Originally published July 8.
By Turna Ray
Direct-to-consumer genomics firm 23andMe has changed the consent process for its customers, giving them more control over the types of research for which their genomic data can be used.
In a June 24 post on 23andMe's blog "The Spittoon," the company informed customers that it has received institutional review board approval for genomic studies conducted by the company using customer data. An IRB is an independent panel, empowered by HHS, that ensures that studies involving human subjects protect them according to federal guidelines.
According to 23andMe, the company's research does not require approval by an IRB, but it sought this additional check to assure its customers that its "work is in line with scientific research best practices."
The federal regulation for protecting human research subjects (5 USC. 301; 42 USC. 289(a); 42 USC. 300v-1(b)), exempts IRB approval for research "involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behavior" that de-identifies study subjects.
Garnering IRB approval "has taken some time because 23andMe’s innovative new model of research was not originally anticipated by traditional IRB guidelines," the company stated in the blog. Well before this new research consent policy took hold, 23andMe used customers' data in at least one study that's been published.
Last month, the company published its first genome-wide association findings based on self-reported data from its customers. In the study, published in PLoS Genetics, researchers from 23andMe and Columbia University analyzed data from more than 9,000 customers and were able to verify previously reported associations for five traits and identified new SNPs linked to four of the traits, including hair curl, freckling, sneezing in response to light, and the ability to detect asparagus metabolite odors in urine.
The company has said in the past that it intends to pursue a similar model to study Parkinson's and other diseases through its 23andWe research arm.
Two years ago, the company launched 23andWe, aiming to improve the quality of patient data that enter pharmacogenomic-based clinical trials organized by 23andMe; advance the development of tailored drugs; and encourage regulators and medical groups to use genetic information in their medical decision making. Consumer-driven research is the cornerstone of the 23andWe research model, drawing from 23andMe's web-based community of customers to populate its studies (PGx Reporter 06/04/08).
According to the new consent document, which greets customers when they log on to their account, customers can explicitly give consent to submit their de-identified genomic data for research. If a customer chooses to not participate in 23andMe's research, they will still have access to their genomic information provided by the company. Customers who do not initially decide to participate in research will have other chances to give their consent, particularly if they continue to use 23andMe's services.
Previously, customers automatically gave consent to the company to use their data in research simply by purchasing a 23andMe genome scan.
Now, with IRB approval, customers are provided more detail with regard to how their genomic data may be used. Specifically, customers allow the company to use their data "to discover links between genetic markers and a variant of traits, diseases, and other physical conditions."
23andMe said in the consent form that it expects to enroll at least 5,000 of its customers in research studies of this type. Study topics can focus on traits such as hair color or freckles, or investigate a range of diseases and conditions, from Parkinson's disease to migraine headache or customers' response to over-the-counter drugs.
The company assures customers that its studies will not "cover potentially sensitive topics "such as sexual orientation, illicit drug use or other illegal behavior, or HIV/AIDS status." If 23andMe conducts future studies on these topics, the company promises to seek separate approval from its customers for these projects.
In the event 23andMe collaborates with other companies or research groups to conduct studies, these outside entities will also have access to de-identified, pooled genomic data. "23andMe will never release your individual-level data to any third party without asking for and receiving your explicit consent to do so," the company states in the consent form.
The company also notes that participating in its research studies is not without risks.
According to 23andMe, some research surveys might ask questions that will require the help of family members, and this might cause discomfort. The consent form also warns against abuse that might occur if customers release their account passwords to others.
In the event of a security breach, 23andMe customers' genomic data may be stolen. "If your data are associated with your identity they may be made public or released to insurance companies, which could have a negative effect on your ability to obtain insurance coverage," the consent form warns. While the company states that it has "strong security procedures in place" to lower the chance of this type of breach from occurring, it notes that this is not a fail-proof guarantee.
Finally, although the company strips customers' genomic data of identifying information, third parties involved in research studies may still be able to figure out customers' identities, albeit with difficulty.
"If 23andMe investigators publish results of this research study, your Genetic & Self-Reported Information may be made public, but only after being pooled so that identification of your individual-level data is extremely difficult," the consent form explains.
"However, it is possible that a third party that has obtained partial genetic data from you could compare the partial data to the published results and determine your survey responses."