Brazil recently joined the group of countries that have passed specific legislation regarding the use, protection, and sharing of their citizens’ data. In effect since September, the General Personal Data Protection Law (LGPD) establishes individuals’ rights over their data and standardizes the criteria and requirements that companies and public agencies must follow to provide appropriate care when handling personal information and sharing it with third parties. The new legislation also stipulates a daily fine of up to R$50 million and partly or completely prohibits activities related to the handling of collected data in cases of non-compliance. This raises questions among researchers, especially those working in the fields of social, health, and human sciences, whose studies involve collecting, handling, and analyzing personal information from research volunteers.
As a consequence, universities are mobilizing to adapt to the new law. The primary challenge these institutions face today in complying with the new legislation is the need to expand infrastructures and train teams specialized in information security and data curation. “Managing data gathered by research projects remains the responsibility of the study coordinator, but under the LGPD, processing personal, sensitive information for scientific work in a safe and controlled environment has become the responsibility of the research institutions,” explains sociologist Bethânia de Araujo Almeida, of the Center for Integration of Data and Health Knowledge of the Oswaldo Cruz Foundation (CIDACS-FIOCRUZ), in Bahia. “This means that these institutions will have to invest in computing capacity and training personnel to ensure adequate workflows for collecting, processing, storing, and accessing data. All of this requires resources, something most Brazilian universities and research institutes today don’t have.”
There are also concerns regarding administrative and institutional data, especially those contained in academic enrollments, employee records, and medical records, among others. At the University of Campinas (UNICAMP), this information is spread across decentralized structures. In light of these issues, at the beginning of the year UNICAMP created its Data Protection Management Committee, made up of representatives from every department. “Each of them is evaluating the data held in their systems to identify what needs to be protected,” explains Teresa Atvars, the university’s general coordinator. She is referring to what are called sensitive data, i.e. information regarding racial, ethnic, genetic, or religious beliefs, and data referring to people’s health or sex lives recorded in medical records at the institution’s Hospital de Clínicas. “Once identified, this information will be passed on to a central manager, who will decide how to protect it. It’s a complex job, given the size of the university.”
The University of São Paulo (USP) also created a management group to adapt to the new law. “The Information Technology Department will be responsible for the operational handling of the data, while the human resources, undergraduate, and graduate sectors, among others, will make decisions about which data need to be protected and how it will be done,” says João Eduardo Ferreira, superintendent of Information Technology at USP and coordinator of the working group heading the institution’s management committee. USP also has concerns regarding attempts to breach this data. In addition to investing in data-protection systems, it created the Hackers do Bem [white-hat hackers] program, in which computer science undergraduate and graduate students use system invasion techniques to test the security of protected information. “The idea is to identify potential vulnerabilities. The ones we’ve identified so far are minimal, but significant,” Ferreira says.
FAPESP is also moving to adapt to the new legislation. In late September the foundation created a team made up of representatives from its principal departments, to discuss what steps must be taken to bring the institution into compliance with the LGPD requirements. The measures proposed for adoption will be collected in a report which is scheduled to be presented in early November, says Fernanda Rizek, technical coordinator of FAPESP’s Administrative Directorate.
“Universities are at a pivotal moment of risk assessment and mitigation,” comments Ivar Hartmann, a law professor at Fundação Getulio Vargas Law School (FGV) in Rio de Janeiro. This process takes place in the middle of a debate around the organization of the National Data Protection Authority (ANPD), created to make enforcing the LGPD viable, since its sanctions will go into effect in August 2021. Hartmann clarifies that the main question surrounding the ANPD concerns its autonomy in relation to the executive branch, to which it is linked. On October 16, the president appointed five directors for the new agency. Three come from the military.
The association Data Privacy Brasil conducted a survey of the 20 most developed nations in the world, as defined by criteria from the International Monetary Fund (IMF). They found military personnel working in the agencies responsible for protecting personal data in only two other countries: China and Russia, whose governments are accused of violating fundamental rights, for example, by legitimizing surveillance regimes on their citizens. “It had been feared that in Brazil the ANPD would end up under the umbrella of the Institutional Security Office of the Presidency of the Republic. Fortunately, that didn’t happen,” Hartmann says. “Even so, it’s essential that the agency is transparent and to those ends it needs to be independent, since it will produce regulations that will be followed by the executive branch itself.”
Even after its regulatory agency is established, the LGPD is expected to have little impact on research activity in Brazil. This is because studies involving human beings—and, by extension, the collection and analysis of their data—already comply with a set of rules that incorporate the principal data protection requirements and techniques provided for in the new law. “Concerns regarding the ethical aspects of handling personal data within the scope of science predates the current legislation and, in many ways, are even more incisive than the LGPD itself,” states attorney Danilo Doneda, from the Brazilian Institute of Education, Development, and Research (IDP) in Brasília, who is also a member of the National Data Protection and Privacy Council and a coauthor of the LGPD text.
