Before we delve into the position paper of the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK), it is important to discuss the exceptional nature of genetic data. Genetic data, defined in Art. 4 (13) GDPR and in Recital 34 GDPR, was included within the special categories of data by the GDPR. Directive 95/46 did not include it as a special category of personal data; however, the local legislation of some Member States, as well as that of other countries worldwide, had recognized the exceptionality of genetic data well before 2016, when the GDPR came into force.
But why do we consider genetic data exceptional?
Genetic data has certain characteristics which differentiate it from health data and which grant it an exceptional nature. Such characteristics are:
- Genetic data is unique and specific to each individual, thus being capable of unequivocally identifying the data subject;
- Because genetic data provides information regarding the genetic configuration of the individual, which is transmitted through inheritance, such information concerns not only the data subject but also her biological group, that is, to a different extent depending on the degree of kinship, all the members of her biological family, including deceased and unborn relatives. Genetic data can therefore provide information about family links. Furthermore, beyond the biological group of the individual, genetic data also concerns ethnic communities who share certain genetic traits.
- Genetic data is structural, immutable and indestructible: it constitutes a part of the organic being of the data subject that remains stable from the embryonic stage until after the data subject’s death and is contained in each and every cell of her body. The data subject is usually unaware of her genetic data and such data does not depend on her will, as it is non-modifiable.
- Genetic data is predictive, insofar as it provides information regarding a large number of diseases, conditions, syndromes and traits that currently affect the data subject, that could probably affect her in the future depending on her degree of predisposition towards them, or that could affect her offspring.
- Even if the predictive power of genetic data is – in most cases – limited to the expression of probabilities, the processing of genetic data generates a specific problem due to its being socially perceived as unquestionable.
Adding another layer of complexity to this already evidently complex and exceptional data category, we must consider that under certain circumstances the data subject may not only have a right to access her genetic data – a right to know – but also a right not to access or not to know her genetic data, in circumstances where being aware of such data could psychologically or otherwise harm her or her family. Another interesting question that follows from the foregoing concerns the right to know and the right not to know the genetic data when they are exercised by the family group: how can the family members, who are also data subjects with regard to the genetic data of the proband – the first data subject from whom the genetic data was obtained – access or, conversely, decide not to know the data in question?
These are interesting considerations that we must keep in mind when discussing the secondary use of genetic data for research purposes. Genetic data is the basis for personalized predictive medicine tailored to the individual patient, which can significantly advance biomedical progress, in particular in the field of cancer and rare diseases, where processing genetic data could lead to promising treatment options and even cures. Therefore, a restrictive data protection approach would be unacceptable, considering the great benefits that the processing of this special category of personal data could bring. The position paper of the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) advocates for a legal framework that would harmonize the consideration of the rights, interests and inherent risks for the data subject and her family with the need to process genetic data for the advancement of biomedicine.
The Position Paper
Considering the huge impact that the processing of genetic data could have on people’s health and wellbeing, the DSK, in its position paper adopted on 15th May 2024, advocates for a legal framework aimed at data protection-compliant scientific biomedical research with genetic data for the benefit of patients, which shall have the following features:
- Provide for high protection and trust requirements,
- Be backed up by sanctions,
- Provide effective participation and control options for the persons concerned, and
- Prohibit research using bodily substances such as blood, hair or saliva obtained without the knowledge of the person concerned.
In its position paper, the DSK discusses some of the characteristics of genetic data described above, such as its predictive potential and the extension of the consequences of its processing to biological family members, as well as the risk of discrimination and stigmatization that the processing of this category of data could entail, for example in the hands of employers and insurance companies, especially considering that genetic data is immutable. The position paper also discusses the effective anonymization of genetic data, which usually fails because identification is possible, for instance, by comparing results with other genetic data from the person concerned.
Considering the fact that the secondary use of genetic data for research purposes affects the absolutely protected core area of personality, as it allows conclusions about personality-relevant characteristics such as genetic make-up and potential diseases to be drawn, the DSK advances the following special rules for the secondary use of genetic data for research purposes:
- Explicit consent shall be obtained. However, the DSK recognizes that the specific consent of the data subject may not be enough to protect her from the consequences that the processing of her personal data for secondary purposes could entail; hence, the express consent of the data subject shall be complemented by necessary, appropriate and specific safeguards and technical and organizational measures.
- The requirements and limits of broad consent shall be regulated by law. While the DSK recognizes that the specific purposes of secondary use of genetic data may be difficult to articulate for the future, it lays down that limits to such form of consent shall be defined by law in order to minimize the risks involved.
- Additional security measures shall be implemented in order to ensure transparency, confidence-building, participation and data security. The DSK asserts in this paper that there’s actually a need for legally defined requirements to protect this data, especially considering that biological relatives are also affected.
