- Email: [email protected]
Advancing Research and Privacy: Achievements, Challenges, and Core Principles
ASHG PERSPECTIVE Advancing Research and Privacy: Achievements, Challenges, and Core Principles The genetics and genomics research community is a leader in leveraging large-scale data to transform science and medicine and in developing related policies and practices to protect the confidentiality of personal genetic information. Many laws also protect the genetic privacy of patients and participants in federally funded research. If the potential benefits of genetics and genomics research are to be advanced in the context of public considerations regarding broader consumer data protections, it is vital to recognize genetic research privacy protections already in place and imperative to avoid inadvertently harming biomedical research. With the growth of privately funded genetics research, ASHG asserts core privacy principles that should be applied to protect the data confidentiality of all research participants, regardless of the funding source.
The genetics and genomics research community is a leader in the use and stewardship of large-scale data to advance scientific knowledge and improve health. Worldwide, these data and biobanks are helping us understand more about the genetic health risk and resiliency of individuals and populations, and that new knowledge is driving improved disease diagnosis, novel treatments, and greater insight into our shared human origins. To sustain these advances, the community must encourage broad public participation, continue research investments, and promote privacy protections. Through decades of biological research, much of it funded by federal sources, human genetics and genomics has been at the forefront of strategies and efforts to use and share datasets while striving to protect confidential information. Four Key Points Concerning Genetic and Genomic Research Where genetic and genomic research and data privacy are concerned, ASHG stresses four key points: d
d
The field of medical research, and genetics and genomics in particular, employs the highest standards of protection of confidentiality of personal information. ASHG affirms its unwavering commitment to encouraging and expecting the research community to meet all requirements for protecting participant genetic
d
d
privacy in accordance with national policies. Given the centrality of data to genetics and genomics, the research community is proactive in addressing privacy risks or breaches, assessing how new technological advances could identify individuals from genomic information, and helping to lead the development or revision of professional practices to protect confidentiality. In broader policy discussions about data protection, it is vital to recognize the robust research protections currently in place, preserve them, and avoid inadvertently harming biomedical research. Broader consumer privacy policies should establish defined research exemptions and prevent undue or redundant regulation that slows discovery. As more genetic and genomic research is conducted in the private sector with privately collected data, ASHG urges collective recognition of, and action on, core principles that support privacy protections in both the publicly and privately funded research spheres and the potential value of harmonizing such regulations to advance research.
Current Approaches to Protecting Privacy in U.S. Federally Funded Research Currently, multiple laws and policies in the U.S. collectively provide genetic
privacy when individuals participate in federally funded genetics research or undergo genetic testing. For instance, the U.S. Federal Policy for the Protection of Human Subjects (45 CFR 46, known as the Common Rule) requires informed consent and a description of how participant results are shared. The National Institutes of Health’s Genomic Data Sharing Policy, Certificates of Confidentiality, and Freedom of Information Act provisions in the 21st Century Cures Act protect research participant data from disclosure for non-research purposes. Similarly, the Health Information Portability and Accountability Act (HIPAA) protects individuals against unauthorized access to clinical genetic information such as test results. The federal Genetic Information Nondiscrimination Act1 and a variety of state privacy laws restrict access to genetic data by employers, health insurers, and others. The genetics community has been proactive in examining practices in our current research methods, for example by exploring the identifiability of participants solely from genomic information and from public data sources.2 This line of research feeds active discussions among genetics researchers and the development of novel strategies to protect participant privacy. Genetics and genomics researchers continue to adjust protections to better meet the needs of both participants and researchers, for example by updating the Genomic Data Sharing Policy.3
https://doi.org/10.1016/j.ajhg.2019.08.005.
