Journal of Community Genetics. 2018 Feb 22;9(3):195–199. doi: 10.1007/s12687-018-0358-4

Risk stratification, genomic data and the law

Alison Hall, Thomas Finnegan, Susmita Chowdhury, Tom Dent, Mark Kroese, Hilary Burton
PMCID: PMC6002307  PMID: 29470710

Abstract

Risk prediction models have a key role in stratified disease prevention, and the incorporation of genomic data into these models promises more effective personalisation. Although the clinical utility of incorporating genomic data into risk prediction tools is increasingly compelling, at least for some applications and disease types, the legal and regulatory implications have not been examined and have been overshadowed by discussions about clinical and scientific utility and feasibility. We held a workshop to explore relevant legal and regulatory perspectives from four EU Member States: France, Germany, the Netherlands and the UK. While we found no absolute prohibition on the use of such data in those tools, there are considerable challenges. Currently, these are modest and result from genomic data being classified as sensitive data under existing Data Protection regulation. However, these challenges will increase in the future following the implementation of EU Regulations on data protection which take effect in 2018, and reforms to the governance of the manufacture, development and use of in vitro diagnostic devices to be implemented in 2022. Collectively these will increase the regulatory burden placed on these products as risk stratification tools will be brought within the scope of these new Regulations. The failure to respond to the challenges posed by the use of genomic data in disease risk stratification tools could therefore prove costly to those developing and using such tools.

Keywords: Risk assessment, Stratification, Genomics, Cancer, Law

Introduction

Two emerging themes are currently driving developments in modern healthcare: the increasing use of large quantities of data to inform healthcare decision-making and the growing emphasis on the personalisation of medicine. At the convergence of these themes is the notion that genomic and other data may be used to stratify individuals into different ‘risk bands’ for disease, with the offer of differential preventive interventions according to risk.

A number of systems have arisen to drive and facilitate this kind of stratification, whether or not informed by genomic data, for example the development of algorithms to determine disease risk scores and software developed to implement those algorithms. In this paper, we refer to both of these as ‘risk assessment tools’; by ‘genomic data’, we refer to single-nucleotide polymorphisms used as biomarkers, and also longer stretches of genomic data consisting of multiple or even hundreds of base pairs.

The legal and regulatory implications of incorporating genomic data into risk assessment tools have not until recently been studied in detail, but it is important that developers and users of those tools have an understanding of the challenges involved in using genomic data for those purposes. In 2015 these issues were considered by the PHG Foundation as part of EPIC-CVD—a pan-European initiative involving 28 partners, including 23 centres across 10 European countries. EPIC-CVD was designed to provide evidence-based options for cost-effective individualised cardiovascular disease (CVD) risk assessment. As part of the project, the PHG Foundation examined the main legal and regulatory implications of incorporating genomic information into cardiovascular risk stratification using a workshop-based approach supported by desk-based research. In this paper, we provide an account of some of the important regulatory challenges identified.

Key findings

While there are no insurmountable legal or regulatory obstacles, we found that there is a range of challenges to the use of genomic data in risk assessment tools. These include variations in data protection requirements between different countries in the EU and the uncertain status of risk assessment tools within the EU in vitro medical devices regime.

Data protection: the status of genomic data

Data protection law in the EU gives genomic data modest legal protection. Currently, the data protection laws in EU Member States are derived from a Directive (EU Data Protection Directive 1995). A Directive is a type of legislation made at the EU level but implemented differently by each constituent Member State. In May 2018, this Directive will be replaced by the General Data Protection Regulation (EU Data Protection Regulation 2016), a different type of EU-level legislation which applies directly in Member States and does not require them to enact implementing legislation.

Data protection law treats various ‘types’ of data differently. In some circumstances, data protection law includes exceptions that allow data to be processed in circumstances where otherwise it would not be permitted.[1] The most obvious of these is where the person to whom the data relate provides their consent,[2] but there are also other important exceptions, including where data are used for medical purposes.[3] Under the Directive, there is no specific category assigned to genetic or genomic data, and available guidance suggests that both are likely to fall under the more general heading of ‘health data’ (Article 29 Data Protection Working Party 2015; Bourne 2000), which are given strong protection and cannot be used outside of specific circumstances. This interpretation applies both to ‘genetic’ and ‘genomic’ data.

Because genomic data are currently classified in this way, the addition of genomic data to disease risk assessments usually makes little practical difference from a data protection perspective, because risk assessments already use health data.

