In 2018, it was approved and Brazilian General Data Protection Law (LGPD), with the aim of providing better treatment to the use of personal data. To adapt to the legislation, Unicamp began the processes of mapping the use and flow of data in the institution. The project pilot began in February at the Community Health Center (Cecom), a unit that works with a large volume of physical and digital data.
“Unicamp is working to understand how the law works and verify what personal data we need to protect in each of our workplaces, checking which data exists and which needs to be protected”, explains the general coordinator of Unicamp. University, Teresa Atvars. To this end, the Data Protection Steering Committee (CGPD), which is the group responsible for the work. The initiative was taken by professor Paulo Lício de Geus.
O General Coordinator of the Information and Communication Technology Coordination at Unicamp (CITIC) and member of the Committee, Sandro Rigo, observes that the survey, in an institution the size of Unicamp, means complex and broad work. “Although we are just starting out, we are ahead of most institutions. Unicamp not only stores a lot of data, but exchanges data with a lot of people. This will somehow have to be documented and catalogued. We will have an x-ray of Unicamp, from a data point of view, that never existed”, he states. He also emphasizes that the Law does not mean the non-use of data, but rather guarantees the right to use only those data that are necessary, and with consent.
The pilot
At Cecom, the work routine involves working with data from the entire academic community, such as physical and electronic records. That's why he was chosen to be the pilot. Cecom coordinator, Patricia Asfora Falabella Leme, highlights that, in health bodies in general, there is already a concern about patients' sensitive data. Being able to further guarantee the security of this data is very beneficial for her.
“We have already separated all processes and identified those that use personal data. We will carry out a security diagnosis and it is interesting to map out why we are co-responsible for the security of this data. From the moment we have the diagnosis, we can take actions to assure the user that their sensitive data is being well taken care of”, says Patricia.
To guarantee the quality of the work, workshops on process identification methodologies, in addition to meetings between the Cecom and CGPD teams, are taking place periodically. The CGU technical assistant who is part of the CGPD, Silviane Duarte Rodrigues, points out that, in this initial stage, the data is recorded and verified, and then documented.
Knowing the purpose for which the data is being used and how long it is being stored is also part of the mapping. “By making this diagnosis, we identify opportunities for improvements and possible weaknesses in the system and processes. All of this generates action plans so that we, as an institution, can guarantee protection”, he observes.
After the work at Cecom and with the methodologies already improved, the CGPD should elect a new body to continue the project.