Trustworthy Tactics for Unlocking the Value of Genetic Data

Author: Mick Brady
Date Published: 2 November 2022

An enterprise in the health/genetics space that manages a large amount of sensitive information is subject to a complex patchwork of laws and regulations, including privacy regulations, laboratory regulations, human subject protection requirements and ethical considerations. Invitae Corporation (NYSE: NVTA),1 based in San Francisco, California, USA, is a medical genetics company engaged in diagnostics for hereditary disorders including breast, colon and pancreatic cancer; cardiovascular conditions; and rare diseases, among others. Its mission is to make comprehensive genetic information part of mainstream medicine by aggregating genetic tests into a single service. Invitae generated revenue of more than US$460 million in 2021, and its workforce currently exceeds 1,900 employees.2

Invitae generates a large volume of genetic data. There are many possible uses for these data, and each can be highly specialized. For example, data might inform a strategic decision by helping to identify the processes that would most benefit from automation. The same data might shed light on the answer to a scientific question by showing the prevalence of distinct types of genetic variations.

The use of data for secondary purposes is important for advancing the field of genetic medicine, but it is often challenging to explain all the nuances regarding their permissible use in a straightforward and accessible way. Consequently, data governance and stewardship are paramount. It is essential to protect the privacy interests of patients who agree to such use. For an organization that is growing quickly and expanding internationally, establishing mechanisms to operate effectively within the current legal and regulatory landscape can be challenging.

To further complicate the situation, existing laws occasionally may conflict. For example, data retention requirements may be at odds with the right to be forgotten.3 As set forth in Article 17 of the EU General Data Protection Regulation (GDPR), the right of erasure enables individuals to request removal of certain data from entities that hold their personal information.4

Prior to 2018, separate groups within Invitae managed the complex requirements governing its data use. Among the teams involved were Medical Affairs, Legal, Lab Operations and Scientific Affairs. An individual engaged in secondary research might need to speak with multiple experts from several groups about the requirements and then attempt to consolidate and implement their advice. As Invitae grew, it was sometimes difficult to know which expert was the appropriate one to consult, and researchers trying to do the right thing risked missing key stakeholders or involving them in the process only after solutions had been developed. In June 2019, Invitae initiated a three-pronged data governance program designed to eliminate inefficiencies and missed connections through the following actions (figure 1):

  1. Formation of a data use committee (DUC)
  2. Creation of a stewardship council of expert leaders
  3. Launch of a data software platform

Handling Personal Data Responsibly

The health information Invitae handles includes personal identifiers for patients and clinicians, insurance information, and health history and phenotype data. Most Invitae tests require the collection of a specimen from a patient, the acquisition of health and other information about a patient (generally through the patient’s medical provider), the sequencing of DNA extracted from the specimen, the analysis of the sequenced information, and the reporting of results.

Invitae is committed to ensuring that patient preferences are respected and fulfilled. When working on research, it shares only deidentified patient data, provided the patient’s preference allows for sharing. Usually, the results that are shared are trends based on observations of the same or similar variants across many patients. Information specific to any individual patient is omitted, allowing the genetics community to learn from the signals and trends identified in the data without compromising patient privacy.

Invitae’s greatest business assets are individuals’ genetic data, and its greatest business challenge is protecting those data while maximizing their value for patients. Genetic data are complex, and interpreting their meaning requires deep domain knowledge and robust computing power. Invitae employs some of the leading experts in genetics, and as the field advances, Invitae’s ability to interpret genetic information is constantly evolving. The growth of its internal database improves Invitae’s ability to observe the patterns of genetic variation in the population and to use those observations to interpret genetic variations in individual patients.

Two core principles underlie Invitae’s mission:

  1. Patients own and control their data.
  2. Data are more valuable when shared.

Invitae works with industry partners who also hold valuable data. When combined with genetic information, these data can lead to insights into how genetics can improve healthcare decision-making. Partnering in this way benefits everyone involved: patients, clinicians, Invitae and its partners.

Maximizing the Value of Genetic Information

The genetic data Invitae handles are highly personal in nature, and patients are understandably concerned about maintaining the privacy of their information and directing how it can be used, both in the short and long term. A number of high-profile cases have raised questions regarding how genetic information can be used and how it should be protected.

The April 2018 arrest of Joseph James DeAngelo, known in the United States as the Golden State Killer, for example, was based on genetic information gleaned from an open-source database.5 It only took a few months of DNA matching and testing for investigators to close a cold case that had stymied them for 32 years. However, the critical genetic data were provided not by the suspect but by one of his relatives. That prompted questions about privacy protections in light of the tendency of laws to lag behind technological advances.

