New Guideline from the Data Protection Authority: Considerations When Processing Genetic Data
The Guideline on Matters to Consider when Processing Genetic Data ("Guideline") was published by the Personal Data Protection Authority ("Authority") on its official website on October 13, 2023.
While genetic data is not defined separately under the Law No. 6698 on the Protection of Personal Data ("Law"), it is categorized as one of the special categories of personal data. In this context, the Guideline lists genetic data’s areas of use as (i) genetic analysis for diagnostic and therapeutic purposes in the health field, (ii) genetic analysis to determine parentage and ancestry, and (iii) genetic analysis to determine genetic predisposition.
The Guideline covers genetic data controllers and data subjects, the conditions for processing genetic data, the data controllers’ obligations, genetic data security and, finally, the Authority’s recommendations and suggestions.
1. Data Controllers and Data Processors
For the determination of the data controllers, the Guideline refers to the Regulation on Genetic Diseases Evaluation Centers ("Genetic Diseases Regulation"). The Genetic Diseases Regulation requires organizations to obtain a license in order to operate as a Genetic Diseases Evaluation Center ("Center") where genetic analysis is carried out in cases of medical necessity, such as the diagnosis of genetic diseases, the determination of predisposition to genetic diseases, and scientific research for medical purposes. In this context, the Guideline states that the Centers are deemed data controllers under Article 3 of the Law.
The Guideline further highlights that the cloud systems in which the Centers store genetic data may be considered data processors.
2. Data Subjects
Genetic data, by its very nature, concerns not only an individual but also others who are genetically related to that individual. The Guideline addresses this issue by stating that processing the genetic data of persons genetically related to the data subject, rather than that of the data subject alone, gives rise to a different purpose of processing.
3. Genetic Data Processing
The Guideline states that the processing of genetic data must comply with the general principles set out in the Law. In this context, the following principles are mentioned by the Guideline:
The essence of fundamental rights and freedoms shall not be violated,
The genetic data processing shall be appropriate to the purpose,
The genetic data processing tools and purposes shall be proportionate,
Data controllers shall retain processed genetic data only for the required period and destroy it immediately once it is no longer needed, in accordance with their personal data retention and destruction policy (under the Genetic Diseases Regulation, reports and records must be retained for at least 30 years, electronic records must be retained indefinitely with backups, and samples and slides must be retained for at least 2 years).
In addition, a few of the data processing conditions regulated in Article 6 of the Law are detailed specifically for genetic data:
3.1. Explicit Consent
The Guideline emphasizes that it is not sufficient for the individuals whose genetic data are processed to read and sign the explicit consent form. In this context, the data controller is obliged to explain the genetic data processing activities and their consequences to the data subject in a clear and comprehensible manner. Moreover, genetic data processed on the basis of explicit consent should not be used for other purposes, and data controllers should take due care to inform data subjects accordingly. In addition, the Guideline highlights the link between explicit consent and free will, stating that it is not lawful to require explicit consent as a condition of providing a service or good.
Pursuant to the Guideline, if genetic data is not processed for diagnostic or therapeutic purposes, the data controller must inform the data subject in a clear and detailed manner on (i) the likelihood that the processing may involve personal data of individuals belonging to the data subject's lineage, (ii) the risks associated with processing genetic data, (iii) potential difficulties in tracing the fate of genetic data in case it is transferred abroad, (iv) the data security risks posed by data controllers located abroad, (v) uncertainties such as the possibility that genetic data previously transferred abroad is further transferred to third parties, and (vi) the negative consequences that these situations may create.
Furthermore, the Guideline emphasizes that if genetic data is processed as health data, it may only be processed for certain purposes without explicit consent from the data subject. These purposes include (i) protecting public health, (ii) preventative medicine, (iii) medical diagnosis, (iv) execution of treatment and care services, and (v) health services and finance planning and management. Such processing may be conducted by authorized individuals or institutions under the obligation of confidentiality. The Guideline also highlights the necessity of informing the data subject during mandatory data processing activities and ensuring the presence of a health-related purpose while processing genetic data.
4. International Transfer of Genetic Data
The Guideline mandates that genetic data may only be transferred abroad provided that one of the specified conditions is met in accordance with the Law:
If data subject’s explicit consent is obtained, or
In cases where explicit consent is not obtained:
Adequate protection is provided in the country to which the genetic data will be transferred (the list of countries with adequate protection has not yet been published by the Authority),
If adequate protection is not provided, the sender and recipient data controllers must sign an undertaking reflecting the adequate protection and obtain permission from the Personal Data Protection Board ("Board").
Additionally, the Guideline underlines that transfers can be made abroad with the Board’s permission in cases where the interests of the data subject or Turkey may be seriously harmed, provided that the opinion of the relevant public institution is obtained. Nevertheless, if the data controllers abroad fail to take the necessary technical and administrative measures, which may harm the interests of the data subject or Turkey, the Board may also take relevant measures provided under the Law.
