Medical Law International
CERTAINTY IS ABSURD: MEETING INFORMATION SECURITY REQUIREMENTS IN LAWS ON POPULATION GENETIC DATABASES

HÖRÐUR HELGI HELGASON
LM Attorneys, Reykjavík (*)

SUSAN M C GIBBONS
University of Oxford

ABSTRACT

   This paper describes the problem of determining whether plans for a population genetic database in Iceland met statutory information security requirements. It discusses the approach taken by the relevant governmental authority, which involved employing technical standards to solve the problem. By examining the background to the project, and the main challenges it faced, the paper aims to draw out insights and lessons to inform the way in which future projects are designed and governed. It reflects critically on the results of trying to meet legal requirements for information security by using technical information security standards. Particular attention is given to the founding legislation of the project, and the court case that eventually found that legislation to be unconstitutional.

‘Doubt is not a pleasant condition, but certainty is absurd’(1) – Voltaire

1. INTRODUCTION

   As data processing tools become more sophisticated, their potential range of practical application grows, especially when paired with large datasets. Such technological advances have spurred all manner of data processing activities in every area of modern society, literally changing the way we think and live. One area heavily affected by this progress is research, not least medical research. There, not only are the potential benefits great, but so is the purpose. What nobler use of technology can there be than fighting disease? So it is with this laudable goal in mind that medical researchers have set about constructing vast databases on human populations. Commonly termed ‘population biobanks’(2) or ‘population genetic databases’ (PopGDs),(3) these databases typically contain health-related information drawn from biosamples and medical and familial records on very large sets of people.
   While research biobanks, health data registries, and population-based collections used for epidemiological research have existed for many years, PopGDs are a relatively new development.(4) Among their key characteristics, PopGDs typically aspire to include physical genetic samples and various sets of personal, lifestyle, health-related and genealogical data obtained from hundreds of thousands, if not millions, of individuals. Established primarily and explicitly to enable research into the genetic and environmental factors implicated in the development of common complex diseases, PopGDs are designed to be longitudinal, following participants over many years. They are intended to function as research platforms, supporting a potentially limitless variety of future projects—and to be accessed by a similarly wide range of researchers, both national and international.
   However, the aggregation of such large datasets on individuals into PopGDs, containing information on matters generally considered to be highly sensitive and private, raises numerous concerns— especially relating to data security and the crucial need to maintain public trust. To address these concerns, various countries have taken to enacting legislation containing information security requirements to govern the construction and operation of PopGDs.(5) But how well have such measures worked when it comes to their implementation? What dangers or pitfalls can arise? What are the inherent limitations of data security, and what are their implications for utilising and evaluating this method of governance?
   This paper takes a retrospective look at attempts to construct one such database system—the Icelandic Health Sector Database— using legislation containing information security requirements. That PopGD was to be constructed in Iceland, where the Data Protection Authority is the governmental body that regulates personal data processing.(6) Taking the Icelandic PopGD as an empirical case study, this paper reflects critically on the results of trying to meet legal requirements for information security by using technical information security standards. In so doing, it draws out insights and lessons that aim to inform the way in which future PopGD projects are designed, implemented and governed. In particular, it identifies a worrying tendency for policy-makers to take an overly simplistic view of the issues involved; a tendency which is largely due to the ever-increasing complexities of those issues. This raises a host of problems—not least, the use of ambiguous terminology, and far-reaching (and sometimes inappropriate) delegations of powers without satisfactory guiding principles or criteria.

NOTES
* The authors are grateful to the anonymous referee and to Jane Kaye for invaluable comments, suggestions and advice.
1 Voltaire, in a letter to Frederick the Great, 16 April 1767.
2 See, eg: Council of Europe Recommendation Rec(2006)4 on Research on Biological Materials of Human Origin (adopted 15 March 2006), article 17. Available at https://wcd.coe.int/ViewDoc.jsp?id=977859 (last accessed 17.02.08).
3 V. Árnason, ‘Introduction: Some Lessons of ELSAGEN’ in M. Häyry et al. (eds), The Ethics and Governance of Human Genetic Databases – European Perspectives (Cambridge: CUP, 2007) 1.
4 On the huge variability of collection types and PopGDs see, eg: M.A. Austin, S.E. Harding and C.E. McElroy, ‘Monitoring Ethical, Legal, and Social Issues in Developing Population Genetic Databases’ (2003) 5 Genetics in Medicine 451; I. Hirtzlin et al., ‘An Empirical Survey on Biobanking of Human Genetic Material and Data in Six EU countries’ (2003) 11 European Journal of Human Genetics 475; S.M.C. Gibbons et al., ‘Governing Genetic Databases: Challenges Facing Research Regulation and Practice’ (2007) 34 JLS 163, 174 (and references cited therein).
5 J. Kaye et al., ‘Population Genetic Databases: A Comparative Analysis of the Law in Iceland, Sweden, Estonia and the UK’ (2004) 8 TRAMES 15, 15.
6 The first author of this paper acted as Chief Legal Counsel to that agency in 2001, when most of the events discussed in this paper took place. He has since joined an Icelandic law firm, whose clients include the operating licensee of the database, Íslensk erfðagreining ehf. He does not represent either entity in this paper.

2. THE ICELANDIC HEALTH SECTOR DATABASE: BACKGROUND AND LEGISLATION
