Cracking the Code: Privacy, Consent Are Concerns in Gene Studies

OncologyLive, May 2013, Volume 14, Issue 5

The security of genetic data collected from research study participants has emerged as a concern after investigators proved they could ferret out individual identities from large databases.

Maurie Markman, MD

Editor-in-Chief of OncologyLive

Senior vice president for Clinical Affairs and National Director for Medical Oncology Cancer Treatment Centers of America, Eastern Regional Medical Center

An investigative team’s successful efforts to learn the identities of individuals who had submitted genetic specimens for research purposes—with the assurance that such identification was essentially not possible—has sent shock waves through the community of researchers whose programs require tissue or blood samples to undertake critical population-based research.1-3

These events should raise questions for prospective research subjects asked to participate in such projects, no matter how scientifically worthy. Yet, as another study has indicated, most people who allow researchers to compile their personal data are unlikely to spend much time even reviewing the consent forms they sign.

Fortunately, Gymrek et al1 conducted their research into the security of genomic databases under highly controlled circumstances, and no privacy was actually breached. However, the potential for such an event in the real world of genetics research can no longer be viewed as being farfetched. The investigators employed sophisticated laboratorybased techniques and data publically available on Internet sites to achieve this rather distressing outcome.

Of course, this does not mean others with considerably less knowledge and technical skills would be able to undertake this effort successfully, or even that one can easily define a current reason to do so. But that is not really the point. The sole issue to be addressed here involves the rights of the individuals who provide this genetic information to their privacy and the required security. If such safeguards are not possible, then it is essential that potential research subjects be informed of this fact. Imagine the truly devastating impact that the delivery of such a message could have on the future of vitally important and relevant population-based genetic research.

Even without the privacy issue, there are many questions about the informed consent process. In 2011, Desch et al4 evaluated the degree of attention that potential research subjects paid to the informed consent document discussing their participation in so-called “minimum risk” genomic research. The investigators had previously determined the “minimum predicted reading time” (566 seconds at a ninthgrade reading level) required for an appropriate review of an online informed consent document, and had also included a “masked hyperlink” to see how many individuals actually found this link as a means of evaluating the extent of more detailed reading. Remarkably, particularly considering the previously noted study results suggesting the potential for serious privacy and security concerns with genomic data, the median time for “signing the consent” among a sample size of 1209 individuals was less than 10% (53 seconds) of the minimum predicted time required. Further, one-quarter of the population completed the consent process within 10 seconds (suggesting they simply opened the documents and signed), and only 2.5% of the population “identified the hyperlink.” Overall, more than 90% of the entire population completed the process of reviewing and signing the consent in less than the suggested minimum reading time to permit adequate comprehension.

As is often the case with provocative clinical research, this study outcome raises more questions than it answers:

Does the failure of research subjects to read the consent document to achieve even a minimum predicted level of understanding of its content indicate a fundamental inadequacy in the investigator-directed informed consent process for such “minimal-risk” genetic studies?

Does the reported outcome suggest a relevant difference in the requirements for the necessary communication of hypothetical nonphysical (loss of privacy regarding individual genetic data) harm versus perhaps more understandable physical risks (damage to bone marrow or kidney function)?

Do “normal volunteers” who agree to participate in genomic research view the process differently from actual patients, particularly considering the meaning of “risk”? After all, an individual who has undergone surgery or chemotherapy for cancer will surely appreciate that the description of adverse events in an informed consent document is not merely words on a piece of paper in a consent form. But is this level of understanding the same for someone whose only direct risk of study participation is slight physical discomfort from a blood draw?

Finally, do potential study participants really understand what it means for an analysis of their “genes” or “genetic profile” to be undertaken? Indeed, is it realistically possible for any risks associated with such studies to be put into proper perspective in the absence of a genuine understanding of what the particular analysis entails, what the output possibly means (to them, their family members, or society), and the negative impact associated with loss of privacy (including theoretical misuse) regarding such information?

These are important questions that require contemplation, open and honest discussion, and, possibly, future action.


  1. Gymrek M, McGuire AL, Golan D, et al. Identifying personal genomes by surname inference. Science. 2013;339(6117):321-324.
  2. Rodriguez LL, Brooks LD, Greenberg JH, et al. The complexities of genomic identifiability [policy forum]. Science. 2013;339(6117):275-276.
  3. Bohannon J. Genealogy databases enable naming of anonymous DNA donors [news & analysis]. Science. 2013;339(6117):262.
  4. Desch K, Li J, Kim S, et al. Analysis of informed consent document utilization in a minimal-risk genetic study. Ann Intern Med. 2011;155(5):316-322.