Personal Data Protection Policy of deCODE Genetics
- About deCODE’s Personal Data Protection Policy
Since its founding, deCODE Genetics (deCODE) has emphasised the secure processing of personal data as a key factor in the company’s operations. Personal data are any information about an identified or identifiable natural person, i.e. information that may be directly or indirectly traced to an individual. A reference to an identifier like a name, ID number, or one or more factors identifying an individual physically, physiologically, genetically, mentally, socially and culturally are personal data. All deCODE’s processing of personal data is done in conformity with the Data Protection Act no. 90/2018 (then act), Regulation (EU) 2016/679 (then regulation) of the European Parliament and of the Council of 27 April 2016, Act on Scientific Research in the Health Sector no. 44/2014, Act no. 110/2000 on Biobanks and Health Databanks and domestic and international rules and criteria on conducting scientific research. deCODE has set a code of ethics for itself and rules of conduct that apply to the work of the researchers it employs.
In many ways, the processing of personal data for scientific research differs from other kinds of personal data processing, for example, regarding the registered individuals’ interests. Thus, many specific provisions in the Data Protection Act focus on the special nature of such processing, as well as the special Act on Scientific Research in the Health Sector, applying to carrying out scientific research, and the activities of the National Bioethics Committee that safeguard participants’ interests.
deCODE’s Personal Data Protection Policy is based on this unique position. It includes information on what personal data deCODE collects and processes, why, the estimated length of time the information will be stored, and how the security of the data will be safeguarded. It also discusses the rights of the individuals/registered participants.
Further information on the processing of personal data in each of deCODE’s scientific research projects is found in the introductory letter for the research project and the participants’ informed consent in the research. This information is in addition to this Personal Data Protection Policy.
- Regarding deCODE Genetics and The Service Centre for Research Projects
deCODE is a company that has engaged in scientific research for more than two decades and has got permits from the National Bioethics Committee. The research focuses on human genetics and goes on with the participation of individuals and various collaborators, including the employees of Landspítali – National Hospital and other health institutions and self-employed healthcare workers. The Service Centre for Research Projects (SCRP) is a private non-profit organisation that carries out the clinical part of deCode Genetics’ research on genetics for the collaborators in the Icelandic healthcare system requesting these services. SCRP’s employees work as agents of the parties responsible for individual research projects collecting biosamples and data on the symptoms of diseases, risk factors, analysis, and treatment. SCRP is, therefore, deCODE’s processor. More information on deCODE’s operations may be found on the company’s website, www.decode.is, and further information on SCRP may be found at www.rannsokn.is.
The responsible party for the processing of personal data in deCode’s scientific research is Kári Stefánsson MD and CEO of deCODE, who is the person responsible for scientific research under the Act on Scientific Research. In other instances, it is deCODE, Sturlugata 8, 101 Reykjavik, ID no. 691295-3549. deCODE bases its research on the participation of many individuals who have provided biosamples and their informed consent to use data on their state of health and many other factors affecting their health and quality of life to use to research human genetics. deCODE processes biosamples and personal data that are stored under IDs produced by deCODE’s pseudonymisation system. It has been used for more than 20 years, has been approved, and has been under surveillance by the Data Protection Authority. The European Union’s General Data Protection Regulation (GDPR) categorically urges the use of pseudonymised IDs. In addition, their use is recognised as a very robust method to ensure the protection of personal data. All biosamples and research data are further protected in secure storage and information systems where robust measures have been taken to ensure internal and external security.
The research findings are published in the foremost peer-reviewed academic journals if they meet scientific requirements. However, the research data and findings are only expressed in a completely anonymous form.
- The kinds of personal data that are collected and processed.
deCODE collects and processes personal data to research Icelanders’ DNA, thereby looking for the causes of many of the most serious diseases afflicting mankind, such as cancer, coronary disease, and diabetes. When genetic variance is found that relates to diseases, possibilities open up to improve life and health.
The kinds of personal data that deCODE works with includes information on people’s state of health that is obtained from clinical collaborators, information from databases in conformity with a research permit from the National Bioethics Committee and participants’ answers to questionnaires in scientific research projects that store general personal data in addition to data on their state of health and lifestyle. In terms of research involving the use of health data from international health data collections, it is based on permits from science ethics committees in the relevant country.deCODE also processes genetic information obtained by isolating and analysing DNA from biosamples that participants provided or were obtained from biological specimen banks in addition to data about the expression of genes and the proteins formed from them. This, therefore, involves personal data that is deemed to be sensitive. deCODE likewise processes genealogical information obtained from the Book of Icelanders.
deCODE processes personal data about applicants applying for work at the company. The evaluation of applications requires specific information, such as the applicants’ contact information, resumes, letters of reference, information about education, third-party comments, etc. deCODE processes personal data regarding communications with the company’s suppliers. At deCODE, video recordings accumulate from the video surveillance cameras in the company’s facilities. deCODE is also required by law, like all Icelandic business operators, to process certain personally identifiable data that are not related to scientific research projects, for example, regarding its staff and employees, and provisions of the Act on Accounting and tax laws. deCODE gets general demographic information from Registers Iceland to update genealogical information. The website islendingabok.is collects and processes personal data in the name of genealogical research. See islendingabok.is for further information about the website.
