Sir Julian Lewis: To ask the Secretary of State for Science, Innovation and Technology, what privacy safeguards exist to prevent identifiable people's sequenced DNA being passed to third parties when companies which offer family or other research services to members of the public (a) are sold and (b) go into liquidation; and what assessment he has made of the potential merits of introducing stronger safeguards.  [47609]

[Due for Answer on 29 April]

ANSWER

The Minister of State for Data Protection and Telecoms (Sir Chris Bryant): The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) already require organisations to process personal data lawfully, fairly, transparently and securely, unless certain limited exemptions apply. Organisations are also required to meet additional conditions and safeguards when processing ‘special category’ data, or data that is more sensitive, such as DNA data.

The UK’s data protection legislation does not automatically prohibit the selling or sharing of personal data with third parties. Instead, it sets out a framework within which data sharing may safely take place.

The Information Commissioner’s Office (ICO), the UK’s Data Protection Regulator, has published a statutory Code of Practice on data sharing which contains practical guidance for organisations on how to share data fairly and lawfully, available at:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/.

The ICO has also published guidance to help organisations processing special category data, available at:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/special-category-data/.