Factors for the Processing of Genetic Data

The handling of genetic data produces information of an exceedingly delicate nature, capable of leading to national strategic consequences that can impact the broader area. That is why the processing of genetic data must adhere to specific rules and procedures. Moreover, it is vi tal to foster public awareness regarding this matter. This approach ensures the ethical and secure processing of genetic data, safeguarding personal privacy and minimizing potential risks. Given the potential societal impact of genetic data, a meticulous approach and adherence to regulations are imperative. Organizations involved in genetic data processing must maintain compliance with the law.

The Personal Data Protection Law, No. 6698, enacted by the Turkish Grand National Assembly on March 24, 2016, and published in the Resmî (Official) Gazette on April 7, 2016, aims to protect individuals' fundamental rights and freedoms, including the privacy of private life, and to regulate the principles and procedures to be followed by real and legal persons processing personal data.

In the 6th article titled "Conditions for processing special categories of personal data" of the Law, the following categories of data are considered as "special categories" of personal data: race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and clothing, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Genetic Data: Definition

Genetic data refers to information that determines an organism's heredity and biological characteristics. Typically found within the molecule called DNA (deoxyribonucleic acid), genetic data encompasses an organism's genetic material, genes, and genetic variations. The fundamental components of genetic data include DNA, genes, and genetic variations.

According to the guideline, genetic data, defined as personal data providing unique information about a natural person's physiology or health, resulting from the analysis of a biological sample taken from that person and relating to characteristics acquired or inherited through genetics, is processed.

Processing and Principles of Genetic Data

1) The data controller must process genetic data in accordance with the general principles in Article 4 and the conditions regulated in Article 6 of the Law. The processing shoul follow the principles outlined below:

Non-infringement of the fundamental rights and freedoms

Convenience of genetic data processing for the intended purpose

Proportionality between the intended purpose and means of genetic data processing

Retention of processed genetic data for the required period and immediate deletion in accordance with the personal data retention and deletion policy after the necessity has ended.

2) Genetic data must be processed within the scope of the law:

Explicit consent for processing genetic data must be specific to a particular subject and limited to that subject. Informing should be carried out in a clear and understandable manner for all aspects of genetic data processing, and it must be done before processing the data.

Genetic data; within the scope of Article 6(3) of the Law for the purpose of carrying out preventive medicine, medical diagnosis, treatment, and care services as a health data, can be processed without the consent of the relevant individuals for mandatory tests in line with health requirements.

Genetic data can also be processed within the scope of Article 6(3) of the Law in cases foreseen in the laws. It should be noted that the individuals concerned should be informed about the processed genetic data in this context, and the data should be destroyed in accordance with the storage and destruction policy specified in the relevant Law.

3) For the transfer of genetic data abroad within the framework of Article 9 of the Law, either explicit consent of the relevant individuals must be gained, or if personal data is processed due to reasons foreseen in Article 6 of the Law, the conditions specified in subparagraphs (a) and (b) of Article 9(2) of the Law must be met, and other provisions in other laws are reserved.

You can find the exceptions outlined in Article 28 of the Law by clicking this link.

Obligations of Data Controllers

1)Obligation to Inform: Data controllers or authorized persons must fulfill the obligation to inform during the collection of data related to the processing of genetic data in accordance with Article 10 of the Law.

2) Obligation to Register in the Data Controllers Registry: According to Article 16 of the Law, individuals and legal entities processing personal data must register with the Data Controllers Registry before starting data processing.

3)Other Obligations: Data controllers are also obliged to take necessary technical and administrative measures during the processing of personal data.

Security of Genetic Data

Data controllers processing genetic data must adhere to personal data security issues specified in laws, regulations, statements, and decisions of the Board. The data controller must take all necessary technical and administrative measures to ensure the security of personal data, especially genetic data. The following are key measures:

1)Technical Measures:

Avoid storing genetic data in cloud systems.

When devices are delivered to authorized firms for maintenance, repair, or return of leased devices, data storage units on the devices should be removed or all data should be delivered to the laboratory in hard disk format. A written from the firm should confirm that there is no data on the device or server belonging to the firm.

Before establishing the system, during the testing phase, use synthetic data (unreal) whenever possible.

Use certified equipment, licensed and up-to-date software, manage patch management, prefer open source software whenever possible, and perform necessary updates on the system.

Data controllers should be able to monitor and restrict user operations on genetic data processing software.

Periodic hardware and software security tests should be conducted on systems processing genetic data.

Adherence to measures specified in the Information and Communication Security Guide.

2)Administrative Measures:

Personal data security and especially genetic data privacy must be considered in the design phase, and all mechanisms must be established based on the "Privacy by Design" principle.

Data controllers processing genetic data must apply a Data Protection Impact Assessment concerning the possible risks related to the nature of the data and data processing for the relevant persons.

Genetic data should be stored in a way that is inaccessible to anyone other than authorized personnel who have received relevant training and signed confidentiality agreements.

A ‘Personal Data Processing Inventory’ should be prepared, and notification should be made to the Data Controllers Registry Information System (VERBIS).

Separate processing policies, emergency procedures, and reporting mechanisms should be established for genetic data processing.

Before processing genetic data, individuals concerned should be thoroughly informed through meticlously prepared and valid informative texts, and if necessary, explicit consent should be obtained from the relevant individuals in accordance with Article 10 of Law No. 6698 and the ‘Principles and Procedures to be Followed in Fulfilling the Obligation of Lighting’.

Random and periodic internal audits and risk analyses should be conducted by the data controller on genetic data processing activities through which the data controller should continuously measure and monitor their preparedness for a possible data breach.

If a third-party data processor is preferred for processing genetic data for a specific purpose, the service contracts with data processors should include necessary security measures. Regular audits should be carried out, or external audits should be commissioned to ensure that the required technical and administrative measures are provided at the data processor's side.

Author: Nazlıcan Hatice TANIN/ BeyazNet Information Systems Audit Specialist