Should your medical data be off the record?
Ethical issues that arise in stem-cell research, embryo research and reproductive cloning, genome sequencing, gene editing and population-scale biobanks are huge
Medical and scientific researchers are closely watching the new EU General Data Protection Regulation and what it might mean for their work after it takes effect next May
Almost four and a half years ago, then minister for health Dr James Reilly ordered the Health Service Executive not to destroy more than one million blood samples taken from newborn children in the Republic between 1984 and 2002.
The heel-prick tests, known as Guthrie tests, are carried out on all babies to screen for genetic conditions.
The decision to destroy the cards with the blood samples on them came after it emerged that those taken before July 1st, 2011, were being retained without consent, and therefore in breach of national and EU data protection law.
The Royal College of Physicians at the time said there was an “explosion of molecular genetics” every day that was being added to and that the “museum piece” cards could prove to be even more valuable in the future.
The Irish Heart Foundation, which had campaigned to save the cards, said some 1,400 families that had lost a member through sudden adult death syndrome would, as a result, be able to get a genetic diagnosis to see if they were at risk.
The debate over those cards and the legality of retaining them still rumbles on, as do ethical questions about the privacy of highly sensitive medical data obtained for one purpose and whether it should ever be used for another without the consent of the original subject, in the absence of a legal exemption.
Meanwhile, medical and scientific researchers are closely watching the new EU General Data Protection Regulation (GDPR) and what it might mean for them and their work after it takes effect next May.
While the regulation allows certain exemptions for processing “special cateogories” of data, including genetic and biometric data, the Irish legislation hasn’t been written yet and researchers are waiting to see what it will mean for their work.
In some cases, they are worried about what the new law will mean for historic datasets and longitudinal studies and whether they will have to delete them on the grounds that they will not have the appropriate standards of explicit consent post May 2018 to retain them.
Even in just a few years, the medical, legal, ethical and social dilemmas involved in processing health data, including biological samples obtained from patients or research study volunteers have become vastly more complex.
The ethical issues that arise around areas such as stem cell research, embryo research and reproductive cloning, genome sequencing, gene editing and population-scale biobanks are huge.
Opportunities for uncovering the causes of disease, for resolving fertility issues, for “fixing” genetic conditions, for treating cancers, are within the grasp of scientists and researchers, but there is still no international consensus on many issues.
Concerns are evolving too in light of new models for funding research, such as venture capital-backed projects where highly sensitive data used for research, and effectively a permanent record, may ultimately end up being used by or sold for profit to companies or other third parties anywhere in the world.
Researchers are still uncertain what exactly the GDPR will mean for them in terms of the exemptions from data protection legislation that will apply to so-called “special categories” of data – including genetic and biometric health data used for research.
At a recent event in Dublin, the Irish Platform for Patients’ Organisations, Science and Industry (IPPOSI) explored the concerns about data protection, consent and the forthcoming regulation.
IPPOSI chief executive Dr Derick Mitchell told the event: “Patients are aware that the altruistic benefit of being involved in research far outweighs the risks, but they do expect that they will be consulted on the use of their data.”
He said empowerment of the data owner was fundamental to the forthcoming changes in the law, and the event explored a model of so-called “dynamic consent” to allow people consent to have their data used for research, possibly allowing “broad consent” at the outset and opt-outs at a later stage where they did not agree to new uses. The legal jury is still out on whether such a model is even possible.
Dr Mitchell said a national response was required to GDPR and not just for health research.
He hoped that guidance on the question of consent for processing of personal data expected later in the year from the independent body representing all of the EU’s national data protection authorities would be a step forward.
“But I think the real crux is the code of conduct and each institution in effect will have to develop their own code of conduct as to how they approach data protection from the beginning of projects rather than having it as a kind of tick-box exercise at the end of a project,” he said.
Dr Mitchell said the explicit consent referred to in the EU regulation, for example, had “very real consequences” for the continuation of large-scale population biobanks, for example.
There was also an ethical argument going on as to whether a person’s consent could be said to be informed if they ultimately did not know what the research project might ultimately examine.
Prof Jane Grimson, a member of the e-health Ireland committee and a former director of Health Information in the Health Information and Quality Authority, said the potential of health data and research had to be balanced with a patient’s right to privacy.
Ownership of patient records was critical, she said.
“I think the way we are moving now is much more towards electronic health records that will be owned and controlled by the individual. It’s their information and they should be in control of who has a right to see information and the information (that is used in research).”
Ethics research committees were critical and needed to operate to a very high standard to ensure the trust of people, she added.
“It’s an absolute minefield but I really think that ethics committees are critical.”
Prof Orla Sheils, director of the Trinity Translational Medicine Institute and director of medical ethics at the School of Medicine, TCD, said she believed GDPR would have immediate consequences for data already being processed by researchers. It was a “very grey area”.
“The difficulty with that is that if data has been collected over a long period of time that a person may not want to be reminded of the time that they were ill. That’s the balance you are trying to find there. So the way to get around that is to try to give people enough options up front to decide ‘yes, I want to gift my sample and provided the research that’s going to be done is ethical and has been approved, that’s okay by me’.”
Prof Sheils, who sits on the St James’s and Tallaght hospital research ethics committee, said all research involving humans had to be approved by such a committee.
“It’s never an ethical issue if the answer is easy,” she said.
“Like everything else in life, it’s about finding that happy balance that people are comfortable with,” she said.
“There is never really a right answer when there is an ethical dilemma. What I always say to students is that you are hoping for the ‘least bad’ option.”
Cathal Ryan of the office of the Data Protection Commissioner told the IPPOSI event the new EU regulation would bring harmonisation, transparency and accountability to a very dense and complex area. The regulation was “very pragmatic” and the code of conduct within it would act as a form of self-regulation, with the additional oversight of an independent monitoring body. But he said adequate transparency on data protection in the sector had been lacking.
“If there is an erosion of trust, if the health sector doesn’t treat an individual’s data in the right way, there will be problems.”