Policy recommendations for addressing privacy challenges associated with cell-based research and interventions

Background: The increased use of human biological material for cell-based research and clinical interventions poses risks to the privacy of patients and donors, including the possibility of re-identification of individuals from anonymized cell lines and associated genetic data. These risks will increase as technologies and databases used for re-identification become affordable and more sophisticated. Policies that require ongoing linkage of cell lines to donors' clinical information for research and regulatory purposes, and existing practices that limit research participants' ability to control what is done with their genetic data, amplify the privacy concerns.
Discussion: To date, the privacy issues associated with cell-based research and interventions have not received much attention in the academic and policymaking contexts. This paper, arising out of a multi-disciplinary workshop, aims to rectify this by outlining the issues, proposing novel governance strategies and policy recommendations, and identifying areas where further evidence is required to make sound policy decisions. The authors of this paper take the position that existing rules and norms can be reasonably extended to address privacy risks in this context without compromising emerging developments in the research environment, and that exceptions from such rules should be justified using a case-by-case approach. In developing new policies, the broader framework of regulations governing cell-based research and related areas must be taken into account, as well as the views of impacted groups, including scientists, research participants and the general public.
Summary: This paper outlines deliberations at a policy development workshop focusing on privacy challenges associated with cell-based research and interventions. The paper provides an overview of these challenges, followed by a discussion of key themes and recommendations that emerged from discussions at the workshop. The paper concludes that privacy risks associated with cell-based research and interventions should be addressed through evidence-based policy reforms that account for both well-established legal and ethical norms and current knowledge about actual or anticipated harms. The authors also call for research studies that identify and address gaps in understanding of privacy risks.


Background
Uses of human biological materials for cell-based research and interventions have re-ignited persistent worries regarding the protection of genetic privacy in an era where openness, sharing, and access to affordable and accessible genetic testing technologies are increasingly commonplace. While the privacy challenges associated with cell-based research and interventions are by no means unique, they have become more evident in light of the considerable public interest and scientific excitement surrounding ground-breaking recent discoveries in the field, such as induced pluripotent stem cells (iPSCs) [1,2], somatic-cell nuclear transfer (SCNT) derived human embryonic stem cells (hESCs) [3] and triploid human embryonic stem cells (hESCs) [4]. In this article, we examine and offer recommendations for addressing these privacy challenges through the lens of cell-based research and interventions, while recognizing that the derivation and sharing of stem cell lines are a critical part of good scientific practice [5], and that the privacy challenges discussed here are engaged equally (or perhaps more markedly) in other contexts, such as in relation to genetic research and biobank datasets. Indeed, our discussion of the stem cell context will necessarily canvass and draw upon the academic literature on privacy issues facing genetic research.
In the context of cell-based research and interventions, a specific concern relates to potential privacy risks surrounding research uses of iPSCs. There is emerging scientific consensus that these stem cell lines retain substantial genetic characteristics of the parent/donor somatic cell or tissue [6,7]. Accordingly, an individual could be re-identified from anonymized or anonymous genetic data derived from such cell lines. Moreover, in most cases, cell lines will be linked to the donor's clinical information for both research and regulatory purposes [8]. Insecure handling or misuse of these lines and associated clinical information could also result in disclosure of personal information to unauthorized parties. The highly collaborative nature of cell therapy research and the transnational movement of stem cell lines and associated health information reinforce privacy concerns, and have generated calls for policy intervention [9-11]. Privacy concerns, among other ethical and legal issues associated with cross-jurisdictional transfer of stem cell lines, also suggest a need for harmonization of policy responses across jurisdictions [12-15]. Indeed, it has been observed that conceptual and logistical impediments to international sharing of biological resources can be overcome by harmonizing privacy standards through a continuing process that fosters the interplay of different national viewpoints [16].
Furthermore, recent studies have demonstrated the possibility of re-identifying research participants from anonymized genetic data [17-19] by linking such data with freely available information in the public domain, such as familial database records, and demographic information obtained through Internet searches [10,18,20-22]. However, these re-identification studies currently require highly sophisticated technical ability and technological resources, and involve complex and specialized processes, with very limited success rates [23]. Also, institutional data use policies may preclude or impose stringent conditions on re-identification of research participants from anonymized genetic data or other health information. While it is possible that re-identification could become easier or more successful with advances in data linkage technologies, and proliferation of reference databases (including genealogy websites, genome-phenome data banks, and linked electronic medical records) [18,22,24,25], the potential risks of re-identification are presently neither manifest nor pressing in magnitude or feasibility [26]. That said, the potential for re-identification has generated significant policy and media attention and scrutiny [27-34].
It has been suggested that re-identification may cause a variety of harms, including harms to donors' privacy interests [9,10], the possibility of genetic discrimination in the context of employment, health care, and life and medical insurance [35-37], and inappropriate disclosure of stigmatizing, embarrassing or incriminating genetic information [10,35,38]. Also, unauthorized re-identification of anonymous research participants could undermine public trust in genetic research and result in public reluctance to donate biological material for genomics research [39,40]. However, there is presently little evidence to support fears that these harms will materialize [21,41,42]. Genetic discrimination in insurance, for example, is uncommon because the predictive ability of genetic testing is limited, and most of the information that would arise is already disclosed through evaluation of family and medical history [36,42-44].
The foregoing privacy concerns are made more sensitive by emerging practices that challenge well-established legal and ethical norms. For instance, consent models such as broad consent (which enables donors to consent to prospective, as-yet-unknown research uses of their donated materials) are increasingly common in genomics and related research contexts [45-47]. Likewise, an increasing number of policy instruments limit the right to withdraw consent to the use of donated biological materials to a time before the materials are used for research or a stem cell line is created [45,48-53]. These practices remain controversial and have generated significant discussion in the academic community [52-56]. In many jurisdictions, including Canada, Australia, the U.S. and the E.U., voluntary informed consent to identified or specific research studies is required by applicable policies [57-62]. However, research ethics committees (RECs) can approve studies that depart from this rule, on a case-by-case basis, but only if there is minimal risk to participants and the failure to obtain consent will not adversely affect participant welfare, or if it would be impossible or impractical to carry out the research without prior consent from participants [57-59].
Given the significant public interest in cell-based research and interventions, privacy is likely to be a hot area of policy debate. However, to date, there have been few, if any, attempts to examine the privacy issues arising in this context, or to formulate proactive evidence-based policy guidance to address associated risks. To this end, and under the auspices of the Office of the Privacy Commissioner of Canada Contributions Program, we convened a workshop to facilitate focused scholarly and policy reflection and analysis on the privacy risks and issues associated with cell-based research and interventions. Workshop participants consisted of the authors of this paper, and represent a multi-institutional, multidisciplinary group of legal scholars, bioethicists, privacy experts, data security experts, bioinformaticians, stem cell scientists, and trainees in all these areas. Using a workshop format we have successfully employed in the past to generate debate and consensus on policy recommendations [8,63,64], participants presented on and discussed the following topics: cell-based research and interventions, current governance regimes and associated challenges, data security and re-identification studies, privacy and open access, and consent requirements. Following the presentations, recommendations formulated by the workshop conveners (Ogbogu, Caulfield and Burningham) were presented for deliberation and revision. In the next section, we outline key themes and specific policy recommendations that emerged from the discussions at the workshop.

