j.1748-121x.2007.00045.x

Legal Studies, Vol. 27 No. 2, June 2007, pp.
312–342
DOI: 10.1111/j.1748-121X.2007.00045.x
Are UK genetic databases governed

adequately? A comparative legal analysis
Susan MC Gibbons*
Researcher in Law, Ethox Centre, University of Oxford
Given the burgeoning of genetic research and proliferation of human genetic databases,
especially in the biomedical sphere, this paper explores whether the existing laws and
regulatory structures for governing genetic databases in England and Wales are adequate.
Through a critical survey of relevant rules, bodies and practices, it argues that the current
UK framework is far from ideal in at least five major areas: (1) forms and styles of law
used, especially the separate legislative regimes for physical biomaterial and data; (2)
core definitions; (3) formal regulatory bodies, licensing and notification requirements; (4)
ethics committees and other advisory panels; and (5) enforcement powers and sanctions.
Such shortcomings could have major implications for stakeholders, hamper efforts to
achieve European or international harmonisation of genetic database principles and
practices, and undermine the UK’s standing as a world leader in genetics and biotechnology.
Drawing on comparative analysis of governance strategies adopted in Estonia, Iceland
and Sweden, the paper identifies alternative options and lessons from experiences abroad,
suggesting possible avenues for reform that may warrant serious consideration in the UK.
INTRODUCTION
Over recent years, major advances in computing, automated DNA sequencing tech-
niques and related biotechnologies have fuelled an explosion in UK genetic research
activities. This has spurred the creation of many different forms of human genetic
databases. Known by various terms – including human genetics research databases,
genomic databases, biobanks, tissue banks, DNA databanks and gene banks – these
systematically organised collections variously hold tissue samples, DNA, other
genetic material and relevant personal, medical, lifestyle and genealogical data about
individuals for research purposes. Such collections are heterogeneous, differing mark-
edly in their origins, design, size, content, duration, ownership and purpose.1
The total number and nature of UK genetic databases is unknown, even for those
in the public sector. Most are thought to be relatively small scale, established to
identify the genes and genetic variations involved in single diseases such as diabetes,
cardiovascular disease, certain cancers and dementia. Traditionally, the individuals
* The author is grateful to Ants Nõmper, Hör~ur Helgi Helgason and Lotta Wendel for
providing helpful background information and materials, and to Jane Kaye, Roger Brownsword
and anonymous referees for invaluable comments and advice. This article was funded by the
Wellcome Trust Biomedical Ethics Unit (Award Ref: 076070/Z/04/Z) as part of a 3-year project
entitled ‘Governing Genetic Databases’.
1. See, eg, A Cambon-Thomsen et al ‘An empirical survey on biobanking of human genetic
material and data in six EU countries’ in BM Knoppers (ed) Populations and Genetics: Legal
and Socio-Ethical Perspectives (Lieden: Martinus Nijhoff Publishers, 2003) p 141. See also N
Palmour ‘A survey of the variability of DNA banks worldwide’, ibid, p 123.
© 2007 The Author. Journal Compilation © 2007 The Society of Legal Scholars. Published by Blackwell Publishing,
9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main Street, Malden, MA 02148, USA
Are UK genetic databases governed adequately? 313
involved – also known variously as participants, volunteers, research subjects and

gene donors – have tended to be patients or families already affected by illness.
Recently, however, far more ambitious initiatives have begun to spring up. Prominent
examples involving UK organisations include UK Biobank and the international
HuGENet™ and P3G consortia.2 Unlike traditional collections, these population-scale
projects aspire to be multipurpose and longitudinal. Their aim is to create substantial,
internationally accessible repositories capable of supporting a wide range of genetic,
biochemical and epidemiological research into common diseases.
Outside the medical sphere, several substantial genetic databases also exist for
other purposes.3 The most prominent – and most controversial4 – is the police’s
National DNA Database® (NDNAD). Thanks to permissive legislation authorising
DNA sample retention,5 since 1995 this intelligence database has become the largest
of its kind in the world. The NDNAD currently contains approximately 3.5 million
DNA profiles on individuals, including suspects who were acquitted, children and
people never charged. On average, 40,000 new individual DNA profiles are added
every month.6
This burgeoning of UK-based genetic research, proliferation of genetic databases,
emergence of cross-jurisdictional consortia and moves to integrate or cross-reference
separate databases (including, potentially, databases originally established for quite
different purposes)7 pose a host of challenges for law makers. This raises a funda-
mental question: just how adequate are the UK’s existing laws and regulatory struc-
tures for governing those entities that might be termed ‘genetic databases’? This paper
explores this question. Focusing primarily on the vast bulk of collections used for
biomedical research, it undertakes a critical factual survey covering five key topics
crucial to governing human genetic databases of all shapes and sizes: (1) forms and
styles of law used; (2) core definitions; (3) formal regulatory bodies, licensing and
notification requirements; (4) ethics committees and other advisory panels; and (5)
enforcement powers and sanctions.
In order to assess the adequacy of the existing framework, the Better Regulation
Commission’s ‘five principles of good regulation’ provide a convenient and timely
set of benchmarks.8 Those five principles – that regulation should be transparent,
2. Human Genome Epidemiology Network, available at http://www.hugenet.org.uk; Public
Population Project in Genomics, available at http://www.p3gconsortium.org/.
3. See, eg, genetic databases established by the Home Office Joint Entry Clearance Unit
(for familial immigration checks) and the Child Support Agency (for resolving disputed
paternity claims).
4. See, eg, Nuffield Council on Bioethics consultation paper Forensic Use of Bioinforma-
tion: Ethical Issues (November 2006). On the issues around forensic databases, see, eg, AA
Noble ‘Introduction: DNA fingerprinting and civil liberties’ and other articles in ‘Forensic and
police DNA databases’ (2006) 34(2) Journal of Law, Medicine and Ethics (special issue); R
Brownsword ‘Genetic databases: one for all and all for one?’ (2007) 18(2) King’s College Law
Journal (forthcoming); R Williams and P Johnson Forensic DNA Databasing: A European
Perspective (Interim report, June 2005), available at http://www.dur.ac.uk/resources/sass/
Williams%20and%20Johnson%20Interim%20Report%202005-1.pdf.
5. Especially the Police and Criminal Evidence Act 1984, s 64 (as amended).
6. Nuffield Council on Bioethics, above n 4, p 11.
7. Notably, forensic uses of non-forensic databases, potentially including medical research
databases such as UK Biobank: ibid, p 19.
8. Better Regulation Task Force Regulation – Less is More: Reducing Burdens, Improving
Outcomes: A BRTF Report to the Prime Minister (London, March 2005) Annex B, available
at http://www.brc.gov.uk/downloads/pdf/lessismore.pdf.
© 2007 The Author. Journal Compilation © 2007 The Society of Legal Scholars
314 Legal Studies, Vol. 27 No. 2
proportionate, accountable, consistent and targeted only at cases in which action is

needed – are enshrined in the Legislative and Regulatory Reform Act 2006.9 Analysis
within each of the five key areas explored in this paper accordingly proceeds against
the backdrop of these statutory principles. Broadly speaking, two general premises
that emerge from the principles are particularly pertinent. One is that the regulatory
regime should meet certain formal desiderata. These include it being clear, coherent,
efficient, effective, proportionate and properly targeted (so that the system is neither
over-inclusive nor under-inclusive, nor unduly onerous where differing levels of
regulation are warranted). The second premise is that it ought to be reasonably easy
for regulatees who wish to comply to identify and understand their regulatory
obligations.
Measured against these principles and premises, this paper suggests that the exist-
ing regulatory framework applicable to genetic databases in England and Wales10 is
far from ideal, in all five areas surveyed. Particularly problematic and challenging is
the fact that genetic databases involve the storage of both physical biomaterial (tis-
sue) and information (data) – or, as Parry has helpfully classified them, the ‘corpo-
real’ and the ‘informational’.11 This carries significant implications – not least,
because separate and somewhat inconsistent legislative regimes currently govern
these two kinds of material. As will be seen, fashioning a satisfactory regulatory
regime that straddles these two domains may not be feasible. Instead, a specific,
tailor-made framework for governing genetic databases may be required. In the
meantime, the many shortcomings in the existing framework could have major ram-
ifications, not only for stakeholders but also through hampering efforts to achieve
European or wider international harmonisation of genetic database principles and
practices.
To facilitate specific, informed critique – using concrete examples and illustrating
possible alternative options that UK law makers may wish to consider – the paper
compares and contrasts the current UK governance regime with those of three other
European countries: Estonia, Iceland and Sweden. All four countries recently initiated
pioneering population genetic database projects; albeit, attracting intense ethical
controversy and with little success to date.12 Consequently, all four countries have
grappled with broadly the same set of governance-related issues. Comparing them is
instructive because they have responded to the challenges in often quite distinctive
ways. This diversity affords a rich and illuminating backdrop for evaluating the UK
situation. Given the rapid evolution of multi-jurisdictional genomic networks, the four
countries also provide real-world case studies for testing alternative approaches to
regulating larger-scale genetic database initiatives, particularly in the biomedical
sphere.
9. See especially ss 2 and 21.

10. For clarity and simplicity, this paper concentrates on the legal and regulatory position in
England and Wales.
11. B Parry The Fate of Collections: Exploring the Dynamics of Trade in Bio-Information
(New York: Columbia University Press, 2004).
12. On these and other countries, see MA Austin, S Harding and C McElroy ‘Genebanks: a
comparison of eight proposed international genetic databases’ (2003) 6 Community Genetics
37; G Cardinal and M Deschênes ‘Surveying the population biobankers’ in Knoppers, above
n 1, p 37; H Rose ‘From hype to mothballs in four years: troubles in the development of large-
scale DNA biobanks in Europe’ (2006) 6 Community Genetics 184.
BACKGROUND – GENETIC DATABASE CHALLENGES, REGULATORY

RESPONSES
Before turning to the five selected topics, it is worth identifying some of the particular
challenges that genetic databases pose for regulators. It is also helpful to outline
briefly the governance frameworks in Estonia, Iceland, Sweden and the UK, and key
characteristics of their population genetic database projects.13 This information pro-
vides the necessary factual foundation for the subsequent analysis.
1. Challenges and issues around genetic databases

Human genetic databases present complex legal challenges. As Brownsword has
observed, ‘non-regulation, qua opting out or neutrality, is not truly an option; and,
like it or not, the dilemmas associated with the regulation of human genetics must be
confronted’.14 On the one hand, there is a pressing social need to foster legitimate
medical and scientific progress for the public good. Well-designed governance
schemes may facilitate this; for example by promoting transparency, legitimacy and
accountability which, in turn, bolster public trust and confidence and encourage
individual participation.
On the other hand, the amalgamation, long-term storage, sharing and dissemina-
tion (including internationally) of so much human tissue, genetic material and sensi-
tive data implicate significant interests and concerns. These too demand proper legal
recognition and protection. The lively international debate over population genetic
databases has highlighted a range of knotty substantive issues.15 These include the
prerequisites for valid, informed consent from gene donors to use their biosamples
and data (especially for unknown secondary research purposes); data protection and
IT security; privacy; confidentiality; controlling access to biosamples and information
(including by gene donors, family members, health professionals, researchers,
employers, insurance companies, social services, courts, the police, and security and
intelligence agencies); deciding whether donors should get feedback (for example
where research reveals a serious but treatable medical condition); benefit-sharing;
ownership; and intellectual property rights.16 Further issues relate to the hotly
13. For more detailed descriptions, see Cambon-Thomsen et al, above n 1; Austin, Harding
and McElroy, above n 12; R Chadwick et al (eds) The Ethics and Governance of Human
Genetic Databases – A European Perspective (Cambridge: Cambridge University Press, forth-
coming); B Godard et al ‘Strategies for consulting with the community: the cases of four large-
scale genetic databases’ (2004) 10 Science and Engineering Ethics 457.
14. R Brownsword ‘Regulating human genetics: new dilemmas for a new millennium’ (2004)
12 Med LR 14 at 15.
15. See, eg, J Kaye et al ‘Population genetic databases: a comparative analysis of the law in
Iceland, Sweden, Estonia and the UK’ (2004) 8 TRAMES 15; SMC Gibbons et al ‘Lessons
from European population genetic databases: comparing the law in Estonia, Iceland, Sweden
and the United Kingdom’ (2005) 12 EJHL 103.
16. See further M Sutrop ‘Human genetic databases: ethical, legal and social issues’ and other
articles in ‘Human genetic databases: ethical, legal and social issues’ (2004) 8 TRAMES
(special issue); G Árnason, S Nordal and V Árnason (eds) Blood and Data: Ethical, Legal and
Social Aspects of Human Genetic Databases (Reykjavík: University of Iceland Press and
Centre for Ethics, 2004); JV McHale ‘Regulating genetic databases: some legal and ethical
issues’ (1998) 12 Med LR 70; Knoppers, above n 1; Chadwick, above n 13; MJ Malinowski
‘Technology transfer in biobanking: credits, debits, and population health futures’ (2005) 33
contested notion of ‘genetic exceptionalism’, genetic discrimination, group exploita-

tion, unease over the role of commercial actors, and public concern over the integra-
tion, cross-referencing and sharing of multiple datasets, especially by and between
governments, governmental bodies and national and international law-enforcement
agencies.17
Such substantive challenges have tended to dominate the population genetic data-
base debate. Issues around governance have attracted less attention, particularly in
the UK. The recent organ retention scandals culminated in the Human Tissue Act
2004 (HTA).18 But its primary focus is on front-end concerns, notably ensuring
‘appropriate consent’ for the removal, storage and use of biosamples. Downstream
matters – including the actual conduct of research on biosamples and data, and
monitoring of genetic database activities – remain largely unregulated and unsuper-
vised. The HTA’s applicability to genetic databases also is limited. Overall, specific
questions as to how best – and, indeed, how far – we should control the setting up,
operation, management, transfer and termination of UK genetic databases through
legal, quasi-legal, formal, informal or other means remain under-theorised and in need
of urgent resolution. Some consideration has been given to such matters by UK law
makers and commentators, notably following the proposal to establish UK Biobank.19
Few, however, have considered such issues in depth.20 In practice, the measures used
to regulate genetic databases in the UK and elsewhere have varied considerably.
2. Regulatory responses in Estonia, Iceland, Sweden and the UK

Between them, the UK, Estonia, Iceland and Sweden demonstrate a spectrum of
possible (albeit not necessarily advisable) governance strategies and models. Broadly
speaking, at one end lies the precisely tailored, purpose-designed Estonian legislative
code; at the opposite end lies the piecemeal, pragmatic, largely reactive UK approach.
In between are the more mixed styles of legal provision discernable in Iceland and
Sweden.
Journal of Law, Medicine and Ethics 54; MA Majumder ‘Cyberbanks and other virtual research
repositories’ (2005) 33 Journal of Law, Medicine and Ethics 31; R Tutton and O Corrigan
‘Introduction: public participation in genetic databases’ in R Tutton and O Corrigan (eds)
Genetic Databases: Socio-Ethical Issues in the Collection and Use of DNA (London:
Routledge, 2004) and other essays in the same volume.
18. D Price ‘The Human Tissue Act 2004’ (2005) 68 MLR 798 at 798–799 and references
cited therein.
19. See, eg, House of Lords’ Science and Technology Committee, Fourth Report Report on
Human Genetic Databases: Challenges and Opportunities (London: TSO, 2001), available at
http://www.publications.parliament.uk/pa/ld200001/ldselect/ldsctech/57/5701.htm; Human
Genetics Commission Inside Information: Balancing Interests in the Use of Personal Genetic
Data (London: Department of Health, May 2002), available at http://www.hgc.gov.uk/
UploadDocs/DocPub/Document/insideinformation_summary.pdf.
20. For notable exceptions, see J Kaye ‘Do we need a uniform regulatory system for biobanks
across Europe?’ (2006) 14 European Journal of Human Genetics 245; P Martin ‘Genetic
governance: the risks, oversight and regulation of genetic databases in the UK’ (2001) 20 New
Genetics and Society 157; J Sándor (ed) Society and Genetic Information: Codes and Laws in
the Genetic Era (Budapest: CPS Books, 2003); R Brownsword, WR Cornish and M Llewellyn
‘Human genetics and the law: regulating a revolution’ (1998) 61 MLR 593; J Black ‘Regulation
as facilitation: negotiating the genetic revolution’ (1998) 61 MLR 621 and other essays in that
special issue; Brownsword, above n 14 and other articles in that special issue.
estonia
The Human Genes Research Act 2000 (HGRA)21 is a purpose-built statutory code,
tailor-made to govern the Estonian Genome Project’s Gene Bank. Other leading
enactments relevant to Estonian genetic databases generally include the Constitution
of the Republic of Estonia, Personal Data Protection Act 2003,22 Databases Act 199723
and European Convention on Human Rights and Biomedicine.24 The Estonian
Genome Project’s far-reaching goal is to include health status data, lifestyle informa-
tion, genealogical records and genetic profiles on at least 1 million Estonians.25 A
non-profit organisation, the Estonian Genome Project Foundation, is the ‘chief pro-
cessor’ under the HGRA, responsible for creating and managing the Gene Bank.
Researchers may purchase licences to access the database. To date, the project has
struggled to secure adequate funding.
iceland
Iceland was the first country in the world to embark upon a nationwide genetic
database project.26 Under the Act on a Health Sector Database, No 139/1998,27
deCODE genetics, a private biopharmaceutical company, controversially secured an
exclusive licence to build, run and sell access to a centralised database containing de-
identified data drawn from the medical records of virtually all Icelanders. Until it
ceased work on this Icelandic Health Sector Database (IHSD) project following
intense hostility and bruising ethical conflicts, especially over presumed consent and
privacy,28 the company cross-referenced data contained in the IHSD with an extensive
genealogical database and a biobank.29 The Act only governs the collection of medical
data for the IHSD. To that extent, Iceland exemplifies a partially project-specific
legislative framework. Genetic samples (still being collected by deCODE) are con-
trolled separately by the Act on Biobanks, No 110/2000.30 That Act governs the
21. Inimgeeniuuringute seadus, RT I 2000, 104, 685, together with its implementing
regulations.
22. Isikuandmete kaitse seadus, RT I 2003, 26, 158.
23. Andmekogude seadus, RT I 1997, 28, 423.
24. Council of Europe, Convention for the Protection of Human Rights and Dignity of the
Human Being with regard to the Application of Biology and Medicine (Oviedo, 4 April 1997,
ETS 164) (Convention on Human Rights and Biomedicine).
25. See the websites available at http://www.geenivaramu.ee/ (Estonian Genome Project);
http://www.genomics.ee/ (Estonian Genome Project Foundation).
26. See further OM Adnardóttir et al ‘The Icelandic Health Sector Database’ (1999) 6 EJHL
307; HT Greely ‘Iceland’s plan for genomics research: facts and implications’ (2000) 40
Jurimetrics 153; R A~alsteinsson ‘The constitutionality of the Icelandic Act on a Health Sector
Database’ in J Sándor (ed) Society and Genetic Information: Codes and Laws in the Genetic
Era (Budapest: CEU Press, 2003); the website available at http://www.decode.com/.
27. Lög um gagnagrunn á heilbrig~issvi~i.
28. Rose, above n 12, at 186.
29. See generally Office of Science Policy and Planning, National Institutes of Health Ice-
land’s Research Resources: The Health Sector Database, Genealogy Databases, and Biobanks
(June 2004), available at http://grants.nih.gov/grants/icelandic_research.pdf/; C Trouet and D
Sprumont ‘Biobanks: investigating in regulation’ (2002) 2 Baltic Yearbook of International
Law 3.
30. Lög um lífsynasöfn. While generally applicable, the deCODE project was its catalyst.
collection, storage, handling and use of human biological samples in all Icelandic
biobanks, in part through a licensing system. Several additional enactments have some
bearing on Icelandic genetic databases; in particular, relating to patient rights and
data protection.31
sweden
Several general-purpose statutes apply to Swedish genetic databases. Key domestic
instruments include the Biobanks in Medical Care Act (2002:297),32 Personal Data
Act (1998:204)33 and Ethical Review Act (2003:460).34 Overall, Swedish law pertain-
ing to genetic databases is still very much in the making. As in the UK, traditional
legal doctrines, concepts and regulations remain somewhat inadequate. One notewor-
thy feature is the major role that ethical concerns have played in shaping the Swedish
framework, especially since the much-criticised commercialisation of the Västerbot-
ten Intervention Programme collection.35 This forms the bulk of the Swedish Medical
Biobank of Umeå, which contains biosamples, DNA, clinical data, and environmental
and lifestyle information from over 100,000 individuals. The Västerbotten collection
was commercialised in 1998 when UmanGenomics AB, a private start-up biotech
company, was given exclusive rights to sell access to the resource. Users may include
pharmaceutical and other private companies on a fee-paying basis and academic
researchers. The Biobank’s owners (Umeå University and Västerbotten County Coun-
cil) maintain ultimate control over the genetic information that UmanGenomics may
disseminate. However, following bitter disputes over bioethics and intellectual prop-
erty rights, the company is effectively in mothballs.36
uk
No purpose-designed legal framework or dedicated legal instrument applies to genetic
databases in the UK. Instead, a bewildering array of statutes, legislative provisions,
regulations and common law doctrines, together with well over 30 codes of practice,
31. See especially Act on the Rights of Patients, No 74/1997 (Lög um réttindi sjúklinga);
Regulation on Scientific Research in the Health Sector, No 552/1999 (Regluger~ um vísin-
darannsóknir á heilbrig~issvi~i); Regulation on a Health Sector Database, No 32/2000
(Regluger~ um gagnagrunn á heilbrig~issvi~i); Act on Protection and Processing of Personal
Data, No 77/2000 (Lög um persónuvernd og me~fer~ persónuupplysinga) as amended; Regu-
lation on the Keeping and Utilisation of Biological Samples in Biobanks, No 134/2001
(Regluger~ um vörslu og nytingu lífsyna í lífsynasöfnum); Rules on the Security of Personal
Data in Biobanks, No 918/2001 (Reglur um öryggi persónuupplysinga í lífsynasöfnum). See
also the Operating Licence for the Creation and Operation of a Health Sector Database, issued
to deCODE by the Minister of Heath and Social Security, State Regulation No 691295-3549.
32. Lag om biobanker i hälso- och sjukvården mm (2002:297). See also the Biobanks in
Medical Care Ordinance (2002:746) (Förordning (2002:746) om biobanker inom hälso- och
sjukvården mm) and Administrative Guidelines concerning Biobanks in Health Care (2002:11)
(Socialstyrelsens föreskrifter och allmänna råd (2002:11) om biobanker i hälso- och sjukvården
mm).
33. Personuppgiftslag (1998:204). See also the Personal Data Ordinance (1998:1191) (Per-
sonuppgiftskungörelsen (1998:1191)).
34. Lag om forskningsetisk prövning (2003:460) and its supporting ordinances.
35. See further the website available at http://www.biobanks.se/medicalbiobank.htm/.
36. Rose, above n 12, at 186.
guidelines, circulars, letters, best practice guidance documents and statements of

ethical principles, plus numerous binding or non-binding but influential international
conventions, directives, declarations, recommendations, statements, resolutions,
decisions and guidelines, all have some obvious or potential bearing on genetic
databases or the professionals involved with them. These uncoordinated, overlapping,
often inconsistent instruments have emanated from, or are overseen by, a correspond-
ingly wide range of bodies. These include domestic and supra-national legislative,
policy-making, administrative, judicial, professional, advisory and ethical oversight
agencies.
Within this morass, principal domestic instruments include the HTA, Data Protec-
tion Act 1998 (DPA), Human Rights Act 1998 and codes of practice and guidelines
issued by the Department of Health, Medical Research Council, Human Tissue
Authority and Information Commissioner. Key EU instruments include the Tissue
and Cells Directive37 and Data Protection Directive.38 Additionally (and unlike the
other three countries), in the UK, many important substantive matters are governed
by case-law.39
Like the Estonian Genome Project, UK Biobank is to be a purpose-built epidemi-
ological and genetic research resource. It aims to establish a nationwide, prospective
database of 500,000 participants, aged 40–69 years at enrolment, whom it expects to
monitor for up to 30 years.40 Its database will combine physical and genetic samples
with lifestyle questionnaires, baseline measurements (eg height, weight, blood pres-
sure) and medical and family disease histories. It also will enjoy unparalleled, unlim-
ited access to participants’ NHS records. Researchers may purchase licences
following approval of their projects and access requests by UK Biobank’s board of
directors and the relevant research ethics committee. UK Biobank began recruitment
in 2006 after securing formal approval to proceed from its funders. However, as with
the Icelandic and Swedish initiatives, its establishment too has been highly conten-
tious. Criticisms have ranged from doubts over its scientific validity and concern over
its heavy consumption of limited medical research resources to bioethical and regu-
latory concerns – not least, over its ethics and governance structure (discussed below).
GOVERNING GENETIC DATABASES – FIVE KEY TOPICS
1. Forms and styles of legal regulation

