Ethics of genomic data sharing: an interview with Bartha Maria Knoppers

13 Apr 2018

GA4GH regulatory and ethics lead Bartha Maria Knoppers discusses the Framework for Responsible Sharing of Genomic and Health-Related Data, broad consent, the European General Data Protection Regulation (GDPR), and planned REWS activities for the coming year.

Photo credit: McGill University

Bartha Maria Knoppers is the co-lead of the GA4GH Regulatory and Ethics Work Stream. She led the writing of the Framework for Responsible Sharing of Genomic and Health-Related Data, a guidance document which has now been translated into 13 languages and underlies all of the work we do here at GA4GH. Dr. Knoppers is a professor at McGill University and director of its Centre of Genomics and Policy. She also holds the Canada Research Chair in Law and Medicine (Tier 1, since 2001)and founded the Population Project in Genomics (P3G) and CARTaGENE, Quebec’s population biobank. We recently spoke with her about the current issues in the regulatory and ethics domain of genomic data sharing and ongoing activities within REWS. To learn more about Dr. Knoppers and her work, please visit the website of the Center for Genomics and Policy.

What is the Framework for Responsible Sharing of Genomic and Health-Related Data? Does it shift the previous bioethics conversation?

We wanted to move away from research as something you had to protect people from. Most Codes of Ethics are precautionary or prohibitive rather than protective while enabling. We wanted to take a dormant right from the 1948 Universal Declaration of Human Rights and activate it. It is the right of all citizens to benefit from scientific progress and advancements while also recognizing the right of attribution of creators and inventors. In other words, the right of citizens to benefit from data sharing does not obviate or do away with legitimate intellectual property. Even if our Framework is concentrating mainly on the right of the citizens to benefit and we think that data sharing is a way both to realize and to activate that legal right; it doesn’t mean that there is no recognition of legitimate IP.

More importantly, this right was enshrined in the 1976 International Covenant on Economic, Social and Cultural Rights, signed and ratified by 165 countries. This makes all the rights under the Covenant legally actionable in your own country. In other words, you can hold the government to account, saying “how come my right to benefit from scientific progress, in the case, of say, cellular genomics is not recognized, not realized?” Governments have to send in periodic reports every five years on how they have met their obligation under the Covenant.

How does sharing data activate the human right to benefit from scientific advancement?

The more we share data, the better the quality of the results, that’s number one. For me, quality is an ethical principle. Why even involve people in your research or medical care if the quality is not at an optimal level at a given moment in time? And to do that, you need lots of data and you also need lots of data on lots of people, because we live in heterogeneous societies, we are not in little pockets of villages between three mountains. In other words, we are culturally diverse, we come from different origins, our grandparents were born in different parts of the world and to really offer or even get to precision medicine, we need to have data that reflects what has happened in terms of population drift, in terms of immigration, in terms of the effects of the environment, and socio-economic factors and so on and so on. And for that, we need data from all the countries where citizens come from or where they actually reside.

Why is genomic data sharing important for human health and medicine? What are the unique regulatory & ethics aspects of that need?

I think data sharing is unique in that it’s both individual and social. We’re quite used to traditional ethical principles of research of you know, autonomy, privacy, justice and so on. But how can we filter traditional principles through this right of “citizens” to benefit via their health care systems, in the environment in which they live? And so, the unique aspect is trying to move away from individual ethics and rights in isolation and promote secure data sharing across societies. As citizens, we should not however undermine the trust of participants who finally in the last decade are slowly opening up to saying, “yes you may use my research for X — let’s say diabetes — and other related diseases.” Or, some would say “you may use my data as samples for any other biomedical research in the future as approved by an ethics committee.” If you have those broad consents and proper governance and you have the trust, then you have to make sure that the research you do is of quality and data is secure. Then in healthcare systems, based on large amounts of data, you can stratify down to sub-populations — why are some people healthy and why are some people resistant, others susceptible, or, super-transmitters, or, at high risk? You can allocate precious health resources to treat, prevent and plan where needed. So from a systemic level and a personal, precision medicine level, data going through a feedback loop from clinic to research back to clinic — that’s how you activate benefit for citizens.

Can you expand on this concept of broad consent — why is it so important?

Let’s take a specific consent in a clinical trial for drug compound “438”. You want to see if it has X affect or Y affect in this age group for that particular condition — that’s a specific consent, you are looking only at that, and that’s what you’re studying and when it’s over, it’s over. But if you add new questions, you need another consent. In other words, when you have research that involves devices or drugs, and so on you definitely need to be very specific, both in time and in the scope of your trial. When you wish to study let’s say juvenile diabetes however, you might want to consent to research on “related conditions” and that’s a relatively more open — but not completely open — consent. Or, you could ask for consent to the whole domain of biomedical research if ethically approved and with ongoing oversight. I support this is because in the past if you said breast cancer research and suddenly five years later you want to do ovarian research and the word “ovary” was nowhere on the form, you have to go back and re-consent 10,000 women for example. So best to say, “breast cancer and related conditions.”

