Risk prediction models have a key role in stratified disease prevention, and the incorporation of genomic data into these models promises more effective personalisation. Although the clinical utility of incorporating genomic data into risk prediction tools is increasingly compelling, at least for some applications and disease types, the legal and regulatory implications have not been examined and have been overshadowed by discussions about clinical and scientific utility and feasibility. We held a workshop to explore relevant legal and regulatory perspectives from four EU Member States: France, Germany, the Netherlands and the UK. While we found no absolute prohibition on the use of such data in those tools, there are considerable challenges. Currently, these are modest and result from genomic data being classified as sensitive data under existing Data Protection regulation. However, these challenges will increase in the future following the implementation of EU Regulations on data protection which take effect in 2018, and reforms to the governance of the manufacture, development and use of in vitro diagnostic devices to be implemented in 2022. Collectively these will increase the regulatory burden placed on these products as risk stratification tools will be brought within the scope of these new Regulations. The failure to respond to the challenges posed by the use of genomic data in disease risk stratification tools could therefore prove costly to those developing and using such tools.
EU Data Protection Directive Article 8 stipulates that the processing of special categories of data including health data shall be prohibited but sets out a list of exemptions in the rest of this Article.
EU Data Protection Directive Article 8(2)(a).
EU Data Protection Directive Article 8(3) provides that these purposes include preventative medicine, medical diagnosis, the provision of care or treatment or the management of health care services where those data are processed by a health professional subject to obligations of professional secrecy or another person owing an equivalent obligation of secrecy.
Article 25(1)(2) requires that prior authorization be given by the National Commission of Informatics and Liberties.
Article 21(4) stipulates that personal data on hereditary properties may only be processed in respect of the person from whom the data has come unless for a ‘serious medical interest’ or that processing is necessary for scientific research or statistics.
As defined in Article 4(13) of the EU General Data Protection Regulation (2016)
Article 9(4) stipulates that Member States ‘may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’.
Article 22 of the General Data Protection Regulation. This might be addressed on a sectoral basis through codes of conduct pursuant to Article 40 GDPR.
‘The information provided by the software is based on data obtained with IVD medical devices only or possibly combined with information from medical devices.’ European Commission (2016) pages 25 and 26.
EU IVD Regulation (2017) Article 2 clarifies that this assistance must be limited to the medical functionality of the device for its intended purpose.
EU IVD Regulation (2017) Recital 17
These include mHealth products for which a legal framework is being developed at European level.
Article 29 Data Protection Working Party (2015). Annex—health data in apps and devices. 2015. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf Accessed 24 July 2017
Bourne I (2000) Written evidence from the Office of the Data Protection Commissioner to the Select Committee on Science and Technology Written Evidence: letter from the Office of the Data Protection Commissioner 2000 https://publications.parliament.uk/pa/ld199900/ldselect/ldsctech/115/115we34.htm. Accessed 24 July 2017
European Commission. (2016) MEDDEV 2.1/6 Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices. https://ec.europa.eu/docsroom/documents/17921 Accessed 26 July 2017
EU Data Protection Directive (1995) 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML Accessed 24 July 2017
EU General Data Protection Regulation (2016) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN Accessed 24 July 2017
EU In Vitro Diagnostic Medical Devices Directive (1998) 98/79/EC of the European Parliament and of the Council of 27 October 1998 on in vitro diagnostic medical devices http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01998L0079-20120111&qid=1489068115776&from=EN Accessed 24 July 2017
EU In Vitro Diagnostic Medical Devices Regulation (2017) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2017:117:TOC Accessed 26 July 2017
EU Medical Devices Regulation (2017) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2017:117:TOC Accessed 15 August 2017
Human Genetics Commission (2010). A Common Framework of Principles for direct-to consumer genetic testing services. 2010. http://webarchive.nationalarchives.gov.uk/20100303164049/http://www.hgc.gov.uk/UploadDocs/Contents/Documents/Principles%20consultation%20final.pdf Accessed 24 July 2017
Loi n° 17 (1978) Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460 Accessed 24 July 2017
Loi n° 800 (2004) Loi n° 2004-800 relative à la bioéthique https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000441469 Accessed 24 July 2017
Loi n°. 267 (2011) Loi n°.2011-267 d’orientation et de programmation pour la performance de la sécurité intérieure https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023707312&categorieLien=id Accessed 24 July 2017.
Loi n° 814 (2011) Loi n° 2011-814 du 7 juillet 2011 relative à la bioéthique https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000024323102 Accessed 24 July 2017
Medicine and Healthcare products Regulatory Agency (2016) Guidance: Medical device stand-alone software including apps (including IVDMD’s) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/610189/Software_flow_chart_Ed_1-03.pdf Accessed 26 July 2017
Sheikh AA (2008) The Data Protection Acts 1988 and 2003: some implications for public health and medical research. Health Research Board Discussion p102. http://www.hrb.ie/uploads/tx_hrbpublications/Data_Protection_Opinion.pdf Accessed 24 July 2017
Wet bescherming persoonsgegevens (2000) Data Protection Act http://wetten.overheid.nl/BWBR0011468/2017-07-01. Accessed 24 July 2017
We gratefully acknowledge the participants in the international workshop for their valuable contributions: Ms. Teresa Bienkowska-Gibbs, Dr. Anne Cambon-Thomsen, Mr. Edward Dove, Dr. Christian Gleißner, Professor Aart Hendriks, Mr. Julian Hitchcock, Dr. Stephen John, Dr. Kiran Patel, Dr. Rupert Payne, Dr. Emmanuelle Rial-Sebbag, Dr. Mark Taylor, Dr. Holger Tönnies and Professor David Townend.
This work was part of the European Prospective Investigation into Cancer and Nutrition—Cardio Vascular Disease (EPIC-CVD) (http://www.epiccvd.eu/), funded by the Seventh Framework Programme of the European Commission under grant agreement 27923.
Conflict of interest
The authors declare that they have no conflict of interest.
This article does not contain any studies with human participants or animals performed by any of the authors.
Cite this article
Hall, A., Finnegan, T., Chowdhury, S. et al. Risk stratification, genomic data and the law. J Community Genet 9, 195–199 (2018). https://doi.org/10.1007/s12687-018-0358-4