The forms and styles of law used in the four jurisdictions to govern genetic databases
or biobanks cover a wide spectrum. The UK patchwork, with its lack of any specific,
37. Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004
on setting standards of quality and safety for the donation, procurement, testing, processing,
preservation, storage and distribution of human tissues and cells [2004] OJ L102/48. Two
technical annexes (Commission Directives 2006/17/EC and 2006/86/EC) provide detailed
rules.
38. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data [1995] OJ L281/31. Additional EU and Council of Europe instruments
pertain to clinical trials, biomedicine, genetics, databases and intellectual property rights.
39. Relevant common law rulings cover negligence, battery, consent, capacity, the duty of
confidence, privacy, property rights and intellectual property.
40. See the website available at http://www.ukbiobank.ac.uk/.
formal legislative framework and reliance on general-purpose instruments and infor-

mal techniques, suffers from several significant shortcomings. Four key problems,
discussed in turn, are inconsistent legal standards, ambiguities, disadvantages asso-
ciated with informality and gaps.
First, inconsistent legal standards are associated particularly closely with main-
taining separate, parallel regimes to govern the corporeal and the informational. All
four jurisdictions have implemented the Data Protection Directive via primary legis-
lation (albeit with material variations).41 However, in the UK, Iceland and Sweden
quite separate legal regimes cover biosamples and personal data. Standards often
differ. Rules for obtaining consent from participants and exceptions to consent are
good examples. Thus, in the UK, the HTA, common law principles and various
guidelines and codes of practice all apply to biosamples; whereas somewhat different
(and unfortunately widely misunderstood) rules apply to consent for research uses of
health data under the DPA, related guidelines and other statutory provisions.42
By contrast, uniquely in Estonia, the HGRA does not differentiate between tissues
and data. As explored further in the next section, both kinds of material simply are
treated as ‘data’. The HGRA regulates both the creation and maintenance of the
Estonian Gene Bank. It stipulates how the chief processor may collect, store, use,
disseminate, publish and destroy biosamples and personal data. Ambitiously, the
HGRA drafters sought to codify into one comprehensive, omnibus statute the majority
of rules needed to govern human genetic research and stakeholders’ interactions. By
following such a ‘hard law’ approach, relying almost entirely on legislation, the
Estonian law makers were able to fashion an innovative, purpose-centred approach
and to abandon the legal distinction between tissue and data in the genetic database
context. Estonia emerged from Soviet rule less than a decade before the HGRA was
drafted. In such a fledgling legal regime, characterised by a relative vacuum of
historical precedent and prevailing legal doctrine, the drafters enjoyed unusual free-
dom to take a ‘clean-slate’ approach. Yet, so long as any dedicated genetic database
legislation satisfies the UK’s obligations under the Data Protection Directive, there is
no reason to suppose that UK law makers could not follow a similar course, should
they wish.
Ambiguities are a second, related category of shortcomings associated with the
UK’s current lack of any dedicated genetic database laws. The HTA makes no explicit
reference to tissue banks. Its licensing provisions, ‘appropriate consent’ requirements
and criminal offences do encompass at least some genetic database types. But ambi-
guities are rife. For example, s 16(1) requires that anyone who wishes to store or use
‘relevant material’ for a scheduled purpose – including research in connection with
disorders, or the functioning, of the human body43 – normally must obtain a licence
from the Human Tissue Authority. According to parliamentary debates, licences are
intended ‘to regulate at the level of tissue banks’ that ‘collect, process and distribute
material for purposes such as research’. By contrast, individual ‘end user’ researchers
‘who hold a few samples for a particular project’, or clinicians who ‘store small
quantities of tissue for diagnosis and research involving their own patients’, should
41. Above n 38. See Personal Data Protection Act 2003 (Estonia); Act on Protection and
Processing of Personal Data, No 77/2000 (Iceland); Personal Data Act (1998:204) (Sweden);
Data Protection Act 1998 (UK).
42. In particular, Health and Social Care Act 2001, s 60; Health Service (Control of Patient
Information) Regulations 2002, SI 2002/1438.
43. Schedule 1, para 6.
be exempt.44 Those who store relevant material intending to use it themselves for
‘qualifying research’ are now exempted from the licensing requirement by Regula-
tions.45 But, as Liddell and Hall predicted, uncertainty persists. Many collections are
likely to fall into the large grey area between the sorts of enterprises identified by the
government as ‘tissue banks’ and those exempted under the Regulations.46 Moreover,
while the Human Tissue Authority ‘will licence [sic] some genetic databases because
they store tissues or cells, some will fall outside [its] remit as storage of DNA is not
licensable’.47
Once again, introducing specific legislation could help to obviate such ambiguities.
Estonia affords one possible model. Like Estonia, in Iceland a specific statute governs
the IHSD.48 But in Iceland many crucial governance issues – most notably security
matters and the functions of the numerous IHSD monitoring bodies – largely are left
to be dealt with in deCODE’s Operating Licence or via regulations. Otherwise, neither
Iceland nor Sweden has any legislation aimed directly at human genetic databases.
Both countries do, however, have general statutes pertaining to biobanks.49 But the
Swedish statute applies only to biobanks originally established as part of the profes-
sional activities of healthcare providers. Because this necessarily limits its coverage,
UK law makers may prefer a more encompassing regime. This could enable the
inclusion of genetic databases created and used for non-medical purposes, if wished.
It might also reflect the reality of changing database usage patterns – especially moves
for databases originally established for varying purposes to be interlinked or inte-
grated, and to be used for new or different purposes.
Thirdly, one notable stylistic feature of the UK legal landscape, in marked contrast
to the other three countries, is the sheer prevalence of quasi-legal or informal devices.
Many governance matters germane to genetic databases – including ethical review,
data-processing standards, confidentiality, privacy, disclosure of medical records,
aspects of consent and individual access rights – are controlled, wholly or partially,
via non-binding codes of practice or guidelines. Using informal devices may carry
numerous benefits not shared by ‘hard law’ techniques such as Estonia has favoured.
These include flexibility, harnessing expertise to reflect the state-of-the-art, and adapt-
ability to rapidly changing circumstances and technologies. But potential disadvan-
tages – and violations of the good regulation principles – include uncertainty over
what is (legally) required, conflicting standards, a lack of ‘teeth’ (the provisions being
legally unenforceable), reduced visibility and public scrutiny, and the conferral of de
facto law-making and policy-setting power upon often democratically unaccountable
institutions.
A fourth consequence of the UK’s piece-meal, ad hoc governance style to date is
that unfortunate gaps remain. A good illustration is the fact that UK Biobank’s funders
44. Hansard HL Deb, vol 664, col 371, 22 July 2004 (Lord Warner); Hansard HL Deb, vol
664, cols GC503–GC504, 16 September 2004 (Lord Warner); Hansard HL Deb, vol 664, col
GC504, 16 September 2004 (Lord Clement-Jones).
45. The Human Tissue Act 2004 (Ethical Approval, Exceptions from Licensing and Supply
of Information about Transplants) Regulations 2006, SI 2006/1260. ‘Qualifying research’
means research that is ethically approved in accordance with the Regulations.
46. K Liddell and A Hall ‘Beyond Bristol and Alder Hey: The future regulation of human
tissue’ (2005) 13 Med LR 170 at 214.
47. Email advice from Human Tissue Authority Regulatory Officer, 1 March 2006.
48. Act on a Health Sector Database, No 139/1998 and associated regulations.
49. Act on Biobanks, No 110/2000 (Iceland); Biobanks in Medical Care Act (2002:297)
(Sweden).
have had to invest heavily in developing UK Biobank’s own independent supervisory

scheme. UK Biobank has its own Ethics and Governance Council (EGC) and a
detailed Ethics and Governance Framework document.50 Within the biobanking field,
such non-legally binding self-regulation has been described as ‘something of a world
“first”’.51 Both measures have been seen as essential for promoting public trust,
confidence, credibility and participation given the absence of any publicly funded,
external monitoring system capable of offering such assurances. But they also dem-
onstrate the latitude that the absence of proper regulatory provision affords to larger,
well-resourced players to set their own rules – and thereby, potentially, to shape future
norms in the field more generally.
Yet, suitable standards, policies and procedures for governing larger-scale genetic
databases may be entirely unfit or disproportionate for managing other collections.
Also, the choices made may be dubious or contentious. One thorny example is
feedback. Aside from baseline physical measurements taken at enrolment, UK
Biobank’s blanket policy is not to feed back any health information to participants –
not even the discovery of serious but treatable conditions.52 This stance contrasts
dramatically with Estonian law. Under the HGRA, gene donors (and their doctors)
have a statutory right to access their genetic data and descriptions of state of health
in the Estonian Gene Bank, free of charge.53 UK Biobank’s justification is that the
project is a research resource, not a healthcare programme or health check. It would
be inappropriate and meaningless to give feedback outside a clinical setting, espe-
cially where no genetic counselling is available.54 Speaking publicly in 2004, how-
ever, UK Biobank’s former Chief Executive suggested that another, more strategic,
consideration also may underpin this policy stance.55 According to Professor Newton,
alerting participants to significant research results likely would lead them to change
their behaviour and treatment. This would impair UK Biobank’s ability to trace the
natural progression of diseases and disorders, and so to study the interplay between
genes, lifestyle and environment. It would also skew the data subsequently obtained
from those participants, undermining UK Biobank’s scientific integrity. Although UK
Biobank participants are not medical research subjects in the traditional sense, the
first principle of research ethics is that the individual’s interests, welfare and well-
being should take priority over the interests of science and society.56 Clearly, then,
50. UK Biobank Ethics and Governance Framework: Version 2.0 (May 2006), available at
http://www.ukbiobank.ac.uk/docs/EGF_Version2_July%202006.pdf.
51. UK Biobank Ethics and Governance Council Annual Report 2004–2005 p 2, available at
http://www.egcukbiobank.org.uk/assets/wtx032076.pdf.
52. UK Biobank Ethics and Governance Framework, above n 50, para I.B.3. By contrast,
participants in an equivalent project planned by the USA National Human Genome Research
Institute will be given the option to be told about such findings: A Coglan ‘One million people,
one medical gamble’ New Scientist 19 January 2006.
53. HGRA, ss 11 and 16(2).
54. UK Biobank Ethics and Governance Framework, above n 50, para I.B.3. Under the
HGRA, gene donors also have a (theoretical) right to genetic counselling: see further text to n
145 below.
55. Professor John Newton The UK Biobank: Opportunity or Threat? Oxford Medical Sem-
inar (University of Oxford, 21 April 2004).
56. See, eg, World Medical Association Declaration of Helsinki (1964, 2000 as amended)
para 5; Department of Health Research Governance Framework for Health and Social Care
(London, 2nd edn, 2005) paras 2.2.1 and 3.6.3; UNESCO Universal Declaration on Bioethics
and Human Rights (33rd session, 19 October 2005), art 3(2); Recommendation Rec(90)3 of
UK Biobank’s policy is at least ethically troubling, if not legally questionable as

