Technical and Legal Specialists Team Up to Address Security of Genomic Data

Technical and Legal Specialists Team Up to Address Security of Genomic Data
Vanderbilt’s GetPreCiSe team surveys the current state of privacy protection.

An explosive increase in the quantity of genomic data being collected, used and shared is propelling current and ongoing research into privacy protections related to personal genetic information. A team at Vanderbilt University Medical Center has reexamined the literature surrounding online threats and protections against genomic data leaks from both a legal and technical perspective.

Their review, published in Nature Reviews Genetics, draws on the work of Vanderbilt’s Center for Genetic Privacy and Identity in Community Settings (GetPreCiSe), an NIH Center of Excellence in Ethical, Legal, and Social Implications Research. The center was the first to propose the combined legal and technical framework to address ongoing issues.

“The techies and the lawyers and the regulatory experts do not talk to each other on a daily basis,” said GetPreCiSe co-director Bradley Malin, Ph.D., Accenture Professor of Biomedical Informatics, Biostatistics, and Computer Science at Vanderbilt.

This has led to a situation Malin describes as “cowboy country.”

“[Establishing standards] hasn’t happened because the field has moved so quickly that they didn’t want to get in the way of innovation,” Malin said.

Factors accelerating the collection and use of genomic data include mandates for data sharing, introduction of direct-to-consumer genetic testing (DTC-GT), and the COVID-19 pandemic. These factors have also dramatically transformed the surrounding social environment.

“This is a space in which we can anticipate that the law will either fall way behind or it will make great leaps, some of which will be uncontrolled and disruptive,” said Ellen Wright Clayton, M.D., J.D., Craig-Weaver Professor of Pediatrics and a professor of law at Vanderbilt, who also serves as co-director of GetPreCiSe.

Although DTC-GT, including programs such as 23andMe and forensic investigation, often get the most media attention, the protections and threats related to genomic research are vitally important and frequently daunting.

“The research-world regulation around genomic information is much more complex,” Malin said. “You have all sorts of craziness that can happen. Data get collected for one purpose and then get reused in another setting, and technologies that you designed to support that first setting don’t necessarily apply to the other settings.”

After reviewing thousands of papers on genomic privacy, lead author Zhiyu Wan, Ph.D., a postdoctoral research fellow in the Department of Biomedical Informatics at Vanderbilt, eventually cited about 100 of the most relevant published articles in the technical literature. James Hazel, Ph.D., J.D., a former postdoctoral fellow in the Department of Health Policy at Vanderbilt, contributed a similar review of the legal literature, enabling Wan to focus on connections and gaps between the technical and legal studies.

“This is a space in which we can anticipate that the law will either fall way behind or it will make great leaps, some of which will be uncontrolled and disruptive.”

Importance of Context

The review also emphasizes just how much context matters. Partitioning the ecosystem into four settings – health care, research, DTC and forensic – helps clarify various legal and technical protections.

The authors emphasize that blending legal and technical concerns is challenging. The protections are interconnected but they vary in the environments where they were developed, the stakeholders involved, their underlying assumptions, and the potential consequences of use.

“The technical issues in this article really go to show what different approaches have to offer in levels of protection,” Clayton said. “But which one you use depends on how you want the data to be used or shared. That intersection of what the goals are and what the technology can do is absolutely essential.”

The GetPreCiSe team focuses on the primary tools that define and protect these boundaries. Technological interventions can heighten or ameliorate legal risks, whereas some laws provide controls or protections that can limit the need for stringent technological measures.

“There’s no single-bullet technology for compliance. What worked for one organization, you can’t just drop into another place.”

Elusive Data Protection

The right to privacy has never been absolute, the authors write. An individual’s control over genomic data may amount only to a consent form or service agreement.

In some cases, individuals may not have any choice at all about how information is used – as long as the data comply with one or more of the major governing bodies regarding anonymization standards: the EU’s General Data Protection Regulation; HIPAA in the U.S.; or the Health and Human Services Common Rule adopted by most U.S. federal government agencies for human subject data. 

“There’s no single-bullet technology for compliance. What worked for one organization, you can’t just drop into another place,” Malin said. “Clinical protections do not necessarily extend when patients interact with companies. There are different worlds, different regulatory requirements.”