Knowing how to protect your DNA data is incredibly important, because your genetic code is the blueprint for much of who you are. Thanks to the development of cheap genomics, at-home DNA testing kits from Ancestry, 23andMe, MyHeritage and others can now reveal a wealth of information about your genetic identity.
By sending in a sample of your DNA, usually in a swab or saliva sample, you can discover long-lost relatives, hints about ancestry, or genetic risk factors for a variety of health conditions.
For whatever reason you choose to take a DNA test, it's important to understand how your DNA data might be used, and how you can protect your information.
The risk of losing control of your genetic information is both more and less serious than the risks of other kinds of private data, such as credit cards or social security, according to Michael Edge, a qualitative and computational biologist at the University of Southern California.
"If I know your genome, usually I don't know all that much particularly compromising about you," Edge told Live Science. "It's way less disruptive to your life than if somebody nefarious steals your credit card or your social security number."
On the other hand, as scientific knowledge improves, an individual's genome will probably reveal more and more about them personally, Edge said. Unlike a credit card or social security number, genetic information also reveals facts about family members. And it can't be changed. "Once it's out, it's out," Edge said.
Related: How do DNA ancestry tests really work?
This means DNA test kits are buyer beware, and it's wise not to click "I accept" on a privacy policy you haven't read. Most industry leaders have fairly comprehensive privacy policies, but a 2017 survey of policies found that 35 of 90 companies operating in the United States provided no information on how they would handle biological samples or genetic data.
Several companies share data with third parties by default, and even those that require consent to share data give themselves broad discretion about sharing once that consent is given.
Below you'll find out how your data data might be used, the current rules around privacy, how to check your data is secure, plus a brief rundown on the privacy policies of the major testing companies.
How to protect your DNA data
There are a few big things consumers can look for if they're concerned about privacy and security concerning their data, Edge said.
First: does the platform allow the uploading of genetic data by users? If the answer is yes, this is likely a bit more vulnerable to privacy breaches, and hacking, according to Edge.
It can be difficult to gauge a company's encryption standards, but one potential entry point for hackers is the ability of users to upload genetic data themselves.
This isn't possible for 23andMe and Ancestry. Users of these services can only get into the company databases by paying for the company's proprietary test. However, other sites, including MyHeritage and GEDMatch, allow users to upload genetic information from outside sources.
Second: does the platform reveal which genes potential relatives share? If a company reveals which genes are shared and how long the shared genetic sequences are, that is more revealing than broad estimates such as "this person may be a third cousin."
Related: Mysterious protein makes human DNA morph into different shapes
As an example, GEDMatch does reveal this sort of detailed genetic information, though a company spokesperson told Live Science that there are countermeasures in place to mitigate risk.
Third: does the platform allow users to conduct precise searches? Check the size of matches that companies allow you to search for. If users can look for very short segments that match, it allows them to glean more genetic information from more people — including those they are likely not related to in any meaningful way.
These segments are measured with a unit called centimorgans. A parent and child share something between 3,000 and 4,000 centimorgans, while a pair of first cousins twice removed share something in the range of 40 to 530 centimorgans, according to FamilySearch.
Some services allow users to search for smaller segments than others, which can be a privacy tradeoff. In short, the more precise a platform's search functionality, the more potentially vulnerable your information potentially becomes.
DNA data privacy rules
When you return a test kit with your sample, the testing company will analyze your genome and deliver you the results, usually in an online report. For the most part, information on how companies will store and use your DNA data is held within their privacy policies. This is because there are few federal laws in the United States governing the use of genetic information.
The protections that do exist are partial. In the U.S., the Genetic Information Nondiscrimination Act (GINA) prevents an individual's genetic information from being used to deny them health insurance coverage and from being used to discriminate against them in an employment setting.
Related: Could genetic testing companies violate your privacy?
Essentially, you can't lose your health insurance or your job if a direct-to-consumer genetic test indicates that you're at risk for developing early-onset Alzheimer's or some other heritable condition. However, if you develop symptoms of the disease or disorder, GINA no longer applies.
Important to note is that GINA does not cover life insurance, long-term care insurance, or disability insurance, so this genetic information leaking out could still have consequences.
