Genetic Data Protection under DPDPA

What is genetic data?

Under the European Union’s General Data Protection Regulation (GDPR), often treated as the benchmark for privacy law, genetic data is a special category of data[1] attracting additional compliance obligations. Art. 4(13) defines genetic data[2] as:

personal data relating to the inherited or acquired genetic characteristics of a natural person (individual) which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

It may be borne in mind that a human tissue sample is not, by itself, genetic data under data protection law. It is the information extracted from the biological sample that may be genetic data, provided that information relates to an identifiable person.

Under the Digital Personal Data Protection Act, 2023 (DPDPA), too, any data relating to the inherited or acquired genetic characteristics of a natural person is “personal data”, because it is capable of identifying a person. Its processing is therefore subject to the Act and to the recently notified Digital Personal Data Protection Rules, 2025 (DPDP Rules, 2025).

Why is genetic data more sensitive?

Genetic data is much more sensitive than other categories of personal data because it can reveal minute details about a person’s health, lifestyle and ancestry.[3] Except for identical twins, each individual has a unique genetic code. Most data protection regimes that distinguish sensitive from non-sensitive personal data treat genetic data as sensitive.

Independently collected genetic samples can be matched to the same individual with high confidence on the basis of a small number of genetic variants. Processed in that way, genetic data functions as a unique identifier.
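To make the re-identification point concrete, here is an added example (not from the article, and not any regulator’s or laboratory’s tool) that links two independently collected genotype profiles of the same person and computes how many common variants are needed before a chance match becomes implausible. Every SNP name, allele frequency and genotype in it is constructed: the panel uses placeholder names rather than real rsIDs, hypothetical alternate-allele frequencies, and genotypes drawn under Hardy-Weinberg equilibrium from a seeded generator.

```python
"""Linking independently collected genotype panels.

Illustrative example only: placeholder SNP names, hypothetical allele
frequencies and synthetic genotypes. Nothing here is real population data.
"""
import math
import random

# Biallelic SNP panel. Keys are placeholder names (not real rsIDs); values are
# hypothetical alternate-allele frequencies between 0.30 and 0.50.
PANEL = {f"snp{i:02d}": 0.3 + 0.05 * (i % 5) for i in range(1, 41)}


def per_locus_match_prob(p: float) -> float:
    """Probability that two unrelated people share a genotype at one biallelic
    SNP under Hardy-Weinberg equilibrium: the sum of squared genotype frequencies."""
    q = 1.0 - p
    return (p * p) ** 2 + (2 * p * q) ** 2 + (q * q) ** 2


def random_match_probability(snps) -> float:
    """Chance that an unrelated person matches at every listed SNP."""
    return math.prod(per_locus_match_prob(PANEL[s]) for s in snps)


def loci_needed(p: float, target: float) -> int:
    """Smallest number of SNPs of frequency p whose joint random-match
    probability falls below target (e.g. one in the world population)."""
    return math.ceil(math.log(target) / math.log(per_locus_match_prob(p)))


def simulate_genotype(rng: random.Random, snps) -> dict:
    """Draw one genotype per SNP (0, 1 or 2 copies of the alt allele) under HWE."""
    return {s: sum(rng.random() < PANEL[s] for _ in range(2)) for s in snps}


def compare(a: dict, b: dict) -> tuple:
    """Return (loci compared, mismatches) over loci called in both profiles.
    Missing calls (None) are skipped, not counted as mismatches."""
    shared = [s for s in a if s in b and a[s] is not None and b[s] is not None]
    return len(shared), sum(a[s] != b[s] for s in shared)


def link(query: dict, database: dict, min_loci: int = 20, max_mismatches: int = 2):
    """IDs in `database` whose profile is consistent with `query`.
    A profile with too few overlapping loci is reported as undetermined rather
    than as a non-match, so a sparse query cannot silently clear someone."""
    hits, undetermined = [], []
    for pid, profile in database.items():
        n, mm = compare(query, profile)
        if n < min_loci:
            undetermined.append(pid)
        elif mm <= max_mismatches:
            hits.append(pid)
    return hits, undetermined


def demo(seed: int = 7, n_people: int = 200, target_id: str = "p057"):
    """Build a synthetic database, re-collect one person's profile with gaps and
    one genotyping error (as between independent labs), and link it back."""
    rng = random.Random(seed)
    db = {f"p{i:03d}": simulate_genotype(rng, PANEL) for i in range(n_people)}
    query = dict(db[target_id])
    for s in rng.sample(sorted(query), k=8):   # 8 of 40 loci not called
        query[s] = None
    erred = next(s for s in sorted(query) if query[s] is not None)
    query[erred] = (query[erred] + 1) % 3       # one wrong call
    called = [s for s in query if query[s] is not None]
    hits, undetermined = link(query, db)
    return hits, undetermined, random_match_probability(called)


if __name__ == "__main__":
    hits, undetermined, rmp = demo()
    print("linked to:", hits, "undetermined:", undetermined)
    print(f"random-match probability over compared loci: {rmp:.2e}")
    print("SNPs at MAF 0.5 needed for <1 in 8 billion:", loci_needed(0.5, 1.25e-10))
```

Running `demo()` links the partial, one-error query back to exactly one of the 200 synthetic profiles, and the random-match probability over the 32 loci compared is of the order of 1e-12. With an allele frequency of 0.5 the per-locus chance that two unrelated people match is 0.375, so 24 such SNPs already push a chance match below one in eight billion; that is the sense in which a small number of variants identifies a person. The design choice in `link()` matters for the failure mode: a query with too little overlap is reported as undetermined rather than as a non-match, because treating insufficient data as a clean result is exactly what a de-identification review should not do.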

Government processing genetic data in public interest

Several government projects process personal data in the public interest, including consolidated databases of genetic information that could be mined for individual identification as well as for research. Government organisations, not just private hospitals, should therefore take strict precautions when handling genetic data. The following are examples of genetic data consolidation by government entities:

1. Genomic database for tribal population in Gujarat: On 17 July 2025[4], the Gujarat Government launched a tribal genome sequencing project titled “Creation of Reference Genome Database for Tribal Population in Gujarat”, implemented by the Gujarat Biotechnology Research Centre under the aegis of the Gujarat Tribal Development Ministry. In this project the Government will sequence the genomes of about 2,000 tribal individuals to identify inherited health risks.

2. National Biobank: On 6 July 2025[5], the Ministry of Science and Technology launched the “National Biobank”, where clinical data of more than 10,000 individuals will be stored and studied. Its purpose is to aid early diagnosis, improve therapeutic targeting, and bolster the fight against complex diseases such as diabetes, cancer, cardiovascular ailments, and rare genetic disorders.

3. Centre for Advanced Genomics and Precision Medicine at All India Institute of Medical Sciences (AIIMS) Jammu: On 2 February 2025[6], AIIMS Jammu established this centre to advance gene therapy and precision medicine, which promise individualised management of disease: a patient’s genomic profile is used to select the treatment specific to that patient. Operating such a centre necessarily generates genetic data about the patients it treats.

Global instances of privacy violation involving genetic data

Genetic data is handled with extra care in foreign privacy jurisdictions. In the European Union, Article 9(1) GDPR prohibits the processing of genetic data by default; it is permitted only where one of the exceptions in Article 9(2) applies, such as the explicit consent of the data subject, or where:

1. processing is necessary for scientific or historical research, statistical purposes or archiving in the public interest, subject to the safeguards required by Article 89(1); or

2. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

The following are two case studies of genetic data mishandling that had serious consequences:

1. deCODE Genetics in Iceland[7]: Iceland has a small population largely untouched by immigration, and Icelanders keep detailed genealogical records. Together these made the country’s medical records a rich resource for genetic research. In 1998 the Icelandic Parliament passed the Act on a Health Sector Database, which permitted a licensee to build a centralised database of the population’s medical records on the basis of presumed consent, with a right for living persons to opt out. A private Icelandic company, deCODE Genetics, obtained the licence, intending to cross-reference the medical records with genetic and genealogical data. The licence provoked controversy over the opt-out, the only protection available to a person wishing to keep their health information out of the database: it was confined to the living, so the records of deceased persons could be mined, even though genetic information about a dead person is also information about their living descendants. A woman, Ms Gudmundsdottir[8], objected to the inclusion of her late father’s records. In 2003 the Icelandic Supreme Court upheld the objection, holding that she was entitled to object to the inclusion of information about her deceased father because information about her could be inferred from it. The ruling came well before the GDPR, when the EU Data Protection Directive, 1995 was in force, and rests on the same recognition that genetic data carries information beyond the person it was taken from. The decision undermined the presumed-consent model on which the database, and deCODE’s business plan around it, depended. The company later ran out of money, filed for bankruptcy in the US in 2009, and was eventually acquired by the US biopharmaceutical company Amgen.

2. 23andMe fined £2.31 million (about Rs 2.7 crore): 23andMe is a personal genomics and biotechnology company offering direct-to-consumer genetic testing. Customers post a saliva sample; the company analyses the DNA and returns reports on ancestry and genetic predisposition to certain health conditions. The name refers to the 23 pairs of chromosomes in a human cell. In June 2025 a joint investigation by the UK Information Commissioner’s Office (ICO)[9] and the Office of the Privacy Commissioner of Canada found that between April and September 2023 an attacker had gained unauthorised access to 23andMe’s platform. The method was credential stuffing: logging in with username and password pairs leaked in breaches of other services, which succeeded because accounts were not protected by multi-factor authentication. The platform’s relative-matching feature then exposed data of many users whose own accounts were never accessed, and the activity went undetected for months, which the ICO attributed to inadequate monitoring. The personal information of 1,55,592 UK residents was exposed, potentially including names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. Having regard to the sensitivity of the data, the ICO imposed a fine of £2.31 million (Rs 2.7 crore) under the UK GDPR, and that covered UK residents alone; regulators in EU jurisdictions could act separately for their own residents, so the total exposure from a single breach of this kind can be far higher.

Genetic data and research

Private hospitals and biotech companies commonly use genetic data in their operational workflows, particularly for research and development (R&D). In most cases, therefore, their collection, analysis and storage of genetic data is for research-related purposes.

Under Section 17(2)(b) DPDPA[10], research-related processing enjoys a major exemption. However, the exemption is not absolute and is subject to several conditions. Hospitals and biotech organisations should not assume they have unrestricted freedom or a “free pass” under this provision.

Further, if a personal data breach occurs, the nature of the data involved becomes critical. Although the DPDPA does not classify “genetic data” as a separate or more sensitive category, the penalty imposed by the Data Protection Board of India may vary significantly with the sensitivity and potential impact of the breach: Section 33(2) expressly requires the Board to consider, among other factors, the type and nature of the personal data affected. For failure to take reasonable security safeguards, the penalty may extend to Rs 250 crore.[11]

To illustrate: a telecom company typically processes basic subscriber information (name, age, phone number, call metadata), whereas a biotech company may process the genetic data of research participants or consolidated genetic datasets. If a breach of similar scale affects both, the Data Protection Board of India (DPBI) may still impose a higher penalty on the biotech company, because leaked genetic data can reveal deeply personal and immutable attributes such as illnesses, predispositions or ancestry. Such disclosures can have severe personal, social or even political consequences. If the affected individual is a political office-holder, for example, revealing medical conditions or ancestry can have significant ramifications. Even for an ordinary person, disclosure of physiological information derived from genetic data, such as a hereditary tendency to develop cancer, could lead to embarrassment, discrimination, matrimonial difficulties or family property disputes.

Therefore, although the DPDPA does not explicitly classify genetic data as “sensitive”, private hospitals and biotech companies should treat it as such. Adoption of the following technical standards may prove useful:

1. ISO 27799:2016[12]: Health Informatics: Information Security Management in Health (based on ISO/IEC 27002).

2. ISO 27789:2021[13]: Health Informatics: Audit Trails for Electronic Health Records.

3. ISO/TS 22220:2011[14]: Health Informatics: Identification of Subjects of Healthcare.

4. Electronic Health Records Standards for India (2016).[15]

Genetic data used for research — requirements under the DPDP Rules, 2025

While the DPDPA provides a research exemption, the DPDP Rules, 2025 attach specific conditions to it. Hospitals and biotech companies using genetic data for research must comply with Rules 5(2) and 15, including the following:

1. Personal data must be processed lawfully and appropriately.

2. The primary purpose of processing must be research, whether for private benefit or public interest.

3. Reasonable care must be taken to ensure the data is complete, accurate, and reliable for research use.

4. Data may be retained only for the legally permitted duration, supported by a valid justification (such as a law or government directive).

5. Appropriate security controls (encryption, backups, logging, access management and similar measures) must be implemented.

To sum up, better keep the “Gene” carefully in the bottle.


*Senior Manager, Legal and Regulatory Affairs, representing K&S Digiprotect Services Pvt. Ltd. The author can be reached at: adv.amanvarma@gmail.com.

1. General Data Protection Regulation, Art. 9 classifies genetic data as a “special category” requiring additional compliance obligations.

2. General Data Protection Regulation, Art. 4(13).

3. Murat Sariyar, Stephanie Suhr et al., “How Sensitive is Genetic Data?” (2017) 15(6) Biopreserv Biobank, available at <https://pmc.ncbi.nlm.nih.gov/articles/PMC7473038/> last accessed 5-12-2025.

4. Abhinay Deshpande, “Gujarat Launches India’s First Tribal Genome Project to Tackle Inherited Diseases” The Hindu, 17-7-2025, available at <https://www.thehindu.com/sci-tech/science/gujarat-launches-indias-first-tribal-genome-project-to-tackle-inherited-diseases/article69819673.ece> last accessed 5-12-2025.

5. Press Release, Ministry of Science & Technology, Dr Jitendra Singh Inaugurates “National Biobank” and India’s Own Longitudinal Population Data Study at CSIR-IGIB (PIB, 6-7-2025) available at <https://www.pib.gov.in/PressReleasePage.aspx?PRID=2142726&reg=3&lang=2> last accessed 6-12-2025.

6. Press Release, Ministry of Science & Technology, Gene Therapy Promises Individualised Management of Disease for Each Patient: Dr Jitendra Singh (PIB, 2-2-2025) available at <https://www.pib.gov.in/PressReleasePage.aspx?PRID=2098931&reg=3&lang=2> last accessed 6-12-2025.

7. Bogi Andersen and Einar Arnason, “Iceland’s Database is Ethically Questionable” (1999) 318(7197) BMJ, available at <https://pmc.ncbi.nlm.nih.gov/articles/PMC1115937/> last accessed 7-12-2025.

8. “Controversy in the Development of Research Databases” in Rosemary Jay, Data Protection Law and Practice (5th Edn., Sweet & Maxwell, 2020) p. 934.

9. “23andMe Fined £2.31 Million for Failing to Protect UK Users’ Genetic Data” Information Commissioner’s Office, 17-6-2025, available at <https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/23andme-fined-for-failing-to-protect-uk-users-genetic-data/> last accessed 7-12-2025.

10. Digital Personal Data Protection Act, 2023, S. 17(2)(b) reads:

17. Exemptions.—(2) ... (b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

11. Digital Personal Data Protection Act, 2023, Entry 1 under Sch. to S. 33(1).

12. It is a guideline that helps healthcare organisations apply the information-security controls of ISO/IEC 27002 to protect health information. It explains how to choose, implement and manage security measures so that personal health data, whatever its format and however it is stored or shared, remains confidential, accurate and available.

13. This document defines a common framework for audit trails in electronic health records (EHRs), specifying what events must trigger an audit entry and what data each audit record must contain. It ensures that every time a user reads, creates, updates, or archives health information, the system securely records who did it, to which patient’s record, what action was taken, and when it happened.

14. ISO/TS 22220:2011 provides guidelines for accurately identifying individuals in healthcare, whether in face-to-face settings or between computer systems. It defines the key demographic and identifying data elements needed to ensure patients are correctly matched to their health records and offers guidance on both manual and computerised identification procedures.

15. Ministry of Health and Family Welfare, Circular No. Q-11011/3/2015-eGov (Issued on 30-12-2016) — with objective to introduce standard-based system for creation and maintenance of Electronic Health Records by healthcare providers.
