 INSTITUTIONS) (17)
(9)
(9)
(6) ( 5 )
(2) (3) (1)
(2)
(1)
In parentheses is the number of organizations that belong to each Ministry
DID THE CONSULTED ORGANIZATION RESPOND TO THE INQUIRY? (TOTAL 166)
DID THE ORGANIZATION COMPLY WITH THE INQUIRY DEADLINE? (TOTAL= 166)
Does the service, benefit, and/or program have a database of information as defined by Law Nยบ 19.628? (TOTAL= 166) 63.3% of the institutions claim to have five or less databases. Only 3.7% possess 20 or more databases.
The Social Protection Form of Mideplan is the organization with the most expansive database containing 11,399,212 records.
111 organizations claim to have databases of personal information.
Meanwhile, the National Board of Student Aid and Scholarships (Mineduc) has the largest amount of records when all four of their databases are combined, equaling a total 11,725,182 records. The sum of all the records for each region of Serviu (Minvu) equals 7,411,412 total.
In accordance with Article 12ยบ of Law Nยบ 19.628, did an owner request access to his/her own personal information in the past year? (TOTAL= 111)
Has the service met its duty to register every database of personal information with the Civil Registry as required by Article 22 of Law No. 19.628? (TOTAL = 111)
What security measures did the Head of Service or responsible party for the management of databases take to ensure the due secrecy of the information? (TOTAL= 111)
What security measures did the Head of Service or responsible party for the management of databases take to ensure the due secrecy of the information? (TOTAL= 111)
What purposes regarding services, programs, and/or benefits do the institutions give to justify the existence of their information databases? (TOTAL= 111)
What purposes regarding services, programs, and/or benefits do the institutions give to justify the existence of their information databases? (TOTAL= 111)
Does the service, program, and/or benefit have a Department, Division, or Official in charge of monitoring the usage of personal data? (TOTAL= 111)
What is the backup method (Storage device or Digital Registry) that the service, benefit, and/or program utilizes for the usage of personal information? (TOTAL= 111)
In accordance with article 5ยบ of Law Nยบ 19.628, does the service, program, and/or benefit have an authorization procedure for the transfer of data to other public services? (TOTAL= 111)
Has the service, program, and/or benefit performed some transfer of personal data to either a public or private party (person or company) in the past year? (TOTAL= 111)
Conclusions • The study finds a high level of responses and compliance with the deadline for information requests. However, the 25% of unanwered requests is significant. • The majority of state agencies have databases, however, only 43% of them have reported having met their legal obligation to register with the Civil Registry. This impedes knowing what legal basis the noncompliant institutions have for possessing databases of personal information, what the purpose is for possessing these databases, the type of data stored, and the descriptions of the universe of people whose information could be included in the databases. All of this hinders the ability to exercise the rights to request information about, add to, modify, delete, or block personal data (habeas data).
• Regarding the backup of data, the study indicates that only 21% of the companies that responded have security policies, and moreover, not all public institutions have a manager or department to ensure the security of information contained in the databases (only 73% have a responsible party). This can transform into a potential breach of the Technical Standards for the Bodies of State Administration on Security and Privacy of Electronic Documents (DS No. 83, 2004 General Secretariat of the Presidency)
Conclusions • The majority of the existing databases relate to registration of beneficiaries, claims management, and human resources, while only 2.7% of the institutions declared to have data for statistical purposes. The latter demonstrates the low level of processing data that is in state hands, which is important to keep in mind when developing public policy.
• 48% of the consulted institutions made transfers of personal data to other public or private institutions. However, only 43% declared that they had authorization procedures for the transmission to other public bodies, which shows the need to observe the transfers of information in greater detail to see if they have met all legal requirements, especially those that eventually could have gone to the private sector.
Comparison of the 2010 and 2009 Studies In 2009, Pro Acceso conducted its first study on personal data. 164 requests were made to institutions under the Ministry of Planning and Cooperation, the Ministry of Housing and Development, the Ministry of Health, the Ministry of Education, the Ministry of Labor, and the National Service of Women to assess the level of management and protection of this data by the public system. In order to analyze, to some extent, the results of the 2009 study with the 2010 version, some of the figures must be checked. The comparison will take into account only the institutions belonging to the same ministries evaluated in 2009 and 2010. As a result, the 164 bodies consulted in 2009 will be compared to 83 from the 2010 study.
