Using BPM for Identification and Processing of Personal and Sensitive Data of Donors: Conceptual Framework

: The stock of blood bags to serve the population of patients who need to be transfused is one of the main concerns of the Hemotherapy Services of Public Hospitals (PH). The complexity of managing the blood supply chain ranges from attracting blood donors to dispensing blood bags for transfusion. Understanding the chain processes and maintaining the security of personal and sensitive data from donors becomes one of the premises for public health organizations. The research aims to create and apply a conceptual framework that uses Business Process Management (BPM) approaches and concepts to support managing and securing donors’ personal data. The adopted method was the literature review based on scientific articles and the use of BPM in constructing the conceptual framework and applying it in a Hemotherapy Service (HS) of a Federal Public Hospital (FPH) in Brazil. By mapping the blood donation process and using the conceptual framework, possible failures were highlighted that could expose the personal and sensitive data of candidates for blood donation that would be in breach of the General Data Protection Law (LGPD). Using the conceptual framework with BPM to model an organizational process facilitates the identification of the vulnerabilities of the personal and sensitive data of the citizen that circulate in this process and disagree with the norms of the Law. Adherence to the scope of BJEDIS: This research introduces a blood donation process for the HS in a FPH. The objective is to practically apply the conceptual framework proposed here and in related studies. Notably, BPM, a hallmark of Industry 4.0, extends its influence to administrative processes. A Multidisciplinary Working Group (MWG) within the hospital is tasked with enforcing the LGPD through directives. This endeavor aims to establish a compliant business model across the institution, possibly influencing similar HS in other hospitals.


31
Federal University of Rio de Janeiro BJEDIS, Rio de Janeiro, Special Edition, v. 3 (1), 2024.DOI: https://doi.org/10.55747/bjedis.v3i1.60729ISSN: 2763-6925 One of the primary challenges faced by Federal Public Hospitals (FPH) in Brazil is ensuring an optimal blood supply to adequately cater to patients in need of transfusions.Furthermore, these hospitals must ensure the seamless operation of their organizational processes, particularly those that encompass a Hemotherapy Service (HS) or Blood Transfusion Service.These services encompass the critical tasks of blood collection, storage, and distribution of blood products throughout their production chain.Within this context, Ordinance 158/2016 (1) plays a significant role as it outlines the Technical Regulations for Hemotherapy Procedures.Article 1, paragraph 2, underscores that the sustainability of the entire blood production chain hinges on society's voluntary and altruistic spirit of donation.Prospective blood donors are required to be treated by the principles of universality, comprehensiveness, and equity within the Unified Health System (SUS).
This refers to the need for effective management of public organizations providing health services to capture the donor effectively and serve the patient efficiently.In addition, public health organizations are also governed by laws and one of them is the Brazilian General Data Protection Law (LGPD), Law N.º 13,709/2018 (2), which addresses the privacy of personal and sensitive data, security and availability of information to the public, not forgetting the treatment of these data.Therefore, the general objective of this article is to propose a conceptual framework using the conceptual approaches and best practices of Business Process Management (BPM) (3-10) so that a process and/or business analyst can identify vulnerable points in the organization's process that are in disagreement with the LGPD guidelines for the processing of sensitive personal data of the citizen.
This research holds significant relevance as it introduces a proposed blood donation process for the HS within an FPH with the aim of practical application of the conceptual framework put forth in this study and related works.Moreover, it's crucial to note that Business Process Management (BPM) represents a pivotal tool within the realm of Industry 4.0, extending its influence beyond traditional factory setups and physical production systems to encompass administrative processes and services (11).Another noteworthy aspect is the recent establishment of a Multidisciplinary Working Group (MWG) within the FPH, tasked with formulating overarching and specific directives to enforce the General Data Protection Law (LGPD).This endeavor involves the integration, implementation, and dissemination of a business model aligned with legal requirements across all sectors and strategic domains of the institution.This model, in turn, can serve as a blueprint for other Public and Private Hospitals housing Hemotherapy Services.