well.57
Another example is the nature of UK Biobank’s ethics and governance structure
itself, which also has proven controversial – not least, due to its lack of ‘teeth’. The
EGC acts as independent guardian of the Ethics and Governance Framework. But
neither it nor the framework document possesses any formal legal status. UK Biobank
may amend its framework at will. Meanwhile, the EGC is not a legal entity. Its role
in advising UK Biobank’s board of directors on standards and safeguards, monitoring
UK Biobank’s compliance with its own stated objectives and procedures, and engag-
ing in public consultation and reporting is purely advisory. At most, the EGC could
threaten to report any ethical concerns to UK Biobank’s funders, go public with its
criticisms, or its members could publicly resign in protest.58 Such options fall well
short of the ‘robust systems with strong oversight mechanisms’ which the House of
Lords’ Science and Technology Committee thought necessary ‘to ensure that research
on human genetic databases is carried out to the highest ethical standards’.59 Since
resignation en masse by EGC members would leave UK Biobank without any over-
sight body, this seems an especially unattractive prospect. Accordingly, UK Biobank’s
current self-governance structure may not set the most desirable precedent.
From this survey, it is clear that the forms and styles of regulation used vary
markedly between the four countries. Within the UK, the lack of any tailored legis-
lation, tortuous wording of the HTA, convoluted structure of the DPA, sheer volume
of informal guidance materials, and their complete lack of coordination all make it
extremely hard – even for lawyers – to say precisely what laws do govern genetic
databases, and how they should be interpreted and applied. This state of affairs falls
well short of satisfying the good regulation principles and the two premises outlined
above. Genetic database operators and researchers face a very real risk of acting
unlawfully.60 Rightly or wrongly, a fear frequently voiced during the passage of the
HTA was that introducing yet more statutory provisions, regulations and codes of
practice into a scientific area already beset by complex, partial rules and regulations
could stifle UK medical research by engendering a climate of excessive caution within
an already anxious research community.61 Other stakeholders too, including research
participants, may lack appropriate legal protections because of gaps in the law.
Experience abroad, as outlined above, suggests that having focused, tailor-made
legislative provision may well be an option worth pursuing. However, if in future the
UK’s genetic database governance regime is to embody the good regulation princi-
ples, then careful design, coordination and integration will be vital.
the Committee of Ministers to Member States concerning Medical Research on Human Beings,
Principle 2(1).
57. For debates around a possible duty of care to alert participants to personally meaningful
research results, see, eg, C Johnston and J Kaye ‘Does the UK Biobank have a legal obligation
to feedback individual findings to participants?’ (2004) 12 Med LR 239.
58. UK Biobank Ethics and Governance Framework, above n 50, para III.A.3.
59. House of Lords’ Science and Technology Committee, above n 19, para 7.34.
60. Kaye, above n 20, at 245.
61. See, eg, S Pincock ‘Human Tissue Bill could jeopardise research, scientists warn’ (2004)
328 BMJ 1034; Liddell and Hall, above n 46, at 172–173 and references cited therein; Hansard
HC Standing Committee G, cols 82, 131–132, 29 January 2004 (Dr Murrison); Hansard HL
Deb, vol 664, cols 384–387, 22 July 2004 (Lord Winston), Hansard HL Deb, vol 664, cols
395–395, 22 July 2004 (Baroness O’Neill).
2. Core definitions
Fascinating differences mark out how the four countries define core concepts. Of
particular note are the distinctive approaches to defining: (a) genetic databases; and
(b) their contents – that is, biological materials, DNA or other genetic samples, and
various categories of data. These differences are extremely important. For, how each
concept is defined in the law (or not, as the case may be) can exert a major influence
over its governance. It is therefore illuminating to examine specific attempts at
defining these key terms, where they exist, in order to tease out particular problems,
pitfalls and possibilities of which UK law makers should be aware.
biobanks, gene banks, tissue banks, genetic databases

No formal definitions of ‘genetic databases’ or similar entities appear within UK law.
There is no informal consensus over preferred terminology either. Broadly speaking,
UK regulators appear to favour the term ‘tissue bank’ and its derivatives.62 Yet,
without clear, settled definitions one cannot be sure that different speakers mean the
same thing even when they do use similar terminology. In 2001, the House of Lords’
Science and Technology Committee defined ‘genetic databases’ as ‘collections of
genetic sequence information, or of human tissue from which such information might
be derived, that are or could be linked to named individuals’.63 As Tutton and Corrigan
have observed, this definition covers both the corporeal and the informational.64 But
it is simultaneously too broad and vague to serve as a statutory definition, and too
narrow. In referring only to ‘genetic sequence information’ it omits collections of
personal, medical or genealogical data.65 Requiring individual identifiability is
another restriction. Meanwhile, the definition makes no reference to other potentially
relevant differences between collections that UK policy makers may or may not wish
to regulate – or, alternatively, may wish to regulate with varying degrees of stringency.
Examples of other factors that a more sophisticated definition might address include
the purposes for which collections are created or maintained; their (potential) uses;
design aspects including the degree of technical sophistication, accessibility, struc-
tural organisation, arrangement and searchability; intended duration; location; own-
ership; management structure; and size.
The UK is not alone in lacking clarity on this crucial point. No single, consistent
term is used to denote human genetic databases, either in the literature or legal
instruments worldwide.66 Even within the four countries surveyed here multiple terms
62. For example, the Medicines and Healthcare Products Regulatory Agency Trading Fund
Order 2003, SI 2003/1076 defines ‘tissue bank’ as ‘any place where human tissue or cells are
stored or processed’. The glossary to the Medical Research Council guidelines Human Tissue
and Biological Samples for Use in Research (2001) defines ‘human tissue or sample collection’
as ‘any samples of human biological material to be kept for reference, teaching or future
research use’. During parliamentary debates over the Human Tissue Bill, ‘tissue bank’ was the
term most frequently used.
63. House of Lords’ Science and Technology Committee, above n 19, paras 3.3–3.4.
64. Above n 16, p 2.
65. Ibid.
66. ‘Population genetic database’ is relatively well understood. For a definition of ‘population
biobank’, see, eg, Council of Europe Recommendation Rec(2006)4 of the Committee of
Ministers to Member States on Research on Biological Materials of Human Origin (adopted
15 March 2006) art 17. Amongst commentators, the term ‘human genetic database’ seems
widely accepted. See, eg, Árnason, Nordal and Árnason, above n 16, p 14.
are employed. Although similar, these terms do not share a uniform conceptual
foundation. In part, the discrepancies stem from a worrying lack of basic empirical
knowledge about precisely what sorts of databases exist, what they contain, where
they are located, how they are used, by whom, and for what purposes. Indeed, the
very concept of ‘genetic databases’ is problematic, seeking to reflect, as it does, a
disordered universe of activities within which distinctions blur.67 As Kaye has sug-
gested, terminological confusion probably also reflects the fact that we are still in a
period of technological innovation out of which the (legally) material distinctions
between different genetic database types have yet to emerge clearly.68 Nevertheless,
until a sufficiently comprehensive typology of genetic databases is compiled – a
formidable but crucial task – formulating an accurate, suitably nuanced definition of
‘genetic database’ will remain an elusive goal.
Where, then, might UK law makers look for insights? Statutory definitions cover-
ing at least certain forms of genetic databases or biobank collections can be found in
Iceland, Sweden and Estonia. All are limited in scope, failing to capture the full
universe of database types. In Iceland, art 3(1) of the Act on a Health Sector Database,
No 139/1998 defines the IHSD as ‘a collection of data containing information on
health and other related information, recorded in a standardised systematic fashion
on a single centralised database, intended for processing and as a source of informa-
tion’. This definition applies only to the IHSD project; and then, only to one of
deCODE’s three federated databases. ‘Biobank’ is defined in art 3(2) of the Act on
Biobanks, No 110/2000 as ‘a collection of biological samples which are permanently
preserved’. Again, the definition is narrower than the full range of what we may wish
to define (and regulate) as genetic databases. For example, it makes no reference to
the holding of data. Consequently, the concept extends neither to the collection of
health-related data or familial data, nor even to data derived from biosamples, such
as through DNA analysis. The definition also excludes biosamples stored for finite
periods, usually meaning less than 5 years.
In Sweden, the term ‘biobank’ also is favoured. The Biobanks in Medical Care
Act (2002:297), Ch 1, s 2 defines a biobank as ‘biological material from one or several
human beings collected and stored indefinitely or for a specified time and whose
origin can be traced to the human or humans from whom it originates’. This definition
is similar to the Icelandic definition, although slightly more nuanced. Interestingly, it
shares the individual identifiability component of the House of Lords’ Science and
Technology Committee definition. But, once again, the focus is solely on biosamples.
Biobanks that do not meet the definition fall outside the Act, and are only partially
regulated by other Swedish legislation. This is significant, for the Act also applies
only to those biobanks that were originally established as part of a healthcare pro-
vider’s medical activities; and, then, only to those that hold biosamples from identi-
fiable human beings or fetuses.69 UK Biobank too has appropriated the term ‘biobank’
to identify itself – even though its contents and activities stretch far beyond those of
‘biobanks’ as the concept is understood elsewhere.
67. See further SMC Gibbons et al ‘Governing genetic databases: challenges facing research
regulation and practice’ (2007) 34(2) JLS (forthcoming).
68. J Kaye ‘Regulating human genetic databases in Europe’ in Chadwick et al, above n 13;
Kaye, above n 20, at 246.
69. Chapter 1, s 3. Care providers include providers of professional medical care, and
laboratories that receive biosamples from such persons or entities and preserve them in
biobanks: Ch 1, s 2.
By contrast, Estonian law describes the Estonian Genome Project as a ‘gene bank’
and calls its participants ‘gene donors’. Under s 2(10) of the HGRA, ‘gene bank’ is
defined as ‘a database . . . consisting of tissue samples, descriptions of DNA, descrip-
tions of state of health, genealogies, genetic data and data enabling the identification
of gene donors’. Unlike the term ‘biobank’, it has been suggested that Estonian law
emphasises the collection of data rather than biosamples.70 In fact, the Estonian
approach is even more unique. For, the HGRA effectively collapses the distinction
still drawn everywhere else between the corporeal and the informational.
biological materials, dna, data

As the radical Estonian approach indicates, genetic databases challenge traditional
legal categories and concepts. In particular, they confound the usual dichotomy
between tissue regulation and data protection. By incorporating the characteristics
both of biobanks (physical biosamples and their genetic derivatives) and standard
databases (informational records), many genetic databases straddle the tissue regula-
tion and data protection domains. Yet, to date, only Estonia has grappled with this
fact. The four jurisdictions also diverge over how they define and treat biological
materials and data.
In respect of biosamples, in the UK under the HTA the key term ‘relevant material’
excludes sub-cellular and intra-cellular material and extracted DNA.71 Section 53(1)
defines ‘relevant material’ as ‘material, other than gametes, which consists of or
includes human cells’.72 This lynchpin term is meant to encompass essentially all
human tissue regulated under the HTA. As noted above, the HTA is intended to
regulate UK tissue banking activities. That being so, this definition seems extraordi-
narily inapt. Properly construed, it excludes cytological specimens, acellular serum
and plasma. DNA and RNA also fall outside its range, since neither ‘consists of or
includes human cells’ (or even a cell).73 Additionally – and as with the Swedish and
Icelandic definitions, noted below – it is problematic when applied to genetic data-
bases. It omits the information that can be derived from, or may be connected with,
biosamples. It also ignores the reality of genetic research. Practitioners simply do not
draw bright line distinctions between physical samples, information derived from
them, and associated personal, medical, genealogical or lifestyle data.
Iceland and Sweden are much alike. Article 3(1) of the Icelandic Act on Biobanks,
No 110/2000 defines a ‘biological sample’ very broadly as ‘organic material from a
human being, alive or deceased, which may provide biological information about him/
her’. Sweden’s Biobanks in Medical Care Act (2002:297) similarly defines ‘tissue
samples’ as ‘biological material from human beings’ (including persons living or
dead, or embryos).74 Neither definition refers explicitly to genetic material such as
70. Árnason, Nordal and Árnason, above n 16, p 13.
71. Also genetic material stored in DNA pellets or other extra-cellular media: Liddell and
Hall, above n 46, at 204 (discussing the largely identical definition of ‘bodily material’ in HTA,
s 45(5)).
72. Gametic materials and embryos created ex vivo are regulated separately under the Human
Fertilisation and Embryology Act 1990.
73. ‘Acellular materials are not themselves within the scope of the Bill, but the control of
cells from which they come is within the scope of consent’: Hansard HC Standing Committee
G, cols 58–59, 27 January 2004 (Dr Ladyman). See also Price, above n 18, at 800; email advice,
above n 47.
74. Chapter 1, s 2.
DNA. However, both appear sufficiently broad to include DNA in its natural state
and other biosamples capable of yielding genetic data.
By contrast, the Estonian HGRA plots a fundamentally different course. As already
seen, its definition of ‘gene bank’ refers both to ‘tissue samples’ and five distinct
kinds of data. Each sub-component is further defined. So then, s 2(2) defines a ‘tissue
sample’ as ‘cells, intercellular substance and body fluids taken from a human being
for the purposes of genetic research’. Interestingly, and unlike the other countries,
this definition introduces the purpose for which biosamples are held as a material
factor. More importantly, all six components of the Estonian Gene Bank – tissue
samples and the five kinds of data – are accorded precisely the same protections and
treatment. For example, s 7(1) extends the application of the Personal Data Protection
Act 2003 provisions that regulate the processing of personal data to the taking of
tissue samples, preparation of descriptions of state of health, coding, decoding and
database maintenance by the chief processor. Under s 28, the Estonian Data Protection
Inspectorate is mandated to supervise the collection and processing of tissue samples
and data alike. Section 22, which sets out further ‘data protection’ specifications,
similarly applies them equally to biosamples. Thus, the HGRA simply abandons any
legal division between tissue-banking activities and tissue protection measures, and
data-processing and data protection mechanisms.
Everywhere else – including in the UK – separate, parallel regimes still apply to
data protection. Because all four countries have implemented the Data Protection
Directive,75 their definitions of ‘data’, ‘personal data’, ‘sensitive’ data and ‘medical’
or ‘health’ data are expansive and largely consistent, as are the principles and rules
governing data processing.76 Nevertheless, all four regimes rest on one crucial starting
point presupposition, traceable back to the Data Protection Directive – namely, that
‘data’ are information on identifiable natural persons.77 Defining ‘data’ exclusively
as ‘information’ has important ramifications in the genetic database context; for, it is
extremely difficult to pin down precisely when biosamples and their derivatives move
from being corporeal ‘tissue’ to being potential or actual ‘information’. As Liddell
and Hall have observed, genetic biosamples recorded in incorporeal form may be just
as powerful and precious as their physical manifestations.78 DNA in particular can be
conceptualised simultaneously both as tissue and as a data source or data carrier of
information. In this sense, genetic materials potentially fall through another gap in
the legal framework – part of the legacy of maintaining dual, overlapping, yet incom-
plete and inadequately coordinated governance regimes. This is especially worrying
in the UK context. Arguably, many genetic materials in the UK may not be captured
by either the definition of ‘relevant material’ or of ‘data’.79
It seems evident, once again, that current UK genetic database governance mea-
sures are manifestly inadequate. Without clear, targeted provisions, setting out settled,
core definitions of genetic databases and their contents, we cannot say for sure which
bodies, actors, materials and activities are subject to the existing rules – or which
75. See text to n 41 above.

76. Definitions of ‘genetic data’ feature only in Estonia (HGRA, s 2(9)) and Iceland (Act on
a Health Sector Database, No 139/1998, art 3(7); Act on Protection and Processing of Personal
Data, No 77/2000, s 2(8)(c), defining ‘health data’ as including ‘genetic data’).
77. Article 2(a) of the Directive deems ‘personal data’ to mean ‘any information relating to
an identified or identifiable natural person’ (emphasis added).
78. Liddell and Hall, above n 46, at 175.
79. HTA, s 53(1); DPA, s 1(1).
ones should be regulated, when, why, and to what extent. In any future quest to redress
these shortcomings, helpful lessons may be learned from attempts to define core
concepts abroad, as illustrated above. The tissue–data dichotomy also arguably war-
rants urgent attention. In tackling the substantive question of whether or not we should
continue to separate tissue and data regulation, again UK law makers may derive
assistance from a closer critical examination of the Estonian approach.
3. Supervisory bodies, licensing and notification requirements

To ensure such matters as legitimacy, accountability, credibility, protection of impor-
tant rights and interests, technical security, prompt compliance with applicable rules
and standards, and public trust and confidence, it is necessary to have effective,
appropriate mechanisms to identify and monitor those who create, operate, manage
and use genetic databases. Common techniques include appointing oversight bodies
and requiring licences or notification. Here, comparing the four countries’ population
genetic database projects provides invaluable insights. Because of their size, ambi-
tious goals, controversial nature, the many substantive concerns that they raise and
high-level media attention, their oversight and scrutiny have been taken very seri-
ously. Even so, analysis uncovers a mixed picture.
formal supervisory bodies

In all four countries, various administrative agencies or officials share formal legal
responsibility for overseeing different genetic database-related activities. The primary
division is between data protection and tissue handling. But the roles and powers of
comparable authorities vary considerably. UK bodies lag behind their continental
counterparts. While data protection oversight is relatively consistent and well devel-
oped, the same cannot be said for biosample regulation – again, most acutely evident
in the UK.
Turning first to data protection, in accordance with the Data Protection Directive
all four countries have data protection authorities.80 Amongst other things, these
independent bodies are charged with ensuring that data controllers respect key data
protection principles and the requirements for fair and lawful processing of personal
data (including genetic data). They are empowered to monitor, investigate and, if
necessary, take formal steps to compel compliance or punish misconduct. European
harmonisation efforts have produced broadly equivalent minimum standards. Never-
theless, the authorities’ respective roles and powers still vary in several noteworthy
respects. Overall, the UK Information Commissioner’s powers are the narrowest and
most circumscribed.
For example, the Icelandic Data Protection Authority81 has greater powers than the
police to enter and inspect premises, seize materials and perform tests or control
measures – without need of a court order.82 By contrast, the UK Information Com-
missioner first must obtain a judicial warrant.83 The Swedish Data Inspection Board
oversees both data processing in general and personal data processing under the
80. Above n 41.

81. This body replaced the former Data Protection Commission.
82. Act on Protection and Processing of Personal Data, No 77/2000, s 38.
83. DPA, Sch 9.
Biobanks in Medical Care Act (2002:297). The Icelandic Data Protection Authority
and Estonian Data Protection Inspectorate84 similarly have specific statutory oversight
in respect of their population genetic database projects – again, unlike the UK. But
the Estonian Data Protection Inspectorate’s mandate is broader still. Under s 28 of
the HGRA, the Estonian Data Protection Inspectorate is required, as the designated
Gene Bank ‘data protection supervisory authority’, to supervise not only all process-
ing of personally identifiable data, but all processing of personally identifiable tissue
samples as well.85 The Inspectorate also wields broad powers to prohibit, suspend or
terminate processing of data or biosamples. Potentially, this may include requiring
their destruction.86 Anyone may notify the Inspectorate of suspected infringements
of the data protection laws or HGRA provisions and seek its official opinion or
intervention.
To UK observers, this bifurcated role may seem curious, incongruous even. Scep-
tics may wonder whether UK data protection officials and staff (at least, as currently
chosen and trained) possess the requisite knowledge, expertise and resources to
supervise tissue-related activities on top of their normal duties. Certainly, it is a live
issue whether the Estonian synthesis of information and bodily (or genetic) material
is conceptually sound and desirable, or unduly reductive and problematic.87 But the
possibility – and potential advantages – of fashioning a unitary governance system at
least merit serious attention in this country.
Also warranting serious attention is the question of oversight for the police’s
NDNAD, particularly to safeguard individual privacy and confidentiality. Although
the NDNAD is subject to the DPA, wide exemptions apply in the criminal justice
context. The HTA, too, excludes criminal justice activities. Neither its consent
requirements, the Human Tissue Authority’s remit, the licensing regime, nor the new
s 45 offence relating to non-consensual analysis of DNA applies to anything done for
criminal justice purposes.88 Instead, the NDNAD is predominantly self-regulated.89
In 2001, the House of Lords’ Science and Technology Committee noted the ‘clear
potential for conflicts of interests’ due to the Forensic Science Service® acting as
both NDNAD user and custodian. It recommended that the government establish an
independent body, including lay membership, to oversee the NDNAD’s workings.90
Currently, the NDNAD is governed by a tripartite Strategy Board, with members from
the Home Office, Association of Chief Police Officers and Association of Police
Authorities. Two Human Genetics Commission members have ethical input into the
84. To the extent that the Personal Data Protection Act 2003 and its associated regulations
apply under the HGRA.
85. The Personal Data Protection Act 2003 provisions do not apply where coded tissue
samples or coded data are processed as part of a dataset that includes five or more gene donors:
HGRA, s 7(2).
86. Personal Data Protection Act 2003, s 36(2).
87. Opinions differ. Some commentators argue that dual systems simply produce complexity,
regulatory redundancy and arbitrary inconsistency: Liddell and Hall, above n 46, at 212 and
223; McHale, above n 16, at 94. Conversely, the House of Lords’ Science and Technology
Committee, in its Fourth Report (above n 19), rejected a unified regulatory regime as being
‘impossibly cumbersome’ (para 3.16). Others point to qualitative differences between tissues
and data, arguing that the two are not legally synonymous vis-à-vis their nature or implications:
Price, above n 18, at 820.
88. HTA, s 39, s 45, Sch 1 and Sch 4, Pt 2.
90. House of Lords’ Science and Technology Committee, above n 19, para 7.66.
Strategic Board’s decisions.91 The Home Office’s NDNAD Custodian Unit took over
custodianship and overnight responsibilities from the Forensic Science Service®
when the latter became a partally privatised government-owned company in late 2005.
While data-processing governance structures are largely consistent and well devel-
oped across the four jurisdictions, the quality of oversight for tissue collection, storage
and handling – both on paper and in practice – is substantially weaker and more
haphazard. Weakest of all is the UK. Aside from the Human Fertilisation and Embry-
ology Authority (HFEA), whose remit covers only gametic materials and embryos
created ex vivo, no UK authority has a specific mandate to monitor the creation,
management or operation of genetic databases. Various professional bodies, advisory
boards and committees do exert quasi-legal or informal influence.92 Also, the Human
Tissue Authority provides oversight and guidance, issues codes of practice, and
superintends compliance with the HTA and its own codes of practice.93 Its remit and
powers encompass at least some genetic database activities. However, no formal
governance system, specifically tailored, streamlined and engineered to meet the
particular needs and demands of genetic databases, currently exists.
The Human Tissue Authority and HFEA look set to merge in 2008–2009 to form
the Regulatory Authority for Tissue and Embryos (RATE). Before then, the two bodies
will share a joint chair. The government plans to introduce draft legislation during
2007 and to consult stakeholders about RATE’s design and the regulatory principles
and values that it should hold. At present, the HFEA licenses and monitors clinics
that carry out in vitro fertilisation, donor insemination and human embryo research,
and regulates the storage of gametes and embryos. RATE will combine the statutory
functions of the two bodies. It will be a single regulator responsible for monitoring,
licensing and inspecting a diverse range of activities across the whole spectrum of
human materials, including tissue, cells, gametes, embryos, blood and organs.
The proposed merger forms part of an ongoing rationalisation of arm’s length
bodies, driven principally by efficiency goals. Perceived advantages include avoiding
unnecessary bureaucracy, costs and overlaps. Particularly relevant here is the fact that
the two bodies currently share responsibility, as dual designated competent authori-
ties, for implementing the EU Tissue and Cells Directive.94 Their proposed merger is
not, however, universally welcomed. While the Human Tissue Authority’s powers to
license, inspect and produce codes of practice were modelled on the HFEA, some
have criticised the HFEA for being unduly expensive and duplicative, and lacking a
culture of transparency and public consultation.95 Others have voiced serious concern
over the distinctive characters of the two bodies’ regulatory ambits and functions,96
noting the different ethical issues implicated within each and questioning whether
one single body will be capable of dealing effectively with so many specialist areas.97
91. Nuffield Council on Bioethics, above n 4, pp 17–18.