Although privacy is an ongoing issue, many patients understand the power of sharing deidentified genetic information to fuel discoveries that could improve human health. For example, it is now widely understood that variations in the BRCA1 and BRCA2 genes are linked to breast cancer.6 This is an issue that US actress Angelina Jolie made famous years ago.7 Reaching that understanding, which is now a factor in the healthcare decision-making of millions of women each year, was possible only through the use of genetic information to advance medical research.

Invitae is committed to contributing to the genetics community. It is the top contributor to ClinVar,8 a database that collects genetic variant interpretations, with nearly 400,000 variants submitted.9 In addition, Invitae conducts studies, both independently and in collaboration with leading academic researchers.10 Its publications often focus on the clinical utility of genetic testing, highlighting the diagnostic yield in specific patient populations. Publications of this kind have led professional organizations to modify their guidelines on genetic testing.11, 12

Another publication highlights Invitae’s use of broader genetic testing to benefit a patient who received an incorrect preliminary clinical diagnosis. The genetics showed that a different condition, with different treatment implications, was responsible for the patient’s symptoms.13

During the conduct of this important work, Invitae is bound by the same privacy requirements as all medical providers—a myriad of laws that govern genetic privacy at the state, national and regional level. These include the US Health Insurance Portability and Accountability Act (HIPAA),14 which is focused on entities in the healthcare sector, and GDPR,15 a comprehensive privacy law that applies to all industry sectors in the European Union. States in the United States, including California,16 Colorado17 and Virginia,18 have also passed robust privacy laws. Many other countries, such as Brazil19 and China,20 have enacted rigorous privacy laws.

These laws may have different standards—for example, concerning what constitutes deidentified information. Collectively, they create a patchwork of requirements for organizations processing genetic data. The inability to demonstrate compliance with these requirements could lead not only to direct penalties, but also to potential loss of business.

In addition to laws regulating genetic privacy and data, Invitae’s laboratory is governed by the US Clinical Laboratory Improvement Amendments (CLIA) and the US College of American Pathologists (CAP). CLIA, instituted by a US law, applies to any entity that performs testing of human specimens for the diagnosis, prevention or treatment of a disease or health problem.21 Healthcare providers and suppliers that participate in Medicare, a US-based national healthcare program, must have accreditation, and CAP is an accrediting body. It is the one most relevant to Invitae, both in terms of the services it offers and its physical location.

Invitae’s laboratory research efforts are overseen by an institutional review board (IRB), which is a group designated under the US Federal Policy for the Protection of Human Subjects (i.e., the Common Rule) to review research studies involving human subjects.22

Responding to Growth

Invitae has experienced rapid growth in recent years, necessitating operational changes to accommodate the complexities that come with increasing business scale. Initially, it made sense for separate internal teams to manage the company’s data use requirements. However, as Invitae’s business grew from handling the data of hundreds of patients to handling the data of hundreds of thousands of patients—and as its workforce grew and new laws and regulations were enacted—it meant that an individual engaged in secondary research was compelled to collaborate with multiple experts and stakeholders.

It was not always clear who belonged on the list or at what stage in the research each should be consulted. On occasion, a key collaborator might be overlooked or brought into the loop later in the process than desirable. Further, the researcher was tasked with consolidating and implementing advice from many disparate sources, which could be daunting.

In light of the company’s accelerating growth, the leadership team decided to expand its data-based business. In June 2020, Invitae hired a chief digital officer who spearheaded the formalization of data governance at Invitae, wrapping the existing DUC within a larger structure: a three-part system consisting of an enterprisewide DUC, a data stewardship council of experts and a new data software platform (figure 2).

1. Data Use Committee
Invitae’s desire to protect patient data in the most responsible way possible while balancing the need to leverage the information for the advancement of medicine was the catalyst for bringing together a diverse, cross-functional group in a new DUC. A natural coalition formed among key members of the collaboration teams to ensure that data sharing adhered strictly to both the spirit and the letter of applicable requirements. This informal coalition quickly matured into a formalized working structure with a clear charter and a specific set of functions:

  • Working directly with data users to understand their needs and provide guidance on what data can be used and how
  • Providing high-level guidance for common data use questions
  • Coordinating and submitting IRB protocols for data uses that require review
  • Collaborating with privacy team members to ensure that guidance is consistent with data uses communicated to clients and agreed upon by them

Comprising representatives with expertise in data governance, medical affairs, privacy law, laboratory regulations, research compliance and information security, the DUC was designed to function as a one-stop shop providing advice on legal, regulatory and ethical requirements associated with research using genetic data. The DUC has evolved into an operating mechanism that assesses risk, plays out scenarios and aligns standard operating procedures.

2. Stewardship Council
The next step in Invitae’s development of a new data governance system was integration of a stewardship council of expert leaders, chaired by the head of data stewardship, to help address key data-related questions, governance protocols, definitions, metadata and data quality issues through formal and informal interactions.

