Consent and Privacy Policy Updates From GA4GH

October 18, 2019

By Allison Proffitt

Last month the Regulatory and Ethics Work Stream of the Global Alliance for Genomics in Health shared revised regulatory and ethics policies.

The GA4GH Consent Policy and the GA4GH Data Privacy and Security Policy were both originally released in June 2015 and build on the Alliance's Framework for Responsible Sharing of Genomic and Health-Related Data. Prompted by developments in data protection law and genetic privacy—including the European Data Protection Regulation in May 2018 and the Council of Europe's Recommendation on the protection of health-related data in March 2019—the Regulatory and Ethics Work Stream (REWS) undertook a comprehensive review of its policy frameworks and guidance documents to ensure they meet the demands of the current era of genomic medicine.

The revised Consent Policy aims to guide international data sharing in a way that respects autonomous decision making while promoting the common good. The Data Privacy and Security Policy provides guidance on protecting and promoting the security, integrity, and availability of data and services, and the privacy of individuals, families, and communities whose data are processed.

The team also reviewed the 2014 Framework for Responsible Sharing of Genomic and Health-Related Data and reaffirmed its suitability for the current regulatory climate.

Reviewing Consent Policies

The GA4GH Consent Policy "aims to guide the sharing of genomic and health-related data in a way that supports the autonomous decision-making of data subjects while promoting the common good of international data sharing, allowing everyone to share in the benefits of scientific progress and its applications as is their right."

"There is… a generally increasing need to share data collected from patients in clinical settings with researchers in many different arenas," said Susan Wallace, who led the revision of the Consent Policy, in a statement. "At the same time, healthy individuals are uploading their data to online platforms such as genealogy websites, sometimes unaware of how those data will be used. In general, we're seeing a continued move towards giving individuals more information on and greater say in how their data are used. We wanted GA4GH policy guidance to reflect this."

Consent is a "bedrock principle" for all clinical practice and research, the policy asserts, and can only be given freely by a data subject (or representative) with sufficient information and time to understand it. Yet if consent language is too specific (or vague), the policy warns, "it may be difficult to share data in a way that respects the data subject’s expectations."

The policy outlines consent best practices, which include transparency, accountability, and privacy and data confidentiality. Among the best practices are recommendations for clear instructions enabling "researchers and data subjects to contact each other with updates, questions regarding data sharing, withdrawal, complaints, or inquiries about policies and practices relating to the sharing of genomic and health-related data." Participation in data sharing plans should never compromise care or participation in research, the policy emphasizes.

The policy also addresses retrospective data sharing. The policy recommends giving data subjects the opportunity to re-consent or opt out if the original policy was too narrow. If re-contact isn't possible, "it may still be appropriate to share a limited, anonymized version of the data, or to seek authorization from a competent authority (e.g., consent waiver)," according to the policy.

Updated Look at Data Privacy and Security

REWS updated the GA4GH Data Privacy and Security Policy in August. The policy should help process data in a way that promotes and protects privacy and security in a proportionate manner, and facilitate compliance with international and national laws, regulations, policies, and interoperable standards.

The policy is meant to serve any persons and organizations providing, storing, accessing, managing, or otherwise using data, and in particular the organizational members of the GA4GH.

Edward Dove, a lecturer in health law and regulation at the University of Edinburgh, led the revision of the Data Privacy and Security Policy, which is intimately linked to the GA4GH Security Technology Infrastructure. He explained that the reevaluation of the policies was driven by advances inside GA4GH as much as outside. "Developments in other GA4GH standards, such as the authentication and authorization infrastructure and new automated approaches for recording and tagging consent, also demanded these updates," said Dove.

"When updating both policies, we wanted them to be in harmony with the other existing GA4GH deliverables and to remove any redundancies, inconsistencies, and confusing elements based on GA4GH member feedback. The GA4GH member community was tremendous in providing helpful and insightful feedback during the rounds of policy revision," he added.

The policy differentiates between data privacy and security. Privacy protection is a fundamental value and right of human societies, but is not absolute, REWS states in the policy. Instead, privacy protection "involves the delicate balance of considerations at individual, familial, and societal levels." They argue that data privacy safeguards should be "proportionate to the sensitivity, nature, and possible benefits, risks, and uses of the data."

All data should be processed according to local, national, and international laws and should only be accessed according to consent. Safeguards such as controlled access, anonymization, and pseudonymization should be used. Re-identification should be strictly prohibited, and mechanisms and procedures should be in place to maximize the likelihood of detection of data breaches.

The policy specifically calls out privacy for vulnerable populations. "Persons or organizations that seek to process data from vulnerable populations should consider working with them to develop a data access protocol that governs requests by third parties for research requiring the processing of such data, unless there is an established vehicle in place," the policy states.

Security, on the other hand, "is concerned with organizational, technical, and physical measures and standards to effectively manage risks to the sensitivity and integrity of data and the availability of resources and services."

The policy recommends minimum copies of data, Identity and Access Management (IAM) policies, restricted physical access to computers or storage sites with sensitive data, and disaster-recovery plans.

Alliance Updates

The announced updates to the two policies came just a few weeks before the 7th Annual GA4GH Plenary meeting in Boston. These policies, along with others from GA4GH, view data sharing as a means of activating the human right to share in the benefits of scientific advancement.

"With tens of millions of genomes expected to be sequenced within the coming decade for clinical and research purposes, the scientific community has an unprecedented opportunity to advance our global understanding of human biology and improve human health and medicine," said Prof. Bartha Knoppers, current and founding chair of the REWS and Director of the Centre for Genomics and Policy at McGill University. "As the field develops, we in REWS are thrilled to provide guidance that will support the human right to benefit from this work."