(Photo: iStock)
(Photo: iStock)

Opinion | The country’s new DNA law raises privacy concerns

The law goes well beyond criminal matters and regulates civilian and medical use of DNA

Parliament is set to pass a law to regulate the use of DNA technology. Since the DNA of a person is unique, it can be used to accurately identify a person’s identity. Globally, DNA technology is used to help enforcement agencies identify both perpetrators and victims in criminal cases. In medicine, DNA is used to identify the susceptibility of a person to diseases such as cancer and Alzheimer’s. In civilian life, DNA can be used to establish parentage of children or sibling relationships.

However, the use of DNA technology also raises major concerns relating to consent (i.e. the right to refuse to provide a bodily substance), privacy and data security. Hence, countries the world over have felt the need to strictly regulate the use of DNA. One hopes that the new law would fill a major gap, as the use of DNA technology in India has been left unregulated. Unfortunately, there are major lacunae in the way the new law addresses core issues such as privacy and fundamental rights.

In criminal cases, the law specifies the requirement of written consent before DNA samples are collected for testing from criminal suspects or under trials, offenders, victims of a crime, and missing or unidentified deceased persons.

Once these samples are analysed by a DNA laboratory, they will be stored in a national DNA data bank under various categories depending on whether the DNA has been collected from a crime scene, suspects or offenders, or unidentified deceased persons. For such criminal cases, safeguards are specified on limiting access to the DNA data bank and conditions under which DNA information can be deleted.

However, the new law goes well beyond criminal matters and regulates civilian and medical use of DNA. This is where major concerns arise and affect issues as diverse as parentage disputes, medical negligence, and any matter related to establishing an individual’s identity. On these issues, the new law does not prescribe any safeguards.

For example, the law does not require the consent of an individual while giving DNA samples in civil matters such as a paternity suit. The ethic behind the need for consent is that a person’s bodily substances include DNA, which not only identifies the person, but also reveals her genetic information such as physical and medical traits. Such information may affect her privacy, and so consent offers a safeguard against DNA misuse.

Or consider the provision related to the national DNA database that is being created under the law. As the name suggests, the database is a central repository of DNA information of individuals covered by the law. While the database will have information related to criminal offences, the law is unclear on whether DNA collected for civil cases will be stored in this database.

This is because the law requires all DNA laboratories to share DNA test results with the data bank. Therefore, were a DNA laboratory to analyse a DNA sample in the course of a private dispute between parties (say, an in vitro fertilization clinic and a pregnant woman), would it share this information with the data bank?

The Bill in question does not state that DNA information related to civil matters will not be stored in it. Note that the Combined DNA Index System (CODIS) in the US and the National Criminal Intelligence DNA Database in the UK are national DNA data banks with information related only to criminal investigations.

Further, if DNA information related to civil matters is stored in the data bank, it may violate the fundamental right to privacy as laid down by the Supreme Court. The Court has stated that the right to privacy may be infringed only through the enactment of a law, and that law must achieve a public purpose that’s proportionate to the infringement of privacy. Since the storage of DNA profiles for civil matters (such as paternity suits and medical diagnoses) may not serve a public purpose, it may violate the right to privacy.

A more fundamental issue is ambiguity on whether the law intends to regulate DNA tests conducted in medical and diagnostic settings. For instance, many laboratories across the country offer such tests to determine a person’s predisposition to cancer, diabetes and other diseases.

Such testing can also be used to identify an individual. For example, breast cancer can be diagnosed by analysing mutations in the BRCA1 gene, which involve analysis of large parts of an individual’s DNA, which could provide enough information to identify an individual. The law does not address how this DNA data will be stored, for how long, whom it will be shared with (such as a person’s health insurer), and when it will be deleted.

In fact, the gaps in the new DNA law dovetail into the larger issue of the lack of a data privacy law, which was raised by several Members of Parliament opposed to the law. While introducing it, Union minister Dr. Harsh Vardhan stated that the law intends to regulate DNA testing for identifying criminals, victims, missing, and deceased persons.

Clearly, the law goes beyond this objective. It needs rigorous scrutiny by a cross-section of experts and wider consultations. This can be achieved if the Bill is referred to a parliamentary committee. Otherwise, it could be a missed opportunity to effectively regulate the use of DNA technology.

Mandira Kala is head of research at PRS Legislative Research

Close