Why Private DNA Testing is a Threat to Our Privacy

If a hundred years ago a person wanted to learn about their ancestry, there wasn’t much they could do: marriage and birth records can only survive for so long in paper form. If they wanted to see what diseases they could be prone to based on their family’s trends? Forget about it.

Today, however, we have DNA testing. It can show you not only where your ancestors came from but also what health conditions they might have had that you need to be aware of. Even better, there are databases to which you can add your data and find matches.

We’re lucky to live in such interesting times, folks

Well, not really. Allowing somebody to take samples of and analyze your genetic data sounds a bit inconsiderate of your privacy. Awfully inconsiderate, if we’re being honest – after all, your DNA is literally what you are made of. But hey, we have doctor-patient confidentiality, so all is good, right?

The thing is, not everybody has a medical need to undergo genetic testing. So a doctor can decide that you don’t need to do it if they think you have no genetic diseases to worry about.

That’s when many people turn to commercial genetic testing companies. For a humble fee, those companies send you a home testing kit in which you store a sample of your saliva and mail it back to them for analysis. Apart from telling you about possible health risks, they provide you with access to their databases, where you can find people potentially related to you.

However, it’s necessary to remember that you are giving away some of the most personal and sensitive data to a for-profit company. There have already been cases of law enforcement getting access to full DNA databases as well as private testing companies selling their customers’ data to third parties.

How is this possible? Isn’t it medical health data that should be private? Unfortunately, the situation is not as clear as it should be. In the US, HIPAA (the Health Insurance Portability and Accountability Act) only covers the legal relationship between a patient and a health care provider or plan. As private testing companies are not considered health care providers, they are not bound by the Act.

If you think that’s bad, you are right

While there are some additional regulations, such as GINA (the Genetic Information Nondiscrimination Act), they are severely lacking in certain aspects. GINA only covers companies with more than 15 employees, for example, and doesn’t apply to federal workers, soldiers and officers, etc.

Furthermore, it doesn’t prevent you from being discriminated against because of your genetic test results when you apply for life, disability, or long-term care insurance. This means that if an insurance company buys your test results from the firm that conducted the test and doesn’t like the health risks it sees, it can charge you more for those types of insurance.

That’s the Land of the Free, what about the Old World?

The much-hailed GDPR, aimed at securing privacy in the EU, also leaves a lot to be desired when it comes to private DNA testing. Though companies have to comply with the Regulation, they tend to do so in a somewhat lackluster fashion, since many of them are not located in the Union.

The worst thing about DNA testing and its implications for your privacy is that you don’t need to perform any tests yourself for your data to be compromised. What if you are a child whose parents decide to do a test on you? Much is said today about children’s privacy and safety. However, even people who take these matters seriously may give in to the temptation of testing their kids’ DNA. After all, if privacy comes at the expense of health – even if such an outcome is purely hypothetical – people tend to disregard the former.

If your siblings decide to test their genome? Congratulations, it’s almost as good as if you did it yourself – you share around 50% of your DNA with them.

Even if you imagine that the testing company takes precautions it is not legally obliged to take, and doesn’t disclose your information to anyone, you are still at risk. As your genetic data is stored in the cloud, it’s very much possible that hackers can get access to it.

There are already efforts to reconstruct a person’s face from their DNA. Talk about all the exciting new possibilities for identity theft!

It’s evident that the existing regulations are not enough to fully protect a person’s genetic data obtained and stored by a business. Moreover, no matter how much they are improved, there will still be the open question of whether prohibiting such tests without the explicit agreement of one’s immediate relatives can be considered lawful.

As commercial DNA tests are a huge privacy risk, it’s advisable not to undergo them unless absolutely necessary – in which case they can most likely be done by a healthcare provider anyway.
