The importance of the Principle of Responsibility and Accountability in the ANPD's inspection and sanctioning processes based on the LGPD
By Caroline Teófilo, DPO, partner at Peck Advogados.
On October 18th, the National Data Protection Authority (ANPD) published a sanction applied to the Health Department of the State of Santa Catarina (SESC-SC) for violation of the General Personal Data Protection Law (LGPD), after a security incident in its systems resulted in personal registration and medical data being made available.
According to Report no. 4/2023, the Controller, despite having communicated the incident to the ANPD, did not present, even after being requested to do so, (i) a technical report on the handling of the incident, (ii) proof of communication to the data subjects, or (iii) the Personal Data Protection Impact Report (RIPD).
The non-presentation of the RIPD resulted in non-compliance with Article 38 of the LGPD. Article 48 deals with the Controller's obligation to communicate the occurrence of incidents that may cause significant risk or damage to data subjects. Although there was a general communication on the Controller's website, even after several requests from the ANPD and a reasonable period of time had passed, there was no individualized communication to the affected data subjects.
The last violation was related to non-compliance with Art. 49, which determines that systems used in the processing of personal data must meet security requirements, standards of good practice and governance, in addition to the general principles of the LGPD.
All processing agents must implement Privacy Governance Programs that enable:
- Definition and implementation of an effective Incident Response Plan, with simulations;
- Maintenance of evidence of the process for handling data subject requests and of the actions taken in the face of incidents;
- Definition of those responsible and ways of responding to ANPD requests in the event of incidents;
- Implementation of security controls in the development of systems that enable the maintenance of confidentiality, integrity and availability of personal data.
However, it was evident in the ANPD's decision that the Controller was unable to demonstrate the RIPD, the communications carried out, or the security controls implemented in its systems. Therefore, it is essential that Privacy Governance Programs are able to demonstrate compliance with the principles of data protection laws.
Source: PartnerSales