Genomic Privacy on the Rock and Lessons for the Mainland

Address given to the We Are Connected: Access, Privacy, Security and Information Management Conference

St. John’s, NL
November 29, 2016

Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch

(Check against delivery)


Introduction

Thank you to Donovan for the invitation to be here today and join you as part of We Are Connected Conference in St. John’s and congratulations on your confirmation as Access and Privacy Commissioner for the province.  It’s always a pleasure to come to Newfoundland and Labrador which remains, in my view, the friendliest place on earth.   

The first time I came out here to give a speech 18 years ago.  I was about 8 months pregnant at the time, Lucy MacDonald from the Centre for Health Information – whom many of you may know - was waiting for me at the airport when I arrived!  I was astounded at the warmth and hospitality with which she personally welcomed me.  Having travelled across the country many times over, giving speeches in every province and territory, I can tell you, nowhere else do people come greet you personally at the airport.  In fact, for this trip, I received not one, but two such generous offers!

In addition to being the friendliest, Newfoundland and Labrador is also one of the most beautiful parts of our great land.  In summer 2014, my family and I spent our holidays hiking in Gros Morne National Park.  In particular, I remember our hike to the top of Tablelands and how challenging it was - not so much because of the physical difficulty of negotiating and climbing huge rocks and boulders, but the psychological challenge of feeling so miniscule, lost and disoriented in the sheer vastness of this fire-red layer of earth – otherwise known as its ‘inner soul’- that folded over inside-out during the course of half a billion years.  With no park guide or trail markings of any kind, we headed off on our own, instructed simply `to follow the river’.  

  No sooner did we complete our laborious climb up the great mouth of the horseshoe valley, finally reaching the desert-like plateau awaiting us atop, that I realized why the guides were so insistent on warning us ‘not to roam around up there’, but to just take a couple of photos and head straight back down.  I was astounded not only at the vastness of it all, but at the difficulty of keeping our sense of orientation.  With no markers, no contrasts, no parameters and no relief of any kind, I now understood how hikers can get so easily lost up there, needing to call for rescue on occasion. 

I began to imagine for the first time, what our founding fathers must have felt like exploring completely uncharted territory.  Perhaps not too much unlike some of our modern-day researchers who set out to invent or discover new things, without any ethical, legal or social boundaries, and no one there on the other side to greet them or guide them on what to do or where to go next.  How to allow these innovators the necessary freedom to roam, explore and discover great new things, while also charting the boundaries beyond which we, as a collective society, do not want to go -- or think we should go?  This challenge at the interface of innovation and ethics, law and society has long fascinated me and informs the perspective with which I approach these questions today.

The Peoples of Newfoundland and Labrador

Not only is Newfoundland and Labrador known for its friendliness and its spectacular beauty, it is also highly unique in other ways.  Called a “genetic gold mine”, Newfoundland and Labrador is one of few other geographic communities whose population grew from a relatively homogenous group of original settlers with limited immigration.   More than 80 per cent of the population can trace their ancestry to 20 000–30 000 Irish and English settlers who came here in the 1700s and 1800s, settled and stayed in isolated fishing villages.   As a result, a high degree of genetic homogeneity has developed among the people here and certain traits have become more pronounced than others.  The rate of some diseases for example has been found to be higher than elsewhere while other conditions are rare or even non-existent – all of which is of great interest to researchers who are attracted to come here to study these unique phenomena.

The collection of biological material and associated data about a distinct population or subset of a population, has the potential to radically alter the way we prevent, diagnose and treat disease.  By aggregating and analysing large datasets, researchers may be able to detect and understand previously unknown patterns and relationships, and ultimately improve the detection, prevention, diagnosis and treatment of disease, including the development of more targeted treatment strategies – the ‘Holy Grail’ of personalized medicine.

