Protecting Genetic Information in Health Research: The Canadian Approach

Data Protection and Biomedical Research Forum

April 25, 2007
Barcelona, Spain

Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada


Introduction

I am honoured to have the opportunity to join you here today, at this seminar dedicated to examining the daunting challenge of regulating research uses of personal information, particularly, genetic information, in pluri-national and federal states. Canada has 14 separate federal, provincial and territorial jurisdictions, all implicated in one way or another in privacy and health care matters. This gives Canada the same kind of jurisdictional headaches that other countries like Spain, Germany, Switzerland and Australia, with similar federal systems, can certainly relate to.

Outline

In Part 1 of this presentation, I will provide an overview of Canadian federal, provincial and territorial data protection laws. In Part 2, I will discuss how these laws apply to the collection, use and disclosure of personal information in the context of health research. Finally, in Part 3, I will attempt to address some specific challenges we are facing in Canada in regulating genetic information in particular. I am certain that you are facing many of these same challenges in your own countries, so I hope my remarks today will help in some small way to contribute to this joint discussion.

Part 1: A Brief Overview of Canadian data protection laws

As many of you already know, Canada’s federal system is comprised of a federal government, as well as ten provinces and three territories. Federal and provincial legislative powers are divided in accordance with the separation of powers entrenched in our Constitution Act since 1867. The Federal Government may legislate to govern its own public institutions, in addition to general matters of national importance and specific matters, such as trade and commerce. Provinces, for their part, may regulate their own parallel institutions, as well as other matters that take place within their respective borders, such as property and civil rights, health care, education, etc.

As you can well imagine, the collection, use and disclosure of genetic information for so many potential purposes, by so many potential actors, cuts across these federal-provincial legislative powers, resulting in a mix and overlap of applicable laws. Although there are multiple statutory regimes related to our topic of discussion today (e.g. laws creating statutory torts of invasion of privacy, human tissue gift acts, laws governing clinical records and registries, food and drug regulations governing clinical trials and human rights laws protecting the right to privacy), I will, in the interest of time, focus only on the application of data protection laws, as the most directly applicable, commonly-used and relevant to today’s discussion.

In Canada, we have not, to date, attempted to introduce genetic-specific data protection laws. Genetic information is not afforded exceptional legal status, and is for the most part treated the same way as other personal information in our general data protection regimes. Furthermore, there is no specific category of "sensitive" information such as that identified in the European Union Data Protection Directive and many other data protection laws.

Federally, Canada has two data protection laws: the Privacy Act, which was adopted more than 25 years ago to regulate the collection, use and disclosure of personal information by federal government institutions in carrying out their operating programs and activities. Moreover, under its trade and commerce power, the federal legislature adopted the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, which applies to private sector organizations and their data-related activities in most parts of the country. I say only "most" because PIPEDA provides that organizations covered by substantially similar provincial laws, where they exist, are exempted from PIPEDA. Whether a provincial law will be considered substantially similar to PIPEDA is determined by the Federal Government in accordance with established standards, by way of formal Order in Council, and on recommendation by our Commissioner.

Turning to the provinces and territories now: All provinces and territories have public sector data protection laws that apply to provincial government institutions in each province or territory. For the most part, these laws closely mirror the federal Privacy Act and apply in parallel to their respective public institutions.

Three provinces have adopted private-sector data protection laws, which have been formally deemed to be substantially similar to PIPEDA. Commercial activities that occur in these three provinces and that are subject to the provinces’ substantially similar laws are exempt from the application of PIPEDA. However, any transfer of personal information that occurs across borders, or any collection, use or disclosure of personal information carried out in all the remaining provinces that do not have substantially similar private sector laws, continues to be regulated by the federal law, PIPEDA.

