11 April 2019
ICCL is alarmed by reports that the private genomic research company Genomic Medicine Ireland (GMI) has expressed confusion regarding its basic obligations under the GDPR.
Huge Privacy Risks
ICCL’s Executive Director, Liam Herrick, said:
“There are huge privacy risks inherent in GMI’s activities. Given the collection of information pertaining to DNA there should be absolutely no question about obligations around use and storage of this data. Confusion as to whether these are new obligations under the Health Research Regulations 2018 highlights a concerning lack of knowledge or even wilful ignorance of these obligations.
It is also worrying that the Irish State has invested in this corporation in light of government stalling on providing clarity around specific issues of consent for data collection.”
Human Rights Obligations
GMI must ensure that privacy rights under GDPR and under human rights law are protected when processing the sensitive data of Irish citizens for profit. The Irish government must oversee this.
The GDPR clearly includes “genetic data” as sensitive data that requires high levels of protection and stringent conditions for use. Individuals must provide informed consent to their data being collected for a specific purpose. Any use other than for that specific purpose requires further consent. It is also very clear that the data collected in the EU attracts the protections of the GDPR even if used or processed outside the EU.
Research done using highly sensitive data must be subject to strict oversight and accountability. Private companies, in particular companies with state investment, attract human rights responsibilities, including on protection of personal data. This means the company should assess their activities in light of human rights standards. Both the company and the government must be held accountable if rights are not being protected.
Notes for editors:
Original media reports: