The National Institute against Discrimination, Xenophobia and Racism (INADI) was created in 1995 by Act No. 24,515. The agency is responsible, among other things and as its name indicates, for receiving complaints of discriminatory, xenophobic and/or racist acts. It has been operating since 2005 under the auspices of the Ministry of Justice and Human Rights.
Confidentiality is a key element in protecting the data of reporting victims. However, an investigation by the Auditor General of the Nation (AGN) determined that the protection of information within INADI's computer system shows a range of vulnerabilities with potential risks.
The number of complainants whose data should be safeguarded by the institute is linked to the number of complaints received by INADI. According to official data, there were 2,542 complaints in 2022 and a similar number in 2021. Half of them were filed by women, and most concerned episodes in the workplace, according to the management report prepared by the agency.
Other common settings for discrimination are the school, the street, the neighborhood, nightclubs, the family and clothing stores, among a long list of scenarios. In its latest annual report, INADI detailed that 50 percent of complaints in 2022 had been made by women; 42 percent by men; and the rest by people of other genders.
The AGN report
The concern that arises from the AGN report is whether the data of these people, victims of acts of discrimination whose complaints point to alleged perpetrators, are properly protected. The answer of the audit, once the investigation has concluded, is that reality runs on a track far removed from that ideal.
Victoria Donda was INADI's auditor at the time the audit was conducted. Photo: Federico López Claro
The examination focused on the handling of complaints received at INADI headquarters and its delegations and on how inquiries were handled through the communication channels; the preparation of statistics and of the "National Map of Discrimination" was also investigated.
The audited period was more than two years, from December 1, 2019 to January 31, 2022, and the work was approved by the six auditors general last Wednesday. The agency was headed by Victoria Donda at the time of the audit, a position now held by the comptroller Greta Pena, a lawyer and journalist.
The first finding of the AGN is tied to the strictly operational: "INADI does not have a strategic plan for information technology (IT), which makes it difficult to establish a medium- and long-term vision and to demonstrate the role that technology should play in providing support for critical processes." It also states that "the organizational structure of IT is inadequately designed and insufficient to efficiently and effectively fulfill its functions."
The report then goes into its most disturbing aspect, which is information security. It says that INADI "does not have cross-cutting information security policies" and that this "impacts its confidentiality, integrity, and availability." It adds that "it does not have a consistent information security plan, and it leads to vulnerability in the organization's critical processes."
Another point the report warns about is that "the management of 'users' to access the database of discrimination complaints is inadequate, putting at risk the confidentiality, integrity and availability of the information", in addition to the fact that IT staff "do not carry out security and intrusion tests on the platform, or on reporting support environments, queries and statistics, which does not allow for safety measurement, diagnosis, and corrective action."
Jesús Rodríguez, president of the Auditor General of the Nation.
Regarding the security of the IT infrastructure, the conclusion is that "the server room that houses the computer support and the office where the discrimination complaint server is housed do not meet the minimum conditions".
And it notes that this situation "places the agency in a situation of high level of risk and vulnerability, even more so considering that the processes related to complaints of discrimination manage sensitive and confidential information."
The audit provides several examples of these deficits. One is found in the process of receiving inquiries. It explains that "the agency operates and accesses a database that is outsourced, under a system developed by the company Gradicom S.A., which requires the licensing of users for its operation and data entry on it." And that INADI has only licensed the number of users who work at the headquarters, which is why "the delegations do not have access to the upload of data on this technological environment, which means that they must send monthly by email the spreadsheets with the queries received locally."
In addition, it says, "the data reception process applied by the delegations does not have documented and formalized procedures for each of the sub-processes involved, such as: the sending of the forms by the delegations; the storage of this information, both in emails and in shared network folders; the management of the information on queries received from the delegations."
No contingency plan
What follows is no better: it refers to the continuity of operations and concludes, simply, that "IT personnel do not have a formalized Disaster Recovery Plan, and there is a risk of high impact in the event of an IT interruption, on which INADI has a high dependence."
Finally, it adds that IT staff "do not have formalized backup procedures that establish the execution and periods of backups and their restoration tests."
The AGN then focuses on one of INADI's programmatic pillars: the Coordination of Reception and Evaluation of Complaints (CRED) of the Directorate of Victim Assistance (DAV), about which it states that "it does not monitor the connectivity service of 'Line 168' (ex 0800) and makes it impossible to measure compliance with the service."
The final points of the report, from which the salient paragraphs are extracted here, are just as worrying:
- "The DAV and the CRED do not control the level of service contracted for 'Line 168' and the user areas cannot manage, control and measure the quality of the service."
- "The systems and processes applied for the treatment of complaints and inquiries due to discrimination are not integrated, putting their integrity at risk at the time of receipt and subsequently at the time of processing."
- "There are no formalized policies and procedures for the discrimination complaints database that can guarantee the confidentiality of the information."
- "The DAV has not formalized the signing of a confidentiality agreement with employees who have access to confidential information, generated by complaints of discrimination that ensures non-disclosure."
The AGN attributes the mismanagement at INADI to several reasons. On the one hand, it states that in recent years the number of complaints grew by 33 percent and the agency's infrastructure was not expanded. On the other hand, it points out that although it should be directed and administered by a board of directors, assisted by an Advisory Council with advisory functions, "since 1997 it has been intervened intermittently". In total, it has spent 25 of its 28 years under intervention.