In considerable measure, deCODE’s role has been as a processor in foreign scientific collaboration. It then processes genetic information from participants’ biosamples that the foreign collaborators have acquired under a permit for the research from the national bioethics committee in the relevant country and, depending on circumstances, obtained the participants’ consent. In all instances, the genetic samples are received encrypted and then put into deCODE’s pseudonymisation system.
In special instances, deCODE undertakes clinical work for the Icelandic healthcare system. The company has also acted as a processor or sub-processor, working under the directions and the responsibility of the relevant healthcare institution or office, under a contract or subcontract regarding the processing. Examples of this include various sample takings and measurements done under deCODE’s contract with the State Epidemiologist and Landspítali – National Hospital regarding the COVID-19 pandemic. In the role of processor or sub-processor, deCODE is only authorised to contact the registered participants in conformity with the relevant responsible party’s instructions.
- The purpose and authority for the processing of personal data.
deCODE’s purpose for processing personal data is to carry out scientific research on healthcare by researching genetic data on groups’ characteristics and their relation to information about a health condition and other factors affecting human diversity. Thus, new knowledge is found where an attempt is made to link the variation in mankind’s genome to phenotypes like diseases. This knowledge may then be used to find new procedures to diagnose and cure diseases. deCODE’s research is deemed to be basic research.
The processing of personal data builds on the authority set out in acts, such as The Act on Biobanks and Health Databanks and the Health Records Act and Act on Scientific Research in the Health Sector, and research permits issued by the National Bioethics Committee, and, depending on circumstances, also requiring the participants’ informed consent. A participant can revoke his consent at any time, but it must be borne in mind that the findings of the research already completed about the person are preserved. If information is acquired from people other than the participant, this is done under the authority of the act and the research permit. Examples of such research are desk analysis, which is covered in the laws on scientific research within the health sector, which builds on existing data, and the participation of individuals is not required. In terms of research involving the use of health data from international health data collections, the authority for the processing is from the participant’s consent, and the legitimate interests of deCODE, whereas the processing is necessary for scientific research.
The use of genealogical information from The Book of Icelanders in the interest of scientific research in the health sector builds on the same authority as the processing of other personal data in the interest of scientific research, i.e. a permit of the National Bioethics Committee. In addition, the handling of all data processed in the interest of scientific research shall conform with the Data Protection Authority’s special directions for deCODE on procedures to ensure the security of the processing of personal data in the interest of scientific research in the health sector.
The authority for the processing of personal data on applicants for jobs at the company is based on the consent and provisions requested by an applicant before a contract is signed. The processing of personal data regarding communications with the company’s suppliers is based on a contract between the parties, while the relevant legislation covers the processing of personal data to enforce a legal duty. Video recordings from surveillance video cameras in and nearby the company’s work facilities are based on its lawful interests. deCODE’s webpages leave cookies in a computer or smart device used to examine the company’s webpages. Here is a more detailed account of deCode’s cookies policy.
When deCODE is a processor in a foreign scientific collaboration and processes genetic information from biosamples obtained from foreign collaborators, deCODE then processes the personal information in conformity with the responsible parties’ directions and based on the current processing contract between deCODE and the responsible parties. The responsible party is responsible for enforcing acts and regulations regarding the research project, such as getting consent from a bioethics committee in the country involved and, depending on the circumstances, informed consent of the participants.
In special instances, deCODE undertakes clinical work for the Icelandic healthcare system. The company then has the status of a processor working under the directions and responsibility of the relevant healthcare agency or office, under a contract regarding the processing. Examples of this include various sample takings and measurements done under deCODE’s contract with the State Epidemiologist and Landspítali – National Hospital regarding the COVID-19 pandemic.
- How long does deCODE store data?
