The Need to Revisit Indian Consent Paradigms for the Storage and Use of Digitalized Biological Data

by | Jul 3, 2023

author profile picture

About Priya Ayyappaswamy

Priya Ayyappaswamy is a master's thesis student at the faculty of law, McGill University. She has an interest in comparative constitutional law and wishes to specialize in health law. She also works as a research assistant at the Center of Genomics and Policy where she undertakes policy work and tutelage under Professor Bartha Maria Knoppers.

The Indian Biological Data Center, established in 2022, is India’s first life sciences data repository. The IndiGen Programme aimed to sequence the genomic data of 1,000 individuals in India and has generated the whole genome sequence of 1,029 Indian Individuals in 2023. Similarly, the Genome India project aims to undertake a whole genome sequencing project of 10,000 participants to represent the nation’s diversity. The information collected by the Genome India protect will be transmitted to the Indian Biological Data Center. While this is a tremendous achievement for India after the Human Genome Project,  and an opportunity to study the genetic make-up of a section of the diverse population in the country, it is concerning that India lacks a privacy law and consent framework to ensure that submitted data remains confidential through robust de-identification practices, and to make certain that consent of the participants is obtained for the kind of research that can be conducted on such biological information.

Genetic and Genomic data is personal data which can be used for scientific research when de-identified and obtained through proper consent protocols from individuals. The EU’s General Data Protection Regulation (GDPR) and the Canadian Privacy Regime provide special status to genetic and genomic data.  The Indian Council of Medical Research has an informed consent process for research involving human participants. However, that process does not tackle the specificities required for privacy concerns arising from the use of genetic data stored in national data repositories for open access research, nor does it address issues arising from re-identification and de-identification of genetic information. Soon, direct-to-consumer genetic testing services will be widely available in India, however, passive consent guidelines and the lack of a privacy regime arising from a well-thought-out consent paradigm raise questions about the protection of genetic data in light of its collection and use.

The Indian privacy law framework is governed by the IT Act 2000 and is often articulated through the case of Justice K.S. Puttaswamy v. Union of India, which guaranteed an individual’s right to privacy. Furthermore, in United India Insurance Co. v. Jay Prakash, the Supreme Court of India recognized the right against genetic discrimination in health insurance contracts as an integral part of the right to health guaranteed under Article 21 of the Constitution of India. Although such protections are available to ensure one’s genetic privacy, there is a lack of governance of the storage and use of digitalized biological data collected from individuals, which is subject to re-identification risks. Indian law places health under the ‘state list’ (under the seventh schedule of the Constitution – Article 246), which means that concerns arising out of health regulation are subject to individual state prerogative. However, there is a legislative lacuna in India regarding the consent procedure for collecting and using genetic data, which could have disastrous consequences in cases of private information leaks or other privacy infringements.

The need to reframe privacy guidelines in India is the concern of the moment, and consent guidelines for collecting genetic information also need specific examination. The draft Data Protection Bill 2022 (which is currently tabled before the Indian Parliament) fails to answer questions on the protection of biological data from surveillance. This concern is exacerbated by the DNA Technology (Use and Application) Regulation Bill 2019, which envisioned the creation of regional and national data banks to collect genetic information from arrested persons without consent ‘if [the] offence [in respect of which they had been arrested] carried a punishment of seven years’. Such categorical denial of privacy rights poses a myriad of questions hinging on state surveillance and human rights, mainly due to the lack of a guarantee that data collected will only be used for identification and cannot be used to reveal personal or medical conditions about the individual.

In light of developments in India, such as the existence of a Biological Data Repository, Whole Genome Sequencing initiatives of the target group, and access to direct-to-consumer testing in genomics has amplified the need for privacy guidelines regulating the collection and storage of digitalized biological data, and for a robust informed consent procedure arising out of such privacy provisions.

Want to learn more?

Share this:

Related Content


Submit a Comment