General Data Protection Law
The privacy of personal data has become a key security issue for various governments and companies around the world and, therefore, currently, approximately 120 countries have laws and/or regulations that aim to protect personal data that are maintained by public or private organizations (12).
One of these regulations is the General Data Protection Regulation (GDPR), which covers all residents of the European Union (EU) and applies, since May 25, 2018, to all EU Member States (13), but which was not limited to EU only, which brought consequences for many of these countries around the world, mainly in the management and sharing of health data (14)(15)(16).
The GDPR regulates and harmonizes personal data privacy laws across the EU, that is, guarantees the right of every EU citizen to control their personal data, making them their exclusive property and, making it difficult for companies to store this data without their consent (17)(18)(19).Thus, with this worldwide reach of the GDPR, Brazil sanctioned, on August 14, 2018, the General Data Protection Law (LGPD), Law 13,709 (BRAZIL, 2018), which came into force on September 18, 2020, and is based on the GDPR, the purpose of establishing the guidelines for the collection, processing, storage, and processing of personal data in Brazil (2,12,20,21).In this sense, the LGPD applies to both Brazilian and foreign organizations, even those that are not physically in Brazil, but provide services that involve personal data, in order to ensure privacy, that is, the ability of each individual to control their own data (21)(22)(23).

Information Security in the LGPD
The LGPD addresses information security concepts since the recommendation of organizations to use mechanisms to ensure physical security and access to information as well as the design of the service that will be provided until its execution (2,20).Thus, in Art.6, item VII, is addressed one of the principles of the LGPD which is security.This principle guides the "use of technical and administrative measures that can protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination" to ensure information security and data protection in general (2).Therefore, it is important that organizations have a privacy governance program that is systematically reviewed and is committed to complying with the LGPD and on the other hand, allows the user to know how the data processing is done using their information and at what point can end this processing when it is necessary (20).
There is, however, some possibility of processing users' data without their consent, such as in compliance with legal obligation, in the implementation of public policies created by legislation or regulation of the Federal Public Administration, for the protection of one's own life or of third parties, by health surveillance in procedures carried out by multidisciplinary health professionals, for health services and/or for fraud prevention and security assurance of the holder in the identification and authentication processes in electronic systems (20).Thus, the application of LGPD has become a challenge and should be seen as an opportunity to redesign systems and processes capable of bringing security to the processing of personal data, especially in sensitive systems, and that collect and process many personal data (26).

MATERIALS AND METHOD
It was used, for the literature review, in the period from June to September 2022, the bibliographic research based, mainly, in articles of journals of the Base Scopus.Regarding the mapping of the HS business process, the BPM tool was used, which is considered an initial "driver" of work for the diagnosis and, later, for the restructuring of organizational processes, that is, a tool that can be used to diagnose and adapt the current organizational processes (phase AS-IS), in addition to the computerized systems that support these processes, the new guidelines of the legal standards established in the LGPD.Therefore, BPM serves as a tool to support the identification of parts of organizational processes (3) that present some "fragility" and require greater attention from FPH.Thus, the organization can act in the improvement and/ or reformulation of these business processes (phase TO-BE) and/ or in the improvement of their systems in order to meet the rules governing the LGPD (2) with regard to data considered personal and sensitive data.Thus, the work proposal is divided into 3 stages and on average 4 activities per stage.A professional who understands the area of business processes in the organization, for example, can use the steps and activities developed from the conceptual framework to act in the identification and diagnosis of processes (phase AS-IS) that use personal and sensitive data.In this sense, the professional of the organization can act in the analysis of the process of a certain service, area, or sector of the hospital, for further improvement of this process (phase TO-BE) and processing and security of the data that are used during the execution of the activities and tasks for the organizational process to work.In addition, this proposal brings a conceptual approach to how personal and sensitive data can be identified in organizational processes and how to treat them, adapting them according to the legal norms of the LGPD.
The methodological design is explained in three stages, namely: 1st stage in which the mapping of the processes of the service, area, or sector of FPH occurs (Table 1); 2nd stage in which there is the diagnosis of these processes (Table 2) and the 3rd stage in which the adequacy of the processes to LGPD occurs (Table 3).Thus, below is briefly described how a solution was proposed to identify in the business processes of the organization the points of non-compliance with the LGPD.The 1st Stage, Process Mapping (phase AS-IS), focuses on the identification of personal data and is divided into 3 activities described in Table 1.Perform the mapping of the processes of the service, area, or sector of the hospital using the good practices of BPM.