Data is stored while the research continues and as long as necessary to achieve the goals of the relevant research project in conformity with current acts, research permits and the conditions set by the international health data collections, when applicable. Possible storage of research data for a longer period builds on the authorisations in Act no. 110/2000 on Biobanks and Health Databanks. Regarding personal data other than those connected with scientific research, deCODE preserves them as long as necessary, based on the purpose of the processing, conditions in contracts, and the provisions in acts, such as those on accounting and taxes and the relevant substantive circumstances. deCODE has an approved policy on the preservation of data.
- Where are personal data distributed?
deCODE does not distribute to other parties personal data or personally identifiable data from research projects.
In exceptional cases, deCODE contracts with parties inside or outside the EEA on further analyses or measurements of biosamples regarding specialised equipment or technology that the party has but deCODE does not. In all such instances, personally unidentifiable samples are sent for use with deCODE’s pseudonymisation system. The dissemination is done in conformity with Chapter 5 of the European General Data Protection Regulation.
deCODE’s processor for personal data with direct personal identifiers (e.g. name and personal ID no.) is the Service Centre for Research Projects (SCRP), which, for example, sees to communications with participants in scientific research projects. Depending on the circumstances, deCODE sends personal data to SCRP under deCODE’s pseudonymisation system so that SCRP can perform its tasks under a research permit from the National Bioethics Committee. See more detailed information on SCRP on its website www.rannsokn.is.
deCODE does not make data processing agreements with data processors for further processing of health data obtained from international health data collections.
In its role as a processor for a foreign collaborator, deCODE must send the research findings on foreign biosamples to the responsible party in conformity with the instructions in the processing contract between the responsible party and deCODE.
- How does deCODE ensure the security of personal data?
Data security has been a key factor in deCODE’s operations since the company’s founding as the secure handling of personal data is a fundamental prerequisite for maintaining the trust of the general public and participants. deCODE’s data security policy lays the foundation for data security at deCODE. deCODE is constantly assessing the risk to the security of personal data. deCODE is taking appropriate security measures, especially by encrypting explicit personal identifiers where they are replaced with pseudonyms, data segregated in closed computer systems without Internet connections, access control, and multifarious other security measures to ensure the security of computer systems and ensure the general operational security in all the company’s operations. deCODE also employs internal surveillance of the above and regularly reviews its risk assessment and response plans for security.
- Rights of individuals.
The Act on Personal Data Security ensures various rights for individuals related to the processing of personal data. However, the act also specifies certain restrictions.
8.1 Access to one’s personal data
The main rule is that an individual has the right to confirmation from the responsible party for personal information on whether his personal data are being processed, and if so, that there is access to these personal data. There is an exception to this main rule in par. 2 of Art. 18, cf. par. 2 of Art. 89 of the Personal Data Protection Regulation, when scientific research is involved and it can be expected that the rights involved will make it impossible or substantially difficult for the researcher to achieve the research goals aimed for. Here, personal data are, therefore, excepted that are not being used to support the dispositions or decisions of the individual involved. In its research, deCODE is not taking decisions or making arrangements for participating individuals. All of deCODE’s research effort focuses on seeking new knowledge about groups of people, not individuals, even though the basic research data are data about individuals. Consequently, there will be unprocessed basic data about individual participants in deCODE’s research, like data on the sequences of nitrogenous base in DNA according to its genotyping, but not specific findings applying to particular participants and in connection with the relation of the data to particular phenotypes like a disease. There will therefore be no accessible files at deCODE describing relations between specific variables in individuals’ genomes and phenotypes like diseases. Instead, there will only be group files describing such relations for bigger groups. It is therefore not possible to provide participants with information about an individual’s risk linked to genetic traits related to specific diseases in the project that the individual participated in except by carrying out special processing calling for enormous effort, and entailing great cost, and would not further deCODE’s research goals. Consequently, deCODE does not foresee that providing genetic information on an individual basis will be in its purview. The only exception testing this has been mutations in the “BRCA2” gene that unequivocally has medical value for individuals, and deCODE decided to devote a great deal of work, effort, and expenditure to make this information accessible through the website www.arfgerd.is.
deCODE will therefore provide participants in scientific research requesting information about i) which research projects contain information about them, ii) which genotypes (e.g. disease diagnoses and observed numerical values) are being researched in the relevant project, and iii) which genotypic data are utilised in the relevant project. However, this does not apply to participants in international health data collections; those participants will be referred to the appropriate channels within the data collections to complete their request.
Upon completion of participation in specific research projects under deCODE’s auspices, the participants get summarised findings of the measurements of clinical factors they have undergone (such as blood pressure and blood value). Such findings are accessible to participants in scientific research while it is ongoing.
