Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation

Genetic data contain sensitive health and non-health-related information about the individuals and their family members. Therefore, adopting adequate privacy safeguards is paramount when processing genetic data for research or clinical purposes. One of the major legal instruments for personal data protection in the EU is the new General Data Protection Regulation (GDPR), which has entered into force in May 2016 and repealed the Directive 95/46/EC, with an ultimate goal of enhancing effectiveness and harmonization of personal data protection in the EU. This paper explores the major provisions of the new Regulation with regard to processing genetic data, and assesses the influence of such provisions on reinforcing the legal safeguards when sharing genetic data for research purposes. The new Regulation attempts to elucidate the scope of personal data, by recognizing pseudonymized data as personal (identifiable) data, and including genetic data in the catalog of special categories of data (sensitive data). Moreover, a set of new rules is laid out in the Regulation for processing personal data under the scientific research exemption. For instance, further use of genetic data for scientific research purposes, without obtaining additional consent will be allowed, if the specific conditions is met. The new Regulation has already fueled concerns among various stakeholders, owing to the challenges that may emerge when implementing the Regulation across the countries. Notably, the provided definition for pseudonymized data has been criticized because it leaves too much room for interpretations, and it might undermine the harmonization of the data protection across the countries.

What Does Anonymization Mean? DataSHIELD and the Need for Consensus on Anonymization Terminology

Anonymization is a recognized process by which identifiers can be removed from identifiable data to protect an individual's confidentiality and is used as a standard practice when sharing data in biomedical research. However, a plethora of terms, such as coding, pseudonymization, unlinked, and deidentified, have been and continue to be used, leading to confusion and uncertainty. This article shows that this is a historic problem and argues that such continuing uncertainty regarding the levels of protection given to data risks damaging initiatives designed to assist researchers conducting cross-national studies and sharing data internationally. DataSHIELD and the creation of a legal template are used as examples of initiatives that rely on anonymization, but where the inconsistency in terminology could hinder progress. More broadly, this article argues that there is a real possibility that there could be possible damage to the public's trust in research and the institutions that carry it out by relying on vague notions of the anonymization process. Research participants whose lack of clear understanding of the research process is compensated for by trusting those carrying out the research may have that trust damaged if the level of protection given to their data does not match their expectations. One step toward ensuring understanding between parties would be consistent use of clearly defined terminology used internationally, so that all those involved are clear on the level of identifiability of any particular set of data and, therefore, how that data can be accessed and shared.

Access Governance for Biobanks: The Case of the BioSHaRE-EU Cohorts

Currently, researchers have to apply separately to individual biobanks if they want to carry out studies that use samples and data from multiple biobanks. This article analyzes the access governance arrangements of the original five biobank members of the Biobank Standardisation and Harmonisation for Research Excellence in the European Union (BioSHaRE-EU) project in Finland, Germany, the Netherlands, Norway, and the United Kingdom to identify similarities and differences in policies and procedures, and consider the potential for internal policy “harmonization.” Our analysis found differences in the range of researchers and organizations eligible to access biobanks; application processes; requirements for Research Ethics Committee approval; and terms of Material Transfer Agreements relating to ownership and commercialization. However, the main elements of access are the same across biobanks; access will be granted to bona fide researchers conducting research in the public interest, and all biobanks will consider the scientific merit of the proposed use and it's compatibility with the biobank's objectives. These findings suggest potential areas for harmonization across biobanks. This could be achieved through a single centralized application to a number of biobanks or a system of mutual recognition that places a presumption in favor of access to one biobank if already approved by another member of the same consortium. Biobanking and Biomolecular Resources Research Infrastructure-European Research Infrastructure Consortia (BBMRI-ERIC), a European consortium of biobanks and bioresources with its own ethical, legal, and social implications (ELSI) common service, could provide a platform by developing guidelines for harmonized internal processes.

Biobank Report: United Kingdom

The United Kingdom is a leader in genomics research, and the presence of numerous types of biobanks and the linking of health data and research within the UK evidences the importance of biobank-based research in the UK. There is no biobank-specific law in the UK and research on biobank materials is governed by a confusing set of statutory law, common law, regulations, and guidance documents. Several layers of applicable law, from European to local, further complicate an understanding of privacy protections. Finally, biobanks frequently contain data in addition to the samples; the legal framework in the UK generally differentiates between data and samples and the form of the data affects the applicability of legal provisions. Biobanks must be licensed by the Human Tissue Authority; certain projects must be reviewed by Research Ethics Committees, and all projects are encouraged to be reviewed by them. Data Access Committees in biobanks are also common in the UK. While this confusing array of legal provisions leaves privacy protections in biobanking somewhat unclear, changes at the EU level may contribute to harmonization of approaches to privacy.

Ethical issues in consumer genome sequencing: Use of consumers' samples and data

High throughput approaches such as whole genome sequencing (WGS) and whole exome sequencing (WES) create an unprecedented amount of data providing powerful resources for clinical care and research. Recently, WGS and WES services have been made available by commercial direct-to-consumer (DTC) companies. The DTC offer of genetic testing (GT) has already brought attention to potentially problematic issues such as the adequacy of consumers' informed consent and transparency of companies' research activities. In this study, we analysed the websites of four DTC GT companies offering WGS and/or WES with regard to their policies governing storage and future use of consumers' data and samples. The results are discussed in relation to recommendations and guiding principles such as the “Statement of the European Society of Human Genetics on DTC GT for health-related purposes” (2010) and the “Framework for responsible sharing of genomic and health-related data” (Global Alliance for Genomics and Health, 2014). The analysis reveals that some companies may store and use consumers' samples or sequencing data for unspecified research and share the data with third parties. Moreover, the companies do not provide sufficient or clear information to consumers about this, which can undermine the validity of the consent process. Furthermore, while all companies state that they provide privacy safeguards for data and mention the limitations of these, information about the possibility of re-identification is lacking. Finally, although the companies that may conduct research do include information regarding proprietary claims and commercialisation of the results, it is not clear whether consumers are aware of the consequences of these policies. These results indicate that DTC GT companies still need to improve the transparency regarding handling of consumers' samples and data, including having an explicit and clear consent process for research activities.

Biobanks, Data Sharing, and the Drive for a Global Privacy Governance Framework

Biobanks are a key emerging biomedical research infrastructure. They manifest the turn towards greater global sharing of genomic and health-related data, which is considered by many to be an ethical and scientific imperative. Our collective interests lie in improving the health and welfare of individuals, communities, and populations; improving health and welfare requires access to, and use of, widely dispersed quality data. But sharing these individual and familial data requires in turn that due thought be given to the ethical and legal interests at stake. Most critically, data sharing must occur in an environment whereby privacy interests are safeguarded throughout the lifecycle of biobank initiatives, and regardless of the locations where the data are stored, to which they are sent, and where they are ultimately processed. In this article, I outline the complex dimensions of data privacy regulation that challenge data sharing within the biobanking context. I discuss how harmonization may be a remedy for the gaps and marked differences of approach in data privacy regulation. Finally, I encourage the development of foundational responsible data sharing principles set within an overarching governance framework that provides assurance that reasonable expectations of privacy will be met.