Theme 1: Re-identification risk is a moving target
Recent research studies have demonstrated the possibility of successful re-identification of de-identified genetic data [18,19]. While these studies raise serious questions about whether de-identification-based privacy guarantees are adequate to protect research participants against unlawful use and disclosure of their genetic information, it should be borne in mind that re-identification attacks are presently technologically rigorous and expensive, have limited success rates, and require specialized equipment and access to other health data. Re-identification attacks therefore do not currently raise a level of risk that should be met with restrictive policies, such as restrictions on open access and on sharing of genetic research data. Open access policies should be combined with acceptable use or data use agreements that prohibit re-identification and/or misuse.
The risk of re-identification may increase as technology improves and/or publicly accessible databases containing genetic information linkable to identifiable individuals become more widespread. Policies designed to prevent unauthorized re-identification should be based on evidence of actual or anticipated harm, and incorporate processes for ongoing evaluation of anticipated risk or harm.
Theme 2: Informed consent: "The devil is in the defaults"^a
As previously stated, many jurisdictions require researchers to inform research participants about and obtain their consent to specific research uses of their biological materials and associated genetic or other health information. This requirement is typically subject to limited exceptions and must be complied with prior to commencement of research. Participants must also be made aware of any legally or ethically sanctioned limits to exercising meaningful control over their personal health or genetic information once the research has commenced.
To ensure "a consistent floor of privacy protections" [34], p. 5, these policies should be maintained as the default in relation to uses and disclosure of genetic information and associated health data. Departure from the default rules may be warranted, but only where the public interest in the departure clearly outweighs a corresponding public interest in protecting and preserving individual privacy and autonomy. The rationale for setting aside the default rules must be clearly and specifically demonstrated, and balanced against actual evidence of consequent benefits and risks. This approach is necessarily case-specific, and should be implemented by a body or institution that is familiar with, or structured to obtain and incorporate into its deliberative and decision-making process, multiple perspectives on the research context, associated privacy challenges, participant preferences, and the risks and benefits of proposed exceptions. While it remains an open question whether or not RECs can fulfill these roles within the scope of their present mandates [65], an emerging alternative is the establishment of data access committees that are charged with the responsibility of overseeing requests or applications for research use and disclosure of personal health data, and with monitoring and responding to privacy challenges resulting from innovations in health research [26,65].
Theme 3: Beyond re-identification risk and consent: grounding the default in a "big picture" view of policy development and analysis
There is a need to move scholarly reflection beyond discussion of re-identification risks and consent issues surrounding research involving human biological materials. To encourage a shift in focus, researchers should prioritize two other relevant areas: the broader framework of policies and regulations applicable to privacy issues in this context (such as the impact of access to information law on participant rights and researcher responsibilities), and studies of affected groups' views, such as the views of research participants, the public, and researchers working in this area. Some work has been done in both areas, including studies of public and stakeholder opinions [66-68] and a recent analysis of Canadian judicial doctrine and its implications for participants' rights of continued access to and control over genetic and other health information [69]. However, de-identification is still an important tool in the privacy "tool-box". Even though de-identification of cell lines may not guarantee privacy, it is one tool to employ in the construction of a privacy framework and will work in conjunction with other approaches, such as education and strengthening of governance mechanisms.
In accordance with this "big picture" approach to policy development, default rules should be broadly based on existing policy rules and norms, including privacy and access to information laws, research ethics guidelines, government reports and white papers, and non-binding policy statements issued by influential scientific or research ethics organizations [34,70-80]. Gaps and warranted exceptions should be addressed through governance mechanisms designed to balance competing public interests that arise in this research context. To facilitate cross-border research collaborations, national policies should be designed to allow for harmonization with other jurisdictions.
Lastly, affected groups' perspectives must be taken into account in designing policy, including the views of scientists, clinicians, institutional managers and research participants. Research on missing or incomplete perspectives should be encouraged and prioritized. Specifically, these groups should be included in policy deliberations and in the actual policy-making process, in addition to more traditional "top down" approaches to public consultation such as public opinion surveys, focus groups and public commentary.

