[...]
One of the most controversial elements in the proposed regulations is how researchers conduct secondary experiments on biospecimens. Under the current rule, researchers do not require informed consent for secondary research performed on 'non-identified' biospecimens. In lay terms, researchers don’t need your permission to run tests on specimens taken for other reasons, such as the leftover blood or tissue from a routine doctor’s visit, as long as the specimens can’t be linked to you. However, as TechInsider explains:
But that "stripped of your personal information" bit is tricky—and easily bungled. Researchers have shown that today, they can use genetic testing and information on the internet, for example, to re-identify samples that were supposed to be anonymous. Nobody imagined that could happen back in 1991.
[...]
Consent in the Age of Big Data
We disagree with HHS’s assertion that it may not be as important to require informed consent in research that involves algorithmic analysis of “big data.” Instead, we argue, that while “big data” does make research easier, these technological advancement can also enhance the rights of human subjects. HHS also should be wary that “big data” can reproduce and exacerbate existing inequalities and injustices.
As we write:
First, computational and data-storage advances have increased the ease with which researchers can receive, track, send, and enforce fine-grained consent on the same databases they will be manipulating to perform their research.
Second, this ease of data transfer has had a paradigm-shifting impact on the ability of entities to aggregate deep databases on individuals—the disclosure of which have much more of an impact on patient privacy than the disclosure of databases did in the past.
Broad vs. Granular Consent
While the proposed rule would require informed consent for secondary research on “non-identified” biospecimens, the type of consent HHS envisions is not enough to protect subjects:
Unfortunately, the updated Rule would implement this requirement via a broad consent for future research, under which any such research would be “exempt” research that would not require annual continuing review by an IRB. We seriously question this approach. First, broad consent to future research is arguably the least meaningful form of individual consent. The human subject will not know what the future biospecimen research entails, how it will affect him or her, how the biospecimen or research data will be shared, or which biospecimens they can expect to provide in the time period that this consent is presumed valid for.
Second, while genomic-related research and technology is of great potential benefit, its rapid evolution also presents significant risk and uncertainty to privacy and social control, especially given the increasing use by law enforcement and government of genetic identification. And quite apart from the concerns about government access, use or disclosure of genetic data raises ethical and privacy issues for individuals in the employment and other private-sector contexts.
The proposed rule is based on the assumption that “individual tracking” of test subjects is too much of a burden for researchers. We obviously disagree; individual tracking can be easily accomplished with modern technology, such as APIs. As we explain:
For example, if the specimens may only be used if the researcher reports which specimens they are using and which information they intend to extract, then the researcher can query the database for fields that record a more fine-grained consent for secondary research. An individual could therefore offer consent for only certain kinds of experiments, and could require that information to be received by researchers before they undertake any experiments. And before a person undertakes research on the specimen, they could be required to confirm that their study fits into the permission granted from the human subject, and to check with the original specimen-collecting researcher to confirm that the cumulative information gathered from the tests will not surpass the human subject’s individual de-anonymization threshold.
[...]
Intelligence Activity Exemption
The proposal includes exemptions for intelligence surveillance activities. Since the intelligence communities have long histories of using creative interpretations of the law and regulations, we believe that any exemption should be subjected to heightened review. As we write:
[The policy] offers practically no limitation to an intelligence community with a history of expansively interpreting limited exemptions.
[...]
