Athugasemdir við yfirlýsingu Efnahags- og félagsmálaráðs Sameinuðu þjóðanna um erfðaefnisupplýsingar
Athugasemdir Persónuverndar, dags. 20. febrúar 2004
Regarding: ECOSOC resolution 2001/39
In connection with the United Nation's request from 24 November 2003 for the views of the member states in regard to ECOSOC resolution 2001/39 entitled "Genetic Privacy end non-discrimination" (reference: DESC/2003/218), the Icelandic Data Protection Authority (DPA) would like to make the following remarks:
1. Act on Biobanks
On 1 January 2001, the Icelandic Act on Biobanks, No. 110/2001, entered into force. It covers the storage of biosamples in biobanks, but not temporary storage, i.e., for the purposes of medical diagnosis or minor scientific research. The founding of a biobank requires a licence, issued by the Minister of Health. Amongst the conditions for a licence are that the biobank will be physically kept in Iceland, clear information is provided on the manner in which samples are to be stored, and that the security assessment and procedures regarding the harvesting and processing of the biosamples are in compliance with rules which the DPA publishes on the security of personal data in biobanks (Rules nr. 918/2001). The DPA is now evaluating the security of personal data in biobanks with regard to these rules.
The harvesting of a biosample for storing in a biobank requires informed, written consent by the biosample donor. On the other hand, storing of a biosample, which has been previously harvested for medical diagnosis purposes, requires only presumed consent. The biosample donor can at any time revoke his or her consent. If the biosample was collected for storage in a biobank, then revoking the consent requires the destruction of the sample. But if it was harvested for medical purposes, then revoking the presumed consent only constitutes a ban on the usage of the biosample except for the benefit of the donor or with his or her separate, express permission. However, if vital interests are at stake and the benefit outweighs the possible inconvenience for the biosample donor or other persons, the biosample may still be used for those purposes.
The purposes, for which a biosample may be used, are the clear and legitimate purposes for which it was collected; diagnosis of diseases; quality control, method development, and teaching purposes, as long as the biosamples are processed without personal identifiers; scientific research; and use for other purposes than those the samples were collected for if vital interests are at stake and the benefit outweighs the possible inconvenience for the biosample donor or other persons. For use of biosamples in scientific research and other purposes than those they were collected for, a permit from the DPA and the National Bioethics Commitee is needed (this overview of the Act on Biobanks is based on an unpublished description of the act from May 2003 by Hörður Helgi Helgason, consultant with The Legal Farm).
2. Act on a Health Sector Database
On 22 December 1998, the Act on a Health Sector Database, nr. 139/1998, entered into force. According to the act, a centralised database (which has not become reality yet) will contain data from medical records on the whole Icelandic population. The private company deCODE/Íslensk erfðagreining has been granted a licence by the Minister of Health to create and operate this database. According to the act, it shall only contain "non-personally identifiable health data with the aim of increasing knowledge in order to improve health and health services". Those who do not want to have data from their health records recorded in the database have the right to abstain, but consent is not required. The health data may be joined with data from a database containing genetic data and a database containing genealogical data. The results of the joining of these three databases must be non-personally identifiable. The DPA shall monitor the creation and operation of the Health Sector Database and the joining of databases, but some tasks concerning the supervision of the database shall be undertaken by the "Commitee on the creation and operation of a health service database" and an interdisciplinary ethics committee, which shall assess studies carried out within the licensee's company and research questions for the database which are received.
On 27 November 2003, The Supreme Court of Iceland delivered a judgement in a case concerning the Health Sector Database. The circumstances in the case were as follows: A woman wanted information on her late father not to be put into the database, but she was denied of this since the act on the database only grants this right to the data subject itself. However, The Supreme Court came to the conclusion that her claim should be accepted because health information on her father could be relevant in assessing her own health. Also, in the light of The Constitution of Iceland, which grants everyone the right to privacy, The Supreme Court considered the act on the database to be too vague in terms of data security, e.g., encryption of data, and security when matching the data in the Health Sector Database with data in the geneological database and the genetic database.
3. Informed Consent in Scientific Research
Informed consent is often required for the use of genetic data in scientific research. According to the Act on Patient Rights, No. 74/1997, the participation in scientific, medical research must be based on informed consent. However, research projects that are completely retrospective may, according to the DPA's interpretation, be performed without consent if there are some special circumstances justifying it, e.g., it is unavoidable to work with a very big sample of data subjects.
In permits, issued by the DPA, for the processing of personal data in scientific research, informed consent is often required. Such processing must not always be based upon such a permit. However, according to Rules on When to Notify or Obtain a Permit for the Processing of Personal Data, No. 90/2001, issued by the DPA, a permit is always needed for genetic research. Whether or not the consent of the data subjects is required in such permits or not, depends, of course, on the legal considerations described above.
When informed consent from the data subject in scientific, medical research is required according to law, regulations or permits from the DPA, the consent must be obtained in accordance with Rules on How to Obtain Informed Consent for the Processing of Personal Data in Scientific, Medical Research, Nr. 170/2001, issued by the DPA. Amongst other things, those rules state that a participant must be informed in writing on, e.g., the purpose of the project, how it will be conducted, possible danger, the kinds of information that will be processed, wherefrom information will be sought, security of data, when personal information and personal identifiers will be destroyed, whether data will be transmitted abroad or published on the internet, and whether he or she can revoke his or her consent and what implications it will have, amongst other things, on personal data that has been processed.
4. Act on a Police Genetic Data Register
On 31 May 2001, the Act on the Police Genetic Data Register, No. 88/2001, entered into force. By this act, the National Commissioner of the Icelandic Police shall be in charge of a digital register containing genetic data. The register shall be used for facilitating the investigation of criminal cases. Genetic data may only be registered on those that have committed certain severe crimes, such as murder, rape, battery, and sex-abuse of children, but also when there are "urgent reasons" and the information is of "special significance for the utility value of the register." The data subject shall be notified in writing of the registration. Data shall be obliterated no more than two years after the data subject has passed away, six months after he or she has been found innocent in a reopened case, or when it is discovered that the data is wrong or has been registered unlawfully. The processing of data shall be in conformance with Act No. 77/2000 on the Protection and Processing of Personal Data and is under the authority of the DPA.
5. Bill on an Act on Insurance Contracts
A bill on a new act on insurance contracts is now (February 2004) before the Icelandic parliament. According to the bill, an insurance company may not, before or after an insurance agreement is made, wish for, obtain by other means, receive, or exploit information on an individual's genetic characteristics. Also, it is prohibited for an insurance company to wish for investigations that are necessary to gain access to such information. However, this prohibiton does not apply to investigations of the current or former health status of the insurance taker or other individuals. The DPA has criticized that investigations may be made on the health of "other individuals". It consideres that such investigations cannot be anything else than investigations of genetic characteristics (contrary to the views that are expressed in the remarks in the bill to this clause).