The inclusion of genomic data in the 2015 revision of Japan’s Protection of Personal Information Act: protection of wider range of genomic data as our next challenge

Japan’s personal information protection laws were revised recently [1, 2] and were put in effect on 30 May 2017. One noteworthy change in this revision is that it is now clear which category of personal information genomic data belongs to.

Japan’s personal information protection laws consist of the three main laws: (i) the Act on the Protection of Personal Information (PPI Act), which was revised in September 2015; (ii) the Act on the Protection of Personal Information Held by Administrative Organs (PPIHAO Act); and (iii) the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (PPIHAA Act). Both (ii) and (iii) were revised in May 2016 and these revisions were based on previous revisions to the PPI Act in 2015, and as such the contents of the PPI Act are the most significant for our purposes and thus will be the focus of this paper.

The PPI Act of 2003 outlined the general regulations for the handling of personal information, but there was no mention made of genomic data in the Act. One of the most significant changes made in the 2015 revision was the inclusion of genomic data under two categories of personal information, namely the traditional category of personal information, as well as the category of “individual identification code information.” This category includes information that could possibly identify an individual, such as passport numbers, fingerprint scan data, social security numbers, and so on. Genomic data that includes a person’s name, birthday, or other such identifying information is covered under the traditional definition of personal information. On the other hand, genomic data itself (even if it does not contain the aforementioned identifying information) is now considered “individual identification code information”—specifically when these data contain whole-genomic sequence data, whole-exome sequence data, whole-single-nucleotide polymorphism (SNP) data, and sequence data containing ≥40 independent SNPs and/or  at least nine short tandem repeats. Genomic data are not traditionally thought of as authentication data (like fingerprints or other biometric data), but nevertheless it is now included in the category of “individual identification code information.” Furthermore, information in these two categories that could possibly lead to discrimination or unfair treatment is included in the category of “information requiring special care.” Examples of such information include results from genetic medical testing in hospitals, as well as services provided from private companies. The inclusion of genomic data in the above categories is the first step in creating legally enforceable regulations for genomic data.

Direct-to-consumer genetic testing services operating in the private sector have become more common in recent years, causing some researchers and medical professionals to worry about how personal information including genomic data gathered at such companies will be handled. These concerns have been eased by the following revisions to the PPI Act: (1) by mandating the inclusion of detailed genomic data in “individual identification code information,” anonymity can be better protected; (2) by including test results under the category of “information requiring special care,” patients/customers now have to actively give consent before providing such information; (3) the sharing and transfer of such information overseas is now strictly regulated; and (4) careful records must be kept and maintained to ensure traceability.

Personal genomic data are also being used actively in medical research. Since academic research is given exemption under the law, this new amendment does not apply directly to it. Instead, most medical research is regulated by national research ethics guidelines, and since these guidelines aim to reflect the essence of the law, they were also amended in 2016 [3, 4]. The most significant change in the amended guidelines is that now detailed genomic data are considered “individual identification code information.” It must now be treated as personal information even if personal identifying descriptions such as a subject’s name and date of birth are removed. On the other hand, the guidelines differ in some ways from the law. For example, the guidelines allow for opt-out consent with regard to handling “information requiring special care” and sharing information with researchers and collaborators who belong to foreign institutions when these kind of information are required for research related to the improvement of public hygiene and health.

With genomic data now qualifying as personal information in Japan, steps are being taken to ensure the appropriate use of these data. One task facing us is to increase and widen the protection of genomic information to cover a variety of situations. Genomic information does not only pertain to the individual, but rather the information is shared in part between family members and other relatives, meaning that the PPI Act (which only applies to personal information) is currently unable to protect all of the parties affected by genomic information. Furthermore, since the PPI Act only protects living individuals, those who have died and unborn embryos are not covered. In medical and clinical research, as the use of genomic information becomes more common, we have to think beyond the traditional categories of personal information and individual privacy and develop new ways to protect people’s information in the future. The first step in accomplishing this will be to create new laws that ensure broader protections for people who may be adversely affected or discriminated against when genomic information is used in these research fields. In Japan, this possibility is already being discussed and we will contribute as much as we can to the creation and implementation of these new laws.