We are at present seemingly swamped by marketing materials which are keen to point out the financial consequences of noncompliance with the new EU wide data protection regulation, the GDPR1, which is due to come into force on 25th May 2018. This legislation, despite the inevitable cost to business in terms of change to process and procedure, is badly needed for the protection of all of us.
The stealing of personal data for nefarious reasons is becoming more and more common and it is right that the law evolves to protect its citizens. Hailed by many as a “revolution”, we prefer to think of it as an “evolution” to fill a niche largely created by e-communication.
For those of us involved in resolving family law cases using DNA testing technology, there are now some additional considerations, notably those relating to genetic information that could have derived from, say, a paternity test.
For the first time, these data, along with biometric data are specifically mentioned in the legislation and are classified as sensitive personal information, along with religious beliefs, physical and mental health and ethnic origin. This is long overdue.
Nothing is closer to your very being than your own unique genetic code. Analysis of your genes can already tell a lot about you, in the future this will be substantially more.
Predicting (yes predicting, not just diagnosing) diseases, abilities or preferences all come under the spotlight. For those of you that think that the ability of ISPs to present advertisements based on your surfing activity is bad enough, it is truly little compared to what could be done with access to your genetic data.
The key to unlocking your code is the physical DNA itself, which can be isolated from a bodily sample, most simply a cheek swab or saliva sample to collect some cells from inside the mouth.
In a paternity test we look at regions of DNA that are to be found throughout your personal DNA code (your genome). For the most part, these regions (the DNA profile) have no functional consequence, they are just markers in the sand.
They are powerful enough though, to identify your immediate family and who is, or is not, the father of a child. It is this DNA profile that you may hear about as being stored on DNA databases and retrieved for example, in connection with a crime.
More imperative to consider is the rise of companies which obtain your DNA sample and sequence the entire genome or make a detailed map, thus providing you with a report on say, your distant ancestry or changes in your genome which relate to disease predisposition or other characteristics.
These data are necessarily far from complete and conclusions are far from absolute, yet these providers often continue to hold the DNA, sample and data. Consumers may find that they have agreed to retention of their DNA and the sharing of their genetic data (sometimes with payment) with third parties for other purposes.
The consent these companies have obtained from consumers is not a fully informed consent as there may be risks and consequences that currently cannot be foreseen.
The retention of genetic information is in fact broader than that too…such information is being held by healthcare providers and by universities and indeed, sometimes without limitation of time.
You may have heard of “biobanks”, where genetic information is held for the purpose of “research”…i.e. DNA data mining, which is often carrying a tenuous rationality.
This is precisely why GDPR is needed, consent buried in T&Cs is not a fair consent and the explicit “opt-in” required under GDPR will mean that consumers genetic data cannot now just be held in the expectation that an opportunity will arise for the testing company, without the consent of the donor to the use of their data in the new circumstances.
GDPR also means that there will need to be accountability for the genetic data stored and how it is used. This is in no part a complete block on important genetic developments; GDPR is quite rightly asking for accountability for the DNA data, as it does with other pieces of Personally Identifiable Information (PII).
In family law cases, which generally involved DNA profiling, reasonable steps must be taken to protect clients data.
Given the complexity of the cases we generally have to deal with, e.g. multiple solicitors representing different clients, the involvement of social services and local authorities, court orders, private individuals and international cases (including immigration), there is a veritable minefield of responsibility which must be attended to under GDPR.
Coupled with the need of many to improve general internal practices (location of data, how it is used and shared, accessing from off site, cloud storage) GDPR will bring significant audit responsibility to the legal profession and its subcontractors.
We stand ready to work with you on these complex issues. What will arise will be a better system where genetic and other data is properly accounted for. Dr Neil Sullivan, BSc., MBA (DIC), LLM, PhD. General Manager, Complement Genomics Ltd. (trading as www.dadcheckgold.com)
 The General Data Protection Regulation see: https://ico.org.uk/fororganisations/guide-tothe-generaldataprotection-regulation-gdp