Select Committee on Science and Technology Written Evidence

Letter from the Office of the Data Protection Commissioner

  "Personal data" is defined in the Data Protection Act 1998 as meaning data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It is clear therefore that information such as a genetic test result that can be linked to a living individual will constitute personal data subject to the Data Protection Act 1998. Indeed, such information will be deemed "sensitive personal data", it being about an individual's health or condition.

  In essence, the Data Protection Act 1998 does not treat genetic information that constitutes personal data differently to any other form of information constituting personal data, for example personal data about an individual's health derived from the "traditional" analysis of clinical test results. The general principles that apply to the processing of personal data derived from genetic analysis are those contained in the data protection principles:

  1.  Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

    (a)  at least one of the conditions in Schedule 2 is met; and

    (b)  in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2.  Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3.  Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4.  Personal data shall be accurate and, where necessary, kept up to date.

  5.  Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6.  Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7.  Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8.  Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  However, the processing of personal genetic data may raise some novel issues in terms of its potentially "inter-personal" and predictive nature. The processing may also raise some fundamental problems of making the processing fair to individuals. Do individuals understand the implications sufficiently well to allow them to make informed decisions about whether to take a genetic test or to disclose its results, for example?

  Other particular issues that arise as the result of the processing of information derived from genetic analysis concern the use of the results of genetic testing for employment and insurance purposes. Will the use of such tests become standard? Will it become difficult for individuals with a certain genetic make-up to be employed or insured? Who should decide whether, or in what circumstances, individuals can be requested to take a genetic test or to reveal the results of a test that has already been taken? Clearly, these are important social policy issues. Although the Secretary of State has powers under section 22 of the Data Protection Act 1998 to make an Order in respect of "assessable processing", and this is likely to apply to the processing of genetic information for employment or insurance purposes, there are questions as to whether the Data Protection Commissioner is best placed, in terms of having the necessary expertise, to regulate the processing of personal data consisting of genetic information. Clearly, assessing the adequacy, relevance or accuracy of such personal data could require a considerable level of technical expertise. Would it be more appropriate for another body to regulate the processing of genetic information?

Iain Bourne
Compliance Manager (Health)

18 October 2000

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2000