Data Ethics Club: A giant biotechnology company might be about to go bust.

# Data Ethics Club: [A giant biotechnology company might be about to go bust. What will happen to the millions of people’s DNA it holds?](https://theconversation.com/a-giant-biotechnology-company-might-be-about-to-go-bust-what-will-happen-to-the-millions-of-peoples-dna-it-holds-241557) :::warning ### :arrow_forward: What's this document? :computer: This page is a collaborative Markdown document. Usually someone in each group takes some notes here. :writing_hand: We use the notes here to write up these discussions for others! [See past write-ups here.](https://dataethicsclub.com/write_ups/write-ups.html) :question: You can be anonymous, or be named in the write-up by recording your name/pseudonym [below](##Introductions). :hand: Get Markdown help using the question mark in the toolbar above, or ask anyone! ::: ## Welcome Hi :wave:, welcome to Data Ethics Club! Thank you for being here! Here are some quick useful links: - [This Document](https://hackmd.io/@data-ethics-club/Bkx_2OyfJx) - [This week's discussion material](https://theconversation.com/a-giant-biotechnology-company-might-be-about-to-go-bust-what-will-happen-to-the-millions-of-peoples-dna-it-holds-241557) - [Code of Conduct](https://dataethicsclub.com/join_in/code-of-conduct.html) - [Our Website](https://dataethicsclub.com/) ## Introductions Please introduce yourself here if you'd like to. Feel free to use a pseudoname (this is a public document). __Name, Role, Affiliation, Where to find you, Emoji to describe your day__ - Huw Day, Data Scientist, Jean Golding Institute, University of Bristol, https://www.linkedin.com/in/huw-day/ - Amy Joint, Programme Manager, ISRCTN Clinical Study Registry, https://www.linkedin.com/in/amyjoint/ - Vanessa Hanschke, PhD student, Interactive AI, University of Bristol - [Jessica Woodgate](https://jessica-woodgate.github.io/), PhD student, University of Bristol - Virginia Scarlett, Data and Information Specialist, HHMI Janelia, Ashburn VA USA, :coffee: - Adrianna Jezierska, PhD student, Business School and current AskJGI team - Paul Lee, investor - [Kamilla Wells](https://www.linkedin.com/in/kamilla-wells/), Citizen Developer, Australian Public Service, Brisbane - Jarmila Regulova, London Borough of Tower Hamlets (hi all, I'm a new face here, a colleague recommended this meeting to me) - Brooke Morris, PhD Student, Diverse-Ability Lab (Bristol Interaction Group) (also new! invited by vanessa!) - Euan Bennet, Lecturer, University of Glasgow - Khadiza Laskor, PhD Student, University of Bristol - Emma Tonkin, Research Fellow, University of Bristol ## Discussion Each week, we split into breakout rooms of 4-6 people to discuss the material. Please make space for one another to talk - keep your eyes open :eyes: for people with their hands up :hand: and invite them to talk. As always we have provided some discussion points to get the conversation moving, but feel free to discuss anything relating to the materials! ### Discussion #### Suggested Questions - **Q1**: What are the potential risks that could come about with 23andMe using people’s data in the way they’ve outlined in their service agreements? - **Q2** If you were the Chief Executive of 23andMe, what would you be prioritising to make sure highly personal genetic data was being protected if the company is sold (or even if it isn’t!) - **Q3** Data security aside, would you want to take a DNA test knowing that you might find out things about your family or about health conditions you could develop? - **Bonus Question:** What change would you like to see on the basis of this piece? Who has the power to make that change? ::: info ### :information_source: What to write #### Writing things down is optional, but if you want you can include... - Any interesting quotes from the discussion - Links to other material that came up in the discussion - Parts of the reading material that you felt particularly strongly about ::: #### Room 1 Khadiza, Dina, Alex, and Euan Khadiza's PhD is looking into what happens to our data when we pass away - really clear overlap with today's topic! Alex's PhD also deals with genomics stuff - very relevant. Dina's PhD is on digital health. ##### Q1 Opening thoughts: the whole story is shocking. Feelings of despair because similar things have happened (regarding data breaches) e.g. Cambridge Analytica. There is a sense of not knowing exactly how dangerous these data could be in future in the wrong hands (on a scale of insurance scumbags -> biological weapons) There needs to be investment to prevent data breaches, but the private company element is the really worrying part. Who is going to be buying this data? Which horror show awaits if/when eugenicist white supremacist Elon Musk gets his grubby hands on it? Conflicts of interest for a private company to be doing any of this stuff for a profit motive. Unclear how it would be regulated. As a medical device company (which they are) there should be stringent rules on the data. Is 23&me just a front to get the data? The connections of the CEO are with food&drugs and google. Were they ever intended to make profit? Now they've got that data they can utilise it elsewhere. There is no specific regulation for private companies in these areas. UK Biobank had problems with regulations and contentious ethics board appointments etc. Atomic bomb analogy - nuclear fission is actually useful for power, not just destructive. Is that worth the destruction? Currently, 23&me doesn't share certain data with researchers under the guise of protecting people from being identified, so why is it ok now to sell the data? The purpose of the system is what it does - the company has never made a profit but happens to have hoarded a huge amount of sensitive personal data about people. No point arguing that they ever had benevolent intentions (impossible under capitalism), and this was the inevitable consequence of a profit motive involvement in genetic sequencing. This whole thing damages public trust in gene sequencing type work, meaning that a knock-on effect could be people being less likely to donate genetic material for research (i.e. actually useful) purposes. After Cambridge Analytica, Zuckerberg was summoned to the UK Parliament to explain himself but could just blow them off with no consequences (nothing to do with the fact that a certain former UK deputy prime minister was/is on the Facebook board) ##### Q2 We just wouldn't even be in that position to be honest. Return the data to the consumers, or delete it all. Are they going to send an email to all their customers with a tick box saying "I agree for my data to be used this way"? How many people will actually read that? There is no guarantee of any rules and even if there were rules, there would be no guarantee of seeing them enforced. ##### Q3 Really difficult - no trust left in private companies, but that doesn't put other people off! ##### Bonus question ##### Misc #### Room 2 Vanessa, Emma, Blu, Amy ##### Q1 Would GDPR protect us from these situations when a company goes bust? Would we be able to apply the right to be forgotten? Can we anonymise data as specific as DNA? By the time it's gone it's gone. In the end of the day the data is a rack of computers. Who would have the responsibility in a succession process? Can genomic data be anonymised? https://www.ga4gh.org/news_item/can-genomic-data-be-anonymised/ - case by case basis https://www.bbc.co.uk/news/articles/cz7wl7rpndjo For specific datasets like a Parkinson's data set - if people have specific things like a brain implant, it makes them much more easily identifiable. So people with specific genetic characteristics would be easier to identify. Census data swaps info around so the statistical outputs are the same but people cannot be identified. Do people really know what they're signing up for? Some are using it just for a family tree. Data is used by the police somewhere (USA?). If you have a compelling reason to access data, you can normally justify it - Legitimate Interest. Legitimate Interest assessments should have to be registered publicly. Should be doing a Data Processing impact assessment. These should all be registered and shared really. Helen Nissenbaum - privacy paradox. If you spend the time writing down all the things you plan to do with data, nobody will actually do it. But still important to write it! Seems simple enough for someone to want to do a test for a family tree - but SO many implications on their life ie. do they have living relatives, will they want to meet you, does it affect wills and inheritance. This technology is an example of a use that people didn't predict. Eg. anonymous sperm donors didn't realise their offspring would be able to trace them. Unintended risk. Law changed in 2005 - removing protection for sperm donors to donate anonymously. Interesting that it tied into the timing of 23andMe launching, and first human genome being sequenced. Led to a decrease in sperm donations initially. Another unintended risk of genotyping - pet sequencing - people who unintentionally find out their dogs are illegal breeds Risk of finding out health genetic information and conditions without a genetic counsellor. There is a whole job involving genetic counselling for health conditions, so dropping this info into someone's emails with no context is inethical. Fwiw, a legal-ish question Emma had for a while is: if an EU/equivalent company goes bust and the hardware (as in rack mount devices) is sold in bankruptcy for example, is there any formal measure to halt export of that hardware or the data it contains to a non-EU