92. Especially the Medical Research Council, General Medical Council and Human Genetics
Commission.
93. HTA, ss 14–15.
94. Above n 37. The Directive requires accreditation of tissue banks, and sets minimum
standards of quality and safety for the donation, procurement, testing, processing, preservation,
storage and distribution of human tissue and cells intended for human application.
96. Price, above n 18, at 811.
97. British Medical Association BMA Response to the Queen’s Speech (15 November 2006),
available at http://www.bma.org.uk/pressrel.nsf/wlu/SGOY-6VKGC5?OpenDocument&vw=
wfmms.
In terms of lessons from abroad, UK law makers may benefit here from seeing
what has not worked particularly well elsewhere. Estonia and Iceland have appointed
specific oversight bodies for their population genetic database projects. The Estonian
Data Protection Inspectorate operates generally as the HGRA supervision authority
for both data and tissue handling. Additionally, an Estonian Genome Project Ethics
Committee, established under the HGRA, may assess the chief processor’s activities.
However, its approval is mandatory only where the chief processor plans to decode
materials in order to identify a gene donor for specified purposes.98 In Iceland, the
Minister of Health and Social Security is generally responsible for overseeing
biobanks. But actual experience, especially with the deCODE project, has been less
than ideal. The Act on a Health Sector Database, No 139/1998 and its associated
regulations provided for three bodies to oversee the IHSD: (a) the Monitoring Com-
mittee;99 (b) the Data Protection Authority; and (c) a special Interdisciplinary Ethics
Committee. The Monitoring Committee was responsible for supervising the building
and day-to-day operations of the IHSD (insofar as such activities fell outside the Data
Protection Authority’s remit) to ensure compliance with the legislation, regulations
and Operating Licence. It also was meant to follow deCODE’s contractual negotia-
tions with health data suppliers. In practice, however, it did not fulfil these tasks;
particularly the latter. Furthermore, it is unclear precisely what the Monitoring Com-
mittee was meant to do once the IHSD was up and running. The provisions describing
its role and responsibilities are somewhat vague.
In Sweden, the National Board on Health and Welfare oversees biobanks, but only
those subject to the Biobanks in Medical Care Act (2002:297).100 All others effectively
operate without external public supervision. The National Board can issue binding
regulations and guidelines and make non-binding recommendations. It also can inves-
tigate and sanction unlawful practices. But actual control over biosamples lies entirely
in the hands of biobank operators, including UmanGenomics. Potentially, the absence
of any appeal right to an independent monitoring body, like the National Board, could
lead to disadvantage, especially for academic researchers, who, in Sweden, do not
have to pay a fee for access. Researchers who are unfairly refused access to biosam-
ples by biobank operators may complain to the National Board. But it is powerless
to offer them any remedy.
With the HTA now fully in force, the existing key UK supervisory bodies –
especially the Information Commissioner’s Office, Human Tissue Authority, Depart-
ment of Health and COREC101 – face an unenviable task. The co-existence of separate
but overlapping and partially inconsistent legal frameworks governing biosample
collections, data collections and ethical review of research proposals will necessitate
some awkward negotiations in relation to genetic database oversight. Each body (and
others, including the HFEA) will have to navigate its way around the rest and mark
out its own turf within a crowded and chaotic regulatory space. This is yet another
area in which UK governance appears to fall short of the good regulation principles.
Key issues highlighted above include streamlining and coordinating the bodies
98. For example, to contact gene donors, or renew, supplement or verify their descriptions
of state of health: HGRA, ss 24(2)(4) and 29(1).
99. Formally, the Committee on the Creation and Operation of a Health Sector Database. See
Act on a Health Sector Database, No 139/1998, art 6; Regulation on a Health Sector Database,
No 32/2000, arts 15–17.
100. Chapter 6, s 3.
101. Central Office for Research Ethics Committees, discussed further below.
involved and perhaps revisiting their roles, responsibilities and powers to achieve
proper consistency, transparency, accountability and effective enforcement.
licensing and notification

A similar pattern emerges in respect of registration requirements. In all four jurisdic-
tions, data controllers must notify the data protection authority of their activities and
keep their registration records accurate and up to date. In turn, each authority main-
tains a public register. These are core obligations under the Data Protection Direc-
tive.102 But the comparable procedures for tracing dealings with biosamples again
diverge markedly. Under the EU Tissue and Cells Directive103 – which applies only
to tissues and cells intended for human applications, and so excludes most (if not
all)104 genetic research activities – the relevant ‘tissue establishments’ must be
‘accredited, designated, authorised or licensed by a competent authority’.105 This
provision leaves a number of implementation strategies, of varying degrees of strin-
gency, open to EU Member States. Interestingly, similar strategies have been
employed in the genetic database context. Yet, the differences remain substantial.
Without some form of notification system at least, external monitoring of biobank-
ing activity is virtually impossible. It cannot be said what databases or collections
exist, how they are being used, by whom or to what ends. Until recently, such blind
ignorance characterised the UK situation. Outside the data protection and human
reproduction contexts,106 no formal mechanisms for identifying or controlling genetic
database operations existed at all. Decisions about the lawfulness of biosample-
handling activities were guided loosely by the courts, the Department of Health and
research ethics committees.107 Widely criticised, this gap in the law has been narrowed
partially by the HTA requirement that certain tissue banks storing relevant material
for research use must be licensed. The Human Tissue Authority monitors and enforces
the licensing system. Yet, without any core statutory definition of regulated tissue
banks, and with the prospect of exemptions, it is unclear exactly which collections
will, and will not, be captured.
By contrast, the Icelandic licensing regime is more specific. It applies only to
‘permanently preserved’ biobank collections, and explicitly excludes biosamples held
temporarily (under 5 years) for clinical testing, treatment or specific scientific study,
provided they are either destroyed when the work is completed or transferred into a
licensed biobank.108 In Estonia, anyone who wishes to use materials held in the Gene
Bank must obtain a licence. In Iceland, it is biobank operators who must be
102. Articles 18–21.

103. Above n 37.
104. Like the HTA, the Directive’s Art 3 definitions of ‘tissue’ and ‘cells’ do not descend to
a sub-cellular level, and so apparently exclude extracted genetic material – although, genetic
testing of tissue and cells subject to the Directive is covered. See text to n 71 above.
105. Article 6(1).
106. The Human Fertilisation and Embryology Act 1990 lays down a licensing and inspection
scheme. Following the organ retention scandals, the Chief Medical Officer conducted a limited
census of organs, body parts, still-births and fetuses held by NHS pathology services: Depart-
ment of Health, Department of Education and Employment and the Home Office Report of a
Census of Organs and Tissues Retained by Pathology Services in England (January 2001).
108. Act on Biobanks, No 110/2000, art 2.
licensed.109 Amongst other things, Icelandic biobank licences set out specific obliga-
tions and standards, and biobanks may not be set up or run without them. Yet, even
strict licensing schemes, such as in Estonia and Iceland, do not guarantee rigorous
policing. In principle, the Icelandic Minister of Health and Social Security is meant
to monitor licence-holders’ activities. Each Icelandic biobank must appoint a board,
which must keep the Director-General of Health, the Data Protection Authority and
the National Bioethics Committee informed regarding the biobank’s biosamples and
operations.110 In practice, however, there is little effective supervision – even of the
deCODE project – except in relation to data protection and IT security.111
Arguably, the UK system would benefit from having much greater definitional
clarity over which entities should count as licensable, as in Iceland. However, given
that data processing merely requires notification, whereas tissue biobanking requires
a licence, if in future the tissue–data dichotomy were to be resolved in respect of
genetic databases, then one key decision would be which monitoring mechanism (and
supervisory body) to use.
Despite the seemingly overwhelming trend in favour of biobank licensing, licens-
ing is not the only option. Sweden is a case in point. Like its data protection regime,
Sweden’s Biobanks in Medical Care Act (2002:297) simply imposes a compulsory
notification requirement on biobank operators.112 No licences are needed. Decisions
to establish healthcare sector biobanks need only be reported to the National Board
on Health and Welfare, which administers a public register. Operators also must notify
any decisions to supply biosamples to third parties.113 The biobank register was
designed to function as a tool for supervision, introducing some measure of public
control. A notification must identify the biobank’s purpose, physical location, scope
and the person responsible. In practice, much biobanking activity in Sweden still goes
on unsupervised and unchecked. Not least, this is because (as noted already) the Act’s
ambit is limited,114 omitting some research biobanks. Nevertheless, in principle,
Sweden’s approach may well be attractive; not least, from a research and innovation
perspective. It avoids potentially disproportionate bureaucracy and interference, while
still facilitating some degree of public scrutiny and accountability. It also highlights
the need for law makers to show sensitivity and wisdom in discriminating between
appropriate and necessary oversight measures and unwarranted (or unduly prescrip-
tive) red tape. This is especially relevant for genetic databases, given that potential
regulatees vary significantly in size, sophistication, activities and resources.
4. Ethics committees and other advisory panels

Maintaining ethical standards is integral to good governance. Fundamental ethical
considerations around genetic databases include ensuring that data, biosamples and
research results are obtained and disseminated appropriately and fairly, and used only
for legitimate purposes, under conditions that preserve their integrity and protect
109. Ibid, arts 4–6.
110. Ibid, art 6.
111. The Icelandic Data Protection Authority uses independent contractors to conduct annual
security reviews of the handling and storage of biosamples in specific biobanks.
112. Other statutes also provide for registers for health and research purposes. See, eg, the
Medical Care Registers Act (1998:544) (Lag (1998:544) om vårdregister); Health Data Reg-
isters Act (1998:543) (Lag (1998:543) om hälsodataregister).
113. Chapter 2, s 5.
114. See text to nn 49 and 69 above.
donors’ rights and interests. To these ends, and reflecting established international
norms, seeking prior ethical reviews of research projects involving human subjects
or human biosamples has become standard practice in all four countries since the
1960s.115 This has been thought especially important where the law permits research
without participants’ explicit consent. Nevertheless, the roles and characteristics of
ethics boards in the four countries differ markedly.
The UK structure remains the least well developed in formal terms. This is despite
the fact that, in practice, research ethics committees (RECs) are the external bodies
that exercise by far the greatest measure of control over genetic database activities.
Over 200 RECs, comprising unpaid expert and lay members, presently exist within
the NHS. (Moves are afoot to rationalise the number of RECs and improve their
overall efficiency, effectiveness, consistency and proportionality.)116 Other RECs are
located within universities and the private sector. Until recently, the REC system was
informal and voluntary. Since the 1990s, however, it has become more organised and
RECs have received greater formal acknowledgement. Also, since 2000, a Central
Office for Research Ethics Committees (COREC) has existed to advise the Depart-
ment of Health, issue guidance and encourage consistent policies and standards across
the country. Nevertheless, the legal status, authority, accountability, functions and
powers of UK RECs all remain somewhat ambiguous or narrowly circumscribed, and
the system is beset by inconsistency.
Until recently, all UK RECs were non-statutory bodies. Today, RECs operating
within the NHS may be graded as ‘recognised’ or ‘authorised’ under the Clinical
Trials Regulations.117 Certain ‘recognised’ RECs may review any research proposals,
including clinical trials involving medicinal products for human use and projects
involving prisoners. ‘Authorised’ RECs may review any single-site research proposals
except for the latter categories. For present purposes, either kind of REC will qualify
as a ‘research ethics authority’ whose approval may permit the use of relevant
material, or results of DNA analyses obtained from bodily material, for research
purposes without appropriate consent (which otherwise would constitute an offence
under the HTA).118 Yet, outside the clinical trials context – where the impetus for
legislative provision was EU-driven119 – RECs are not governed by statute law. The
115. From 1989 in Estonia: T Veidebaum ‘Research ethics in Estonia’ in D Beyleveld, D
Townend and J Wright (eds) Research Ethics Committees, Data Protection and Medical
Research in European Countries (Aldershot: Ashgate, 2005) p 245.
116. National Patient Safety Agency/COREC Building on Improvement: Implementing the
Recommendations of the Report of the Ad Hoc Advisory Group on the Operation of NHS
Research Ethics Committees (August 2006), available at http://www.corec.org.uk/
consultation/ImplementationPlan.pdf. That document outlines the plan for implementing nine
recommendations.
117. Medicines for Human Use (Clinical Trials) Regulations 2004, SI 2004/1031, Pt 2. See,
generally, A Hedgecoe et al ‘Research ethics committees in Europe: implementing the direc-
tive, respecting diversity’ (2006) 32 J Med Ethics 483 at 484–485; SD Pattinson Medical Law
and Ethics (London: Sweet & Maxwell, 2006) s 11.4.3.
118. The Human Tissue Act 2004 (Ethical Approval, Exceptions from Licensing and Supply
of Information about Transplants) Regulations 2006, SI 2006/1260. Other necessary conditions
are that the material came from a living person and that the researcher will not be able to
identify the source.
119. Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on
the approximation of the laws, regulations and administrative provisions of the Member States
relating to the implementation of good clinical practice in the conduct of clinical trials on
medicinal products for human use [2001] OJ L121/34.
principal documents relating to them are standard operating procedures issued by

