Decree-Law n° 86/2000 of 12 May
The use of the new information technologies is not only a modernising factor and one that reduces bureaucratic procedures in issuing passports, but it is also a security factor.
Law n° 67/98, of 26 October, stipulates that personal data handling must be done with transparency and in strict respect for the right to privacy, as well as for the rights, liberties, and fundamental guarantees of the individual.
This law creates the database for issuing passports (BADEP), which is managed by the Serviço de Estrangeiros e Fronteiras, a service of the Ministry of Home Affairs (SEF/MAI), not only because SEF is geared to handling this in controlling all entry to and exit from Portugal, but also because the service is a large scale data processing centre.
The opinion of the National Commission for Data Protection (CNPD) was heard, in the terms stipulated by law.
In the terms of sub-paragraph a) of n° 1 of article 198 of the Constitution of the Portuguese Republic, the Government decrees the following:
CHAPTER I Database for issuing passports.
CHAPTER II Interconnection, communication, search and access to data.
CHAPTER III Keeping data and documents
CHAPTER IV Database security
Database for issuing passports
Purpose of the database
The database for issuing passports, hereinafter referred to as BADEP, is used to organise and update the information required to control the issue and granting of passports, for all categories, in the terms of the law regulating the granting and issuing of passports.
Apart from identifying information acquired from the forms used for granting passports, the following personal data on the applicant is also collected for automatic processing:
Number, date and issuing agent of identity card;
Marital status and, if married, name of spouse;
Loss of nationality;
Circumstances preventing a passport being granted.
Data collection methods and up-dating
Data should be precise, pertinent, up-dated and should not exceed the purpose for which it is required, and should be selected prior to computer processing.
Without prejudice to the stipulation in n°s 3 and 4 of this article, the personal data in BADEP is collected and up-dated based on the declarations made by the person whose data it is, or taken from forms filled in by this person or at this person's request, with the exception of the passport number, which is attributed automatically.
The loss of Portuguese nationality is recorded from notification given by the Central Registry.
Conditions preventing a passport from being granted are taken from judicial decisions with sentences in absence passed by the court, of which SEF is notified by the court authorities, or through access by searching the data base of default records, as laid down by law.
Personal data is registered and can be seen by the staff and agents of the issuing services authorised to do this.
The printed forms used for collecting data, or the accompanying instructions on how to fill them in, should include the information appearing in n° 1 of article 10 of Law n° 67/98, of 26 October.
Interconnection, communication, search and access to data
Characteristics and interconnection
BADEP complies with the following characteristics:
Centralisation of personal data records;
Decentralisation of information collection (data and image), done in issuing centres;
Decentralisation of individual passport production (issue/printing), done in issuing centres.
To ensure the efficiency and effectiveness of information collection, BADEP interacts for the sole purpose of data search and in the terms legally permitted with the following information systems:
Integrated Information System of the Serviço de Estrangeiros e Fronteiras (SII/SEF), to check for any pending cautionary measures;
The national part of the Schengen Information System (NSIS), to check for any possible negative entries regarding the provision of a passport;
Civil identification database, to confirm the identification information of the passport applicant;
Database for default records.
The data recorded in BADEP may be sent to police and judicial agents for the purposes of investigation or criminal examination, whenever the data cannot be, or should not be, obtained from the persons concerned and the authorities in question have no access to the database.
The communication referred to in the previous number must be requested with justification by a magistrate or police authority.
Communication may be refused when the request is not duly justified.
The online search for data may be authorised, guaranteeing respect for the security regulations for information and technical availability, for the agents referred to in the previous number, through a protocol signed with the SEF (Serviço de Estrangeiros e Fronteiras) of the Ministry of Home Affairs (SEF/MAI), once the opinion of the National Commission for Data Protection (CNPD) has been heard.
SEF/MAI, as the managing body of BADEP, should notify the data processing bodies of protocols signed so that the online search for data may be done in the conditions laid down in these protocols.
No form of interconnection whatsoever of data in the database used for issuing passports is permitted, unless in the terms envisaged in specific legislation.