But scientific fascination with the genetic traits of the people of Newfoundland and Labrador has not come without costs or its share of abuses.  One infamous example I was recently reminded of, involved a research group from Baylor University, otherwise known as the ‘Texas Vampires’, who came to Newfoundland and Labrador to collect biosamples, family histories and patient records and took these back with them for purposes of conducting genetic research on a devastating fatal heart condition found to have higher than normal incidence among young males in this area.  Yet, when this became known, provincial researchers experienced significant difficulty recuperating relevant data about their own people in order to conduct the necessary clinical follow up of affected patients.     

This and other examples of so-called ‘helicopter researchers’ who fly in from elsewhere to conduct genetic research in the province without any accountability to its people and refuse to give back samples or related data, demonstrate the tensions that arise when commercial interests in proprietary information or fierce competitive pressures to win ‘the notoriety race’ begin to creep into the research enterprise.  

The Legislative Response

But true to their heritage, the people of Newfoundland and Labrador responded with courage and resilience, vowing ‘Never Again’.  These negative experiences may have been part of the impetus for some of the legislative innovations that followed.  In an article I co-wrote with Professor Daryl Pullman from Memorial University and others, we examined the legal and ethical governance framework that has since evolved in Newfoundland and Labrador to guard against such abuses in the future.  The integration of health privacy legislation with a research ethics statute that creates a legitimate, independent and accountable research ethics authority and elevates national research ethics guidelines into law while preserving flexibility, creates a unique regime that can potentially serve as a model elsewhere. 

Using as a case study the Newfoundland Genealogy Database and infrastructure developed by the (then) Population Therapeutics Research Group of Memorial University, Daryl and I walked through a seemingly intractable consent problem.  More specifically, whether researchers could augment the database with privately constructed genealogies, voluntarily donated by individuals interested in furthering research, but without having first obtained the consent of family members, many of whom had since deceased.

While the purpose of our article was not to definitively conclude ‘yea’ or ‘nay’, we did illustrate how Newfoundland and Labrador has put in place probably the most integrated legal and ethical governance regime in Canada capable of resolving this difficult consent question.   We simulated the analysis from the perspective of a duly constituted and legally designated research ethics board, and showed how the Personal Health Information Act (PHIA) and the Health Research Ethics Authority (HREA), operating together, ensure a more robust and accountable decision-making framework.  Also, unlike some of its cruder parallels in other Canadian jurisdictions, these NL laws allow for a more flexible and subtle consideration and weighing of the privacy and general welfare interests of family members, on the one hand (both living and deceased), with the public good that could come from the research, on the other. 

New forms of Private Sector Research

But even this governance regime is not without limitations.  For one, it begins to break down in the face of commercial research.  Yet we know that the private sector is a big proponent of health research in Newfoundland and Labrador due to the unique genetic heritage of its peoples.  Given their profit-making mission, these companies are highly motivated to be the first to solve or at least mitigate some of the province’s unique health problems and commercialize their resulting discoveries.  Considering the hardships in the region, the exciting potential for innovation and economic development is not necessarily unwelcome, but nor should it be too readily or naively embraced.

The most recent incarnation of commercial interest wanting to occupy this space is Sequence Bio. Founded in 2013, Sequence Bio plans to sequence the genomes of 100,000 residents of Newfoundland and Labrador, with a view to unlocking transformative insights and ultimately, improve how we treat diseases and develop medicines.   Among the partners mentioned on its website, the company counts the province of Newfoundland Labrador, Genome Atlantic, BiotecCanada and Memorial University. 

Private sector research by pharmaceutical and biotech companies is not a new phenomenon; they have long had strong interest in accelerating discovery and bringing new drugs and devices to market, dependent on local clinicians to gain access to patients and patient data and on university researchers to benefit from existing infrastructures and enhance the credibility and acceptance of research results. 

What is different now is the new generation of online companies and business models growing in size, prominence and independence.  More and more, these online companies are capable of unilaterally exploiting new sources of big data and displacing health research traditionally carried out in academic institutions on which they once relied.   Google Health’s ability to predict influenza outbreaks better than the U.S. Centres for Disease Control, based solely on analyses of internet search terms, as opposed to any clinical data, was an early example of the power of big data (though not completely flawless as it turned out). 

