Date: 2021-10-30

Providing information such as name, phone number and address to participate in religious activities is a common practice. What will be done with this data, and how the institutions involved will store it, deserves attention.

Religious entities, as well as private organizations, such as telephone companies and pharmacies, need to comply with the rules of the LGPD (General Data Protection Law) and guarantee everyone’s privacy, according to experts consulted by Tilt.

In practice, there is no limit or rule on what information churches, centers, places of worship and others can and cannot gather about their participants. What they need to do is demonstrate, clearly and objectively, the reason for obtaining certain data.

And here it is worth mentioning: the LGPD is a general law and does not apply only to digital documents. Physical files therefore also fall under its umbrella of protection.

To answer questions and clarify the rules of the law as applied to religious institutions, the report heard from:

director of the Data Privacy Brazil Research Association, Rafael Zanatta, who works in defense of the right to privacy;

lawyer Renato Ópice Blum, director of the ABPD (Brazilian Association for Data Protection);

Network Rights Coalition, which represents organizations and researchers and activists who defend rights on the free Internet;

president of Instituto Sigilo (Brazilian Institute for the Defense of Personal Data Protection), Victor Gonçalves;

director of IP.Rec (Research Institute in Law and Technology of Recife), André Ramiro.

Can they ask for CPF and bank details?

Registering a name and cell phone number, for example, to invite the person to social activities is a plausible justification for the need for collection, storage and use. It is also not illegal to request information such as CPF, PIX or bank details, in the form of registration for tithing or donation.

However, respondents reinforce that the religious site must demonstrate that this information has a specific purpose, such as financial control of the institution. If you do not feel comfortable providing your data, you cannot be forced or coerced to do so.

According to attorney Ópice Blum, the use of information by these sites must be done with the individual’s express consent in most cases. That is, the person needs to make it clear that they agree to share their data after learning what will be done with it.

The collection and use of sensitive data (such as racial or ethnic origin, biometrics, genetics, sexual orientation, religion, health, political opinions) needs an extra layer of protection as it can be used for discriminatory purposes.

According to the lawyer, this authorization for use must be given separately from the others.

It could be done, for example, by accepting a descriptive document with detailed information about data processing, as with the Privacy Policies and Terms of Use that various applications use.

Is there any situation where consent is not required?

There are some situations in which personal data can be collected without the participants' authorization, according to the interviewees.

“These are cases where churches [and other religious entities] are involved in welcoming campaigns, emergency situations and life protection. They can ask for information without express consent,” explains Rafael Zanatta.

In any case, if there is a deviation from the purpose of use (such as sharing with other religious entities, political groups or economic agents), we will be faced with misuse of information and violation of data protection rules, he adds.

Can I request deletion of my data?

Yes. Henrique Bawden, coordinator of data governance and digital economy at Lapin, one of the 48 entities that make up the Rights on the Network Coalition, explains that it is possible to request at any time the elimination of information stored in the database of religious institutions.

In addition, as with private companies, the individual can demand that the religious institution provide a copy of all the data it has about him, as a kind of report, a right provided for in Article 18 of the LGPD.

Professor Guilherme Klafke, a researcher at FGV (Getúlio Vargas Foundation), points out that having a record of what measures the sites take to protect participants’ data and keeping a channel open for people to get in touch to change their data are two fundamental points.

In case of a leak, what to do?

Like any data processing agent, churches and other religious entities must keep security protocols up to date for the entire “useful life” of the data involved, from collection, through storage and ending with its elimination, when there is no longer a need to use it.

One of the challenges for more traditional religious institutions is that many things still remain in physical archives. In these cases, they must be kept in suitable places, without risk of fire or destruction, with access control and a clear definition of who can handle them.

For locations that use virtual systems, it is important to keep operating systems up to date and equipped with security programs.

This means maintaining strict controls for accessing databases, implementing strong encryption for their storage, and educating the people who are part of that administration to avoid risky behavior, such as clicking on malicious links or losing control of an access password, explain the interviewees.

Klafke emphasizes that it is necessary that institutions, even when small, maintain a basic security policy, since they work with sensitive data.

In situations of information leakage, the injured person must immediately notify the religious institution and report the incident through ANPD (National Data Protection Authority) channels. It is the body that will investigate and, if necessary, open an administrative proceeding against the religious entity.

If there is material or subjective damage — reputational or psychological — it is also possible to file a lawsuit against the site.

“Data leakage is very dangerous because it can compromise a person’s life, reaching the point of being threatened and blackmailed”, says the president of the Instituto Sigilo.

“The ANPD will also have to pronounce on the minimum security standards, especially taking into account the processing of sensitive data. This does not mean that certain security standards can no longer be adopted, at the risk of later liability of the religious entity”, concluded André Ramiro, from IP.Rec.