5. Data Processing Exceptions
In the event that genetic data is processed for scientific purposes within the framework of the exceptions set out in the Law, the Guideline states that the following criteria should be applied:
The Regulation on Personal Health Data governs the use of health data in scientific research. The Guideline refers to the Regulation on Personal Health Data and emphasizes the need to minimize risks to personal data security by rendering genetic data unattributable to data subjects and by utilizing techniques like pseudonymization.
Although genetic data processing for scientific studies is regulated as an exception by the Law, the Guideline asserts that genetic data processing is only appropriate when it is necessary to achieve anticipated results in scientific studies.
When processing genetic data for scientific purposes, data controllers must take appropriate measures to ensure security and adhere to the principle of purpose-related, limited, and proportionate data processing.
Upon completion of scientific research, an evaluation should be made as to whether genetic data warrants retention. If it is not deemed necessary, appropriate mechanisms should be established in compliance with the destruction policy.
6. Data Controllers’ Obligations
6.1. Obligation to Inform
In addition to Article 10 of the Law regulating the data controller's obligation to inform data subjects and the Communiqué on the Procedures and Principles of the Obligation to Inform, the Guideline underlines that data controllers who process genetic data must also inform the data subject on the following issues:
The importance of genetic data,
Risks that may arise in the event of a data breach,
The fact that genetic data includes data of both the data subject and their family members.
6.2. Registration Obligation
The Guideline reminds data controllers who process genetic data of their obligation to register with the Data Controllers Registry (VERBIS).
6.3. Data Protection Obligation
The Guideline evaluates the nature of genetic data and the possible risks that may arise in case of processing, and lists the following technical and administrative measures:
- Technical Measures:
The Guideline does not recommend storing genetic data in cloud systems. However, the Guideline also states that the following points should be considered when processing genetic data through cloud systems:
Records of data stored in the cloud should be kept.
Data should be backed up outside the cloud.
Two-factor authentication should be used to access data stored in the cloud.
Data should be encrypted using cryptographic methods that provide adequate security in line with the current technology.
Applications, devices and systems that include algorithms from the standardized and secure cryptographic algorithm suite should be used, and industry standards and best practices for these algorithms should be considered.
If it is necessary to use cryptographic algorithms that are not part of the standard cryptographic algorithm suite, they should be analyzed and evaluated by an authorized cryptanalysis laboratory to determine whether they provide a sufficient level of security prior to use.
Encryption and key management policies should be clearly defined.
Access to cryptographic keys should be restricted to authorized personnel with a crypto-security certificate.
Where possible, separate encryption keys should be used, in particular a separate key for each cloud solution.
In cases such as maintenance, repair, or the return of equipment used in the processing of personal data, the data storage units in the equipment should be removed and transported, or all data should be delivered to the data controller on hard disk media. A written undertaking, stating that there is no personal data on the equipment and servers, should be obtained from the owner of the equipment.
Before installing the data processing system, it should be tested using synthetic data. If real data is used during testing, the principle of data minimization should be followed. In addition, data controllers should take measures to alert the system administrator, protect the data, and report in case of unauthorized access to the system.
Data controllers should use certified equipment, up-to-date software, provide patch management, and prefer open-source software.
Data controllers should be able to monitor and restrict user actions on the system. Logs of the transactions performed on the system should also be maintained and protected on a regular basis.
Hardware and software security tests of the systems should be performed on a regular basis.
- Administrative Measures:
Data processing mechanisms should be set up and managed based on the principle of Privacy by Design, as set out in the European Union's General Data Protection Regulation ("GDPR"), which states that all processes regarding the production of a product/technology should be designed with privacy and confidentiality at the forefront.
Data controllers should conduct a Data Protection Impact Assessment as regulated under the GDPR.
Genetic data should be accessible only to trained, accredited personnel bound by confidentiality obligations.
The processing policies, emergency procedures and reporting mechanisms should be prepared for processing operations, and a secure back-up system should be established, with back-ups of records kept offline.
The relevant security measures should be included in the contract that data controllers conclude with data processors.
7. Recommendations and Suggestions by the Authority
Underlining the risk that genetic data may affect society and have national consequences due to the information it contains, the Authority states that the processing of genetic data should be subject to certain rules and procedures and that it is essential to take national measures.
In addition, the Guideline lists the following actions that can be taken at the national level:
It would be beneficial to apply different procedures and rules according to the different purposes of the processing of genetic data. For instance, the Guideline states that samples containing genetic data to be sent abroad within the scope of the Genetic Diseases Regulation should be considered as personal data and should be evaluated within the framework of the international transfer provision and general principles of the Law.
Referring to the International Declaration on Human Genetic Data adopted by the General Conference of UNESCO on October 16, 2003, the Guideline emphasizes that in cases where tests and research involving genetic data must be conducted abroad, necessary measures must be taken to ensure privacy and to ensure that genetic data are used only for the purposes for which they were collected.
The Guideline states that national laboratories should be supported to conduct testing and research on genetic data domestically.
Administrative arrangements should be made to host genetic data in Turkey and domestic, national and accredited IT infrastructures suitable for hosting genetic data should be supported.
The practices of transparency, openness and accountability should be developed in the processing of genetic data, enabling the public to be informed on such issues.
Data subject requests should be handled by staff who have the necessary training.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya