KnowYourDNA is reader-supported. This means we may receive a commission when you buy something from one of the links on this page.
Learning about your family heritage or genetic health information is fascinating and extremely useful. But is it safe to submit your DNA sample to a testing company?
DNA testing experts have varying opinions.
As much as DNA testing companies want customers to believe their information is safe and protected once submitted, it’s impossible to keep any information 100 percent safe. This issue of security became extremely apparent when police used information from an open-source DNA storage website to identify a serial killer. Mystery solved, but what does this mean for DNA testing company customers?
Complicating the issue more, the killer wasn’t even the one who submitted a DNA sample. It was his cousin. Police used genetic links to track a killer from the 1970s.
In response to security issues, some DNA testing companies have changed their terms of use for customers. Some changed public databases to private and others have chosen to close their databases completely. They understand the privacy issues and the legal risks they face if anyone accesses this information without permission.
If you’ve submitted your DNA to a testing company and they still have your information, should you be concerned? Should you worry if a relative submitted their information to a DNA testing company?
Here’s what you should know about DNA and privacy:
If you submitted your DNA information to a testing company, you signed a consent form regarding the use of your DNA. The average person who submits their DNA for testing does not read all of the fine print, but it’s there if you want to learn about the privacy policies of a particular company. You have the option of not consenting to the sharing of your information, but statistics show more than 80 percent of testing company customers agree to the release of their information.
A lot of people even assume they have nothing to worry about when they submit their DNA. They’re assuming that the companies will keep the information safe and take for granted that there is no risk. Unfortunately, there’s no security guarantee.
One of the biggest concerns privacy advocates have with DNA testing companies is a company’s right to sell customer information to third-parties.
Each DNA testing company has its own policy, but in general, data is sellable to third-parties. Most companies only sell the information in a bundle, which means the buyer isn’t able to link your DNA information to your identity. They’d see more of a big picture of DNA information of a large group of people, as opposed to knowing that one specific sample belongs to Jane Doe or John Smith.
You might be wondering who would be interested in buying DNA information. After all, why would someone who doesn’t know you want to know your ethnic heritage or whether you are at risk for being overweight or developing vision problems?
In most cases, the buyers of DNA information are pharmaceutical or biomedical companies. They use the information they purchase for research. For the most part, this is a good thing and the information is used to better explore genetic health issues.
But there are concerns that if private employers or insurance companies buy information, it could be used against customers and employees. There are no broad protections against this and nobody is sure what will happen if and when it becomes an issue.
Federal laws do prohibit health insurance companies from using genetic information to deny coverage, but those restrictions only apply to health insurance. Life and other types of insurance companies do not currently have the same restrictions.
For the most part, yes. It makes sense, too. Larger companies tend to have larger budgets for setting up more secure data storage. They have bigger reputations to protect and don’t want to put their businesses at risk.
But we’ve seen enough data breach issues arise in the last decade to know that even the most reputable companies are at risk when it comes to keeping data safe.
The most well-known companies, including Ancestry and 23andMe, have the most reliable security and control the DNA information you submit. The bigger risk occurs when these companies sell your information to third parties that lack the same security.
Also note, though, that despite decent security efforts by DNA testing companies, the Federal Trade Commission (FTC) has looked into company policies regarding the handling of genetic information and the sharing of that information with third parties. Security concerns are warranted if federal agencies have raised concerns.
What are the Biggest Privacy Risks You Face When You Submit DNA to a Testing Company?
Data hacking is an issue for any company that is storing data of any kind. Financial data is the most common target, but nobody should assume health and DNA information isn’t on the criminal radar.
At least one hacking incident already occurred when MyHeritage had more than 92 million accounts hacked. There was no DNA data exposure during the hack, but it’s still a concern.
You might assume your DNA information is of no value to anyone besides you, but this isn’t true. It might even seem absurd that your DNA would have any financial value, but again, this isn’t true.
Medical research and biotech companies pay for DNA data all the time. All of the major testing companies ask you to sign a consent form concerning the use and sale of your data, but most companies agree to third-party use policies.
Many assume this means their DNA could be used to find a cure for cancer or create a drug that treats a serious illness. They fail to consider that their DNA could be used to help a pharmaceutical company make a large profit without making the world safer.
Think about all of the drugs developed then later pulled from the market due to safety issues. Are you comfortable with your DNA being used to develop products such as this?
It’s no secret that lawmakers struggle to keep up with technological developments. The genetic world is no different. There is only one law – the Genetic Information Non-Discrimination Act (GINA) – is the only one that addresses genetic privacy. And many believe this law is inadequate and far too narrow to offer any significant protection. Some people don’t even receive protection under GINA.
Those familiar with genetic privacy concerns believe too many consumers take genetic testing companies at their word and are putting their most sensitive information at risk.
Police investigators understand the value of genetic information and have no issue using it to solve crimes. Many of the larger genetic testing companies have policies in which they promise to resist law enforcement as much as possible, but ultimately the matter is out of their hands. If you’ve handed over your DNA to a company or a relative has done so, law enforcement can access it.
There’s no reliable way to ensure that what you agree to when you submit your DNA to a company will continue to be the policy of a company forever. Companies are sold and they change their policies. If your DNA is with these companies forever, it is subject to the whims of whoever is controlling the company at a given time.
Baram, Marcus. “The FTC Is Investigating DNA Firms like 23andMe and Ancestry over Privacy.” Fast Company, Fast Company, 5 June 2018, www.fastcompany.com/40580364/the-ftc-is-investigating-dna-firms-like-23andme-and-ancestry-over-privacy.
“The Genetic Information Nondiscrimination Act of 2008: ‘GINA’ | U.S. Department of Labor.” www.dol.gov, www.dol.gov/agencies/oasam/centers-offices/civil-rights-center/statutes/genetic-information-nondiscrimination-act-of-2008/guidance. Accessed 15 Feb. 2021.
“Hack of DNA Website Exposes Data from 92 Million Accounts.” Bloomberg.com, 5 June 2018, www.bloomberg.com/news/articles/2018-06-05/hack-of-dna-website-exposes-data-from-92-million-user-accounts. Accessed 15 Feb. 2021.
