DNA provides a rich digital source of medical information; as a result it has great scientific value. But it is also ripe for data sharing and has significant commercial value as well.
Purchasing genetic testing services in an online commercial marketplace raises significant privacy concerns, as consumers may turn over their DNA and other personally identifiable information to companies without a clear understanding of the privacy risks and without clear guidance as to their legal and regulatory rights in this area.
There are currently no clear guidelines on the ownership of genetic material and the information derived from it, nor are there clear guidelines with respect to the protection of customer privacy by the commercial genetic testing industry. Indeed, consent forms and privacy policies vary widely within the industry and, without standards, can be unclear and are often subject to change.
There are three specific areas where significant privacy concerns arise:
1) Controls on DNA Submitted by Customers
Current practices related to ensuring that customers are submitting only their own DNA are insufficient. At present, commercial personal genomics companies do require customers to confirm they have the legal authority to submit DNA samples, yet such statements are not clearly and conspicuously posted; rather, they are often hidden within larger privacy and consent documents that are often visible to the consumer only after the registration process has begun. Moreover, they do not explicitly warn customers of the possible issues raised by submitting another individual’s DNA for analysis.
Considering how simple surreptitious collection of individual DNA can be, it is not hard to imagine how political, social and personal motivations could compel the improper submission of DNA samples. This is a particular concern since most of these companies allow for an individual to purchase multiple testing kits per order. Yet, few controls are offered beyond such statements to ensure that customers are actually complying with this requirement. No offer of proof is requested beyond the statement. This could easily be included as part of the sample submission process. Controls are possible. The commercial company 23andMe, for example, requires an amount of saliva to be submitted that would make it almost impossible for the collection to occur without consent.
2) Security of Genetic Information
Customers are often not limited to providing a DNA sample as part of their participation in the personal genomics marketplace. They are also offered a variety of surveys, blogs and other tools where they can provide personally identifiable information. Whenever identifiable DNA samples are collected and stored, there is a high risk that violations of genetic privacy will follow. The methods by which this information is secured are essential, yet without standards and oversight we still know very little beyond the assurances of the industry as to what specific controls are used.
Moreover, the privacy policies of commercial companies are not subject to the health privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA), and there are few state and federal privacy laws that apply. It is essential that personal information be protected by security safeguards appropriate to the sensitivity of the information.
Safeguards should include physical, technical and administrative measures to protect information and biological samples from unauthorized access, use, disclosure, alteration or destruction.
Almost all commercial company privacy policies make statements about security safeguards, though the degree of detail varies substantially. Yet mistakes and other breaches of security can occur.
There is also no transparency as to the degree to which personally identifiable health information is de-identified. As the ability to share, store, and aggregate genomic data progresses, the capability of keeping this data anonymous becomes increasingly important. Because an individual’s genetic information is so personal and specific, it is vital to protect it from any unwarranted access or use. There have been several instances where de-identified data has been re-identified and personal information linked back to its owner. One such study(1) achieved re-identification of DNA data and established identifiable linkages in 33-100% of surveyed cases, which focused on eight gene-based diseases. The researchers used anonymized DNA database entries, and related the information to publicly available health information despite the fact that the database did not include any explicit identifiers, such as name, address, social security number, or any other personal information. Because not all de-identification techniques adequately anonymize data, it is important that the process employed by the industry is robust, scalable, transparent and shown to provably prevent the identification of customer information.
3) Third Party Disclosure of Customer Data
One significant unresolved issue relating to industry is exactly who owns the customer’s data. Most companies do not explicitly address this issue in their privacy policies. If the DNA sample and other information submitted by the customer are the property of the company, the company is free to sell or otherwise transfer that information to a third party.
Many companies have adopted this approach as part of their business model without sufficiently explaining to customers the extent to which this may occur, what type of data is being transferred and the potential negative consequences.
Moreover, how such information is to be treated upon the sale of a company or if a company enters bankruptcy proceedings, particularly when the entities potentially acquiring such information have significantly less strict privacy standards, is less than clear and is certainly not expressed to customers.
Most companies do not ask for specific consent for these purposes. Some companies are moving in the right direction. 23andMe has begun asking for specific consent for participation in published research.
The degree to which these types of partnerships and others have proliferated within the industry is still largely unclear. What is clear is that it is essential that affirmative written consent should be required before such companies can use any customer-generated genetic information in this way.
There is currently very little guidance on how consumers can protect their privacy. For example, the US Federal Trade Commission gives the following advice to consumers who are considering DTC genetic tests:
Such advisories are hardly satisfactory to ensure consumer privacy is protected.
It is essential that Congress, the Food and Drug Administration, the Federal Trade Commission, and the Centers for Disease Control all work together with the commercial genetic-testing industry to help set privacy standards and ensure that all issues regarding industry practice are adequately supervised to ensure compliance.
1. Bradley Malin and Latanya Sweeney, Determining the Identifiability of DNA Database Entries, 2001 Journal of the American Medical Informatics Association 423.
2. See, for example, United States, Federal Trade Commission, At-home Genetic Tests: A Healthy Dose of Skepticism may be the Best Prescription (2006), online: Federal Trade Commission (http://www.ftc.gov/bcp/edu/pubs/consumer/health/hea02.shtm)