BBMRI.at Legal Knowledge Base
Legal Q&A: How is the management of genetic and health data sharing regulated – for health care on the one hand and research on the other hand?
Under the General Data Protection Regulation (GDPR) genetic data is recognized as a sensitive form of personal data, requiring strict processing conditions. Alongside GDPR provisions, the article below underscores how Austrian national laws impose additional safeguards for the collection and use of genetic data.
BBMRI.at Legal Helpdesk Service answers
The BBMRI.at Legal Helpdesk Service answers questions on legal and regulatory matters around biobanking and/or using biological samples and data. This service is offered to BBMRI.at partners to support them, as biobanking and research using biological samples and data (e.g. human, animal/veterinary, microbial, etc.) may raise legal questions.
QUESTION:
Legal Q&A: How is the management of genetic and health data sharing regulated, for health care on the one hand, and research, on the other hand?
ANSWER:
Under the General Data Protection Regulation (GDPR), genetic data is recognized as a sensitive form of personal data, requiring strict processing conditions. Austrian national laws, such as the Gentechnikgesetz (GTG) and the Research Organisation Act (FOG), provide additional safeguards for the collection and use of genetic data, particularly in healthcare and research settings. These national laws set specific criteria for genetic testing, data de-identification, and consent.
1. Genetic data as personal data and sharing in the GDPR
For the purposes of this answer, we shall assume that Question no. 002 is referring to situations such as exchange of Personal Data (as defined in Article 4(1) of the GDPR[1]) between organisations, several organisations pooling information and making it available to each other, providing data to a third party or parties, among others[2]. We shall also assume, from the context of this second question, that the Author of the query is specifically concerned with sharing personal data which is genetic data, in line with Article 4(13) of the GDPR.
According to the GDPR, data sharing is a form of data processing (Article 4(2)), which is subject to strict conditions. The national regulatory framework provided by the GTG regarding genetic data therefore coexists with the European Union’s legislation on the subject of data protection – namely the GDPR (see recitals 34, 35, 53, 71, 75 as well as Articles 4(1), 4(13), 9(1) and (4)), which categorises genetic data as a form of personal data (recital 34 and Article 4(1)) – and international and soft law instruments which help guide stakeholders in the matters of data protection, which must be taken into account when dealing with the topics at hand.
We’ve established that genetic data is personal data and that data sharing, as a form of data processing, is within the scope of the GDPR. Apart from all of the conditions set out in the GDPR for processing personal data (which includes specific roles and responsibilities for those who carry out these actions – Articles 26 and 28 of the GDPR, for example) and the potential need to pursue a data protection impact assessment (Article 35), genetic data falls within a specific framework of protection, as it is a special category of personal data (Article 9), often referred to as sensitive data (see recital 10). Sharing personal data with third parties should only happen based on a contractual agreement outlining the responsibilities with regards to the GDPR between the parties – a data sharing agreement.
This can be an agreement between a controller and processor(s), between two or more joint controllers or between the controller and a data recipient (Articles 26 and 28 GDPR).
Personal data collected for health care purposes, including sensitive data, can in most circumstances also be further processed for scientific research purposes, as under the GDPR these are by default considered compatible with the initial purposes of collection (Articles 9(2)(j), 5(1)(b) and 89(1) GDPR). However, other GDPR obligations still apply. Moreover, EU Member States may introduce their own rules with regard to processing personal data for research purposes (Article 89(1) GDPR). In Austria these can be found in the Forschungsorganisationsgesetz (FOG)[3].
As stated in paragraph 2 of Article 9, explicit consent from the data subject is, among other motivations, a lawful basis for the processing of genetic data (Article 9(2)(a)). The GDPR allows Member States to “[…] maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health” (Article 9(4) and recital 53). This links national regulations to the EU framework.
2. Austrian law and genetic data sharing
As previously stated, the GTG establishes different prerequisites for genetic testing for medical purposes (Article 65) and genetic testing for scientific and educational purposes (Article 66). Therefore:
The Datenschutzgesetz, Austria’s Data Protection Act, commonly referred to as DSG[5], is one of the applicable laws specified in Article 71(3) of the GTG. A right to secrecy of personal data is enshrined in §1 of the GTG, which also contains provisions regarding the processing of personal data for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes (§7). Additionally, §8, concerning the transmission of address data of a certain group of data subjects for the purpose of notifying or questioning them, states that such transmission requires the consent of the data subjects (§8(1)).
The other legal act which remains applicable – according to Article 71(3) of the GTG – is the Gesundheitstelematikgesetz 2012 (Health Telematics Act[6]) containing important rules which apply, inter alia, to electronic transmission of genetic data (§3, §4, §6, §7).
Article 66(3) states that certain paragraphs from the Research Organisation Act (Forschungsorganisationsgesetz, or FOG[7]) apply to human genetic analysis conducted for educational and scientific purposes and are most relevant to determine under which conditions data processing can be conducted. There are specific obligations for scientific institutions which hold repositories of data in accordance with Article 89 of the GDPR. Since, pursuant to Article 66(3) of the GTG, from the first paragraph of Article 2f of the FOG, only number 6 applies, there is a heightened protection of the data subject and no data which can lead to the identification of the respective individual is allowed to be stored in these repositories.