Recommendation #1: Changes to existing policies
Existing legal and ethical policies (including privacy and access to information laws and research ethics policies) should be extended to cover research involving human biological material that contains identifiable genetic information about a research participant. No special rules or exceptions need apply. Specifically:
i. research participants must be informed of known risks of re-identification of de-identified genetic data at the time of donation and consent;
ii. researchers and research institutions should inform research participants about new risks of re-identification as they emerge;
iii. researchers and institutions seeking to use or share human biological material and/or de-identified genetic data must have policies and processes in place to monitor and respond to re-identification risks, including but not limited to controlled access mechanisms;^b
iv. legal definitions of "personal information", "personal health information" and similar terms should be expanded to include "human biological material";
v. the term "information custodian" and other similar terms in privacy and access to information legislation should be defined to include "persons or institutions that collect, use, share or disclose human biological material or genetic information derived from such samples";
vi. institutional sharing policies should address privacy protections for associated clinical health information collected with human biological material;
vii. policymakers should seek to harmonize policies across jurisdictions, and to coordinate monitoring and enforcement processes;
viii. institutions should work out inter-institutional arrangements to deal with privacy issues either through delegated or centralized review; and
ix. privacy regulators should establish mechanisms to monitor technological developments and review and update best practices in relation to privacy risks attending to research uses of human biological materials.

Recommendation #2: Changes to governance mechanisms
The role of RECs in privacy governance in the context of cell-based research should be clarified. At the moment, some hurdles may stand in the way of effective oversight, including the fact that RECs may lack experience in privacy matters or may exchange rigorous ethics review for bureaucratic box checking [65,81,82]. Accordingly, legislation and relevant policies should set out dedicated governance frameworks to monitor and respond to privacy challenges in the context of cell-based research. Options to consider include:
i. revising membership requirements to include mandatory representation by a privacy expert or IT security specialist; or
ii. establishing an independent "data access committee" to review research protocols that raise significant privacy concerns (perhaps on a referral basis from RECs) and to provide general guidance in response to anticipated or existing privacy challenges.

Summary
Addressing privacy challenges and issues facing cell-based research and interventions requires collaborative reflection among and response from multiple interested parties, including scientists, privacy experts, bioethicists, legal scholars and policymakers. This paper outlines the first attempt at such an endeavour, and provides a summary of key themes and recommendations to facilitate and guide both future discussions and policymaking activities in this context. While the issues canvassed in the paper, chiefly the privacy risks surrounding ongoing linkage of stem cell lines to research participants' genetic and clinical information, deserve scholarly and policy scrutiny, they are not necessarily unique. They must therefore be met with measured evidence-based policy reforms that account for both well-established legal and ethical norms and current knowledge about actual or anticipated harms.
Research on privacy issues in this context should focus on gaps in knowledge, such as canvassing the views of persons or groups whose interests are most likely to be affected. Lastly, policy development in this context must be necessarily proactive and aimed primarily at maintaining public trust in and support for cell-based research and interventions.
Endnotes
^a This phrase is borrowed from Ian Kerr's presentation at the workshop, and is referenced in his earlier editorial discussing Facebook and privacy [83].
^b In controlled-access agreements, one party agrees to provide the other with access to specific data or material on certain conditions relating to security practices or confidentiality [84].