Another example is 23andMe, a direct-to-consumer genetic testing company now well-entrenched with offices in Canada that has until 2015 collected more than 850,000 samples from customers who have paid the company to sequence their DNA either for health, paternity-testing or ancestry purposes -- the current cost of which is a mere $249 Canadian.  According to the company, 80 percent of these people (or almost 700, 000) have agreed to allow their genetic information to be used for research purposes. 

To give you some perspective, 23andMe probably holds one of the largest genetic biobanks in the world, certainly in excess of what major national biobanks in Canada have managed to collect to date, even when combined.  Considering the co-founder of 23andMe is the spouse of the co-founder of Google, this gives us some indication of the potential for these types of online business models to explode at lightning speed. 

Though 23andme is the most well-known and probably largest direct-to-consumer testing company, there are scores of other online companies that offer a wide variety of genetic tests, including health-related testing and paternity testing.  Other companies claim to be able to provide insights into your child’s sports performance, for example, and even one company called Instant Chemistry claims to be able to use one’s DNA to identify a compatible partner.

Genetic testing to identify an individual’s ancestry is also very popular.  For example, companies like Ancestry have started charging users to submit their DNA in addition to their family histories under the tagline "Uncover your ethnic mix, discover distant relatives, and find new details about your unique family history with AncestryDNA."  The company recently sold access to its DNA database to Calico, a genetic company backed by Google, which intends to examine genetic patterns in people who live long lives.

Not only can online direct-to-consumer genetic testing companies accumulate more genetic samples than academia could ever hope to collect, through enticing claims backed by powerful marketing departments, they can also potentially link these to data extracted from social media platforms.  They can further enhance these with search terms and other data scraped from internet usage.  In partnership with others, they can combine them with data generated by digital health technologies, wearable devices and biosensors greatly expanding the size, scope and sensitivity of their repositories capable of being mined by proponents of Big Data. 

Privacy Implications

Much of this is not apparent to the consumer who simply wishes to send in their spit kit to find out their predisposition to certain diseases, confirm paternity linkages, simply for fun or out of curiosity, or to learn more about their ancestry (I recently saw commercials suggesting that an ancestry test kit would make a great holiday gift for the person you love cuz ‘it’s what’s on the inside that counts’!)

As part of our public education efforts, our Office, together with our counterparts in British Columbia, Alberta and Quebec, have developed a soon-to-be released fact sheet to inform Canadians of some privacy-relevant questions individuals should consider asking before undergoing direct-to-consumer genetic testing online.  

In addition, last year, our Office funded the development of a video-documentary by Professor Julia Creet of York University entitled, “Data Mining the Deceased: The Ancestry and Business of Family”.   The documentary explores ownership, privacy and social implications of the commercial intermingling of genetic data and family histories ‘gone viral’ through online genetic testing and social media websites, filling in large gaps left behind by more traditional forms of genealogical research, like personally constructed family trees, supplemented by old church, census and museum records.

The videodocumentary will be aired on TVO February 1st, but in the meantime, a few clips extracted from the fuller documentary are available on our website.  (show clips)

PIPEDA and the Consent Challenge

Private sector companies in Newfoundland & Labrador and elsewhere in Canada not otherwise covered by substantially similar provincial legislation, are subject to the federal private sector law, the Personal Information Protection and Electronic Documents Act (or PIPEDA).  Unlike the flexible and integrated legal and ethical regime of PHIA and HREA, PIPEDA was designed to regulate commercial transactions of a more traditional, binary type such as typical dealings between individuals and their banks, telecom service providers, insurance companies or retail stores.  However, now more than fifteen years since its adoption, PIPEDA is proving to be more difficult to apply in an online commercial world populated by a new generation of companies vying to analyze and monetize big data. 

