A group of consumer genetic and personal genomic testing companies have released a set of best practices for handling consumers’ personal genetic data.
Designed to ensure privacy and promote transparency, the guidelines include a requirement for separate express consent before a company can transfer genetic data to a third party, such as an insurer or employer.
“Supporting strong and transparent industry-wide guidelines that provide people with confidence that companies in this growing field will protect their privacy is critical to the continued success of this nascent business sector,” Jules Polonetsky, CEO of the Future of Privacy Forum, a nonprofit that worked with the companies to draft the guidelines, said in a statement. “That is why we have been working with the industry leaders for the past year to develop privacy and data principles that we and our peers in the personal genomics industry can embrace. We believe that these best practices are essential to engendering trust so that all people can safely access their genetic information.”
Consumer groups and lawmakers have advocated for increased protections regarding genetic testing data for some time. While many concerns have revolved around business advantages that could come from revealed disease predispositions or risks, the calls became louder following the controversial case of the Golden State Killer, in which investigators linked a DNA sample found at a crime scene to a distant relative of suspect Joseph James DeAngelo Jr. using several consumer genomics services.
The newly released guidelines — which were also created with collaboration from Helix, MyHeritage, and Habit; are supported by African Ancestry and FamilyTreeDNA; and included input from the FTC, advocates, and genetics specialists — outlined a “baseline of responsible practices” falling under eight major categories: transparency; consent; use and onward transfer; access, integrity, retention, and deletion; accountability; security; privacy by design; and consumer education. The guidelines are not legally binding, and at this point would need to be self-enforced by these companies.
Highlights among these commitments included the requirement for “initial express consent” upon first use of individual-level data, “separate express consent” when transferring individual-level genetic information to third parties for any reason, and “informed consent” when data is transferred to a third party specifically for research. In addition, the companies supported increased notification of privacy policies and any changes to them, maintaining strong measures to ensure de-identified genetic data remains safe from re-identification tools, and the annual publishing of public reports that describe any requests for data that a company receives from law enforcement.
“Everyone who participates in a genetic testing service deserves to have their information protected, no matter which service or product they use. It’s imperative that all consumer genetic testing companies adhere to comprehensive privacy protections, and clearly communicate their policies to consumers in a transparent manner,” Kate Black, global privacy officer at 23andMe, said in a statement. “With over a decade of experience as a leader in consumer genetic testing, we’ve built incredibly strong privacy practices. We are happy to now work with the industry and an organization like the FPF to solidify best practices, and help ensure proper protection of consumers’ genetic information more broadly.”