With the arrival of population longitudinal studies — such as the recent “All of Us” research program in the US, and the UK, Canada, Japan, and Estonia biobanks that have been built over the past decade, there is much experience with broad consent. You follow people in real time in real contexts. As a citizen, you should be allowed to broadly agree to provide samples and data over time for ethics-approved biomedical research. That’s it. So today, as a researcher, I can go to those biobanks and I say, “Could I have data on 500 males of age such-and-such having the following condition with the following variables?” As a clinician researcher, I can also use these biobanks for my disease-specific research as well.

So if such infrastructure science has common principles, harmonized tools and interoperable IT, data-intensive science can achieve statistical significance with partners around the world in a much shorter time. Such IT science, is infrastructure science — it allows you to get enough data to see patterns, to form hypotheses, rather than imagining hypotheses and then gathering the data.

Is this a particularly important moment for genomic data sharing, from a regulatory and ethics perspective?

I am an optimist, romantic, idealist, you name it — but I’m a realist when it comes to the new European General Data Protection Regulation (GDPR). I was optimistic in that in the final version that was adopted, there was a recognition that consent could be to an area of research. The GDPR is quite protectionist, and rightly so in the sense that they are responding to perceived and actual threats to individual privacy and data security with surveillance scandals and with the social media. Yet, when you are in the area of scientific research per se, breaches are rare. But general public concern often spills over to research at a time when you need more data not less. Moreover, the Working Party 29 of the European Commission has just come out with a consultation report on how to interpret consent under the new GDPR and they’ve seem to have gone back to a narrower consent. This is disappointing.  We recognize that broad consent does not fit everywhere — a clinical trial on drug A is on drug A not on drug X so consent has to be specific. But I am worried that if the Working Party 29 doesn’t revisit its position on consent in their current explanatory document, we may have taken a step back again from the notion of the ethical acceptability of a broad consent.

But I think reason will prevail, I think WP29 is erring on the side of caution. Hopefully, it will understand the data intensive basis of modern science and that you cannot limit the range of consents needed to one particular explicit, specific consent model.

What influence do you and your colleagues have here?

We’ve already written to the Working Party expressing our concerns and saying that for the last 10 years — it’s not just national biobanks or GA4GH but also the WHO that has recognized broad consent as well as the International Harmonized Clinical Trials guidance and that of the World Medical Association. So it’s not like we’re pulling a fast one on anyone. It has made its way through trial and error over the last decade as a recognized approach. It’s not the only approach, but for certain areas of data-intensive science, it’s essential.

Can you highlight some of the planned REWS deliverables going forward?

The new stuff, yeah! So let’s start with the GDPR. The new GDPR allows an organization or industry to adopt a Code of Conduct for a specific area. So as a Code on Health-Related Data is being developed by BBMRI-ERIC, the REWS wants to make sure that it resonates outside of Europe as well.  If there is such a Code on Health-Related Data, international research and collaboration could benefit provided there is international harmonization. Then, as a researcher all you have to say is, “We will adhere to the EU Code of Conduct for Health-Related Data,” to be considered privacy compliant. This would be akin to a commonly understood and accepted ISO privacy standard for example, that Canadians, Americans, Brazilians, South Africans, Chinese, and so on can use —  a Code of Conduct would allow them to receive health data from Europe or send data to Europe. The REWS wants to help make the Code sufficiently international.

Another challenge is to prepare both a cloud access policy and a high-level return of results policy. I think there will be very many country specific interpretations of such an international return of results policy, which is fine as the starting point is common. Similarly, for cloud computing and access, we want to internationalize overall policy approaches.

The international participant values survey is ongoing and very exciting. It exists in 13 languages just like the Framework. The results are going to be extremely important in the kinds of decisions we make and for policymakers as well. Because if they look at the survey and see what individual participants in different countries want or are concerned about — and this across countries, this is informative for actionability.

A final word. What is researcher bona fide status for authentication and authorization to access data? If we’re going to open things up and allow people to go online and register so as to collect and share data — how do we know that you are really “you” and how do we know that you are a bona fide professional or whether you are really a person of integrity? There’s a lot of trust riding in this data sharing business and this authentication issue has to be addressed before we put more data out there than under a controlled access system.

How do we maintain trust, privacy, and responsibility with data sharing in an increasingly open era?

Considering the current climate of concern over unconsented data circulating around the world, GA4GH needs to remain transparent on the principles, policies, and tools it has put in place since 2014. Building on the Framework, they form an anticipatory governance regime for secure and responsible data sharing that respects the wishes of participants.