The Swedish Data Protection Authority rejects extension of temporary law on registry research

April 28, 2015

Pär SegerdahlSince the new Swedish law on research databases is delayed, there is a proposal to extend the current temporary law on certain registries for research about what heredity and environment mean for human health (until December 31, 2017).

The Swedish Data Protection Authority rejects extension, because major deficiencies noted previously have not been addressed and since the requirements for purpose identifications are not sufficiently specific and explicit.

Regarding specific and explicit purposes, the Authority gives special weight to a statement by the European so-called Article 29 Working Party, cited in the opinion:

  • “The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specific purpose, and to allow that compliance with the law can be assessed and data protection safeguards be applied. For these reasons a purpose that is vague and general, such as for instance ‘improving user’s experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.”

This I regard as problematic in two ways.

First: In the cited statement the Article 29 Working Party equates the purpose “future research” with purposes like “improving the user experience” and “marketing purposes”. It is unclear if one can equate research purposes with such purposes, since researchers do not intend to return to the persons whose data are collected, to give them specifically profiled consequences. Personal data circulate in a categorically different way in research.

Secondly: The website of the Article 29 Working Party begins with a disclaimer. The group emphasizes that all material on the website solely reflects the group’s views, not the position of the European Commission. The group only has an advisory status and acts independently.

The group’s reasoning about research purposes can be questioned, and it seems to relinquish at least some of the authority that the Data Protection Authority ascribes to it in its opinion.

Pär Segerdahl

Approaching future issues - the Ethics Blog

Experts on assignment in the real world

April 14, 2015

Pär SegerdahlExperts on assignment in the real world cease in part to be experts. Just consider computer experts who create a computer system for the tax authorities, or for a bank, or for a hospital.

In order for these systems to work on location, the computer experts need to be open to what they don’t know much about: the unique activities at the tax authorities, or at the bank, or at the hospital.

Computer experts who aren’t open to their non-expertise on the site where they are on assignment perform worse as experts and will deliver inferior systems.

Experts can therefore not in practice be only experts. If one exaggerates one’s role as an expert, one fails on assignment in the real world.

This should apply also to other forms of expertise. My guess is that legal experts almost always find themselves in this precarious situation of being experts in a reality that constantly forces them to open themselves to their non-expertise. In fact, law appears to be an occupation that to an unusually high degree develops this openness systematically. I admire how legal experts constantly learn about the multifarious realities they act in.

Jurists should be a role model for computer experts and economic experts: because they methodically manage their inevitable non-expertise.

This post indicates the spirit in which I (as legal non-expert) took the liberty to question the Swedish Data Inspection Board’s shutting down of LifeGene and more recent rejection of a proposed law on research databases.

Can one be an expert “purely” on data protection? I think not. My impression is that the Data Inspection Board, on assignment in the world of research, didn’t open itself to its non-expertise in this reality. They acted (it seems to me) as if data protection issues could be handled as a separate field of expertise, without carefully considering the unique conditions of contemporary research and the kinds of aims that research initiatives can have.

Perhaps the temptation resides in the Board’s role as a public body: as an authority with a seemingly “pure” mission.

Pär Segerdahl

We like broad perspectives :

Openness as a norm

March 11, 2015

Pär SegerdahlWhy should scientists save their code keys as long as 20 years after they conducted their study, the Swedish Data Inspection Board apparently wonders. In its opinion to a proposed new Swedish law on research databases, it states that this seems too long a period of time.

Yet, researchers judge that code keys need to be saved to connect old samples to new registry data. The discovery of a link between HPV infection and cervical cancer, for example, could not have been made with newly collected samples but presupposed access to identifiable samples collected in the 1960s. The cancer doesn’t develop until decades after infection.

New generations of researchers are beginning to perceive it as an ethical duty to make data usable for other scientists, today and in the future. Platforms for long-term data sharing are being built up not only in biobank research, but also in physics, in neuroscience, in linguistics, in archeology…

It started in physics, but has now reached the humanities and the social sciences where it is experienced as a paradigm shift.

A recent US report suggests that sharing data should become the norm:

Research is obviously changing shape. New opportunities to manage data mean that research is moving up an IT-gear. The change also means a norm shift. Data are no longer expected to be tied to specific projects and research groups. Data are expected to be openly available for a long time – Open Access.

The norm shift raises, of course, issues of privacy. But when we discuss those issues, public bodies can hardly judge for researchers what, in the current vibrant situation, is reasonable and unreasonable, important and unimportant.

Perhaps it is profoundly logical, in today’s circumstances, to give data a longer and more open life than in the previous way of organizing research. Perhaps such long-term transparency really means moving up a gear.

We need to be humbly open to that possibility and not repeat an old norm that research itself is leaving behind.

Pär Segerdahl

Approaching future issues - the Ethics Blog

The need of a bird’s-eye view

February 25, 2015

Pär SegerdahlIn the previous blog post I wrote about the tendency in today’s research to build common research platforms where data are stored and made open: available for future research, meta-analysis and critical scrutiny of published research.

The tendency is supported at EU level, by bodies responsible for research. Simultaneously, it is obstructed at EU level, by other bodies working with data protection.

