In the age of information, you need to keep your personal data safe. If you ever feel like you’re handing out personal information every day, you’re probably right. Your phone calls, bank transactions, and email are all logged, after all. Even so, most people are vigilant when it comes to giving out personal information. But what about our DNA? With rapidly advancing technology that can reveal so much about our biological origins (paired with natural human curiosity), many of us are quick to submit our DNA to mainstream services such as Ancestry or 23andme. Nevertheless, how often do we think about whom we’re giving our DNA to and what they could do with our genetic records? Do you know who is retaining your genetic records and for how long?
Recently, there have been a string of articles that cover how genetic sites such as Ancestry and 23andMe use and store our genetic samples. You might be thinking, “Ok, so what’s the problem?” It all boils down to this: we don’t necessarily know what we’re signing up for when we send our sample to these companies. Let’s face it, most of us don’t read the fine print before we spit in that vial and send it off to these companies for testing.
However, knowing the answers to five central questions can help us make better decisions and protect our personal information. Take these questions into consideration before you send your genetic information away for testing:
Who owns your DNA? According to Ancestry and 23andMe, you retain ownership of your DNA and your genetic records. When you sign up for an account, you give the organization permission to analyze and share your results with you and others on their site. Both sites allow you to request to delete your account, clear all data collected using your DNA results, and destroy your sample entirely at any time. Still, each site has a unique process for destroying and deleting your data that goes beyond merely removing your online account. Both organizations outline how to deactivate your account in their online privacy policies. While they’re not riveting reads, they contain vital information to help you make an informed decision with your DNA.
What happens to your sample? Both Ancestry and 23andMe send your sample to a third-party lab for testing. The good news is, the samples are de-identified, which means your name isn’t associated with your DNA sample. Instead, the code is applied to the sample. Ancestry and 23andMe then associate your account with that code. This is so they know which sample belongs to you. After testing, both organizations store your samples on-site for future testing. If you opted into either organization’s “Research” program, your sample could be shared with third-party lab for research purposes. Neither organization lists a timeframe for how long they can save your sample.
How can you get these sites to destroy your samples? To have Ancestry destroy your sample, along with all genetic records they created or have in their system, you must contact “Member Services” directly. However, if you opted for having your DNA used for research purposes, Ancestry will not remove your genetic information from active or completed research projects. It’s also important to note that some of your personal information may be included in other Ancestry members’ family trees, which can only be removed if the other Ancestry member deletes it. This transference of ownership means your genetic information can’t be fully removed from Ancestry’s records. 23andMe has a very similar process for removing your genetic information from their site.
What legal protections does your genetic information have? There are two primary laws that regulate genetic information: The Genetic Information Nondisclosure Act (GINA) and the Health Insurance Portability and Accountability Act (HIPAA). GINA prevents insurance companies and employers from discriminating against you because of your genetic information, and HIPAA limits the disclosure of genetic and other protected health information. However, Ancestry and 23andMe are not considered “covered entities” and fall outside the scope of HIPPA. The bottom line is that the only protection for the genetic information you submit to public testing companies is embedded in their privacy policies.
What does your consent mean? When you submit your DNA and consent to testing, you should consider that you are consenting for your whole family. Your genetic information also has information about your siblings, parents, and children. You should ask yourself if they would want their information retained or shared without their consent or knowledge.
Learning about your DNA had never been this easy, but what seems like a simple test comes with many strings attached. Before you share your DNA with a third-party organization, it’s essential to weigh the benefits and potential consequences. Once it’s shared, it’s hard if not impossible to unshare. Moreover, when it comes to personal information, the more thorough you can be, the better off you are.
As of the date of this blog, Fast Company is reporting that these and other consumer-facing genetic testing companies are under investigation by the FTC over concerns related to data sharing and privacy. Stay tuned for updates on the outcome of the study, and steps you can take to protect your personal information further.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.