## Introduction

Genetic information and medical instruments are intertwined in healthcare, working together to enhance patient care and outcomes through personalised treatment, disease risk evaluation, monitoring, research, and the creation of devices customised to an individual's genetic characteristics.

## Relevant legislation

### [[GDPR]]

Genetic personal data provides unique information about a person's physiology, health or the health of family members. It is personal information about a person's inherited or acquired genetic traits. This data is typically obtained through the analysis of a biological sample from the individual (art. 4(13) GDPR). In particular, it could concern chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis.

According to the GDPR, genetic data is a special category of personal data (also called [[Sensitive data]]). In principle, it is prohibited to process sensitive data (art. 9 GDPR), unless an exception applies. As a consequence, there are restrictions on the processing of genetic data, requiring consent from data subjects in most cases. However, particular organisations, such as those in healthcare, may have other legal grounds for processing genetic data. For example, art. 9(2)(h) allows processing of sensitive data where it is necessary for health treatment and Union or national law allows it as well.

National governments can maintain or introduce additional conditions and limitations, leading to variations in the application of genetic data rules across different countries within the EU (art. 4(4) GDPR). See, for example, the [[Dutch GDPR Implementation Act (UAVG)]] for specific exceptions under Dutch law concerning the processing of biometric and health data. Furthermore, it is advisable to consider privacy impact assessments and privacy by design when implementing predictive technologies in healthcare.
_More information on sensitive data in the_ [_Article 29 advice paper_](https://ec.europa.eu/justice/article-29/documentation/other-document/files/2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_en.pdf)

#### Anonymisation: not (yet) possible

It is (legally) unclear whether you can anonymise genetic data, even if the [[Controller]] makes reasonable efforts and uses technically available means to prevent re-identification of the individuals. There is not yet one perfect combination of technical and organisational measures that can effectively remove genetic information from the scope of the GDPR. This means that the processing of genetic data should always go hand in hand with the implementation of appropriate technical and organisational measures.

### [[AI Act]]

The AI Act does not mention anything specific on genetic data and medical devices. Always keep in mind that you should apply other existing legislation (e.g. the legislation mentioned on this page) and codes of conduct when using a specific AI system. You should also be transparent about the use of your algorithm and adhere to the other general principles for AI systems, in order to analyse healthcare predictions ethically.

### [[MDR]]

Article 2 of the MDR defines genetic data as personal data relating to the genetic characteristics of an individual that have been inherited or acquired and which provide unique information about the physiology or health of that individual. Manufacturers using genetic data in their devices must meet additional requirements under Annex I Chapter II, including:

- Providing information on the genetic disease to be diagnosed, tested population, clinical validity of the test, implications for healthcare decisions, and limitations of the technology.
- Complying with data protection laws regarding processing of genetic data (see: [[GDPR]] above).
- Obtaining [[(Informed) consent within healthcare|Informed consent]] from the patient or user prior to carrying out testing.
- Ensuring test results are reliable, robust, clinically valid, and include disclaimers on limitations.
- Having technical specifications to minimize erroneous results related to the quality of nucleic acids, algorithms used, or variability between populations.