LONDON - Considerable research has been devoted to understanding how our genes affect our body in health and in disease. Of even more use, however, is an understanding of the way in which individuals are affected by the interaction between their genetic makeup and their environment.
To do this would involve charting the health and lifestyles of large numbers of individuals over long periods and linking the resultant observations to these people's DNA sequences.
A project to do just that has recently been announced in the UK. The UK Biobank Project, a study of genes, environment and health, has been designed to collect genetic information from DNA samples and relate that information to the medical records of some half-million volunteers aged between 45 and 69 years.
Projects such as Biobank UK, which will be funded jointly by the Wellcome Trust, the Medical Research Council and the Department of Health, hope to explore the effect that nature and nurture have on health. Similar projects are taking place in the private sector. Just think Decode Genetics.
The efforts to sequence the human genome were accompanied by a well-publicized debate on the extent to which intellectual property should be available to protect the fruits of privately funded genetic research. Scientists leading the publicly funded research endeavoured to ensure that genetic sequence data remains publicly available. But such openness is unlikely to be replicated when research takes an extra step and links individual genetic information to personal details.
Although databases containing personal genetic information are likely to yield benefits to human health, they are clearly collections of some of the most private and sensitive personal information. As a result, llegislators around the world are now beginning to take notice of the privacy and confidentiality issues associated with the collection or use of personal genetic information.
Privacy and confidentiality
Article 8 of the European Convention on Human Rights says eeveryone has the right to get respect for his or her private and family life, home, and correspondence. Although this right of privacy has been enacted in the UK by legislation under the Human Rights Act 1998, recent case law has revealed a marked reluctance by the courts to establish new law involving the infringement of privacy.
Indeed, one of the UK's most senior judges, Lord Woolf, recently stated: "In the great majority of situations ... an action for breach of confidence now will, where this is appropriate, provide the necessary protection."
In order for a breach of confidence to come to life, three distinct elements must be in place that prove that confidential information was either disclosed or used without the proper authority:
1. The information at the center of the breach must have been confidential;
2. The information must have been communicated in circumstances importing an obligation of confidence; and
3. There must have been an unauthorized use of that information to the detriment of the party communicating it.
Although the law deems that an obligation of confidentiality exists in certain circumstance--say, between a doctor and his patient--in most commercial matters such an obligation can only be imposed by putting in place an appropriate confidentiality agreement.
The "processing" of "personal data"--which includes virtually any personal information relating to living individuals--is regulated by the Data Protection Act 1998. Processing is very widely defined, and almost any interaction with information about a living person, including obtaining, storing, using, or transferring it, will be an act of processing.
The DPA also identifies a special class of "sensitive personal data"--information about a person's health, race, sexuality, religious beliefs, trade union membership, or criminal convictions or prosecutions--that warrants stricter controls. Once the provisions of the DPA are triggered, a number of obligations and restrictions is imposed on those who collect, use, or otherwise process such data. Additionally, the law grants the data donors a number of rights.
Although a detailed analysis of the provisions of the DPA is outside the scope of this column, the take-home message is simple: In general, in order to process personal genetic information a data controller must ensure that it has the data subject's explicit consent to such processing. The terms of such consent should be drafted as widely as possible to cover all the purposes for which such data are likely to be used.
The limitations of anonymity
If the data concerned do not relate to a living individual then the DPA is not triggered. Anonymizing data may therefore be a shortcut to ensuring that the restrictions imposed by the DPA will not apply.
But guidance from the UK's Information Commissioner, the government-appointed official charged with overseeing the DPA, suggests that avoiding data-protection issues through anonymization may not be as simple as it first seems: The very nature of personal genetic data, for example, limits its complete anonymization.
In any event, as the value of genetic databases is derived from the fact that genetic information can be linked to a person's health and lifestyles, the opportunities for anonymization are limited.
The Human Genetics Commission, a body that advises the UK government on current and potential developments in human genetics, has suggested in a recent report that it should be a criminal offence to test someone's DNA or access that genetic information without their consent for non-medical purposes, except as allowed by law.
In respect of the principle of consent, the HGC states: "Private genetic information about a person should generally not be obtained, held, or communicated without a person's free and informed consent."
Yet the HGC also manages to identify the concept of genetic solidarity and altruism this way:
"We all share the same basic human genome, although there are individual variations which distinguish us from other people. Most of our genetic characteristics will be present in others. This sharing of our genetic constitution not only gives rise to opportunities to help others but also highlights our common interest in the fruits of medically based genetic research."
In other words, these considerations may override the principle of respect for persons in which the social interest exceeds the interests of individuals.
From this starting point, the HGC report comes to a number of conclusions on the subject of genetic databases.
On the commercial uses of data, the HGC notes that access to samples and personal genetic information may need to be made available to commercial organizations since the development of medicines and treatments is largely a commercial undertaking. This undertaking would be severely limited if commercial access to genomic data were denied.
To ensure that any consent for the processing of an individual's data for such purposes is properly obtained, the HGC concludes that the question of commercial involvement in research or access to genetic databases should be fully explained at the time of obtaining that consent. In order to allay concern about wider uses it may be necessary to restrict commercial access to only those companies engaged in health-related research.
In terms of public and private databases, the HGC notes that setting up large-scale population databases, such as the Decode database in Iceland, has raised concerns about the "privatization" of genetic resources. The report mentions how, in this case, there was particular criticism of the exclusive relationship which was developed between the controllers of the databases and a single private company.
In other cases in which genetic data has been obtained or databases established in developing countries, there has been criticism that this data could benefit research in western countries and will not benefit in any way the community from which the data is obtained.
Though the HGC has attempted to balance public benefit with the interests of commercial organisations that set up such databases, it has does not come to any fixed conclusions. Its view is that large-scale population genetic databases, established with and supported by public funding like the UK Biobank project, constitute a national asset. In other words, national benefit and interest should be taken into account in determining the terms upon which access to such databases should to be granted. The message from the HGC is that this matter should be kept under review.
Penny Gilbert is a Partner in the law firm Bristows in London. She has a DPhil in Molecular Biology and specialises in advising on IP rights in the biotech field. George Moore is an Assistant Solicitor at Bristows. He has a degree in chemistry and advises on IP rights in the chemical, pharmaceutical and biotech fields.