On 18 October 2023, the Brazilian Data Protection Authority (ANPD) issued its third sanction, which was the second against a public entity (see our alerts about the first and second ANPD sanctions).
According to the ANPD, a security incident resulted in 1.2 million medical records being exfiltrated from the medical-care waiting-list database of Santa Catarina's State Health Secretariat (Secretaria de Estado de Saúde de Santa Catarina, "SES/SC"), affecting roughly 48,000 people and several categories of personal data (including full names, relatives' data, ID, addresses, phone numbers, and health data).
Following the incident, the ANPD sanctioned SES/SC, arguing that:
(i) SES/SC failed to timely submit a data protection impact assessment, despite ANPD’s order to do so, which was an alleged violation of Art. 38 of the LGPD;
(ii) it took seven months for SES/SC to notify the affected individuals about the foregoing incident, which was an alleged violation of Art. 48 of the LGPD. According to the ANPD, SES/SC allegedly published only a public notice on their website and has failed to notify affected individuals to date;
(iii) SES/SC failed to implement security controls to protect the confidentiality of personal data (i.e., to ensure that personal data is accessible only by authorized individuals), which resulted in the incident, constituting an alleged violation of Art. 49 of the LGPD; and
(iv) SES/SC did not submit in a timely manner the documentation requested by the ANPD during the investigation (i.e., a technical assessment of the incident) stating (a) the affected categories of personal data and individuals, and the methodology used by SES/SC to identify them, and (b) whether the affected server kept access logs, an alleged violation of Art. 5 of Resolution No. 01/2021 of the ANPD.
The investigation into SES/SC began at the end of 2021, on the basis of the law enforcement notification SES/SC itself had filed with the ANPD. It took almost a year for the ANPD to conclude the investigation and the subsequent administrative phase and to issue a decision. This decision can be challenged through an administrative appeal handled by the ANPD's board of directors.
No fine was issued against SES/SC, as the LGPD does not allow fines against public entities. Therefore, SES/SC was subject to:
(i) an admonition ordering SES/SC to keep the public notice to affected individuals available on SES/SC’s website for 90 days, and send an individualized notification to each affected data subject; and
(ii) three other admonitions for violations of Arts. 38 and 49 of the LGPD and Art. 5 of Resolution No. 01/2021. However, no order was issued, as (a) the violation of Art. 38 was cured by the late submission of the data protection impact assessment, (b) the violation of Art. 49 was fully addressed by the late implementation of security controls by SES/SC, as evidenced during the administrative process, and (c) although the violation of Art. 5 persisted, as no technical assessment of the incident was submitted to the ANPD, the authority was able to ascertain the relevant information from the data SES/SC did provide; in other words, there was no need to request further information.