A group of well-known genetic testing providers have partnered with the Future of Privacy Forum (FPF) to establish privacy guidelines for handling information about what is arguably the most personal private information there is: DNA.
Consumer-grade DNA testing – i.e., services that allow folks at home to swab or spit into a mail-in test kit to find out about their heritage, health predispositions and more – has been enjoying a boom, helped along by TV advertising blitzes and savvy marketing positioning as the perfect gift for any relative. Those wanting to find out, say, just how celebratory they should get on St. Patrick’s Day, or whether they should be concerned about diabetes, are asked to give permission for researchers to delve into their personal genetic profile. But what happens to that information beyond that? How is it being used and protected?
These are important questions, given recent high-profile data breaches at Ancestry and MyHeritage, in particular. The former discovered a public file on a RootsWeb.com server in December containing 300,000 passwords, email addresses and usernames (7,000 of which were for active accounts); while the latter gained the distinction of seeing the largest breach since Equifax, when it found account data tied to 92 million users of service on a third-party “private” server, back in June.
Both Ancestry and MyHeritage, along with 23andMe, African Ancestry, Habit, Helix and others, committed to the Privacy Best Practices for Consumer Genetic Testing Services this week, which provides a policy framework for the collection, protection, sharing and use of genetic data – starting with an effort at placing controls around how and when a person’s DNA information can be used. Taking a page from the recently implemented GDPR in Europe, the policy also calls for detailed transparency about how genetic data is collected, used, shared and retained, including ensuring that a high-level summary of key privacy protections is posted publicly and made easily accessible to consumers.
The document includes a requirement for separate express consent for the sharing and transfer of genetic data to third parties like employers, insurance companies, educational institutions and government agencies; being clear about access, correction and deletion rights; providing educational resources about what the testing specifically does; and clearly outlining the circumstances under which DNA information can be provided to law enforcement (with transparency reporting on at least an annual basis). It also calls for “strong data security protections and privacy by design,” and limits on marketing based on DNA.
Consumer genetic testing is becoming more accessible than ever before, with prices coming down, test results arriving quicker and more services entering the market, which makes these considerations ever more important. What many consumers don’t realize (accustomed as we are to trading sensitive data for convenience or information without reading the fine print), is that the testing isn’t constrained by HIPAA regulations (direct to consumer testing companies are not considered “covered entities” under the healthcare privacy law, according to the EFF), only individual companies’ own privacy policies; nor do many recognize exactly how valuable the information can be.
“The Best Practices recognize that genetic data is sensitive information that warrants a high standard of privacy protection,” said Carson Martinez, policy fellow at FPF. “Genetic data may be used to identify predispositions and potential risk for future medical conditions; may reveal information about the individual’s family members, including future children; may contain unexpected information or information of which the full impact may not be understood at the time of collection; and may have cultural significance for groups or individuals. It is therefore critical that the appropriate level of privacy protections is implemented.”