The National Data Protection Authority Applies Its Third Sanction
*This is an AI-powered machine translation of the original text in Portuguese
The National Data Protection Authority (ANPD) recently imposed its third sanction in the context of an Administrative Sanctioning Procedure initiated against the Department of Health of Santa Catarina State (SES/SC) [1-2].
According to the procedure, a security incident in SES/SC systems in August 2021 resulted in the unauthorized extraction of part of the waitlist data for the State of Santa Catarina's Unified Health System (SUS), which was made available on the website listadeespera.saude.sc.gov.br. Due to the illegal access and data breach, approximately 48,000 data subjects were affected, including, presumably, children, adolescents, and the elderly, totaling about 1.2 million records, including names, CPFs (Brazilian identification numbers), phone contacts, and sensitive health-related information.
After deliberation, the ANPD imposed four sanctions on the offending agency for violations of the General Data Protection Law (LGPD) and the ANPD Inspection Regulation [3].
- LGPD Article 38 stipulates that the data controller may be required by the data protection agency to prepare a Data Protection Impact Assessment (DPIA), a document that provides a detailed description of data processing operations and the risk mitigation measures adopted by the data controller. Despite requests from the General Inspection Coordination (GCF), the ANPD department responsible for investigating data processing violations, for the presentation of a DPIA, SES/SC did not comply with this requirement, leading to the imposition of a warning sanction without additional corrective measures.
- A warning was also issued due to a violation of LGPD Article 48. According to this provision, in the event of a security incident, the data controller is obliged to provide a Security Incident Report (SIR) to the ANPD and the data subjects affected by the incident within a reasonable timeframe. However, the offending agency made a general communication on the government website providing access to the SUS waitlist, which the ANPD interpreted as not meeting the SIR presentation requirement. Moreover, the SIR was only submitted in March 2022, seven months after the data breach in the SES/SC system, which would constitute a violation of the reasonable timeframe for reporting. Due to the failure to fulfill this reporting obligation, the ANPD imposed two specific corrective measures. The offending agency must, as stated in the Decision Document, make the SIR available on the waitlist access website for 90 days, and this obligation must be verified through the submission of screenshots of the SES/SC website. Furthermore, it was determined that an individualized SIR should be sent to each of the data subjects affected by the incident, and compliance with this measure must be verified through the submission of a spreadsheet with contact information for the notified individuals, allowing for sampling to validate the communication.
- According to LGPD Article 49, systems for processing personal data must meet security requirements. In this case, the ANPD identified a failure to implement sufficient mechanisms to ensure data confidentiality, as it was found that "a lack of care in developing a secure system allowed the occurrence of an incident that could lead to financial fraud and misuse of identity." This resulted in a warning sanction for the violation of this article without the imposition of corrective measures.
- Finally, Article 5 of the Inspection Regulation establishes the cooperation duties of regulated entities with respect to the ANPD, including obligations related to document provision, physical facility access, and access to data processing systems, among others. In the context of this Administrative Procedure, requests for document submission were not fulfilled by SES/SC, including regarding a technical report on the incident that would provide information about the types and quantity of data and data subjects affected by the extraction. This led to the imposition of a warning sanction without corrective measures.
With the publication of the sanction decision in the Official Gazette on October 18, a 10-business-day period is currently underway for the Department of Health of Santa Catarina to file an appeal or to demonstrate compliance with the sanctions and corrective measures imposed.
[1] ANPD. Decision Document. Administrative Sanctioning Procedure No. 00261.001886/2022-51. Published on October 18, 2023. Available at https://www.in.gov.br/web/dou/-/despacho-decisorio-517000207. Accessed on October 18, 2023.
[2] ANPD. Instruction Report No. 4/2023/FIS/CGF/ANPD. Signed on October 11, 2023. Available at https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-sanciona-mais-um-orgao-publico/Relatorio_4_2023_e_DOU_versopblica.pdf. Accessed on October 18, 2023.
[3] ANPD. CD/ANPD Resolution. Approves the Inspection Process Regulation and the Administrative Sanctioning Process within the National Data Protection Authority. Published on October 29, 2021. Available at www.gov.br/anpd/pt-br/documentos-e-publicacoes/regulamentacoes-da-anpd/resolucao-cd-anpd-no1-2021. Accessed on October 18, 2023.