In implementing the Directive, some EU Member States have developed unique provisions applicable to genomic data which go beyond those requirements relating to general health data. In some circumstances, these provisions could offer an additional challenge to the inclusion of genomic data in disease risk assessment. For example, French law proscribes the automatic processing of genetic data unless authorisation is given by the French competent authority (Loi n° 78-17 1978);[4] Dutch law prohibits the processing of data ‘concerning inherited characteristics’ unless that processing ‘takes place with respect to the data subject from whom the data concerned have been obtained’ (Wet bescherming persoonsgegevens 2000).[5] However, both French and Dutch law contain significant exceptions permitting such data to be used for medical purposes: in France, this includes processing by doctors or biologists which is necessary for preventive medicine, diagnosis and care (Loi n° 78-17 1978), while in the Netherlands, the processing of genetic data is limited to the data subject even if that person has consented to wider processing for the benefit of another person such as a family member, unless exemptions prevail (Sheikh 2008).

The changing environment for storing, processing and integrating data since the mid-1990s has resulted in calls for a complete overhaul of data protection laws across Europe. After almost a decade, this has resulted in substantial revision to the existing legislative framework. The resultant EU General Data Protection Regulation will potentially impact upon risk stratification tools incorporating genetic/genomic data in several important ways: genetic data (defined in the Regulation as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person’ giving ‘unique information’ about their physiology or health, resulting from an analysis of a biological sample)[6] are identified as a special category of personal data for which Member States may maintain or introduce further conditions or limitations. Although one of the objectives of updating the law on data protection was to achieve greater harmonisation between Member States, since the General Data Protection Regulation explicitly allows some flexibility, the variability noted above is likely to continue.[7]

Under current and forthcoming data protection regulation, the permissible grounds for data processing are predicated on the purpose for which disease risk assessment is performed. In most cases, the use will fall within whatever medical purpose exception applies, whether under the category of health data or other more specific data categories. But disease risk assessment tools may be used for non-medical purposes, for example, online direct-to-consumer (DTC) genetic testing services. The extent to which these are considered ‘medical’ is unclear, so medical exceptions may not apply in those situations. Where medical exceptions do not apply, the use of health data would be restricted. As a further complication, the use of risk assessment tools may often necessitate the transfer of data across national borders. Thus, although protections for health-related data are broadly the same across EU Member States, incorporation of genomic data could cause complications to the delivery of disease risk assessment if relevant Member States have a separate data protection category relevant to genomic data, or if services are provided on a direct-to-consumer basis.

Any cross-border non-medical disease risk assessment that includes genomic data will probably, but not necessarily, involve DTC genetic testing at some stage, because the subject of the risk assessment is unlikely to already have access to the relevant genomic data. Different EU Member States have different approaches to DTC genetic testing, ranging from very little regulation in the UK to a ban in France (both on providing and on seeking such tests) (Loi n° 800 2004; Loi n° 267 2011; Loi n° 814 2011). In the UK, the only regulation specifically regarding DTC genetic tests is the voluntary guidelines published in 2010 by the now defunct Human Genetics Commission (Human Genetics Commission 2010). More comprehensive analysis of this topic is outside the remit of this paper, but it should be noted that if genomically informed risk assessment is offered across borders, it may be inadvertently covered by rules restricting DTC genetic testing, which adds an additional and important layer of complexity.

The inclusion of genetic data in risk stratification tools to prospectively target screening interventions could also be limited by provisions that restrict the use of automated individual decision-making, including profiling. Decisions based on such tools would not be binding on data subjects unless they had provided their explicit consent or the processing is deemed necessary ‘for reasons of substantial public interest’ on the basis of Member State or Union law, and proportionate, and shown to safeguard the fundamental rights and interests of the data subject by suitable and specific measures.[8]

Once the positive predictive value of such tools improves, they could be used within screening programmes to stratify populations at risk of disease into various sub-groups, each of which could be offered different types of intervention. As automation becomes increasingly feasible, the implementation of such ‘profiling’ is unlikely to be harmonised given a likely divergence between different Member States in the way that risk stratification tools are regulated, and therefore used.

In vitro diagnostic devices: the status of risk assessment tools

Under the current in vitro diagnostic devices Directive (EU In Vitro Diagnostic Medical Devices Directive 1998), disease risk assessment tools are likely to qualify as in vitro diagnostic medical devices (IVDs). Risk assessment software may qualify either as an IVD in its own right, as ‘standalone’ software, or as an ‘accessory’ to another IVD; it is likely that the algorithms that calculate the risk scores would qualify only as accessories. Whether a device is an IVD has important implications for those developing these tools, as IVD status requires compliance with complicated and potentially expensive conformity assessment, performance evaluation and labelling requirements. Furthermore, the nature and extent of these requirements are determined by IVD classification; an accessory, for example, takes on the requirements applicable to the IVD to which it is an accessory. However, there is uncertainty as to whether risk assessment software that takes into account genomic data could qualify as standalone software under the IVD Directive, since four criteria must be fulfilled: the device must be software that constitutes a medical device; it must do something more than simply store, communicate or search data; it must not be incorporated into another device; and finally it must constitute an ‘expert system’, a system intended to capture and analyse together several results obtained for one patient in order to provide information.