COREC and governance arrangements, guidelines and circulars published by the
Department of Health.120
Their remit and functions, too, arguably are confined in suboptimal ways. Cur-
rently, REC approval is required only for research projects involving NHS staff, facil-
ities, premises, patients or users (including relatives and carers), and/or NHS patients’
data, organs or bodily material.121 By definition, the REC approval process only
applies in the (medical) research context. REC approval is therefore unnecessary and
irrelevant for many genetic databases and associated activities – including the
NDNAD.122 Moreover, traditionally RECs have acted as ‘gatekeepers’, determining
whether or not research initiatives are ethically fit to proceed. Their primary concern
is to safeguard the rights, safety and dignity of research participants. But REC deci-
sions rest on the proposed procedures and protocols for obtaining consent, data and
biosamples, and for running specific projects or research tissue banks (which now may
seek ‘generic’ approval)123 – not on the actual conduct of research or genetic database
operations. Once projects are approved, UK RECs do not have a clearly established,
proactive monitoring or quality assurance role such as would enable them to guarantee
that researchers adhere to their initial protocols, objectives or any conditions imposed.
Increasingly, UK RECs do include progress reporting conditions in giving approv-
als. These require researchers to provide information about the progress of studies so
that RECs can review their advice about ethical acceptability. NHS staff also must
inform RECs if they intend to depart from approved protocols. Yet, RECs themselves
do not possess formal investigatory or enforcement powers. They can neither veto
uses of data or biosamples, nor halt projects that violate ethical requirements – unlike
their Swedish and Icelandic counterparts (discussed below). Instead, powers to
enforce REC conditions and impose sanctions on those who violate ethical require-
ments lie entirely with other bodies. For example, wrongdoers may face disciplinary
actions by their NHS employers124 and/or professional misconduct proceedings
brought, for example, by the General Medical Council. Where applicable, they may
face criminal proceedings under the Clinical Trials Regulations.125 As Pattinson notes,
funding bodies also may withdraw or refuse future funding, and reputable journals
almost certainly would refuse to publish research outcomes.126
120. See, eg, Department of Health Research Governance Framework for Health and Social
Care (2nd edn, 24 April 2005), available at http://www.dh.gov.uk/assetRoot/04/12/24/27/
04122427.pdf. Note that COREC’s policy under the Standard Operating Procedures for
Research Ethics Committees in the United Kingdom: Version 3.1 (October 2006) p 10, available
at http://www.corec.org.uk/applicants/help/docs/SOPs.pdf, is to apply the Clinical Trials Reg-
ulations standards generally to all NHS REC reviews of research involving human participants.
121. COREC Governance Arrangements for NHS Research Ethics Committees (July 2001)
para 3.1, available at http://www.dh.gov.uk/assetRoot/04/05/86/09/04058609.pdf.
122. Note that the Home Office is establishing an Ethics Committee to advise the NDNAD’s
Strategy Board on new proposed uses of the NDNAD and research proposals, and to review
its decisions: Nuffield Council on Bioethics, above n 4, p 17.
123. See COREC, above n 120, pp 39 and 205–212.
124. While the Research Governance Framework (above n 120) lacks legal force, it declares
research governance in compliance with its principles and standards to be a ‘core standard’
expected of all public health organisations. Any failures will trigger normal accountability and
performance management procedures: paras 5.6–5.7.
125. Regulations 12 and 49.
126. Pattinson, above n 117, p 364.
While the authority of UK RECs is largely informal and non-statutory, in practice

they enjoy considerable status and influence. Despite their lack of ‘teeth’, in reality
REC approval is mandatory for genetic database research activities – at least, in the
biomedical sphere. Partly, this is because the Department of Health, professional
bodies (such as the General Medical Council) and leading research funders (notably
the Medical Research Council) invariably insist upon independent ethics approval.
UK Biobank’s work will be integrated into the NHS REC framework. In addition, its
EGC acts as an independent guardian of the Ethics and Governance Framework.
Unlike RECs, the EGC’s remit includes an ongoing monitoring role. But, as discussed
above, neither the EGC nor the framework possesses any formal legal status or
coercive power. Being merely an advisory body, the EGC is powerless to vet or to
veto access requests – all in stark contrast to the Icelandic approach (discussed below).
This somewhat loose, informal UK position lags considerably behind develop-
ments elsewhere. Historically, Sweden too relied on a voluntary approach. Now, the
Ethical Review Act (2003:460) has given mandatory ethical review full statutory
force. All Swedish scientific research projects and clinical trials involving certain
sensitive personal data127 or traceable (including de-identified) biosamples must be
reviewed by a Board for Research Ethics.128 Undertaking research without ethical
approval (where needed), or in contravention of any conditions imposed, is a criminal
offence punishable by a fine or imprisonment for up to 6 months. A Central Board
for Research Ethics has a limited monitoring role under the Act and, notably, may
hear appeals from Regional Boards. However, the Act’s narrow scope – which entirely
excludes both sensitive personal data used with consent and anonymised biosamples
– has been criticised.129 Iceland and Estonia similarly have enshrined within legisla-
tion ethical reviews of projects seeking to use their population genetic database
projects. Would-be Estonian Gene Bank users must seek prior approval from the
Estonian Genome Project Ethics Committee. Its role and powers are circumscribed;
not unlike UK Biobank’s Ethics and Governance Council. In particular, its consent
is mandatory only where the chief processor wishes to decode data to identify gene
donors for certain purposes.130
Iceland alone has placed both prior ethical review and ongoing surveillance on a
statutory footing as standard practice. Since 1997, by law all serious scientific or
medical research in Iceland involving human subjects has required prior ethical
approval.131 The Data Protection Authority’s permission is mandatory where genetic
research involves medical records. Additionally, three types of ethics committees, all
established by regulations, oversee Icelandic genetic research. The first two are
hospital-based interdisciplinary ethics committees and the National Bioethics Com-
mittee (whose Icelandic name more accurately translates as the ‘National Science
Ethics Committee’).132 Additionally, the IHSD has its own dedicated Interdisciplinary
Ethics Committee.133 That body was supposed to evaluate research proposals for the
127. Principally, research involving the processing of such data without explicit consent.
128. Sections 3–4.
129. E Rynning ‘The Swedish system for ethics review of biomedical research and processing
of sensitive personal data’ in Beyleveld, Townend and Wright, above n 115, pp 251–253.
130. See text to n 98 above.
131. Plus informed consent from participants: Regulation on Scientific Research in the Health
Sector, No 552/1999, arts 4 and 5.
132. Established under the Regulation on Scientific Research in the Health Sector, No 552/
1999, issued under the Act on the Rights of Patients, No 74/1997.
133. Regulation on a Health Sector Database, No 32/2000, arts 25–28.
IHSD. Yet, despite having a legislative foundation, its functions and powers are even
less detailed in the law than those of the Monitoring Committee. Significantly – and
in stark contrast to the UK – Icelandic ethics committees have a legislative duty to
monitor the progress of approved research projects. They have power to revoke
permits and thereby to halt studies that depart from their approved protocols or breach
any stipulated conditions.134
Comparing the four countries shows a clear trend towards increased formalisation
of ethical governance. This accords with recent United Nations Educational, Scientific
and Cultural Organisation declarations,135 and arguably warrants serious further con-
sideration in the UK. Certainly, formal measures would be needed to expand the role
of UK RECs – or, perhaps, to create some other bioethics monitor(s), such as a
national bioethics committee – to engage in ongoing supervision with enforcement
powers, as in Iceland. Together with bringing greater clarity and enforceability,
legislative reform could expand the range of genetic databases and research activities
subject to independent, external monitoring. The NDNAD and other non-health-
related databases are conspicuous omissions. The NDNAD’s lack of public scrutiny
and firm statutory foundation raise very serious questions about confidentiality, poten-
tial for misuse, and the possible desirability of introducing more transparent, account-
able governance measures. Legislative reform also may help to standardise UK RECs’
policies and procedures. Despite COREC’s efforts to date, empirical evidence shows
that RECs still systematically differ in their responses to research proposals. They
vary in the procedures followed, conclusions reached, conditions imposed and time
taken.136 This is especially burdensome for applicants who require multiple REC
approvals. Overall, the UK system (even taking account of the planned reforms)
breaches all five good regulation principles.
Before moving on to the final topic, two points warrant mention. First, in none of
the four countries does ethical approval confer any positive right to proceed with
research, or to receive sought-after biosamples or data from a genetic database. It is
a necessary but not sufficient condition. Actual access and use are still governed by
the relevant data protection and biobanking or human tissue laws – as well as
discretionary decision making by database operators. So then, additional permits must
be sought from, or notifications made to, the relevant data protection and biobanking
or genetic database supervisory bodies. Secondly, in all four countries unitary ethical
review regimes cover all biomedical research projects – whether involving biosam-
ples, data or both. This contrasts with the legal distinction still maintained in the UK,
Iceland and Sweden between data and tissue regulation. It suggests a widespread
consensus that equivalent ethical principles and standards should apply whatever the
human ‘raw material’ to be studied. Interestingly, ss 7–11 of the Swedish Ethical
Review Act (2003:460) explicitly list the principles that must form the basis for all
134. Regulation on Scientific Research in the Health Sector, No 552/1999, art 6.

135. Universal Declaration on the Human Genome and Human Rights (29th session, 11
November 1997), art 16; International Declaration on Human Genetic Data (32nd Session, 16
October 2003), art 16(b); Universal Declaration on Bioethics and Human Rights (33rd session,
19 October 2005), arts 19 and 22(2).
136. E Angell et al ‘Consistency in decision making by research ethics committees: a con-
trolled comparison’ (2006) 32(11) Journal of Medical Ethics 662 and references cited therein.
See also Department of Health Report of the Ad Hoc Advisory Group on the Operation of NHS
Research Ethics Committees (No 268110, 2005) (the Warner Report), paras 3.5 and 3.8,
available at http://www.dh.gov.uk/assetRoot/04/11/24/17/04112417.pdf.
ethical vetting decisions. These include respect for human dignity, human rights and
fundamental liberties.
5. Enforcement powers and sanctions

A final core governance concern is to ensure proper adherence to applicable require-
ments. Ensuring that regulatees can and do comply with their duties and responsibil-
ities, and treating wrongdoers appropriately, goes to the very heart of all five good
governance principles. One strategy is to render rules legally enforceable, and to
impose sanctions or penalties where they are violated without lawful excuse. Over
recent decades, traditional ‘command and control’ regulatory styles have fallen out
of favour somewhat. Regulatory theorists have developed a range of alternative
strategies, which many perceive to offer greater hope for influencing behaviour
positively through fostering voluntary compliance.137 Possible techniques include
incentive-based approaches; harnessing market forces; consent-based options includ-
ing negotiation and self-regulation; deploying public wealth strategically; requiring
compulsory information disclosures; strengthening individual rights; and expanding
private rights of action. One particularly influential notion within the UK has been
that of establishing a ‘pyramid’ of enforcement strategies, with command measures
kept as a last resort.138
In the genetic databases context, relatively little theoretical analysis of optimal
regulatory techniques has been undertaken. In the UK especially, such structures as
exist have emerged largely ad hoc, without coordination, deliberate design or any
overarching strategic vision. The UK system features a wide array of regulatory tools.
These include self-regulation by default (based on practitioners’ shared cultural
understandings of best practice, plus unilateral, project-specific mechanisms such as
for UK Biobank); limited oversight by professional bodies, RECs and courts; infor-
mation disclosure requirements (especially under data protection laws and potentially
the Freedom of Information Act 2000); certain private law rights of action; and the
HTA licensing scheme. Criminal offences and penalties also feature. Indeed, across
all four countries formal enforcement powers and sanctions serve as a central tool.
As well as criminal prosecutions and penalties, all four countries allow at least some
scope for civil remedies. Nevertheless, considerable discrepancies exist. Potential
gaps or deficiencies in the webs of enforcement also can be detected, in the UK and
elsewhere.
Looking first at data protection, the approach to enforcement mostly is consistent
and in accordance with Arts 22–24 of the Data Protection Directive. Those provi-
sions require EU Member States to put in place appropriate judicial remedies, com-
pensation rights and sanctions for unlawful data processing. Each data protection
authority may institute proceedings against law breakers. In Estonia, however, such
violations are classed merely as administrative wrongs (misdemeanours);139 not as
criminal offences, unlike in the UK, Iceland and Sweden. Moreover, the only
137. See, eg, R Baldwin and M Cave Understanding Regulation: Theory, Strategy and Practice
(Oxford: Oxford University Press, 1999) ch 4; A Ogus Regulation: Legal Form and Economic
Theory (Oxford: Hart Publishing, 2004); T Daintith ‘The techniques of government’ in J Jowell
and D Oliver (eds) The Changing Constitution (Oxford: Clarendon Press, 3rd edn, 1994).
138. A Ayres and J Braithwaite Responsive Regulation: Transcending the Deregulation Debate
(Oxford: Oxford University Press, 1992).
139. Personal Data Protection Act 2003, s 42.
penalties available in Estonia and the UK are fines;140 not fines or imprisonment, as
in Sweden and Iceland.141 By contrast to the comparatively lenient Estonian and UK
positions, the Icelandic Data Protection Authority wields quite awesome enforce-
ment powers. For example, it has direct authority to levy daily fines of up to
ISK100,000 (around £750) against data controllers who fail to comply with its
orders, until such time as the Authority deems that they have made the necessary
improvements. Daily fines may be on top of any criminal penalties. The Authority
also may order the cessation of processing until its requirements are met. It may
direct the Commissioner of Police to terminate processing temporarily, and even to
close down immediately premises being used for unlawful processing. Failing to
comply with an order from the Authority itself constitutes a criminal offence, pun-
ishable by a fine or imprisonment for up to 3 years.142 In all four countries, individ-
uals have a statutory entitlement to seek civil compensation from data controllers for
wrongful damage caused by unlawful processing; although, in respect of the specific
data processing conditions applicable to the IHSD, this right is limited to recovering
for financial loss.143
Turning to the tissue regulation realm, in the absence of specific legislation,
historically much English law pertinent to biosample handling has stemmed from
common law principles and doctrines.144 But judicial law making offers only very
limited – not to mention slow, expensive and somewhat unpredictable – means to
redress misconduct or abuse. Informal sanctions, such as the threat of professional
disciplinary proceedings or refusal or withdrawal of funding, also play a major
background role. Yet traditionally, overall, there has been a woeful lack of effective
means in the UK to prevent, punish, or compensate victims for violations of appro-
priate norms and standards.
The general biobank laws and specific population genetic database statutes in
Sweden, Estonia and Iceland confer various individual rights. But, in many instances,
no explicit enforcement procedures are laid down. For example, under the HGRA,
Estonian gene donors possess many express ‘paper’ rights. These include a right to
have their data (including biosamples) destroyed if their identities are disclosed
unlawfully; a right of access to their genetic data free of charge; and even a right to
genetic counselling upon accessing their genetic data.145 But the HGRA contains no
enforcement mechanisms. Nor is any resource allocation made, or duty imposed on
any actor under Estonian law, to fund the cost of delivering these entitlements. Nor,
indeed, does the HGRA create any actionable wrongs – civil or criminal – in respect
of any violations of its terms.146 The chief processor is expected to police any
authorised processor’s activities. But this expectation is implicit only. These startling
omissions leave the Estonian enforcement web seriously deficient.
140. Ibid; DPA, s 60.

