Published August 24, 2023 | Version v1
Other Open

1+MG Transparency and Consent Guidance - version for 1+MG Framework

  • 1. ECRIN
  • 2. UNILU
  • 3. BBMRI-NL / NKI
  • 4. PNED
  • 5. BBMRI-LV/University of Latvia
  • 6. BBMRI-ERIC

Description

1. Introduction

1.1. Purpose

The transparency and consent guidance is intended to help compile the GDPR-compliant and ethically compliant information that must be provided when data are intended for secondary use. The document also includes consent guidance, where consent can be informed consent under an ethics regime and/or consent as a legal basis under the GDPR. The guidance is therefore largely applicable independently of the chosen legal basis. Where consent as a legal basis is a relevant element, this is pointed out in the text. This document can also serve as general guidance for transparency and consent in secondary use beyond the 1+MG initiative. It describes which elements have to be covered. The content of a concrete information and consent sheet can only be compiled once the data governance for the secondary use is agreed.

1.2. Background

The 1+MG initiative aims to promote responsible cross-border access and secondary use of genomic and related-health data across Europe for research, healthcare, and policy-making purposes. This document provides consent recommendations for prospective data collections that intend to make data available cross-border through a repository for research (where the exact projects cannot be fully identified at the time of recruitment). The guidance focuses primarily on information and consent content elements, as consent models and processes may vary across countries and contexts. Information content is also important for the transparency requirements under the GDPR, which have changed from the requirements under the Data Protection Directive 95/46/EC, and not all information sheets have been adapted to these changes. These content elements can also be used to design information for re-consenting or notifying individuals that their data will be included in such a resource.

1.3. Nature of the Recommendations

Recommendations are made that 1+MG adopt 1) minimum requirements (MUST); 2) best practices (SHOULD); and 3) points-to-consider (non-directive). If a minimum requirement is missing, this may mean that a Data Holder cannot legally or ethically make data available through 1+MG, or can only do so subject to special data access and use conditions. Best practices may also constitute national legal requirements in some countries. The recommendations are informed by the legal requirements of the European General Data Protection Regulation (GDPR), the interpretive guidance of the European Data Protection Board (EDPB), research ethics principles and guidelines, as well as legal data governance principles, such as those outlined in the draft Data Governance Act, and implemented in the 1+MG Data Governance Policy. Ethical requirements are in particular based on the International Ethical Guidelines for Health-related Research Involving Humans by CIOMS. Justifications and explanations are provided. Legal consent requirements depend on the legal basis selected under GDPR Art. 6 and the legitimation under Art. 9. The guidance provided is applicable for all legal bases, but always points out where a consent legal basis under the GDPR may lead to additional requirements, that is, a stricter regime with respect to information related to consent, the scope of the consent, the interpretation of what counts as “freely given”, as well as the consequences of withdrawal. Requirements for consent as a legal basis may also depend on national laws. Some illustrative examples are provided. National advisory bodies (e.g., ethics committees) are expected to provide additional, nationally-tailored guidance. It is the ultimate responsibility of the organisations involved in collecting data to identify and comply with all norms applicable to their activities.
This guidance is agnostic to different collection and sequencing contexts across Europe, including: population databases, genomic research projects, precision medicine clinical trials, genomic medicine initiatives, as well as clinical care (such as predictive, diagnostic or confirmatory genome sequencing). The guidance is designed for any organisation that plans to make data collected in a primary context available through a repository for research projects, where the details of these projects cannot be fully identified at the time of the data collection (or even at the time of the transfer to the repository). Some practical implementation examples are provided to facilitate application of the guidelines in specific contexts.

As 1+MG has not yet determined all aspects of its organisational structure, data governance and legal framework, some key information elements have not yet been fully defined. These elements are relevant to provide transparency and to obtain a valid informed consent. 1+MG is working to clarify these elements so that concrete wording or even a 1+MG specific part of the information sheet, where applicable, can be provided as an appendix in future versions of these guidelines.

1.4. Background

The collection/generation of genomic and related-health data and their widespread use for research and healthcare raise a number of ethical issues around informed consent. These include the risk of privacy breaches; psychological distress due to the type and amount of personal data being processed and shared; risks of harm if data are misused or misinterpreted; the handling of results and incidental findings that have implications for the health of participants and/or their families, including limitations of health care systems to provide adequate follow-up care; and issues of vulnerability (e.g., to discrimination) related to factors including cultural, linguistic, and socio-economic considerations. Ethical issues in genetic/genomic research include the risk of therapeutic misconception; the risk of misunderstanding the purpose and design of this type of research as compared to clinical trials testing medical interventions; and misunderstanding of the risk–benefit ratio. Additional legal and ethical issues arise where genomic and health-related data are made available to broad communities of users and organisations for secondary use. Sharing sensitive and potentially identifiable genomic and related-health data raises concerns about increased risk of privacy breaches, affecting the rights and interests of data subjects and their families. Countries outside the EEA may not provide equivalent legal protections or ethics oversight mechanisms. Moreover, the specific purposes, recipients of data, and associated risks cannot be fully specified at the time of an initial consent, raising issues about transparency, and about whether the consent is sufficiently informed and specific. Even where the scope of consent is made clear and understood, there are concerns about the effectiveness of oversight and enforcement mechanisms to ensure data are only used for consented purposes.
In short, transparent information is needed to enable individuals to make informed decisions about cross-border access and secondary use of genomic and related health data, combined with robust governance frameworks to ensure data are processed responsibly.

1.5. Methods

We have analysed ethics literature on practical and ethical challenges raised by the process of consent in the context of biobanks, genomic/genetic research, precision medicine, genomic medicine initiatives, and clinical care (see References). In our search in the PubMed databases and other relevant specialised journals, we have privileged two types of publications:

- findings and recommendations based on empirical studies, where the conclusions of the study were drawn from concrete empirical evidence (e.g. qualitative and quantitative studies, such as assessments of research participants’ perceptions of research based on the information provided through the consent form/notice);

- recommendations, reports, guidelines and models of consent developed by key leaders and initiatives in the field.

We have also used conclusions from project workshops organised in the course of the B1MG project as well as the 1+MG use cases. We have also reviewed GDPR requirements and European Data Protection Board (EDPB) guidance. A sample of national data protection law implementations applicable in the research and healthcare sector was reviewed and is reported in the appendix.

Files

1+MG Consent Recommendations_clean-version-June2023.pdf

Files (441.6 kB)

Additional details

Funding

B1MG – Beyond 1M Genomes 951724
European Commission