Law professor Eduardo Tomasevicius Filho, from the USP Law School, goes even further. “The personal data protection laws in force worldwide—and now in Brazil—result from successful experiences involving rules for research with human beings that were established after the Second World War [1939–1945], first with the Nuremberg Code, in 1947, then with the Helsinki Declaration, in 1964, and the UNESCO [United Nations Educational, Scientific and Cultural Organization] Declaration of Bioethics and Human Rights, in the 1990s.” In Brazil, he explains, research with human beings is regulated by resolutions from the National Health Council (CNS).
One of the primary issues of the LGPD regards the need to obtain an individual’s consent to collect and process their personal data. The law also establishes that a person may revoke that consent at any time, as well as request that their data be blocked or excluded, totally or partially, from the databases in which they are stored. Similarly, the data must be managed based on the research objectives, which must also be disclosed to study volunteers prior to their consent. “It turns out that these tools are already included in the Free and Informed Consent Agreement [IC], as defined by the CNS,” says neuroscientist Iscia Lopes Cendes, from the School of Medical Sciences (FCM) at UNICAMP.
IC agreements are used by university Research Ethics Committees to assess the ethical standards of research with human beings, regardless of the field of study. “It clarifies the details of the study for volunteers, and the study’s objectives, risks, and possible benefits, among other points, so that subjects can knowingly express their willingness—or not—to participate in the research. No proposal for scientific research involving data on human beings is approved without this document,” confirms Cendes, who is a member of the UNICAMP Research Ethics Committee. “The IC also guarantees that the confidentiality of study participants’ personal information will be preserved, in accordance with what is now stipulated in the LGPD,” Tomasevicius points out.
Researchers today use two techniques to ensure the privacy of their research volunteers’ data. One of them is anonymization, whereby information that could lead to the identification of the data subject is deleted. The other is de-identification (or pseudonymization). In such cases, information that would allow a research subject to be identified, such as their name, date of birth, race, etc., is separated from the main data. This information is not deleted but is kept under the control of the study coordinator. “They’re the only person with access to this data,” explains Cendes. Each researcher stores this data according to the methodology described in the study and in the consent form submitted to the Research Ethics Committee.
Claudia Bauzer Medeiros, a researcher at the UNICAMP Computing Institute and a coordinator for the eScience and Data Science programs at FAPESP, believes the LGPD doesn’t initially introduce anything new into researchers’ routines for collecting and sharing data, but there is a fear that it may be interpreted by judges in ways that would be detrimental to scientific activity. For example, to ensure that information on an individual participant in a clinical trial or study in anthropology cannot be identified within research data, the law requires that “all reasonable technical means” capable of providing anonymization be used. “But suppose that a computer scientist develops new software and that, after 20 years running on supercomputers it’s able to identify a specific person, or, because it has prior knowledge of certain other confidential information, such as a radiography, it can associate particular data with that person. To me, it’s clear that such situations don’t fall within the bounds of reasonableness provided for by the law, but there could always be questions in the courts,” Medeiros says. The presumptive risk is that the LGPD would weaken efforts to encourage the sharing and reuse of research data, or that it could even compromise Brazil’s participation in international collaborations. “What can’t happen is that researchers stop sharing data in order to avoid the risk of breaking the law. That would be terrible for the advancement of science,” she adds.
Ferreira, from USP, clarifies, however, that the law is clear in saying that whenever data is published or shared it is required to be anonymized. This applies both to internal initiatives, involving data sharing in institutional repositories, and to external initiatives, as in the case of the Covid-19 Data Sharing/BR platform, launched in June this year, which contains laboratory, clinical, and demographic information from around 180,000 individuals who underwent Covid-19 diagnostic tests. “The data is anonymized from a personal, clinical, and georeferenced standpoint, so that researchers who reuse it don’t have access to information that would enable the identification of an individual the data refer to,” he says. Medeiros, who coordinated the creation of the FAPESP Data Repositories Network that the Covid-19 Data Sharing/BR platform is linked to, notes that any patient data that details identifiable characteristics, such as a rare disease, are not shared.
“Researchers aren’t interested in individuals’ personal information, but rather in patterns or associations regarding a group of people that emerge from the data set being analyzed,” adds Almeida, from CIDACS-FIOCRUZ. Even so, she emphasizes that according to the LGPD, the information that the data will be shared must appear in the Informed Consent agreement signed by volunteers. “There won’t be problems if data subjects authorize the sharing and reuse of their data under certain terms and conditions that aim to guarantee its ethical, legal, and responsible processing and use in research with converging goals.”
The new law also allows data sharing with other countries as long as they provide a degree of protection equal to the LGPD. “Consequently, the new legislation shouldn’t affect scientific collaboration between Brazil and European countries, since they have an even more robust law than ours in this area: the General Data Protection Regulation, approved in 2016, which inspired the Brazilian law,” explains law and information scientist Adriana Carla Oliveira, from the Federal University of Rio Grande do Norte (UFRN). The United States does not have such a law. In July, the European Court of Justice invalidated the transfer of personal data between EU countries and the United States because it considered the Privacy Shield pact did not adequately protect data, a move which affected companies that operate in the EU but store their data on the other side of the Atlantic, such as Google and Facebook. “The key word when it comes to data sharing in scientific practices aligned with open science, now more than ever, is anonymization,” says Ferreira.Republish