The IVD status of genomically informed risk stratification tools has been quite unclear in the past, partly because of conflicting interpretations about the extent to which results should be obtained exclusively from IVD medical devices or be combined with other data (European Commission 2016; Medicine and Healthcare products Regulatory Agency 2016).[9] This ambiguity has been rectified to some extent by European and UK regulatory bodies publishing more harmonised guidance, but considerable complexity remains. Where there is continuing ambiguity, developers should consider contacting the appropriate regulatory body to clarify whether their work falls under these laws and take appropriate steps to ensure compliance if it does: legal advice may be necessary.

However, the legal framework for medical devices and in vitro diagnostic devices regulation is changing substantially: new Regulations come into force from 2020 onwards, with an EU medical device regulation and an EU in vitro diagnostic medical device regulation coming into force in May 2020 and May 2022, respectively (EU Medical Devices Regulation 2017; EU In Vitro Diagnostic Medical Devices Regulation 2017). Once this occurs, it is more likely that disease risk assessment tools will be classified as IVDs. In the IVD Regulation, an in vitro diagnostic medical device explicitly includes ‘software’ and there is greater clarity about the interconnection between the software and a device; the definitions of both medical devices and IVDs have been expanded to include purposes more relevant to risk assessment; and the relationship between devices and accessories is more clearly stated, i.e., the need to ‘enable’ the device to be used in accordance with its intended purpose or to directly assist the medical functionality of the associated device.[10] Significantly, software intended for general or well-being purposes, even if used within a health care setting,[11] is not an in vitro diagnostic medical device, although other regulations may apply.[12] This distinction is likely to become increasingly important as health systems focus on personalisation as a means of delivering more effective, targeted care.

However, the most important change suggested in the Regulation is the alteration of the risk classification band applicable to devices used for genetic testing. Annex VIII places all devices used for human genetic testing in Class C, the second highest risk category, imposing comprehensive requirements for clinical evidence of performance and effectiveness before the risk algorithms can be placed on the market. The thresholds are even more onerous if the devices are intended for self-testing or near-patient testing by health care professionals, including those in primary care. The application of stricter controls to risk assessment tools, if they are classified as accessories to genetic testing devices, seems likely to mean that such tools will take longer to get to market, since clinical evidence might be difficult to accrue given the longer timescales involved in risk reduction and disease prevention. This could be a powerful disincentive for manufacturers to develop and launch disease risk assessment tools for use in healthcare.

As these Regulations get closer to implementation, it is important that lack of clarity over the legal status of potentially useful risk tools is not a deterrent to their development and implementation. A more harmonised approach could be facilitated by developing a code of conduct pursuant to Article 40 of the General Data Protection Regulation, which could address specific challenges arising in relation to these tools, particularly around data collection and integration. Such codes could also promote debate amongst stakeholders about how to take account of restrictions on profiling without compromising the potential clinical and public health utility of these tools.

Conclusions

Although our analysis was performed in the context of risk assessment for cardiovascular disease, regulations are rarely disease-specific. Our conclusions are therefore generalisable to any disease risk assessment tools and overall to the way algorithms and software are classified under EU in vitro medical devices regulation. Failure to recognise the challenges outlined, and to abide by the rules associated with them, could cause legal complications and lead to additional development costs. As such, appropriate steps should be taken by anyone developing, providing or using risk assessment tools and services whether they are academics, physicians or employees of commercial entities. These steps include engaging in effective discussions with relevant national regulatory bodies (such as the Medicines and Healthcare products Regulatory Agency in the UK), and where necessary, seeking formal legal advice.

Acknowledgments

We gratefully acknowledge the participants in the international workshop for their valuable contributions: Ms. Teresa Bienkowska-Gibbs, Dr. Anne Cambon-Thomsen, Mr. Edward Dove, Dr. Christian Gleißner, Professor Aart Hendriks, Mr. Julian Hitchcock, Dr. Stephen John, Dr. Kiran Patel, Dr. Rupert Payne, Dr. Emmanuelle Rial-Sebbag, Dr. Mark Taylor, Dr. Holger Tönnies and Professor David Townend.

