By Robert I. Field, Anthony W. Orlando, and Arnold J. Rosoff
Large genetic databases pose well-known privacy risks. Unauthorized disclosure of an individual’s data can lead to discrimination, public embarrassment, and unwanted revelation of family secrets. Data leaks are of increasing concern as technology for reidentifying anonymous genomes continues to advance.
Yet, with the exception of California and Virginia, state legislative attempts to protect data privacy, most recently in Florida, Oklahoma, and Wisconsin, have failed to garner widespread support. Political resistance is particularly stiff with respect to a private right of action. Therefore, we propose a federal regulatory approach, which we describe below.
Current laws and regulations, at both the federal and state level, are clearly inadequate to protect genetic data subjects and their relatives. The Privacy Rule issued under the Health Insurance Portability and Accountability Act (HIPAA) only applies to health care providers and payers. The Common Rule, adopted in 1981 and revised in 2018, requires Institutional Review Board (IRB) oversight only for human subjects research funded by the federal government; and similar rules of the Food and Drug Administration (FDA) apply only to the research used in support of New Drug Applications. Should genetic data reach a third party, the Genetic Information Nondiscrimination Act (GINA) offers no protection against discrimination in disability, life, and long-term care insurance. The Americans with Disabilities Act (ADA) has little application to genetic traits that have not yet manifested as phenotypes. Those state laws that do exist apply only in those jurisdictions enacting them and typically treat genetic information the same as other data without regard for its exceptional risks.
Of particular concern are databases maintained by private, direct-to-consumer (DTC) testing companies, such as 23andMe and Ancestry, which largely escape federal oversight. The only significant legal constraint on unauthorized data disclosure is companies’ terms of service, which tend to be vague, hard to find, couched in legalistic language, changeable, and often nonexistent. Current regulatory oversight by the Federal Trade Commission (FTC) is widely seen as limited. These large databases pose additional risks to relatives of data subjects, who can often be identified at several degrees of genetic separation and are likely unaware that information about them has been stored.
The legislative remedies that have been proposed call for enhanced federal authority, either for the FTC, or a new agency, devoted to regulating genetic privacy. While the intent of these proposals is commendable, there are significant political obstacles to their implementation, and they run the risk of creating large, centralized bureaucracies that are unresponsive to individual circumstances.
We propose use of a new, decentralized mechanism modelled on IRBs, as explained further in our recent article in the Indiana Health Law Review. It would also include elements of Data Access Committees, which review requests for access to databases on a voluntary basis. We call our new mechanism Data Protection Review Boards (DPRBs).
Our concept envisions DPRBs constituted in response to each proposed data-sharing arrangement between a DTC company and an external organization, which might be a research institute, university, health system, or pharmaceutical company. The company would be required to constitute a DPRB before data could be shared, and the DPRB would continue to monitor the arrangement until it had been concluded. In addition to considering privacy risks to database subjects, DPRBs would consider ways to mitigate risks to their genetic relatives.
In terms of operational details, the boards could be housed in nonprofit organizations under the direction of either the FTC or a new federal agency. The organizations would maintain rosters of eligible members based on vetting of their expertise and independence. DTC companies could select members for each proposed arrangement from the roster, with limits on repeat selection of the same individuals, to avoid preference for those considered most likely to approve the arrangement. An external organization might be created to accredit the organizations that house DPRBs, similar to the Association for the Accreditation of Human Research Protection Programs, which accredits IRBs.
We view 10-15 members as the ideal size for DPRBs. The average IRB size is 13.9 members. Each DPRB would include expertise in key relevant disciplines, including genetics, cybersecurity, data analytics, bioethics, and law. It would also include members representing the interests of database subjects, researchers, and the DTC companies themselves. Resources for operations could be provided, with user fees paid by the companies along the lines of those paid by pharmaceutical firms for FDA new drug reviews. Enforcement could be through fines, limits on use of data analyses in New Drug Applications, and ineligibility for publication of research in peer-reviewed journals.
DPRBs would require privacy safeguards tailored to each data-sharing arrangement. General safeguards applicable in all cases would start with limiting sharing to those data elements needed for the arrangement involved, with no sharing of whole genomes unless necessary. Others would include prohibition of further data sharing by the recipient without DPRB approval, encryption of data, use of secure servers, vetting of personnel with data access, maintenance of records of individuals with authority to access data, and deletion of data by the recipient once the arrangement had concluded. Technical safeguards required in individual cases might include removing metadata, replacing direct access to data with queries to the DTC company, and using a statistical technique known as differential privacy.
The advantages of our model are similar to those of using IRBs instead of centralized oversight. DPRBs would be decentralized, have the flexibility to adapt their reviews to individual circumstances, and be able to apply expertise relevant to each data-sharing arrangement.
We acknowledge that our proposal would likely face substantial political resistance. DPRBs would be intrusive and might add hurdles for some valuable data-sharing arrangements. However, a trend of increasing reports of unauthorized data disclosures could discourage many people from contributing their information to genetic databases or permitting the use of their data for research, presenting a much greater threat to the ability of database research to advance biomedical innovation. Given how valuable the continued expansion of genetic data analysis is, we must take action to make genetic data sharing more secure and increase the public’s perception of its importance and safety.
Robert I. Field is Professor of Law and Professor of Health Management and Policy at Drexel University.
Anthony W. Orlando is Assistant Professor of Finance, Real Estate, and Law at the College of Business Administration at California State Polytechnic University, Pomona.
Arnold J. Rosoff is Professor Emeritus of Legal Studies and Health Care Management at The Wharton School of the University of Pennsylvania.