DNA testing startups are known to offer a detailed look into our genes. The risks of giving out your DNA, however, are less known. Thanks to new rules from the Future of Privacy Forum, companies that study our genes will be tasked to safeguard them as well.
The Future of Privacy Forum’s best practices guidelines offer common sense protections for DNA test users. For one, companies are required to be transparent about how genetic data is collected, used and shared. The mandate also requires companies to give users the ability to delete their DNA; additionally, the guidelines include rules asking companies to be transparent with customers about when law enforcement accesses DNA data — which can happen.
The rules were agreed to by DNA testing companies 23andMe, Ancestry, Helix, MyHeritage and Habit.
“I remember last year, seeing the DNA testing kit companies doing all this holiday promotion, but without also raising any of the privacy concerns,” Jules Polonetsky, CEO of the Future of Privacy Forum, said in a call with Mic. “The concerns were some really hard issues, so we pulled together the companies to start negotiating.”
According to Polonetsky, the group spent approximately one year working with the DNA testing companies to agree on the rules.
“One of the key issues was around secondary uses of user DNA,” Polonetsky said. “A lot of companies typically reserve the right to do anything with your DNA once they have it. One of the rules we added to this document was once you do something that’s a secondary use — not sharing the data, but a remote business that would be very surprising to people — you need to get separate permission.”
An example of remote usage can be seen in 23andMe’s partnership with pharmaceutical company GlaxoSmithKline. In late July, 23andMe announced that it would share genetic data to further the company’s medical research. Users can opt out of having their DNA shared with GSK. However, 23andMe confirmed to Outline that those who consent to sharing their DNA data with GSK lose their ability to get their genetic info back, even upon deleting their account.
According to 23andMe, participation in this kind of research requires explicit permission from users.
“Our research program has always been entirely voluntary (requiring an affirmative opt-in) and overseen by an independent, third-party ethics review board, in line with the new privacy principles,” Kate Black, 23andMe global privacy officer, said in a statement to Mic. “Only individuals who choose to participate will be included in analyses run in-house by 23andMe researchers and only summary statistics from those analyses will be shared with GSK.”
The FPF guidelines offer a good starting point for genetic testing companies, but Polonetsky wants to see more government action when it comes to addressing privacy concerns.
“We need comprehensive privacy rules that cover all companies, and then the really specific details can be filled in by best practices or self-regulation,” Polonetsky said. “There needs to be general legislation that holds companies accountable for basic privacy rights.”
The entire list of rules can be found on the FPF site.