Cross-border transfers of genomic data: the Indian framework

Introduction

A significant increase in medical research in India gives rise to the question – does transfer of genomic data from India require regulatory consent? India’s data protection framework is silent – and its health laws, while not so silent, do not comprehensively frame the process required for the transfer of genomic data. In summary, while conducting clinical trials and biomedical research may require approvals, transfer of genomic data only requires the consent of the data subject.

Data Protection Laws

Present Law

India’s data laws, at present, seem to view data protection primarily through the prism of information technology and information technology-enabled services. Regardless, genomic data is captured by the long (rather ambiguously defined) arm of the law. Sensitive Personal Data or Information (“SPDI”) is conceived of electronic data and information of individuals that relates to, amongst other categories, biometric information, physical and mental health conditions, and medical records and history. Genomic data in electronic form would, therefore, constitute SPDI, and organisations processing such data would be bound by the SPDI Rules.

Transfer of SPDI is permitted only on two grounds: if the data subject has consented to such transfer, or if the transfer is necessary for the performance of a lawful contract between the transferring organisation (or any organisation on its behalf) and the data subject. Thus, as long as adequate consent of the data subject is obtained, no further regulatory approvals are required. 

The New Data Law

The draft personal data protection bill imposes certain additional restrictions. Sensitive personal data, that includes health data and genomic data may be transferred outside India, provided that the data subjects have explicitly consented to the transfer and a copy of such data continues to be stored in India. Further, the transfer shall be done either pursuant to a contract or scheme approved by the data protection authority (to be set up under the law) or to a country that has been deemed by the Indian Government to offer adequate levels of data protection.

ICMR Guidelines

National Ethical Guidelines for Biomedical and Health Research involving Human Participants, 2017

The Indian Council of Medical Research’s (the “ICMR”) National Ethical Guidelines for Biomedical and Health Research involving Human Participants, 2017 (“Biomedical Guidelines”) regulate the testing of biological material and data generated from it.

Informed Consent

Any research that involves human participation must be undertaken only upon the voluntarily written informed consent of human participants. Such consent involves three components: providing sufficient information to participants, ensuring that such information is comprehensible to these participants, and ensuring that participants are competent to provide consent.

International Collaborations

All research that involves international collaborations or funding requires the approval of the Health Ministry’s Steering Committee prior to commencement. In addition, foreign funding may require additional governmental and regulatory clearances. Further, all international collaborations should be on the grounds of a memorandum of understanding or a material transfer agreement that is executed between the collaborating parties.

Material Transfer Agreement

Material transfer agreements form the basis of any data transfer, and should address the purpose and quantities of samples being collected; and clarify data ownership and obligations following data collection, confidentiality, sharing of data, joint publications, benefit-sharing, the post-analysis handling of leftover biological materials, and safety norms amongst other factors. The Biomedical Guidelines also require the Ethics Committee to oversee the functioning of the material transfer agreement.

Other Considerations

The Directorate General of Foreign Trade has clarified that customs authorities are to permit the import or export of biological samples without prior licences or approvals from other agencies of the government, provided that the concerned Indian importer or exporter submits a declaration that it follows rules and procedures for the safe transfer and disposal of such biological samples.

While the factors mentioned above typically address the imports and export of physical samples, the Biomedical Guidelines also require ensuring the use of data encryption for data transfers from one location or device to another.

National Guidelines for Gene Therapy Product Development and Clinical Trials, 2019

In addition to the Biomedical guidelines which provides generic guidelines to be followed for carrying out all kinds of research and clinical trials involving human participants; the National Guidelines for Gene Therapy Product Development and Clinical Trials, 2019 were issued by the ICMR in the specification to research and development of gene therapy products.

All organisations engaged in such clinical trials are required to register in the Clinical Trials Registry of India and seek approvals from the Review Committee on Gene Manipulation. Further, the Gene Therapy Advisory and Evaluation Committee has been established to provide recommendations and evaluate the clinical trial application for such products before a submission is made to Central Drug Standard Control Organisation (the regulatory body for pharmaceutical products and medical devices) for product approval. Additional approvals are required if it concerns ‘stem cells’.

The guidelines allow cross-border transfers of data on similar conditions as provided in Biomedical Guidelines. They allow cross-border data transfer in accordance with the terms of a material transfer agreement and are subject to the approval of committees on ethics and biosafety that have to be established by the Indian institutions or entities involved in such transfer. 

Conclusion

As genomic data acquires value, independent of the biological material generated and results of the clinical research conducted, we suspect that the as of yet unformed data protection authority will provide guidance – sooner rather than later.

For any comments or queries, do reach out to us.