Institute of Access to Public Information shares citizens’ information with Bukele’s government

A report of Jessica Avalos for FACTUM

In the first half of June 2019, the Institute of Access to Public Information sent reports to the Presidential House that contained personal data of information requestors. Following the suspension of this exchange, the president of the Institute authorized the transfer of information requests’ stadistical data. The other commissioners, who were unaware of this situation, ask the president of the IAIP to be responsible for having authorized the sending of statistical reports, for having jeopardized the autonomy of the institution.

 

The Institute of Access to Public Information (IAIP, in Spanish) delivered to the Presidency of the Republic, for at least two weeks, confidential information of citizens: reports containing personal data of users who requested information through its portal. The Institute stopped sending these reports on June 16, 2019, but the Presidential House noticed and asked them to resume. The IAIP president (RENE CÁRCAMO), without notifying the rest of the commissioners, authorized the Institute’s Technology Unit to prepare new reports for the Executive.

These were two moments that compromise the IAIP. In the first, there was a leak of confidential information; and in the second, an intervention by a commissioner to generate reports, without personal data of the users, for the Presidency of the Republic. The explanation given by the IAIP Technology Unit of the transfer of confidential information to the Presidency is that a code programmed in the portal generated the automatic sending of notifications to the Presidential House.

“It included all personal data: the name, and included their request, and remember that people in the request sometimes put DUI number, telephone number, emails,” said the head of the IAIP Technology Unit, Jorge Martinez, in a meeting with the IAIP commissioners on September 23, as stated in a recording to which Factum had access.

The IAIP manages, since May 31st, the portal https://www.transparencia.gob.sv/, where citizens can request information from 285 institutions, from ministries to city halls. Each time a user asks for information, they must place a picture of their DUI, their address, telephone numbers and their occupation. All that, which by law should be protected, is what was exposed the first half of June 2019.

The Institute gave this confidential information to an institution to which it must oversee.

 

 

And not even the IAIP is clear about how much confidential information came to the Presidency through that leak. Nor has he established who should answer for it: “We are in a process of determining it through an external audit, so that it is under that assessment that we determine everything else,” said Martinez, the head of the IAIP Technology Unit, in an interview with Factum Magazine on November 1st.

According to Martínez, when he noticed the reports sent at the beginning of June, he told the president of the IAIP, René Cárcamo: “I told the doctor verbally that we had encountered this situation and that it had been suspended to avoid any misunderstanding towards us, but he asked if there was the possibility of keep sending them, ”said the Chief of Technology at the September 23rd session, as recorded in the meeting audio.

 

The problem did not end there. The Technology Unit complied with the order of the president of the Institute and sent new reports for a month, from August 19 to September 19, which contained five fields: the reference number, type, date of entry, status and date of Expiration of the information request. But this was not enough for the Presidency and they asked that a column with more information were added.

Presidential House (CAPRES) wanted to know in advance the information that citizens ask of all institutions. When the IAIP stopped sending confidential information, the Government continued to urge them to report something that by law is prohibited and had the complicity of the president of the Institute, who compromised the independence of the institution, according to testimonies, an audio of a private session, minutes, memorandums and emails exchanged in recent months.

 

The intervention of the president of the Institute began after the initial filtration. The IAIP Chief of Technology ensures that, in addition to ordering him in writing the delivery of reports with the five fields mentioned above, the president commissioner verbally urged him to send to the Presidency another column detailing the information that the citizens were asking for, although, according to him, he warned that this field stored personal data of the applicants.

 

The IAIP was created to protect citizens from abuse of institutions that do not want to deliver public information. Article 76 of the Law on Access to Public Information (LAIP), with which the Institute is governed, establishes as a serious infraction to reveal personal data of citizens because this is confidential information. And, according to article 56 of the same law, “disclosing or using confidential or confidential information, due to bad faith or negligence” is a cause of removal of a commissioner.

 

… (the chief of technology of the IAIP) not only says that his boss asked him to deliver information that compromised citizen data, but he says he said they would do it to get more budget for the IAIP by 2020.

“He told me verbally and I asked if he was sure that this would be done. He said it in the vehicle, and in the report I mention it, that we were coming from a third meeting (with CAPRES staff), ”Martínez confirmed to Factum Magazine.

 

(…)

In 2014, when (ROBERTO BURGOS, A LAW PROFESSIONAL)  worked at the Anti-Corruption Legal Advice Center (ALAC), he asked Transparency for information on who were managing the data of citizens in transparency.gob.sv and why that portal included fields that were not necessary to manage the information. They did it because they deemed it suspicious that they wanted to force citizens to use forms that collected personal data.

The problem, according to the lawyer, is not that the IAIP manages a portal donated by the previous Government, but that the Institute does not have authentic independence from the Presidency, because it is bound to receive funds from the Executive. And it detects an even bigger problem: that user data is being leaked, taking advantage of the legal vacuum that exists regarding the custody and handling of personal data.

The Salvadoran government recently approved an agreement with the United States for the exchange of biometric data (the fingerprint, for example) of migrants. The IAIP reacted to this agreement with a statement in which it recalled that it is this institution, the one responsible for ensuring the protection of citizens’ data. The same Institute that internally discusses the handling they have given to the information of citizen applications published: «We reiterate to the Salvadoran people that the IAIP works to guarantee the right of access to public information and the protection of personal data that are in the hands of the State».

In El Salvador there is no specific law for the protection of citizen data. The deputies of the Legislative Assembly started this week the discussion of two bills on the matter. The IAIP has requested that, in line with one of these proposals, their powers are expanded to be the lookout of the citizens’ personal data.

 

The article has been summarized. Read the entire version (in Spanish) here.