While in 2009 only 30% of the 164 institutions surveyed responded to the request, in 2010, 70% of the 83 entities responded. This undoubtedly represents an advance in transparency and access to public information. Of the 50 institutions that responded in 2009, 78% reported having one or more databases of personal data. Meanwhile, 58 entities that responded to the request in 2010 claimed to have personal databases. Only 13% of institutions that reported having database in 2009 fulfilled their duty to register in the Civil Registry, as required by law. In 2010 the number of entities that complied with the registration increased to 52%. This figure, however, remains low. Finally, in 2009 only 13% of the agencies reported having a department or division responsible for monitoring the treatment of their databases. The 2010 study indicates that this year, the figure rose to 81%.
ANNEXES
ANNEXES 1: Organizations Consulted
Ministry of the Interior
Ministry of Foreign Affairs:
Ministry of Finance
Ministry of
Ministry of Justice:
• Casa de Moneda
• Dirección de Política Consular
Defense:
• Corporación Asistencia Judicial
• CONACE
• Dirección general de Asuntos Consulares y de Inmigración
• Dirección de Compras y Contratación Pública
• Armada
• Defensoría Penal Pública
• División de gobierno
• Carabineros
• Gendarmería
• Ejército
• Sename
• Extranjería y Migración • Fondo social
• Direcon
• Dirección de Presupuesto • Dirección Nacional del Servicio Civil
• OEP
• FACH
• Programa DDHH
• Investigaciones
ANNEXES 1: Organizations Consulted Ministry of Health:
Ministry of Education:
Mnistry of Economy:
Ministry of Public Works:
• Servicio de Salud Iquique
• Becas Chile
• Comité de Inversiones Extranjeras
• Coordinación de Concesiones OP
• Servicio de Salud Magallanes
• Comisión Nacional de Acreditación
• Consejo Nacional de Innovación
• Dirección de Contabilidad y Finanzas
• Servicio de Salud Maule
• Conicyt
• Corfo
• Dirección de Aeropuertos
• Servicio de Salud Ñuble
• Consejo de Rectores
• Departamento de Cooperativas
• Dirección de Arquitectura
• Servicio de Salud O’Higgins
• Dibam
• Estrategia Digital
• Dirección de Obras Hidráulicas
• Servicio de Salud Talcahuano
• Junaeb
• Fiscalía Nacional Económica
• Dirección de Planeamiento
• Servicio de Salud Antofagasta
• Junji
• Inapi
• Dirección de Vialidad
• Servicio de Salud Araucanía Norte
• Ministerio de Educación
• Ine
• Dirección General de Aguas
• Servicio de Salud Araucanía Sur
• Programa de Becas y Créditos
• Sernotec
• Dirección General de Obras Públicas
• Servicio de Salud Arauco
• Programa Educar Chile
• Sernac
• Dirección Obras Portuarias
• Servicio de Salud Arica
• Programa Enlaces
• Sernatur
• Fiscalía
• Servicio de Salud Atacama
• Programa Inglés Abre Puertas
• Servicio de Salud Bío-Bío
• Red de Fundaciones
• Cenabast • Comisión Presidencial de Salud • Fonasa • Instituto Salud Pública • Ministerio de Salud • Servicio de Salud Aconcagua
• Servicio de Salud Chiloé • Servicio de Salud Concepción • Servicio de Salud Coquimbo
• Instituto Nacional de Hidráulica
ANNEXES 1: Organizations Consulted Ministry of Housing:
Ministry of Employment:
• Ministerio de Vivienda y Urbanismo
• Dicrep
• Parque Metropolitano
• Dirección del Trabajo
• Plan Chile Unido Reconstruye Mejor
• Instituto de Previsión Social • Instituto Seguridad Laboral • Ministerio del Trabajo • Sence
Ministry of Agriculture: • Ciren
Ministry of National Assets:
Ministry of Planning and Cooperation:
• Ministerio de Bienes Nacionales
• Conadi
• CNR • Conaf • Consejo de la Cultura y las Artes • FIA • Indap • Inia • Instituto Forestal • Odepa • SAG
• Ficha Protección Social • Fosis • Injuv • Ministerio de Planificación
• Senadis
ANNEXES 1: Organizations Consulted Ministry of Mining: • Cochilco • Onemi • Sernageomin