The same hopeless conflict can be seen in Sweden, where the Swedish Data Inspection Board time and again stops such efforts or criticizes suggestions for how to regulate them. This month the Data Inspection Board criticized a proposed law on research databases.

It may seem as if the board just dryly listed a number of points where the proposal is inconsistent with other laws or allowed unreasonable infringement of privacy. At the same time, the Data Inspection Board seems alien to the new way of organizing research. Why on earth should researchers want to save so much data so damn long?

How can we handle these conflicts between public bodies that each has his own little mission and thus its own limited field of vision?

Pär Segerdahl

We want to be just - the Ethics Blog

Revised European data protection will make data about rare diseases even rarer

April 30, 2013

EU is currently discussing changes to the European privacy laws. The intention is to strengthen the protection of privacy and to give people more control over their data.

The problem, which I highlighted on The Ethics Blog, is that the new proposal applies also to research. Presently there is an exception for scientific research about health and disease. The proposed revision of the privacy regulation, however, allows no exceptions.

Every person who has given data to a register must according to the new proposal be asked for consent each time researchers want to study some new disease pattern. Patient data can never be used in research without specific consent, and not even historical registers and data from diseased persons are given exception in the new proposal.

A recent article in Nature Reviews Genetics by Deborah Mascalzoni et al. highlights a patient group that is especially vulnerable to the proposed revision: patients suffering from rare diseases. In Sweden a disease is defined as rare if it affects less than a hundred persons in a million.

Data on rare diseases are, as a matter of course, rare. We therefore know little about these diseases and it is difficult to develop effective medical treatments. To achieve statistically significant analyses, researchers must typically share data over national borders. Every lost piece of data about rare diseases can mean dramatically impaired prospects of new drugs and treatments for these patient groups.

Rare diseases are thus a further strong reason for maintaining the current exception for scientific research in the data protection legislation. Read more on the CRB website.

Pär Segerdahl

Approaching future issues - the Ethics Blog

Don’t shoot at the patient (or at the messenger)

April 2, 2013

The newly proposed European Data Protection Directive overprotects research participants and exposes patients to greater risks of contracting illness and dying.

Thus dramatically a recent article in The Lancet Oncology can be summarized, written by Mats G. Hansson at CRB together with Gert Jan van Ommen, Ruth Chadwick and Joakim Dillner.

People who provide data to research registers are not exposed to physical risks, like participants in interventional research. The risks associated with register-based research are informational: unauthorized release of information about participants. One might ask if it even makes sense to say that people “participate in research” when researchers process large data sets.

Patients (and people in general) have significant protection from disease thanks to register-based research. For example, it is estimated that the HPV vaccine will save about 200 women from dying in cervical cancer each year, in Sweden alone. This cancer-preventive treatment became possible because researchers had access to samples dating back to the 1960s providing evidence for a causal connection between a certain virus infection and cervical cancer later in life.

  • Despite this vital value in biobanks and registers,
  • despite the fact that risks are only informational,
  • despite rigorous safety routines to prevent unauthorized spread of information,
  • despite the fact that researchers don’t study individuals but statistical patterns, and
  • despite the question if people really are “participants” in register-based research,

the EU committee proposing the new directive treats the integrity of “research participants” as so pivotal that researchers who process data not only must be subjected to the same ethical review process as for invasive research, but also must obtain informed consent from each and every one who once gave their data to the register, whenever the researchers want to study a new disease pattern.

Data protection efforts easily lose their sense of proportions, it seems, at least concerning register-based research. Not only is one prepared to expose patients to greater physical risks in order to protect research participants from (already rigorously controlled) informational risks.

One also is prepared to disturb data providers who hardly can be described as “participating” in research, by forcing researchers to recontact them about informed consent. Not only on one occasion, but time and again, year after year, each time a new disease pattern is explored in the registers. That’s what I call privacy intrusion!

Pär Segerdahl

We participate in debates - the Ethics Blog

No consent for maintaining high-quality health care?

September 21, 2012

Collecting biological samples and health information from healthy donors in the construction of biobanks and research registers obviously requires the donors’ informed consent.

But is a similar demand for consent reasonable when patients provide their doctor with samples for diagnosis, undergo medical examination and treatment, and answer the doctor’s questions? Or can patients be expected to accept that their traces in the health care system – for example, data about experienced side effects – are monitored to optimize the quality of medical diagnosis and treatment?

A recent article by Mats G. Hansson at CRB discusses the issue. The article in Theoretical Medicine and Bioethics is well-argued and challenges common assumptions.

The basic argument is that quality registers and biobanks within the health care system play such a decisive role in optimizing the quality of the care that we expect as patients, that no consent should be required for collecting and studying our traces as patients (provided that the purpose is maintenance of high-quality health care, and nothing else).

Consent is associated with costs, in the form of drop-out of data. This impairs the value of the information in quality registers and biobanks, and thereby also the conditions for optimizing medical diagnosis and treatment.

Privacy is not the only ethical concern. Quality of care carries moral weight too.

Perhaps we are prepared to accept certain access to our patient histories, if such access is a precondition to maintaining and developing high standards of health care?

Pär Segerdahl

We recommend readings - the Ethics Blog

%d bloggers like this: