Protecting Privacy in Cloud Based Genomics Research
Team: Adrian Thorogood, Mark Phillips, Edward Dove, Howard Simkevitz, and Yann Joly
Funding: Office of the Privacy Commissioner of Canada Contributions Program
Background: Genomic research and personalized medicine require an exponential amount of genomic and associated clinical data. A vast computer infrastructure is needed to enable large scale data storage and analyses. Genomic scientists are turning to cloud computing as a solution. Can participants’ privacy and trust be ensured as sensitive data shifts to the cloud? Can genomic research in the cloud achieve compliance with ethical and legal norms in Canada?
Method: We systematically review Canadian research ethics guidelines and privacy laws to identify gaps and impediments in privacy protection for genomic research in the cloud. We use a comparative law approach, analyzing cloud computing privacy solutions in the United States and European Union to see if they can be adapted to the Canadian context. We also analyze the terms of service of six cloud service providers (CSPs) to explore contractual mechanisms that researchers can use to safeguard participant privacy in the cloud.
Results: Canadian laws generally permit transfers of personal information to third party service providers. They also generally permit the cross-border flow of participant information as it is transferred to and within the cloud, but do little to allay participant concerns over foreign government surveillance. Researchers remain accountable for participant information transferred to the cloud and must employ contractual safeguards to protect data privacy and security. The sophistication of cloud services, however, creates two legal uncertainties. First, because researchers transfer control over data to the CSP, they cannot fulfill their duties to participants –confidentiality, accountability, openness, or limited use and access –without the cooperation of the CSP. Second, CSPs risk taking on direct liability towards participants if their services are not clearly defined under the contract. Standard terms of service agreements do not seem to adequately address these uncertainties, especially where CSPs reserve the right to change them unilaterally. Researchers and CSPs may, however, be able to ensure legal compliance and protect participant privacy if terms of service can be tailored to the health data context. We propose contractual best practices to facilitate the movement of genomic research to the cloud.