With ever more genomic data flowing from an increasingly wide range of sources, and multiple parties collecting, storing, processing and analyzing it, how can Life Sciences companies keep control over that information? The key concerns center on genomic data privacy, reliability and security.
Privacy laws and regulations governing the processing of personal data for research purposes are a complex area requiring careful navigation. Of all the new pieces of privacy regulation across the world, the one with potentially the greatest impact is the EU's General Data Protection Regulation (GDPR). Because it covers the processing of personal data of individuals in the EU regardless of where that processing takes place, the GDPR applies to Life Sciences and technology companies developing IoT solutions, and to third parties handling data on the data controllers' behalf.
The main considerations with regard to genomics relate to transparency and to the legal basis for processing.
Transparency
Individuals using IoT devices through which personal data is collected and fed into clinical trials should be aware of which organizations collect their data and for what purposes it is used. They also need to be informed of their privacy rights, such as the right of access to, rectification of and deletion of the data. It is understandably difficult to provide such comprehensive information when the data is collected through wearable or ingestible devices, technologies that often leave very little scope for presenting a transparent privacy notice.
Legal basis for processing
Another significant challenge faced by organizations collecting genomic data is finding a suitable legal basis to justify the processing. Given the sensitive nature of such data, the justification could be explicit consent from the individual or, for entities within the scope of the GDPR, processing that is necessary for reasons of public interest in the area of public health.
Whilst capturing informed consent shows respect for personal autonomy and is an important ethical requirement in research, it may also present serious hurdles. Under the GDPR, consent must be freely given, specific, informed and unambiguous. Meeting the specificity requirement can be tough because research purposes are hard to identify in advance. This is especially true for big data, where data mining techniques search for correlations within data sets without the baseline of a specific test hypothesis.
And whilst the GDPR allows individuals to give their consent only to certain areas of research, it is extremely difficult to manage a full audit trail of consent for each area of research and for each individual taking part.
By contrast, processing data for reasons of public interest — such as ensuring high standards of medicinal products or medical devices — may be less onerous.
Overall, Life Sciences companies need to balance ethical considerations against the practicalities of privacy management, to identify the most suitable basis for processing personal data relating to medical research.
Genomic data is just one example of how life sciences is becoming one of the most data-intensive industries, and consequently highly susceptible to privacy risks. To leverage personal information as an asset, Life Sciences organizations should develop a robust privacy and data governance framework, supported through clear ownership and accountability for privacy across the organization.
Not surprisingly, Cyber Security looms large in the Life Sciences sector, especially for patient data generated from clinical trials. Genomic data, sensitive health data, or the formula for a complex molecule drug is worth far more on the black market than, for instance, credit card data.
To mitigate privacy and Cyber Security risks, more and more organizations are trying to de-identify personal data. However, as a recent article in Wired magazine puts it: “To completely eliminate the risk of outing an individual based on their DNA records, you’d have to strip it of the same identifying details that make it scientifically useful.”
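The quote above describes a trade-off that is easy to state and easy to underestimate. The following added example (written for this page, not code from the article or from any named organization) makes it concrete on a constructed data set: direct identifiers have already been replaced by opaque pseudonyms, yet the genotypes at a handful of SNP loci still single out individuals, an attacker who knows a few of a target's genotypes can link them back to a pseudonymised record, and forcing every genotype combination to be shared by at least two people leaves only two of the five loci releasable. The locus names (`rs1` to `rs5`), the pseudonyms and all genotype values are invented for the illustration.

```python
"""
Why pseudonymisation is not anonymisation for genomic data.

Constructed sample: names have been replaced by pseudonyms, and each
record keeps its genotype at five hypothetical SNP loci, encoded as the
number of copies (0, 1 or 2) of the alternate allele.
"""
from collections import Counter
from itertools import combinations

LOCI = ("rs1", "rs2", "rs3", "rs4", "rs5")

# Constructed, pseudonymised records: pseudonym -> genotype per locus.
RECORDS = {
    "P01": {"rs1": 0, "rs2": 1, "rs3": 2, "rs4": 0, "rs5": 1},
    "P02": {"rs1": 0, "rs2": 1, "rs3": 2, "rs4": 0, "rs5": 2},
    "P03": {"rs1": 0, "rs2": 1, "rs3": 1, "rs4": 1, "rs5": 1},
    "P04": {"rs1": 1, "rs2": 1, "rs3": 1, "rs4": 1, "rs5": 1},
    "P05": {"rs1": 1, "rs2": 2, "rs3": 0, "rs4": 2, "rs5": 0},
    "P06": {"rs1": 1, "rs2": 2, "rs3": 0, "rs4": 2, "rs5": 1},
    "P07": {"rs1": 2, "rs2": 0, "rs3": 0, "rs4": 1, "rs5": 0},
    "P08": {"rs1": 2, "rs2": 0, "rs3": 1, "rs4": 1, "rs5": 0},
}


def genotype_key(record, loci):
    """The genotype tuple over the chosen loci: a quasi-identifier."""
    return tuple(record[locus] for locus in loci)


def equivalence_classes(records, loci):
    """How many records share each genotype tuple over `loci`."""
    return Counter(genotype_key(r, loci) for r in records.values())


def k_anonymity(records, loci):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(equivalence_classes(records, loci).values())


def fraction_unique(records, loci):
    """Share of records that no other record matches on these loci."""
    classes = equivalence_classes(records, loci)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def link(records, known):
    """Linkage attack: an attacker who already knows some of a target's
    genotypes (say, from a public genealogy upload) keeps the pseudonyms
    consistent with them. One hit re-identifies the record without a name."""
    return sorted(
        pseudonym
        for pseudonym, record in records.items()
        if all(record[locus] == g for locus, g in known.items())
    )


def largest_k_anonymous_subsets(records, loci, k):
    """Largest sets of loci that can be released together while every
    genotype tuple is shared by at least k records. The size of the result
    relative to len(loci) is the scientific utility that anonymisation costs."""
    for size in range(len(loci), 0, -1):
        safe = [s for s in combinations(loci, size) if k_anonymity(records, s) >= k]
        if safe:
            return safe
    return []


if __name__ == "__main__":
    print("k over all loci:", k_anonymity(RECORDS, LOCI))              # 1
    print("unique fraction:", fraction_unique(RECORDS, LOCI))          # 1.0
    print("match for rs3=2, rs5=2:", link(RECORDS, {"rs3": 2, "rs5": 2}))  # ['P02']
    print("releasable for k=2:", largest_k_anonymous_subsets(RECORDS, LOCI, 2))
```

Running it shows that with all five loci every one of the eight records is unique, that two known genotypes are enough to pin down `P02`, and that the only locus set satisfying 2-anonymity is `("rs2", "rs4")`; the other three loci, the ones that carried the discriminating signal, are exactly what has to go. Real studies use hundreds of thousands of loci, so the uniqueness is far more extreme than in this toy set.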
The theft of trade secrets by hackers and company insiders is deemed to be an even larger problem.
The UK Government identified pharmaceutical companies as the primary target for cyber-theft of intellectual property (IP). Since the beginning of this decade there has been an estimated US$12 billion of damages in the UK alone, of which US$2.4 billion was attributed to theft of pharmaceutical, biotechnology and healthcare trade secrets. Overall, the cost of cyber-attacks continues to rise each year.
In the US, the Life Sciences sector is a primary target for cyber-theft of IP. Prominent pharmaceutical companies like Abbott Laboratories, Boston Scientific and Pfizer have already experienced major attacks. The hack of the Food & Drug Administration’s computer center in Maryland exposed sensitive data including drug trial information, chemical formulas and other data for almost every important drug sold in the US.
In past years, Life Sciences organizations have been on an acquisition spree, expanding their footprints, defining and realizing synergies, moving into emerging markets, and trying to personalize products and services to get as close to the patient as possible. M&A of this scale, along with the tidal wave of new technology and data capabilities, means unprecedented exposure to even more nefarious cyber threats and privacy risks. These risks originate most often from competitors and nation-states scheming to capitalize on organizations’ R&D and IP data assets — and even from disgruntled or displaced workers.
Companies naturally want to protect their IP and trade secrets and could suffer serious commercial and reputational damage if such information were to be hacked or go public.
With a growing number of players holding genomic data, it becomes harder to enforce strict data protection policies, which increases the chance of breaches arising from insufficient security measures. Life Sciences executives need to help their organizations maintain a keen Cyber Security focus, instilling cyber-risk awareness and instigating action throughout the organization. In short: they should check the risks and not just check the box.
© 2020 R.G. Manabat & Co., a Philippine partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.