Bartha Maria Knoppers

Consent Codes: Upholding Standard Data Use Conditions

Author Summary A systematic way of recording data use conditions that are based on consent permissions as found in the datasets of the main public genome archives (NCBI dbGaP and EMBL-EBI/CRG EGA).

Ethics review for international data-intensive research

Ad hoc approaches mix and match existing components Historically, research ethics committees (RECs) have been guided by ethical principles regarding human experimentation intended to protect participants from physical harms and to provide assurance as to their interests and welfare. But research that analyzes large aggregate data sets, possibly including detailed clinical and genomic information of individuals, may require different assessment. At the same time, growth in international data-sharing collaborations adds stress to a system already under fire for subjecting multisite research to replicate ethics reviews, which can inhibit research without improving the quality of human subjects protections (1, 2). “Top-down” national regulatory approaches exist for ethics review across multiple sites in domestic research projects [e.g., United States (3, 4), Canada (5), United Kingdom, (6), Australia (7)], but their applicability for data-intensive international research has not been considered. Stakeholders around the world have thus been developing “bottom-up” solutions. We scrutinize five such ef orts involving multiple countries around the world, including resource-poor settings (table S1), to identify models that could inform a framework for mutual recognition of international ethics review (i.e., the acceptance by RECs of the outcome of each others review).

Editing policy to fit the genome

Framing genome editing policy requires setting thresholds of acceptability Balancing therapeutic prospects brought by scientific advances with regulation to address highly contested socioethical issues is the ultimate challenge in dealing with disruptive science. Human genome editing is a powerful tool that offers great scientific and therapeutic potential (1, 2). Yet, it rejuvenates socioethical and policy questions surrounding the acceptability of germline modification.

Registered access: a ‘Triple-A’ approach

We propose a standard model for a novel data access tier – registered access – to facilitate access to data that cannot be published in open access archives owing to ethical and legal risk. Based on an analysis of applicable research ethics and other legal and administrative frameworks, we discuss the general characteristics of this Registered Access Model, which would comprise a three-stage approval process: Authentication, Attestation and Authorization. We are piloting registered access with the Demonstration Projects of the Global Alliance for Genomics and Health for which it may provide a suitable mechanism for access to certain data types and to different types of data users.

Sharing health-related data: a privacy test?

Greater sharing of potentially sensitive data raises important ethical, legal and social issues (ELSI), which risk hindering and even preventing useful data sharing if not properly addressed. One such important issue is respecting the privacy-related interests of individuals whose data are used in genomic research and clinical care. As part of the Global Alliance for Genomics and Health (GA4GH), we examined the ELSI status of health-related data that are typically considered ‘sensitive’ in international policy and data protection laws. We propose that ‘tiered protection’ of such data could be implemented in contexts such as that of the GA4GH Beacon Project to facilitate responsible data sharing. To this end, we discuss a Data Sharing Privacy Test developed to distinguish degrees of sensitivity within categories of data recognised as ‘sensitive’. Based on this, we propose guidance for determining the level of protection when sharing genomic and health-related data for the Beacon Project and in other international data sharing initiatives.

Comparative Approaches to Biobanks and Privacy

Laws in the 20 jurisdictions studied for this project display many similar approaches to protecting privacy in biobank research. Although few have enacted biobank-specific legislation, many countries address biobanking within other laws. All provide for some oversight mechanisms for biobank research, even though the nature of that oversight varies between jurisdictions. Most have some sort of controlled access system in place for research with biobank specimens. While broad consent models facilitate biobanking, countries without national or federated biobanks have been slow to adopt broad consent. International guidelines have facilitated sharing and generally take a proportional risk approach, but many countries have provisions guiding international sharing and a few even limit international sharing. Although privacy laws may not prohibit international collaborations, the multi-prong approach to privacy unique to each jurisdiction can complicate international sharing. These symposium issues can serve as a resource for explaining the sometimes intricate privacy laws in each studied jurisdiction, outlining the key issues with regards to privacy and biobanking, and serving to describe a framework for the process of harmonization of privacy laws.

Are Data Sharing and Privacy Protection Mutually Exclusive

We review emerging strategies to protect the privacy of research participants in international epigenome research: open consent, genome donation, registered access, automated procedures, and privacy-enhancing technologies.

Public variant databases: liability?

