Data Privacy and Security

Should we worry about DNA testing?

First, a bit of background. When the Human Genome Project was initiated in 1990, its budget was set at a staggering $3 billion and the resulting analysis took over four years. In 1998, a new initiative was launched at one-tenth of the cost – $300 million. Just over a decade later, a device costing just $50,000 was used, aptly, to sequence Intel co-founder (and Moore’s Law author) Gordon Moore’s DNA in a matter of hours. And today, costs have dropped to under a thousand dollars for a full sequence, and even less if only a subset of the data is analysed. 

A consequence of this falling cost threshold is an explosion in different research studies, not least in research involving mitochondrial DNA to trace our collective history through the maternal line (leading to hyped-up announcements about our origins such as this one). Healthcare research quite clearly stands to benefit a great deal. And, meanwhile, out in consumer land, different types of study (usually based on Autosomal testing) are used to demonstrate paternity, report on congenital health risks and establish family origins. 

It’s exciting stuff but, as with any topic which involves finding things out, it comes with risks attached. One might argue that knowing something is better than not knowing something, and this will frequently be true — not least in healthcare where a diagnosis can lead more quickly to treatment. Equally, however, knowledge can open doors that might better be left shut. And the question of privacy looms large: while you might want to know about your characteristics or health conditions, you might not want certain others, or indeed your employer or government, to know. 


An accurate indicator?

An exacerbating factor concerns the accuracy of such tests. Just two years ago, the Google-funded DNA testing service 23andMe was investigated by the US Government Food and Drug Administration, which accused the company of basing its results on poor science. “After ... many interactions with 23andMe, we still do not have any assurance that the firm has analytically or clinically validated” its technology, stated the FDA. For a time the company stopped providing information on health risks but has now recommenced.

Concerns have been also raised about inconsistencies between tests.

“The discrepancies were striking,” wrote Kira Peikoffdec, who sent her saliva to three different labs for genetic testing (again in 2013). The American College of Obstetricians and Gynecologists reached the conclusion that such profiling was “not ready for prime time”. Similarly, ancestry tests have been pooh-poohed as offering little more than “genetic astrology”. Of course, things may be so much better by now. While costs have fallen still further, there is little indication of any breakthrough in terms of reliability and consistency of testing, however. 

But does it really matter, for example for an armchair ancestry hobbyist or for someone who has a specific concern that no official is prepared to address? The answer to this question lies in the fact that even if tests may still be inconsistent and unreliable today, this may not always be the case in the future. Any assessment therefore needs to take into account the privacy of the information concerned, or indeed in three kinds of information: the genetic sample (usually saliva); the raw test data; and the resulting analysis and interpretation. 


Privacy Ts and Cs

As it turns out, there is even less consistency in the terms and conditions of the different DNA testing service providers, than has been reported about the tests. A spectrum of terms and conditions exist across providers, from those offering highly restrictive policies that minimise any possible risk to the customer, to organisations that have less restrictions on what they can do with the data. 

While this can give no indication as to the quality of the actual service, noteworthy is Slovenian-headquartered Gene Planet with a sales office in Dublin and independent labs in Italy and the US. Keeping it simple, the company’s privacy statement states:

“The genetic data provided by you and generated during the course of your relationship with us is regarded as sensitive personal data under Irish data protection law on the basis it is health data. We only process this data in connection with our genetic testing service. We will keep this data confidential and will only use it to the extent necessary to provide you with the specific results you have requested.”

More specific is Scotland-headquartered BritainsDNA, which states:

“Your genetic information will be held confidentially by BritainsDNA and not shared with others without your permission. Your name, address and other identifiable details will be held separately from your ID code which will be attached to your genetic information.”

And it goes on to say:

“The laboratory will not analyse your saliva for any biological or chemical components, markers or agents other than your DNA. The laboratory will not have access to your name or your other personal information, the sample will only be known by an ID number and unique bar code."

At the other end of the scale is AncestryDNA, a subsidiary of what started as US genealogy publisher Ancestry.com. A number of clauses in the organisation’s UK privacy statement are worth pulling out:

- “By providing AncestryDNA with personal information, you specifically consent to the transfer and storage of personal information to and in the United States.”

- “All samples are stored either at the testing laboratory or other storage facilities in an anonymised format and may be kept by us unless or until circumstances require us to destroy the saliva sample, which you can request at any time by contacting us.”

- “In addition, if you voluntarily agreed to the Research Project Informed Consent we may use the Results and other information for the purposes of collaborative research and publication and in accordance with the Informed Consent.”

- “Third party service providers: Under the protection of appropriate agreements, we may disclose personal information to third party service providers we use to perform various tasks for us, including for the purposes of data storage, consolidation, retrieval, analysis, or other processing.”

In other words (and unlike other providers including 23andMe, which states, “Unless you choose to store your sample… your saliva samples and DNA are destroyed after the laboratory completes its work, unless the laboratory’s legal and regulatory requirements require it to maintain physical samples.”), the customer has to specifically ask for source materials to be destroyed. In addition, phrases such as “appropriate agreements”, “various tasks” and “other processing” mean that the organisation could pretty much do what they like with any results (again unlike 23andMe, which requires “explicit consent”).


Future shocks?

Why does any of this matter, if after all you were just looking at your heritage? As already noted, genetic profiling is a work in progress — as it gets better, it will be possible to find more out. Which brings us back to the point about need to know. As mentions BritainsDNA’s own policies, “Once you get any part of your genetic information, it cannot be taken back.” If you find something out which could jeopardise your health insurance for example, and then you do not declare it, then you could be accused of fraud. BritainsDNA goes on to specify a “hold harmless” clause, exonerating itself in the case of such discoveries. 

It is perhaps not just the CIA, but ourselves, that should see the benefit of plausible deniability. And speaking of US authorities, one of the spin-off advantages of having vast computer resources is that it is possible to store increasing amounts of information about individuals. The downside, as notes the Web We Want campaign, is that “sometimes, innocent people are swept up in systems for tracking criminals.”

Jurisdictions are all too important here: it would appear highly inadvisable to allow your most personal of information — your DNA profile — to leave your national boundary, and thus be subject to different and possibly contradictory laws, many of which (such as the US genetic discrimination act) are still works in progress. 

Perhaps even more important than third-party access to your data comes back to what you, and your peers, might find out about yourself. Perhaps based on experience, BritainsDNA goes in pretty hard on this point:

“You may learn information about yourself that you do not anticipate. This information may evoke strong emotions and have the potential to alter your life and worldview. You may discover things about yourself that trouble you and that you may not have the ability to control or change (e.g., surprising facts related to your ancestry).” 

So what, say the optimists. So, say the DNA test providers themselves, the example where you discover the person you have known for 30 years as your father turns out not to be, responds the privacy agreement. It’s not hard to imagine the potential for anguish, not indeed the possibility of being cut out of a will or causing a marital break-up. 


Buyer beware

Perhaps the point is not to say “don’t do it”; rather, to recognise the potential risks that knowledge can bring, and to ensure that they are mitigated before they cause problems (as afterwards would be too late). An incomplete, but still important, list of things to consider is as follows:

- First, think about the consequences of each possible outcome. Perhaps, like Julie M. Green, you would rather know that you had a risk of a degenerative condition. Or perhaps not, like Alasdair Palmer, to be sure in advance.

- Recognise that the results may be inaccurate. Despite the advances, these remain early days for genetic testing. Have particular concern for the ‘nocebo effect’ — the propensity to start displaying symptoms of a disease you think you might have. 

- Ensure you minimise the scope of the research to what you are comfortable with. If all you are after is a bit of ancestry fun, do that — but make sure that is all you are getting. 

- Decide what to do with your raw data. Your choices are to request it, download it and store it safely, or request for it to be destroyed. If in doubt, take it out — you could always have the test done again, and probably more cheaply. 

- Control what others can do with your data. After reading up, you might decide you are happy to have yourself used as a live sample for any and all further genetic research, whatever the outcome. Or you may prefer to know who is using your data, anonymously or otherwise, and to what end. 

- Choose an organisation which complies to your own national laws. If your DNA crosses a national boundary, then you have pretty much said goodbye to any controls that could be placed on it, particularly as many laws are only applicable to their own citizens.

- Consider looking for a completely anonymous service. (Cygene claims to do so, in the US), albeit recognising that absolute anonymity is very hard to achieve.

- Above all, read and be comfortable with the T’s and C’s, privacy policy or participation agreement. Ensure that your sample is only going to be used for the purposes you intend, and that you are not ‘volunteering’ to share your data or participate in research projects you know nothing about.

These are exciting times for science in general, and for genetics in particular. In five to ten years’ time we will know much more, and we will also have international legal frameworks that may have caught up with how we deal with such knowledge. In the meantime perhaps consumers can dabble with genetic testing as a bit of fun, but let’s remember it was our own curiosity that killed Schrödinger's cat. 


« Rack. Tack. Relax. How to build a future-ready data centre


News Roundup: Sexual harassment, Amazon logistics and witchcraft anti-virus »
Jon Collins

Jon Collins is an analyst and principal advisor at Inter Orbis. He has over 25 years in experience of the tech sector, having worked as an IT manager, software consultant, project manager and training manager among other roles. Jon’s published work covers security, governance, project management but also includes books on music, including works on Rush, Mike Oldfield and Marillion. See More

  • Mail


Do you think your smartphone is making you a workaholic?