EthicsandGenetics has published ‘A Shift in Privacy Law, and the Attendant Risks'. Coverage of the report by the Guardian can be found here. In this report, we identify and explore the risks associated with the government’s plans to establish a national genetic database and commercialise personal genetic information. Furthermore, we assess changes to privacy law and practice - in particular, the recent information governance review, and demonstrate that the new privacy framework fails to adequately safeguard highly sensitive information.
Our report, reveals that the government are set to commercialise personal genetic information collected from the population, and stored on a national genetic database. As well as this, EthicsandGenetics can reveal that now, by default, NHS-users can be contacted to take part in clinical trials with private companies, without having expressed an interest in taking part in research of any kind - let alone clinical trials.
Furthermore, the report offers a critical account of a major legislative programme to commercialise medical and genetic information collected from the population, and shows that in combination with major changes to privacy law and practice, these developments put people at serious risk of harm.
Here is a brief summary of the report:
A Freedom of Information Disclosure by the Department of Health to EthicsandGenetics, confirms that Section 251 of the NHS social care Act can be used by pharmaceutical companies to trawl through personal, identifiable medical data, so that people, without having expressed an interest can be invited to take part in clinical trials. A further FoI disclosure by the Department of Health to EthicsandGenetics confirms that genetic information collected from the population and held on a central database, will be commercialised. At present, UK privacy law does no stop the government or private sector organisations from accessing personal medical and soon, genetic information, for a variety of purposes, which extend far beyond administering patient care or the advancement of medicine.
A national genetic database is part of the Government’s intentions to connect genetic information with electronic medical records, and is the culmination of more than a decade of policy and legislative developments. Ultimately, the plan is to sequence the genomic information of the entire population and connect it to electronic medical records. Indeed, accessing massive datasets of genetic and medical data has long been considered a potential ‘unique selling point’ for the UKbiosciences and pharmaceutical sectors.
In our report, we question the secrecy with which successive governments have implemented a legislative programme designed to secure this ‘unique selling point’ for the health-research, and UK pharmaceutical and bioscience sectors. Furthermore, we demonstrate that over the past decade, a shift in privacy law and practice has taken place, which primarily serves private companies, and is not of direct benefit to the person whose data it is. In fact, these changes not only compromise our right to privacy, but they also put people at risk of harm, too.
Although the information governance review, and the substantial amendments to the NHS constitution that took place last Autumn, went largely unnoticed, their implications remain immense. We show that, within the context of privacy law, and over the course of the last decade, power has shifted away from the individual and towards the governement and other actors. The concepts of the ‘public interest’, ‘proportional’ and ‘necessary’ have become central, and the requirement to seek 'informed consent' when seeking to use a person's confidential information is quickly becoming a thing of the past.
Indeed, this new climate of information governance offers something very different to 'informed consent' and the control we used to have over personal data. In point of fact, it is now down to the Secretary of State for Health and the ‘Confidentiality Advisory Group’ to determine if it is in the public interest to disclose identifiable confidential information, and not the person whose data it is, to decide.
At the launch of the recent information governance review, the Secretary of State for Health stated that an opt-out clause would be included. However, default opt-in is the problem. Default opt-in suggests that a fundamental shift in attitude towards personal medical information has taken place, in which everyone is content to hand over identifiable, personal data. But, has a shift in public perception regarding personal, often highly senstive information, really occured? As there has little in the way of meaningful, public-consultation, the government are not in a position to know, either way.
Would the public, without hesitation, have warmed to the idea that identifiable medical data can be sold to Bupa without their consent, or indeed, that all NHS-users - by default, could be contacted to take part in clinical trials with private companies? And lastly, that genomic information collected from the population and held on a national genetic database will be commercialised, and the paramaters within which such information can be shared remains at best, unclear? These are questions that ought to have been put to the public; not least, as there are serious risks involved with this laissez-faire approach to personal genetic material.
In its report to Government, the head of the Human Genomics Strategy Group, Sir John Bell, is adamant that “a whole genome cannot be truly anonymised.” Adding that, “an individual’s genetic information is sensitive personal data” and “there is a risk of the information being misused.” Even some form of anonymisation offers no guarantee that the information will not be re-identified. In a recent, high-profile DNA study in the US, Harvard Professor Latanya Sweeney re-identified the names of more than 40% of a sample of anonymous participants.
Despite the risks, the government are pressing ahead with a national genetic database and the commercialisation of genetic information, and there is no sign that the government are set to legislate against the associated risks. In contrast to what is happening here, the federal US government sought to legislate against absuses of personal genetic information at the earliest opportunity. After a number of genetic discrimination cases, the 'Genetic Information Non-Discrimination Act' (GINA) was enacted. In the UK, however, there is no such legislation that prohibits discrimination on the grounds of genetic traits or dispositions. Furthermore, there is merely a moratorium between the Association of British Insurers, and the Department of Health, on the use of genetic test results for insurance purposes - and this only lasts until 2017.
In the report, we link the lack of transparency in the implementation of a national genetic database to the risks that now confront us. We argue that the decision to change privacy laws in a way which serves the interests of the UK biosciences and pharmaceutical sectors - and establish a national genetic database and commercialise genetic information - puts certain groups at serious risk of discrimination based on genetic characteristics; and others at risk of being re-identified through their genomic information. As re-identification could lead to a person being subject to some form of genetic discrimination, greater protection is needed in order to avoid such an eventuality.
In light of the inadequacies of current privacy law and practice, and the risks associated with a national genetic database, we propose a traffic light system as way of ensuring the individual has greater choice over what happens to their confidential information, and reduce any potential harm that may come from the unconsented disclosure of genetic information. This would bring information governance practice into line with Article 8 of the Human Rights Act, and a plethora of international treaties, agreements and charters.
For a traffic-light system along these lines to work, far greater clarity is needed regarding what the government deems acceptable and non-acceptable uses of whole-sequenced genomes. As the new privacy model fails to do this, we urge the government to adopt a framework that provides greater clarity on what types of studies or research genomic information can be used for. Finally, as the government intends to commercialise genetic information held on a national database, it is essential that adequate protections are reinstated so as to protect people from unnecessary harm.
The full report can be found in the ‘Reports’ section.