After data breaches at MyHeritage and Ancestry.com ratcheted up concerns that “data” collected by genetic testing companies could be at risk for exposure or, worse, exploitation, the companies have joined forces with the Future of Privacy Forum to create guidance for handling and protecting DNA and any data drawn from it.
Noting that genetic data “warrants a high standard of privacy protection” because it could be used to identify future medical risks, reveals information on family members, contain unexpected information whose full implications may not be known until later or has cultural significance for some, the Privacy Best Practices for Consumer Genetic Testing Services recommends guidelines in broad categories of transparency, consent, data use and forward transfer, data access, integrity, retention and deletion, accountability, security, privacy by design and consumer education.
Companies should “obtain express consent for collection, analysis, sharing, or reporting of genetic data,” the guide noted, as well as commit to collecting, using, and sharing the data “in ways that are compatible with reasonable consumer expectations for the context in which the data was collected.”
The framework said that transfer of the data, which is not covered by HIPAA, to third parties should be prohibited particularly to employers, insurance companies, educational institutions or government agencies, unless the consumer has given express permission or where required by law.
Recently, law enforcement officials have used genetic genealogy to solve cold cases, including finding the Golden State Killer, responsible for at least 12 murders, dozens of rapes, and burglaries in California between 1974 and 1986.