Published online by Cambridge University Press: 07 December 2017
Recent highly publicized privacy breaches in healthcare and genomics research have led many to question whether current standards of data protection are adequate. Improvements in de-identification techniques, combined with pervasive data sharing, have increased the likelihood that external parties can track individuals across multiple databases. This article focuses on the communication of identifiability risks in the process of obtaining consent for donation and research. Most ethical discussions of identifiability risks have focused on the severity of the risk and how it might be mitigated, and what precisely is at stake in pervasive data sharing. However, there has been little discussion of whether and how to communicate the risk to potential donors. We review the ethical arguments behind favoring different types of risk communication in the consent process, and outline how identifiability concerns can be incorporated into either a detailed or a simplified method of communicating risks during the consent process.
1. Barbaro M, Zeller T, Jr. A face is exposed for AOL searcher no. 4417749. New York Times, August 9, 2006, at A1; Sweeney L. Uniqueness of simple demographics in the U.S. population. Laboratory for International Data Privacy Working Paper, 2000; Narayanan A, Shmatikov V. Robust de-anonymization of large sparse datasets. IEEE Symposium on Security and Privacy 2008;8:111–25.
2. Lowrance WW, Collins FS. Identifiability in genomic research. Science 2007;317:600–602; Wjst M. Caught you: Threats to confidentiality due to the public release of large-scale genetic data sets. BMC Medical Ethics 2010;11:21–4; Erlich Y, Narayanan A. Routes for breaching and protecting genetic privacy. Nature Reviews Genetics 2014;15:409–21; Shringarpure SS, Bustamante CD. Privacy risks from genomic data-sharing beacons. American Journal of Human Genetics 2015;97:631–46.
8. Ohm P. Changing the rules: General principles for data use and analysis. In Lane J, Stodden V, Bender S, Nissenbaum H, eds. Privacy, Big Data, and the Public Good: Frameworks for Engagement. Cambridge: Cambridge University Press; 2014:96–111.
10. Marko-Varga G, Baker MS, Boja ES, Rodriguez H, Fehniger TE. Biorepository regulatory frameworks: Building parallel resources that both promote scientific investigation and protect human subjects. Journal of Proteome Research 2014;13:5319–24; Hewitt RE. Biobanking: The foundation of personalized medicine. Current Opinion in Oncology 2011;23:112–9.
13. Skopek JM. Reasonable expectations of anonymity. Virginia Law Review 2015;101:694.
14. Also see Skopek JM. Anonymity, the production of goods, and institutional design. Fordham Law Review 2014;82:1751–1809.
15. For a discussion of different interpretations of anonymization, see Schmidt H, Callier S. How anonymous is ‘anonymous’? Some suggestions towards a coherent universal coding system for genetic samples. Journal of Medical Ethics 2012;38:304–9.
16. If a third party holds the key-code connecting an identifying number to the patient, the patient’s information is considered pseudonymized. If no key-code exists, the information is considered completely anonymized. We group pseudonymization and anonymization together here because identifiability issues apply equally to both.
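The distinction drawn in this note, as an added illustration that is not part of the article: a constructed patient table is pseudonymized by replacing the medical record number with a keyed token, the token-to-record mapping (the key-code) is held separately, and destroying that mapping turns the set into what the note calls completely anonymized data. The last function shows why the note treats both cases alike for identifiability: rows that are unique on retained quasi-identifiers stay linkable to outside sources whether or not a key-code exists. All records, field names and the demo key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real patients); "mrn" is the direct identifier.
PATIENTS = [
    {"mrn": "MRN-0001", "name": "A. Example", "dob": "1980-03-12", "zip": "02139", "hba1c": 6.1},
    {"mrn": "MRN-0002", "name": "B. Example", "dob": "1980-07-30", "zip": "02139", "hba1c": 5.4},
    {"mrn": "MRN-0003", "name": "C. Example", "dob": "1975-01-02", "zip": "10001", "hba1c": 7.2},
]

# Constructed demo key; in practice the key-code holder generates and keeps this.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token.

    Returns (research_dataset, key_code). The key_code maps token -> MRN and is
    what a third party would hold; the research dataset carries no names or MRNs.
    """
    dataset, key_code = [], {}
    for r in records:
        token = hmac.new(key, r["mrn"].encode(), hashlib.sha256).hexdigest()[:16]
        key_code[token] = r["mrn"]
        dataset.append({
            "subject": token,
            "birth_year": r["dob"][:4],  # quasi-identifiers are kept for research use
            "zip": r["zip"],
            "hba1c": r["hba1c"],
        })
    return dataset, key_code


def reidentify(row, key_code):
    """Link a research row back to its patient; only possible while a key-code exists."""
    if key_code is None:
        return None  # anonymized: no key-code, so no authorised route back
    return key_code.get(row["subject"])


def anonymize(key_code):
    """Destroy the key-code; the data set is then anonymized in the note's sense."""
    key_code.clear()
    return None


def unique_on(dataset, fields):
    """Count rows that are unique on the given quasi-identifier combination.

    A row unique on (birth_year, zip) remains linkable to an external source
    holding the same fields, with or without a key-code.
    """
    counts = Counter(tuple(row[f] for f in fields) for row in dataset)
    return sum(1 for row in dataset if counts[tuple(row[f] for f in fields)] == 1)


if __name__ == "__main__":
    data, keycode = pseudonymize(PATIENTS, DEMO_KEY)
    print("pseudonymized, with key-code:", reidentify(data[0], keycode))
    keycode = anonymize(keycode)
    print("anonymized, key-code destroyed:", reidentify(data[0], keycode))
    print("rows unique on birth_year+zip:", unique_on(data, ("birth_year", "zip")))
```

The HMAC token is one common way to make the coding deterministic without exposing the record number; a random token table would serve the note's definition equally well. What matters for the argument is that removing the key-code changes only the authorised route back to the patient, not the linkability of the remaining quasi-identifiers.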
17. OECD. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 2013; available at http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf (last accessed 25 Aug 2017).
18. Similarly, the European Union General Data Protection Regulation, which will go into effect May 25, 2018, requires explicit consent whenever personal data is collected, including notification of the purposes for which the information will be used, but does not specify the communication of identifiability risks. Available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG (last accessed 25 Aug 2017).
19. OECD. Guidelines on Human Biobanks and Genetic Research Databases, 2009; available at https://www.oecd.org/sti/biotech/44054609.pdf (last accessed 25 Aug 2017).
20. Council for International Organizations of Medical Sciences (CIOMS) and the World Health Organization (WHO). International Ethical Guidelines for Health-Related Research Involving Human Subjects, 2016, at 44; available at https://cioms.ch/wp-content/uploads/2017/01/WEB-CIOMS-EthicalGuidelines.pdf (last accessed 25 Aug 2017).
21. WMA. Declaration of Taipei on Ethical Considerations Regarding Health Databases and Biobanks, 2016; available at https://www.wma.net/policies-post/wma-declaration-of-taipei-on-ethical-considerations-regarding-health-databases-and-biobanks/ (last accessed 25 Aug 2017).
22. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (last accessed 25 Aug 2017).
23. For an attempt to model identifiability risks, see Malin B, Loukides G, Benitez K, Clayton EW. Identifiability in biobanks: Models, measures, and mitigation strategies. Human Genetics 2011;130:383–92.
24. Ohm P. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review 2010;57:1701–77.
25. Article 29 Data Protection Working Party. Opinion 05/2014 on anonymisation techniques, April 10, 2014; available at http://www.cnpd.public.lu/fr/publications/groupe-art29/wp216_en.pdf (last accessed 25 Aug 2017).
27. See note 1, Barbaro, Zeller 2006, at A1; Sweeney 2000; Narayanan, Shmatikov 2008.
28. Yakowitz J. Tragedy of the data commons. Harvard Journal of Law & Technology 2011;25, at 37.
29. See note 28, Yakowitz 2011, at 40.
30. There are a number of strategies that data controllers employ to protect against such attacks. For a review, see El Emam K. Guide to the De-Identification of Personal Health Information. Boca Raton, FL: CRC Press; 2013.
31. van Leeuwen CJ, Vermeire TG. Risk Assessment of Chemicals. An Introduction. Dordrecht: Springer; 2007.
32. See, for example, the debate initiated in Cavoukian A, Castro D. Big data and innovation, setting the record straight: De-identification does work, 2014; available at http://www2.itif.org/2014-big-data-deidentification.pdf (last accessed 25 Aug 2017); Narayanan A, Felten EW. No silver bullet: De-identification still doesn’t work, 2014; available at http://randomwalker.info/publications/no-silver-bullet-de-identification.pdf (last accessed 25 Aug 2017); El Emam K, Arbuckle L. De-identification: A critical debate, 2014; available at https://fpf.org/2014/07/24/de-identification-a-critical-debate/ (last accessed 25 Aug 2017).
33. Laurie G, Jones KH, Stevens L, Dobbs C. A review of evidence relating to harm resulting from uses of health and biomedical data. Nuffield Council on Bioethics Working Party on Biological and Health Data 2014; available at http://nuffieldbioethics.org/wp-content/uploads/FINAL-Report-on-Harms-Arising-from-Use-of-Health-and-Biomedical-Data-30-JUNE-2014.pdf (last accessed 25 Aug 2017).
34. Office for Civil Rights. Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2013 and 2014. Washington, DC: United States Department of Health and Human Services; 2015.
36. See note 2, Erlich, Narayanan 2014.
37. See note 2, Shringarpure, Bustamante 2015.
38. Taylor M. Genetic Data and the Law: A Critical Perspective on Privacy Protection. Cambridge: Cambridge University Press; 2012.
41. See note 15, Schmidt, Callier 2012.
42. Beauchamp T. Autonomy and consent. In Miller F, Wertheimer A, eds. The Ethics of Consent: Theory and Practice. Oxford: Oxford University Press; 2009:55–74.
43. Faden R, Beauchamp T. A History and Theory of Informed Consent. Oxford: Oxford University Press; 1986, at 278.
45. See note 17, OECD 2013.
47. Barocas S, Nissenbaum H. Big data’s end run around anonymity and consent. In: Lane J, Stodden V, Bender S, Nissenbaum H, eds. Privacy, Big Data, and the Public Good: Frameworks for Engagement. Cambridge: Cambridge University Press; 2014:44–75.
48. See note 47, Barocas, Nissenbaum 2014, at 58.
49. McGuire AL, Beskow LM. Informed consent in genomics and genetic research. Annual Review of Genomics & Human Genetics 2010;11:361–81.
50. See note 8, Ohm 2014.