This external circular, published on the 5th of September of 2019, presents various general guidelines that public entities, and private entities that have public functions, must follow to protect the right of habeas data and to protect personal information in interoperable information systems.

Firstly, it contemplates…

that habeas data, as a fundamental right enshrined in the Constitution, must be regulated by a statutory law which, in this case, is Law 1581 of 2012. However, it clarifies that legal reserve[1] is not absolute, as it only forces the legislator to regulate the structural and essential elements of the fundamental right in discussion. For this reason, the whole regulation of this right cannot be contained in just one law that contemplates every detail and variant of how the right can be exercised.

With this in mind, the SIC (for its acronym in Spanish) considers that there is no need to create new laws to protect this right in new environments, because Law 1581 of 2012 already regulates the general aspects of this right and how it must be protected.

On the other hand, the entities consider that …

information and communication technologies must be used by public entities, and by private entities that have public functions, to guarantee the proper exploitation of these tools and to develop new ways of implementing them in daily processes. This sends a clear message to all public entities that they must prioritize the implementation and usage of technologies in their daily processes.

Regarding the Digital Transformation of the State …

the Superintendence defines the interoperable information systems “as those who have the capacity to guarantee the adequate flow of information and of interaction between information systems between government entities, allowing them to share and integrate information with the ultimate purpose of improving and facilitating the exercise of their constitutional and legal functions.”

Additionally, it highlighted Law 1955 of 2019, as it made it an obligation for governmental entities to implement and incorporate a component of digital transformation in their respective action plans.

Taking all of this into account, the Superintendence mentions various elements to consider:

(1) The interoperability between information systems where personal data circulates must be regulated according to the principles established in Law 1581 of 2012, as there is no need to create new and more specific laws.

(2) Protection of personal data does not go against interoperable information systems as long as article 15 of the Constitution and the law mentioned before are respected.

(3) Public entities do not need to obtain authorization to treat personal data when this information is needed for them to function.

(4) Law 1581 of 2012 authorizes private or administrative entities to supply public entities with the information they need, without additional or special authorization, within the framework of interoperable information systems, as long as the information administered is useful, pertinent and necessary to achieve the legal and constitutional obligations.

The circular ends by mentioning that public entities have the duty to take into account the guidelines contained in this document when they need to develop plans, projects and programs in the government.

Of everything mentioned in the circular, it is important to highlight the special emphasis made by the Superintendence in exhorting public entities to include data protection as an essential and structural element when developing and implementing different technological innovations.

[1] The term in Spanish is “reserva legal”; however, there is no proper translation for the word.