Four Canadian provinces have enacted specific health sector legislation that applies to collection, use and disclosure of personal health information by health information custodians in each province. These could include a mixture of public and private bodies, such as: health professionals, professional regulatory bodies, health care facilities, laboratories, pharmacies, regional health authorities, provincial health boards, and some relevant government institutions, such as Health Ministries and departments. The application of these provincial health sector laws to public health information custodians will take precedence over that province’s general public sector law. Their application to any private health information custodian in that province will apply concurrently with PIPEDA. The exception to this is Ontario’s Personal Health Information Protection Act, which has been deemed substantially similar to PIPEDA, and therefore, has exclusive application over any private health clinics, laboratories or pharmacies in that province.

Part 2: Application of Canadian data protection laws to Health Research

All of the data protection laws I just surveyed regulate to some extent the collection, use and disclosure of personal information, including genetic information, for research purposes. Although the relevant provisions differ across jurisdictions, typically, most of them are more or less constructed as follows.

Depending on whether they are public sector, private sector or health sector laws, they cover relevant organizations falling within their scope of application that collect, use or disclose personal information for various purposes, including research under certain conditions.

Before an organization can disclose personal information to a third party researcher who is outside the scope of the Act, the law will typically require there to be a research agreement between the covered entity and the third party researcher. Sometimes the law, and/or its accompanying regulations, will specify in more or less detail the provisions and undertakings that must be included in such contractual arrangements. So while the Act may not cover third-party researchers, its requirement that covered entities enter into research agreements to bind researchers to specific terms and conditions via contract, serves as a means of essentially extending the scope of its application.

Also, the law may require that collection, use or disclosure of personal information or personal health information for research purposes be subject to review and approval by designated research ethics committees. While research ethics boards are not governed by the Acts, their oversight role is sometimes referred to as a condition for collection, use or disclosure for research purposes. Moreover, notification to the relevant Privacy Commissioner’s office may also be required, and in some cases, prior approval by the Commissioner must be obtained. The nature of that role among Privacy Commissioners may vary from jurisdiction to jurisdiction. For example, the Commissioner may act as a tribunal with order-making powers, or it may act as an ombudsman, with the power to make only non-binding recommendations.

Generally, these laws:

  • Are based on modern principles of fair information practices
  • Apply to information about identifiable individuals
  • Require the purpose to be legitimate, appropriate, reasonable
  • Limit the collection, use or disclosure to that which is necessary
  • Require informed consent as a general rule, though the form and elements of that consent may vary
  • Permit non-consensual collection, use and disclosure of personal health information for research, on an exceptional basis, subject to specific conditions, including:
    • identifiable data must be justified to meet the research objective
    • there must be some form of harm/benefit analysis or public interest test
    • it must be impracticable to obtain consent from the individual
    • individuals cannot be contacted without prior authorization
    • there are specific rules for data matching and linkages
    • research confidentiality agreements are often required, and
    • the approval of the custodian of the health information, the Research Ethics Board and/or Privacy Commissioner is required.

In addition to relevant laws governing privacy in health research, there are other important non-legal instruments that provide strong incentives for researchers to protect personal information, including genetic information, in the course of their work.

For instance, the Tri-Council Policy Statement on Research Involving Humans sets out ethical conditions for research, including general privacy and confidentiality obligations, and more specific conditions for genetic research and the use of human tissue. Any research project or program sponsored by one of Canada’s three major federal funding agencies (health, social sciences and natural sciences and engineering), must be approved by a research ethics board in accordance with this Policy Statement before any research funding will be released to hundreds of academic institutions across the country (including universities, research centres, affiliated hospitals, etc.). Moreover, by virtue of a Memorandum of Understanding between the federal research agencies and their funded institutions, even privately-sponsored research studies, to the extent they are carried out under the auspices of these publicly-sponsored academic institutions, must likewise be reviewed and approved by research ethics boards in accordance with these same ethical standards. Further, there are many other provincial and voluntary health agencies that have adopted this Policy Statement and require the same conditions be met before they will agree to contribute their funds to research. Our country’s federal health research agency, the Canadian Institutes for Health Research, has recently published more detailed privacy best practices as a further accompaniment to the Policy Statement as applied to health research.

So, even though they are not legally binding, national policies and best practices that guide the review and approval of research ethics boards as a necessary condition for funding, provide strong practical incentive for privacy protection. The influence, authority and legitimacy of these policy instruments should therefore not be underestimated.

