DNA firms’ rules have privacy ‘gap’
Genetic-testing companies that have decoded the DNA of millions are pledging to prioritize consumer privacy and transparency with a set of industry guidelines governing users’ data.
But the new best practices introduced by 23andMe Inc., Ancestry and other industry leaders don’t address concerns about one of the most common ways that data is shared — with pharmaceutical giants, academics and others, often for a profit.
Just how lucrative the business of genetic testing is came into light last week when British drugmaker GlaxoSmithKline agreed to buy a $300 million stake in 23andMe to gain access to anonymized data with the hope of identifying new targets for drugs. That kind of data — stripped of identifying details and aggregated — isn’t strictly subject to new rules in the guidelines. That means consumers will still have little way to know when and how their information is combed for research.
“This new policy is a positive step forward in the sense that it’s starting a conversation,” said James Hazel, a researcher at Vanderbilt University in Nashville, Tennessee, who recently surveyed the privacy policies of 90 direct-to-consumer genetic-testing companies. “The glaring gap is that it doesn’t apply to de-identified genetic data.”
Amid increased public focus on privacy, the largest genetic-testing companies had already taken action — for instance, by providing annual reports on requests from law enforcement. The new guidelines reflect those efforts.
“It’s a really important step forward for the industry, to take a stand as an entire industry to say individual privacy is important to us,” said Kate Black, 23andMe’s chief privacy officer.
Ancestry and Helix, another DNA-testing company, echoed Black’s comments.
“This is really a jumping-off point,” said Elissa Levin, Helix’s director of clinical affairs and policy, who worked on the guidelines. “We know privacy is a large issue.”
Under the guidelines, genetic-testing companies must obtain “express consent” before sharing an individual’s data with third parties. They can’t hand it over to employers, insurance companies, educational institutions, or government agencies without being legally compelled.
That addressed mounting concerns that a company could share a customer’s information with the authorities — an issue that became front and center in recent months after police combed an open-source genealogy websites to track down a suspect believed to be the Golden State Killer, a serial murder and rapist who terrorized California in decades past.
But most genetic-testing companies, like social networks before them, have also made a business out of DNA data collected from customers. They have partnerships with companies like Glaxo or Pfizer Inc., giving access to their trove of data for research.
23andMe says it will notify customers should it seek to include their data in research on “sensitive topics” such as sexual orientation or drug use. The new industry guidelines, however, don’t call for specific transparency in how research data is used.