141. Sweden has a maximum of 2 years’ imprisonment, but only for ‘grave’ violations:
Personal Data Act (1998:204), s 49(d). In Iceland, imprisonment may be for up to 3 years: Act
on Protection and Processing of Personal Data, No 77/2000, art 42.
142. Ibid, arts 40–42.
143. Act on a Health Sector Database, No 139/1998, art 17.
144. See above n 39.
145. HGRA, ss 10–11.
146. The HGRA, s 31 amended the Estonian Criminal Code by adding offences relating to
inducing people to become gene donors, non-consensual research and breaches of professional
medical confidence. All are punishable by fines, detention or imprisonment for up to 1 year.
The Icelandic State similarly may revoke the IHSD Operating Licence for any
material breach, either of the applicable laws or of the Operating Licence, and claim
the database.147 Likewise, under art 14 of the Act on Biobanks, No 110/2000 the
Icelandic Minister of Health and Social Security may revoke any biobank licence
where a licensee violates the law or fails to fulfil its licence terms and conditions.
But, unlike in Estonia, in Iceland all such actions are criminal offences. Possible
sanctions are fines, imprisonment for up to 3 years and licence revocation.148 In
Sweden, too, intentional or neglectful violation of the Biobanks in Medical Care Act
(2002:297) is punishable by a fine. The National Board on Health and Welfare, which
is responsible for supervising compliance with the Act and bringing legal actions
against violators, also can impose fines for non-cooperation with its investigations or
demands (such as failing to produce information).149
Recent legislative developments – albeit lacking the specificity and muscle of
comparable measures abroad – have bolstered the UK enforcement regime. Under
the Human Rights Act 1998, reliance by litigants on Sch 1, Pt 1 art 8 especially (the
right to private and family life), coupled with judicial proclamations that the pre-
existing duty of confidence has ‘absorbed’ art 8 ‘values’, have spurred a dramatic
expansion in privacy protection.150 The HTA has introduced several new offences
relating to storing or using relevant material for various purposes (including research)
without ‘appropriate consent’ or other explicit authorisation, non-consensual DNA
analysis, and storing or using relevant material for various purposes otherwise than
under the authority of a licence.151 In all three cases, wrongdoers face up to 3 years’
imprisonment, potentially unlimited fines and (where applicable) licence revocation.
But this raises a curious point about inconsistencies in the civil and criminal
sanctions available for (legally) different forms of wrongdoing. Only in Iceland do
the same penalties apply to equivalent offences involving data and biosamples –
namely, fines and/or imprisonment for up to 3 years. Sweden has higher penalties for
data (and ethical review)152 violations than for tissue offences. In the UK the opposite
is true. Meanwhile, in Estonia only the data protection law sets out any relevant
offences and penalties. Strictly speaking, then, both data and biosample abuses are
treated alike under the HGRA. But this is only true in the sense that no relevant
offences or penalties exist at all. The penalty discrepancy is widest in the UK, where
the maximum sentences range from an unlimited fine alone for data misuse, to an
unlimited fine plus 3 years’ imprisonment for unlawful tissue handling. Very recently,
the Information Commissioner called for an increase in the penalty for unlawfully
obtaining personal data (an offence under s 55 of the DPA) to a maximum of 2 years’
imprisonment and/or an unlimited fine. His specific aim is to tackle the perceived
pervasive and widespread ‘industry’ devoted to illegal trade in personal information,
particularly between private investigators and journalists.153 Even if successful, this
narrow proposal, relating to a single DPA offence, still falls well short of the HTA
penalties.
147. Act on a Health Sector Database, No 139/1998, art 13.
148. Ibid, arts 14–15; Act on Biobanks, No 110/2000, art 15.
149. Chapter 6, ss 1 and 3.
150. See, eg, A v B plc [2002] EWCA Civ 337, [2003] QB 195 at [4] and [6]; Campbell v
MGN [2004] UKHL 22, [2004] 2 AC 457 at [17] and [50].
151. Sections 5, 45 and 25 respectively.
152. Ethical Review Act (2003:460), s 38.
153. Information Commissioner’s Office What Price Privacy? The Unlawful Trade in Confi-
dential Personal Information (London: TSO, 2006) Foreword and para 7.8.
In part, the UK discrepancy has historical origins, being a legacy of the furore and
highly charged political climate surrounding the HTA.154 During its legislative pas-
sage, researchers, clinicians and scientists roundly condemned the HTA’s penalties as
disproportionate and excessively harsh. But the government was adamant that they
should stand as a powerful deterrent, and be a sufficient response to egregious
wrongdoing. The UK discrepancy also might be said to reflect (perhaps by accident
rather than design) a socio-cultural perception that human tissue possesses greater
moral status, sensitivity and value than information. If so, then, again, it is curious
that Swedes, Icelanders and Estonians appear not to share this viewpoint – or, at least,
do not reflect it in their laws. From the perspective of the often commensurate harms
that may flow from misuse of data and biosamples in the genetic context, it is
questionable whether diverging penalties are justifiable or desirable. Here, again,
Iceland may present options worth considering in the UK. However, this could depend
on the conclusion reached over whether biosample and data governance schemes
should be integrated or kept separate – thus far, an issue largely overlooked in the UK.
Only Swedish law offers a civil remedy to individuals who suffer damage or
violation of their personal integrity through unlawful tissue handling by biobanks.155
As Liddell and Hall have noted, in the UK there may be some prospect of living
donors bringing successful civil actions under the Human Rights Act 1998 or for
negligence. Recent experience, however, suggests that they may find it very difficult
indeed to secure compensation from the courts.156
CONCLUSION – THE WAY AHEAD?
This article has explored a fundamental question: how adequate are the existing
laws and governance structures applicable to genetic databases in England and
Wales? Comparative analysis, looking at five key topics against the backdrop of the
Better Regulation Commission’s five principles of good regulation, has exposed
many significant shortcomings. Undoubtedly, many more exist. Taken together, such
defects and deficiencies carry major implications. They highlight just how far short
the existing regulatory treatment of genetic databases falls from the government’s
own statutory test for good quality regulation. Not only does the system fail to fulfil
key formal desiderata, regulatees cannot reasonably find out what is expected of
them. As well as hampering the prospects of international harmonisation of genetic
database governance principles and practices, the palpable lack of any clear, coher-
ent or coordinated governance regime has the potential to thwart important rights
and interests, stifle beneficial research, inhibit cross-jurisdictional collaborations,
and undermine the UK’s standing as a world leader in genetics, genomics and
biotechnology.
Examples drawn from the UK, Estonia, Iceland and Sweden demonstrate various
pitfalls of failing to get the legal regulation of genetic databases right. But they also
provide numerous insights and lessons from experience. These both reveal promising
alternative options that UK law makers may wish to consider, and – no less valuably
– expose avenues that may best be avoided, or that may be worth pursuing if
154. See Price, above n 18.

155. Biobanks in Medical Care Act (2002:297), Ch 6, s 2.
156. See AB v Leeds Teaching Hospital NHS Trust [2004] EWHC 644 (QB), [2004] 2 FLR
365; Price, above n 18, at 809.
appropriate corrections and adaptations can be made, including to reflect the UK’s
unique socio-legal culture and conditions.
As technological advances increase the possibilities for amassing and exploiting
huge genetic resources, nationally and internationally, the need for an appropriately
tailored, flexible and nuanced governance regime, suitable for regulating genetic
databases of all shapes and sizes, will become ever more acute. Appropriate regulatory
systems and controls are vital for a host of reasons. They are needed to ensure
minimum standards, safeguard individual rights and public interests, and resolve
conflicts between competing rights, values and interests. They are essential for pro-
moting legality, clarity and consistency. They are important for facilitating scientifi-
cally valuable and ethically sound research, free from unwarranted interference,
disincentives, anxiety and confusion. Finally, they are needed to reassure, support and
empower database operators, researchers, societies and individuals, by fostering legit-
imacy, efficiency, transparency, accountability and proportionality.
For now, the UK governance regime is demonstrably inadequate to the task.
Creative, principled, normatively sound, practically workable and properly coordi-
nated reforms are urgently needed. But they should be properly informed by current
practice among UK genetic database operators, researchers and clinicians, so as to
embody the characteristics identified by them (and other key stakeholders) as signif-
icant. They should be accessible and readily adaptable to reflect future developments
and changing needs. They should learn from regulatory approaches attempted else-
where – including the insights and lessons gleaned from the countries surveyed in
this paper. They should consider relevant guidelines and protocols drafted by national,
European and international bodies, the extensive population genetic database litera-
ture, and theories of regulation. Finally, three preparatory steps are essential: (1)
conducting a comprehensive audit to produce an accurate working typology of UK
genetic database types; (2) settling core concepts and basic definitions; and (3)
agreeing a set of substantive principles that are capable of addressing the many
challenging issues posed by genetic databases.

j.1748-121x.2007.00045.x

Uploaded by

Copyright:

Available Formats

j.1748-121x.2007.00045.x

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

j.1748-121x.2007.00045.x

Uploaded by

Copyright:

Available Formats

Legal Studies, Vol. 27 No. 2, June 2007, pp.

Are UK genetic databases governed

involved – also known variously as participants, volunteers, research subjects and

proportionate, accountable, consistent and targeted only at cases in which action is

9. See especially ss 2 and 21.

BACKGROUND – GENETIC DATABASE CHALLENGES, REGULATORY

1. Challenges and issues around genetic databases

contested notion of ‘genetic exceptionalism’, genetic discrimination, group exploita-

2. Regulatory responses in Estonia, Iceland, Sweden and the UK

guidelines, circulars, letters, best practice guidance documents and statements of

GOVERNING GENETIC DATABASES – FIVE KEY TOPICS

1. Forms and styles of legal regulation

formal legislative framework and reliance on general-purpose instruments and infor-

have had to invest heavily in developing UK Biobank’s own independent supervisory

UK Biobank’s policy is at least ethically troubling, if not legally questionable as

biobanks, gene banks, tissue banks, genetic databases

biological materials, dna, data

75. See text to n 41 above.

3. Supervisory bodies, licensing and notification requirements

formal supervisory bodies

80. Above n 41.

91. Nuffield Council on Bioethics, above n 4, pp 17–18.

licensing and notification

102. Articles 18–21.

4. Ethics committees and other advisory panels

principal documents relating to them are standard operating procedures issued by

While the authority of UK RECs is largely informal and non-statutory, in practice

134. Regulation on Scientific Research in the Health Sector, No 552/1999, art 6.

5. Enforcement powers and sanctions

140. Ibid; DPA, s 60.

CONCLUSION – THE WAY AHEAD?

154. See Price, above n 18.

You might also like