EthicsAndGenetics has published ‘A Shift in Privacy Law, and the Attendant Risks’. Coverage of the report by the Guardian can be found here. In this report, we identify and explore the risks associated with the government’s plans to establish a national genetic database and commercialise the sequenced genetic information held therein. Furthermore, we assess changes to privacy law and practice, in particular the recent information governance review, and demonstrate that the new privacy framework fails to adequately safeguard highly sensitive information. In addition, EthicsAndGenetics can reveal that, by default, NHS-users can now be contacted to take part in clinical trials with private companies, without having expressed an interest in taking part in research of any kind, let alone clinical trials.
The report comprises a critical account of a major legislative programme to commercialise medical and genetic information collected from the population; it shows that, in combination with considerable changes to privacy law and practice, these developments put people at serious risk of having their personal, sensitive information used for purposes for which they have not given their consent. Further, this could, in certain instances, lead to the individual being seriously harmed.
Here is a brief summary of the report:
A Freedom of Information disclosure by the Department of Health to EthicsAndGenetics confirms that Section 251 of the NHS social care Act can be used by pharmaceutical companies to trawl through personal, identifiable medical data, so that people - without having expressed an interest - can be invited to take part in clinical trials. A further FoI disclosure by the Department of Health to EthicsAndGenetics confirms that genetic information collected from the population and held on a central database will be commercialised. The changes that have been made to the UK regulatory regime are such that Government and private sector organisations can access personal medical and genetic data for a variety of purposes, many of which extend far beyond administering patient care.
A national genetic database is part of the Government’s plans to connect genetic information with electronic medical records, and is the culmination of more than a decade of policy and legislative developments. Ultimately, the aim is to sequence the genomic information of the entire population of England and Wales and connect it to electronic medical records. Accessing massive datasets of genetic and medical data has long been considered a potential ‘unique selling point’ for the UK biosciences and pharmaceutical sectors. In our report, we question the secrecy with which successive governments have implemented a legislative programme designed to secure this ‘unique selling point’ for the health-research, and UK pharmaceutical and bioscience, sectors. Furthermore, we demonstrate that over the past decade, a shift in privacy law and practice has taken place, which primarily serves private companies and is not of direct benefit to the data-subject. In fact, these changes not only compromise our right to privacy, they also put people at risk of harm.
Although the information governance review, and the substantial amendments to the NHS constitution that took place last autumn, went largely unnoticed, their implications are immense. We show that, within the context of privacy law - and over the course of the last decade - power has shifted away from the individual and towards the government, and other actors. The concepts of the ‘public interest’, ‘proportional’ and ‘necessary’ have become central, and informational autonomy and the requirement to seek ‘informed consent’ when seeking to use a person's confidential information are quickly becoming a thing of the past. This new climate of information governance is markedly different to the control data-subjects once had over sensitive and personal data. At the launch of the recent information governance review, the Secretary of State for Health stated that an opt-out clause would be included. Default opt-in, however, is the problem. Default opt-in suggests that a fundamental shift in attitude towards personal medical information has taken place, in which everyone is content to hand over identifiable personal data. Since there has been little in the way of meaningful public consultation, the government are not in a position to know either way.
Would the public, without hesitation, have warmed to the idea that identifiable medical data can be sold to Bupa, a private insurer, for example, without their consent, or, indeed, that all NHS-users, by default, can be contacted to take part in clinical trials with private companies? And, lastly, that genomic information collected from the population and held on a national genetic database will be commercialised, and the parameters within which such information can be shared remain indeterminate, at best? These are questions that ought to have been put to the public; not least, as there are serious risks involved with this laissez-faire approach to personal genetic material.
In its report to Government, the head of the Human Genomics Strategy Group, Sir John Bell, is adamant that “a whole genome cannot be truly anonymised”, adding that “an individual’s genetic information is sensitive personal data” and “there is a risk of the information being misused.” Even some form of anonymisation offers no guarantee that the information will not be re-identified. In a recent, high-profile DNA study in the US, Harvard Professor Latanya Sweeney re-identified the names of more than 40% of a sample of anonymous participants.
Despite the risks, the government are pressing ahead with a national genetic database and the commercialisation of genetic information, and there is no sign that the government are set to legislate against the associated risks. In contrast to what is happening here, the federal US government sought to legislate against abuses of personal genetic information at the earliest opportunity. After a number of genetic discrimination cases, the 'Genetic Information Non-Discrimination Act' (GINA) was enacted. In the UK, however, there is no such legislation that prohibits discrimination on the grounds of genetic traits or dispositions. Furthermore, there is merely a moratorium between the Association of British Insurers and the Department of Health on the use of genetic test results for insurance purposes - and this only lasts until 2017.
In the report, we link the lack of transparency in the implementation of a national genetic database to the risks that now confront us. We argue that the decision to change privacy laws in a way which serves the interests of the UK biosciences and pharmaceutical sectors - and establish a national genetic database and commercialise genetic information - puts certain groups at serious risk of discrimination based on genetic characteristics; and others, at risk of being re-identified through their genomic information. As re-identification could lead to a person being subject to some form of genetic discrimination, greater protection is needed in order to avoid such an eventuality.
In light of the inadequacies of current privacy law and practice, and the risks associated with a national genetic database, we propose a 'traffic light' system as a way of ensuring that the individual has greater choice over what happens to their confidential information, and of reducing any potential harm that may come from the unconsented disclosure of genetic information. This, indeed, would bring the information governance regulatory regime into line with Article 8 of the Human Rights Act, and the relevant international treaties, agreements and charters.
For a traffic-light system along these lines to work, far greater clarity is needed regarding what the government deems acceptable and non-acceptable uses of whole-sequenced genomes. As the new privacy model fails to do this, we urge the government to adopt a framework that provides greater clarity on what types of studies or research genomic information can be used for. Finally, as the government intends to commercialise genetic information held on a national database, it is essential that adequate protections are reinstated so as to protect people from unnecessary harm.
The full report can be found in the ‘Reports’ section.