Following the guidelines of the General Data Protection Law (LGPD), Unicamp approved this Tuesday (6), in the Administration Chamber (CAD), the creation of the Privacy and Data Protection Management Committee and the Unicamp Privacy Policy. University. This one The document aims to inform the categories of data processed at the University, how they are used and what measures are adopted to keep them safe. It thus establishes Unicamp's commitment to the privacy of personal data under its responsibility, whether those of members of the academic community, suppliers or users of health services. But why is this important? To help you understand better, we have prepared a special report covering the trajectory of the LGPD and the challenges of its application in the context of science, research and education.
With the digitization of processes and the popularization of the internet, private and public institutions began to move millions of personal data. Data collection takes place at different moments in everyday life: from registering at a pharmacy to using social networks. In educational institutions, there is also a flow and storage of data, which focuses on information about the academic community. Examples include sociodemographic data, bank account information for employee and scholarship payments and medical records of health service users.
In order for society to have greater knowledge about what this data is and for greater security and control in its use, the LGPD was developed, approved by the National Congress and sanctioned in 2018. It came into force in August 2020 and until the next year all institutions must adapt, under penalty of sanction. In a video produced for the special report on the LGPD, reporter Felipe Mateus explains how the provision of data is present in our daily lives and explains how the legislation should work.
In relation to the application of the Law at Unicamp, the approval of the Privacy Policy and the Privacy and Data Protection Steering Committee was not the first step. In January 2020, the Committee had already been created Data Protection Manager (CGPD), made up of Information Technology (IT) professionals, who had already been studying the topic, and integrated into the General Coordination of Unicamp (CGU). The CGPD began to put into practice the data protection improvement project personnel in March 2020.
SAccording to the University's general coordinator, Teresa Atvars, the task of adapting to the legislation is not complex, but the application of the LGPD is an important step so that everyone can have information about how the data will be used and for what purposes. “It is a law that protects citizens. At the University, we have the personal data of many people, for various types of purposes. The University is responsible for their safekeeping and cannot use them for other purposes. What applies to Unicamp applies to everyone”, he observes.
“After a period of study and understanding of the scope of the LGPD, we are prepared to begin the process of applying the requirements of the Law. It is not easy. Unicamp has a complex ICT [Information Technology] system, personal data dispersed across multiple systems, a huge health area without integration of systems and databases, so there will be a great institutional effort to be carried out”, says Teresa .
Necessary steps for more security
To begin the process of mapping data flows at the University, CGDS chose a pilot unit for the work: the Community Health Center (Cecom). At Cecom, an organization that works with a large amount of physical and digital data, and where there is already concern about data arising from medical confidentiality, training was carried out with employees on process identification methodologies.
In this initial stage, which will be carried out in all Unicamp bodies, where the data is stored, its origin and where it circulates is recorded and verified. Furthermore, the purpose for which the data is being used and for how long it is being stored is identified. After mapping, a risk report is generated, which indicates, for example, where security needs to be strengthened.
Professor Paulo Licio de Geus, coordinator of Information and Communication Technology at Unicamp and member of the CGPD, notes that this step is crucial to verify whether there is sensitive data and whether it really needs to be stored. “It is necessary to minimize exposure to sensitive data. If there is sensitive data, I need to identify what it is, whether I should host it and for how long I can host it. If the data residence time window decreases, the chance of private data leakage problems decreases,” he explains.
After the pilot at Cecom, the methodologies were improved and five more units will carry out the same process by the end of 2020: General Directorate of Human Resources (DGRH) Caism Hemocentro, Student Support Service (SAE) and Faculty of Applied Sciences (FCA ). Afterwards, the methodology will be generalized across Unicamp.
For the last stage, according to Professor Paulo Licio, the possibility is foreseen for each member of the academic community to request information about the data that the University has about them. The deletion of information that is not essential to Unicamp may be requested. “The third stage is the part in which the user can request all personal information about them in any Unicamp system and request to delete everything that was possible”, he says.
LGPD and research ethics
Another axis of incidence of the LGPD in educational institutions is related to ethics in research. Check out the video produced by the reporter from the Dean of Extension and Culture (ProEC/Unicamp) and doctoral student at Department of Scientific and Technological Policy (DPCT/Unicamp) Gabriela Villen an analysis of the subject carried out by Cristiana de Oliveira Gonzalez, doctoral student at the Gleb Wataghin Institute of Physics (IFGW/Unicamp); Gustavo Rodrigues, from the Laboratory for Advanced Studies in Journalism (Labjor/Unicamp) and Maria Cecilia Oliveira Gomes, lawyer specializing in Privacy and Data Protection.
