Mail-in genetic tests may offer a lot of information about your ancestry and possible medical risks, but the information you are providing can have consequences. Learn what you need to know about how to protect yourself.
Source: Samuel Velasco/Quanta Magazine (CC BY SA 3.0)
At-home genetic tests from companies like Ancestry.com, 23andMe and MyHeritage have become all the rage, as people are eager to learn about where they come from, who they are related to that they might not know about, and their risk of developing certain diseases. Yet in their excitement, they sometimes let curiosity outweigh good judgement when it comes to learning where their data goes and limiting their vulnerability regarding how their health information might be used in the future.
How Much Trust Should You Place in An At Home DNA Test?
The companies that sell at home DNA tests ask for a lot of trust in terms of your personal genetic information. You need to determine whether they deserve that degree of trust prior to taking the test. Legitimate companies promise not to sell or give this data away without your consent.
At the same time, however, their privacy statement also says, “In the event of a data breach it is possible that your data could be associated with your identity, which could be used against your interests.” Similar statements are included in the information provided by other testing companies.
Determining how much you trust these companies involves knowing and understanding potential risks. Even with legitimate companies, there are privacy concerns that could lead to negative consequences when you take the test and in the future.
Possible Risks of DNA Testing
There are a number of risks that you need to consider before sending your genetic material off to be tested. For this reason, it can be a good idea to wait after buying the test, read the material that comes with it and visit the company’s website before submitting your DNA sample.
This obviously is not something unique to genetic testing companies, though they should have a higher standard of protection than other industries. As distressing and potentially damaging as other hacking situations are, for example having your identity stolen, having hackers take your genetic data is far worse.
While some people hack companies just to prove they can or as a means of showing that the company needs to implement more stringent security measures, others do so for specific purposes. If someone is intentionally hacking a company that does genetic testing to steal data, they are doing so to benefit themselves somehow.
If your genetic data can be easily linked to you by the information in the database, this can lead to significant harm. Once your DNA information has been stolen and used for profit or a political or social statement of some kind, you will have lost control over who has access to it.
Opting In For Research
Legitimate testing companies give you the option of letting your data be used for research purposes on behalf of third party academic, nonprofit and industry organizations. You can also consent to studies involving specific diseases in which your DNA is used in conjunction with for-profit drug companies, such as Genentech and Pfizer.
This risk is strictly your responsibility to mitigate. Companies report that as many as 80 to 85 percent of people using these tests agree to let their DNA be sold to third parties for research purposes. You do not have to agree to this in order to receive your complete report and should think twice about letting your personal genetic information be used by anyone other than you.
Lack of Laws Covering Genetic Privacy
There are some laws that limit how genetic information is used. For example, the Genetic Information Nondiscrimination Act (GINA) prohibits U.S. employers from using genetic information in hiring, firing, promotion, and compensation decisions and insurance companies from using it to deny coverage or increase the price of premiums.
However, there aren’t any laws that truly protect privacy with regard to your DNA. Such laws may not even be feasible, as it may be impossible to protect genetic information since DNA is unique to each person. Even if identifiers like name and Social Security number can’t be connected to it, it is still linked to only one person in the world.
Your Data Can Be Shared Without Your Permission
Many of these tests provide you with the names of your genetic relatives who have also been tested. This means that if a relative decides to release their information and your name is listed, that will also be released.
When your relatives, even distant ones, provide their DNA, they are also providing genetic information about you. So, for example, depending on your genetic relatedness, there is a certain probability that if your relative has a predisposition or genetic loading for a certain condition, you will too.
The amount of control you have over the information you have submitted and your physical DNA varies widely by company. With some companies, even if you have taken measures to limit the amount of information kept in their database, you may still be listed in their genealogy program.
Your Data Can Be Used to Identify You Even If You’ve Never Taken a Genetic Test
Since a person’s relatives are identified on these tests, anyone who wants to find out information about you, target you for something or possibly locate you may be able to learn about you through your relatives. This includes law enforcement.
A good example of how law enforcement can identify you even if you haven’t taken a test is the Golden State Killer case. This case was recently solved after decades with genetic information from an at-home DNA testing company. The killer’s arrest came about because 24 distant relatives had uploaded their genetic data to a public database.
The police created a fake profile with DNA obtained from a 1980 crime scene. Cross checking the DNA with the database and other records led them to the identity of the killer.
Privacy Statements May Change
Companies are bought and sold over time, and when this happens, the new owners may decide that different policies are in their best interests and the interests of the company. Companies can choose to do whatever they want in terms of privacy so long as they state it in their policy, which they can decide to change whenever they choose without the need to notify you.
Protect Yourself Against Potential Risk
After reading all of this, you may be fearful of going through with one of these tests. You may be even more frightened if you’ve already taken one. The good news is that there are things that you can do to limit some of this risk, protecting or in some cases even deleting your information.
