In defence of privacyPosted: November 18, 2013
The following post has just appeared in BioNews:
Last week saw the launch of the UK arm of the Personal Genome Project (PGP). This is the second major sequencing initiative launched this year in the UK (the first being Genomics England). Interestingly, both projects seek to sequence 100,000 genomes, and of course both are fuelled by a belief that genomics is set to become a routine part of healthcare. Yet the projects are as notable for their differences as their similarities.
Genomics England is bankrolled by the government, with £100 million of NHS funds earmarked for the project. The source of funding for PGP is rather more disparate, with the PHG Foundation reporting that it is to be funded for the next year ‘by the Chinese Beijing Genomics Institute (BGI) and commercial sequencing and interpretation service providers Illumina, Life Technologies, and Personalis’. Whether it can secure long-term funding is not clear, with Science Insider reporting that the more established US and Canadian arms are struggling for funding. Another difference is in their approach to confidentiality: PGP operates on the principle that research participants share their data publicly.
Controversy surrounding protecting the privacy of genetic research participants heightened after the 2008 publication by Homer et al demonstrating a new technique which allowed them to re-identify genotyped individuals or even individuals in pooled mixtures of DNA. The publication immediately led research funders including the US National Institutes of Health and the Wellcome Trust to place new restrictions on access to data from genome wide association studies (GWAS).
The PGP’s solution to the problem of privacy is not to increase safeguards but to do away with them altogether, by enrolling research participants in a project which requires consent to full public disclosure of their data. This is a radical move. Genetic epidemiology, like most other biomedical research, has hitherto operated according to a norm that seeks to ensure that research subjects are protected by the cloak of anonymity. As far as I am aware, this remains the case for most genomic research. The ethics and governance framework of the UK Biobank, our flagship initiative in this research field, states that the organisation ‘is committed to protecting the confidentiality of data and samples’. The UK’s other flagship initiative is Genomics England, an organisation whose governance framework is still in development but which has already promised to ‘strictly manage secure storage of personal data in accordance with existing NHS rules designed to securely protect patient information’.
I am unconvinced by the argument that the PGP’s public disclosure policy is the best response to the difficulties of safeguarding genomic confidentiality. In a recent review of this issue, Greenbaum et al provided an alternative perspective: ‘Another approach could be to learn from the legal and banking sectors wherein privacy and confidentiality are protected while the practitioners nevertheless manipulate and analyze large databases of highly confidential personal and financial data. Furthermore, private information is exchanged between many organizations ranging from large companies to small law firms. In those cases, incentives to keep clients, as well as governmental regulations with stiff penalties and civil and criminal repercussions, help to prevent breaches of customer privacy’.
This carrot-and-stick approach is not a 100 percent guarantee of good behaviour: when the incentives are strong enough, as is the case with insider trading, then individuals may break the law. But it does provide a significant measure of protection for individuals and corporations from the malicious abuse or careless disclosure of their confidential data, and, as importantly, it provides legislative support to the principle that such protection is a reasonable expectation.
In the era of big data, the governance of personal information requires the robust defence of such principles.