In a previous post we discussed the status, in general, of ‘disease risk’ genetic data, and we saw that it is generally going to be health data. Now, suppose we do not know the identity of the data subject: we only have DNA sequencing data; is that personal data? It seems that under GDPR the answer is in the affirmative (and in future we’ll discuss other laws, which answer in the negative). Moreover, WP29 Opinion 216 states (section 2.2.2) that “removing directly identifying elements in itself is not enough to ensure that identification of the data subject is no longer possible… Genetic data profiles are an example of personal data that can be at risk of identification if the sole technique used is the removal of the identity of the donor due to the unique nature of certain profiles. It has already been shown in the literature that the combination of publically (sic) available genetic resources (e.g. genealogy registers, obituary, results of search engine queries) and the metadata about DNA donors (time of donation, age, place of residence) can reveal the identity of certain individuals even if that DNA was donated “anonymously”.” In other words, for EDPB it is a given that genetic sequencing data must be treated as identifiable. One of the notable researchers writing on genetic data and data protection is Kart Pormeister. She writes of “DNA sequencing data that …such data can never be fully anonymized and as it has essentially boundless informational potential that sets this particular type of sensitive data apart from other types of personal data.” The reason that genetic data in its various forms is considered by almost all authorities to be personal data under GDPR is that “data used in genomic research are by necessity personal and sensitive, as samples can unambiguously be traced back to an individual with the help of only around 10 single nucleotide polymorphisms (SNPs)” (Molnár-Gábo and Korbel). In other words, even if no one has the key to re-identification, genetic data, held in isolation, can be linked back to an individual and as such is personal data. The important takeaway from the above is: genetic data even with no further identifiers is generally considered personal data under GDPR, meaning that the parties processing that data will be governed by GDPR. As we'll see in future posts, other jurisdictions do not necessarily concur, and we'll discuss additional exceptions.
* * * * * Reminder: this isn't legal advice. To subscribe, click here. #GDPR, #DPO, # DataProtectionOfficer Photo credit: Brain Cancer Chromosomes. Chromosomes prepared from a malignant glioblastoma visualized by spectral karyotyping (SKY) reveal an enormous degree of chromosomal instability -- a hallmark of cancer. Created by Thomas Ried, for the National Cancer Institute. 2014 Sources: Kärt Pormeister ‘Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research’, Journal of Law and the Biosciences (2018)706:723 Molnár-Gábor F, Korbel JO, ‘Genomic data sharing in Europe is stumbling-Could a code of conduct prevent its fall?’ EMBO Mol Med. 2020;12(3)