- Hollis Johnson
- Taking a DNA test to learn about your ancestry or health can be fun, but it requires the transfer of sensitive information: your genetic data.
- When sending in your DNA sample, it’s important to get a clear picture of who owns that information and who will be able to see it.
- Before taking any test, always read the terms of service.
DNA tests can tell you where your family is from and what health conditions you might be predisposed to get.
They’ve gained significant popularity in recent years – over Thanksgiving weekend last year alone, shoppers bought 1.5 million AncestryDNA kits.
But the rise of consumer genetics tests has brought up a number of privacy concerns, since they deal with information that’s fundamental and unique to every individual. And there have been cases like the arrest of the Golden State Killer that used information from one of these databases to crack the case. It poses the question: When you spit into a tube and submit your sample for one of these reports, who has access to that information and who ultimately owns your DNA?
Two lawmakers – US Representatives Frank Pallone Jr. of New Jersey and Dave Loesback of Iowa – are now pressing DNA testing companies for more information about their security and privacy policies, Stat News reports. The hope is to resolve any issues around security and privacy.
Late in 2017, Senator Chuck Schumer also raised the issue, calling on the Federal Trade Commission to “take a serious look at this relatively new kind of service and ensure that these companies can have clear, fair privacy policies.”
In a blog post published December 12, the FTC recommended reading the fine print. “If you’re thinking about buying an at-home DNA test kit, you owe it to yourself – and to family members who could be affected – to investigate the options thoroughly,” it says.
James Hazel, a post-doctoral research fellow at Vanderbilt University’s Center for Biomedical Ethics and Society, has been looking into the privacy policies of consumer genetics tests. He said the FTC’s suggestion is very important.
“We are good at clicking ‘agree’ and not reading the terms of service,” he said.
When it comes to DNA tests, a lot of pertinent information hides in that fine print, including language about who owns your DNA, where your genetic information is going, and what the process of deleting your information from a database entails.
I’ve tried ancestry tests from from 23andMe, Ancestry, and National Geographic (a test run through the Helix DNA test platform), so I checked in with all of them to see how they stack up in terms of privacy.
- Hollis Johnson
Who owns your DNA?
For starters, there’s the question of who “owns” your DNA after you send in a spit sample. The 3 billion genetic building blocks, or base pairs, are what makes us who we are.
“You’re granting us the rights to share information, but fundamentally you own your data,” Elissa Levin, Helix’s director of policy, told Business Insider.
23andMe and Ancestry said the same thing – although the companies need some rights in order to analyze your sample and send results back, they don’t have total ownership. They can’t, say, bar you from taking another DNA test in the future.
“We believe that you own your data,” 23andMe privacy officer Kate Black told Business Insider. “So whoever’s data this is is ultimately the owner of that information. However, we do need certain rights and privileges to process their sample and provide them with our services.”
From there, it’s a matter of how far those rights go.
Who gets to see your de-identified information?
When providing a spit sample for a genetics test, your information can either be identified – that is, linked to your name – or de-identified. It’s most common for the sample of spit you submit to be processed without your name on it.
In many cases, an external lab might be involved in sequencing the genetic data to pass back to the company. For example, 23andMe works with contracted labs in North Carolina and California.
“The lab has some access but they don’t know who it relates to,” Eric Heath, Ancestry’s chief privacy officer, told Business Insider.
- Lydia Ramsey/Business Insider
Helix does the sequencing in its own lab, then sends some of that information to its test partners, such as National Geographic. Helix is trying to be like the “app store” for genetics, allowing you to submit your spit to them once, then use the sample for multiple tests based on what type of analysis interests you.
“The information we share with them is only the relevant piece,” Levin said. “For some partners it might be a few markers or it could be hundreds of genes.”
But there’s a key caveat to keep in mind: Because your DNA is unique to you, it’s can’t be totally de-identified.
“DNA is so unique, and there are so many data sources out there, that it is incredibly hard to fully anonymize – and more so to promise and provide any absolute guarantee that the data are anonymized,” Laura Lyman Rodriguez, director of policy, communications, and education at the National Human Genome Research Institute, told the magazine Undark in 2016.
How is the data that’s tied to your identifiable information used?
Your identifiable information includes any self-reported data and your name.
With 23andMe, Black said, nobody has access to both your email and genetic information – only one or the other. The system that combines the two pieces to give you a report is automated, she said.
The same goes for Ancestry. Heath said the personal identification and genetic data are “not commingled until we provide you with your results.”
Helix leaves the genetic information de-identified, and it’s up to the partners to recombine the analysis with the person who submitted a sample. Because each partner has their own privacy policies, it’s important to read those as well.
The three companies we spoke with all said they’ve created safeguards so that even if there’s a security breach, your genetic information and names aren’t connected.
- Lydia Ramsey/Business Insider
Can you opt out of giving research partners your genetic data?
Another privacy concern is the possibility that your DNA could get shared with other companies without your consent.
Both companies require you to consent to sharing your information if you want to participate in those programs. Unless you agree, your information will remain with just 23andMe or Ancestry (and the contractors they work with to do the test). The same goes for connecting you with potential family members.
Helix does not currently have research partnerships. Levin said if that changes, there would be a voluntary process users could opt into as well.
How to wipe your information after taking a test
After you’ve gotten your results back, your genetic data lives on with the company you sent it to, and likely in the tube of spit you submitted. If you’re not comfortable with that, the vast majority of your data can be stricken from databases and storage facilities.
Things get a bit trickier if you consented to share your information with third-party researchers. In that case, you can usually stop information from being used in new projects, but anything previously shared will still be out there.
Before taking any of these tests, it’s best to learn about the process of deleting an account, and find out whether your sample will be stored indefinitely.
When you register your test with 23andMe, you can opt to either have your sample stored or discarded after use.
To close your 23andMe account, search through the help center for a page titled “Requesting Account Closure.” On that page are links to submit a request or email customer service (firstname.lastname@example.org).
If you opt to have your spit sample stored but later change your mind, an option in the settings section of your report allows you to discard the sample.
However, there are a few places your information may continue to live. Under the regulatory standards that apply to clinical labs, Black said, 23andMe has to retain the bare lab test result for 10 years.
Ancestry stores your spit sample so it can be used for quality purposes, such as making sure the lab is running as it’s supposed to and the testing is accurate. That also allows the company to update your results if more accurate sequencing technology comes onto the scene.
To delete your DNA results on Ancestry, go to the DNA section at the top of the page – your test settings include a way to delete your results. If you want to remove your spit sample completely, you need to call Ancestry’s member services.
Helix also stores your spit sample. To get rid of that spit sample, you can fill out a request with customer services. Helix alludes to retaining data for regulatory purposes in its privacy section, however.
In the settings of your Helix account, there steps for how to close an account. Doing that would cut off the flow of data to Helix’s partners, Levin said.
“Even if you had previously consented to share info with National Geographic, closing would close out the data-stream,” she said.
Read the full privacy documents
For more information, here are the privacy pages and terms of service documents for the three tests described above:
- Helix’s privacy center and terms of service.
- 23andMe’s privacy center and terms of service.
- Ancestry’s privacy center and terms of service.
This post was originally published in December 2017.