The American Journal of Human Genetics 105, 445–447, September 5, 2019 445
Emerging Broader Privacy Policies Must Consider Research Needs Given the growing role of data in virtually every facet of human life, the need for broader and more rigorous general data privacy policies is gaining substantial traction. For research, surveys4 have found that the public is interested in participating in biomedical research and contributing specimens to biobanks and that their willingness increases when they are informed about existing privacy protections. At the same time, emerging broad consumer data privacy laws and policies provide instructive examples as we consider research and data regulation. The European General Data Protection Regulation (GDPR) provisions were developed expressly to protect research uses; they allow for broad consent and enable the European research community to continue crucial genomic and genetic population-based research. Yet the potential for unintended consequences is real: a well-intentioned South African consumer protection law could imperil medical research on cardiovascular disease and stroke in diverse populations across the African continent. That law omitted the research protections granted through GDPR and, if uncorrected, could effectively restrict the use of research participant data after broad consent had already been granted.5 Privately Collected Research Data— Important Privacy Questions Need Discussion Current U.S. genetic privacy laws apply only to federally funded research or to clinical genetic and genomic testing. In recent years, there has been a marked increase in consumers availing themselves of private services offering genetic and genomic tests such as those of genetic health and ancestry, but these consumers may have more limited legal privacy protections and might be unaware of how their data could be used in other contexts. Consumers who agree to share their data for privately funded research purposes might not be pro-
tected by the Common Rule. Where there is appropriate consent and oversight, consumer data collected by private testing services can be a valuable resource for genetic and genomic research. ASHG encourages opportunities to engage with consumer genomics companies developing customer privacy policies related to their research, and we commend the Future of Privacy Forum for their publication of best practices for protecting consumer genetic data.6 Core Principles ASHG is dedicated to advancing human genetics and genomics through research, education, and advocacy and believes that essential privacy principles should govern genetic information acquired for publicly or privately funded research: d
d
d
d
d
Individuals should have a right to maintain the confidentiality of their own genetic information and should not be compelled to disclose it. Entities holding human genomic data must take robust measures to protect the confidentiality of individuals’ medical and genetic information. The users of research participants’ genetic and genomic information should assess the risks and benefits for both the participants and for society. The nature of those analyses should determine which privacy protections and data-sharing practices are appropriate. When establishing privacy policies and practices, it is important to consider context—when it is desirable and appropriate for genetic information to be treated the same way as other biological, health, or personal information and when there are factors that require genetic information to be treated differently from other forms of health data.7 Research policies should both facilitate data sharing and protect the confidentiality of research participants’ medical and genetic
446 The American Journal of Human Genetics 105, 445–447, September 5, 2019
data in a way that both advances research and respects participants’ preferences. Looking Ahead ASHG will continue to engage with policymakers regarding emerging discoveries in our field, the benefits of research participation, and the importance of laws and regulations that address research, medical progress, and privacy. As new broad dataprivacy policies are considered, it is essential to examine how they will affect research and medicine, seek clarity, and advocate for research needs. The community might also explore how core privacy principles for research might apply to emerging non-research settings and new uses of genetic data. If we are to realize the benefits of genetics and genomics research for all, we must ensure broad data sharing while fostering confidentiality so that we can maintain the confidence and trust given to us by research participants who seek to improve medical and health outcomes for us all.
Acknowledgments The statement above has been reviewed, edited, and approved by the ASHG Executive Committee on behalf of the ASHG Board of Directors. They alone are responsible for its content. The statement was informed by input from ASHG members with expertise and interest on the topic but does not necessarily represent the views of those members. ASHG thanks them for their contributions, dedication, and input.
References 1. American Society of Human Genetics (2018). Genetic Information Nondiscrimination Act. http://www.ashg.org/ policy/gina.shtml. 2. Gymrek, M., McGuire, A.L., Golan, D., Halperin, E., and Erlich, Y. (2013). Identifying personal genomes by surname inference. Science 339, 321–324. 3. National Institutes of Health (2018). Update to NIH Management of Genomic Summary Results Access. https://grants. nih.gov/grants/guide/notice-files/NOTOD-19-023.html. 4. Kaufman, D.J., Murphy-Bollinger, J., Scott, J., and Hudson, K.L. (2009).
Public opinion about the importance of privacy in biobank research. Am. J. Hum. Genet. 85, 643–654. 5. Nordling, L. (2019). A new law was supposed to protect South Africans’ privacy. It may block important research instead.