2
Identify and point out in the processes which are the personal and sensitive data in each task and/ or activity that use this data, regardless of whether they are manual or systemic tasks.

3
Carry out the inventory of personal and sensitive data or create an initial (unrefined) data matrix with the identified data, classifying it as personal data and sensitive data.
In Stage 2, the diagnosis is made (phase AS-IS) and is divided into 5 activities described in Table 2. Identify in the mapped processes the tasks and/or activities that use personal and sensitive data.

2
Identify in the processes who are the main actors responsible for maintaining and using this data.

3
Identify in the mapped processes how these data enter the process, how they are organized, how and how they are manipulated, where and by what means, (for example spreadsheets, systems, email, digitization, and others) these data are processed in the processes and how they are discarded.

4
Identify which are the systems that offer vulnerability to the processes of the service, area, or sector of the hospital and where there is the crossing (borders of the processes) of data with the other services, areas, or sectors, in addition to the exchanges of data between systems, pointing out in the mapped processes (even if they are outside the scope of the current analysis), which data and systems cross the borders of other services, areas or sectors that use the same data.Thus, when this work approach is used in other services, areas or sectors of the hospital will already facilitate the initial diagnosis of the process (phase AS-IS) to be analyzed.

5
Refine the inventory sheet of personal and sensitive data or the initial data matrix of the previous step with the identified data, classifying them as personal data and sensitive data.
In Stage 3, the adequacy of organizational processes to the LGPD (phase TO-BE) is treated and is divided into 5 activities described in Table 3.

Table 3. The alignment of organizational processes with LGPD (phase TO-BE) in Stage 3
Activity Description Verify in the processes of the AS-IS phase which are the points considered critical and vulnerable that are exposing personal data and/or sensitive data.
Activity Description

2
Propose changes to the main actors and owners of the processes of the service, area, or sector of the hospital organization.

3
Redesign (phase TO-BE) the current processes in such a way that meet the legal compliance of the LGPD.These changes should also be thought of with a focus on adapting to ISO 27001 which addresses Information Security in the context of the organization.

4
Elaborate on the Risk Plan and Incident Responses, in case of leakage or Cyberattacks on personal data.In this case, the organization can adopt the practices and adapt them to the Safety Incident Response Guide, prepared by the Ministry of Planning.

5
Communicate the practices adopted to mitigate the risks of information leakage.
Finally, Fig. 1 summarizes a proposal for a conceptual framework of the organizational process (service, area, or FPH sector) to be analyzed to adapt them to the legal norms of the LGPD. Figure 1.Proposal for a conceptual framework to meet LGPD standards using BPM Therefore, it is through these three stages and the activities that make up each stage that a model is proposed that can treat personal and sensitive data, in addition to information security, using BPM as a support tool and at the same time, to meet the legal requirements imposed by the LGPD.

