Dáil Éireann Debate, Thursday - 9 September 2021
1217. Deputy Pa Daly asked the Minister for Health if he will report on the number of Kerry residents, distinguishing between children and adults who have had genomic and DNA data gathered on them under the State’s relationship with a research institute (details supplied); and if he will make a statement on the matter. [42103/21]
View answer1218. Deputy Pa Daly asked the Minister for Health if he will report on the extent of genomic and DNA data gathered on Kerry residents attending hospitals in the State including any historical data under a research institute (details supplied); and if he will make a statement on the matter. [42104/21]
View answer1219. Deputy Pa Daly asked the Minister for Health if he will report on the expected treatment of genomic and DNA data gathered under the State’s relationship with a research institute (details supplied) in view of the sale to a company (details supplied); and if he will make a statement on the matter. [42105/21]
View answer1352. Deputy Róisín Shortall asked the Minister for Health if his attention has been drawn to the sale of a company (details supplied); the implications of the sale on Irish DNA samples collected by the company; if he has engaged with the company in relation to their controllership of genomic research databases following this sale; if GDPR allows for the private sale of Irish citizen’s genomics data; and if he will make a statement on the matter. [42511/21]
View answerI propose to take Questions Nos. 1217, 1218, 1219 and 1352 together.
I am aware of the sale of the company specified in the questions -Genuity (previously known as GMI). It is important to make clear that my Department has no relationship with the company concerned and has no involvement or role in the sale of a private company. Such matters are governed, in Ireland, by the sizable body of applicable company law.
Further, my Department has not provided funding to the company or asked any hospital to collect bio-samples or related personal data about individuals -adults or children- resident in Kerry or any county in the State for the purposes of the company.
Persons attend hospitals for care and treatment. If, for the purposes of that care and treatment, bio-samples (including blood samples which includes DNA) are required they must be obtained from the patient on the basis of the patient’s informed consent and in line with long established principles of medical ethics. The processing of any personal information relating to those samples is regulated by data protection law and by the common law duty of confidentiality.
Further, if is intended to further process -which includes disclosure to third parties- that personal data for research purposes, the Health Research Regulations set out a detailed governance structure including the safeguard of explicit consent to protect the data protection rights and freedoms of the individuals whose data are involved. It is important to note that the rights and protections under the Health Research Regulations cover not only personal data that readily identifies the individual but also covers the situation where that data has been pseudonymised by the hospital before disclosure.
Hospitals, as data controllers, are required under data protection law to be aware of and record all processing of personal data collected and held by them and the purposes for which it is used and the third parties to which they intend to disclose it. They must also comply with the numerous substantive obligations placed on them by GDPR and by the Health Research Regulations. That is designed to ensure that the disclosure by them of readily identifiable or pseudonymised personal health information relating to genomic or DNA samples to the company referenced in the question or to any third party must be on the basis of the explicit consent of the individuals concerned and also within a formal corporate governance framework.
In short, data controllers, whether hospitals or private companies, need to ensure that they comply fully with the applicable law in this area. That includes where a private company is sold whether within the State or to another company outside the State.
As the Deputies will be aware, the interpretation and enforcement of data protection law, including in relation to the processing of personal health data associated with genomic or DNA samples, is for the independent Data Protection Commission. It is not something that I, as Minister for Health, can interfere with or involve myself in. However, I can inform the Deputies that matters relating to the sale of bio-samples or personal data related to the samples are matters that fall to be addressed in the informed consent process.
As I said at the beginning of my answer, my Department has no relationship with the company specified in the Deputies’ questions. If an agency of the State provided funding to the company then the terms of that funding and any relationship created would be between the agency and the company but under no circumstances could any relationship set aside the provisions of data protection law. Indeed, it would be a serious breach of data protection law and of medical ethics for any hospital to gather genomic and DNA samples and related personal data as part of any relationship other than its relationship with the patient and his or her the care and treatment.