Science. https://www.sciencemag.org/ news/2019/02/new-law-was-supposedprotect-south-africans-privacy-it-mayblock-important-research. 6. Future of Privacy Forum (2018). Privacy Best Practices for Consumer Genetic Testing Services. https://fpf.org/
2018/07/31/privacy-best-practices-forconsumer-genetic-testing-services/. 7. Garrison, N.A., Brothers, K.B., Goldenberg, A.J., and Lynch, J.A. (2019). Genomic contextualism: Shifting the rhetoric of genetic exceptionalism. Am. J. Bioeth. 19, 51–63.
The American Journal of Human Genetics 105, 445–447, September 5, 2019 447
The genetics and genomics research community is a leader in the use and stewardship of large-scale data to advance scientific knowledge and improve health. Worldwide, these data and biobanks are helping us understand more about the genetic health risk and resiliency of individuals and populations, and that new knowledge is driving improved disease diagnosis, novel treatments, and greater insight into our shared human origins. To sustain these advances, the community must encourage broad public participation, continue research investments, and promote privacy protections. Through decades of biological research, much of it funded by federal sources, human genetics and genomics has been at the forefront of strategies and efforts to use and share datasets while striving to protect confidential information. Four Key Points Concerning Genetic and Genomic Research Where genetic and genomic research and data privacy are concerned, ASHG stresses four key points: d
d
The field of medical research, and genetics and genomics in particular, employs the highest standards of protection of confidentiality of personal information. ASHG affirms its unwavering commitment to encouraging and expecting the research community to meet all requirements for protecting participant genetic
d
d
privacy in accordance with national policies. Given the centrality of data to genetics and genomics, the research community is proactive in addressing privacy risks or breaches, assessing how new technological advances could identify individuals from genomic information, and helping to lead the development or revision of professional practices to protect confidentiality. In broader policy discussions about data protection, it is vital to recognize the robust research protections currently in place, preserve them, and avoid inadvertently harming biomedical research. Broader consumer privacy policies should establish defined research exemptions and prevent undue or redundant regulation that slows discovery. As more genetic and genomic research is conducted in the private sector with privately collected data, ASHG urges collective recognition of, and action on, core principles that support privacy protections in both the publicly and privately funded research spheres and the potential value of harmonizing such regulations to advance research.
Current Approaches to Protecting Privacy in U.S. Federally Funded Research Currently, multiple laws and policies in the U.S. collectively provide genetic
privacy when individuals participate in federally funded genetics research or undergo genetic testing. For instance, the U.S. Federal Policy for the Protection of Human Subjects (45 CFR 46, known as the Common Rule) requires informed consent and a description of how participant results are shared. The National Institutes of Health’s Genomic Data Sharing Policy, Certificates of Confidentiality, and Freedom of Information Act provisions in the 21st Century Cures Act protect research participant data from disclosure for non-research purposes. Similarly, the Health Information Portability and Accountability Act (HIPAA) protects individuals against unauthorized access to clinical genetic information such as test results. The federal Genetic Information Nondiscrimination Act1 and a variety of state privacy laws restrict access to genetic data by employers, health insurers, and others. The genetics community has been proactive in examining practices in our current research methods, for example by exploring the identifiability of participants solely from genomic information and from public data sources.2 This line of research feeds active discussions among genetics researchers and the development of novel strategies to protect participant privacy. Genetics and genomics researchers continue to adjust protections to better meet the needs of both participants and researchers, for example by updating the Genomic Data Sharing Policy.3
https://doi.org/10.1016/j.ajhg.2019.08.005.
