Legal dilemmas of genetic data

Answer

Scientists' ability to sequence the human genome with increasing ease and speed has improved our overall understanding of how specific sections of our DNA, our genes, relate to certain characteristics or personality traits. While these advances present opportunities in many aspects of society, not only limited to the healthcare sector, there are ethical, data and security risks that must be considered to ensure the use of genomics is properly governed.

Genomics in healthcare

The UK boasts global status as a leader in the field of genetics, as evidenced during the covid pandemic where the UK led efforts to sequence the genome of the SARS-CoV-2 virus. Initiatives such as the 100,000 Genomes Project and the UK Biobank, which is the world's most advanced genetic database, have allowed for huge advances in the early detection and diagnosis of rare diseases, enabling patients to have a much more proactive approach to their healthcare.

The use of genetic testing in this sector is by necessity heavily regulated and the genomic data collected is protected under the GDPR. Genetic data is listed in the "special categories of personal data" making its processing subject to both consent and sufficient organisational and technical safeguards. However, the GDPR doesn’t provide protection for anonymised data, such as that passed between hospital services and research groups for the purposes of disease advancement.

But can we confidently consider that genetic data has been irreversibly de-identified and therefore consider it as non-personal data for GDPR purposes? English GPs are the legal data controllers for their registered patients, and many are concerned about the privacy of sensitive personal and genetic data, for which they’re liable, and they’re driving demand for new systems that hold patient data securely and use it ethically, while still working in the wider public interest.

Opportunities outside of healthcare

Recognising the role genetic testing and genomics is expected to play as a central pillar in the NHS in the near future, the government issued a report last year looking at where we are now, but also forward to some of the other sectors outside of healthcare, where genomics could play an increasingly significant role.

Direct-to-consumer genetic and genomic testing

Millions of people globally have undergone some form of direct-to-consumer genetic or genomic testing, with companies providing information about ancestry, family relationships (eg, paternity tests) and health and wellness.

Where these services produce health-related results, the House of Commons Science and Technology Committee in 2020 called for the government to consider amending regulation around the support companies provide to consumers when interpreting their results. As a standard in healthcare, professional counselling is offered to patients, should genomic or genetic analyses reveal potentially upsetting results, but there’s not the same obligation on direct-to-consumer companies. It’s suggested that regulation should include a requirement for companies to inform consumers of the potential consequences of genomic test results and undergo independent assessment on the evidence supporting their test offerings.

Perhaps one of the bigger concerns in this industry, however, is the impact these services may have on individuals' right to privacy. Some companies offer consumers the opportunity to be connected to relatives who’ve also opted-in to the service, or consumers may take their results from these tests and post them on third-party databases for the purpose of finding relatives. Quite often this data is stored outside of the UK, and in the US at least, these sites are rarely subject to any kind of regulation beyond what they specify in their terms of service. However, the GDPR means that data protection requirements apply to all companies that process data relating to UK residents even if it’s outside of the UK/EU.

But there are significant challenges where increasing amounts of data are shared internationally and where data from different sources are combined, which may make identification of individuals easier, through triangulation of information. But where breaches in anonymity take place from combining data from different sources, it may be difficult to determine which data led to the breach.

To ensure maximum data protection, best practice regarding privacy and security measures should be regularly reviewed and understood by policy makers. A purpose-built legal framework for these genomic databases could be the best way to provide a clear and consistent approach to both commercial businesses and research institutions, as well as those providing their genomic information.

Insurance

Another field where genetic testing could play an increasingly relevant role is insurance. Currently, the information that you need to share with insurance companies in relation to genetic testing is regulated by a voluntary code – the Code on Genetic Testing and Insurance (the code). The code's current stance is that you will not usually have to disclose the results of predictive genetic testing – for example, tests that may show that you're more likely to suffer from a certain health condition in the future, with the only current exception being for Huntington's diagnoses for life-insurance policies valued over £500,000.

However, as genetic testing becomes more commonplace and more accurate could we see an increasing number of tests required to be disclosed? If such disclosure of genetic tests to insurers were mandatory could this deter people from taking these sometimes life-saving tests?

Outside of general health and genetic diseases, another potentially heritable characteristic is risk-taking behaviour. Risk proxies are already used by insurers when calculating premiums and can result in certain groups facing higher costs, for example young male drivers typically facing higher car insurance costs. But using genetic tests to assess eligibility or set pricing for insurance policies has ethical implications, especially where there are biases in the genetic data used to identify these trends and inequal access to genetic testing. The perceived risk of insurers accessing genomic data may affect public willingness to participate in research or screening, or even take out insurance policies in the first place.

At present, the UK industry through the code, sets fairly strict limitations. However the code is only voluntary, and while enrolment is compulsory for all members of the Association of British Insurers, which includes more than 200 companies and many household names, there’s no legislative requirement for insurance companies to sign up to the code.

Forensics and criminal justice

Over recent years there’s been public media interest in the ability of forensic scientists to solve or progress cold cases using genetic data uploaded to such genealogical databases as mentioned above, perhaps most notably the capture of the 'Golden Gate Killer' in 2018 who was identified through several third cousins. While these databases don't disclose genomic data to other parties, they still facilitate genomic matching, raising privacy and consent issues for these commercial sites.

Anyone uploading their DNA profile tor these sites is making a choice that impacts their wider relatives, who may not have consented. Moreover, what happens when law enforcement seeks to compel healthcare companies or direct-to-consumer services to share genetic information? Is it sufficient for these services and databases to have an opt-out policy for sharing data with law enforcement or should they require people to actively opt-in and how might that hinder progress in convictions relying on DNA evidence?

Conclusion

Giving individuals control over their genomic and genetic data, through consents or opt-in/outs, seems like an obvious solution, but could hamper progress that’s in the public interest due to fears over the potential abuse of genomic data. More specific legislation relating to these growing genomic databases is clearly needed, but whatever the precise solution may be, a coordinated effort across government and industry will be required, not just in the UK but globally.

And while some of these uses may still, from a scientific perspective, be a fair way from reality, given the advances in technology and scientific understanding seen in recent years, and the increasing digitisation of our everyday lives, including our genetic data, answers to the questions raised will likely be provided by future generations of lawyers.

Natalie Smith is a trainee solicitor at Taylor Wessing.