Funding

This work was part of the European Prospective Investigation into Cancer and Nutrition—Cardio Vascular Disease (EPIC-CVD) (http://www.epiccvd.eu/), funded by the Seventh Framework Programme of the European Commission under grant agreement 27923.

Compliance with ethical standards

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Footnotes

  1. EU Data Protection Directive Article 8 stipulates that the processing of special categories of data, including health data, shall be prohibited, but sets out a list of exemptions in the rest of this Article.
  2. EU Data Protection Directive Article 8(2)(a).
  3. EU Data Protection Directive Article 8(3) provides that these purposes include preventative medicine, medical diagnosis, the provision of care or treatment or the management of health care services where those data are processed by a health professional subject to obligations of professional secrecy or another person owing an equivalent obligation of secrecy.
  4. Article 25(1)(2) requires that prior authorization be given by the National Commission of Informatics and Liberties.
  5. Article 21(4) stipulates that personal data on hereditary properties may only be processed in respect of the person from whom the data has come unless for a ‘serious medical interest’ or that processing is necessary for scientific research or statistics.
  6. As defined in Article 4(13) of the EU General Data Protection Regulation (2016).
  7. Article 9(4) stipulates that Member States ‘may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’.
  8. Article 22 of the General Data Protection Regulation. This might be addressed on a sectoral basis through codes of conduct pursuant to Article 40 GDPR.
  9. ‘The information provided by the software is based on data obtained with IVD medical devices only or possibly combined with information from medical devices.’ European Commission (2016), pages 25 and 26.
  10. EU IVD Regulation (2017) Article 2 clarifies that this assistance must be limited to the medical functionality of the device for its intended purpose.
  11. EU IVD Regulation (2017) Recital 17.
  12. These include mHealth products, for which a legal framework is being developed at European level.

References

  1. Article 29 Data Protection Working Party (2015) Annex—health data in apps and devices. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf Accessed 24 July 2017
  2. Bourne I (2000) Written evidence from the Office of the Data Protection Commissioner to the Select Committee on Science and Technology. Written Evidence: letter from the Office of the Data Protection Commissioner. https://publications.parliament.uk/pa/ld199900/ldselect/ldsctech/115/115we34.htm Accessed 24 July 2017
  3. European Commission (2016) MEDDEV 2.1/6 Guidelines on the qualification and classification of stand-alone software used in healthcare within the regulatory framework of medical devices. https://ec.europa.eu/docsroom/documents/17921 Accessed 26 July 2017
  4. EU Data Protection Directive (1995) 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995). http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML Accessed 24 July 2017
  5. EU General Data Protection Regulation (2016) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN Accessed 24 July 2017
  6. EU In Vitro Diagnostic Medical Devices Directive (1998) 98/79/EC of the European Parliament and of the Council of 27 October 1998 on in vitro diagnostic medical devices. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01998L0079-20120111&qid=1489068115776&from=EN Accessed 24 July 2017
  7. EU In Vitro Diagnostic Medical Devices Regulation (2017) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2017:117:TOC Accessed 26 July 2017
  8. EU Medical Devices Regulation (2017) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2017:117:TOC Accessed 15 August 2017
  9. Human Genetics Commission (2010) A Common Framework of Principles for direct-to-consumer genetic testing services. http://webarchive.nationalarchives.gov.uk/20100303164049/http://www.hgc.gov.uk/UploadDocs/Contents/Documents/Principles%20consultation%20final.pdf Accessed 24 July 2017
  10. Loi n° 78-17 (1978) Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés. https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460 Accessed 24 July 2017
  11. Loi n° 800 (2004) Loi n° 2004-800 relative à la bioéthique. https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000441469 Accessed 24 July 2017
  12. Loi n° 267 (2011) Loi n° 2011-267 d’orientation et de programmation pour la performance de la sécurité intérieure. https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023707312&categorieLien=id Accessed 24 July 2017
  13. Loi n° 814 (2011) Loi n° 2011-814 du 7 juillet 2011 relative à la bioéthique. https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000024323102 Accessed 24 July 2017
  14. Medicine and Healthcare products Regulatory Agency (2016) Guidance: Medical device stand-alone software including apps (including IVDMDs). https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/610189/Software_flow_chart_Ed_1-03.pdf Accessed 26 July 2017
  15. Sheikh AA (2008) The Data Protection Acts 1988 and 2003: some implications for public health and medical research. Health Research Board Discussion, p 102. http://www.hrb.ie/uploads/tx_hrbpublications/Data_Protection_Opinion.pdf Accessed 24 July 2017
  16. Wet bescherming persoonsgegevens (2000) Data Protection Act. http://wetten.overheid.nl/BWBR0011468/2017-07-01 Accessed 24 July 2017
