Human Genetics

, 130:383

Identifiability in biobanks: models, measures, and mitigation strategies

  • Bradley Malin
  • Grigorios Loukides
  • Kathleen Benitez
  • Ellen Wright Clayton
Original Investigation

Abstract

The collection and sharing of person-specific biospecimens has raised significant questions regarding privacy. In particular, the question of identifiability, or the degree to which materials stored in biobanks can be linked to the name of the individuals from which they were derived, is under scrutiny. The goal of this paper is to review the extent to which biospecimens and affiliated data can be designated as identifiable. To achieve this goal, we summarize recent research in identifiability assessment for DNA sequence data, as well as associated demographic and clinical data, shared via biobanks. We demonstrate the variability of the degree of risk, the factors that contribute to this variation, and potential ways to mitigate and manage such risk. Finally, we discuss the policy implications of these findings, particularly as they pertain to biobank security and access policies. We situate our review in the context of real data sharing scenarios and biorepositories.

References

  1. Adam N, Wortman J (1989) Security-control methods for statistical databases: a comparative study. ACM Comput Surv 21:515–556CrossRefGoogle Scholar
  2. Anonymous (2011) CODIS: the combined DNA index system. DNANews.org. http://dnanews.org/codis-the-combined-dna-index-system/. Accessed 27 May 2011
  3. Bayardo R, Agrawal R (2005) Data privacy through optimal k-anonymity. In: Proceedings of the 21st IEEE International Conference on Data Engineering, pp 217–228Google Scholar
  4. Bellazi R, Zupan B (2008) Predictive data mining in clinical medicine: current issues and guidelines. Int J Med Inform 77:81–97CrossRefGoogle Scholar
  5. Benitez K, Malin B (2010) Evaluating re-identification risk with respect to the HIPAA Privacy Rule. J Am Med Inform Assoc 17:169–177PubMedCrossRefGoogle Scholar
  6. Benitez K, Loukides G, Malin B (2010) Beyond Safe Harbor: automatic discovery of health information de-identification policy alternatives. In: Proceedings of the ACM International Health Informatics Symposium, ACM Press, New York, pp 163–172Google Scholar
  7. Bexelius C, Hoeyer K, Lynöe N (2007) Will forensic use of medical biobanks decrease public trust in healthcare services? Some empirical observations. Scand J Public Health 35:442PubMedCrossRefGoogle Scholar
  8. Botkin J (2001) Protecting the privacy of family members in survey and pedigree research. JAMA 285:207–211PubMedCrossRefGoogle Scholar
  9. Burke W, Psaty B (2007) Personalized medicine in the era of genomics. JAMA 298:1682–1684PubMedCrossRefGoogle Scholar
  10. Cassa C, Schmidt B, Kohane I, Mandl K (2008) My sister’s keeper? Genomic research and the identifiability of siblings. BMC Med Genomics 1:32PubMedCrossRefGoogle Scholar
  11. Chiang Y, Hsu T, Kuo S, Liau C, Wang D (2003) Preserving confidentiality when sharing medical database with the Cellsecu system. Int J Med Inform 71:17–23PubMedCrossRefGoogle Scholar
  12. Clayton D (2010) On inferring presence of an individual in a mixture: a Bayesian approach. Biostatistics 11:661–673PubMedCrossRefGoogle Scholar
  13. Clayton E, Smith M, Fullerton SM et al (2010) Confronting real time ethical, legal, and social issues in the Electronic Medical Records and Genomics (eMERGE) Consortium. Genet Med 12:616–620PubMedCrossRefGoogle Scholar
  14. Collins F (2010) Has the revolution arrived? Nature 464:674–675PubMedCrossRefGoogle Scholar
  15. Currie P (2005) Balancing privacy protections with efficient research: institutional review boards and the use of certificates of confidentiality. IRB 27:7–12PubMedCrossRefGoogle Scholar
  16. Dankar F, El Emam K (2010) A method for evaluating marketer re-identification risk. In: Proceedings of the EDBT/ICDT Workshops, ACM Press, New YorkGoogle Scholar
  17. Eiseman E, Bloom G, Brower J, Clancy N, Olmstead S (2003) Case studies of existing human tissue repositories: “best practices” for a biospecimen resource for the genomic and proteomic era. Rand Corporation, Santa MonicaGoogle Scholar
  18. El Emam K (2008) Heuristics for de-identifying health data. IEEE Secur Priv Mag 6:58–61CrossRefGoogle Scholar
  19. El Emam K, Dankar K (2008) Protecting privacy using k-anonymity. J Am Med Inform Assoc 15:627–637PubMedCrossRefGoogle Scholar
  20. El Emam K, Jabbouri, Sams S, Drouet Y, Power M (2006) Evaluating common de-identification heuristics for personal health information. J Med Internet Res 8:e28Google Scholar
  21. El Emam K, Dankar K, Issa R et al (2009) A globally optimal k-anonymity method for the de-identification of health data. J Am Med Inform Assoc 16:670–680PubMedCrossRefGoogle Scholar
  22. Glaser J, Henley D, Downing D, Brinner K (2008) Advancing personalized health care through health information technology: an update from the American Health Information Community’s Personalized Health Care Workgroup. J Am Med Inform Assoc 15:391–396PubMedCrossRefGoogle Scholar
  23. Golle P (2006) Revisiting the uniqueness of simple demographics in the US population. In: Proceedings of the ACM Workshop on Privacy in Electronic Society, ACM Press, New York, pp 77–80Google Scholar
  24. Green ED, Guyer MS, National Human Genome Research Institute (2011) Charting a course for genomic medicine from base pairs to bedside. Nature 470:204–213PubMedCrossRefGoogle Scholar
  25. Guttmacher A, Collins F (2005) Realizing the promise of genomics in biomedical research. JAMA 294:1399–1402PubMedCrossRefGoogle Scholar
  26. Haga S, O’Daniel J (2011) Public perspectives regarding data sharing practices in genomics research. Public Health Genomics. doi:10.1159/000324705 (published online March 24)
  27. Hamburg M, Collins F (2010) The path to personalized medicine. N Engl J Med 363:301–304PubMedCrossRefGoogle Scholar
  28. Hansson S, Björkman B (2006) Bioethics in Sweden. Camb Q Healthc Ethics 15:285–293PubMedCrossRefGoogle Scholar
  29. Hindmarsh R, Abu-Bakar A (2007) Balancing benefits of human genetic research against civic concerns: essentially Yours and beyond—the case of Australia. Pers Med 4:497–505CrossRefGoogle Scholar
  30. Homer N, Szelinger S, Redman M et al (2008) Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS Genet 4:e1000167PubMedCrossRefGoogle Scholar
  31. Kaufman DJ, Murphy-Bollinger J, Scott J, Hudson KL (2009) Public opinion about the importance of privacy in biobank research. Am J Hum Geneti 85:643–654CrossRefGoogle Scholar
  32. Kaye J (2006) Police collection and access to DNA samples. Genomics Soc Policy 2:16–72Google Scholar
  33. Kayser M, Schneider P (2009) DNA-based prediction of human externally visible characteristics in forensics: motivations, scientific challenges, and ethical considerations. Forensic Sci Int Genet 3:154–161PubMedCrossRefGoogle Scholar
  34. Kohane I, Altman R (2005) Health information altruists—a potentially critical resource. N Engl J Med 353:2074–2077PubMedCrossRefGoogle Scholar
  35. Kullo I, Fan J, Pathak J, Savova G, Ali Z, Chute C (2010) Leveraging informatics for genetic studies: use of the electronic medical record to enable a genome-wide association study of peripheral arterial disease. J Am Med Inform Assoc 17:568–574PubMedCrossRefGoogle Scholar
  36. Langella S, Hastings S, Oster S et al (2008) Sharing data and analytical resources securely in a biomedical research grid environment. J Am Med Inform Assoc 15:33–373CrossRefGoogle Scholar
  37. Lemke A, Wolf W, Hebert-Beirne J, Smith M (2010) Public and biobank participant attitudes toward genetic research participation and data sharing. Public Health Genomics 13:368–377PubMedGoogle Scholar
  38. Lemrow S, Colditz G, Vaught J, Hartge P (2007) Key elements of access policies for biorepositories associated with population science research. Cancer Epidemiol Biomarkers Prev 16:1533–1535PubMedCrossRefGoogle Scholar
  39. Li G, Wang Y, Su X (2011) Improvements on a privacy-protection algorithm for DNA sequences with generalization lattices. Comput Methods Programs Biomed. doi:10.1016/j.cmpb.2011.02.013
