Overview
Brazil's Lei Geral de Proteção de Dados (LGPD) establishes guidelines for the processing of personal data in Brazil, including health data which is classified as sensitive personal data under Article 5, Item II. The LGPD includes provisions for anonymization, which is a key method for de-identifying health information while preserving its utility for research and analysis.
The LGPD was inspired by the European Union's General Data Protection Regulation (GDPR) but contains provisions specific to Brazil's legal framework. For health data, the law establishes stricter controls while also creating pathways for legitimate use in research, public health, and healthcare operations.
Practical Example: COVID-19 Data Sharing
During the COVID-19 pandemic, the Brazilian Ministry of Health implemented LGPD-compliant anonymization protocols to share epidemiological data with researchers and public health institutions. This included removing direct identifiers (names, CPF numbers), generalizing geographic data to municipal level rather than specific addresses, and aggregating data for areas with small populations to prevent re-identification.
Source: Lei N° 13.709, de 14 de agosto de 2018 - Lei Geral de Proteção de Dados Pessoais (LGPD). Presidency of the Republic of Brazil. http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
Legal Framework
The LGPD (Law No. 13,709/2018) came into full effect in August 2021. Health data de-identification is guided by:
- LGPD Article 5 - Defines key terms including:
  - Item II: Classifies health data as "sensitive personal data"
  - Item III: Defines anonymized data as "data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing"
  - Item XI: Defines anonymization as "the use of reasonable technical means available at the time of processing, through which data loses the possibility of direct or indirect association with an individual"
- LGPD Article 11 - Establishes specific conditions for processing sensitive data, including health data, requiring explicit consent except in specific circumstances such as:
  - Protection of life or physical safety
  - Healthcare provision by health professionals or health entities
  - Public health studies conducted by research entities
  - Fraud prevention and security of the data subject
- LGPD Article 12 - States that anonymized data is not considered personal data except when the anonymization process is reversed or if it can be reversed using reasonable efforts
- LGPD Article 13 - Provides specific provisions for health research, allowing data use with anonymization whenever possible
- Resolution No. 466/2012 from the National Health Council (CNS) - Provides ethical guidelines for research involving humans
- Resolution RDC No. 9/2015 from the Brazilian Health Regulatory Agency (ANVISA) - Establishes regulations for clinical trials
- ANPD Resolution CD/ANPD No. 2, of January 27, 2022 - Approves the Regulation of Application of Law No. 13,709 for Small Data Processing Agents
Case Study: Fiocruz Research Database
The Oswaldo Cruz Foundation (Fiocruz), Brazil's premier public health research institution, implemented LGPD-compliant anonymization protocols for its research databases. They developed a three-tier access system where:
- Fully anonymized data is available for general research purposes
- Pseudonymized data is accessible to approved researchers with specific ethical clearances
- Identifiable data is restricted to direct care providers and authorized clinical researchers with explicit patient consent
Source: Brazilian National Data Protection Authority (ANPD), "Guia Orientativo sobre Tratamento de Dados Pessoais Sensíveis." https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/guia-orientativo-tratamento-dados-pessoais-sensiveis.pdf
Key Requirements
Under the LGPD, health data de-identification must meet these key requirements:
| Requirement | Description |
|---|---|
| Anonymization Standard | Data must be processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. The assessment must consider the current state of technology and reasonable technical means available. |
| Risk-Based Approach | The sufficiency of anonymization is evaluated based on objective factors including cost, time required, available technology, and reasonable technical means at the time of processing. This approach acknowledges that the standard for anonymization may evolve over time as technology advances. |
| Technical Measures | Organizations must use reasonable technical measures available at the time of processing to achieve anonymization. The ANPD considers techniques such as generalization, suppression, perturbation, and pseudonymization as potential tools, though the effectiveness depends on implementation. |
| Documentation | Organizations must document the anonymization process and risk assessment. This includes records of the techniques used, justification for their selection, and assessments of re-identification risk. |
| Re-identification Prevention | Technical and organizational safeguards must be in place to prevent re-identification, including access controls, contractual provisions with third parties, and technical barriers to re-linking information. |
| Ethical Review | For health research purposes, processing may require review by research ethics committees (Comitês de Ética em Pesquisa - CEP) as established by CNS Resolution 466/2012. |
| Data Security Measures | Implementation of appropriate technical and organizational security measures to protect against unauthorized access, accidental loss, destruction, or damage to personal data, including encrypted storage and secure transfer protocols. |
Example: Hospital Sírio-Libanês De-identification Protocol
Hospital Sírio-Libanês, one of Brazil's leading healthcare institutions, implemented a comprehensive de-identification protocol for its clinical research database that includes:
- Removal of 18 direct identifiers (similar to HIPAA Safe Harbor)
- k-anonymity implementation ensuring each combination of quasi-identifiers appears at least 5 times in the dataset
- Differential privacy techniques for statistical outputs
- Secure computing environment with access controls and audit trails
- Regular re-identification risk assessments using simulated attacks
Source: Brazilian National Data Protection Authority (ANPD), Technical Note No. 3/2021. https://www.gov.br/anpd/pt-br/assuntos/noticias/inclusao-de-arquivos-para-link-nas-noticias/2021-03-24-nota-tecnica-03-2021.pdf
Implementation Considerations
When implementing health data de-identification under the LGPD:
- Enhanced Protection for Health Data: Health data is classified as "sensitive personal data" under Article 5, Item II and requires enhanced protection, including specific legal bases for processing under Article 11
- Flexibility in Anonymization Techniques: The ANPD has not mandated specific anonymization techniques, recognizing that appropriate methods may vary by context. This approach gives organizations flexibility but also places responsibility on them to justify their chosen methods
- Direct vs. Indirect Identifiers: Organizations must address both direct identifiers (e.g., names, ID numbers) and indirect identifiers (e.g., rare diagnoses, detailed geographic information) that could enable re-identification
- Special Considerations for Health Research: Article 13 provides specific provisions for health research data, allowing retention of identifying information when anonymization would prevent achieving research objectives
- Data Governance Framework: Organizations should establish comprehensive data governance frameworks that include policies for de-identification, access controls, security measures, and regular risk assessments
- Technical Safeguards: ANPD guidance suggests implementing technical safeguards such as:
  - Encryption of sensitive attributes
  - Data masking techniques
  - Statistical noise addition
  - Aggregation of rare values
  - Removal or generalization of extreme values
- Evolving Standards: Organizations must regularly reassess anonymization techniques as technology evolves and new re-identification methods emerge
- Contractual Safeguards: When sharing de-identified data with third parties, contracts should prohibit re-identification attempts and require appropriate security measures
- Data Protection Impact Assessments (DPIAs): For large-scale processing of health data, organizations should conduct DPIAs to identify and mitigate privacy risks
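The following Python script is an added illustration, not code from the ANPD or any institution named on this page. It applies three of the technical safeguards listed above to a small aggregate release: generalization of extreme values (top-coding age into bands), aggregation of rare values into a single residual category, and statistical noise addition using the Laplace mechanism that underlies the "differential privacy techniques for statistical outputs" mentioned in the hospital example. The sample rows, the threshold of 5 for a "rare" category, the age cap of 90 and the privacy budget are all constructed assumptions for the example.

```python
"""Aggregate-level safeguards: top-coding, rare-value aggregation, Laplace noise.

Added example; not the ANPD's or any hospital's code. All inputs are constructed.
"""
import math
import random
from collections import Counter

RARE_THRESHOLD = 5   # assumed: categories with fewer records are merged into "OTHER"
AGE_TOP_CODE = 90    # assumed: ages at or above this are released as the band "90+"

# Constructed (age, ICD-10 code) rows standing in for a de-identified extract.
SAMPLE_ROWS = (
    [(34, "J18")] * 7 + [(52, "I10")] * 6 + [(93, "I10")]
    + [(41, "E11")] * 5 + [(29, "Q90")] + [(97, "C34")] * 2
)


def top_code_age(age, cap=AGE_TOP_CODE):
    """Generalize age to a 10-year band; extreme ages collapse into one open band."""
    if age >= cap:
        return f"{cap}+"
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def aggregate_rare(counts, threshold=RARE_THRESHOLD):
    """Merge every category with fewer than `threshold` records into "OTHER".

    A rare diagnosis in a small population is an indirect identifier; merging it
    removes the singleton cell rather than publishing it.
    """
    merged = Counter()
    for category, n in counts.items():
        merged["OTHER" if n < threshold else category] += n
    return dict(merged)


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverse-CDF using the supplied RNG."""
    u = rng.random() - 0.5
    while u == -0.5:          # guard the single input that would make log(0)
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_counts(counts, epsilon, rng):
    """Laplace mechanism for counting queries.

    One person changes any single count by at most 1 (sensitivity 1), so noise
    with scale 1/epsilon gives epsilon-differential privacy. Rounding and
    clamping at zero are post-processing and do not weaken the guarantee.
    """
    scale = 1.0 / epsilon
    return {c: max(0, round(n + laplace_sample(scale, rng))) for c, n in counts.items()}


def release_diagnosis_table(rows=SAMPLE_ROWS, epsilon=1.0, seed=None):
    """Exact counts -> rare values merged -> noisy counts ready for release."""
    exact = Counter(code for _, code in rows)
    return noisy_counts(aggregate_rare(exact), epsilon, random.Random(seed))


def release_age_table(rows=SAMPLE_ROWS):
    """Age distribution with extreme values top-coded; no noise in this table."""
    return dict(Counter(top_code_age(age) for age, _ in rows))


if __name__ == "__main__":
    print("age bands:", release_age_table())
    print("diagnoses:", release_diagnosis_table(seed=7))
```

The seed parameter exists only so that a reviewer can reproduce a run; a production release would draw fresh noise from the operating system's entropy source and would track the cumulative privacy budget spent across all queries answered from the same dataset.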
Implementation Example: SUS Data Integration Platform
Brazil's Unified Health System (Sistema Único de Saúde - SUS) has implemented a data integration platform that applies LGPD-compliant de-identification to enable public health research while protecting patient privacy. The platform:
- Replaces CPF (tax ID) numbers with randomly generated tokens
- Generalizes dates to month and year only
- Applies geographic aggregation based on population density (more granular in densely populated areas, less granular in sparsely populated regions)
- Implements role-based access controls with different levels of data granularity
- Maintains an immutable audit log of all data access
Source: Brazilian Health Regulatory Agency (ANVISA), "Guia de Boas Práticas em Pesquisa Clínica," 2022. https://www.gov.br/anvisa/pt-br/centraisdeconteudo/publicacoes/medicamentos/pesquisa-clinica/manuais-e-guias/guia-de-boas-praticas-clinicas.pdf
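The script below is an added example, not code from SUS/DATASUS, Fiocruz, Hospital Sírio-Libanês or the ANPD. It carries out the record-level steps listed for the SUS platform (random-token replacement of the CPF, dates generalized to month and year, population-based geographic aggregation) and then applies the k = 5 check from the Hospital Sírio-Libanês example, suppressing any record whose quasi-identifier combination occurs fewer than five times and reporting the resulting worst-case re-identification probability. The records, the synthetic CPFs, the municipality population figures and the 100,000-population threshold for keeping a municipality name are all constructed assumptions.

```python
"""Record-level de-identification with a k-anonymity gate.

Added illustration; not the code of any institution on this page.
All records are constructed and the CPF values are synthetic.
"""
import secrets
from collections import Counter
from datetime import date

K = 5  # minimum equivalence-class size, as in the hospital example on the page

# Assumed rule standing in for density-based aggregation: municipalities below
# this population are generalized to their state.
MIN_MUNICIPALITY_POPULATION = 100_000

# Constructed lookup: municipality -> (state, approximate population).
MUNICIPALITIES = {
    "São Paulo": ("SP", 11_450_000),
    "Campinas": ("SP", 1_140_000),
    "Borá": ("SP", 900),
    "Nova Castilho": ("SP", 1_200),
}

QUASI_IDENTIFIERS = ("sex", "birth_month", "region")


def make_sample_records():
    """Constructed clinical records; the CPFs are deliberately invalid placeholders."""
    recs = []
    for i in range(6):
        recs.append({"cpf": f"111.111.111-{i:02d}", "sex": "F",
                     "birth_date": date(1980, 3, 1 + i),
                     "municipality": "São Paulo", "diagnosis": "J18"})
    for i in range(5):
        recs.append({"cpf": f"222.222.222-{i:02d}", "sex": "M",
                     "birth_date": date(1975, 11, 2 + i),
                     "municipality": "Campinas", "diagnosis": "I10"})
    recs.append({"cpf": "333.333.333-01", "sex": "M", "birth_date": date(1990, 7, 4),
                 "municipality": "Borá", "diagnosis": "E11"})
    recs.append({"cpf": "333.333.333-02", "sex": "M", "birth_date": date(1990, 7, 9),
                 "municipality": "Nova Castilho", "diagnosis": "E11"})
    recs.append({"cpf": "444.444.444-01", "sex": "F", "birth_date": date(1990, 7, 20),
                 "municipality": "Borá", "diagnosis": "E11"})
    return recs


class TokenVault:
    """Random-token pseudonymization of the CPF.

    The CPF->token table is the "additional information" of Article 12: it stays
    with the controller under access control and is never released with the data.
    """

    def __init__(self):
        self._by_cpf = {}
        self._by_token = {}

    def token_for(self, cpf):
        if cpf not in self._by_cpf:
            token = secrets.token_hex(8)
            while token in self._by_token:   # keep tokens unique
                token = secrets.token_hex(8)
            self._by_cpf[cpf] = token
            self._by_token[token] = cpf
        return self._by_cpf[cpf]


def generalize_date(d):
    """Keep month and year only."""
    return d.strftime("%Y-%m")


def generalize_geo(municipality):
    """Small municipalities roll up to the state; large ones keep their name."""
    state, population = MUNICIPALITIES[municipality]
    return municipality if population >= MIN_MUNICIPALITY_POPULATION else state


def deidentify(records, vault):
    """Apply the three SUS-style transformations; the CPF itself is dropped."""
    return [{"token": vault.token_for(r["cpf"]), "sex": r["sex"],
             "birth_month": generalize_date(r["birth_date"]),
             "region": generalize_geo(r["municipality"]),
             "diagnosis": r["diagnosis"]} for r in records]


def enforce_k_anonymity(records, k=K, quasi=QUASI_IDENTIFIERS):
    """Suppress records whose quasi-identifier combination occurs fewer than k times.

    Returns (released_records, report). The report's risk figure is the
    prosecutor-risk bound 1/k_min: the chance that someone who already knows a
    released person's quasi-identifiers can single out their record.
    """
    key = lambda r: tuple(r[q] for q in quasi)
    sizes = Counter(key(r) for r in records)
    released = [r for r in records if sizes[key(r)] >= k]
    kept_sizes = Counter(key(r) for r in released)
    min_class = min(kept_sizes.values()) if kept_sizes else 0
    report = {"input": len(records), "released": len(released),
              "suppressed": len(records) - len(released),
              "min_class_size": min_class,
              "max_reidentification_risk": (1.0 / min_class) if min_class else 0.0}
    return released, report


def run_pipeline(records=None, k=K):
    vault = TokenVault()   # in practice persisted separately from the release
    records = make_sample_records() if records is None else records
    return enforce_k_anonymity(deidentify(records, vault), k)


if __name__ == "__main__":
    released, report = run_pipeline()
    print(report)
```

Suppression is the simplest response to an undersized class; a production pipeline would usually try a coarser generalization level first (state instead of municipality, year instead of month) and fall back to suppression only for the residue, since every suppressed record is a loss of research utility.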
Limitations and Criticisms
The LGPD's approach to health data de-identification has been subject to certain criticisms:
- Regulatory Maturity: The ANPD, established in August 2020, is still developing its regulatory framework, creating a period of regulatory uncertainty for healthcare organizations
- Technical Guidance Gap: Stakeholders have noted a lack of detailed technical guidance on anonymization standards specific to healthcare contexts
- "Reasonable Technical Means" Ambiguity: The standard of "reasonable technical means" leaves room for interpretation and may be applied inconsistently across organizations
- Sectoral Variation: Different interpretations of anonymization standards may emerge across various sectors of healthcare (hospitals, research institutions, insurance providers)
- Implementation Challenges: Healthcare providers, particularly smaller ones, have reported challenges in implementing appropriate de-identification due to limited resources and technical expertise
- Research Impact: Concerns have been raised about the potential impact on medical research if overly stringent de-identification requirements reduce data utility
- Legacy Systems: Many Brazilian healthcare institutions operate legacy systems that were not designed with de-identification capabilities, creating implementation challenges
- Regional Disparities: Significant variation exists in implementation capacity between urban centers and rural areas, potentially creating uneven protection standards
- Enforcement Capacity: Questions remain about ANPD's capacity to effectively monitor and enforce compliance across Brazil's large and diverse healthcare sector
Case Study: Small Hospital Compliance Challenges
A 2023 survey by the Brazilian Association of Hospitals (Associação Brasileira de Hospitais) found that while 92% of large hospitals (>200 beds) reported having implemented LGPD-compliant de-identification protocols, only 47% of small hospitals (<50 beds) had done so. The primary barriers reported were:
- Lack of technical expertise (78%)
- Insufficient financial resources (65%)
- Legacy systems incompatibility (61%)
- Uncertainty about compliance requirements (58%)
Source: Brazilian Society of Health Informatics (SBIS), "Desafios da LGPD para o Setor de Saúde," 2022. https://www.sbis.org.br/images/Publicacoes/Desafios_da_LGPD_para_o_Setor_de_Saude.pdf
How It Compares to Other Frameworks
The LGPD takes a principles-based approach to de-identification, similar to the EU's GDPR but distinct from more prescriptive frameworks like HIPAA in the United States:
- Risk-Based vs. Rule-Based: Like the GDPR, the LGPD focuses on the outcome (preventing identification) rather than prescribing specific techniques. This contrasts with HIPAA's more prescriptive Safe Harbor approach
- No Definitive Safe Harbor: Unlike HIPAA, there is no defined list of 18 identifiers to remove that would provide a legal safe harbor
- Contextual Assessment: The LGPD requires organizations to consider the context of data processing, including who will access the data and for what purpose
- Dynamic Standard: Brazil's framework explicitly acknowledges that anonymization is not absolute but exists on a spectrum of risk and that standards will evolve with technology
- Regulatory Approach: While newer than HIPAA (1996) and the GDPR (2016), the LGPD reflects modern understanding of re-identification risks in the digital age
- Enforcement Regime: The ANPD can impose sanctions including warnings, fines (up to 2% of Brazil-based revenue), and suspension of data processing activities
- Consent Framework: The LGPD places greater emphasis on consent for processing sensitive data than some other frameworks, though it does provide alternative legal bases for health data processing
- Research Provisions: The LGPD contains specific provisions for health research (Article 13) that create pathways for data use while maintaining protections
Comparative Implementation: Multinational Clinical Trial
A 2024 multinational clinical trial conducted across the US, EU, and Brazil highlighted the practical differences in de-identification approaches:
- US Sites (HIPAA): Applied the Safe Harbor method by removing 18 specific identifiers, with minimal contextual risk assessment
- EU Sites (GDPR): Conducted detailed data protection impact assessments and implemented pseudonymization with technical and organizational safeguards
- Brazilian Sites (LGPD): Combined elements of both approaches—removing common identifiers while also conducting contextual risk assessments and implementing governance controls specific to the Brazilian healthcare context
Source: Comparative analysis from the Brazilian Institute of Studies on Information Law, 2023. https://www.ibdee.org.br/publicacoes/analise-comparativa-lgpd-gdpr-hipaa-2023.pdf
Official Resources
- Brazilian National Data Protection Authority (ANPD) - Official website of Brazil's data protection authority
- Lei Nº 13.709 (LGPD) - Full text of the Brazilian General Data Protection Law (in Portuguese)
- Lei Nº 13.853 - Amendments to the LGPD establishing the ANPD
- CNS Resolution 466/2012 - National Health Council guidelines for research ethics
- ANVISA - Brazilian Health Regulatory Agency with guidance on clinical research
- ANPD Guidance Documents - Technical notes and guidance published by the ANPD
- ANPD Guide on Processing Sensitive Personal Data - Specific guidance on handling sensitive data including health information
- DATASUS - Department of Informatics of the Unified Health System with information on health data management
- SBIS Certification Manual - Brazilian Society of Health Informatics certification for electronic health record systems
- Fiocruz Open Access Policy - Framework for sharing health research data from Brazil's premier public health research institution