Next: When are de-identified data Up: The DeCODE Proposal for Previous: Executive Summary

Introduction

DeCODE Genetics Inc has sponsored legislation, currently before the Icelandic parliament, which would enable it to construct a database of Icelanders' medical records, genealogy and genetic data [1]. The stated objective is to facilitate research into hereditary diseases and thus enable DeCODE's clients, who will be mainly drug companies, to develop and test new products [2]. A number of secondary uses are envisaged, such as providing management information to the health service and supporting other research.

Of the three components of the database, the genealogies are essentially public domain, although the genealogical database being developed for DeCODE may be much more complete than the online sources which are currently available. This component of the database appears to have few privacy implications, as the underlying paper records are publicly available.

The genetic data will be gathered from patients who have given their consent to its use in research (there was an implication that historical data might be used, such as pathology samples from post mortems [3], but this appears to have been dropped). Privacy protection is a requirement for this data, in order to prevent its use in applications for which the patients have not consented.

As for the medical records, it is proposed that they will be collected from hospitals and health centres, de-identified to the extent that obvious identifiers such as names and social security numbers will be replaced with a single pseudonym (an encrypted social security number), and provided to the database [4]. Patients will have the right to opt out of the database, but will not be asked to give explicit consent [1].

Non-consensual secondary uses of medical records raise very sharp ethical concerns, which can sometimes be dealt with by de-identifying the records. The usual test for this technology is whether it will take an unreasonable amount of time and effort to identify a patient in the information that is subsequently made available. However, de-identification is not a panacea and it is important to understand its limits.
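As an added illustration (not code from the paper or from DeCODE), the following shows what the pseudonymisation described above amounts to and the check a practitioner would run on the result: a keyed, deterministic pseudonym links one patient's records across hospitals, while counting patients who remain unique on the attributes left in the record measures how far the de-identification falls short. HMAC-SHA256 stands in for the unspecified encryption of the social security number, and the records, key, districts and birth years are all constructed.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records from two hospitals; SSNs and names are invented.
HOSPITAL_A = [
    {"ssn": "010170-1239", "name": "Jon J.", "birth_year": 1970, "district": "Reykjavik", "dx": "asthma"},
    {"ssn": "150362-4561", "name": "Anna S.", "birth_year": 1962, "district": "Akureyri", "dx": "diabetes"},
]
HOSPITAL_B = [
    {"ssn": "010170-1239", "name": "Jon J.", "birth_year": 1970, "district": "Reykjavik", "dx": "hypertension"},
    {"ssn": "220862-7893", "name": "Gudrun H.", "birth_year": 1962, "district": "Akureyri", "dx": "migraine"},
]

DIRECT_IDENTIFIERS = ("ssn", "name")  # fields the proposal says are stripped


def pseudonym(ssn: str, key: bytes) -> str:
    # Deterministic keyed pseudonym (assumption: HMAC-SHA256 in place of the
    # encryption the proposal mentions). Same key and same SSN give the same
    # value at every hospital, which is what makes records linkable.
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    # Replace the direct identifiers with the single pseudonym "pid".
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pid"] = pseudonym(r["ssn"], key)
        out.append(row)
    return out


def link_by_pseudonym(*sources):
    # Records from different sources sharing a pseudonym collapse into one patient.
    patients = {}
    for src in sources:
        for r in src:
            patients.setdefault(r["pid"], []).append(r["dx"])
    return patients


def singletons(records, quasi=("birth_year", "district")):
    # Count patients whose remaining attributes are unique in the data set.
    # Each such patient can be named by anyone holding the same attributes
    # (a genealogy, for instance), which is the limit the text warns about.
    per_patient = {r["pid"]: r for r in records}  # one row per patient
    keys = [tuple(r[q] for q in quasi) for r in per_patient.values()]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1)
```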


Ross Anderson
1998-10-20