Brazilian national health agency publishes manual on data protection for the health sector

The Brazilian national health agency (ANS) published a manual that contains information about the law No. 13.709 of 14 August 2018, General Personal Data Protection Law (LGPD). The manual includes general aspects of the law, role and obligations by the data protection agency, corporate governance, type of data, and penalties. In addition, the manual outlines the ANS’ understanding of consent for the processing of personal data, while clarifying that there is no requirement for consent when the data is necessary for the following actions: (a) the fulfilment of a legal obligation; (b) conducting studies by research bodies; (c) the fulfillment of contracts; (d) preservation of a person’s life and physical integrity; (e) the supervision of procedures conducted by health or sanitary profesional; (f) prevention of fraud; (g) legitimate interest. Moreover, the manual states that operators of private healthcare plans are prohibited from processing health data for risk assessment, profiling and excluding beneficiaries.