I have been invited by the Icelandic Medical Association to evaluate the privacy aspects of DeCODE's proposal for a central database of Icelanders' medical records, genealogy and genetic data. The primary use of the proposed database is research into hereditary diseases by or on behalf of drug companies; its secondary uses will include providing management information to the health service and supporting other research.
Of the three components of the database, the genealogies are essentially public domain, and the genetic data will be gathered from patients who have given their consent to its use in research. The medical records will, however, be collected from hospitals and health centres, de-identified only to the extent that obvious identifiers such as names and social security numbers will be replaced with a single pseudonym. Patients will have the right to opt out of the database, but will not be asked to give explicit consent.
This creates a serious conflict with medical ethics and with data protection principles, both of which demand that with few exceptions, patients' consent be sought for the use of their personal health information.
Many countries permit data which have been made anonymous to be used in certain circumstances without consent. For example, health service managers routinely gather statistics such as numbers of operations and consumption of drugs. These statistics are typically compiled from current records which give only a snapshot of healthcare activity at a certain time or over a short period; de-identifying such records is relatively easy.
Some countries maintain databases of de-identified medical records which link together all, or many, of the health care encounters in a patient's life. Such records are in practice impossible to de-identify completely, as the combination of data is frequently enough to identify the patient. They do not even meet the more usual test of requiring unreasonable effort by an attacker who wishes to identify a patient. It is therefore necessary to have quite extensive controls to prevent abuse.
For example, New Zealand maintains a database called the National Medical Data Set which contains most citizens' health records, identified by an encrypted social security number. In addition, the system limits access to a small group of health service statisticians, limits the type of enquiry that can be made, and rejects any enquiry which would be answered by reference to the records of less than six patients. Even in the presence of such controls, special administrative measures are also thought necessary; all the national databases of which I am aware are operated by government agencies, and in many cases special legislation, or data protection regulation, is thought necessary.
But, for a number of reasons, the database proposed in Iceland lies well beyond the limits of established precedent:
In conclusion, the proposed database falls outside the boundaries of what would be acceptable elsewhere in Europe. If established as proposed, it would likely cause serious conflict with the ethical principle that identifiable health information should only be made available with the consent of the patient.
I therefore recommend that the Icelandic Medical Association oppose the current bill. This need not rule out the possibility of supporting an amended proposal, in which the uses of the database are clarified and appropriate security measures included.
Finally, I wish to point out that the proposed database is also in conflict with established data protection principles. If data protection authorities overseas acquire the view that Iceland is a country in which normal data protection controls can be bypassed easily by powerful vested interests, then this could have extremely grave consequences for trade and development. I therefore caution Icelanders against considering the matter to be a simple choice between national development and medical privacy.