On 18 October 2023, the Brazilian Data Protection Authority (ANPD) issued its third sanction, which was the second against a public entity (see our alerts about the first and second ANPD sanctions).

According to the ANPD, a security incident resulted in 1.2 million medical records being exfiltrated from the medical care waiting list database of Santa Catarina's State Health Secretary (Secretaria de Estado de Saúde de Santa Catarina, "SES/SC"), affecting roughly 48,000 people and several categories of personal data (including full names, relatives' data, ID, addresses, phone numbers, and health data).

Following the incident, ANPD sanctioned SES/SC, arguing that:

(i) SES/SC failed to timely submit a data protection impact assessment, despite ANPD's order to do so, which was an alleged violation of Art. 38 of the LGPD;

(ii) it took seven months for SES/SC to notify the affected individuals about the foregoing incident, which was an alleged violation of Art. 48 of the LGPD. According to the ANPD, SES/SC allegedly published only a public notice on their website and has failed to notify affected individuals to date;

(iii) SES/SC failed to implement security controls to protect the confidentiality of personal data (i.e., ensure that personal data is accessible only by authorized individuals) which resulted in the incident, constituting an alleged violation of Art. 49 of the LGPD; and

(iv) SES/SC did not timely submit the documentation requested by the ANPD during the investigation (i.e., a technical assessment of the incident) stating (a) the affected categories of personal data and individuals, and the methodology used by SES/SC to identify them, and (b) whether the affected server kept records of access logs, which was an alleged violation of Art. 5 of Resolution No. 01/2021 of the ANPD.

The investigation into SES/SC began at the end of 2021, on the basis of the law enforcement notification SES/SC itself had filed at the ANPD. It took almost a year for the ANPD to conclude the investigation and subsequent administrative phase and to issue a decision. This decision can be challenged through an administrative appeal handled by ANPD's board of directors.

No fine was issued against SES/SC, as the LGPD does not allow fines against public entities. Therefore, SES/SC was subject to:

(i) an admonition ordering SES/SC to keep the public notice to affected individuals available on SES/SC's website for 90 days, and send an individualized notification to each affected data subject; and

(ii) three other admonitions following violations of Arts. 38 and 49 of the LGPD, and Art. 5 of Resolution No. 01/2021. However, no order was issued, as (a) the violation of Art. 38 was cured with the late submission of the data protection impact assessment, (b) the violation of Art. 49 was fully addressed with the late implementation of security controls by SES/SC, as evidenced during the administrative process, and (c) although the violation of Art. 5 persisted, as no technical assessment of the incident was submitted to the ANPD, the authority was able to ascertain the relevant information based on the data provided by SES/SC – in other words, there was no need to request further information.


© Copyright 2020. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.
