ANPD issues two warnings to public body for data leaks

ANPD issues two warnings to public body for data leaks

A decision that concluded the administrative sanctioning process of the National Data Protection Authority (ANPD) against the public body Instituto de Assistência ao Servidor Público Estadual de São Paulo (IAMSPE) was published in the Federal Official Gazette on October 6. The authority applied two warning sanctions to the Institute for non-compliance with the provisions of the General Law on the Protection of Personal Data (LGPD).

In February 2023, the ANPD approved the Regulation on the Measurement and Application of Administrative Sanctions, which determined the criteria to be adopted for applying the nine sanctions provided for in the LGPD. Since then, through administrative proceedings, all the sanctions can be applied, considering the particularities of each specific case.

The case in question involves a complaint that reported vulnerabilities in information systems maintained by IASMPE that would allow access to information in its database without the use of valid credentials. Among the information that could be accessed were names, dates of birth, addresses and telephone numbers, as well as copies of documents such as IDs, driver’s licenses and proof of residence.

The ANPD issued the two warnings for non-compliance with articles 48 and 49 of the LGPD, and according to the report on which the decision was based, “the possible non-compliance with art. 48 was due to the fact that IAMSPE did not communicate individually to all the affected data subjects within the time allowed, as determined by the CGF/ANPD. In addition, the institute did not provide any reasonable justification for doing otherwise.”

With regard to the violation of article 49, the decision indicates that the public body failed to implement controls to guarantee the confidentiality of the data, in order to ensure that the information was accessible only to those authorized to have access. On this point, the report also mentions the principle of security and the principle of responsibility and accountability, both contained in Article 6 of the LGPD.

The ANPD’s decision and instruction report can be accessed via the link: PAS nº 00261.001969/2022-41