Temple Street delayed review of DNA project’s GDPR compliance
Rare disease genomics research continued eight months after start of data regulations
DNA molecule: GMI said the sample data gathered under the programme, following explicit consent from patients, would be deleted at the end of the rare disease programme.
Temple Street Children’s Hospital operated a project using patient DNA information for eight months before suspending it to review its compliance with new data-processing laws,
The study has seen DNA samples taken from 190 patients, with their consent, and sent to GMI for analysis.
Children’s Health Ireland (CHI), which operates Temple Street hospital, has confirmed that it had suspended the programme in February of this year for a review of the agreement it has with GMI to “reflect the requirements” of a raft of new data protection laws which came into force during 2018.
The new laws include the General Data Protection Regulations (GDPR).
The GDPR came into force in May of last year, some eight months before the programme was suspended.
“The 2016 agreement with GMI reflected the legal position as it existed in 2016. Since then, three significant pieces of legislation commenced in May and August 2018 – the General Data Protection Regulation, the Irish Data Protection Act 2018 and the Data Protection Act 2018,” a spokeswoman for CHI said.
“A decision to suspend the ‘Genomics of Rare Diseases in the Irish Population’ study was taken by CHI at Temple Street in partnership with GMI in February 2019,” the spokeswoman said.
The review of the agreement was undertaken “to reflect the requirements of GDPR, the Act and the health regulations”.
An updated agreement was signed on September 16th. The new agreement was reviewed by the CHI data protection officer and Temple Street’s legal counsel. It will also be examined by the hospital’s research ethics committee.
However, privacy experts said the suspension of the programme months after the introduction of GDPR raised questions for the hospital.
“If there was cause to pause and review it in light of GDPR, why was that not done prior to GDPR coming into force? If the processing that was done between May 25th and February of this year was not compliant, have they notified the Data Protection Commissioner of any breach?” asked Simon McGarr, a solicitor who specialises in privacy and data protection issues.
“It’s profoundly concerning that any matters relating to the use of genetic material by a third party were not examined as a matter of priority for their compliance before that point,” he said.
In a statement, GMI said that the samples gathered under the programme, which are gleaned following the receipt of explicit consent from patients, would be deleted at the end of the rare disease programme. The data was “not shared with any third parties on a commercial basis”, a spokesman said.
“The objective of the rare disease programme is to identify pathogenic variants causing rare diseases in children.
“Children with rare diseases often go undiagnosed for many years and understanding the diagnosis is critically important for the family so that they can have better support, optimal clinical care and importantly understand whether or not other family members are likely to be affected.”
GMI, which has plans to spend up to €800 million collecting DNA data from 400,000 Irish people, is a wholly owned subsidiary of WuXi NextCode, which has its headquarters in the US and investment links with China.
The US department of health and human services has previously been asked to report to Congress on the collection of US citizens’ DNA by WuXi NextCode and other companies.