Part 3: Current Challenges

I will now turn to address a few of the current challenges we face in trying to protect genetic information in the context of health research in Canada, which you may find similar to issues you are experiencing elsewhere. For instance:

The Right to Know and Not to Know

One of the fundamental principles of data protection laws in Canada, as elsewhere, is the right to access personal information about oneself. There is no statutory acknowledgment of the right not to know about oneself – a concept that seems antithetical to modern fair information practices. Unwanted knowledge about one’s genetic characteristics can have profound consequences on individuals, particularly children. This may involve predicting with more or less probability the onset of a serious debilitating or fatal disease, or revealing previously unknown facts about biological parentage or family links. In a report our office published more than 16 years ago, entitled Genetic Testing and Privacy, we described the reasonable expectation of genetic privacy as including two aspects: the right to not have others know information about one’s possible genetic destiny, and the right not to know information about oneself. We recommended that neither governments nor the private sector should oblige persons to learn their genetic traits or disorders.

At the international level, the Council of Europe Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine (1997) speaks of the requirement to observe the wishes of individuals not to be informed about information collected about their health. This would obviously include genetic information. The UNESCO Universal Declaration on the Human Genome (1997) speaks of the need to respect the right of each individual to decide whether or not to be informed of the results of genetic examination and the resulting consequences. But, despite the growing number of such international instruments that now recognize the right not to know, nothing exists in Canadian data protection laws to ensure that protection.

Informed Consent: An ongoing process

Another foundational principle of data protection legislation, of course, is the need to obtain consent from individuals before collecting, using or disclosing their personal information. To be meaningful, this consent must be free and informed, based on a specific description of the intended purpose. This concept assumes a particular transaction at a discrete point in time.

However, the collection of personal information, including genetic information, from tens if not hundreds of thousands of individuals to be included in large-scale biobanks for future research purposes cannot be treated as a particular transaction at a discrete point in time. In data protection terms, consent clauses so broad as to constitute a form of blanket license to use individuals’ personal information for unlimited time and for yet undefined research purposes would not likely be valid.

To meet the requirements of data protection laws, consent must be as specific as possible and tailored to individuals’ preferences, particularly when the creation of the biobank will involve ongoing contact with individuals to collect further data over the course of their lifetime as a platform for longitudinal research studies on a wide range of health and lifestyle factors. But how to manage that ongoing consent process in a way that is respectful of individuals’ autonomy and practically feasible over the long term remains a challenge that current laws do not address. How do we accommodate individuals’ preferences to be enrolled in some types of research and not others? How do we deal with the changing legal capacity to consent as children become adults, and as adults become incapable over time of deciding for themselves? Particularly challenging is how to respect individuals’ wishes to withdraw consent should they come to change their minds about their involvement in the biobank: is there understanding and agreement on what that really means? Does it mean agreeing not to enrol them in any further research projects? Does it mean agreeing to withdraw their data from the research database? Does it mean extracting their data from research that has already been conducted and published, which would clearly be impossible?

Equally important are the requisite mechanisms and strategies put in place to promote openness and transparency and ensure that consent remains informed on an ongoing basis. Public engagement strategies are critical for gauging people’s level of acceptance and respecting the general boundaries beyond which they are not prepared as a society to go.

Information about "Identifiable" "Individuals"

All of Canada’s data protection laws apply to personal information, defined as information about identifiable individuals. Two concepts embedded in that definition are particularly challenging to apply to the collection, use and disclosure of genetic information for research purposes. The first is the concept of identifiability:

In our 1992 report on Genetic Testing and Privacy, we recommended that, wherever possible, genetic research should use anonymous, unlinked genetic samples or information. To the extent that genetic information is truly anonymized, data protection laws will not even apply to the collection, use and disclosure of such information. But this statutory silence begs the question: Is there a residual privacy interest even in anonymized genetic information? Some Canadian scholars argue that there may well exist a privacy interest independent of having one’s identity exposed to others. This is based on jurisprudence under our Canadian Charter of Rights and Freedoms that recognizes privacy as forming a part of one’s fundamental right to dignity, integrity and autonomy, even though our data protection laws do not expressly reflect a continuing interest in anonymized information.

