On October 7 2019, the Supreme Decree No. 899 was published in the Official Gazette of the Republic of Chile, which regulates the operation of the so-called “Unified Data Bank” (BUD).
This rule arises from Article 11 of Law No. 20.931 (Official Journal 5 of July 2016), which facilitates the effective application of penalties established for the crimes of robbery, theft and reception, and improves the criminal prosecution of such crimes.
The idea, after this new regulation, was to unify the databases kept by various institutions related to the criminal jurisdiction, which, due to the establishment of the criminal procedure reform and the digitalization of said information, were not properly related for its application in Criminal jurisdiction procedures. Indeed, on many occasions there was a lack of coordination of such information in criminal hearings, allowing several people to avoid the action of justice.
Consequently, successive governments dedicated themselves to achieving this objective. A first problem to overcome was the compatibility of computer systems of the institutions that had such information. Also, as a second impediment, there was the natural suspicion on the part of these entities, especially the police, to share the background regarding the people who had been registered in their databases.
Even so, and after several postponements over the years, it was possible to dictate this regulation that establishes several interesting provisions.
In the first place, the so-called “Operational BUD” that governs this regulation is distinguished from the so-called “Analytical BUD”, maintained by the Ministry of Interior and Public Security, whose purpose is merely statistical, for purposes of internal public security and verification of the effectiveness of policies in this matter.
The Operational BUD is administered by the Public Ministry, who must keep it in a position to be used by those who consult its records. Cooperating in its administration, a “Coordination Committee” is created composed of the entities that participate in the Operational BUD.
This Operational BUD, according to article 1º of the regulation, has two precise missions, these being the support to the investigative work in all the stages of the criminal process and the collaboration for the decision making of the courts of justice and of support to the policies of reintegration; basically a reiteration of what is established in Article 11 of Law No. 20.931. The first function is the one that gives rise to the system, but it does not disregard the second, since it is not only used for the investigation of crimes, but also for the post-compliance stages of the penalty, reintegration, a goal often not taken in bill. Article 4º of the regulation is much more explicit in pointing out the scope of “prevention, control, persecution, administration of justice or reintegration into the criminal field”.
Also, it is necessary to comment on the name of this system, correctly in my opinion called "bank" and not "base", since the first reflects what it is in essence: a meeting of various databases which, in turn, They contain the data themselves. It does not carry out the conceptual assimilation mentioned in letter m) of Article 2º of the current law in force.
Another interesting aspect that can be derived from this standard is the way in which it is understood that the system will operate. In effect, it describes that the entry of the information, which he calls “injection or load” will be made by each entity according to the respective requirements, but its visualization will be carried out through a “BUD application”, that is, a computer system to access to the information, so we can deduce that it is not a kind of “common fund” of combined data, but rather that each entity has a space where its information operates and it is the computer system that will be responsible for gathering all the information queries about a person (art. 3º letter b and letter c, under the concept of interconnection). This seems like a procedure of all logic.
In addition, various provisions establish the responsibility of the entity that provides the data regarding their quality. Indeed, if the articles 4º final paragraph are analyzed; 7º; 11 letters a), d) and e); and 24 of the regulation, all of them hold the BUD participating institution responsible for the correct contribution and maintenance of the data, without prejudice to the administrator's responsibility, established in art. 13 section III, number 10 of the regulation.
An important aspect is the referral of the technical regulation of this system to a protocol issued by the Public Prosecutor's Office, at the proposal of the Coordination Committee (Articles 4 and 13 section III, No. 7). Since this entity is a State body, it will be necessary to know precisely, to which legal category this protocol will conform. It will be considered a kind of internal administrative act, or it will be based on a technical norm, integrating a normative category, which increasingly has a presence or influence in legal systems, not being a legal document.
Part of the answer is granted by the Chilean experience itself. On March 23 of 2018, the Exempt Resolution No. 432 of the Ministry of Health was published, which approved the conscientious objection protocol required by law, which allows the termination of pregnancy in three cases. This rule was the subject of a presentation before the Comptroller General of the Republic, which through the 11.781 Opinion No. 9 of May 2018, determined among other things, that its legal nature was "(...) instructions on operational management of problems of certain health ”. That is, a merely executive norm, subordinate to the respective higher norms. We understand that the protocol concerning the operation of the BUD will follow the same legal nature.
However, the same article 4º indicates, towards the end of its second paragraph that, among other matters of the protocol, it will establish the technical guidelines of the platform (art. 13 section III, regarding the computer system), which makes the doubt arises if an international norm on the subject will be used, producing the use of a figure of great relevance in the current administrative law, called “technical norm”, with all the consequences that this would bring.
In another aspect, as a large part of the regulatory norms, it reproduces provisions of the law in force in the matter. Thus, the concept of personal data (art. 3º letter d; art. 2 letter f of the law); the principles of truthfulness, purpose and proportionality (art. 5º; arts. 9 and 6 of the law); the confidentiality of the data (art. 6º; art. 7º of the law); the rectification, modification or deletion of data (art. 7º; art. 6 of the law); and data security (art. 8º; art. 11 of the law). It should be borne in mind that if the new law on data protection innovates in some of the aspects described, the relevant adjustment must be made. We must note that the principle of proportionality developed in the regulation, does not appear in the data protection law, but merely indicated in art. 3º of Law No. 20.575, misnamed “establishes the principle of purpose in the processing of personal data".
An interesting aspect, which is not expressly mentioned in the regulation, but in Article 11 of Law No. 20.931, is the linking of this rule with Article 20 of the current law on protection of personal data. In fact, this rule indicates that public bodies are empowered to process personal data, with respect to the matters of their competence and subject to the rules of the same law, not requiring in such cases, the authorization of the owners of such data. This is the basic standard for the operation of said database.
However, it remains pending how it relates to Article 21 of the law, which speaks of three types of sanctions: administrative, disciplinary and criminal. If the regulation addresses only the last one, the other two will remain without a unified basis. In the case of disciplinary sanctions, an equivalent system must be established within the public administration related to its officials, through information communication. However, with regard to administrative sanctions, an equivalent system, similar to the criminal complexity, will also be required, covering all those who have committed such an infraction.
Finally, there is the norm of article 22 of the law, on the registry that the Civil Registry Service maintains with respect to all public bodies that carry personal data banks. In this sense, the Public Ministry must appear on the payroll of the Civil Registry as responsible (administrator) of a data bank.
The rule will enter into force twelve months after its publication in the Official Gazette, in order to prepare for its entry into operation. During this period, the new law on the protection of personal data will continue to be processed, with which these regulations must be made compatible with the new provisions it contains. As for its effectiveness, it remains to wait for the beginning of its operation to assess whether or not it meets the objectives established in the law and these regulations.
Without prejudice to the foregoing and, in an area of similar difficulty, the creation of the so-called “Consolidated Debt Registry” is pending, a system that aims the same objective to the Operational BUD for the field of economic, commercial, banking and financial obligations .