ANPD Find Lack of Privacy Maturity by Pharmacies

Brazil’s National Data Protection Authority (ANPD) has released their notes following an investigation into the use of personal data in the pharmaceutical sector. There were concerns regarding practices and whether they complied with LGPD. There were multiple concerns regarding privacy policies. Some sites did not provide any information at all regarding their privacy policy and other failed to provide important information.

The ANPD have said as a whole the policies lacked:

  • Conceptual precision
  • Maturity as to data protection
  • Information for the data subject
  • Clarity on the treatment of personal data.

Loyalty Programs

Those with loyalty programs didn’t address how they store and process the data involved in these programs. Others failed to provide information on how personal data is shared with service providers, social networks and security and regulatory authorities.

For those with loyalty programs and offering discount coupons and cashback offers there were many issues with missing information. The legal bases for which any data was collected was not made clear. Individuals were also not informed that there were data sharing agreements with advertisers, service providers, authorities and other third parties. It was not clarified what data was shared and there was no information on how data is processed within pharmacies.

There were concerns regarding whether a consumer’s right to information request would encounter problems if their information had been used within a loyalty program.

Additionally, there were issues found in the way that points accumulated could end up creating sensitive information about individuals. As purchases are made and points are accumulated the purchase history is noted. By noting multiple purchases you could gather information regarding a persons health or sex life. This would be fine if the legal bases for this data collection was made clear, which it hasn’t been.

There is no reason why loyalty programs cannot take place but there must be transparency between the company and the individuals.

Biometric Data

Some pharmacies were also found to be using the biometric data of customers. Some ways it was being used was to identify customers, validate customers’ registration and to prevent fraud.

Biometric data can be used but must meet the principles of necessity and minimization. It may not be the only form of identity verification and if it can be done via non-sensitive personal data then it should be considered whether there is any reason to be using biometrics.

When collecting biometric data there needs to be a face-to-face conversation where the consumer is made aware of what this means for data processing. Any biometric data being compromised can cause serious harm to the data subject impacted.

A blue gradient background which is darker in the bottom right and lighter in all other corners. In the centre is a logo for Value Privacy. It is value privacy written in white, privacy is bold, value is not and there is a yellow fullstop after privacy. Underneath this logo is written "Making Privacy Simple" in yellow

Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.

You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.

Previous Post

Sports Betting Company Fined for Storage of Payment Data

Next Post

US Senators Call On Google to Delete Sensitive Locations

Related Posts