For one thing, the consent principle is a cruder, more rigid mechanism under PIPEDA.   In order to be able to collect, use or disclose personal information, organizations must obtain the informed consent of individuals, which requires that individuals understand the nature, purpose and consequences for the collection, use or disclosure.   This typically translates into 20 + page privacy policies that offload all of the known information and risks from company’s lawyers’ shoulders onto the consumers.  While the Act exceptionally permits for implied consent in cases involving non-sensitive information, it cannot be stretched beyond the reasonable expectations of the individual and most certainly would not apply to genetic information.   In the absence of consent, the organization purporting to collect, use or disclose personal information must fall within an explicit exception to consent under the Act, none of which obviously covers these newfound uses.  

Just as biobank researchers have struggled for years to obtain meaningful consent for inclusion into a research platform, the future purposes of which cannot be specified at time of collection, companies wanting to engage in big data analytics to find yet unknown correlations from which to infer future behaviour find themselves today in a similar predicament.  And yet, unlike university-based researchers in Newfoundland and Labrador, they lack the more subtle and flexible legal-ethical framework to help guide and carefully deliberate complex evaluations of risks and benefits in the face of unknowns.  How to obtain prospective, informed consent that is not so vague and broad as to be meaningless?      

Also, unlike academic researchers in public sector, commercial organizations carrying out big data research are not subject to any ethics review.   A powerful example of this significant gap appeared when news broke of Facebook’s emotion contagion study.  This social experiment involved altering the newsfeeds of 689,000 users, by showing more positive posts to one study group and more negative posts to another, then testing the resulting impact on users’ mood by counting the number of generally positive or negative words in their own subsequent posts.

The company partnered with researchers from Cornell University to design the study.  But since Facebook had done all the collection and analyses of user data and the University itself was not technically engaged in the research, the study was exempt from the Common Rule requirements.  Moreover, when the journal required demonstration of informed consent for publication purposes, the company cited the general terms of its user policy as sufficient informed consent.

Some supported Facebook for being transparent about a practice that presented no more risk than that which companies create everyday by experimenting with new and improved commercial services.  They fear that by being too critical about it, companies like Facebook will less likely want to cooperate with university researchers, meaning they’ll just do it on their own, become even less transparent and won’t make their resulting data available for advancement of generalizable knowledge.

Others were not so generous and were highly critical of Facebook — creeped out by its having crossed the line from observation to manipulation (from the fishbowl to the petri dish, so to speak) without any external, independent ethics review.  Could independent ethics review have helped better anticipate the social, ethical, and legal implications of this social experiment? 

In a Big Data environment, the potential to mine data for new insights and correlations is immense, and many data scientists and engineers are scrambling to find the ‘how’, but there is no one there to ask the ‘whether’.  If university research ethics boards are not the appropriate gateway, then who is?  Some have suggested creating independent consumer ethics boards specially designed to review commercial research, although as you can imagine, there are lots of questions about how these would work in practice and the idea has not been too warmly received by industry.     

In June of this year, our Office released a discussion paper about these and other stresses on the current consent model under PIPEDA in an era of big data analytics and the Internet of Things. 

In response, we received 51 very thoughtful submissions.  We have been holding stakeholder consultations across the country with businesses, lawyers, academics, consumer groups and civil society.  We have completed four and have one left to go in Ottawa in December.  We will also be holding consumer focus groups across the country early in the new year to get the perspective of individual Canadians.  And our hope is to be able to develop and publish a position paper on this sometime in 2017. 

Genetic Information and Insurance

But there is more to the consent challenge.  In large part, it is about ensuring individuals are well aware of the privacy risks on the basis of which they can do their own calculus and exercise meaningful choice so that consent, when given, is informed and knowledgeable.  Sometimes, however, it is also about critically pushing back on some of the risks people are being unfairly asked to take on which can make them so fearful that they are hesitant to provide consent at all – even to their own detriment or to the detriment of their families or society as a whole.   One example of this is the reluctance we see among people who forgo genetic testing either for clinical or research purposes for fear of what insurance companies will do and decide with that data. 

Unlike many other countries that prohibit, or significantly limit, the use of genetic information by insurance companies, Canada does not have any such stand-alone legislation in place.  Although insurance companies have an industry policy of not requiring applicants to undergo genetic testing, they may, as part of their risk assessment, ask applicants to disclose existing test results, conducted either in a clinical setting, a research study or even a commercial direct-to-consumer context. 

