EU law defines genetic data as personal data. Under the present Data Protection Directive personal data is defined as “information relating to an identified or identifiable natural person”, including “physical or physiological” traits.
Lest there be any doubt that genetic data is personal, the new General Data Protection Regulation (GDPR), which will replace the directive from 2018, makes it explicit.
What is new is this official recognition: the GDPR lists as personal data any “factors specific to the physical, physiological, genetic […] identity of that person”. It also defines genetic data as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person”.
Not only is genetic data qualified as personal, it is also listed among the “special categories of personal data” that warrant additional protection under the GDPR. Because genetic information – just like data about political opinions or religious beliefs – is sensitive, its processing is outlawed, with few exceptions.
The attention paid to genetic data in the GDPR reflects the high stakes involved in ensuring its privacy. Until recently scientists believed DNA could be ‘de-identified’, but computing advances have made it possible to ‘re-identify’ people. Researchers also point out that people who disclose their genetic data risk not only their priv-acy but also that of their descendants.
But genetic data is more than just a privacy risk, it also carries the promise of important medical advances. For the private sector it also holds enormous potential: it could make possible personalised risk assessments, targeted development and marketing of medical products and tailored health insurance.
The GDPR takes this into account, allowing the processing of sensitive data under certain exceptions, such as for reasons of substantial public interest or for medical, public health or research purposes. And when certain data rights can “seriously impair” research, member states may grant derogations from these rights.
The charity, academic, and pharmaceutical communities have welcomed these exceptions but the question remains – what will qualify as scientific research? It is unclear whether work carried out purely for commercial gain, rather than in the public interest, will benefit from these provisions.
The health sector must keep a close watch on how data protection authorities interpret the notion of scientific research as the GDPR is rolled out.