Direct access to information
Those bodies authorised to access BADEP directly will adopt the technical administrative measures required to ensure that information may not be obtained incorrectly, nor used for a purpose other than that permitted.
Direct searches or attempted searches for the issue of passports are recorded digitally, for a period of no less than one year, and recording of the same may be appropriately controlled by the issuing services.
For the purposes of the previous number, the issuing services may request clarification from the entities whose search has been registered.
The descendants, parents or grand parents, spouse, tutor or guardian of the person to whom the information refers or, in the case of the death of this person, the assumed heirs, may also have access to the information recorded providing they show a legitimate interest and there is no risk of interfering in the private life of the bearer of the passport.
If a justified request is made, the Minister of Home Affairs may authorise access to information gathered in BADEP, providing the purpose for this is duly proved, there is no risk of interference in the private life of the holder and the information is not used for purposes other than those for which it was recorded.
Information for investigation or statistical purposes
Apart from the cases envisaged in the previous numbers, information may be given for the purposes of scientific and statistical investigation, providing the individuals to whom this information refers are not identifiable and that the legal provisions applicable in such matters are observed.
Right to information and access to data
Any individual has the right to know the content of the record or records referring to them.
Without prejudice to the conditions established in the terms of sub-paragraph is g) and h) of n° 1 of article 23 of Law n° 67/98, of 26 October, an exact copy of the records referred to in the previous number, indicating the meaning of any codes or abbreviations appearing in them, is supplied when the person to which these records refer requests this.
Corrections of possible errors
Any individual has the right to demand that any errors are corrected, data unduly recorded is removed and any omissions filled in, in the terms envisaged in sub-paragraph d) of n° 1 of article 11 and in sub-paragraph h) of n° 1 of article 23, of Law n° 67/98, of 26 October.
Storage of data and documents
Storage of personal data
Personal data are kept in BADEP for up to 10 years after the last issue of the passport to its holder.
Personal data may be kept in a past archive for 20 years after the date of the last issue of passports.
Storage of documents
Application forms requesting a passport are kept in secure computer records and after the paper support is destroyed.
Any other documents and records used in running services that to do not contain a decision with a permanent effect may be destroyed after one year has elapsed.
BADEP should be given the security guarantees required to prevent the search, modification, removal, addition, destruction or communication of data that does not conform to what is laid down in this law.
Control will be guaranteed, with a view to information security:
For data supports and their respective transfer, to avoid their being read, altered or removed by any person or non-authorised means;
For the entry of data, to prevent non-authorised introduction, as well as any access to, alteration or elimination of personal data;
For automatic data-processing systems, to prevent their being used by non-authorised persons, through data transfer installations;
For data access, so that authorised persons may only access the data of interest to them in performing their legal attributions;
For data transmission, to guarantee that the data is used only by authorised bodies;
For entering personal data in automatic processing systems, to check what data was introduced, when and by whom.
Entity responsible for BADEP
The entity responsible for BADEP, according to the terms and for the purposes envisaged in sub-paragraph a) of n° 1 of Article 30 of Law n° 67/98, of 26 October, is SEF/MAI, represented by its director.
The entity referred to in the previous number is responsible for ensuring the right to information and access to data by those to whom it concerns and the correction of errors, as well as ascertaining that the search for all communication of information complies with the conditions laid down by law.
Communicating or showing personal data recorded in BADEP may only be done in the terms laid down in this law.
Persons who in performing their duties have access to personal data recorded in BADEP must respect professional secrecy, in the terms of Article 17 of Law n° 67/98, of 26 October.
Seen and approved in the Council of Ministers of 16 March 2000 - Antonio Manuel de Oliveira Guterres - Jaime Jose Matos da Gama - Fernando Manuel dos Santos Gomes - Joaquim Augusto Nunes Pina Moura - Antonio Luis Santos Costa.
Promulgated on 26 April 2000.
The President of the Republic, JORGE SAMPAIO.
Ratified on 3 May 2000.
The Prime Minister, Antonio Manuel de Oliveira Guterres.