Genetic Testing and Privacy: What is the Code to Regulating Ours?

The direct-to-consumer genetic testing industry is producing an unprecedented amount of genetic data, giving the medical and research communities the ability, more than ever before, to collect and analyze a significantly larger and more diverse range of genetic data. While the wealth of information the genetic testing industry is producing might seem, at first, like a boon for medical and scientific research, it is unequivocally also attracting the interest of other sectors, particularly insurance, pharma, credit institutions, and law enforcement. As the industry continues to expand and the technology becomes more accessible to the average consumer, it is becoming increasingly clear that privacy and protection of personal data will be one of the hottest topics moving forward, as competing interests fight to gain access to this wellspring of information.

The Genetic Testing Industry Landscape

The surge in popularity of the consumer genetic testing industry, as evidenced by reports indicating the market will triple in size within the next four years (from nearly $100 million in 2017 to over $300 million in 2022), has been spurred on by a lack of government regulation in countries where the majority of these companies are located, notably the United States and China. While privacy laws in many countries prohibit consumer genetic testing companies from disclosing confidential genetic information under certain circumstances, the American Food and Drug Administration (« FDA ») is easing the approval process for genetic testing, making whole genome sequencing far more accessible to consumers.

Furthermore, the genetic testing industry has seen an influx of fresh investment amid heightened interest from pharmaceutical companies who hope to draw from DNA databases in search of new medical insights and cures. Recently, a partnership was concluded between a genetic testing company and a pharmaceutical company, by which they became exclusive collaborators for drug target discovery programs, giving the pharmaceutical company exclusive access to the testing company’s DNA database and proprietary statistical analytics.

Generally speaking, industry standards and relevant legislation consider genetic data to be sensitive information, warranting a high standard of privacy protection. This is particularly so because it may be used to identify a predisposition to a medical condition, may reveal information about third parties, namely an individual’s biological relatives (including future children) and others with whom the individual shares genetic ancestry, or may even contain information whose full impact is not understood at the time of collection. More importantly, genetic data is far-reaching and, taken in its aggregate form, can have a broad impact on communities of individuals.

Privacy and Data Protection Moving Forward

On July 31, 2018, the Future of Privacy Forum (« FPF »), an American privacy protection think tank, published a set of guidelines for best practices in the consumer genetic testing industry. A number of genetic testing companies have pledged to follow the voluntary guidelines in an effort to render their practices more transparent and mindful of the growing privacy issues that accompany direct-to-consumer genetic testing. These guidelines were published amidst growing privacy concerns following, among other recent events, news of a data breach at a genetic testing company where a large number of accounts were hacked. Though the hackers only accessed encrypted emails and passwords, this type of data breach will occur more frequently as consumer genetic testing becomes increasingly popular and lucrative. It is worth pointing out that a breach of genetic data would often be expected to be a great deal more serious than most credit breaches, all else being equal, given that genetic information is immutable. By the same token, some genetic testing companies collect information from the profiles of customers who log into their websites from other social media accounts, increasing the potential for such security breaches.

The FPF Best Practices establish that genetic testing companies shall obtain « initial express consent » for data collection and analysis and « separate express consent » for transfer of genetic data to third parties. Testing companies shall, as well, be required to obtain « informed consent » to conduct research on genetic data, confirming the voluntary nature of such research. The guidelines also provide for a right for consumers to access their genetic data or have it be deleted, and to be notified (as quickly and clearly as possible) in the event that the data must be disclosed to law enforcement agencies. They require increased accountability measures through the designation of an official responsible for compliance with the FPF Best Practices and increased security measures to prevent unauthorized access or any other type of data breach.

One area of data sharing and privacy protection, though, that isn’t impacted by the guidelines is anonymized medical research. As such, genetic testing companies may transfer « de-identified » genetic data to third parties, provided the consumer has given prior consent to do so. « De-identified » data is defined as « information that does not include direct or indirect identifiers such that information cannot be reasonably associated with an individual. » To be sure, as part of the industry-made guidelines, genetic testing services do not have to notify consumers when their data has been « de-identified » and transferred or sold to a third party for research or analysis purposes.