While Invitae regarded the DUC as a valuable first line of defense, it envisioned a data governance program with more institutional capabilities to manage the interplay of people, processes and technologies. Teams were highly motivated to work together to understand the data. However, with a rapidly growing workforce, it was becoming increasingly difficult to find developers who understood specific database fields and “data creators” who had deep knowledge of the nuances of stored data.

 

In January 2021, Invitae created a stewardship council composed of data stewards throughout the enterprise. It established robust operating rhythms, standard operating procedures, and training and other support for its data stewards, such as an exclusive communication channel and regular working group sessions to align on definitions, change management and tooling. The stewardship council adopted several methods for communicating data governance principles to the enterprise at large:

  • Broadcasting meetings to the entire enterprise or to large teams
  • Conducting informal interviews with individuals or teams that use data
  • Providing documentation
  • Inserting data governance questions into the product development process

3. Software Platform
Once the stewardship council was established, Invitae needed a systematic way of simplifying the operational management of the data governance community. This would require robust software and tooling to drive easy, compliant use of data. To meet those needs, Invitae launched a software platform in March 2021, which includes the following features:

  • Data catalog
  • Data lineage tracking
  • Access management
  • Usage pattern analysis
  • Reporting

Additional process improvements included the integration of governance into how Invitae develops and releases products. Toward that end, data governance, privacy and security were deeply integrated into its product life cycle management processes—including conducting reviews much earlier in the life cycle.

Embracing Change

The need for speed vs. the need for proper controls, the sheer amount of manual work required and the complexity of managing knowledge across the enterprise had to be addressed as the gears of change began turning. The barriers Invitae had to overcome as it undertook the project to reimagine its approach to data governance included the following:

  • Cultural—There can be tension between the desire to move fast, driven by a sense of urgency to address unmet patient needs, and the requirement to ensure that the appropriate controls are in place. There is a natural inclination to perceive the implementation of new controls as slowing processes. The governance team conducted a satisfaction survey of those submitting questions to the DUC to gain insights. It also performed an in-depth audit for a small number of DUC tickets to ensure compliance and to achieve a better understanding, based on anecdotal information, of how it might improve its processes.
  • Technical—There was a vast amount of manual work to do with respect to curating, assimilating, interpreting and understanding certain data elements, including quality checks. The team has made steady progress in automating some elements of that work, but this area continues to be a priority for ongoing efforts, especially in establishing and institutionalizing a data catalog.
  • Institutional knowledge—The number of personnel with a full understanding of data up and down the stack is limited, and each has an individual perspective on the data, depending on domain. In addition, the pace of change means that people with deep institutional knowledge may quickly become out of date regarding the latest developments. Establishment of the data stewardship community has helped immensely to achieve a shared understanding of the evolution of data and to spread the knowledge throughout the enterprise.

Business Benefits

Invitae’s data governance reorganization, while still nascent, has already yielded concrete business benefits for the enterprise (figure 3).

Invitae’s satisfaction survey led to an analysis of turnaround time and overhead that showed—with relevant data—that the new processes were, in fact, speeding up its ability to execute and prevent costly late-stage delays. Based on survey results, 85 percent of users were satisfied with the new approach and 98 percent indicated that it resulted in timely feedback.

In parallel, the data demonstrated that the new controls ensured that people did not misuse or misinterpret data. Invitae’s internal audits have shown good compliance with recommended actions.

As deep integration of Invitae’s data governance reorganization continues to take place throughout the enterprise, the absence of adverse events is one of the top measures of its success in protecting patient data. Other measures to track success include operational metrics surrounding case volume and turnaround time. The hundreds of cases submitted to the DUC were resolved within a week.

Invitae’s strategic intent to evolve from a genetic testing company to a genetic network, and eventually a genome management company, has added emphasis to its recognition of data as a critical asset.

Conclusion

The impact of Invitae’s data governance program extends far beyond business benefits to the enterprise. Responsibly unlocking the value of genetic information without compromising patient privacy is a top priority for Invitae. One of its core principles is that the owners of genetic data are the patients themselves, and they must be able to control how their data are used. Fierce protection of genetic data is a prerequisite to being able to use those data to advance critical research. By establishing measures to keep genetic data safe and secure, Invitae is able to bring comprehensive genetic information into mainstream medical practice, ultimately improving the quality of healthcare for billions of people.

