The benefits of using genetic information for research purposes are clear, especially as the technology underpinning medical research continues to advance at such a rapid pace. Outside of research and clinical development, the number of organisations which use blood and saliva samples and other genetic information for diagnostic and treatment purposes, as well as ancestry research, has exponentially increased.
When an individual provides a genetic sample, whether as part of a medical treatment, a clinical trial or in connection with ancestry research, what regimes are in place to protect his or her privacy?
In this article we examine, by way of example, the differing regimes in place in Australia and the UK.
When does the privacy regime apply in Australia?
Australia’s Privacy Act 1988 (Cth) expressly includes health information and genetic information in the definition of “Sensitive Information”. Genetic information is not further defined, however more clarity is provided in respect of “health information”. This includes:
genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual (with the genetic relative of an individual (the first individual) being another individual who is related to the first individual by blood, including but not limited to a sibling, a parent or a descendant of the first individual).
There is no requirement for information falling within the definition above to also be “personal information” – namely information about an identified individual or an individual who is reasonably identifiable. The key requirement is that the genetic information must be about an individual. However, when can it be said that genetic information is not “about” an individual?
The answer appears to be that genetic information is per se about an individual (and therefore within the scope of the Privacy Act) if it is associated with information that otherwise identifies an individual i.e. some form of record/label containing identifiers of an individual (and this does not necessarily need to include a name).
Looked at another way, for privacy purposes, unless and until a genetic sample is dis-associated with information which could be used to identify a specific individual, it is within the scope of the Privacy Act.
If genetic samples are processed in isolation, without any identifying information, the Privacy Act is unlikely to apply. At the other end of the scale, the Privacy Act will apply to a genetic sample with the name of the individual affixed. The grey area is where genetic samples are associated with some information about the individuals who provided those samples, whether or not that information is linked to a specific sample. Here, it will depend upon the facts and the extent to which it is possible to ascertain the identify of an individual based on all of the information available (including any pre-existing records of the processor).
Who does it apply to?
Any organisation which collects, holds (i.e. has within its possession and control), uses or discloses a record of genetic information falls within the scope of the Privacy Act (although the extent of the compliance requirement varies).
A “record” is defined broadly and includes records captured in documents, electronically or via other devices. No settled position applies as to whether a genetic sample constitutes a “record” for this purpose, but certainly any data or other information accompanying the sample (and, possibly, generated as a result of that sample such as test results) will qualify.
In the complex ecosystem of medical research this may result in multiple parties being subject to privacy obligations in respect of the same record. For example, a patient suffering from a rare disease is involved in a clinical trial for a new treatment run by a local clinical trial company on behalf of an Australian research institution. The patient provides written consent to the research institution and amongst other things, provides blood samples at various stages of the trial. These blood samples are sent to the UK for testing by an expert facility. The clinical trial agreement with the patient permits the overseas entity to retain leftover blood samples for research purposes. Following the conclusion of the trial, the UK facility uses the leftover blood samples for its own and third party studies. In this case, there are multiples entities which are collecting, holding and otherwise controlling the use of the genetic information provided by the patient, however Australian privacy laws do not automatically apply to each entity which processes the personal information of Australians.
Organisations wishing to use health information for research purposes in Australia may wish to have reference to the so-called “section 95A guidelines” on the collection, use or disclosure of health information published by the National Health and Medical Research Council.
Generally, these guidelines are not binding. Organisations wishing to avail themselves of the exceptions related to “permitted health situations” in the Privacy Act are required to comply other than where consent is used as the basis for processing. The Office of the Australian Information Commissioner recommends that consent should be informed, specific and voluntarily provided by an individual with the requisite capacity.
In addition to Privacy Act, organisations must also be aware of the health records laws which operate in several jurisdictions in Australia (namely New South Wales, Victoria and the Australian Capital Territory).
The UK GDPR identifies both ‘genetic data’ and ‘health data’ as ‘special category data’ that merit additional protection in comparison with normal personal data.
This is because the risk-based approach of the UK GDPR provides that the processing of genetic and health data presents a heightened inherent risk to an individual’s fundamental rights and freedoms, including:
- the freedom of thought, conscience and religion;
- the right to bodily integrity;
- the right to respect for private and family life; and
- freedom from discrimination.
‘Genetic data’ is defined under Art 4(13) UK GDPR as:
personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Recital 34 further elaborates to state that this definition includes chromosomal, DNA or RNA analysis or any other analysis that would result in equivalent information. As with the position in Australia above, genetic information only constitutes genetic data if can be linked back to an identifiable individual. However, it is increasingly challenging to determine when genetic information is anonymised – i.e., no longer constitutes personal data – due to technological advances. In this context, the grouping of EU data protection authorities (the EDPB) has ‘strongly advised’ data controllers to treat genetic data as personal data by default. Whilst the UK has now left the EU, its laws are inherited from its EU membership and EDPB guidance remains persuasive.
However, at the same time it is important to remember that the unique nature of a person’s genomic data does not inherently make it identifying (and therefore personal data). A number of factors need to be considered, including the other information and technical means available to the persons processing the data, as well as the context and purposes for which the data is being processed (e.g., is it being processed to create a profile concerning, or take measures or decisions relating to, a specific individual or, on the other hand, is it being processed as part of a much larger dataset to lead to the publication of anonymised research findings?). ‘Individuation’ (or the ability to single out one person’s data from the data of other persons) can be a factor contributing to the existence of personal data, but is not by itself determinative.
‘Health data’ is defined under Art 4(15) UK GDPR as:
personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
The ICO clarifies that health data as a concept is broader than information about specific medical conditions, tests or treatment. It can also include any related data that reveals any information regarding the state of an individual’s health such as medical examination data or information on disease risk.
The privacy regime for genetic data in the United Kingdom
The UK GDPR requires a lawful basis to process personal data. It further prohibits processing special category data unless one of the 10 exceptions, referred to as ‘conditions’, apply (see table below).
In addition to the UK GDPR conditions the Data Protection Act 2018 states that, when using a UK GDPR condition, you must also meet one of the additional conditions in Schedule 1 as follows:
In any case, Art 22(4) UK GDPR prohibits the use of special category data solely for automated decision-making purposes unless you have either explicit consent or meet the substantial public interest condition.
What else must be done?
You must carry out a data protection impact assessment (DPIA) for any type of high risk data processing. You are therefore likely required to carry out a DPIA if you plan on processing special category data:
- on a large scale;
- to determine access to a product, service, opportunity or benefit; or
- which includes genetic data.
Other considerations recommended by the ICO include:
- data minimisation – ensuring the data collected and retained is kept to the minimum required amount;
- security measures – ensuring the appropriate level security is in place for the sensitive data;
- transparency – ensuring the special categories of data are included in a privacy notice;
- rights related to automated decision-making – considering whether automated decision-making might have a ‘legal or similarly significant effect’ on the individual and taking the appropriate steps;
- documentation – ensuring accurate records documenting the categories of data are provided and considering whether an ‘appropriate policy document’ is required under DPA 2018;
- data protection officer – considering whether a data protection office must be appointed; and
- EU representatives – considering whether an EU representative must be designated.