8.2 Correction of wrong personal data
If an individual thinks that information that the responsible party for personal data will preserve about him is unreliable, he has the right to have the responsible party correct it immediately, cf. Art. 16 of the General Personal Data Protection Regulation. An exemption to this main rule in instances of scientific research appears in par. 2 of Art. 18 of the Act on the Protection of Privacy as Regards the Processing of Personal Data, cf. par. 2 of Art. 89 of the Personal Data Protection Regulation.
8.3 Revocation of consent
A participant in scientific research who has given informed consent and provided biosamples has the right, under the Act on Scientific Research in the Health Sector, to revoke the consent at any time without explanation. The same applies to consent for the preservation of biosamples and health information for use in later research. If consent is revoked, research on the relevant participant’s biosamples and/or health information shall be stopped. The revocation does not affect the lawful processing based on approval up to the revocation.
Under the Act on the Protection of Personal Data, an individual has the right to have a party responsible for personal data destroy data about him, upon the fulfilment of certain terms. The rights are subject to limitations if the processing is necessary regarding research in the fields of science or history, cf. subpar. d. of par. 3 of Art. 17 of the Personal Data Protection Regulation. The rights are, therefore, not available regarding the processing of personal data in deCode’s scientific research. On the other hand, the Act on Scientific Research in the Health Sector and The Act on Biobanks and Health Databanks provide participants in scientific research the right to revoke their consent and have their biosamples and healthcare information about them destroyed. However, an individual cannot demand destruction when a biosample or information is non-personally identifiable and the biosample has become part of other materials, or the information has already become part of the research findings. In such instances, it is no longer possible to trace the research findings to the individual. In the event that a participant has withdrawn their consent regarding their health data in an international health data collection or requests the deletion of their data, deCODE will receive instructions from the data collection’s management on how to execute the request.
8.5 The right of protest and limitation of processing
The Act on Personal Data Security provides an individual with the right to have the responsible party limit the processing of personal data about him, in specific instances. In addition, he has the right to protest at any time, and this can result in the responsible party’s obligation to stop the processing. This right of individuals does not cover scientific research, cf. par. 2 of Art. 18 of The Act on Personal Data Security, cf. par. 2 of Art. 89 of the Personal Data Protection Regulation. However, it is appropriate here to mention again the right of revocation of a participant in scientific research as stated in Art. 83 and the right of destruction in Art. 8.4.
8.6 Complaint to the Data Protection Authority
Individuals have the right to complain to the Data Protection Authority if they think that the provisions of The Act on Personal Data Security have not been followed, or that deCODE has not responded to a complaint regarding the unsatisfactory processing of their data. The complaint shall be sent to firstname.lastname@example.org or the address of The Data Protection Authority, Rauðarárstígur 10 105 Reykjavik. The Data Protection Authority oversees the monitoring of carrying out of the Act on Personal Data Security and the processing of personal data and ruling on disputes in the field of personal data security.
- How can you contact deCODE?
Individuals may contact The Service Centre for Research Projects (SCRP) in The Tower, Smáratorg 3, Kópavogur, phone: 520 2800 to get general information on carrying out scientific research or processing personal data. Individuals shall also contact SCRP to request the processing of their data in deCODE Genetics’ (deCODE) scientific research projects, based on its Personal Data Protection Policy, The Act on The Data Protection Authority and the Processing of Personal Data and the Act on Scientific Research in the Health Sector. Available there are forms for requesting information on the processing. The individual involved will be required to show a valid personal ID with a picture upon submitting the request for information to ensure secure identification.
Requests by telephone or email for information on the processing of personal data are not accepted at deCODE because such communications media do not fulfil personal data security requirements. Findings containing personal data are also not delivered that way.
If an individual thinks that SCRP has not answered a request for the processing of personal data, he can send an email to deCODE’s Data Protection Officer at Data Protection Authority@decode.is. The role of the Data Protection Officer is to monitor that the provisions of the Act and Rules of the Data Protection Authority are followed. deCODE Genetics’ Data Protection Officer is Erla Thurídur Pétursdóttir, attorney.
A quick and easy way to get acquainted with the latest information on the processing of personal data at deCODE is to examine the company’s educational materials at www.decode.is.
- How does deCODE update and change its Personal Data Protection Policy?
deCODE can change this Personal Data Protection Policy and add to it at any time to reflect as well as possible the processing currently going on at deCODE and make such changes without notice. For example, such changes may be made to coordinate the current Personal Data Protection Policy and rules regarding Personal Data Protection. The updated Personal Data Protection Policy is always accessible on deCODE’s website: www.decode.is.
This Personal Data Protection Policy went into effect on 15 July 2018, cf. also later changes made on 27 May 2020, 15 July 2022 and 17th of October 2023.