There is a form of data that is far more personal than your Social Security number, a history of the websites you’ve visited, or a record of your phone calls: It’s your genetic data.

Your genetic data isn’t information about you: It is you. It uniquely identifies who you are, including your ethnicity and ancestry. That data is typically derived from blood or saliva that has been taken for a DNA test, which generates single nucleotide polymorphisms, or SNPs—the variations in DNA that make you uniquely you. The entirety of your genetic data is called your genome. Genomic testing is sometimes done in cases of cancer and rare diseases.

There are many reasons for getting a DNA test. You could sign up with a company such as 23andMe to find out about your ancestry or other genetic information. More than 15 million Americans have undergone these direct-to-consumer (DTC) genetic tests.

Your doctor may order a DNA test because he suspects you have a hereditary disease, such as cystic fibrosis. Genetic tests are increasingly becoming a part of routine medical care—in a practice called precision medicine—to determine the likelihood of a therapeutic response to a drug, a treatment side effect, or a drug interaction. You could participate in a scientific study that includes a DNA test. For example, nearly 80 percent of clinical trials on cancer include genetic testing.

Unexpected uses

But here’s the problem with this seemingly straightforward test: The privacy of your genetic data is not guaranteed. From police departments to pharmaceutical companies, more institutions and businesses are asking to see genetic data and using it for their own purposes.

Case in point: The Golden State Killer—a serial killer who terrorized Californians in the 1970s and 1980s—was tracked down using genetic data. Investigators used crime-scene evidence to upload the killer’s DNA into GEDMatch, a DTC genealogy site used by 1.2 million people. It was a match for about 15 third cousins as well as great-great-great grandparents from the 1800s. Investigators used that information to piece together family trees that contained thousands of possible subjects and used data such as the location of the crimes to narrow down the suspects and find the killer.

Privacy problems

Apprehending a heinous criminal is obviously positive, but the same technique could be used to expose the biological identity of individuals without their knowledge or consent or even redline access to basic products and services, such as denying an application for life insurance because of life-shortening genetic tendencies.

In addition, some of us don’t want our genetic data shared. For instance, researchers at Penn State and Cornell surveyed more than 2,000 Americans and found that 38 percent said they didn’t want their genetic data shared under any circumstances. Another 51 percent said they would share their data only if they were paid for it.

Here’s everything you need to know to help ensure that your data from a DNA test stays private or is shared only with your permission and in ways you want it to be shared.

The risks of exposure

When it comes to risk from exposed genetic data, there’s good news and bad news. The Genetic Information Nondiscrimination Act is a federal law that prevents anyone from using genetic data to deny you health insurance or employment. The bad news is that the burden is on you to prove that a health insurer or employer is discriminating against you based on genetic data—a legal case that would be potentially expensive and hard to win. The law doesn’t cover life insurance, disability insurance, or long-term care insurance. California and Florida have introduced bills to fill those gaps, with the California bill moving toward passage.

More good news: Genetic data generated by your doctor or by scientific research is covered by HIPAA—the Health Insurance Portability and Accountability Act, which protects the privacy and security of personal health information. Like your other medical records, your genetic data cannot be disclosed in a medical context. However, such information can or must be shared with the Medical Information Bureau, a corporation of more than 400 insurance companies. As mentioned, the information could then be used to deny you life insurance, disability insurance, or long-term care insurance.

Security issues

In July 2020, hackers accessed the online database at GEDMatch, overriding privacy settings and making user profiles on the site visible to all other users.

The fate of your genetic data is so uncertain that the Pentagon recently advised military personnel not to use DTC testing. A passage from the memo from the Department of Defense (DoD) reads: “There is increased concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization or awareness.” The DoD also said that genetic testing could disclose genetic markers that affect service members’ readiness to perform and negatively affect their careers in the military.

To protect yourself when you get DTC testing, use only services that meet the following guidelines, issued by the Future of Privacy Forum, which advocates for privacy in the use of advanced technologies such as genetic testing.

Transparency. The site should offer you an overview of key privacy practices, including a detailed explanation of how your genetic data is collected, used, and shared. It should provide educational resources about the basics, benefits, and risks of genetic testing. You should have access to an annual report describing law enforcement requests the site has received, and whether the requests were fulfilled.

A usable privacy policy. The site should include a “terms of use agreement” or “privacy policy” that you can read—and understand. Most people just click “yes” to these lengthy, dense documents, because they’re difficult to read and evaluate. Fortunately, you can now use three “deep learning” online tools to help you understand a privacy policy, available at www.pribot.org.

Polisis gives you a summary of any privacy policy. It shows you what information the company is collecting about you, what it’s sharing, and much more—without having to read the full privacy policy and all its legal jargon.

Pribot is an automated question-answering chatbot. You can ask it questions about the privacy policy, and it responds with high accuracy.

PoliCompare allows you to compare privacy policies, so you’re sure the one you’re about to sign is truly protective compared to others.

Protection. You should have the option to give express consent for the collection and use of your genetic data, including informed consent for research. The service should commit to not sharing your genetic data with employers, insurance companies, and educational institutions without your consent. The service should require a valid legal process for disclosing genetic data to law enforcement. And the company should use strong security practices. You should also be able to access, correct, and delete your genetic data, and you should be able to request the destruction of biological samples. (See the box for a list of companies that have agreed to these practices.)

If your genetic test is done in a medical or research setting, talk to a genetic counselor (preferably one who is certified by the National Society of Genetic Counselors) before you get the test. Ask how your privacy will be protected and about the risks of insurance discrimination. As with DTC genetic testing, you should be assured that you have control over your genetic data and that it will be used and shared only with your consent.
