In the UK GDPR ‘personal data’ is defined as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Genetic information is shared to some extent by blood relatives. Therefore one person's genetic sequence is related to all their relatives. A person's genetic sequence can be used to identify their relatives, as shown in the case of the Golden State Killer, Joseph James DeAngelo, who was caught via their relatives' genetic data in a commercial database.

It seems that one person's genetic sequence meets the requirements to be all their relatives' personal data. Is this a correct interpretation?

1 Answer

The pure information "This is DNA" does not make it personal data for you. Only for the person whose DNA it is.

If they also have data on you and they somehow link you to the DNA of another person, let's say "Brother of DNA sample #123", then it becomes PII for you.

Basically the same way that your brother has a car with the plates "CAR-123" is his PII, while the link in your account "sometimes drives his brother's car" makes it your PII.

But please note that to remove it, all they have to do is sever that link. And if they still have a valid reason to process this information after that, they have a right to keep it. For example, if you want your account deleted but your brother wants to keep his, then there is consent to keep it from the owner, and no more information about you, although the DNA sample is still on file. They just deleted the information relevant to you.

If I remember the case(s) correctly, it is never about identifying a person directly. It is always about identifying an individual who has directly consented (the relative) and then doing normal police work from there on, knowing the circle of suspects is very well defined. The company will never say "This is probably Dean's brother Joe". They know nothing about Joe, Joe does not have an account there and could not request any data deletion, since none of their data is saved there. The company will only say "this is probably a close relative to Dean, maybe a brother".

  • And what if the brothers are identical twins?
    – Dale M
    Commented Oct 20, 2023 at 7:55
  • Nothing really. If the twin has no account and no other personal data linked, then it's not their data, even though it could be. The same as if we share a birthday. It doesn't give anybody born on the same day any right to demand deletion of my birthday. Even if it is also theirs.
    – nvoigt
    Commented Oct 20, 2023 at 8:34
  • To identify DeAngelo, investigators built 25 family trees - the one that contained DeAngelo comprised more than a thousand people - and eliminated people until they were left with one suspect. Which took months. It doesn't seem something that a "genetic genealogy research" company would be reasonably likely to do.
    – Lag
    Commented Oct 20, 2023 at 9:34
