How safe is your DNA data?

As concerns mount over DNA privacy, a group of DNA collection and genealogy websites has released a set of best practice guidelines for handling sensitive genetic and family data. Will it give consumers much more protection though? Probably not.

23andMe, Ancestry, Helix, MyHeritage, and Habit worked with the Future of Privacy Forum to release the guidelines, which explain how to handle information about a family’s genetic makeup. Sites like 23andMe offer genetic tests to consumers who send in a simple saliva swab. They can then use this to tell you about your ancestry and to let you know about genetic health risks.

The guidelines apply to any data about an individual’s inherited genetic characteristics. This includes three types: data that comes directly from sequencing a person’s DNA, data that a company can create by analyzing that raw data (such as particular gene information or data about physical characteristics), and finally data that a person reports about their own health conditions.

The document broadly replicates many of the rules laid down by the EU’s General Data Protection Regulation (GDPR), which any company holding data on EU residents is already beholden to. It also draws on other guidance, including the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act and the Americans with Disabilities Act.

It includes statements on accountability (companies should release reports on what they’re doing with people’s data) and privacy by design (implementing technical controls to support the other rules), among others. It also says:

Genetic Data, by definition linked to an identifiable person, should not be disclosed or made accessible to third parties, in particular, employers, insurance companies, educational institutions, or government agencies, except as required by law or with the separate express consent of the person concerned.

This document still leaves some privacy concerns. Let’s start with the timing of its release.

The companies have released the guidelines because genetic data is so sensitive, they say. It can be used to predict future medical conditions, reveal information about someone’s family members, or have cultural significance for groups of individuals.