LGPD: Inside the new legislation
Data is a valuable asset in the digital age, and health is no different. Information that was once seen only as a form of identification has, over time, become increasingly complex, supporting decisions that influence patients' health and quality of life, and business decisions as well. Today, with the advancement of technology, this data is collected everywhere and at all times, not only by the institutions' management systems but also by health applications and wearable devices.
Strongly inspired by Europe's General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (Law No. 13,709/2018, as amended by Law No. 13,853/19) set out to establish a series of rules for the protection of individual information, reaching both public and private actors and introducing preventive and repressive measures, with the objective of promoting good practices in the management of personal databases. The GDPR emerged in Europe after scandals over data leaked and used without consent by big companies like Facebook. In the United States, Mark Zuckerberg had to explain the use of that data to court and was ordered to pay a $5 billion fine, in addition to fulfilling a series of obligations on his social network.
Adapting to a new regulatory framework is never a simple task. A feeling of many doubts and little capacity for action has run through organizations that are beginning to work on implementing the General Law for the Protection of Personal Data (LGPD). In health institutions the challenges are even greater, as these organizations deal daily with an immense database of sensitive content, where they cannot take risks of exposure or leakage. The law defines as sensitive personal data any information about “racial or ethnic origin, religious conviction, political opinion, union membership or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.” Leandro Pesoti Netto, a specialist in cyber law and legal adviser to the Brazilian Association for the Distribution of Information Technology (ABRADISTI), highlights this perception, adding that even routine information, such as credit card data or your full name and profile address on social networks, is covered by the law. In general, any information that allows a person to be identified falls under the legal regulation, regardless of the form of that information or how it was stored. In addition, several agents are involved in handling this personal data, such as hospitals, clinics, laboratories and operators.
It is in this scenario that the General Data Protection Law (LGPD) inaugurates a new moment for the rules on handling individual data. Patients now have full rights over the information collected about them and must also be informed about the purpose for which it is used. The law's main goal is to guarantee the privacy of people's personal data and give them greater control over it. It reaches every sector of the economy, since it aims to protect data and the fundamental rights of people.
In addition, it establishes clear rules for collecting, storing and sharing this information, which helps promote technological development in society and supports consumer protection itself.
The law starts by establishing terminology and creating new roles in the data processing chain. Some of the key concepts:
- Personal data: any information relating to an “identified or identifiable” person;
- Sensitive personal data: information related to racial or ethnic origin, religious belief, political opinion, union or organization affiliation, health, sexual life, or genetic or biometric data;
- Anonymized data: data relating to a holder who cannot be identified;
- Database: a structured set of personal information;
- Holder: the person to whom the data refer;
- Controller: the person responsible for decisions regarding data processing;
- Operator: the one who carries out processing on behalf of the controller;
- Person in charge: the person responsible for communication between the three parties: the controller and operator (the company), the holder, and the National Data Protection Authority;
- Consent: the free manifestation by which the holder allows the use of the data (the burden of proof rests with the controller);
- Personal data protection impact report: the controller's documentation describing data processing that may pose a risk to civil liberties.
Impacts and Applications
State what the data will be used for.
Any collection of information and data by a health institution must be justified.
The purpose of use and the environment in which the data is stored must be disclosed, and the user must consent to any processing.
Delete the data after it is used.
Once a hospital, for example, no longer needs the sensitive information it requested, it must delete all records containing that content from its database. The aim is to prevent this information from remaining available after the patient has passed through the institution.
Make data available in a transparent way.
Since the user of a health service is the holder of the data provided to the institution, the institution must make this information available in a clear, unbureaucratic way. The patient can then not only consult the data but also correct it and manage consent.
Protect the data of minors.
Protection of information must be stricter when it comes to data on children and adolescents. This information must be handled and accessed cautiously within the institution and only with the express consent of those responsible for the patients.
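The four obligations just listed (a declared purpose for every collection, deletion once the purpose is fulfilled, transparent holder access, and guardian consent for minors) translate into a small set of checks that a management system has to enforce before it stores or releases a record. The following is an added example written for this article, not code from any of the systems or sources it mentions: a minimal purpose-bound consent register. Holder ids, field names and the 18-year threshold for "minor" are constructed assumptions for illustration, not figures taken from the law.

```python
"""Added example (not from the article or its sources): a purpose-bound
consent register enforcing declared purpose, deletion after use, holder
access and guardian consent for minors. All ids and thresholds are
constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

ADULT_AGE = 18  # assumed threshold for the example, not a figure from the law


class ConsentError(Exception):
    """Raised when processing is attempted without a valid consent."""


@dataclass
class Consent:
    purpose: str
    given_by: str  # holder id, or the guardian's id when the holder is a minor
    revoked: bool = False


@dataclass
class Holder:
    holder_id: str
    birth_date: date
    consents: dict = field(default_factory=dict)  # purpose -> Consent
    records: list = field(default_factory=list)   # (purpose, payload) pairs


def is_minor(birth_date: date, today: date) -> bool:
    """Age in completed years on `today`, compared with the assumed threshold."""
    age = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        age -= 1
    return age < ADULT_AGE


class Register:
    def __init__(self):
        self.holders = {}  # holder_id -> Holder

    def enroll(self, holder_id: str, birth_date: date) -> None:
        self.holders[holder_id] = Holder(holder_id, birth_date)

    def can_consent(self, holder_id: str, given_by: str, today: date) -> bool:
        """A minor cannot consent for themselves; someone responsible must."""
        h = self.holders[holder_id]
        return not (is_minor(h.birth_date, today) and given_by == holder_id)

    def give_consent(self, holder_id: str, purpose: str, given_by: str, today: date) -> None:
        """Consent is always tied to a named purpose (no blanket consent)."""
        if not self.can_consent(holder_id, given_by, today):
            raise ConsentError("minor: consent must come from a guardian")
        self.holders[holder_id].consents[purpose] = Consent(purpose, given_by)

    def revoke(self, holder_id: str, purpose: str) -> None:
        self.holders[holder_id].consents[purpose].revoked = True

    def is_allowed(self, holder_id: str, purpose: str) -> bool:
        """Processing for a purpose is allowed only under a live, unrevoked consent."""
        c = self.holders[holder_id].consents.get(purpose)
        return c is not None and not c.revoked

    def store(self, holder_id: str, purpose: str, payload: dict) -> int:
        """Refuse data collected for an unconsented purpose; returns record count."""
        if not self.is_allowed(holder_id, purpose):
            raise ConsentError(f"no valid consent for purpose {purpose!r}")
        h = self.holders[holder_id]
        h.records.append((purpose, payload))
        return len(h.records)

    def export(self, holder_id: str) -> dict:
        """Transparency: everything held about the holder, including consent state."""
        h = self.holders[holder_id]
        return {
            "records": list(h.records),
            "consents": {p: {"given_by": c.given_by, "revoked": c.revoked}
                         for p, c in h.consents.items()},
        }

    def purpose_fulfilled(self, holder_id: str, purpose: str) -> int:
        """Delete after use: drop every record collected for that purpose."""
        h = self.holders[holder_id]
        before = len(h.records)
        h.records = [r for r in h.records if r[0] != purpose]
        return before - len(h.records)

    def erase(self, holder_id: str) -> bool:
        """The holder asks for deletion of everything; True if something was removed."""
        return self.holders.pop(holder_id, None) is not None


if __name__ == "__main__":
    reg = Register()
    reg.enroll("adult-1", date(1990, 5, 2))  # constructed holder
    reg.give_consent("adult-1", "treatment", "adult-1", date(2020, 8, 1))
    reg.store("adult-1", "treatment", {"diagnosis": "sample"})
    print(reg.export("adult-1"))
```

The design choice worth noting is that `store` never consults a generic "consented" flag: every write names a purpose and is checked against a consent for that exact purpose, which is what lets revocation and deletion after use operate per purpose rather than all-or-nothing.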
A database vulnerability can lead to intrusion and data theft. In some cases the criminals' intent is to demand money in return for restoring the system to operation or in return for confidential data they have stolen. Such attacks cause a great loss of credibility for hospitals, in addition to very high financial losses, so the main impact in the health sector depends on how the requirements are applied. A study by IBM in partnership with the Ponemon Institute shows that the average cost of a data breach in Brazil is R$ 1.24 million per company. The survey also shows that Brazil is the country most likely to suffer security breaches: according to the researchers consulted by IBM, the probability that a company will suffer an attack is 43%, well above countries with a cybersecurity culture such as Germany (14%) and Australia (17%).
Several regulatory standards, whether from the ANS, Anvisa or the Federal Council of Medicine, already govern the use of data in health establishments. From now on, however, patients may have expanded access to the information held by hospitals, clinics and health plan operators, and may also demand correction and deletion of stored data, which will certainly require changes to the systems used by these establishments so that the information can be handled easily.
Also under the LGPD, a patient's personal data cannot be used to block access to a specific treatment, nor will the so-called health score be allowed, that is, pricing a health plan by assigning points derived from an individual's personal information.
How to adapt your company to the LGPD.
There is still much discussion about the scope of the law. It is not known whether it will be applied with the same rigor in inspection and punishment to multimillion-dollar organizations and to local businesses or NGOs, for example. In any case, any company with some form of customer registration will be subject to the LGPD. Here are some steps to keep your business, your data and your customers safe:
To meet the demands the LGPD makes on health, it is important to have a hospital management system. Such a system must adapt to the guidelines imposed by the law and offer updates that help the institution move to the new data protection model, which calls for innovation and technology in handling a health institution's sensitive data.
The first step is to create an Information Security Committee responsible for analyzing the current state of the data received and the current procedures. Within this process, compliance requires a detailed mapping of the personal data processed and its life cycle. Knowing where the data is, how it is stored, who has access, whether it is shared with third parties in Brazil or abroad, and what risks are associated with its life cycle are some of the essential questions that every organization must answer before establishing the implementation program. Technology will also be one of the important components for organizations, since the new law poses privacy management and governance challenges such as: management of consents (and their revocation), management of requests opened by holders (which, in some cases, must be answered immediately), management of the personal data life cycle (data mapping and data discovery), and implementation of anonymization techniques (anonymized data is not considered personal data, provided the process is not reversible).
Step by step to compliance.
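The reversibility condition at the end of the previous paragraph is the practical test of whether an "anonymization" step actually takes data out of the law's scope. Replacing names with random tokens while keeping a lookup table (pseudonymization) is reversible by whoever holds the table, so the output is still personal data for the controller; dropping direct identifiers and coarsening the remaining attributes until each combination is shared by several people (k-anonymity) keeps nothing that leads back to an individual. The following is an added example written for this article, not code from any of the systems or sources it mentions; the patient records, CPF numbers and CEP postal codes are constructed and not valid identifiers.

```python
"""Added example (not from the article or its sources): pseudonymization
(reversible, still personal data) beside k-anonymous generalization
(irreversible). Records, CPFs and CEPs are constructed sample data."""
from collections import Counter
import secrets

# Constructed sample: direct identifiers (name, cpf) plus quasi-identifiers
# (age, cep) whose combination can single a person out even without the name.
RECORDS = [
    {"name": "Patient A", "cpf": "000.000.001-00", "age": 34, "cep": "01310-100", "diagnosis": "hypertension"},
    {"name": "Patient B", "cpf": "000.000.002-00", "age": 37, "cep": "01311-200", "diagnosis": "diabetes"},
    {"name": "Patient C", "cpf": "000.000.003-00", "age": 52, "cep": "04538-132", "diagnosis": "asthma"},
    {"name": "Patient D", "cpf": "000.000.004-00", "age": 55, "cep": "04543-011", "diagnosis": "hypertension"},
    {"name": "Patient E", "cpf": "000.000.005-00", "age": 71, "cep": "20040-020", "diagnosis": "asthma"},
]
QUASI = ("age_band", "cep_prefix")  # attributes treated as quasi-identifiers


def pseudonymize(records):
    """Swap direct identifiers for random tokens but keep the reverse table.
    Because the table maps each token back to a person, the controller can
    undo the step: the output remains personal data under the LGPD."""
    reverse, out = {}, []
    for r in records:
        token = secrets.token_hex(8)
        reverse[token] = (r["name"], r["cpf"])
        out.append({"token": token, "age": r["age"], "cep": r["cep"],
                    "diagnosis": r["diagnosis"]})
    return out, reverse


def generalize(record):
    """Drop direct identifiers and coarsen quasi-identifiers (10-year age band,
    3-digit CEP prefix). No key or token is retained, so nothing points back."""
    lo = record["age"] // 10 * 10
    return {"age_band": f"{lo}-{lo + 9}",
            "cep_prefix": record["cep"][:3],
            "diagnosis": record["diagnosis"]}


def group_counts(rows):
    """How many rows share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in QUASI) for r in rows)


def is_k_anonymous(rows, k):
    """Irreversibility check: every combination must be shared by >= k rows,
    otherwise a lone row can be matched to one person from outside knowledge."""
    return all(n >= k for n in group_counts(rows).values())


def anonymize(records, k):
    """Generalize, then suppress rows whose combination is rarer than k."""
    rows = [generalize(r) for r in records]
    counts = group_counts(rows)
    return [r for r in rows if counts[tuple(r[q] for q in QUASI)] >= k]


if __name__ == "__main__":
    print("generalized only, 2-anonymous?",
          is_k_anonymous([generalize(r) for r in RECORDS], 2))
    for row in anonymize(RECORDS, 2):
        print(row)
```

On the constructed sample, generalization alone leaves Patient E as the only row in the (70-79, "200") group, so the set is not 2-anonymous until that row is suppressed; the pseudonymized copy, by contrast, is fully recoverable from the `reverse` table, which is exactly why the text treats it as still personal.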
1. Make a diagnosis
The first thing you need is clear knowledge of the current status of the data. What path does people's information currently take through the organization?
It is necessary to know the entire useful life of this data: collection, storage, the purpose of use, and so on. Depending on the size of the organization and the complexity of the services performed, it may be advisable to hire a consultancy. What cannot happen is being surprised by details of a process taking place within your company after the law is in effect.
2. Consult the legal bases
With the specific information about your business in hand, you need to go deeper.
Which parts of the process need to be reviewed to comply with the LGPD? This is the time to call the legal department, if there is one, or to consult expert advice. From this, a plan can be drawn up.
3. Define the agents
As seen above, the legislation defines some new figures: the data processing agents. An important part of planning will be defining who will be your controller and operator(s). It is also necessary to define the person in charge, responsible for contact with customers, with the internal public (employees) and with the newly created regulatory agency. Again, how this is implemented will depend on the company's stage of development. It may be necessary to hire personnel to perform these functions, to use specialized outsourced labor, or even to adapt current employees, depending, of course, on their profile and availability.
4. Invest in the relationship with the client
It is important to remember that the main objective of all this change is to increase the security of citizens and the transparency of companies. Customers can question the status of their data at any time or even ask for everything to be deleted. There is nothing better than facilitating communication channels with the public and maintaining an open and clear dialogue: the less threatened they feel, the lower the chance of problems.
The re-creation of the National Data Protection Authority (ANPD), authorized in June 2019, shows that the government is serious about enforcement when the law comes into force in August 2020.
The detail with which the legislation presents its definitions makes it clear that all processes, automated or not, will be in the crosshairs. The regulatory agency, created by means of a provisional measure, will be composed of 23 professionals. Five of them will make up the Directing Council and will be chosen and appointed by the President of the Republic, after approval by the Federal Senate, occupying commissioned positions.
The ANPD will be directly subordinate to the Presidency for the first two years after implementation. It will then be transformed into an autarchy, with independence of action.
What happens to those who break the LGPD?
The LGPD imposes varying sanctions on anyone who breaks its rules.
Initially a simple warning is issued, setting a deadline for correcting the irregularity. Fines of up to 2% of the company's net sales may also be applied, capped at R$ 50 million, and a daily fine is also possible. Another form of punishment is disclosure of the irregularity in data processing, making the infraction public if it is confirmed after investigation. Likewise, personal data can be blocked and even removed from the organization's system.
Technology is a strong ally in the process of adapting to the LGPD, but it is also essential to have training so that the adaptation is done well.
Domino effect of LGPD.
Following the GDPR model, the General Data Protection Law also has extraterritorial application, so that any company that handles data from Brazilian citizens or foreigners residing in Brazil, even if it does not have a head office or branch in Brazil, has to regularize itself according to Brazilian law.
All processes that require processing of personal data must comply with the law. To avoid fines and interruption of their activities in Brazil, companies will seek to regularize themselves and will demand that partner companies do the same.
For this reason the LGPD is said to have a “domino effect”: companies need every stage of their process to comply with the law, including the steps in which they deal with partner companies.
The LGPD is a major breakthrough for personal data security in Brazil, as it is the first Brazilian law to deal with the subject and really assures users control of their personal data, giving them more privacy through clear rules that dictate how personal data must be processed and what the user's rights are. Although some parts of the law are still somewhat ambiguous and need to mature, the LGPD does provide guidelines for data processing, removing several uncertainties that previously surrounded the field.
The challenge, therefore, is adapting services and products to comply with the LGPD, since by 2020 anyone who wants to do business in Brazil will have to have their personal data processing policy regularized. To this end, cybersecurity companies can provide consultancy services to help companies and other entities comply with the law, avoiding the damage that may arise if the law is not observed.
Sources
Wareline, “LGPD and Health: how does the law directly affect the sector?”, accessed 10/18/2019. https://www.wareline.com.br/legislacao/lgpd-na-saude-como-lei-atinge-o-setor/
MV, “5 questions about LGPD in the context of Digital Health”, accessed 10/18/2019. http://www.mv.com.br/pt/blog/5-perguntas-sobre-a-lgpd-no-contexto-da-saude-digital
Ottoni, Breno, “The LGPD regulation and the Health Sector”, accessed 10/18/2019. https://politica.estadao.com.br/blogs/fausto-macedo/a-regulamentacao-da-lgpd-e-o-setor-de-saude/
Team Totvs, “LGPD: The manual for understanding the general data protection law”, accessed 10/18/2019. https://www.totvs.com/blog/lgpd-o-manual-para-compreender-a-lei-geral-de-protecao-de-dados/
Arbulu, Rafael, “Is your company ready for LGPD? See what the experts say”, accessed 10/18/2019. https://canaltech.com.br/legislacao/a-sua-empresa-esta-pronta-para-a-lgpd-veja-o-que-dizem-os-especialistas-144711/
Andrade, Marcio, “LGPD Brasil: how to comply with the General Law for the Protection of Personal Data”, accessed 10/18/2019. https://blog.contaazul.com/lgpd-lei-geral-protecao-dados-pessoais