Aiming to support its associates and telehealth companies in the country in understanding current legislation, the Digital Health Brazil Information Security and Data Protection Working Group has been sharing knowledge on the topic.
Since February 2023, anyone who fails to comply with the General Data Protection Law (Law 13,709/18 or “LGPD”) may in fact be punished. Although the administrative sanctions of the LGPD have been in force since August 1, 2021, the National Data Protection Agency (ANPD) had not yet defined the rules for their application. With the regulation of the dosimetry of administrative sanctions recently published by the regulatory agency, administrative proceedings that provide for penalties can now in fact be instituted.
For healthcare providers in a technological environment, since they deal with a high volume of sensitive personal data, the new dosimetry regulation demands special attention, and institutions in this scenario must comply with the standard. In this way, it is possible to avoid legal or administrative proceedings due to alleged data processing that may be considered irregular or illegal.
“According to the understandings issued by both the ANPD and the Judiciary Branch, it is possible to see that agents who process sensitive personal data using innovative technologies may be one of the focuses of investigation at this time. There are signs that there is a map of priority issues to be addressed by the authority in relation to administrative proceedings and, in this sense, based on the information obtained so far, it can be deduced that in order to define preferential issues, characteristics such as the nature of the business and the risks of processing will be considered”, explains Luiza Teotônio, a lawyer in the Digital Law area at the Machado Nunes Law Firm.
Aiming to address in more detail the parameters used by the ANPD to classify sanctions and the methodology that will be applied when calculating fines, Saúde Digital Brasil, through the Information Security and Data Protection Working Group, held a meeting to discuss the new regulations with a focus on the health and technology sector.
The objective is that, based on this knowledge, institutions can understand how to adjust internal procedures to be in better compliance with what the Authority has decided, and how such regulations currently impact telehealth in Brazil.
Understanding the impact of the new dosimetry regulations
The LGPD has a varied list of administrative sanctions, ranging from a simple fine, publication of the infraction, and blocking or deletion of personal data, through partial suspension of the operation of the database, to suspension or partial or total prohibition of the exercise of activities related to data processing.
Luiza also emphasizes that, although only the ANPD is responsible for instituting administrative sanctions provided for in the LGPD, other authorities, such as PROCON (Consumer Protection and Defense Program), SENACON (National Consumer Secretariat), CADE (Administrative Council for Economic Defense), the Public Prosecutor's Office and other instances of the Judiciary, can also institute other demands aimed at data protection.
“Although the ANPD is the central body for interpreting the Law and establishing standards and guidelines for its implementation, the regulatory agency already has technical cooperation agreements signed with these entities, such as SENACON and CADE. The idea is to develop joint activities on topics that generate repercussions in the areas of activity of the agencies involved. There are already specific cases under analysis by the Authority that involve cooperative action with these agencies and with the Public Prosecutor's Office,” she emphasizes.
Furthermore, it is important to note that companies that are investigated or sanctioned may experience other consequences in the market that go beyond administrative punishment, such as the reaction of customers, consumers, investors and other stakeholders.
“If the violation is made public, one of the sanctions provided for in the LGPD, the organization may experience a breach of trust with its own consumer audience. This could become a problem, especially when it involves the improper exposure of sensitive personal data. For example, a situation in which a patient's health data is made public against their will.”
Furthermore, for institutions that provide telehealth products and services, especially to other agents in the segment, the absence of information security measures, as determined by the LGPD or the contractual adjustments signed, may result in a breach of contract.
Regarding measures to minimize potential impacts, the expert explains that digital health companies must seek to comply not only with data protection legislation, but also with other regulations in the sector. Hence the importance of having the support of experts capable of interpreting the rules in a broad and correlated manner so that, in this way, there can be practical application to the challenges faced in the day-to-day activities of these institutions.
“Considering that regulatory requirements and the evolution of technologies used are constantly emerging or changing, it is recommended that companies seek to understand how the sector is organizing itself to respond to ANPD requirements. This is crucial, for example, to avoid misconduct analyses by these institutions during administrative proceedings,” concludes Victor Prata, coordinator of the Information Security and Data Protection Working Group at Saúde Digital Brasil.
The Information Security and Data Protection Working Group is an exclusive group for members of Saúde Digital Brasil, made up of lawyers specializing in data protection and professionals in the area of information security. The Group deals with aspects related to information and systems security and encompasses issues related to data protection. Saúde Digital Brasil has participated extensively in regulatory initiatives, as well as encouraging the implementation of good practices and promoting internal discussions, mainly in working groups, to publicize regulatory changes and gather information on the needs of its members, in order to dialogue with regulatory entities, seeking greater harmony and enabling compliance with legal and regulatory standards by all entities in the sector, especially by its members. To become a member, please contact us by email at contato@saudedigitalbrasil.com.br.