RESULTS AND DISCUSSION
In 2021, the HS of FPH performed approximately 14,569 transfused hemocomponents, which produced 9063 red blood cell concentrates, 8662 random platelet concentrates of 5 days, 8748 fresh plasma, 764 platelet concentrates per apheresis, 10 lymphocyte concentrates, 18 granulocyte concentrates and 72 hematopoietic progenitor cells, operating seven days a week, twenty-four hours a day.In addition, 12,014 screenings/year, captured 12,000 possible donors/year and performed 10,075 collections/year.With this demand and complexity, the interruption or failure at some point in the SSC process can lead to several problems in the treatment of patients who are treated in the HS of FPH and the capture of donors for the maintenance of their stock of blood bags.
Regarding the process, it begins when a candidate for blood donation arrives at the reception and receives a password (numbered plastic card) for arrival control.Then the candidate is called by the password and served in the reception sector.This service at the reception consists of registering the candidate for donation in the computerized system, hereinafter called the Hemotherapy Management System (SGH) of the HS, where the personal data of the candidate and the information on the type of donation are recorded.Thus, after the registration of the candidate, this register is now viewed in the service queue of the SGH of the clinical triage area, waiting at the reception to be called to one of the offices of the clinical triage sector.The employee of this sector (called "triador") calls verbally at the reception of the HS the candidate to be evaluated (weight, pressure, height, pulse, and hemoglobin) and then he is interviewed.
After the interview, if necessary, the "triador" sends the candidate to snack.However, if the candidate can triage, it will be viewed in the SGH service queue to perform blood collection.However, if he is unfit, the candidate is guided and released from the donation.Soon after, the candidate fit for the donation awaits to be called at the reception by the blood donation collection department, which occurs after a few minutes when the employee of this sector views the candidates in the SGH and calls the next candidate of the queue for attendance.
Thus, at the end of the blood collection, there is the completion of the form (screening questionnaire) by the employee who collected the donation data (beginning, end, total time, number of bag segments, number of homogenizers used, number of collectors, volume collected and if there were complications).Finally, the employee of this area sees if the donor is okay and if so, directs him to have a snack, releasing him then.
In the sequence, the employee of the blood collection area places the bag in a plastic tray containing the blood bag and blood tubes collected.Then the laboratory staff collects the tubes containing the blood for immunohematology and serology tests, as well as the employees of the fractionation area collect the tubes to perform fractionations of blood products and subsequent release of blood bags to be transfused.When the fractionation area arrives and if the result of the blood test is reactive, that is, after the tests, it turns out that some of the components are unsuitable for donation, the bag is discarded.In the laboratory area, if any non-conformity is found in the results of immunohematological and/or serological tests (reactive result), the donor is communicated by a registered letter to perform a second test/collection.Therefore, for a better understanding of the blood donation business process, the modeling of this process (phase AS-IS) performed in the HS of the FPH is presented in Figure 2.There are sub processes that were not modeled in this work, as it would make the model more complex .Through the mapping of the HS process (Figure 2) the points of vulnerabilities of the data, considered personal and sensitive, of the candidate for blood donation or the routine donor, are evident.Among these points of vulnerability is the form (screening questionnaire) on paper, which circulates between areas of the HS of the FPH.In the mapping carried out, the donation candidate himself takes the completed form from the reception waiting area to the clinical screening area so that the information is complemented by an employee who collects the blood.In addition, the security of donor and donor information may be compromised, because there is a need to survey the levels and types of access that are allowed to users during the service process and what types of data are available and do not hurt the LGPD.
Thus, Figure 2 was marked by circles with the points of attention in the blood donation process in which vulnerabilities were found and that must be corrected to adapt the donation process from the HS to the LGPD.In this way, at these points of the process marked, you can act, align and redefine (redesign) the process (phase TO-BE) to meet the minimum requirements or the entire.It is expected that this way the new process is adequate and adjusted to the current rules of the Law.It is essential that the activities proposed in the conceptual framework are documented, and that the artifacts (datasheet, risk plan, and responses to incidents) are in operation.In addition, to ensure security throughout the process, users and actors responsible for the processes, as well as the HPF, know how to act in the event of leakage of personal and sensitive data or any type of information that may compromise the identification of the donor candidate, who is donating, the doctor or even anyone related to the process.Therefore, for FPH processes to be aligned with LGPD ( 2  As recommended by activity 3 (Figure 1) of the proposed conceptual framework, there is a need for professionals of HS administration and the direction of FPH to reevaluate the AS-IS process with the main actors that interact with the organizational process.The communication should be part of the routine of the organization after the remodeling of the process, considering that the HS will already be aligned with the new guidelines of the LGPD making the process more effective, and efficient and therefore insurance for both the donation candidates and blood donors and the respective employees of the organization who work in the HS process.

Figure 2 .
Figure 2. Blood donation process approaching the AS-IS phase of a Hemotherapy Service of an FPH.
), there is a need for continuous training of all those involved in the pillars of the LGPD that deals with the protection of personal and sensitive data; define what limits and scope the LGPD acts on these organizational processes to understand what data (from the donor, the doctor or even a collaborator) can be disclosed, to whom and in what way; how they should circulate in the services of a public hospital or, between other services of the organization or even among other public hospitals; the alignment of all services of the public organization as: what types of data are sensitive or not; what types and forms the citizen's data (donors or patients) can be disclosed; how and what incidents, if any, should be reported to the National Data Protection Agency (ANPD) (27) to comply with the new regulations of the LGPD, as outlined in Figure 3.

Figure 3 .
Figure 3. Points of attention (vulnerabilities) of the blood donation process addressed in the AS-IS phase.

Table 2 .
Diagnosis (AS-IS phase) in the 2nd Stage