environment and arbitrary use made of its content? The bankrupt company presumably can’t dispose of the assets because it has been dissolved. I would have imagined that export of the data is effectively blocked by GDPR if whoever is discharging the bankruptcy also inherits the data protection obligation, which I would have imagined they would in principle, but I have no idea if this happens in practice and how it is enforced. In principle in the UK: https://www.insolvencydirect.bis.gov.uk/freedomofinformationtechnical/technicalmanual/ch73-84/Chapter81A/Part%204/Part%2041.htm Having looked into it a bit, 23andme is based in California so in that instance the CCPA (california consumer privacy act) applies . Whether it is possible to sell or lease personal data from a bankruptcy apparently depends on the language used in the privacy policy: "a company may use, sell, or lease property of the estate, including customers’ data, unless its privacy policy prohibits “the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor.” U.S. Bankruptcy Code Section 363(b)(1)." - see https://www.fbm.com/publications/privacy-during-bankruptcy-proceedings-why-it-matters/ Therefore in the US if the privacy policy in question forbids this, a consumer privacy ombudsman is appointed to review the sale and applicable law. So one question would be what 23andme's privacy policy says on this. Another question would be: how much of the data held by 23andme is considered non-identifying, and how much effort has gone into assessing residual risk on that data - because no such limitations apply to the sale of that data. I would also ask what the implications are and what the potential is of doing an Elon and moving the company to a state with weaker consumer data protection. As far as I can tell the CCPA has nothing to say about regulating data transfers, whereas the GDPR is very specific in this regard. ##### Q2 ##### Q3 https://thenib.com/its-all-relatives/ https://thenib.com/roots-to-fruits/ https://www.vox.com/science-and-health/2019/1/28/18194560/ancestry-dna-23-me-myheritage-science-explainer ##### Bonus question ##### Misc #### Room 3 ##### Q1 - you can ask to delete and destroy the data but can't ask for it back if it's gone for research - how quickly does it go for research if you consent? - presumably deidentification works (could be big assumption) - what are the further implications of being used for 'research'; can you opt out of research for certain purposes? - E.g. identification of autism genes - if you contribute your data for research then could you be contributing to unethical purposes? - where exactly has it gone if it has been used for 'research' - could access to the data be bought by third party sectors if it is used for research by institutions with less detailed ethical reviews? - 'employers or insurance companies' is a short list - would market research count as research? - especially as a company with so much financial trouble; strong incentive to share data - there is a section where you can look to see what *published* research you have been a part of - seems to only be reported after publication - we'd like to know before that stage - what do other organisations do e.g. nhs? - more admin from company perspective - privacy concerns if they do identify you as someone used in a study? - nhs wales taking samples from babies and keeping for 10 years? - should relatives be consulted before someone shares their data? - 23 and me = big repository which might not otherwise exist; what other opportunities do you have to gather so many people's data? very rich data source ##### Q2 - moral obligation to destroy the data because of consent, but such a rich data source - otherwise would have to go out of your way to get involved in studies usually - might feel incentivised to contribute if we knew it was going to something good - what do you get back? here get a detailed report - tangible return - for studies sometimes don't get anything back or not for ages - direct incentive - reminds you of when you donate your body to research, when you get an organ donor sticker and you never know where its going to go (science students who are not respectful) - "Are my organs data?" - should I worry where it goes? - "I can't think of how you can use an organ in a bad way" - you could sequence the DNA from it and do bad things? - Genetic screening has a certain place but what are the limits? - Historical legacy - 23andMe is not the first time questions about using genetic data has been brought up - Long history of people using genetics as a way to "improve the human race" (Eugenics) - Risk with ANY sort of data collection, is there something particular about genetic data that makes it more 'risky' than other data, such as credit card history? - Other ways we can mitigate the risks of misuse - why ethics committees exist and to what extent can we rely on them - Tonnes of geenetic data being stored and used 'correctly' around the world - good examples from NHS/NHR - Jump through so many hoops to get your data from NHS/NHR knowing that its likely safe, why dont private companies have this same level of safekeeping? ##### Q3 - No, no, no - Wouldn't want to know if I had a genetic condition - Once you find out you have a condition from 23andMe, what happens next? Where is the safeguarding? If you find out from a medical professional there should be steps in place afterwards to help/support you ##### Bonus question ##### Misc #### Room 4 Huw, Paul, Adrianna, Jarmila, Kamilla https://freakonomics.com/podcast/why-is-23andme-going-under-update/ (this was shared in the slack by Robin Dasler) ##### Q1 How can you deidentify things that are so identifiable? It's interesting if a gene sequence is functionally unique to a person, but just knowing the sequence isn't sufficient to identify a person. It's a bit like being told "this is a password that someone, somewhere uses" However, it might link with the data that other people are shared. I.e. if your siblings or cousins have shared data then genomes are associated. DNA data is interesting because you're not just giving up your own data, it's a privacy issue for other people. 1 in 20 people found out their "parent" isn't their biological parent. Building a family tree uses so much more of people's data. You can change a password if I'm hacked, but I can't just change my DNA if 23&ME data is hacked Family member getting tested... are you willing to share could be considered a protected characteristic Share it once and that's it Is 1 in 20 representative? Maybe not because it's 1 in 20 users who were interested in their family history. We wonder how many of those people white middle class affluent activity who just sort of did it. It would be cool to ask people why they wanted to know it, e.g. family history or something like that. ##### Q2 Who wants to delete all the data? does that make good business sense? Make a profit... but "IF I had respect and decency..." make it clear and transparent If they've not made a profit for 18 years, maybe they should just get rid of the data, no sense trying to profit if they're already bankrupt. If they wanted an ethical "spin", they could talk about an ethical spin of the environmental impact GSK paid 3 million (which is probably less than they paid for like wifi in a year). In the podcast, associating the brand with a potential cure by connection with pharma companies was an approach the CEO made. 3 out of 13 for passing the stage 1 of clinical trials is actually kind of a job well done. It sounds like if they go into bankruptcy then the controls and constraints on the use of the data fall away, there's a financial inscentive to go bankrupt and then sell the data. The rational business step might be to go bust. Down with capitalism, would save the situation ##### Q3 Some of us would if there were no data security considerations. The more we know about our health the better? If we can change something then maybe we would. Hannah Fry ... Huw will link later even with knowing, may still have same success rate... ignorance is bliss https://www.bbc.co.uk/iplayer/episode/m0017wzq/making-sense-of-cancer-with-hannah-fry But what if you only had two years to live, you'd want to stop doing overtime and start spending more time doing things you love. It's a very personal decision. Questions raised about how accurate health predictions are from this genetic data. https://www.cbc.ca/listen/live-radio/1-63/clip/16109125 How much does DNA determine our health outomes? can simply look to family history Such a personal decision Datascience hat on... image how many more insights we could get if we increase the dimensions of our dataset! Could a dna test actually help with targetted medicine? link to previous dec write up https://dataethicsclub.com/write_ups/2024-10-09_writeup.html ##### Bonus question ##### Misc ## After this session You have a week to add anything else that you'd like to to this document. After that, we'll try to make this document a little more cohesive, then we'll send a link around to the write up of the discussion in the next mailing list email. ## Feedback on the format Please feel free to leave us some notes below on how the discussion group went for you this time, positive or negative, and any suggestions to improve (you can always [email us](mailto:grp-ethicaldatascience@groups.bristol.ac.uk) or fill in our [survey](https://us7.list-manage.com/survey?u=48bd2e5df74c466acb63f18d0&id=9d541e0964&attribution=false). instead). We do read these and make changes :sparkles: * Suggestion here * Another suggestion here

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.