The coordinator of the Research Ethics Committee (CEP) at Unicamp, Renata Maria dos Santos Celeghini, recalls that there are already standards and guidelines regulating research involving human beings, defined in Resolution 466/2012. “This resolution states that research must provide procedures that ensure confidentiality, privacy, image protection and non-stigmatization of research participants, guaranteeing that information will not be used to the detriment of people or communities”, she points out.
Furthermore, the document establishes that the free and informed consent form must be signed by the research participant. It contains all the necessary information to clarify how the research will be conducted. Guaranteeing the maintenance of confidentiality and the privacy of participants are also points highlighted in the resolution and, in this sense, the LGPD aligns with the standard that is already in force and reinforces the need for anonymization and privacy.
Regarding the challenges regarding the protection of databases, Renata assesses that the development of Artificial Intelligence raises concerns regarding the re-identification of anonymized data. “Computers are able to cross-reference information at such a high speed that, in some cases, it is not possible to guarantee 100% that anonymization will be maintained and that the data cannot be re-identified, due to these new algorithms”, she explains.
For the researcher, this has become a research concern in several scientific fields, which are dedicated to creating more robust algorithms and ways of processing data without risk to the identity of those involved. “But we need to recognize that complete anonymity is increasingly difficult as the ability to compare large data sets improves. The more difficult it is to maintain anonymous data, the more important the possibility of excluding personal data from a data set becomes”, says Renata, remembering that it is the participants’ right to request the deletion of data from banks.
Em podcast produced by reporter Juliana Franco, two social scientists, Rafael Evangelista, researcher at the Laboratory of Advanced Studies in Journalism (Labjor), and professor Diego Vicentin, from the Faculty of Applied Sciences (FCA Limeira), argue that the issue of data protection should be approached without falling into the Manichaeism that tends to contrast positive and negative aspects of new technologies. They evaluate the impacts of the LGPD in the country and comment on recent publications that explore the relationships between technology and surveillance in times of coronavirus. Both are part of the Latin American Network for Studies on Surveillance, Technology and Society (Lavits), which aims to bring together researchers, activists and artists from different countries in the region who work on these themes. Check out:
LGPD as an opportunity
Legislation for data protection is seen as an opportunity in several ways by the members responsible for the project to improve data protection at Unicamp. According to Silviane Rodrigues, CGU technical assistant who is part of the Committee, through the work that has been carried out, the university has come to know itself better, thus being able to act on data minimization. “We have gone through an era of large volume of data, where everything is asked and now it is time to minimize, to think about data privacy and security. It is a great opportunity for our education and science sector so that, in addition to complying with the LGPD, we have privacy and that this is part of this culture from now on”, she assesses.
Another opportunity, says Silviane, is the simplification of processes, as different units of the University often ask the same questions. By identifying this problem, it is possible to reduce the burden of questions for data subjects.
In Professor Paulo Licio's assessment, in relation to critical data, security tends to improve and this is important as sensitive information publicly disclosed can cause multiple damages. Concern about data privacy, he recalls, began to emerge around 20 years ago, when the internet became more accessible to the public, and now it is necessary to rethink data collection mechanisms. Universities, which were at the forefront in the use of the internet, now also have the opportunity to take on the role of criticizing the negative impacts of the use of technology on society and act to minimize them.
“We are reaching such a high level of computerization and participation in networks that it is time to start raising this concern. The law comes as a consequence. Instead of collecting and collecting data, you need to think about whether it is really necessary. It is time for society to rethink this unbridled data collection mechanism”, he ponders.
Technical sheet
General coordination: Patrícia Lauretti
Reporting and production: Felipe Mateus, Gabriela Villen, Liana Coll and Juliana Franco
Text editing (portal): Liana Coll
Photo: Antonio Scarpinetti and Antoninho Perri
Photo editing: Renan Garcia
Video editing and arts: Kleber Casablanca
Podcast editing: Juliana Franco
General production and technical support: Marcos Botelho Jr. and Octávio Silva