Evaluation Of The Draft Guidelines On The Processing Of Genetic Data
The Personal Data Protection Authority (“Authority”) published the Draft Guidelines on the Issues to be Considered in the Processing of Genetic Data (“Draft Guidelines”) on 24.08.2022 and submitted them for public opinion. The Draft Guidelines cover the issues to be considered during the processing and protection of genetic data, which is regulated as a special category of personal data under Law No. 6698 on the Protection of Personal Data (“LPPD”), along with some technical and administrative measures.
In its public announcement, the Authority stated that genetic data is highly sensitive in terms of the information arising from its processing and may cause national strategic consequences that may affect the whole society, that the processing of genetic data should be bound by certain rules and procedures, and that awareness should be raised in the public sphere.
In this article, we share our evaluations of the Draft Guidelines, which are of great importance especially for investors and for institutions and organizations operating in the fields of health, genetics, biomedicine, medicine, biotechnology, and pharmaceuticals.
II. PROCESSING OF GENETIC DATA IN PRINCIPLE AND THE MATTERS STIPULATED BY THE GUIDELINES
According to the Draft Guidelines, genetic data is defined as “personal data that provides unique information about the physiology or health of a natural person and specifically arises from the analysis of a biological sample taken from that natural person and relates to the inherited or acquired characteristics of that person”. Within the scope of the LPPD, genetic data is considered a special category of personal data and, as a principle, it can be processed only with the explicit consent of the person concerned. As an exception to this principle, genetic data may be processed without the explicit consent of the data subject in certain limited situations stipulated under the LPPD.
In parallel with the situations specified in the LPPD, the Draft Guidelines state that genetic data can be processed without the explicit consent of the data subject only (i) as health data, for mandatory tests in line with health requirements in order to perform preventive medicine, medical diagnosis, treatment and care services, and (ii) in other situations stipulated by law (e.g. for molecular genetic examinations that may be required by the Criminal Procedure Law). Apart from these situations, the Draft Guidelines state that the processing of genetic data for commercial purposes, for instance the determination of lineage/ancestry or kinship relations, the determination of predisposition to sporting activities or any talent, or dietary services, can only be carried out with the explicit consent of the person concerned.
As regards the use of genetic data for scientific purposes, which is exempted from the LPPD, the Authority made a special evaluation in the Draft Guidelines and stated that genetic data can be processed for scientific purposes by obtaining ethics committee permissions based on the general principles in the Regulation on Personal Health Data.
III. TRANSFER OF GENETIC DATA ABROAD
The transfer of genetic data abroad has been specifically regulated and is subject to certain restrictions by the Authority in light of the possibility that processing genetic data could have an impact on not only the natural person whose genetic data is processed but also relatives, future generations, and even national security and the economy.
In principle, genetic data can be transferred abroad only with the explicit consent of the person concerned; the exception is where the transfer is mandatory for preventive medical diagnosis and treatment. However, as stated above, it is important to keep genetic data in the country if possible, as its effects are cumulative and extend beyond the person concerned. The Authority is of the same opinion, and the Draft Guidelines include assessments in this direction. The Draft Guidelines note that almost all tests and examinations requiring the use of genetic data can be carried out in national laboratories, and state that where this is not possible, genetic data can be transferred abroad only with the explicit consent of the person concerned. In such a situation, it is highly important that the transfer be carried out only under the supervision of the Ministry of Health, through genetic disease evaluation centres licensed by the Ministry of Health and licensed medical laboratories, in accordance with the Regulation on Genetic Diseases Evaluation Centres and the Regulation on Medical Laboratories.
In case of such a transfer, it is crucial to minimise the risks by expanding the scope of the disclosure obligation and informing the data subject in a clear and detailed manner about the possible difficulties in tracking the fate of genetic data, the data security risks relating to data controllers abroad, the possibility that genetic data transferred abroad will be passed on to third parties, and the negative consequences that may arise from these situations.
IV. SOME PRECAUTIONS STIPULATED IN THE DRAFT GUIDELINES FOR THE PROTECTION OF GENETIC DATA
Within the scope of the Draft Guidelines, it is recommended that many administrative and technical precautions be taken for genetic data in addition to the precautions in the Decision dated 31.01.2018 and numbered 018/10 on “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data”. Some important measures are as follows:
- Taking genetic data privacy into account at the design stage and stipulating all mechanisms on this basis, so that the process is established based on “privacy-based design” in the European Union legislation,
- Keeping genetic data in such a way that it cannot be accessed by anyone other than authorized personnel who have received relevant training and with whom confidentiality agreements have been concluded,
- Establishing separate processing policies, emergency procedures, and reporting mechanisms for genetic data processing processes, regularly backing up genetic data in electronic media and keeping backups outside the network,
- When working with a data processor, including in the service contracts concluded with the data processor security measures at least at the level of security provided by the data controller,
- Not keeping genetic data in cloud systems; however, if genetic data is kept in the cloud, keeping a record of what this data is, taking backups outside the cloud, applying two-stage authentication control for remote access, and encrypting the data with cryptographic methods,
- Enabling data controllers to monitor and limit user actions on the genetic data processing software,
- Testing the data processing system before its installation and after any modifications, if possible using synthetic data in test environments created for this purpose.
It is crucial to secure genetic data at the national level, since the effects of processing genetic data are cumulative rather than limited to the individual. In this regard, the Draft Guidelines released by the Authority subject the processing and protection of genetic data to specific procedures in addition to the LPPD, and compliance with these procedures and suggestions is of high importance. Once the Draft Guidelines are finalized and published, a resource will emerge that will guide the processing and protection of genetic data at the national level, will be taken as a basis in legal disputes, and will create social awareness. For this reason, it will be important for institutions, organizations, and investors operating in the fields of health, genetics, biomedicine, medicine, biotechnology, pharmaceuticals, etc. to follow the process and complete the harmonization works as soon as possible.