Public variant databases support the curation, clinical interpretation, and sharing of genomic data, thus reducing harmful errors or delays in diagnosis. As variant databases are increasingly relied on in the clinical context, there is concern that negligent variant interpretation will harm patients and attract liability. This article explores the evolving legal duties of laboratories, public variant databases, and physicians in clinical genomics and recommends a governance framework for databases to promote responsible data sharing.Genet Med advance online publication 15 December 2016

The discombobulation of de-identification

VOLUME 34 NUMBER 11 NOVEMBER 2016 NATURE BIOTECHNOLOGY To the Editor: In 2005 one of us (B.M.K.) coauthored a Correspondence in your pages entitled “The Babel of genetic data terminology,” which warned of a dangerously inconsistent and confusing set of terms in the literature describing the identifiability of genetic data1. We now are writing to report that, in the intervening decade, the literature has become even more discombobulated with regard to terminology. Here we summarize the Babel-like lexicon for de-identified data and provide our own suggestions for harmonizing terms. The benefits of next-generation sequencing2, mobile health apps3,4, cloud computing5 and big data analytics have now arrived. They are, however, accompanied by unwelcome friends: namely, a flourishing of novel re-identification techniques that have thrown the idea of guaranteed, total anonymization into question6–8. Moreover, international research guidelines are turning away from anonymization for reasons tied to data quality, participant withdrawal and the need to communicate findings and continually link with clinical or other data9. Nascent efforts to tie data protection to proportionate and realistic risk assessment are appearing10,11. Mandatory policies imposed by funders are pushing researchers toward greatly increased data sharing. Legal duties often require ‘deidentification’ as a form of privacy protection. Researcher understanding of ‘anonymization’ often differs in strictness from that which is actually necessary. This almost guarantees overor under-sharing, which poses risks to participant privacy or research potential, respectively. Legally, anonymized data is not personal data and thus not subject to personal data protection duties. But there is no consensus definition of anonymization. Although record re-identification codes are sometimes allowed12,13, law and policymakers tend to define anonymization as “irreversible”1,14,15. Occasionally, even indirect identifiers (or quasi-identifiers) seem permissible, as in criteria that ask whether a person’s identity “can be readily ascertained”16. Still others seem to contradict themselves. The UK Information Commissioner’s Office (London), for example, adopts a definition suggesting irreversibleness and conflates anonymized data with pseudonymized data17 (the latter meaning data that can only be re-identified with access to a deliberately crafted re-identification mechanism). The Global Alliance for Genomics and Health’s 2015 Privacy and Security Policy definition labels anonymization as a process that “prevents the identity of an individual from being readily determined by a reasonably foreseeable method”18. Later its Data-Sharing Lexicon refined anonymization to mean the “irreversible delinking of identifying information from associated data”19. The same holds for other terms describing identifiability. De-identification is often defined as synonymous with irreversible anonymization1,18,19. The US Health Insurance Portability and Accountability Act (HIPAA) similarly uses it to refer to data sets to which its anonymization process have been applied. But HIPAA also provides for ‘de-identified’ data sets to which a reidentification code has been added20. Moreover, the term ‘anonymous’ tends to be used by health researchers to describe information that was collected without direct identifiers, rather than data with identifiers that were later removed9,15; however, in recent data privacy instruments such as the European Union’s (EU; Brussels) General Data Protection Regulation14, anonymous is used interchangeably with anonymized, a concept that covers any data that cannot be linked back to an individual. The need for harmonization of terminology is clear. But what identifiability classification system would best help law and policymakers to regulate de-identification and researchers to understand it? We believe that ‘anonymized data’ (or ‘anonymous data’) should mean data that cannot reasonably foreseeably be reidentified, alone or in combination with other data. ‘Pseudonymized data’ (often referred to as ‘coded data’) should mean data that can only be re-identified with access to a deliberately crafted re-identification mechanism. This pseudonymization mechanism can be singleor double-coding, encryption and tokenization, with appropriate safeguards in place. Data that can be reidentified using quasi-identifiers, however, are not pseudonymized. In light of occasional but recurring confusion in the literature on this point, we stress that the mere substitution of direct identifiers with a re-identification mechanism does not result in pseudonymized data, unless it is also shown that its quasiidentifiers do not allow re-identification. Otherwise, the data remain identifiable, and fall within some definitions of ‘masked’ data17. When the data include plain-text direct identifiers, it is ‘identified’. Given the emergence of increasingly sophisticated re-identification attacks8,21–25, it is now only reasonable to consider genetic data to be anonymized or pseudonymized in narrow circumstances, though we disagree with literature suggesting that anonymization should be abandoned altogether6,7. Though even aggregate statistics can allow re-identification of a data set, at some level of generality this ceases to be the case (for example, percentages of US people with a particular single nucleotide variant). The time when the mere removal of direct identifiers was considered defensible anonymization26 is past. Our dual schema accommodates new techniques, such as secure multiparty computing, homomorphic encryption, k-anonymity, and differential privacy27, without having to explicitly refer to any of them, by making identifiability determinations on a case-by-case, contextual basis28. In short, although the details of and difference between techniques to limit identifiability will necessarily be highly significant to technicians applying them to a given data set, our view is that from the perspective of policymakers, the distinctions that are of the highest significance are almost always whether the data have been anonymized or pseudonymized. As to ‘deidentification’ itself, we believe that the adjective ‘de-identified’ is ambiguous and confusing to the degree that it should be avoided altogether, whereas the verb ‘deidentify’ is acceptable to describe any process aiming to limit the identifiability of personal data. Given the sea of confusion in which the terminology describing identifiability finds The discombobulation of de-identification CORRESPONDENCE

