Genomic technology is becoming increasingly entrenched in many of our health services. From population health screening and ancestry testing to nutritional testing, policing, and crime prevention, the technique has become commonplace.
This has also led to growth in the need for an exchange of data across international borders, bringing with it significant responsibility from a data protection perspective. The unique sensitivity of genetic information requires strong privacy and security measures to protect individuals from potential misuse or data breaches.
Scientists have long relied on shared genetic data to develop treatments for genetic diseases, discover new genetic markers, and create personalised medicine. Sharing is commonly facilitated through secure databases managed by government healthcare entities, which allow researchers to access and analyse genetic information from various sources.
More recently, we have seen a rise in Direct-to-Consumer (DTC) genetic testing which is carried out privately outside government healthcare systems. DTC tests typically involve collecting a DNA sample at home, often by swabbing the inside of the cheek or providing a sample of saliva and mailing the sample back to a private laboratory. Consumers are subsequently notified of their results by post, over the telephone or online.
Understanding the challenge and risks
Transferring genetic data across borders presents a unique challenge due to the varying regulatory requirements of each country. For example, a genetic research project involving institutions in both the EU and the US must comply with the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), among other national laws. This regulatory maze creates significant legal and administrative hurdles for life science companies that need to process genetic data across borders for various reasons, and particularly for their data protection officers.
Genetic data represents one of the most sensitive types of personal data due to its inherently immutable nature. Unlike passwords or financial information, genetic data cannot be changed if compromised, and it reveals intrinsic personal information about an individual’s health, ancestry, and even potential future medical conditions. Therefore, the consequences of data breaches involving genetic data can be far-reaching.
Further, individuals may face unfair treatment in employment or insurance contexts based on their genetic predispositions to certain health conditions. Unauthorised access to genetic information can also lead to familial privacy intrusions, as genetic data often implicates relatives who share similar genetic markers. Breaches undermine public trust in genetic research and data-sharing initiatives. All of these challenges make it increasingly important for privacy and compliance teams to have appropriate training and processes in place to minimise risk.
Security measures and best practice for protecting genetic data
Protecting genetic data during cross-border transfer involves implementing technical and organisational measures to safeguard such data from unauthorised access and breaches. The following are key practices that organisations should adopt:
- Develop comprehensive data governance policies which outline procedures for data handling, storage, and transfer, and protocols for responding to security incidents. Clear governance frameworks help ensure that all stakeholders understand their roles and responsibilities in protecting genetic data.
- De-identify data records by removing explicit identifiers such as names and addresses. Many organisations rely on the Safe Harbor Standard of the HIPAA Privacy Rule, which enumerates 18 identifiers that must be suppressed.
- Implement end-to-end encryption protocols to maintain the confidentiality of genetic data throughout the transfer process. This ensures that even if data is intercepted or accessed without authorisation, it remains unreadable and secure.
- Implement role-based access control (RBAC) to ensure that only authorised personnel with a legitimate need can access sensitive information. Additionally, you can use multi-factor authentication (MFA) to add an extra layer of security by requiring users to verify their identity through multiple means, such as a password and a biometric factor.
- Conduct regular security audits and vulnerability assessments to progressively identify and address potential weaknesses in data protection measures. Audits should include reviewing access logs, testing for vulnerabilities, and evaluating the effectiveness of encryption and other security controls.
- Establish an incident response plan for addressing any security breaches or incidents involving genetic data. This plan should outline the steps to be taken in the event of a breach, including containment, investigation, notification, and remediation.
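An added example, not from the original article: one way to apply the Safe Harbor de-identification step from the list above to the metadata that travels with a genetic sample before export. The field names, the ZIP-prefix set and the sample record are constructed for illustration, and the code covers the accompanying metadata only, not the sequence data itself.

```python
import secrets

# Fields safe to copy unchanged (hypothetical schema). Anything not listed
# here or handled below is dropped, so new or free-text fields fail closed.
PASS_THROUGH = {"sex", "consent_scope", "variant_file"}

# 3-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Constructed sample values; load the current list from census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def deidentify(record, linkage):
    """Return a Safe Harbor-style copy of one sample-metadata record.

    Dates are assumed to be ISO strings (YYYY-MM-DD). `linkage` maps each
    random study code to the original sample ID and stays with the
    exporting site; it is never transferred.
    """
    out = {}
    for key, value in record.items():
        if key in PASS_THROUGH:
            out[key] = value
        elif key == "sample_id":
            # Random code, not a hash: it must not be derivable from the ID.
            code = secrets.token_hex(8)
            linkage[code] = value
            out["study_code"] = code
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        elif key in ("birth_date", "collection_date"):
            out[key[:-5] + "_year"] = str(value)[:4]  # keep the year only
        elif key == "age":
            out["age"] = "90+" if int(value) >= 90 else int(value)
    # Ages over 89 are aggregated, so a birth year would reveal them.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


# Constructed record for illustration.
SAMPLE = {
    "sample_id": "LAB-000123", "name": "Jane Example",
    "street_address": "1 Constructed Way", "email": "jane@example.org",
    "zip": "03601", "birth_date": "1931-04-02", "age": 93,
    "collection_date": "2024-05-17", "sex": "F",
    "clinician_notes": "free text may contain identifiers",
    "variant_file": "sample.vcf.gz",
}
```

Because the function copies only fields it recognises, a column added to the schema later is withheld from the export until someone decides how it should be treated.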
Despite ongoing efforts towards regulatory harmonisation to bridge the gaps between different regulatory regimes and streamline cross-border genetic data transfer rules, international frameworks and agreements still seem to have a long way to go. The EU-U.S. Privacy Shield, for example, was repeatedly questioned, and eventually derogated in total by the European Court of Justice [1]. Therefore, it is recommended that organisations processing genetic data work with DPO service providers to support them in navigating the complex regulatory landscape of cross-border genetic data transfers and implementing necessary technical measures effectively.
HewardMills’ privacy experts are carefully tracking global legal and regulatory developments relating to genetic data. Whether harmonised legislation is passed, or national requirements continue to increase in scope and complexity, we can help your business comply and securely transfer genetic data across borders.