Another concept embedded in the term personal information defined as information about an identifiable individual, is the concept of individual. Yet we know that genetic information extends beyond the individual and comprises information about families, and in some cases, entire communities. For instance, population-based studies may reveal certain characteristics linked to genetic traits shared by particular groups of individuals who can be readily identified by virtue of common descent, geographic location or ethnic origin. Stigma may begin to attach to members of the larger group, resulting in undesirable discrimination. Data protection laws are completely silent on these broader family and community implications of genetic information which extend beyond the privacy and confidentiality of the individual.

Governance of Research Ethics: Who Oversees the Process of Oversight?

Beyond recognizing that data protection laws are limited when it comes to protecting the particularities of genetic information, the question of whether these laws should be changed to accommodate these different conceptual notions remains open. Should these issues even be regulated by law at all? Some may hold the view that special concepts introduced by genetics are better regulated by flexible means such as research ethics guidelines, as is currently the case in Canada.

However, in Canada generally, apart from Quebec, there is little, if any, legislative or regulatory scheme governing the process of research ethics review. As I mentioned, there are significant funding levers in place which require review and approval by research ethics boards (REBs), but there is no means in place for overseeing the REBs themselves. REBs are constituted by volunteers who give their unpaid and unrecognized time to serve. There is presently no statutory or regulatory mechanism in place (accreditation, certification or the like) ensuring the proper composition and institutional independence of these boards, ensuring their level of knowledge, expertise and competence, regulating their meeting process, requiring standards of accountability for decision-making and record-keeping, and ensuring some degree of coordination and harmonization in their approach to multi-centred trials, etc.

Because REBs are currently a creature of voluntary practice, put in place by institutions as a necessary condition for public research funding, there is no overarching requirement for research ethics approval across the board, resulting in significant gaps, including other activities that are not considered research, such as quality assessments, etc., and research that is privately funded and carried out completely outside academic institutions, which do not require any REB review at all.

Health Research: Regulating in a Bubble vs. the Modern World

To date, data protection laws have regulated the collection, use and disclosure of personal information for health research, as a separate and defined area of activity. However, in reality, we live in a world of more and more connectivity, where activities can no longer be governed as separate bubbles.

One reality outside the health research world that is becoming increasingly prevalent in the larger world we live in is the amount of state and commercial surveillance we have come under. The U.K. Privacy Commissioner, Richard Thomas, has referred to our general complacency in respect of this phenomenon, as "sleepwalking into a surveillance society".

As we create biobanks for research purposes, we must be mindful of the increasing pressures from the state and private sector to potentially tap into these databases for other purposes. In most countries that do not have extensive law enforcement DNA databanks, it is not difficult to imagine that police agencies would soon become very interested in gaining access to these databases. All they need is a valid search warrant. And in an age where we are seeing a gradual erosion of the reasonable expectation of privacy based on the significant lowering of the legal threshold for law enforcement and national security purposes, there would be very little in the way of the law to stop authorities from doing so. In the absence of some statutory immunity, no researcher, and no research agreement, can override the authority of a valid search warrant or legal subpoena compelling the production of personal information.

While we could remain secure in the knowledge that good, dedicated, ethical health researchers and health information custodians will stand on guard at the gateway to prohibit access to linkable data for these other purposes, we cannot be completely naïve in thinking that trust alone is enough.

Conclusion

My final message is an echo of what so many others have said, but that bears repeating. Genetic research holds great promise for individuals and society. But it also carries with it the spectre of a world where, increasingly, our genetic characteristics can be used to differentiate, and potentially discriminate. We must always remain aware of the risks of genetic research, and while we may be supportive of those who are doing it, and even applaud their work, we must continue to scrutinize, challenge, and question, so as to maintain a healthy space for critical analysis, exchange and discourse.