1) Read Everything
Ideally, before buying a kit, research different companies through their websites and other online sources. Read everything you can find. Once you decide on a kit, read everything that comes with it, and review the information online. Before sending off your DNA, make sure you understand exactly what you are signing up for and what they can and will do with your genetic information. There is usually a broad consent form that you have to agree to and can’t opt out of.
There is a lot of fine print, which you may be tempted not to read or to just skim over. Often, we become accustomed to just clicking “agree” without reading through lengthy documents. This is too important not to make sure you are well aware of the implication of the test now and in the future. If anything is the least bit unclear to you, check with someone like a doctor and/or a lawyer to find out exactly what it means.
2) Select a Reputable Company
Having your DNA tested is not the time to try to save money. There are smaller companies that are cheaper than the bigger ones. However, the larger and more established companies like 23andMe, Ancestry.com and MyHeritage have more comprehensive privacy policies that include accountability for your data privacy compared to small companies without a track record.
3) Be Careful About What You Submit
Read each question several times before answering and review everything you submit at least twice. Check to see what your choices are in terms of the information they require you to submit besides your actual sample for testing. Make sure that there is a separate agreement that you can opt out of regarding disclosing your information to third parties such as pharmaceutical companies and research organizations.
If you allow the company to share your data with third parties, make sure that you can revoke this permission later. Just understand that it will likely be impossible to delete your data once a third party has received it. It’s difficult to prevent further sharing by third parties. This means that even if they agree to delete it, companies they shared it with, who you likely won’t know about, will still have your DNA on file.
4) Decide How You Feel About Having Your DNA Stored Long Term
These companies may request your permission to store your sample either to test it when new technology becomes available or in order to connect you with distant relatives you may not be aware of. Both of these are personal decisions, so consider them carefully before providing your consent.
5) Don’t Feel Pressured Into Providing Information You Don’t Want To
Sometimes, it is not made crystal clear that you aren’t required to answer certain questions in order to receive your results. The instructions may say that you don’t have to answer parts of the questionnaire but not doing so will limit the information that they provide and you may not receive a complete DNA profile. After you receive your results you may get repeated notifications in the form of emails or pop-ups telling you to complete your health profile in order to obtain your complete report. There may also be a statement about how the information you provide may benefit others by identifying factors related to diseases that could allow for early identification, new treatments or cures or prevention.
There is no reason that your DNA can’t be tested and fully mapped even if you don’t provide a lot of additional information. The other information requested is often not even for your benefit; it’s for the company’s, or it increases the value of your data should they sell it to third parties. Furthermore, you shouldn’t feel like you owe it to anyone to give away information that you aren’t comfortable with.
6) How to Delete Your Data
If you have second thoughts after sending in your genetic sample, most legitimate companies have procedures for deleting your data. Be advised however, that genetic home testing companies are required to comply with U.S. federal quality control regulations. This means they must retain DNA information so even with reputable companies you can’t completely delete all of your information. Make certain you are aware of and comfortable with the permission you are granting the company before you send off your DNA.
Additionally, when reading the privacy agreement you will likely come across terms involving “de-identified data”. What these companies refer to as “de-identified aggregate data” can’t be traced back to a specific individual, while “de-identified individual-level data” possibly can.
To delete your data from the 23andMe database, go to your account settings. Under “23andMe Data” find the “Delete Your Data” option. You are able to download any of your data before deleting it. You can also request to have your sample destroyed, if you originally agreed to having your sample saved.
Be aware, however, that this company uses a laboratory that is required to follow the Clinical Laboratory Improvement Amendments (CLIA) regulations, which means they can’t destroy some of your data (as is the case with any federally compliant DNA-testing company). This includes your DNA, sex and date of birth, but 23andMe won’t use the information any longer.
To delete your data from the Ancestry.com database, sign into your account and under the “DNA” tab select “Your DNA Results Summary.” Choose “Settings,” then click “Delete Test Results.” Re-enter your password to confirm that you want to delete your data.
Following these steps will delete all of your DNA data, and remove you from any family finder results. You are also able to delete your entire Ancestry.com account, although due to the regulatory compliance issues your DNA information will be kept, though not used.
For MyHeritage, after logging into your account, click your name, select “Account Settings” and choose “Delete Account.” MyHeritage labs are also CLIA compliant, so they will retain some limited information about you.
If you would like, you can also just delete your Family Tree Builder projects or sites without deleting the rest of your account, but this will not delete your data; it will just prevent your data from being accessible by relatives who have also been tested.
Remember that when you send away a tube of your saliva or a cheek swab, you are sharing your entire genetic code. Every cell in your sample carries the complete sequence of your DNA, including the mutation pattern that makes this sequence specifically and uniquely yours.
While most reputable companies have safeguards in place to protect your privacy, any time your data is stored in a public database that you do not control, there is the risk of exposure. Should your data be disclosed without your permission, there could be long-term ramifications that affect you and your family.
Make sure to educate yourself as much as possible before taking one of these tests. If you’ve already taken one, determine what you can do to limit risks to your privacy and potential unauthorized disclosure of your genetic information.