Reconciling the need to share genomic data to improve public health with General Data Protection Regulation (GDPR) legislation is complex, claimed a presentation at the European Human Genetics Conference (see BioNews 1110).
There were a number of areas of conflict and confusion over how genomic data should be handled under GDPR legislation, despite this being a particularly sensitive area of data protection, researchers told the conference. The research was carried out by Dr Colin Mitchell and colleagues from the PHG Foundation, University of Cambridge and funded by the Information Commissioner's Office.
Speaking at the online conference, Dr Mitchell said: 'This topic is of great concern to scientists and people working in genetic medicine because of the way that the GDPR made significant changes to the way that personal data from patients or research participants may be used. These changes are not specific to genetic data, but because such data are highly sensitive, their impact on the genetics field is considerable.'
Researchers carried out an analysis of current data legislation alongside interviews with people who worked in the sector and also held workshops with clinical and scientific professionals, policymakers, regulators and academic experts to reach these findings.
Current GDPR legislation that gives individuals a right to access their own data was ambiguous when considering genomic data, the researchers found. This was because families, or a group of people, may be able to claim they have a right to access genomic data. There were further complications caused by the growth of ancestry websites.
It was also unclear whether or not genomic data counted as 'personal data' under GDPR, with different groups coming to different conclusions, the researchers found.
The added complexity of Brexit was discussed, with the need to consider legal mechanisms for the transfer of data between the EU/EEA and the UK. Dr Mitchell explained: 'The UK is now a "third country" and therefore subject to strict rules about receiving data from the EU. Now, the UK's rules are almost identical to the GDPR. But should they diverge in the future due to changes on either side, this will pose a major problem'.
Professor Alexandre Reymond, chair of the conference said: 'Choosing between an individual's privacy and the responsibility of a nation regarding the health of its citizens that can only progress with the exchange of increasing amounts of data has become more and more difficult. Legal standards are not adapted to the fast pace of technological change in genetics. Society as a whole will need to decide where the balance should be.'