ANPD sanctions another public entity

The National Data Protection Authority (ANPD) published on October 18, 2023 its second sanction against a public entity in Brazil. The target of the new sanction was the Santa Catarina State Health Department. ANPD found the Department guilty of four infractions:

  • Gaps in information security: negligence in the security of personal data storage systems, infringing article 49 of the General Data Protection Law (LGPD);
  • Failure to report incidents: the Department suffered a security incident and did not inform the affected data subjects about which personal data were involved in this incident (it is estimated that about 300 thousand data subjects were victims of the incident). The lack of clarity, inadequacy and untimeliness of the communication to the victims of the incident was considered a violation of article 48 of LGPD, which provides for the obligation of the personal data controller to communicate the occurrence of a security incident to ANPD and to the personal data subject;
  • Data Protection Impact Assessment (DPIA): the Department did not submit the DPIA requested by ANPD, consequently violating article 38 of LGPD and article 5 of ANPD's Inspection Regulation (Resolution CD/ANPD No. 1/2021), as the Department would not have provided the information required by the Authority.

In view of the violations, ANPD applied four warning sanctions, one for each article violated. The Department shall take corrective measures such as keeping a notification of the security incident on its website for 90 days and informing the holders of personal data who were victims of the incident.

ANPD's first sanction on a public entity had been published on October 6, 2023, whereby the General Coordination of Inspection (CGF) concluded an administrative sanctioning proceeding against the Institute for Assistance to the State Public Servant of São Paulo (IAMSPE). The Institute was sanctioned for not keeping its storage systems secure, as well as for failing to communicate with its personal data subjects in a clear, adequate and timely manner when a security incident occurred.

Azevedo Sette's TMT team remains available to provide clarifications.