Both Gostin and Erlich agree the most realistic and pragmatic course of action to take is telling people of the upfront privacy risks so they can make an informed decision on whether or not to participate.
“If privacy can’t be guaranteed, then the focus should be shifted to mitigating data misusage,” says Jeffrey Kahn, professor of bioethics and public policy at Johns Hopkins Berman Institute of Bioethics. Kahn says that the U.S Department of Health and Human Services should tighten its regulations on sharing data from human subject research. Currently, federal protections apply only to research funded by a select number of federal agencies. Kahn says this means a person or company could potentially exploit someone’s genetic information in certain online sequencing databases without fear of legal repercussions.
The proposed changes would put in place protections for all federally supported human research projects and make it easier to track instances of misuse. “All genetic information is inherently identifiable,” he says. “But that doesn’t mean there shouldn’t be consequences for people and companies that put it to misuse.”
Rights & Permissions
See what we're tweeting about
2 Comments
Add CommentIts challenging to truly get informed consent about the risks of providing genetic material and information to a study. Generally, its the partners and service providers that are the source of many leaks - often three of four steps away from the original interaction.
Reply | Report Abuse | Link to thisDoes this mean privacy is dead? Or even deader than we feared before?
Reply | Report Abuse | Link to thisNo! The thing that so many observers are missing is that international privacy law already provides a mechanism to control re-identification of anonymous data. These laws have been applied forcefully in Europe to shut down Facebook's facial recognition feature and make them destroy their templates.
Said mechanism is the Collection Limitation Principle: a business or government must not collect Personally Identifiable Information (PII) it does not need. "Collection" is a technology neutral concept. If a named data record comes to be in your possession, you have essentially collected it. Collection can be direct or indirect. So, putting names to erstwhile anonymous data -- be it photos or DNA -- is a clear case of indirect collection of PII.
Re-identificaton of DNA is an act that has major implications under existing international privacy law. There is an argument in my mind that any re-identification by researchers should at the very least be subject to ethics committee approval. And any company that deliberately exploits DNA re-identification may face the force of the law as Facebook did.
See http://lockstep.com.au/blog/2013/02/08/dna-privacy-letter-to-science.