Consumer Genetic Tests and Privacy:
What Librarians Should Know

Genetic data, like much other personal information, should be safeguarded from sharing with third parties unless consent is freely and knowingly given.

By John Verdi

More than 26 million people have used consumer genetic tests to learn about their ancestry, connect with family members, and identify health risks. Reviewing the results can be fun or informative. Some tests even predict what types of wine best fit your DNA test profile or generate a playlist of songs that reflect your genetic ancestry.

This article explores what librarians and information managers should know about the privacy implications of consumer genetic tests. It turns out that while many companies offering these tests have signed on to voluntary privacy principles, others are much more aggressive in sharing their users’ genetic information.

Genetic data is one of the most sensitive categories of personal information. It may be used to identify risks regarding future medical conditions, contain unexpected information that could be unsettling, or reveal sensitive information about the test taker’s family members. Recent research indicates that Americans of European descent can be identified by their DNA 60 percent of the time if a relative is in a genetic database.

Companies in the consumer genetic testing space are well aware of the sensitive nature of the information in their care. That is why industry leaders worked with the Future of Privacy Forum (FPF) in 2018 to develop privacy and data principles that both privacy advocates and the personal genomics industry can embrace. FPF and privacy experts at the companies incorporated input from the Federal Trade Commission, a wide variety of genetics experts, and privacy and consumer advocates.

FPF’s Privacy Best Practices for Consumer Genetic Testing Services establish standards for the collection, use and sharing of consumer genetic test data. These standards require the following:

  • Transparency about how genetic data is collected, used, shared, and retained. Companies that abide by the best practices post a high-level summary of key privacy protections that is easily accessible to consumers.
  • Separate express consent before any transfer of genetic data to third parties. Companies should never share individual-level genetic information with third parties, particularly with insurers, employers, or educational institutions, without consent or as required by law.
  • Educational resources about the risks, benefits, and limitations of genetic testing.
  • Access, correction, and deletion rights. For example, companies should be clear about their retention practices and offer prominent ways to delete genetic data or direct the company to destroy individuals’ biological samples.
  • A valid legal process before the disclosure of genetic data to law enforcement. Companies should require that government entities obtain a court order before they disclose genetic data, and they should report on their disclosure practices at least annually.
  • Restrictions on marketing based on genetic data. Companies should not market based on genetic test results unless there is an explicit opt-in to that type of marketing.
  • Robust data security protections and privacy by design.

Strong and transparent industry-wide guidelines provide people with confidence that companies in this growing field will protect their privacy. These best practices are essential to engendering trust in this nascent business sector.

Access to Genetic Profiles
But best practices are meaningless if they are not followed by their signatories. Earlier this year, FPF dropped one company that had signed on to support the privacy best practices because its actions did not align with its promises. Houston-based DNA testing company FamilyTreeDNA struck a secret deal with the FBI permitting the agency to search for matches between the company’s database of genetic information and DNA collected from crime scenes. Users who had uploaded their genetic data to FamilyTreeDNA were surprised to learn that the company permits the FBI to search for matches without a warrant.

When used appropriately, technology can provide substantial benefits to law enforcement agencies, victims, and society. Genetic testing of crime scene DNA evidence—a technique utilized by police since the 1980s—can be a powerful tool to catch criminals and exonerate innocent suspects. But crime scene forensics are fallible, and giving police access to genetic profiles can put innocent individuals (and their relatives) in the crosshairs of a criminal investigation.

Powerful tools require powerful safeguards, which is why leading genetics companies like 23andMe, Ancestry, Helix, Habit, and others worked with the Future of Privacy Forum to publicly endorse the privacy best practices, including the practice that genetic data should not be disclosed to government agencies without a warrant. These companies take legal and technical measures to prevent police from accessing consumers’ DNA profiles without legal process.

Warrant requirements are a longstanding mechanism for solving crimes and protecting privacy. Warrants are issued based on evidence, and they typically target a specific person when a criminal predicate exists. The warrant process allows a neutral judge to determine whether there is probable cause to suspect that a particular individual is linked to a crime. These protections help prevent individuals from being erroneously swept up in criminal investigations.

Warrant protections are important safeguards, especially with regard to crime scene forensics. DNA analysis and other forensic techniques can erroneously identify innocent people. Experts agree that DNA matches, absent other evidence, are insufficient to prove an individual’s guilt. DNA samples may be misidentified, damaged through exposure to moisture or extreme temperatures, or contaminated with other DNA.

For example, between 1993 and 2009, European police searched for a serial criminal who was linked to six murders and numerous robberies through crime scene DNA. The search ended when officials discovered that the genetic information linking the cases matched an innocent Bavarian woman. She had not committed a crime, but instead worked in a factory that produced cotton swabs used for DNA sample collection.

FamilyTreeDNA’s sharing of its users’ genetic data raises substantial privacy and civil liberty concerns for individuals and their relatives. Users who contribute their DNA data for law enforcement scanning aren’t simply providing their own information—DNA samples can implicate anyone in a person’s genetic family tree, from close relatives to people they have never met.

Some states have wisely restricted or banned the type of familial matching technique that could be employed by the FBI in DNA databases. These rules help prevent individuals from becoming “genetic informants” by subjecting their relatives to unwanted government scrutiny, but they have not been implemented in all states.

Librarians and information professionals, especially those who manage and share health care and legal information, can suggest to Individuals that they think long and hard about the consequences (both for themselves and their relatives) before they upload their DNA information to any entity that does not have explicit policies against sharing it with law enforcement. DNA is extraordinarily revealing and persistent. Its use should demand the utmost caution.

John Verdi is vice president of policy at the Future of Privacy Forum, a nonprofit organization that serves as a catalyst for privacy leadership and scholarship and advances principled data practices in support of emerging technologies. He can be reached at jverdi@fpf.org.

©2024 Special Libraries Association. All Rights Reserved
Special Libraries Association
X

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close