On October 18, 2023, the Brazilian Data Protection Authority (ANPD) published its third sanction for violation of the General Data Protection Act (LGPD). As with the second penalty, the infraction occurred in the public sector and did not involve a private company.
This time, the sanctioned entity was the Santa Catarina State Department of Health (SES-SC), which violated Articles 38, 48 and 49 of the LGPD, as well as Article 5, item I, of the Inspection Regulation. The violations were (i) failing to present the Personal Data Protection Impact Report (RIPD), (ii) failing to adopt adequate security measures for the storage and processing of the personal data of millions of citizens of the State of Santa Catarina held in the public health system, (iii) failing to inform the ANPD and the data subjects, in a clear, adequate and timely manner, of a security incident that could pose a risk of relevant harm to them, and (iv) failing to provide additional information requested by the ANPD.
In total, four infractions were identified, three of which were classified as serious. Even so, the ANPD decided to apply four warning sanctions, one for each infraction, together with corrective measures that SES-SC must implement. These measures include (i) displaying a general security incident notice on its website for 90 days and (ii) notifying directly the data subjects identified as victims of the incident.
SES-SC may appeal the decision within ten working days of receiving the notice. Any appeal will be analyzed by the ANPD Board of Directors. Note that the sanction itself was applied by the ANPD's General Coordination of Inspection. For those who wish to read the full decision, it is linked under "report".
Once again, the sanctions stem from inadequate security measures. This type of failure has long been identified frequently in Europe and is now also being picked up by the ANPD in Brazil, across private companies, state-owned companies and government agencies. In this case, SES-SC reported that approximately 4 GB of data, some 1.2 million records, were exfiltrated, affecting around 48 thousand data subjects, both patients and service providers. SES-SC initially denied that the data included children, adolescents and elderly people, but later corrected this statement and confirmed that it did. Most critical, however, was the exfiltration of sensitive personal data concerning the health of numerous patients, including descriptions of diseases, diagnoses and treatments.
Furthermore, with the exception of a few large companies, organizations continue to ignore the classification of the risks of each processing activity according to its purpose, and neglect to prepare a Personal Data Protection Impact Report.