RIO DE JANEIRO, BRAZIL – The federal government issued a decree yesterday, October 10th, establishing the rules for sharing citizen data collected and processed by federal administrative bodies, in addition to defining requirements for access to records and limitations. The rule also created the Citizen’s Basic Registry, a list containing general information on people registered by Federal Executive institutions.
The Executive is the owner of the largest databases in the country. Individual registrations, national driver’s licenses, income tax returns, pensions, and social benefits are only a few of the instances where millions of records are collected, stored and managed. Thus, the rules for using these records relate to citizens’ information, involving the provision of public services but also privacy and the protection of such data.
The decree aims to regulate the management of these records, meeting the guidelines of the General Law of Data Protection (LGPD). The regulation governs the collection and processing of information, the rights of individuals and the liability of bodies managing these records, be they private companies or public bodies. The LGPD will enter into force in August 2020.
The decree states that the purpose of data sharing is to simplify public services, analyze the right to social benefits and increase the effectiveness of the Executive’s internal activities by reducing the costs of measures such as the reuse of information systems.
The rule exempts the requirement of a convention or agreement for this communication and establishes three types of sharing. In the case of unrestricted non-confidential data, the sharing will be broad, with public disclosure and disclosure to any interested party who so requests.
The restricted form will be used when dealing with data subject to confidentiality obligations for the purpose of implementing public policies, with simplified modes of communication between the agencies. The specific mode, on the other hand, involves data protected by confidentiality, which may be shared with specific bodies in the situations provided for in the legislation.
According to the secretary of digital administration, Luis Felipe Monteiro, the purpose is to ease access to certain information by a body through sharing. “The government does not speak among itself. The citizen has to travel to get a service, such as obtaining a certificate from one body to deliver to another. This is not what we want”.
Base register
The decree also introduced the Citizen’s Basic Registry (CBC). The integrated database will contain general data on Brazilians such as their CPF (Federal Tax Identification), name, date of birth, gender, affiliation, nationality, and birthplace. The registry cross-checks data from different Executive bases in order to, according to the text of the rule, enable the unified means of citizen identification for the provision of public services.
According to the secretary of digital administration, the purpose of registration is to enable a given body to access the information it needs about a person for a given activity or service offering and to make it more reliable. Thus, Monteiro adds, individuals will no longer be required to register to deal with a particular organization and will be able to provide their CPF number.
Governance
The decree established the Central Data Governance Committee, which is in charge of making decisions detailing the guidelines set forth in the legislation and in the regulations, such as parameters for broad, restricted and specific sharing, methods for measuring the quality of the agencies’ databases and the inclusion or not of new data in the Citizen’s Base Registry.
The committee will consist of representatives from the Ministry of Economy, including the Federal Treasury, the Office of the Prosecutor General of the Union, the General Secretariat of the Presidency, the Civil House, the National Institute of Social Welfare and the Office of the Comptroller General of the Union.
Care
According to Rafael Zanatta, researcher of the Latin American Network of Studies on Surveillance, Technology, and Society (LAVITS), the decree does not adequately respond to the guidelines of the General Law on Data Protection regarding the guarantee of the rights of data holders in some points. “The rule does not provide for cases in which the purpose of data use between different bodies may be different, which should give rise to preventive control measures regarding the use of such information,” comments Zanatta.
The researcher believes that the governance structure should also include representatives of companies and civil society organizations. “This goes against what the laws on the relationship between law and technology require in relation to governance. Both the Civil Framework for the Internet (Law No. 12.485 of 2014) and the LGPD point this out by emphasizing multisectoral participation and structures, such as the Internet Steering Committee (CGI.Br) and the National Council for Data Protection (CNPD),” he adds.
Source: Agência Brasil