  40. Lin Z, Hewett M, Altman R (2002) Using binning to maintain confidentiality of medical data. Proc AMIA Symp 454–458Google Scholar
  41. Lin Z, Owen A, Altman R (2004) Genetics: genomic research and human subject privacy. Science 305:183PubMedCrossRefGoogle Scholar
  42. Lin Z, Altman R, Owen A (2006) Confidentiality in genome research. Science 313:441–442PubMedCrossRefGoogle Scholar
  43. Louie B, Mork P, Martin-Sanchez F, Halevy A, Tarczy-Hornoch P (2007) Data integration and genomic medicine. J Biomed Inform 4:5–16CrossRefGoogle Scholar
  44. Loukides G, Denny J, Malin B (2010a) The disclosure of diagnosis codes can breach research participants’ privacy. J Am Med Inform Assoc 17:322–327PubMedGoogle Scholar
  45. Loukides G, Gkoulalas-Divanis A, Malin B (2010b) Anonymization of electronic medical records for validating genome-wide association studies. Proc Natl Acad Sci USA 107:7898–7903PubMedCrossRefGoogle Scholar
  46. Lowrance W, Collins F (2007) Ethics: identifiability in genomic research. Science 317:600–602PubMedCrossRefGoogle Scholar
  47. Lunshof J, Chadwick R, Vorhaus D, Church G (2008) From genetic privacy to open consent. Nature Rev Genet 9:406–411PubMedCrossRefGoogle Scholar
  48. Mailman MD, Feolo M, Jin Y et al (2007) The NCBI dbGaP database of genotypes and phenotypes. Nat Genet 39:1181–1186PubMedCrossRefGoogle Scholar
  49. Malin B (2005a) An evaluation of the current state of genomic data privacy protection technology and a roadmap for the future. J Am Med Inform Assoc 12:28–34PubMedCrossRefGoogle Scholar
  50. Malin B (2005b) Protecting genomic sequence anonymity with generalization lattices. Methods Inf Med 44:687–692PubMedGoogle Scholar
  51. Malin B (2007) A computational model to protect patient data from location-based re-identification. Artif Intell Med 40:222–239CrossRefGoogle Scholar
  52. Malin B (2008) K-unlinkability: a privacy protection model for distributed data. Data Knowl Eng 64:294–311CrossRefGoogle Scholar
  53. Malin B, Sweeney L (2004) How (not) to protect genomic data privacy in a distributed network: using trail re-identification to evaluate and design anonymity protection systems. J Biomed Inform 37:179–192PubMedCrossRefGoogle Scholar
  54. Malin B, Karp D, Scheuermann R (2010) Technical and policy approaches to balancing patient privacy and data sharing in clinical and translational research. J Investig Med 58:11–18PubMedGoogle Scholar
  55. Malin B, Benitez K, Masys D (2011) Never too old for anonymity: a statistical standard for demographic data sharing via the HIPAA Privacy Rule. J Am Med Inform Assoc 18:3–10PubMedCrossRefGoogle Scholar
  56. McCartney C (2004) Forensic DNA sampling and the England and Wales National DNA database: a sceptical approach. Crit Criminol 12:157–178CrossRefGoogle Scholar
  57. McCarty C, Chisholm R, Chute C et al (2011) The eMERGE Network: a consortium of biorepositories linked to electronic medical records data for conducting genomic studies. BMC Med Genomics 4:13PubMedCrossRefGoogle Scholar
  58. McGuire A, Gibbs R (2006) Genetics: no longer de-identified. Science 312:370–371PubMedCrossRefGoogle Scholar
  59. McGuire A, Fisher R, Cusenza P et al (2008a) Confidentiality, privacy, and security of genetic and genomic test information in electronic health records: points to consider. Genet Med 10:495–499PubMedCrossRefGoogle Scholar
  60. McGuire A, Hamilton J, Lunstroth R, McCullough L, Goldman A (2008b) DNA data sharing: research participants perspectives. Genet Med 10:46–53PubMedCrossRefGoogle Scholar
  61. Miler G (2009) The looming crisis in human genetics. The Economist November 13Google Scholar
  62. Miller E (2010) Relative doubt: familial searches of DNA databases. Mich Law Rev 109:291–348Google Scholar
  63. National Institutes of Health (2002) NIH announces statement on certificates of confidentiality. NOT-OD-02-037 March 15Google Scholar
  64. National Institutes of Health (2003) Final NIH statement on sharing research data. NOT-OD-03-032 February 26Google Scholar
  65. National Institutes of Health (2007) Policy for sharing of data obtained in NIH supported or conducted genome-wide association studies (GWAS). NOT-O-07-088 August 28Google Scholar