Quality of laboratory testing and analysis is regulated by the Centers for Medicare and Medicaid Services (CMS) under the Clinical Laboratory Improvements Amendments (CLIA). The Food and Drug Administration (FDA) regulates some specific health-related tests provided by companies like 23andMe, but has been largely hands-off otherwise, particularly with regard to tests focused on ancestry and genealogy.
The Federal Trade Commission (FTC) regulates advertising by direct-to-consumer genetics companies, putting some limits on the claims companies can make about their technology.
Some state law also governs genetic privacy. For example, California residents are entitled to receive information from genetic testing companies about what kind of third parties they share information with, and Nevada residents may direct companies not to sell certain kinds of personal information.
Ancestry
Ancestry pledges not to sell its customers' personal information, which includes profile information users provide to the company and the data their DNA holds, including ethnicity estimates, communities, traits, and genetic relative matches, according to its privacy statement. The company may internally use personal information for marketing purposes to customers, though users can exert some control over what kind of advertisements they see on the company's Related Brands page.
Saliva samples and actual DNA are not defined as personal information, and can be stored for future testing, though the company claims it will not share these samples with outside entities for research unless users sign an informed consent form.
This informed consent gives Ancestry wide latitude to share samples, genetic data, family tree data and personal information with third-party academic or commercial researchers around the world. This information is shared in anonymized form, without a name attached.
The company warns that this sharing involves some risk, noting that a data breach could expose information that might be used to identify individuals. Users can withdraw their consent for research at any time, and while it will not be withdrawn from any ongoing projects, it will not be incorporated into any new research moving forward.
Users can request to have their biological samples destroyed by contacting the company's Member Services.
Ancestry does not voluntarily cooperate with law enforcement, but can be compelled to release personal information if a court order or search warrant requires it. The company releases a biannual transparency report listing requests made by law enforcement and how many of those requests the company fulfilled.
The company can make changes to its privacy policy at any time, but pledges to alert users to changes with "prominent advanced notice" such as posting a notice on its website or sending an email.
23andMe
23andMe also pledges not to sell, lease, or rent user information to third parties without consent, and not to share data with third parties except for service providers (such as testing laboratories and shipping companies) that are necessary for analyzing samples, according to its privacy statement.
Users can choose whether to have their samples destroyed or stored after the DNA information is extracted. The company can share aggregate information, which is anonymized and deindividualized, with third parties, but requires consent to share or sell any information that could be used to identify an individual. For example, the company might share that a certain percentage of its users share a genetic trait, but could not share enough detail to identify those users.
Users can delete their account in Account Settings. Any user data that had previously been incorporated into third-party or 23andMe research will remain part of those projects, but the data won't be incorporated into any new projects starting 30 days after the account closure.
Users must consent to participate in 23andMe research using the company's consent form. Genetic and personal information shared with third-parties is de-identified, though individual-level data can be used internally for 23andMe research.
23andMe may disclose information to law enforcement in response to a lawful order, such as a warrant or subpoena. The company issues a quarterly transparency report tracking these requests.
Changes to the privacy policy are posted on the company's website or sent to users via email.
MyHeritage
MyHeritage's privacy policy states that it has never sold or licensed personal information or genetic data and will not do so in the future. The company does not share information with insurance companies and prohibits law enforcement from using its databases. Genetic information is only released to law enforcement when there is a valid subpoena or warrant issued.
Users can opt in to the company's DNA Informed Consent Agreement, which will allow their genetic information to be used by research conducted by MyHeritage. This consent allows the publication of aggregate data without identifying information.
Unless directed otherwise, MyHeritage may store DNA samples for 10 years, but will ask for consent before carrying out further testing on the samples. Users can request the destruction of their DNA samples by contacting privacy@myheritage.com, which is also where users should address concerns about personal information that might be posted by another member or genetic relative.
Users can delete their accounts permanently at any time by following the instructions on this FAQ page.
Other companies
Because the direct-to-consumer genetic testing industry is largely self-governing, there is wide variability with how companies operate. The industry standard is the Privacy Best Practices for Consumer Genetic Testing Services, which were developed by 23andMe, Ancestry, MyHeritage, Helix and Habit.
Helix details its terms and conditions in its privacy policy, available on the company's website.
Habit, which claims to use genetic information to personalize users' diet plans, is now owned by Viome, which makes its privacy policy available here.
GEDMatch is a free genetic genealogy research platform, and details its data sharing in its privacy policy.
Originally published on Live Science
