5 December 2018
In the eyes of the GDPR, not all data are equal. Rather, ‘special categories’ of personal data are given additional protection. For our purposes, there are three special categories of note:
The boundaries of ‘genetic data’ and ‘data concerning health’ are particularly indistinct. Of two possible interpretations of ‘genetic data’, the latter seems more probable:
Similarly, it is uncertain what counts as ‘data concerning health.’ If interpreted along similar lines as the Data Protection Directive and Lindqvist, the concept will be expansive and blurred.
Notwithstanding these definitional questions, the lawful processing of special category data requires both an Article 6 legal basis and an Article 9 derogation. However, some civil law jurisdictions interpret the Article 9 derogations as superseding this requirement to have an Article 6 legal basis. Health, genetic, and biometric data are unique amongst the special categories in allowing Member States to introduce further conditions on their processing.
Data controllers should select a derogation that is compatible with the purpose of their processing and the legal basis they rely upon. Depending on the purpose of processing, clinical and research genomics will usually invoke derogations (g) to (j) of Article 9(2).
To provide UK examples, the GDPR Working Group counsels that NHS organisations utilise the Article 6(1)(e) ‘public interest’ legal basis with the Article 9(2)(h) derogation on ‘preventative or occupational medicine’ or the Article 9(2)(i) derogation on ‘public health.’ Regarding research, the NHS Health Research Authority recommends that the Article 6(1)(e) legal basis be paired with the Article 9(2)(j) derogation on scientific or research purposes.
In certain circumstances, invoking a derogation (e.g. Article 9(2)(j)) frees data controllers from some obligations to their data subjects (Article 89(2)). However, if one relies upon the Article 9(2)(j) research derogation, the rights and freedoms of data subjects must be safeguarded (Article 89(1)). Data controllers must be cognizant of the potential risks to these rights and freedoms (Recital 75) when carrying out data protection impact assessments, especially when processing genetic and health data (Article 35 and Recital 91).
Alison Hall and Johan Ordish work for the PHG Foundation, a think tank with a special focus on genomics and personalised medicine that is a part of the University of Cambridge.
Relevant GDPR Provisions