Data Protection Legislation

Abstract

Abstract Data protection legislation regulates the acquisition, storage, transfer and processing of personal data of all kinds. Human genetic information, whether in digital form or in tissue samples, is by definition personal data and its use will therefore in many cases be governed by data protection legislation. The article introduces the key distinction between data security and wider data protection, and further explores the key legal requirements for data protection. In general, the requirements for legal use of genetic data are informed consent to acquisition and fair processing of any data that are held or generated. The approach to data protection differs between the European Union and the USA and these differences are explained. Key concepts: The purpose of data protection legislation is to ensure (1) data security and (2) that data acquisition and processing only occurs in accordance with the law. Data acquisition usually requires informed consent from the data subject. There are different rules for the processing of identifiable and nonidentifiable personal data. There are specific protections in relation to sensitive data, including health data. Anonymity and nonidentifiability are two different concepts. Identifiability is only absent if deductive identification is very difficult. The approach to data protection differs significantly between the European Union and the USA.