The Presidential Commission for the Study of Bioethical Issues released its report regarding recommendations to address the privacy of human genomic sequencing data. Many of the recommendations involve changes to the informed consent process. The recommendations may affect a broad category of entities involved in genomic research including institutions, pharmaceutical and biotechnology companies, biorepositories, non-profit research organizations, contract research organizations and third party laboratories, data storage and analysis companies.

As we reported in our previous Client Alert, the Commission studied the balance between individual privacy concerns related to whole genome sequencing in genetic research and clinical care and the need for broad information gathering to promote scientific and medical discovery. The Commission’s report, Privacy and Progress in Whole Genome Sequencing (the “Report”), contains proactive recommendations to lay the groundwork for instituting policies and regulations. The recommendations generally involve the issues of informed consent related to whole genome sequencing and protection of genomic sequencing data.

Informed Consent Process

The Report recommends that the consent process include information about what whole genome sequencing is; how data will be analyzed, stored, and shared; the types of results the patient and study subject can expect to receive, if relevant; and the likelihood that the implications of some of these results might currently be unknown, but could be discovered in the future. The Commission recommended that consent documents for whole genome sequencing address a number of issues specific to whole genome sequencing such as an explanation of the science, whether whole genome sequence data collected for clinical applications will be made available for research purposes, and what types of results will be produced through whole genome sequencing.

The Report also recommends that the Office for Human Research Protections (OHRP) or a designated central organizing federal agency establish guidelines for informed consent forms for research that involves whole genome sequencing. Specifically, the Report recommends that informed consent forms: 1) briefly describe whole genome sequencing and analysis; 2) state how the data will be used in the current study, and state, to the extent feasible, how the data might be used in the future; 3) explain the extent to which the individual will have control over future data use; 4) define benefits, potential risks, and state that there might be unknown future risks; and 5) state what data and information might be returned to the research subject.

A controversial issue in the Report involves communicating research results and incidental findings to the research subject. An incidental finding is information obtained from research that was not an intended or expected result. The Report recommends that researchers, clinicians, and commercial genome sequencing entities (such as laboratories) adopt strong consent processes that allow research subjects to understand that incidental findings are likely to be discovered in the course of whole genome sequencing. The Report asserts that the consent process should convey whether these findings will be communicated, the scope of communicated findings, and to whom the findings will be communicated.

Importantly, the Commission noted that there exist a number of frameworks for the return of research results and incidental findings and that researchers could offer to return study subject results that 1) are analytically valid; 2) are in compliance with the Clinical Laboratory Improvements Act (CLIA); 3) the research subject has consented to receiving; 4) are clinically actionable; and 5) present an “established and substantial risk of a serious health condition.”

Data Security

The Commission made data security recommendations for funders of whole genome sequencing research (such as pharmaceutical/biotechnology companies and non-profit research organizations) and managers of research, clinical, and commercial databases (such as biobanks, data storage companies and contract research organizations).

The Report recommends that these entities maintain or establish clear policies regarding access to and permissible uses of whole genome sequence data and that this data be deidentified whenever possible. It further recommends that these policies should ensure the security of whole genome sequence data while allowing the data to be shared by individuals who want to share their whole genome sequence data with clinicians, researchers, or others. The process should apply to all recipients of the data, from those who collect the sample or data through third-party storage and analysis service providers. The Report also states that these entities be responsible for breaches in whole genome sequence data security (such as breaches due to hacking or stolen laptops).

Any organization involved in the genomic sequencing process (including genomic research funding, sample collection, genomic research, laboratory analysis or data storage) should evaluate and adopt robust consent and data security policies and procedures that allow research subjects, patients, and others to understand who has access to their whole genome sequences and other data generated in the course of research, clinical, or commercial sequencing; how the data might be used in the future; and what data and information may be returned to the individual if they so consent. In addition, these organizations should establish strong policies and procedures for access, use, disclosure and protection of the confidentiality of genomic sequencing data. These policies should reflect the permitted uses stated in the informed consent and/or authorization.