PIPEDA requires organizations to limit the collection of personal information to that which is “necessary” for identified business purposes and not beyond what the “reasonable person” would consider appropriate in the circumstances.”  Informed by studies we commissioned by experts in economics and actuarial science specialized in the field of genomics, and based on the state of science at this time, our Office concluded that the collection of genetic test results by insurance companies is not demonstrably necessary, effective, proportionate or the least intrusive means of achieving the industry’s objectives. 

In 2014, the OPC issued a public statement urging the life and health insurance industry to voluntarily and temporarily refrain from requesting access to existing test results until such time as they can be shown to be demonstrably necessary for actuarial purposes. 

Subsequent to this, the Canadian Life and Health Insurance Association updated their Industry Code but continued to insist that insurers need to be made aware of relevant and material information derived from existing genetic tests in order to properly assess risk.  In the case of context of genetic research, the insurance industry ceded it will no longer insist on receiving the results if, and only if, the individual does not receive them either – based on the principle that parties must have equal knowledge in a good faith contract.    

Prompted by concerns that genetic information could be used by insurers, employers and others to make discriminatory decisions about individuals, Bill S-201, An Act to prohibit and prevent genetic discrimination, was introduced and passed in the Senate as a private Member’s bill, and is currently before the House of Commons Justice Committee. 

S-201 proposes to prohibit any person from requiring an individual to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services or entering into a contract.  If adopted, the bill would effectively ban the insurance industry from collecting and using genetic test results to assess risk altogether – going further than the temporary, voluntary moratorium our policy position called for. 

The fate of the Bill is very much up in the air since the Government has raised concerns that the law as drafted might intrude on provincial jurisdiction over insurance matters.   

Earlier this month, when they appeared before the House Committee to discuss Bill S-201, and perhaps in an attempt to stave off stricter legislation, the Canadian Life and Health Insurance Association indicated they had had preliminary discussions with provinces about a possible industry concession to refrain from collecting or using any genetic test results for applications for life insurance policies below $250,000.  CLHIA claimed that, as a result, more than 85% of applications for life insurance would not require any disclosure of genetic test results, and therefore would address concerns for the large majority of Canadians.

Conclusion

In many ways, these and other challenges we are facing and trying to resolve around consent to the collection, use and disclosure of personal information as important as they may be, may soon become yesterday’s problem. 

 There are those who predict the day when the big data we are amassing today, will be manipulated by artificial intelligence so autonomous and powerful, that computers will be able to make near perfect inferences and predictions about our health risks and prognoses, the kind of person we are, our interests and dispositions, and the decisions we are likely to make.  In essence, computers will become so accurate that they will know us better than we know ourselves.   All we will need is to get our DNA sequenced, wear biosensors 24/7, let Google, Facebook and other internet giants analyze our online behaviour, our emails, chats, messages, likes and clicks, and we will approach the day when the Internet of all Things and the data about us – all around us – will no longer be ours to give away.  And if by then, consent is no longer the operative gateway to control access to this newfound data, then what will be?

Unless we conceive and build the legal and ethical governance around the collection and use of data now in this new uncharted territory, then just like the park guides warn us at the top of Tablelands, we risk losing our way amidst the sheer vastness of it all.  

Many jurisdictions and think tanks around the world are working and thinking about how to integrate ethics into privacy governance regimes that up to now have been dominated by more rigid legal rules and instruments that do not easily lend themselves to the kinds of subtle deliberations and decision making processes needed to chart our future course. 

The kind of courage Newfoundland and Labrador has shown by adopting a governance framework that gives legitimacy to ethics review, elevates the authority of ethical principles and integrates ethics into its privacy legislation is an interesting example that could serve as an model for the kind of robust legal-ethical framework we need to help position ourselves for what’s about to hit us and fast.

And while the upcoming PHIA review will certainly provide you with a timely opportunity to improve and refine things, know that, compared with other jurisdictions, you’ve got a solid ‘ROCK’ to stand on.

Thank you.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: