GENEWATCH
 
GENETIC PRIVACY IN EUROPE
By Helen Wallace
 

from GeneWatch 27-1 | Jan-Apr 2014

Genetic privacy in Europe is under threat as commercial companies seek to access electronic medical records held in national healthcare systems and to combine this data with individuals' whole genomes, all without their knowledge or consent. The aim is to make personalised risk assessments which can be used to market medicines and other products directly to consumers, vastly expanding the healthcare market. Policymakers are being lobbied to subsidize construction of these databases with taxpayers' money as a public-private partnership. Lobbyists aim to seek consent only after the databases have been built and the risk assessments have been calculated, at the point of feedback of these assessments to the individual. Because genomes act as biometrics - linking online data to an individual's physical person - other data will be connected to this system in the future, including government data (such as a person's use of social services and their education records) and online data such as search histories and social media. If these databases go ahead, it will also be possible to identify a person's genetic relatives and their heath and other data.

Democratic debate about these plans has been limited as companies seek to set the rules before the general public become aware of the proposals or their consequences. However, awareness is now growing and it is likely that over the coming months debate over the privacy of genetic and health data will intensify. Questions include:

  • whether a new EU Data Protection Regulation will be adopted to protect the privacy of European citizens;
  • whether (and to what extent) the U.K. Government will backtrack from plans to scoop up the medical records of everyone that uses the National Health Service in England and hand the data, without people's knowledge or consent, to companies like Google;
  • how a pilot project to link genomes with health data in England (the 100,000 Genomes project) will be governed; and
  • what safeguards will be provided for health and genetic data from EU citizens stored by U.S. internet companies, in the wake of the revelations made by Edward Snowden about snooping by the U.S. National Security Agency.

At the same time, a new EU In Vitro Diagnostics Regulation is being developed which will determine the extent that claims made about personalised health risk assessments and genetic tests are regulated, and whether or not medical supervision and counselling will be required.

New privacy protections

On March 19, the European Parliament backed strong privacy protections for European citizens which would require individuals to give their consent to the use of health data for research and which treats genetic data as requiring special protection. Under the European Union's complex decision-making process, member governments must now endorse the new proposals before they enter into law, or a process of amendments and negotiations must take place.

U.S. companies are vigorously lobbying to water down the safeguards so that health data and genomes from European citizens can be stored in the cloud and shared with commercial companies without people's knowledge or consent. A new category of "pseudo-anonymized" data (with identifiers stripped off prior to widespread sharing, but retained in "safe havens" to allow linkage back to the individual and to further data sets) has been introduced to facilitate such sharing. However, until now the European Commission and Parliament have insisted that such data still retains sensitive personal information and should not be used for health research without the individual's knowledge and consent.

The U.K. Government's "care.data" scheme

The U.K. Government has adopted legislation requiring all doctors to upload electronic medical records collected in the National Health Service in England to a central database called the Health and Social Care Information Centre. A system called "care.data" will then be used to share pseudo-anonymised health data with public and private bodies, and later to link in data collected by social services. There has been significant public controversy about the scheme, including concerns about potential access to such data by the police, its exploitation by commercial companies, and loss of patient privacy. It is clear that "pseudo-anonymisation" cannot protect identities from being deduced by a combination of other information and that promises of anonymity will certainly be meaningless if genotypes or whole genome sequences are later added to the records, as has been proposed. The plan is on hold now for six months while there is further policy debate.

The 100,000 Genomes Project

Although genomes have not yet been included in the "care.data" scheme, the U.K. Health Secretary has made clear that it is his intention to screen the whole genome of every baby at birth and add this data to the system. Much of the impetus for this idea comes from the Google-funded gene testing company 23andMe, which has been in discussions with the U.K. Government about accessing this data since at least 2008.

The 100,000 Genomes Project has been set up as a pilot project for using whole genome sequences within the National Health Service. Its focus is on families with genetic disorders, who may genuinely benefit, and also on cancer research, rather than more speculative applications such as screening the whole genome of every healthy person. However, data collected in the 100,000 Genomes Project is expected to be widely shared with commercial companies for much broader purposes. It remains to be seen whether the data-sharing process will be sufficient to meet the proposed new European standards and also to maintain the public's trust.

Security agencies, police access and transfers overseas

A major factor in the debate in Europe has been the revelations by Edward Snowden about the ease with which data stored in the cloud can be accessed by the U.S. National Security Agency. European politicians are increasingly aware that the whole genomes of individuals can be used to track then through their DNA (for example, by testing at borders using the new RapidDNA system) or identify who has been at a political meeting by collecting DNA from coffee cups. Because DNA can also be used to identify a person's relatives, the potential for abuse is huge. Thus, debate continues about the extent to which genetic sequences should be stored on secure servers or made widely available via the cloud. Destruction of samples and data is a key part of protecting citizens from excessive state surveillance, but this important privacy protection conflicts with commercial claims that storing "Big Data", including whole genomes from whole populations, is essential for progress in medicine. These claims are hotly contested by many scientists, who point to evidence that genes are poor predictors of most diseases in most people, with limited clinical utility, and to limited success at predicting adverse drug reactions.

Gene test regulation

A new EU In Vitro Diagnostics Regulation is being developed which will regulate software and algorithms used for health diagnoses or predictions, including genetic tests. Powers for prior pre-market assessment of genetic tests are weaker than those exercised by the U.S. Food and Drug Administration and it is expected that most oversight will remain with "notified bodies" which act as consultants to the companies making applications to sell tests on the EU market. However, the new rules will require companies to provide evidence of clinical validity, and in some cases clinical utility, and this evidence will be made publicly available on request. The draft regulation also includes clauses which ban direct-to-consumer sales of genetic tests and make counseling mandatory. As with the draft EU Data Protection Regulation, the In Vitro Diagnostics Regulation still requires negotiation with the Council of EU Member States and is likely to be revised before becoming law. Strict regulation would restrict the market for genetic tests and other health-related algorithms to those that genuinely showed some benefit to health and prevent companies from making unsupported and misleading claims. Whilst some compromise is likely, it is clear that the current lack of any regulation for genetic tests with health-related claims is coming to an end.

Conclusions

Data collected by public healthcare systems, particularly Britain's National Health Service is seen as a gold mine by companies such as Google and the Google-funded gene testing company 23andMe. However, the British public are skeptical of commercial interests and are rightly concerned about the potential exploitation of this data for personalized marketing and its likely misuse to discriminate against them, for example by insurance companies. Further, government plans to store information that until now was private between an individual and their doctor has raised significant concerns about likely poor security and access by the police. Within the EU more widely, the Snowden revelations have raised awareness of the fact that information in the cloud will likely be accessible to hackers including foreign governments. Restricting the use of whole genome sequencing to applications that are genuinely likely to be of benefit to health - such as diagnosing unknown genetic disorders in children who have symptoms - is more likely to maintain public trust than screening every baby at birth and making misleading claims about genetic susceptibility to common diseases or adverse drug reactions in the general population.

The coming months are likely to determine whether genuine safeguards are put in place to allow useful genomic applications to be introduced whilst maintaining public trust, or whether corporate greed and enthusiasm for building vast repositories of data without people's knowledge or consent will lead to a major public backlash.    

 

Helen Wallace, PhD, is the Director of GeneWatch UK.

 

Further reading:

A DNA Database in the NHS: Your Freedom Up for Sale? GeneWatch UK Briefing. 23rd May 2013. http://www.genewatch.org/uploads/f03c6d66a9b354535738483c1c3d49e4/DNAinNHS_GWbriefing_fin.pdf

A DNA Database in the NHS? GeneWatch UK webpage. Contains regular updates on "care.data" and relevant legislation. http://www.genewatch.org/sub-569340

 
 
Search: GeneWatch
 
 
 
The purpose of the Genetic Bill of Rights is to introduce a global dialogue on the fundamental values that have been put at risk by new applications of genetics.
 
View Project
 
 
The purpose of the Genetic Bill of Rights is to introduce a global dialogue on the fundamental values that have been put at risk by new applications of genetics.
 
View Project
 
 
Tools
PAGE TOOLS
 
 
 
 
ON THE WEB