The Current Privacy Legislative and Regulatory Framework

It is worth mentioning that the industry Best Practices are, to some extent, patterned around recent privacy legislation and regulations, namely the European General Data Protection Regulation (« GDPR »), which came into full effect on May 25th, 2018, and the newly passed California Consumer Privacy Protection Act (« CPPA »), which will be applicable as of January 1st, 2020. Both the GDPR and the CPPA provide for an individual’s right to access their data and have it erased (although the CPPA is not as far-reaching as the GDPR in this respect). Like the industry guidelines, the GDPR requires express consent to the processing and sharing of « sensitive » personal data, which includes genetic data. As well, the GDPR and CPPA require the implementation of administrative and technical safeguards, including but not limited to the de-identification (or « pseudonymization ») of personal data.

Other relevant American legislation, with which the genetic testing industry must comply, includes the Health Insurance Portability and Accountability Act (« HIPAA ») and the Genetic Information Non-discrimination Act (« GINA »). Under HIPAA, insurance companies are prohibited from using and disclosing genetic information for underwriting health insurance policies. HIPAA, however, does not extend to long-term insurance policies, including life and disability insurance. Under GINA, individuals are protected from genetic discrimination by health insurers and employers, but, again, long-term insurance plans are not covered.

In Canada, the Genetic Non-Discrimination Act (« GNDA »), which came into force on May 4th, 2017, makes it a criminal offence to enter into any kind of contract that enforces mandatory genetic testing or disclosure of genetic testing results or to deny a person services based on those results. For example, an employer or an insurance company could not require a prospective employee or customer to be subjected to or reveal the results of a genetic test as a condition of employment or insurance coverage, respectively. The GNDA prohibits, as well, the collection, use, and disclosure of an individual’s genetic test results without their written consent. The maximum punishment for GNDA infringement is a fine of up to one million dollars and/or imprisonment for up to five years. Note that the Quebec government is currently challenging the constitutionality of the GNDA by referring it to the Quebec Court of Appeal, arguing that the Act is outside federal jurisdiction by infringing, notably, on the regulation of the insurance industry, a provincial jurisdiction.

Other relevant Canadian legislation includes the Personal Information Protection and Electronic Documents Act (« PIPEDA »), the Quebec Act Respecting the Protection of Personal Information in the Private Sector (« ARPPI ») and the Ontario Personal Health Information Protection Act (« PHIPA »). This legislative framework, as a whole, restricts the sharing of personal information with third parties. However, neither PIPEDA, nor ARPPI, nor PHIPA refer explicitly to personal information as comprising genetic data. PIPEDA and PHIPA do provide a definition of personal health information as relating to the physical health of an individual and, as per PHIPA, including information that refers to the health history of an individual’s family.

With respect to consent, its nature and the circumstances in which it is given vary from one law to the next. PIPEDA allows for implied consent, but suggests that it should be explicit for the processing and sharing of sensitive information, which arguably includes genetic data. ARPPI provides for explicit consent in all processing of personal information except under certain circumstances. One such exception does not require additional consent for the sharing of such information with third parties to the extent that its disclosure serves a serious and legitimate purpose and is in the interest of the individual. Finally, PHIPA allows for implied consent, but requires it to be explicit for the sharing of personal health information with a third party that is not defined as a « health information custodian. » It should be noted that insurance companies are not treated under PHIPA as « health information custodians. » However, the opposite could be argued vis-à-vis genetic testing companies.

Finally, the 2nd edition of the Tri-Council Policy Statement (« TCPS2 ») includes an entire chapter about human genetic research. While the TCPS2 does not have force of law, any research carried out under the auspices of the Canadian Institutes of Health Research (CIHR), the Natural Sciences and Engineering Research Council of Canada (NSERCC) or the Social Sciences and Humanities Research Council of Canada (SSHRCC), i.e. the so-called three councils, must abide by the standards outlined in the TCPS2. In practice, studies conducted by researchers in Canadian hospitals or university settings are almost always subject to the TCPS2. Consequently, the impact of the TCPS2 may appear limited for the direct-to-consumer genetic testing industry, but the impressive amount of real-world data collected by this industry can be very attractive and extremely useful in medical and pharma research, which is why the TCPS2 is considered an important element in the current regulatory framework.

