How does the GDPR apply to genomic data?

By Colin Mitchell

28 April 2019


The UK is a recognised powerhouse for genomic science and medicine. Genomics England’s 100,000 Genomes Project is the largest sequencing project of its kind in the world and, building on these achievements and on the pre-existing expertise of countless clinical and scientific professionals, the NHS launched the world’s first comprehensive Genomic Medicine Service in October 2018. This NHS provision is a key element of the government’s ambition for the UK to lead the world in genomic medicine, to sequence five million whole genomes in five years and, under the NHS Long Term Plan, to pioneer the application of technology and data in personalised prediction, prevention and treatment of disease.  

The potential of technologies such as these, together with other digital technologies to fall outside existing regulatory frameworks has prompted radical reform of data protection law across Europe. Thus, in May 2018 the EU General Data Protection Regulation (GDPR) came into force across the continent and in the UK, further national legislation has been implemented through the UK’s Data Protection Act 2018. This legal framework governs of the use of personal data in healthcare and research, and it explicitly recognises the category of genetic data for the first time (it will continue to apply in the UK regardless of Brexit).

However many, including Secretary of State for Health and Social Care, Matt Hancock, are concerned that the rules governing the use of genetic data could hinder the legitimate use of data for healthcare and research.

As the Secretary of State highlighted, there are significant—even lifesaving—benefits to sharing genomic data for healthcare and medical research. In the healthcare context, because so many genetic results are currently uncertain, the implications often only become clear when a patient’s data can be compared with a database  of pooled data (e.g. the DECIPHER database)and a connection made with similar cases from other parts of the country or even around the world. Increasing the quality, size and diversity of that pool allows for more accurate diagnosis, enhanced disease management, targeted therapies and better advice for family members.

Making genetic data available to researchers will also help to improve our overall understanding of diseases and to inform prevention and the development of treatments. Some of the costs of not sharing data- delayed or missed diagnoses, inappropriate care and slowed progress for public health - provide equally compelling arguments for overcoming the barriers to improving the quality of and access to, genetic data.

Legal uncertainty

There are risks to data sharing, including genomic data sharing, if not carried out responsibly, legally and securely, including the potential for breaches of privacy or discrimination. The particular sensitivity of genetic information and uncertainty about the law governing genetic data has led some genetics laboratories to be very cautious about sharing data but there has also been variation across the NHS and medical research. Now that genome sequencing is becoming a mainstream part of healthcare - given the establishment of the Genomic Medicine Service - there is a pressing need for a more consistent and robust approach.

There are several areas of law that govern using and sharing genomic data in healthcare and for research and they generally demand that a balance is struck between respect for the rights of patients/individuals and the importance of using that data for healthcare or research. The problem at the moment for genetics laboratories and other professionals is knowing quite where that balance should be struck and what the rules actually require. Adding to this uncertainty is a lack of clarity about how the GDPR will be interpreted, since this sets out rules for the appropriate use of ‘personal data’ and introduces new definitions such as ‘genetic data’ and ‘pseudonymisation’, all of which require interpretation to ensure compliance.  

Clarifying the impact of the GDPR

To address some of these issues, with funding from the Information Commissioner’s Office, PHG Foundation are investigating how the latest data protection laws apply to the use of genetic/genomic data. Over the next year we will be using our multidisciplinary expertise to investigate and evaluate the relevant law, policy, science and health technology in order answer three questions:

  • To what extent do genetic/genomic data used for healthcare and medical research in England and Wales count as ‘personal data’ under the GDPR?
  • To the extent they are ‘personal data’, what is the impact likely to be on the delivery of health and social care in the short-to-medium term (up to five years)?
  • What can be done to mitigate or reduce any negative impacts?

We will also bring a range of external health, science and policy experts together with patient representatives and lawyers to discuss the issues, consider potential impacts on healthcare and medical research and identify ways forward. We aim for our results to feed in to the work of the regulators, like ICO, and leaders in the field, such as the newly statutory National Data Guardian for Health and Social Care, to assist the development of consistent and robust approaches for the use of genomic data across health and social care.

Keep up to date with our work on data protection and genomic data here. 

Genomics and policy news

Sign up