The question that now arises is whether, given access to security expertise, the problems could be fixed.
As the New Zealand example has shown, it is possible to construct and operate a national healthcare database in a way that satisfies both medical and privacy interests. The obvious question to ask is whether a database can be built which would deliver adequate value to DeCODE and its customers for the exercise to be worthwhile, and also provide adequate privacy protection.
As noted above, in order to design or evaluate a de-identified health record system, it is necessary to have a detailed understanding of the use which will be made of the data.
I have had significant difficulty in finding out precisely what the database will be used for. The DeCODE proposals are not only very vague, but different accounts have been given at different times to different people. Their `non-confidential corporate summary' claims that the database will be marketed for two principal uses: to design disease management programs and to search for drug targets through genotypic/phenotypic correlation. Other claims are to `assess interplay of genes encoding members of a pathway' and to `identify biological pathways that are affected by a particular disease, into which a gene product fits, (or) that provide approaches to the search for drug targets'.
It is envisaged that subscribers to the database - which DeCODE said at the briefing on the 12th would be a large and changing population of users - would be able `to perform in silico mapping of individual disease genes as well as to determine how constellations of genes influence pathogenesis, natural history, response to treatment and complications of diseases'. These users will include pharmaceutical companies, biotechnology companies and insurance firms.
This would appear to require that analysts would be able to make very complex enquiries of the database and would thus need a powerful query language. However, it is in stark contrast with the version we heard on the 12th, following ethical objections by the IMA and others. We are now told that the database will not be used to identify possible subjects for genetic investigation, and that queries will only be answered if they are based on the records of ten or more individuals. When I asked what sort of queries could be made under such restrictions, the example given was `what is the likelihood that someone diagnosed with a disease such as asthma, and who has had a cancer case in the family, will also develop cancer?' This could indeed be done with simple, restricted queries, but one wonders whether it would justify the investment.
When I pressed for more details, the example I was given was that a disease might be traced to a certain marker on a certain chromosome by correlating available health records, genealogies and genotypic data. But as genotypic information is only available on patients who have given consent for their doctor to enter them in DeCODE's research programmes, such enquiries do not appear to require the records of patients who have not given consent and thus the proposed legislation is not required.
There thus remains the serious concern that if DeCODE were to construct a database which supported only very restrictive queries then they might find it uneconomic and would be forced to extend its functionality to that originally envisaged in [3].