The collection and sharing of genomic data is integral to the continual development of genomic science and healthcare, but presents a particular challenge for data protection. Reconciling the two is vital if policymakers and regulators are to ensure that genomic science for healthcare continues to progress, whilst also safeguarding individuals’ privacy and rights.
The General Data Protection Regulation (GDPR), a comprehensive new data protection regime, governs all processing of personal data within the whole of the EU and EEA, as well as some forms of processing anywhere in the world. Since its early stages, the genomics community has highlighted the impacts the GDPR could have on medical research and practice.
Data protection of genomic data is complex: some genomic data confer sensitive information and may be used to identify individuals, but the vast majority of the genome is common to everyone. This is a dynamic situation, because genomic data can become more useful and reveal more as scientific understanding increases over time.
Generating and analysing genomic data through cutting-edge technology is no simple matter, but data protection raises a series of further challenges:
The answer to these questions always depends on the precise circumstances, but at present there is also a lack of consensus on what the GDPR actually requires.
The central challenge for genomic healthcare and research is uncertainty and ambiguity about how this general Regulation, which is still in its infancy, applies to the specific context of genomic data. For some pressing questions there are already possible answers:
Despite the ambiguity there is an opportunity for the genomics community, regulators and policymakers to work together and establish appropriate standards for genomic medicine and research.
In particular, sector-specific codes of conduct or certification mechanisms could be formally approved and relied on to demonstrate compliance with aspects of the GDPR including:
Developing codes or certifications will be challenging because they require broad agreement and in many cases approval at a European level. To try and reach consensus more quickly and to establish some level of certainty for genomic data processing under the GDPR, the genomics community should begin to consider:
The Information Commissioner’s Office awarded the PHG Foundation a research grant to investigate how the GDPR impacts upon the field of genomics. The GDPR and genomic data report provides a detailed legal analysis of the many ways in which the GDPR impacts genomic healthcare and research, highlights areas for urgent attention, and makes recommendations for the genomics community, regulators and policy makers to maintain the flow of genomic data for healthcare and scientific research.