The Brazilian General Data Protection Regulation (GDPR) provides legal guidelines for the processing of personal data. In healthcare, this means that any person treated by a professional, institution, or health network has the right to the confidentiality of information concerning him or her. This confidentiality covers, except in cases already provided for by law, all information concerning the data subject that comes to the attention of the healthcare professional.
According to the Brazilian GDPR, personal data is all information relating to an identified or identifiable natural person, that is, a natural person who can be identified, directly or indirectly. Health-related data and genetic data of identified or identifiable persons are, by definition, sensitive personal data that have a higher criticality and must therefore be protected. To quote the law:
II – sensitive personal data: personal data concerning the racial or ethnic origin, religious conviction, political opinion, membership of a labor union or of a religious, philosophical, or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
An individual’s health-related data is diverse and poses a major security challenge. While the development of digital technologies has enabled increasingly comprehensive and accurate processing, the privacy issues that such processing entails are becoming more apparent.
What do data subjects need to pay particular attention to?
Consent: when the processing of personal data requires the consent of the data subject, such consent is only legally valid if it is given on the basis of correct information, freely and clearly. Consent is usually required for most processing of sensitive data not carried out by health professionals, and in the case of sensitive data it must be given explicitly.
The processing of health data through digital technologies is increasingly common. Therefore, private actors will have to be vigilant when collecting individuals’ consent by electronic means, in particular by creating an effective system that is transparent to users.
Data Protection: patient data must be protected from unauthorized or unlawful access and from loss, sharing, or destruction, even accidental. It is therefore necessary to establish appropriate security measures.
The adoption of security measures must cover physical, technical, and organizational aspects. This becomes even more important in the case of tools and systems for the provision of online health services, including telemedicine.
Transparency: this is one of the principles of the Brazilian GDPR. Any data processing must be done in a transparent manner. The data subject must be informed of which personal data will be processed and the form of processing, in addition to other information. Thus, he or she can consciously decide whether or not to share his or her personal data.
Purpose: this is another important principle of the Brazilian GDPR. The data collected should only be used for legitimate, specific purposes that have been explicitly communicated to the data subject.
Right of revocation: when data processing is based on the data subject’s consent, he or she can revoke that consent and stop the processing at any time. It is also possible to request the deletion of the previously processed data.
Right of access: any person has the right to request from the data controller all information regarding the processing of their personal data, as well as a list of the third parties with whom the data may have been shared.
A company that handles sensitive data, such as that concerning an individual’s health, may be required to appoint a DPO (Data Protection Officer), which we have talked about before. This may be the case depending on the volume of data handled.
Here at Pryor Global, we offer DPO outsourcing services so that our clients can count on the support of a technical team skilled in data security and privacy. Talk to one of our specialists now!