Do It Yourself Newborn Screening

Direct-to-consumer (DTC) genetic testing on the Internet is flourishing and now includes disease risk testing that complements health care. Direct-toconsumer genetic testing continues to raise concerns, notably about consent and counseling issues, in addition to the clinical validity and utility of the tests. Direct-to-consumer genetic testing in children adds specific issues.1 Clinical guidelines currently advocate that testing and screening minors is only recommended when established, effective, and important medical treatment can be offered or when testing provides scope for treatment that may prevent, defer, or alleviate the outbreak of disease or its consequences. This reflects the careful consideration that is usually given to genetic tests, for which special attention is paid to communication about the test and its results, the confidentiality of genetic information, the willingness of the client to make the request, and the psychosocial impact of the test results. Recently, a new form of DTC genetic tests for children has emerged that raises additional ethical issues: a supplemental newborn screening (NBS) test sold to expecting couples. Although a few companies already sell such tests, the Baby Genes service is novel in several respects (https: //www.babygenes.net). For decades, NBS has been offered as a public health program in most industrialized countries and is recognized as one of the greatest achievements in public health.2 Public NBS programs aim to identify asymptomatic infants at high risk of certain congenital and metabolic disorders. This conventional NBS is based on specific criteria that are limited to well-understood diseases that require immediate medical intervention to prevent serious and permanent effects if left undetected and untreated, and for which effective treatments are available.3 Early detection of at-risk newborns allows for preventive measures and treatment before the manifestation of symptoms and considerably reduces morbidity and mortality. Newborn screening programs offer a range of services that include, in addition to the screening itself, the education of parents and health professionals; follow-up with diagnostic tests of the identified at-risk newborn; and treatment if affected, as well as the management, evaluation, and improvement of the NBS program.4 The Baby Genes genomic NBS test can be bought online by the consumer, but an order can also be made directly by the physician of a consumer. If bought by the consumer, the company’s own physician reviews the information provided and orders the supplemental NBS panel. The service may also be bought as a gift by family members or friends that could be considered “the perfect baby shower gift.” Consumers retrieve the results through their online accounts after physician review. Although the primary market for Baby Genes is the United States (except for 2 states for which the license is pending), international requests are accepted. Thus, supplemental NBS is available to parents across the globe and, depending on the country, represents a major challenge for public NBS programs. Baby Genes uses a next-generation sequencing panel of 92 genes linked to 71 conditions. The panel includes the American College of Medical Genetics (ACMG) recommended core and secondary newborn metabolic conditions, as well as testing for about 10 additional conditions not found in most states such as Krabbe, Gaucher, Fabry, and Pompe diseases. Considering that the United States is one of the countries in the world where NBS programs include the largest number of diseases screened and that the DTC supplemental NBS panel can be bought internationally, this offer of private screening significantly exceeds the number of diseases found in most public NBS programs. Internationally, national policies for NBS support transparent and evidence-based decision making, are based on population-specific characteristics, and ensure high-quality screening.5 The commercial offer of NBS does not fulfill these criteria. Indeed, commercial NBS raises issues about which conditions and variants are appropriate for screening and reporting to parents. Public health NBS panels are usually limited to asymptomatic but treatable conditions with a known natural history and a suitable and acceptable test for which immediate, adequate, medical follow-up exists. Admittedly, current NBS panels worldwide vary due to both a combination of organizational and operational factors, different value judgments of existing evidence, the presence (or not) of patient advocacy, and, population-related and economic considerations.6 Nevertheless, the Baby Genes panel includes conditions (such as Pompe, Krabbe, and Fabry disease) that have been evaluated by professional organizations or health agencies and currently are not recommended for screening due to high false-positive rates, variability in onset, lack of treatment options, and counseling difficulties. Although some interest groups push for the NBS screening of some of these diseases,7 we maintain that offering this kind of screening with high false-positive rates, without follow-up, counseling, or appropriate treatment is problematic. Serious challenges also include the return of variants of unknown significance. Unlike current practices and guidelines, Baby Genes reports variants of unknown significance in asymptomatic individuals.8 Moreover, it does so without adequate information and counseling for the parents in a period (ie, a few days after birth), during which time there is a serious risk of misinterpretation of the “results” and with potential repercussions for the parents and the child. VIEWPOINT