The ICO exists to empower you through information.

Executive summary

Over the last decade there has been a rapid increase in investment and influence in genomic technologies in a range of sectors. The technology offers well-known benefits in areas like advanced disease treatment and personalised healthcare, and there is a drive to deliver a genomic-focused healthcare system. But the rapid growth of applications in sectors like insurance, education and law enforcement also have the potential to impact us all.

As the UK’s data protection regulator, the Information Commissioner’s Office (ICO) aims to increase public trust in how organisations process personal information through responsible practice. We want to empower people to safely share their information and use innovative products and services that will drive our economy and our society. In our ICO25 strategy, we committed to set out our views on emerging technologies to reduce burdens on businesses, support innovation and prevent harms.

The genomics chapter of our 2023 Tech Horizons Report set out an initial area of concern around polygenic risk scores; probabilistic assessments of traits and characteristics derived from genomics that could inform how we deliver health care and other services in the future.

This report goes into more depth to consider regulatory and privacy issues raised by the wider development of genomics. We illustrate how these may arise through scenarios that cover potential uses of the technology in and beyond healthcare, including in direct-to-consumer services, insurance, education and law enforcement. The issues we cover include:

  • the challenges of understanding when genomic data may be considered personal information. Genomic information relating to the deceased, or once thought unimportant or even unidentifiable in terms of personal information, may have an increasingly large significance as personal data as research rapidly advances;
  • the complexities of using and sharing third party information (including both genomic information and inferences derived from it) given how much of a genome and the information derived from it is shared - even on a familial level;
  • the associated risks and challenges of anonymising and pseudonymising genomic information in a way that embeds privacy by design without compromising innovative and necessary research; and
  • the significant risks of bias and discrimination emerging from the processing of genomic information. Inaccurate models trained on unrepresentative datasets may emerge, or inferences used to support unfair decisions even when using accurate information.

We will address these areas of concern through:

  • ongoing engagement with key stakeholders across industry, regulation, academia and civil society. This will include inviting organisations to work with our Regulatory Sandbox to engineer data protection into uses of genomic information;
  • monitoring and highlighting developments in this area through our Tech Horizons reports, where we will set out future programmes of work on the issues as they arise. We will pay particular attention to the sharing of third party genomic information and direct-to-consumer genomic services linked to polygenic risk scoring. We have invited views from organisations with an interest in this area; and
  • engagement with the public to better understand their knowledge and concerns about the use of genomics and privacy.