Dublin-based company Genomics Medicine Ireland has had an awkward October and November.

It is owned by an independent subsidiary of a sprawling Chinese pharma and research giant that is also building pharma and vaccine plants in Dundalk, and it wants to create a privately owned and controlled Irish genomic database with DNA from a 10th of the Irish population. It has been seeking 400,000 DNA-donor “volunteers” through various means, such as offering “free” health and fitness testing.

That’s “free” in the same sense as services from online platforms are “free”. Google gives you “free” search; Google then extracts an endless flow of revealing data points about you and earns billions by profiling you and selling your data to third parties.

Unlike public genome projects, private genomic research is about making money for a private company, either through finding treatments with third party partners (often extremely expensive) or selling multimillion-euro access to those valuable databases.

In early November theIrish Data Protection Commissionlaunched what it termed a “widespread compliance and supervision” examination of Genomics Medicine Ireland and its clinical partners, following complaints about how it gathered and processed DNA data from some of the State’s largest hospitals.

Then last week, a decision by health research oversight body the Health Research Consent Declaration Committee ruled that the company must work to retrospectively gain consent from donors of brain tumour tissue given to it as part of a joint project with a Beaumont Hospital neurology researcher (who is also on the company’s advisory board).

Initially the committee had denied permission for the research, which uses samples from 9,000 patients, given concerns over consent and the potential sharing of project data with “unknown international third parties.”

Children’s DNA

This all follows the disclosure in October that Temple Street Children’s Hospital and the company carried out research for eight months using children’s DNA samples, before the project was halted to examine whether the work was compliant with General Data Protection Regulation protections.

By then GDPR had been in place for nine months. Its provisions had been public for more than two years prior to that, to give organisations plenty of time to comply.

Genomics Medicine Ireland employs at least three people whose job involves data compliance and privacy: a data protection officer, a “head of privacy” and at least one lawyer.

Last year its head lawyer wrote at length to the Department of Health, asking for “clarifications” around consent, GDPR and compliance in the State’s new health research regulations. Meetings took place between the company and department officials.

In a 2018 memo from one such meeting, a Department of Health official wrote: “It is fair to say that [Genomics Medicine Ireland] were not overly concerned with the policy or legal context but with how the regulations impacted on what they are doing.”

The official then noted that the company was asked: “Do you have informed consent of the data subject for all personal data provided to you?” The company’s answer: “Yes.”

Well, the oversight body has stated a different view.

Privacy advocates have raised a few questions about the Health Research Consent Declaration Committee’s appeals process, rightfully objecting that while the company and Beaumont Hospital brought an entourage of seven (outnumbering the four-member appeals panel), no patients advocate was present.

The most striking element of the committee’s decision is that the company will be required to place DNA data it receives from Beaumont into a public database. “Public” here means other qualified researchers can utilise a database safeguarded under stringent access and privacy protections, such as the gold-standard US National Institute of Health’s Database of Genotypes and Phenotypes. The EU equivalent is the European Genome-phenome Archive.

Responsible access

While valid general concerns continue over using and protecting DNA, and many complicated ethical issues remain to be addressed, carefully considered research for public benefit requires responsible access to genomic information.

For countless reasons, a national genome project, comprising DNA obtained in publicly funded hospitals, by publicly funded researchers, from Irish citizens, should not be in private control and ownership – not least as an entire population can be profiled from just 2 per cent of a nation’s DNA.

Ireland is an extremely rare case in ceding a national genome project to a private company for private enrichment, rather than returning value back to the taxpayer and public – not private – health initiatives. Genomics Medicine Ireland has tried to present private involvement as a norm, without noting that while private parties partner with national genome projects, they almost never run them.

The Health Research Consent Declaration Committee decision suggests it shares some of these concerns. It has essentially said the company can do this research only if it shares its results, thus pushing it into open research and undercutting its for-profit motive.

Will the committee take a similar view of the company’s other projects? More importantly: should it have to? When will the Government finally listen to the numerous genomic experts alarmed at a national Irish genome project in private hands, and instead fund the open, public genome project Ireland needs?