The American Journal of Human Genetics 105, 445–447, September 5, 2019 445
Emerging Broader Privacy Policies Must Consider Research Needs Given the growing role of data in virtually every facet of human life, the need for broader and more rigorous general data privacy policies is gaining substantial traction. For research, surveys4 have found that the public is interested in participating in biomedical research and contributing specimens to biobanks and that their willingness increases when they are informed about existing privacy protections. At the same time, emerging broad consumer data privacy laws and policies provide instructive examples as we consider research and data regulation. The European General Data Protection Regulation (GDPR) provisions were developed expressly to protect research uses; they allow for broad consent and enable the European research community to continue crucial genomic and genetic population-based research. Yet the potential for unintended consequences is real: a well-intentioned South African consumer protection law could imperil medical research on cardiovascular disease and stroke in diverse populations across the African continent. That law omitted the research protections granted through GDPR and, if uncorrected, could effectively restrict the use of research participant data after broad consent had already been granted.5 Privately Collected Research Data— Important Privacy Questions Need Discussion Current U.S. genetic privacy laws apply only to federally funded research or to clinical genetic and genomic testing. In recent years, there has been a marked increase in consumers availing themselves of private services offering genetic and genomic tests such as those of genetic health and ancestry, but these consumers may have more limited legal privacy protections and might be unaware of how their data could be used in other contexts. Consumers who agree to share their data for privately funded research purposes might not be pro-
tected by the Common Rule. Where there is appropriate consent and oversight, consumer data collected by private testing services can be a valuable resource for genetic and genomic research. ASHG encourages opportunities to engage with consumer genomics companies developing customer privacy policies related to their research, and we commend the Future of Privacy Forum for their publication of best practices for protecting consumer genetic data.6 Core Principles ASHG is dedicated to advancing human genetics and genomics through research, education, and advocacy and believes that essential privacy principles should govern genetic information acquired for publicly or privately funded research: d
d
d
d
d
Individuals should have a right to maintain the confidentiality of their own genetic information and should not be compelled to disclose it. Entities holding human genomic data must take robust measures to protect the confidentiality of individuals’ medical and genetic information. The users of research participants’ genetic and genomic information should assess the risks and benefits for both the participants and for society. The nature of those analyses should determine which privacy protections and data-sharing practices are appropriate. When establishing privacy policies and practices, it is important to consider context—when it is desirable and appropriate for genetic information to be treated the same way as other biological, health, or personal information and when there are factors that require genetic information to be treated differently from other forms of health data.7 Research policies should both facilitate data sharing and protect the confidentiality of research participants’ medical and genetic
446 The American Journal of Human Genetics 105, 445–447, September 5, 2019
data in a way that both advances research and respects participants’ preferences. Looking Ahead ASHG will continue to engage with policymakers regarding emerging discoveries in our field, the benefits of research participation, and the importance of laws and regulations that address research, medical progress, and privacy. As new broad dataprivacy policies are considered, it is essential to examine how they will affect research and medicine, seek clarity, and advocate for research needs. The community might also explore how core privacy principles for research might apply to emerging non-research settings and new uses of genetic data. If we are to realize the benefits of genetics and genomics research for all, we must ensure broad data sharing while fostering confidentiality so that we can maintain the confidence and trust given to us by research participants who seek to improve medical and health outcomes for us all.
Acknowledgments The statement above has been reviewed, edited, and approved by the ASHG Executive Committee on behalf of the ASHG Board of Directors. They alone are responsible for its content. The statement was informed by input from ASHG members with expertise and interest on the topic but does not necessarily represent the views of those members. ASHG thanks them for their contributions, dedication, and input.
References 1. American Society of Human Genetics (2018). Genetic Information Nondiscrimination Act. http://www.ashg.org/ policy/gina.shtml. 2. Gymrek, M., McGuire, A.L., Golan, D., Halperin, E., and Erlich, Y. (2013). Identifying personal genomes by surname inference. Science 339, 321–324. 3. National Institutes of Health (2018). Update to NIH Management of Genomic Summary Results Access. https://grants. nih.gov/grants/guide/notice-files/NOTOD-19-023.html. 4. Kaufman, D.J., Murphy-Bollinger, J., Scott, J., and Hudson, K.L. (2009).
Public opinion about the importance of privacy in biobank research. Am. J. Hum. Genet. 85, 643–654. 5. Nordling, L. (2019). A new law was supposed to protect South Africans’ privacy. It may block important research instead.
Science. https://www.sciencemag.org/ news/2019/02/new-law-was-supposedprotect-south-africans-privacy-it-mayblock-important-research. 6. Future of Privacy Forum (2018). Privacy Best Practices for Consumer Genetic Testing Services. https://fpf.org/
2018/07/31/privacy-best-practices-forconsumer-genetic-testing-services/. 7. Garrison, N.A., Brothers, K.B., Goldenberg, A.J., and Lynch, J.A. (2019). Genomic contextualism: Shifting the rhetoric of genetic exceptionalism. Am. J. Bioeth. 19, 51–63.
The American Journal of Human Genetics 105, 445–447, September 5, 2019 447