In a previous article, we addressed a few of the issues surrounding the vulnerability of genetic information, from who can submit a sample of personal DNA (it doesn’t have to be the DNA’s owner) to how easily that information can be accessed.
George Church, a Harvard geneticist, told the New York Times that people who have their genetics analyzed should be counseled that a privacy breach is more likely than not. Church is a participant in the Personal Genome Project, which he founded. The PGP is creating a database of whole genome sequencing (along with microbiome and health information) that is available for any researcher to use to study human genomics. Participants in the study are all volunteers, and because the data is open-source, there is a rigorous consent process, according to the New York Times:
With the amount of data being shared, participants cannot be guaranteed of anonymity or privacy. While their names are not directly associated with their data, other information about them is, including birth dates, genders, ZIP codes, genomes and medical histories.
Once this data is in the public domain, it is there forever. Some of the risks mentioned in the consent form sound like the stuff of science fiction, like the possibility that someone could plant samples of synthetic DNA to frame a participant for a crime, or use the DNA to create human clones without a participant’s knowledge.
On the other end of the spectrum are direct-to-consumer and physician-consumer genetic testing agencies, for which confidentiality of results is a major issue. What can direct-to-consumer companies do to protect consumers’ genetic data? The largest and most influential company, 23andMe, which has sequenced more than 500,000 genomes, doesn’t tell you. The company implores its consumers to safeguard their passwords (which are hopefully chosen with security in mind), security questions and other registration information, but leaves the particulars of its own information security vague, probably as a further security protection.
One way data becomes vulnerable is when it is moved around. 23andMe exchanges information with third parties. According to its full privacy statement (edited here for brevity):
Partners or service providers (e.g. credit card processors or our contracted genotyping laboratory)… research contractors, and… qualified researchers (who must comply with certain requirements) may access your individual-level Genetic and/or Self-Reported Information for the purpose of scientific research, which could lead to commercial use.
It will also release personal and genetic information to law enforcement in response to a warrant or subpoena, or to ‘protect the rights of the public.’ But as more people are sequenced, the ubiquity and availability of genetic data might make us less paranoid about its exposure, argues science writer Ronald Bailey:
But I think they’re all worried about the wrong thing. Some time before the end of this decade, kids are going to be running gene scans and maybe even whole genome sequencing experiments in their ninth-grade biology classes, just the way some of us did blood typing experiments back in the mid-20th century. Then they are going to share that information with their friends on whatever social media follow Facebook and Twitter, and they’ll do it without parental consent. We live in a society of increasingly radical self-disclosure and transparency, and genetic information will not be immune to this trend. Many genetic testing customers are already sharing information among themselves.
Bailey argues that genetic information is not so special, because it isn’t as meaningful as other medical information or as actionable as financial data.