The processing of genetic data
The genetic data, defined in the international documents as data referring to the hereditary characteristics of a person or to the hereditary model of such characteristics concerning a group of person belonging to a family, are personal data according to Directive 95/46/EC because they allow the identification of that person, pointing out the its oneness.
Taking into account their specificity, the processing of genetic data request and justify a particular juridical protection. That is why the international fundamental instruments forbid any discrimination based on genetic data. Thus, Article 21 of the Charter of Fundamental Rights of European Union states that: "any discrimination based (...) on genetic purposes" must be forbidden. This interdiction can be found also in the Convention of Council of Europe regarding the Human Rights and Bio-Medicine (Article 11) and in the Universal Declaration concerning the Human Genome and Human Rights of UNESCO (Article 6).
The efficiency of this interdiction implies the existence of certain strict rules to limit the situations in which the genetic data can be used.
Taking into consideration the complexity and the sensitiveness of the genetic information, it was considered that there is a high risk of misuse or reuse for other purposes by the data controller or by third parties at international level. Thus, the genetic data might be used only if they are adequate, relevant and non-excessive for the purpose for which are intended to be used, which implies a strict assessment of the necessity and proportionality of the data processed.
In the Article 29 Working Party Opinion regarding the genetic data, it is underlined the fact that the proportionality was a main criterion in most of the decisions taken so far by the data protection authorities in connection with the processing of genetic data.
Thanks to the particular nature, the characteristics of the genetic data and the impact which their usage might have on the privacy of individual and of his/her family, the compliance with the principles of finality and proportionality implies a clear purpose for which genetic data are collected and used by a data controller.
Regarding the usage of genetic data for employment purposes, Article 29 Working Party considers that the processing of genetic data in this sector should be, in principle, forbidden.
In the same time, the European Working Party on the Ethics of Science and of New Technology stated that "until now, there is no proof that the genetic tests are relevant for the employment".
However, the setting up of a genetic database represents, at European level, a potential reason for worrying from the data protection point of view, especially concerning:
- the onward processing of the data for other purposes than the ones established at the collection moment;
- the retention period of the genetic data;
- adequate security measures.
Applying the anonymisation might be a solution for the problems appeared from the point of view of personal data protection.
In the same time, the genetic data should be processed under the control of the qualified professionals, by complying with the provisions of Directive 95/46/EC and of specific regulations because, in certain situation, these data refer also to health.
In the Opinion 6/2006 concerning the Humane Genome and privacy, Article 29 Working Party already stated the necessity to correlate the new genetic technologies with adequate safeguards for protecting the right to privacy.
Article 29 Working Party recommends the Member States to analyse the possibility for the processing of genetic data to be subject to preliminary control, carried out by national supervisory authorities, according to Article 20 of Directive 95/46/CE. This method should be used especially in the case of establishing and using certain genetic databases.
In Romania, the personal data processing field is regulated by Law no. 677/2001 and genetic data are part of the personal data, according to Article 3 a) of this normative act.
For the application of Article 23 of the law mentioned above, Mrs. Georgeta Basarabescu - president of the National Supervisory Authority for Personal Data Processing - issued Decision no. 11/2009 regarding the establishing of the categories of personal data operations susceptible to present special risks for the rights and liberties of persons
Throughout this decision it was established that the processing operations of genetic data are part of the ones susceptible to present special risks for the rights and liberties of persons, which impose our authority to carry out preliminary controls, according to the provisions of Law no. 677/2001
The first obligation of the data controllers which intend to use genetic data consists in notifying the processing of this category of data to the national supervisory authority at least 30 days before starting the processing.
According to the purpose of the declared processing, the compliance with the proportionality principle is assessed.
In the same time, that data controller has to inform the data subjects, according to the provisions of Article 12 of Law no. 677/2001 and to take the necessary measures in order to ensure the confidentiality and the security of that processing.