In addition to reiterating various legal standards already enshrined in the Canadian legislative framework, the TCPS2 provides for a series of specific rules in connection with the use of genetic data with the objective of mitigating the impact of the research on individuals and even, by extension, the family members, communities or groups that could be affected by study findings. In particular, research involving the secondary use of previously collected and banked genetic material shall specify how researchers plan to address associated ethical issues.

Health and Public Safety

Overall, the growth of the direct-to-consumer genetic testing market is born out of a paradigm shift among consumers who are continuously seeking greater control over their own healthcare. With the rise of the Internet and its expanded use for medical information, a profound change in the traditional doctor/patient relationship has taken place as individuals become more knowledgeable about their own health and want more control over their personal information and treatment decisions.

As such, together with testing and analysing genetic material for the purpose of discovering one’s ancestry or ethnic background, individuals are increasingly turning to genetic testing services to generate health risk reports and detect genetic anomalies. In addition to the more standard identity testing, this area of genetic testing includes carrier screening, preimplantation genetic diagnosis, newborn screening, presymptomatic testing, confirmational diagnosis, and personalized treatment plans. Such types of consumer-initiated genetic testing must be ordered by a physician. However, the doctor need not be a geneticist; they can simply be a company staff doctor or the patient’s own family doctor.

In April 2017, for example, the FDA granted approval to a major genetic testing company to market ten genetic health risk reports, including detection of Celiac’s and late-onset Parkinson’s and Alzheimer’s, and more recently, cleared the company to sell genetic tests for cancer risk. This detection kit will test for three mutations known to predispose people to developing cancer, but it is worth mentioning that there are hundreds more that it won’t take into account. This is the first time the FDA has approved a direct-to-consumer genetic test for these three particular mutations on the BRCA1 and BRCA2 genes, which are known to be associated with higher risk for prostate, ovarian, and breast cancer. However, because the test only detects these three mutations, individuals tested are likely to get the false impression that they are not carriers. Indeed, these reports only approximate genetic risk for developing a disease and in no way offer an actual medical diagnosis.

Along with the diagnostic uncertainty of this type of genetic testing, though, come further health and safety concerns as they converge with consent and privacy issues. While the customer/patient must give their express consent before undergoing whole-genome sequencing, and provided that certain laws, like the Canadian GNDA, aim at protecting consumers by prohibiting mandatory genetic testing or mandatory disclosure of genetic testing results, there are technically no restrictions around what a customer can do with their own genetic information or requirements regarding a customer’s family members to be involved in the consent process. This raises important questions as to who owns exclusive rights to an individual’s genetic code, given that family members share many genetic traits and may harbor the same genetic abnormalities associated with certain diseases.

Organisational Best Practices

Genetic testing, whether for predictive medical purposes or not, comes with its benefits and risks. Privacy concerns, ethical issues, and potential health risks are not to be ignored. And because the industry is growing so rapidly, ex post regulation might be perceived as inadequate or, inversely, disproportionately restrictive. It remains to be seen, then, how the genetic testing industry will position itself in the face of increased scrutiny from the general public and regulatory bodies.

For the time being, as legislation continues to evolve and adapt to changing market dynamics, privacy and public health concerns should remain among the highest priorities for industry stakeholders. Industry-led initiatives such as the FPF Best Practices are, as such, an interesting step forward. Still, current laws and regulations are patchy and at times incongruous from one jurisdiction to another. As genetic testing continues to gain in popularity, transparency, accessibility, and user consent should continue to inform the best practices of the direct-to-consumer genetic testing industry. Moving forward, as the industry continues to make its mark on the medical field, it should not lose sight of the fact that privacy-related considerations in respect of one’s genetic data will continue to require attention.

This content was updated on 23 September 2018 at 14:57.