3. Additional Resources that may be helpful
Legal
Council of Europe, Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine, 1999. Austria is not a party to this Convention. Nevertheless, Austrian legislation is very much in line with article 12 of the Convention, which states that “Tests which are predictive of genetic diseases or which serve either to identify the subject as a carrier of a gene responsible for a disease or to detect a genetic predisposition or susceptibility to a disease may be performed only for health purposes or for scientific research linked to health purposes, and subject to appropriate genetic counselling”.
Additional Protocol to the Convention on Human Rights and Biomedicine concerning Genetic Testing for Health Purposes, Council of Europe, 2008 (CETS 203). Austria is not a signatory State to this Protocol. Nevertheless, it provides great insight into the legal and ethical issues that concern the topic at hand.
Other
Guidelines and Opinions from the Austrian Society for Human Genetics (Österreichische Gesellschaft für Humangenetik), available from: http://www.oegh.at/index.php?option=com_content&view=category&layout=blog&id=9&Itemid=16 (German only).
Resources from the Bundesministerium für Bildung, Wissenschaft und Forschung (BMBWF), i.e., the Federal Ministry of Education, Science and Research, available from: https://www.bmbwf.gv.at/Themen/Forschung/Forschung-in-%C3%96sterreich/Services/Gentechnik.html (German only).
Resources from the Umweltbundesamt (Federal Environment Agency), available from: https://www.umweltbundesamt.at/ (German only).
Bundeskanzleramt Österreich – Bioethikkommission, Stellungnahme der Bioethikkommission zu Gen und Genomtests im Internet, 10.05.2010, available from: https://www.bundeskanzleramt.gv.at/dam/jcr:821b891a-4217-49e7-abb2-1effe6f3fc4a/Stellungnahme_der_Bioethikkommission_zu_Gen-_und_Genomtests_im_Internet_vom_10._Mai_2010.pdf (German only).
Available documents (in German only) include a Statement on somatic diagnostics of tumor tissue of the BRCA1 and BRCA2 genes and other genes and Guideline on Molecular genetic diagnostics with high-throughput germline methods, such as next-generation sequencing.
Other relevant document: Stellungnahme der Bioethikkommission beim Bundeskanzleramt zum Entwurf eines Bundesgesetzes, mit dem das Fortpflanzungsmedizingesetz, das Allgemeine bürgerliche Gesetzbuch und das Gentechnikgesetz geändert werden (Fortpflanzungsmedizinrechts-Änderungsgesetz 2015 – FMedRÄG 2015), available from: https://www.bundeskanzleramt.gv.at/dam/jcr:ecbae513-5ea7-4c76-867e-6316bff33baf/FMedRAEG_2015.pdf (German only).
Draft WHO principles for human genome data access, use and sharing, World Health Organization, 8 April 2024, available from: who-principles-human-genome-data-access–use–and-sharing_public-consultation_8-april.pdf (English).
Sources:
[1] General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] ICO (Information Commissioner’s Office), Data sharing code of practice, 17 October 2022 – 1.0.31, p. 20.
[3] § 2f FOG Datengrundlagen für Tätigkeiten zu Zwecken gemäß Art. 89 Abs. 1 DSGVO.
[4] The article has been subject to some discussion over the years and was the subject of a Constitutional Court decision in 2015. See Verfassungsgerichtshof, 08.10.2015, Geschäftszahl: G20/2015 ua, Sammlungsnummer 20012, ECLI:AT:VFGH:2015:G20.2015. Available from: https://www.ris.bka.gv.at/Dokumente/Vfgh/JFT_20151008_15G00020_00/JFT_20151008_15G00020_00.html (accessed: 26/03/2024).
[5] Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Datenschutzgesetz – DSG), StF: BGBl. I Nr. 165/1999. Available from: RIS – Datenschutzgesetz – Bundesrecht konsolidiert, Fassung vom 26.03.2024 (bka.gv.at) (accessed: 26/03/2024).
[6] Bundesgesetz betreffend Datensicherheitsmaßnahmen bei der Verarbeitung elektronischer Gesundheitsdaten und genetischer Daten (Gesundheitstelematikgesetz 2012 – GTelG 2012), StF: BGBl. I Nr. 111/2012. Available from: RIS – Gesundheitstelematikgesetz 2012 – Bundesrecht konsolidiert, Fassung vom 28.03.2024 (bka.gv.at) (accessed: 28/03/2024).
[7] Bundesgesetz über allgemeine Angelegenheiten gemäß Art. 89 DSGVO und die Forschungsorganisation (Forschungsorganisationsgesetz – FOG), StF: BGBl. Nr. 341/1981. Available from: RIS – Forschungsorganisationsgesetz – Bundesrecht konsolidiert, Fassung vom 26.03.2024 (bka.gv.at) (accessed: 26/03/2024).
Disclaimer: this commentary aims to provide a summary of the main ethical and legal issues related to the questions put by interested stakeholders and to direct them to the relevant legal provisions that are applicable. It is not, however, a substitute for reading the official sources of legislation relating to the subject matters of this document, as well as those quoted by the authors, and it does not constitute legal advice.