The most important facts about handling genetic data
How genetic data is to be handled (consent of the person concerned, information, storage, destruction, transfer) is regulated in the Federal Act on Human Genetic Testing (HGTA). If the HGTA does not contain any provisions on the handling of data, the Federal Data Protection Act (FADP)[1] applies in a subsidiary capacity.
What are genetic data according to HGTAHGTA and FADP?
Genetic data is information about a person's genetic material obtained through genetic testing (incl. DNA profile).[1] Under the FADP, genetic data are considered as personal data requiring special protection.[2] Depending on the respective categorisation in the HGTA, different requirements must be observed for processing.
Which categories of examinations are to be legally distinguished?
The HGTA distinguishes between genetic and prenatal examinations in the medical field (e.g. hereditary diseases, predictive risk factors for diseases) and genetic examinations outside the medical field. Genetic examinations outside the medical field are further subdivided into genetic tests on medical properties that are particularly worthy of protection (e.g. lifestyle analyses, character traits, genealogical research) and other genetic examinations (e.g. information on height, eye or hair colour).
To what extent are data protection regulations relevant to the conduct of genetic testing?
Genetic examinations are only carried out correctly if, in addition to the basic requirements, the provisions of data protection law are also complied with. Violations of the law may result in criminal prosecution or administrative measures[3]. If the European Union's General Data Protection Regulation is also applied in international cases, additional administrative sanctions may be imposed under certain circumstances.
Among other things, the HGTA provides for punishment for carrying out, arranging or commissioning a genetic examination without the consent of the person concerned.[4] The communication of information about a person's genetic material against his or her will or the unlawful further use of genetic data[5] can also result in criminal sanctions.[6]
What must be considered before conducting genetic testing?
Before giving consent to genetic testing, the person concerned must be informed about the following points, among others (informed consent):
Are there additional requirements for prior information for genetic examinations outside the medical field?
If the genetic test is carried out outside the medical field, the following additional information must be provided:
Consent by the person concerned is only valid if it has been given voluntarily after appropriate information.
In what form must the information be provided outside the medical field?
The clarification must be in writing[1] and include the contact details of the following persons:
May samples and genetic data be transferred abroad?
The transmission of samples and genetic data abroad is only permissible if the corresponding rules of general data protection law are observed. Art. 29 HGTA contains provisions on the performance of genetic tests abroad. However, these are of an organisational nature and contain prerequisites for the technical requirements (e.g. suitable quality management system, science and technology).
Subsequently, samples and genetic data may only be transferred abroad as long as the state in question guarantees adequate protection of the data.[2] If the individual in question expressly consents to the transfer abroad, the above-mentioned requirements need not be met.[3]
What must be considered when using subcontractors for data analysis?
The processing of personal data (samples and genetic data) may be transferred by contract or by legislation to a data processor (subcontractor), provided that the data is processed in the way the controller (principal) would be allowed to do it himself and that no legal or contractual confidentiality obligation prohibits the transfer.[4] The principal must also ensure that the subcontractors are able to guarantee data security at all times.[5] If the subcontractor wishes to transfer the processing of the data to a third party, this is only permitted with the prior consent of the principal.[6]
How long may the genetic data be retained?
Samples and genetic data may only be stored for as long as necessary (i) to carry out the test, including quality assurance, (ii) for use for another purpose or (iii) to comply with cantonal regulations, in particular concerning the keeping of patient files.
If this concerns other genetic data that has arisen in the course of an examination outside the medical field, it must be destroyed no later than two years after it has been carried out, unless the person concerned has consented to its use for another purpose or has not objected to its anonymisation.
May the genetic data and samples be used for other purposes (e.g. for the technical development of laboratory equipment, research methods or IT resources)?
Yes, provided that the individual in question has freely and expressly consented to the use of their samples or genetic data (in unencrypted or encrypted form)[1] for another purpose after having been adequately informed. In anonymised form, they may be used for another purpose if the person concerned has been informed in advance and has not objected to anonymisation.[2]
In compliance with the general requirement of purpose limitation of any data processing[3], only the use for a sufficiently specific purpose, which was explained in the medical briefing, is permissible. Information on the place and duration of the planned further use must also be provided. Apart from that, it is up to the parties how detailed they want to describe the "other purpose". A narrowly defined one-time processing or a comparatively open or abstractly formulated purpose in the sense of a general consensus are acceptable.[4]
May all examinations outside the medical field be given directly to clients (DTC)?
No, examinations of personality traits that are particularly worthy of protection may not be given directly to clients.[1] Such examinations must always be accompanied by a specialist in order to prevent third parties from being able to examine particularly sensitive personal characteristics unnoticed.
Only tests concerning the other genetic properties may be given directly to the person concerned.[2]
Interested in our checklist for DTC testing?
[1] Note: This text refers exclusively to the revised FADP, which will enter into force on 1 September 2023.
[2] Art. 3 lit. k GUMG.
[3] Art. 5 lit. c No. 3 FADP.
[4] Art. 51 FADP.
[5] Art. 56 para. 1 lit. a GUMG.
[6] Art. 56 para. 2 GUMG.
[7] Art. 56 para. 1 lit. b GUMG.
[8] The text may also be reproduced electronically (e.g. in e-mails); due to the large number of conceivable forms of offer, the text of the Act deliberately leaves open who must provide the information. This can be the manufacturer of the test, the laboratory carrying out the test or the person initiating the test (Dispatch on the Federal Act on Human Genetic Testing of 15 July 2017, BBl 2017, 5703).
[9] Art. 16 para. 1 FADP; cf. Art. 8 para. 1 and Annex I of the Data Protection Ordinance (SR 235.11 - Ordinance of 31 August 2022 on Data Protection (Data Protection Ordinance, DPA) (admin.ch)).
[10] Art. 17 para. 1 lit. a FADP.
[11] Art. 9 DSG.
[12] Art. 9 Abs. 2 DSG.
[13] Art. 9 Abs. 3 DSG.
[14] Unencrypted samples or data allow direct conclusions to be drawn about the person from whom they originate. In the case of encrypted samples and data, on the other hand, their origin is not directly apparent, but it can be determined with the aid of a corresponding key that is known to a selected group of people (Dispatch on the Federal Act on Human Genetic Testing of 5 July 2017, BBl 2017, 5672).
[15] Art. 12 GUMG.
[16] Cf. Art. 6 FADP.
[17] Dispatch on the Federal Act on Human Genetic Testing of 5 July 2017, BBl 2017, 5672.
[18] Art. 34 GUMG.
[19] Art. 13 GUMG.