Endnotes

1 Invitae, www.invitae.com/en
2 US Securities and Exchange Commission (SEC), Form 10-K, Invitae Corporation, Annual Report for the Fiscal Year Ended 31 December 2021, https://ir.invitae.com/financials/sec-filings/default.aspx
3 GDPR.eu, “Everything You Need to Know About the ‘Right to be Forgotten,’” https://gdpr.eu/right-to-be-forgotten/
4 GDPR.eu, “Art. 17 GDPR Right to Erasure (‘Right to be Forgotten’),” https://gdpr.eu/article-17-right-to-be-forgotten/
5 Scutti, S.; “What the Golden State Killer Case Means for Your Genetic Privacy,” CNN Health, 1 May 2018, www.cnn.com/2018/04/27/health/golden-state-killer-genetic-privacy/index.html
6 US Centers for Disease Control and Prevention (CDC), “Hereditary Breast and Ovarian Cancer,” USA, www.cdc.gov/genomics/disease/breast_ovarian_cancer/genes_hboc.htm
7 Igoe, K.; “The ‘Angelina Jolie’ Effect,” Harvard Medical School, 14 December 2016, https://hms.harvard.edu/news/angelina-jolie-effect
8 National Center for Biotechnology Information (NCBI), “What is ClinVar?” www.ncbi.nlm.nih.gov/clinvar/intro/
9 National Center for Biotechnology Information (NCBI), “Submitters and Their Submissions,” www.ncbi.nlm.nih.gov/clinvar/docs/submitter_list/
10 Invitae, “A Dedication to Sharing,” www.invitae.com/en/presentations/
11 Beitsch, P.; P. Whitworth; K. Hughes; R. Patel; B. Rosen; G. Compagnoni; P. Baron; R. Simmons; L. Smith; I. Grady; M. Kinney; C. Coomer; K. Barbosa; D. Holmes; E. Brown; L. Gold; P. Clark; L. Riley; S. Lyons; A. Ruiz; S. Kahn; H. MacDonald; L. Curcio; M. Hardwick; S. Yang; E. Esplin; R. Nussbaum; “Underdiagnosis of Hereditary Breast Cancer: Are Genetic Testing Guidelines a Tool or an Obstacle?” Journal of Clinical Oncology, 20 February 2019, https://ascopubs.org/doi/10.1200/JCO.18.01631
12 Nicolosi, P.; E. Ledet; S. Yang; “Prevalence of Germline Variants in Prostate Cancer and Implications for Current Genetic Testing Guidelines,” JAMA Oncology, 7 February 2019, https://jamanetwork.com/journals/jamaoncology/fullarticle/2723582
13 Winder, T.; C. Tan; S. Klemm; H. White; J. Westbrook; J. Wang; A. Entezam; R. Truty; R. Nussbaum; E. McNally; S. Aradhya; “Clinical Utility of Multigene Analysis in Over 25,000 Patients With Neuromuscular Disorders,” Neurology Genetics, 9 March 2020, https://ng.neurology.org/content/6/2/e412
14 US Department of Health and Human Services (HHS), “Summary of the HIPAA Privacy Rule,” https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
15 GDPR.eu, “What Is GDPR, the EU’s New Data Protection Law?” https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
16 US State of California Department of Justice, “California Consumer Privacy Act (CCPA),” USA, https://oag.ca.gov/privacy/ccpa
17 Robinson, J.; J. Odubeko; “Another Data Privacy Law? Colorado Enacts the Colorado Privacy Act,” The National Law Review, 22 July 2021, https://www.natlawreview.com/article/another-data-privacy-law-colorado-enacts-colorado-privacy-act
18 Diaz, M.; K. Hunt; “Virginia Becomes Second State to Adopt a Comprehensive Consumer Data Privacy Law,” The National Law Review, 8 March 2021, https://www.natlawreview.com/article/virginia-becomes-2nd-state-to-adopt-comprehensive-consumer-data-privacy-law
19 Kadish, J.; L. Thomas; “Brazil’s Comprehensive Privacy Law Now in Effect,” The National Law Review, 29 September 2020, https://www.natlawreview.com/article/brazil-s-comprehensive-privacy-law-now-effect
20 Bezanson, P.; S. DuCharme; L. Tyson; C. Cahoon; “China’s New Data Privacy Law Is Sweeping and Serious: Avoid the High Cost of Noncompliance,” The National Law Review, 24 August 2021, https://www.natlawreview.com/article/china-s-new-data-privacy-law-sweeping-and-serious-avoid-high-cost-noncompliance
21 Centers for Disease Control and Prevention, Clinical Laboratory Improvement Amendments (42 USC 263a), USA, 6 August 2016, https://www.cdc.gov/clia/law-regulations.html
22 US Food and Drug Administration (FDA), “Institutional Review Boards (IRBs) and Protection of Human Subjects in Clinical Trials,” https://www.fda.gov/about-fda/center-drug-evaluation-and-research-cder/institutional-review-boards-irbs-and-protection-human-subjects-clinical-trials

Mick Brady is a freelance technology communicator with more than 20 years of experience editing and writing for technology-focused publications.