As regulators bed down rules on privacy and consent, R&D heads are thinking about how to speed up the pace of innovation. The future research agenda, therefore, should address the commercial, regulatory, technological and ethical challenges of getting new products to market quicker.
All Life Sciences companies need robust internal policies for keeping data safe, secure and reliable; policies that extend to all customers/patients, suppliers and partners, ensuring anonymity and pseudonymity, and avoiding any data tampering. With fake news, data leaks and breaches hitting the headlines, trust in data has become a hugely important issue. In this section we outline the five pillars of a robust genomic data strategy.
1. Standardized sequencing and analysis
The science behind genomics should be reproducible, to ensure that results are reliable and can be compared. Reproducibility is the ‘litmus test’ of robust science. Regrettably, R&D units and sequencing labs often sequence on different platforms, using a variety of software and analysis techniques. Without a common standard, something as simple as the amount of time a blood sample spends in a centrifuge, or the temperature during testing, can distort findings and prevent meaningful comparisons.
With more and more community platforms being used to access biobanks and other repositories, there are literally dozens of strategies available to sequence genomes. According to one study on technical analysis: “Each approach makes trade-offs between the cost of sequencing, time to results, and type and frequency of errors. This means that different approaches may produce different results and these differences may have important clinical implications. To move toward precise genomic medicine, we must be able to reliably sequence and decipher the difficult regions of the genome.”
There is some hope that, from a data perspective, use of blockchain technology can help bring greater consistency to sequencing during clinical trials. With its immutable nature, this technology helps to ensure traceability and data integrity, so trials can be automated and standardized.
To maintain and foster individuals’ trust, personal data should be used for limited purposes and in line with the expectations set with the individual at the point of data collection. Privacy notices should be clear and accessible to individuals whose genomic, health and lifestyle data is being collected. Due consideration should also be given to the best format for notice requirements: for instance, ‘Just in Time’ notices can go a long way towards meeting the transparency requirements for individuals using wearable devices. Organizations using genomic data must also consider the most suitable legal basis for processing the data (with attention given to the GDPR requirements and other privacy laws applying to the organization), and establish their ethical position on using individuals’ data for medical research.
Companies should appoint a Data Protection Officer (DPO) to oversee IT, Legal and other functions involved in processing genomic information, to vouch for reliability, trustworthiness and completeness of data, and confirm legal consent for its use. One of the key governance goals is to balance the desire for new products with a commitment to accurate and credible trial reporting, to avoid any inaccuracies that could backfire in future. How data is processed is not just a regulatory matter — security should also be considered.
3. Cyber Security
Life Sciences companies and the industry together will need to commit more resources to managing cyber risk as the threat continues to evolve — with high stakes. European governments have regular meetings with major life sciences companies to participate in cross-industry working groups. Cyber Security is everyone’s responsibility — and it starts at the top. Leadership and all members of the executive management team should be committed, and that commitment should radiate throughout every level of every department. Best practice for Cyber Security involves raising awareness, performing training and simulation exercises, monitoring threats, assessing and detecting vulnerabilities, establishing processes to address weaknesses, adopting disclosure policies, and building systems that mitigate cyber risks.
In safeguarding data, the guiding principle is to constantly assume the possibility of a breach. Cloud technology providers are increasingly expected to provide a high baseline of security. Consequently, Life Sciences companies and their cloud security providers should be carefully assessed to ensure compliance with HIPAA (Health Insurance Portability and Accountability Act of 1996), the GDPR, and other regulations to minimize the impact of data breaches. In assessing the security of cloud technology providers, Life Sciences companies should also check for encryption techniques for data in transit and data at rest, assurance over third-party contracts, and security vetting of employees and other insiders.
Managing access to genomics data
Identity and access management technology is increasingly important for managing general and privileged access to assets for employees, customers and other third parties. This technology is important not only for security, but also to streamline digital transactions across the Life Sciences ecosystem.
Think ahead and make practice a priority
No system can ever be completely secure, so continuous threat monitoring and regular testing of organizational Cyber Security practices are a must, to stay on one’s digital toes and avoid any security or privacy lapses. A crisis response plan is another important safeguard, to build the capability to respond swiftly and appropriately should a breach occur, to stop any further leaks, and to communicate openly with stakeholders and the media.
© 2020 R.G. Manabat & Co., a Philippine partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.