In view of the above, the DSK advocates for a differentiated and legally clear regulation for the secondary use of genetic data for research purposes that would harmonize the interests in scientific advancement and the right to personal data protection in this field.
Data protection by design and by default shall be at the heart of any secondary use of genetic data. In particular, according to the DSK, it shall be ensured that data subjects can exercise their rights effectively, especially if and when they decide to withdraw their consent.
A specific problem addressed by the proposed new regulation should be, according to the DSK, the differentiation between various processing purposes of secondary use. The paper discusses, for example, quality assurance, which is and shall be considered a separate purpose vis-à-vis scientific research.
Among the protective measures that according to the DSK the future legal regulation shall guarantee are:
- A minimum reflection period between the time when the information is provided and the submission of consent shall be observed. Assistance to affected data subjects and their families shall be provided in this context.
- Information and counselling shall be provided regarding the handling of individually relevant research results and incidental findings, and the right of the data subject not to know, after informing her about the risks and effects of such knowledge not only for the person but also for her biological relatives, as well as information about the possibility of changing her decision to know or not to know about the findings.
- Transparency of processing shall be established by providing information and clarification regarding purposes, scope and risks of processing for the rights and freedoms of natural persons.
- Extended control and participation of data subjects shall be ensured through active and timely provision of up-to-date information, barrier-free exercise of cancellation rights and data subjects’ rights via digital management systems.
- Regarding consent for future use of genetic data, the DSK advocates for a time limit on the validity of such consent.
- Encrypted processing of genetic data and timely pseudonymization of the same with the involvement of trusted third parties in conjunction with appropriate and sufficient technical and organizational measures as established above.
- Storage limitation, retention periods and destruction obligations for genetic data and biological samples shall be legally defined.
- Definition of specific disclosure and transmission prohibitions subject to sanctions, in particular to employers or insurance companies, and criminalization of the misuse, improper and unlawful use of genetic data.
- Effective protection against the procurement and use of genetic samples without the knowledge of the persons concerned should be regulated by criminal law.
- A secure processing environment shall be created for the transmission of data to authorized third parties in accordance with a defined use and access procedure that entails the principles of data protection law.
- Special protection shall be granted to unborn, minors and persons incapable of giving consent.
- Guidelines for preserving the anonymity of data subjects when publishing research results shall be legally defined.
- The measures laid down in the resolution “Strengthening data protection in research through uniform standards” of November 23rd 2023 shall also be observed.
Conclusion
Our point of departure when discussing the processing of genetic data for secondary research purposes shall always be the fact that genetic data is essential to advance biomedical research and, consequently, that a legal framework shall be established that allows the future use of this data for such purposes and aims at facilitating such processing rather than being an obstacle to it.
In line with the DSK considerations, I believe that such a legal framework shall depart from the obtention of a (really informed) express consent from the data subject which not only deals with the current but also with the future (expected) use of the genetic data. I agree that broad consent forms shall be worded in a way that allows sufficient and appropriate information for the decision process of the data subject, but I also think that defining future uses in detail is in most cases impossible. Hence, in my opinion, the express consent of the data subject shall be obtained in the framework of secure processing environments and complemented with legally defined minimum technical and organizational measures, retention periods and destruction/erasure methods for both information and samples, the approval of future research by ethics committees and the definition of clear criminal consequences for the misuse of genetic data. These measures, defined by law and reinforced by the application of clear sanctions, shall be enough to guarantee a balance between the rights, freedoms and interests of the data subject and her family and the interests of the scientific community, which shall be understood from my perspective as the interests of humankind. The position paper does not discuss the establishment of time limits to broad consent in detail, but it seems to advocate for such limits. I wonder, first, how those limits shall be established, and secondly, if setting a time limit to the secondary use of genetic data would potentially have a negative impact on the processing for future research purposes and, in some cases, effectively hinder scientific progress.
The position paper discusses the importance and implications of genetic data for family members and the rights to know and not to know about it and its consequences; however, a way of addressing the exercise of the rights of family members with regard to genetic data, which, according to the definition of personal data in the GDPR, concerns them too, is left undiscussed. I do realize that this question entails a host of legal and practical issues, but I also understand that they need to be addressed, perhaps by finding a creative way to inform family members, keep them up to date and allow them to exercise their rights with the use of digital management systems.
Key Takeaways for You
Biomedical research organizations shall be prepared to face new and reinforced legal requirements for the secondary processing of genetic data for the purpose of research. The position paper provides an excellent opportunity to understand how the future requirements will be framed and allows timely preparation for what is to come.
If your organization processes health and genetic data for research purposes or to provide health care and needs advice on how to handle it adequately and in compliance with data protection laws, contact FIRST PRIVACY Health and Medical. Our team of data protection experts, specialized in the health and medical field, will be happy to support you!