Ministry of Transportation: • Junta Aeronáutica Civil
Ministry of National Service of Women:
Ministry of the Secretary General of the Government:
Ministry of the Secretary General of the Presidency:
• CNTV
• Comisión de Probidad y Transparencia
• Instituto Nacional del Deporte
• Comisión Defensor Ciudadana
• Programa Mejorando la Empleabilidad y Condiciones Laborales
• Comisión Nacional de Asuntos Religiosos
• Programa Mujeres Jefas de Hogar
• Agencia Chilena Para la Inocuidad Alimentaria
• Senama
• Programa de Prevención de Violencia Intrafamiliar Centro
ANNEXES 2: Questionnaires 1) Organization to which the request was made
2) Organization that responded to the request
ANNEXES 2: Questionnaires 3) Ministry to which the organization belongs
INTERIOR RE.EE HACIENDA DEFENSA JUSTICIA SALUD EDUCACIÓN ECONOMÍA OBRAS PÚBLICAS VIVIENDA TRABAJO AGRICULTURA BIENES NACIONALES CON. CULTURA Y ARTES MIDEPLAN MINERÍA TRANSPORTES Y TELEC. SEGEGOB SEGPRES SERNAM
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ANNEXES 2: Questionnaires 4) Responded to Request
5) Date that the inquiry was received (day, month and year; to fill with numbers): 6) Deadline of the organization to respond to the request (day, month, and year; to fill with numbers): 7) Did the organization comply with the required response time? 8) Was there a referral to another organization
/
/
ANNEXES 2: Questionnaires 9) Was there consultation with third parties? 9.1 Did the third party reserve the information 10) Required information: 1. Does the service, program and/or benefit have a database of personal information as defined in Law Nยบ 19. 628? 2. For a positive response, how many databases does the service, program, or benefit have? 3. How many people use each database of personal information for services, programs, or benefits?
ANNEXES 2: Questionnaires 4. In accordance with Article 12ยบ of Law Nยบ 19.628, did an owner request access to his/her own personal information in the past year? 5. Has the service met its duty to register every database of personal information with the Civil Registry as required by Article 22 of Law No. 19.628?
ANNEXES 2: Questionnaires 6) What security measures did the Head of Service or responsible party for the management of databases take to ensure the due secrecy of the information?
Antivirus
1
Own Software
2
Restricted Access Internal Server
3
Backup Copy
4
Data Provided by Interested Parties
5
Several Media at Once
6
Other - Which? (Write)
7
None
8
ANNEXES 2: Questionnaires 7) What purposes regarding services, programs, and/or benefits do the institutions give to justify the existence of their information databases?
To Quantify the Number of Entries
1
To Register Beneficiaries
2
To Monitor and Process Claims
3
Other - Which? (Write In)
4
8) Does the service, program, and/or benefit have a Department, Division, or Official in charge of monitoring the usage of personal data?
ANNEXES 2: Questionnaires 9. What is the backup method (Storage device or Digital Registry) that the service, benefit, and/or program utilizes for the usage of personal information? (TOTAL= 111) 10. In accordance with article 5ยบ of Law Nยบ 19.628, does the service, program, and/or benefit have an authorization procedure for the transfer of data to other public services? 11. Has the service, program, and/or benefit performed some transfer of personal data to either a public or private party (person or company) in the past year? 12. In accordance with the first art. of Article 33 letter (m) of Law No. 20.285, did the service or program receive instructions from the Council for Transparency on the implementation of Law No. 19.628?
Storage Device Digital Registry Storage Device and Digital Registry
1 2 3