Personal Data At Risk: Is the State Doing What it Takes?


This article was first published in Spanish at 

Public administration holds the greatest responsibility regarding data custody and needs to raise safety standards for all collected information, which belongs to each citizen.


Management of the public sector entails large volumes of information. Every day, information regarding filiation data, tax reports, finances and health issues, among other data types, is collected, managed and processed in State-owned databases. Not only is this data important for governance, it also holds great market value and has great impact on people’s private lives. For this very reason, public administrations hold the greatest responsibility regarding data custody and need to raise safety standards for all collected information, which belongs to each citizen. Public administrations cannot be negligent in this matter.

Information faces a wide range of threats and improper and even illegal uses, which is why all data-managing public offices must have an appropriate policy for the preservation of confidentiality, data availability and data integrity. It is undoubtedly a matter of ensuring the protection of people’s rights and freedoms, as well as complying with all the services a modern State should provide. A new policy for information security, data preservation and confidentiality is mandatory and vital. These are all facets of the same complex issue, which requires professionalism, autonomy and long-term policies.

A loophole in Argentina’s priorities: historical failures in data protection and information security

Argentina has an enduring debt when it comes to public policies on this matter and is far from understanding its importance. In December 2004, signed by the then Chief of Cabinet and now President Dr. Alberto Fernández, the National Executive Power published Administrative Resolution 669/2004, “Information Security Policy”, establishing the terms of reference for the enactment of new laws, the adaptation of information security policies, the appointment of an information security committee with top level authorities and the development of a series of guidelines for proper protection of State-held information.

Information security policies have always been insufficient and good practices in the matter were never standardized. Lack of adequate funding is part of the problem. Information security demands highly skilled professionals, and such human resources are in demand on the global market and the Argentinean market is forced to compete for them. The virtual lack of work protocols, data access policies, establishment of responsibilities by personnel in charge of databases and the nearly nonexistent activity of the Department of Data Protection when it comes to laying down criteria for State-held data management have taken their toll.

In addition to this, the Access to Public Information Agency has been operating in a virtually acephalous way ever since the resignation of its first manager director, Dr. Eduardo Bertoni, on January 1st, 2021. Currently, an agency that should ensure two fundamental rights (data protection and access to public information) has no suitable political leadership or institutional framework for setting effective boundaries and taking appropriate action to safeguard these rights. The need for a reform of the Personal Data Protection Law appears on the horizon, too, particularly when it comes to putting database holders under an obligation to duly report data leaks if their safety has been compromised.

Towards the definition of a suitable and comprehensive policy for data protection

It is unacceptable that apps lacking assessment and minimum safety and data protection standards should be made available by public administrations at different levels, but it has happened and it happens a lot more often than it should. With support from the Initiative for Digital Rights in Latin America (Indela), we at Fundación Vía Libre (Vía Libre Foundation) understand that cooperating in the development of public policies for data protection is mandatory.

Sadly, security doctrines from criminal and law enforcement viewpoints have prevailed in the region, instead of those aiming at prevention and data responsibility. The almost emblematic adoption of the Budapest Convention on Cybercrime or the following of the OAS cybersecurity doctrine, as opposed to assessing more suitable guidelines, such as the ones outlined in the European Union’s General Data Protection Regulation or NIS Directive, left us in a problematic situation in terms of State-held information security.

The preemptive way demands investments, skill training, long-term policies, consensus-based strategies at the highest possible level and political support from all the involved branches under the common premise of protecting digital assets and safeguarding citizens’ rights. On the contrary, the punitive way presupposes a fait accompli policy, under the mistaken notion that the threat of criminal penalties can dissuade a potential attacker, without taking into account that the vast majority of security issues are primarily due to the negligence of those who should take responsibility for the information they manage.

The State manages an increasing amount of data every day, much of which is sensitive information for citizens: filiation data, information pertaining to ethnic or racial origins, health, gender identity and even biometric information. Sadly, Argentina has a long history of prioritizing the punitive way in security matters. This has resulted in a critical state regarding the use of Infosec. The gray areas in Argentina’s penal legislation presuppose a discretionary capacity to prosecute those who report vulnerabilities to companies or public offices. Prioritizing preemptive work and due diligence when vulnerabilities are reported is urgent, since, and this is also true for other subjects, once the data is leaked, the damage is done.

The approach to information security should not fall under cybercrime, let alone be included in issues pertaining to complex offences. Without quality technical infrastructure, funding and good public policies, the police won’t be able to fix cybersecurity problems (quite the opposite).

In turn, mapping data responsibility has become almost as essential as putting an end to unwarranted databases. The precautionary principle must be the norm before further building of databases is conducted. Nowadays, as things stand, the State is not doing enough to protect them.


Translated by Eugenia Santana Goitía