In vitro diagnostics offerings necessarily involve the collection of vast amounts of sensitive health data. This information is an invaluable resource for better understanding the genomic basis of disease, and making improvements to diagnostic offerings. It is imperative that stakeholders get it right when it comes to processing individuals’ data and maintaining public trust, so that they can continue to exploit these rich datasets.
As shown in the diagram above, in addition to being used to report back to patients, data from diagnostic testing can be stored and used for important research and product development. Recipients of diagnostic tests are often advised that their data is anonymised or de-identified before further processing – anonymised data falls outside the scope of the GDPR, because it does not relate to an identifiable person. However, is genetic data so inherently personal that it is incapable of being anonymised? In particular, how feasible is it to anonymise genetic data when it is combined with other personal data that are necessary to make the dataset useful? What other options do diagnostics companies have to process this data legitimately?
As highlighted by the European Commission’s request for clarification regarding the application of GDPR to scientific health research, the answers to these questions are not always straightforward. The European Data Protection Board’s guidelines published earlier this year sought to address some of the misunderstandings in this area, to be supplemented by further guidelines due to be released in the coming months, specifically addressing the issue of processing for the purposes of scientific research.