Genetic data privacy, the GDPR, and research needs: A delicate balance
The EU's General Data Protection Regulation (GDPR) has created a great deal of uncertainty about how key requirements should be interpreted. This means that collaborators in international genetic research projects do not always agree on fundamental issues such as whether they are processing personal data, what the consent requirements under the GDPR are, and on what basis genetic data can be transferred outside the EU/EEA, if at all. These results, from a study carried out by Colin Mitchell, Senior Policy Analyst in Law, Regulation and Digital Health, and colleagues from the PHG Foundation, University of Cambridge, UK, will be presented to the annual conference of the European Society of Human Genetics today.
The investigators carried out legal research and interviews, and held an expert meeting to investigate the subject. They were supported by the UK Information Commissioner's Office, responsible for national data protection. "This topic is of great concern to scientists and people working in genetic medicine because of the way that the GDPR made significant changes to the way that personal data from patients or research participants may be used," says Dr. Mitchell. "These changes are not specific to genetic data, but because such data are highly sensitive, their impact on the genetics field is considerable."
Their analysis demonstrates that a range of legal interpretations are possible, and that other parts of the regulation, like those setting out 'data subject rights', are also potentially ambiguous in the genetic context. For example, interpreting the 'right to access' data in the genomic context will be complicated because multiple individuals or family members might be able to claim the data as their own.
Another problem is how to characterise 'personal data' (those data that can be used to identify an individual), as opposed to data that cannot be used in this way. The GDPR requires that a risk assessment be undertaken to see what sources of information could lead to identification. In the genomic context, finding agreement on this can be particularly challenging. And now, recent developments such as the growth of ancestry websites can complicate things further.
In the UK, Brexit is another new difficulty. The UK is a leader in genomic healthcare and research, and it is vital that collaboration with individuals and institutions in the EU/EEA should continue, say the researchers. "The UK is now a 'third country' and therefore subject to strict rules about receiving data from the EU. Now, the UK's rules are almost identical to the GDPR. But should they diverge in the future due to changes on either side, this will pose a major problem," says Dr. Mitchell.
Having identified the challenges associated with the GDPR and its impacts, the researchers looked into measures that could reduce these. "We believe that it will be possible to pursue a more genetics-sensitive approach with the regulators," Dr. Mitchell says. "And the GDPR also contains some mechanisms that could allow the genomics community to develop best practice for compliance with the regulation and set this out in codes of conduct or certification schemes to demonstrate compliance with the law. Developing such a system will not be easy, but it is crucial if confusion about data protection law is not to act as an unwarranted barrier to data sharing and scientific progress in genetics."
Because of the high potential sensitivity and identifiability of genomic data, it is crucial that the correct balance between individual privacy and genomic science and medicine is struck. Getting this right is essential to avoid a breakdown in trust between the public and professionals that could lead to considerable, long-lasting harm to healthcare and scientific research.
The GDPR may have brought this issue into sharper focus, but it is not a new problem. "We were surprised to find that some of the major challenges and uncertainties related to legal standards that already existed in previous EU law. What has changed, though, is how these may need to be interpreted and how that interpretation now should be uniform across the whole EU/EEA. True coordination of the interpretation of the GDPR for genetic data across all the Member States will take time, and may be very difficult in practice", says Dr. Mitchell. "Though to some this may appear to be a somewhat technical and esoteric issue, it is absolutely essential to get it right if we are to continue to exploit the enormous potential of genetic medicine to the best of our ability."
Chair of the ESHG conference, Professor Alexandre Reymond, Director of the Center for Integrative Genomics, University of Lausanne, Lausanne, Switzerland, said: "Choosing between an individual's privacy and the responsibility of a nation regarding the health of its citizens that can only progress with the exchange of increasing amounts of data has become more and more difficult. Legal standards are not adapted to the fast pace of technological change in genetics. The society as a whole will need to decide where the balance should be."