  66. Ng P, Murray S, Levy S, Venter C (2009) An agenda for personalized medicine. Nature 461:724–726PubMedCrossRefGoogle Scholar
  67. Ollier W, Sprosen T, Peakman T (2005) UK Biobank: from concept to reality. Pharmacogenomics 6:639–646PubMedCrossRefGoogle Scholar
  68. Ossorio P (2006) About face: forensic genetic testing for race and visible traits. J Law Med Ethics 34:277–292PubMedCrossRefGoogle Scholar
  69. Phillips C, Salas A, Sanchez JJ et al (2007) Inferring ancestral origin using a single multiplex assay of ancestry-informative marker SNPs. Forensic Sci Int Genet 1:273–280PubMedCrossRefGoogle Scholar
  70. Ritchie M, Denny J, Crawford D et al (2010) Robust replication of genotype–phenotype associations across multiple diseases in an electronic medical record. Am J Human Genet 86:560–572CrossRefGoogle Scholar
  71. Roden D, Pulley J, Basford M et al (2008) Development of a large-scale de-identified DNA biobank to enable personalized medicine. Clin Pharmacol Ther 84:362–369PubMedCrossRefGoogle Scholar
  72. Roses A (2004) Pharmacogenetics and drug development: the path to safer and more effective drugs. Nat Rev Genet 5:645–656PubMedCrossRefGoogle Scholar
  73. Samarati P (2001) Protecting respondents identities in microdata release. IEEE Trans Knowl Data Eng 13:1010–1027CrossRefGoogle Scholar
  74. Sankararaman S, Obozinski G, Jordon M, Halperin E (2009) Genomic privacy and limits of individual detection in a pool. Nat Genet 41:965–967PubMedCrossRefGoogle Scholar
  75. Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology (2005) Report on statistical disclosure limitation methodology. Statistical Policy Working Paper 22, Office of Management and Budget. Revised by the Confidentiality and Data Access CommitteeGoogle Scholar
  76. Sweeney L (1997) Weaving technology and policy together to maintain confidentiality. J Law Med Ethics 25:98–110PubMedCrossRefGoogle Scholar
  77. Sweeney L (2002a) k-anonymity: a model for protecting privacy. Int J Uncertain Fuzziness Knowl Based Syst 10:557–570CrossRefGoogle Scholar
  78. Sweeney L (2002b) Achieving k-anonymity privacy protection using generalization and suppression. Int J Uncertain, Fuzziness Knowl Based Syst 10:571–588CrossRefGoogle Scholar
  79. U.S. Department of Health and Human Services (2002) Standards for privacy of individually identifiable health information, final rule. Federal Register, 45 CFR: 160–164Google Scholar
  80. Vinterbo S, Ohno-Machado L, Dreiseitl S (2001) Hiding information by cell suppression. Proc AMIA Symp 26–730Google Scholar
  81. Wang D, Liau C, Hsu T (2004) Medical privacy protection based on granular computing. Artif Intell Med 32:137–149PubMedCrossRefGoogle Scholar
  82. Wang R, Li Y, Wang X, Tang H, Zhou X (2009) Learning your identity and disease from research papers: information leaks in genome wide association study. In: Proceedings of the ACM Conference on Computer and Communications Security, ACM Press, New York, pp 34–55Google Scholar
  83. Willenborg L, De Waal T (1996) Statistical disclosure control in practice. Springer Lecture Notes in Statistics. Springer, New YorkGoogle Scholar
  84. Wolf L, Zandecki J (2006) Sleeping better at night: investigators’ experiences with certificates of confidentiality. IRB 28:1–7PubMedGoogle Scholar
  85. Zerhouni E, Nabel E (2008) Protecting aggregate genomic data. Science 322:44PubMedCrossRefGoogle Scholar

Copyright information

© Springer-Verlag 2011

Authors and Affiliations

  • Bradley Malin
    • 1
    • 2
  • Grigorios Loukides
    • 1
  • Kathleen Benitez
    • 1
  • Ellen Wright Clayton
    • 3
    • 4
    • 5
  1. 1.Department of Biomedical Informatics, School of MedicineVanderbilt UniversityNashvilleUSA
  2. 2.Department of Electrical Engineering and Computer Science, School of EngineeringVanderbilt UniversityNashvilleUSA
  3. 3.Department of PediatricsSchool of MedicineVanderbiltUSA
  4. 4.Center for Biomedical Ethics and Society, School of MedicineVanderbilt UniversityNashvilleUSA
  5. 5.School of LawVanderbilt UniversityNashvilleUSA

Personalised recommendations