Iceland's Dilemma: Privacy Versus Progress

A small Icelandic startup has been granted a 12-year license to create and manage a database of the entire nation's medical and genetic records. Can it make medical history without violating patient privacy?


One of Mannvernd’s main complaints is that the Health Sector Database Act is based on the presumed consent of Icelandic citizens. Furthermore, Icelanders who consent to give blood for one of DeCode’s disease studies must agree to have their DNA used for other studies without knowing what those might be. Thanks to Mannvernd’s complaints, Icelanders can now opt out of having information entered into the database by filling out a form, and so far 20,000 of Iceland’s population of 280,000 have. Of course, if their information is already in the database, they don’t have the right to opt out.

But now Mannvernd has a new dragon to slay. Until March 2001, the medical data, blood samples and genealogical information DeCode has access to were sent first to the Icelandic government’s Data Protection Commission, where the personal identification numbers on them were encrypted, and then sent on to DeCode. One or two government workers did the encryption, an iffy system that created some lag time. "It’s a definite security risk if a government worker has an encryption key in his wallet that he might lose," Gudbjartsson says.

To address such risks, DeCode developed an encryption tool known as the Identity Protection System. After months of testing the system, the government replaced those individuals carrying encryption keys in their pockets with the automated encryption software. The encryption takes place at the Noatun Research Services Center, a blood collection facility financed by DeCode, where doctors send those patients who agree to participate in DeCode studies. Members of the Data Protection Commission of Iceland can log in remotely, find out what data has been sent back and forth, and halt the process if they so choose.

But Hauksson and others say that doesn’t go far enough. In a small country like Iceland, they argue, it’s easy to figure out individual identities based on clinical data, even if personal identification numbers are encrypted. Mannvernd has filed a case in court, suing the government and DeCode for violating Icelanders’ right to privacy.

DeCode says a majority of Icelanders support its work, at least according to a recent Gallup Poll it commissioned. But Hauksson attributes that result to a DeCode marketing campaign that appealed to Icelanders to contribute to the global fight against diseases. Though Hauksson thinks the Icelandic population does offer a wealth of data for genetic disease research, he would prefer that public institutions use the data in the interest of medical progress rather than profit. Neither DeCode nor its partners, Hauksson points out, have revealed any data on their disease-gene discoveries for others in the genomics community to verify or build on.

Opposition to DeCode’s information monopoly isn’t limited to Icelandic naysayers. Dr. George Annas, a medical ethicist and professor at Boston University’s Schools of Law, Medicine and Public Health, says DeCode should obtain informed consent from individual Icelanders before including their medical records in the database and should allow them to withdraw from studies they don’t approve of. The Data Protection Commissioner of the European Union and the World Medical Association have echoed those beliefs.

DeCode’s Stefansson shrugs off the criticism. "The opposition isn’t large; it’s just been somewhat noisy," Stefansson insists. Pointing to DeCode’s third-party encryption technology, he says it would be a lot easier to get information on Icelanders by simply walking into a doctor’s office and grabbing their records.

Annas says that the controversy over DeCode is mild compared with what would erupt if other companies and national governments attempted similar collaborations. And while no one expects a U.S. company to gain the kind of monopolistic access to national medical, genealogical and genetic information that DeCode has, similar databases are expected to proliferate on a smaller scale, generating the same ethical concerns.

"[DeCode] took advantage of a very different climate in Iceland about these issues," says Dr. Russ B. Altman, president of the International Society of Computational Biology. "I don’t think a U.S. company could do the same thing, but many companies may form alliances with smaller medical entities, like Kaiser Permanente or another large health-care organization, to assimilate some of this data.

"Ethical issues," Altman concludes, "are paramount in this kind of research."


Copyright © 2001 IDG Communications, Inc.
