The DNA trap: DNA testing companies and the potential misuse of sensitive personal data

The ability of any firm to demonstrate that it has robust ethical frameworks, intertwined with essential governance and corporate social responsibility, is critical. Over the last decade and a half, a new kind of firm, the DNA testing and genealogical company, has arrived on the radar of those who want to understand who they are, where they are from, and what links they have to others, known and as yet unknown. These firms offer new and unique services such as single-ancestry checks or combined ancestral and health analysis. Their advertisements and sales pitches are numerous on television, across the internet and in the pages of newspapers. Prices of services range from £59 to £149 depending on the choice of firm. There are also claims for nutrigenetics, which is being developed to fit diets and fitness to genetics, so that how and what a person eats can be tailored specifically to their genes. Sometimes special seasonal or celebratory prices are available, as are promotions by celebrities to generate sales.

To offer such a service, besides taking payment, the firms ask members of the public to contact them for testing kits. The seemingly painless job of sending their saliva, swabbing their cheeks or pricking their fingers yields samples that could potentially help the participants make discoveries that may transform their lives. These firms include, among others, AncestryDNA, 23andMe, MyHeritage DNA, LivingDNA, Vitagene and DNAFit. There is also the open-source genetic database known as GEDMatch. They are all in the business of acquiring DNA samples from their users; once analysed, these samples lead to DNA results, which are used to generate DNA reports.

As the world metamorphoses and firms continue to leverage technology to generate profits and increase their access to customers, some of whom are vulnerable, ethical considerations, corporate governance and social responsibility do not seem commensurate with the intensified pace of change. Technologies such as artificial intelligence (AI) are projected to affect billions of lives over the next decade, and these trends represent both threats and opportunities. For instance, recent research from the ICSA – the governance institute shows that only half of respondents (51%), when asked whether their boards fully understand the challenges and opportunities that data and technology present to their organisations, believe that they do.

Despite this, the rate at which DNA and genealogical testing firms are developing and acquiring DNA datasets, and targeting customers through their behaviour on the web, mobile apps, software and products by means of tracking technologies, is calling for questions to be raised. These firms are thereby increasingly finding themselves under the spotlight with regard to their ethical conduct. Furthermore, the consumers of today have higher expectations of data privacy, particularly in light of recent scandals, as examined by Dr Costantino Grasso in the article that focused on the Cambridge Analytica scandal and Facebook data breach. As a result, a series of questions arise as to whether offering such DNA testing services and gathering the related extremely sensitive and personal data represent business activities performed in an ethical way. This is a debate that requires further exploration.

This article will highlight the potentially irresponsible behaviour of these firms in the handling, protection and transfer of data harnessed from the millions of people responding to their call to test their DNA. In particular, it will be argued that there is a compelling need for corporate social responsibility measures where legal and regulatory frameworks or industry standards have been met but concerns still exist regarding ethical aspects of the business operations involved. Conversations coated with concerns in this realm have been regenerated in light of recent reports of law enforcement agencies using the services of genealogy websites to solve age-old crimes. The realisation that relatives who were victims of crime, or who have committed crimes, could be identified when a third cousin gives their own DNA sample to any of the DNA testing firms has concentrated minds on data privacy and on what consent actually means. Whether those signing up in the first instance know all the possible uses of their DNA is an urgent corporate social responsibility question. It requires more concerted efforts on the part of the companies, so that they are not seen as shirking their corporate social responsibility to society at large, which is unaccountable by definition.

From a survey done online, it emerged that, under the policies of the DNA testing and genealogical companies, individuals seeking their DNA analysis and information are promised that their privacy is important to the firms, and that their DNA samples, test results and all other personal data provided for the service are stored in accordance with industry-standard security practices, with encryption of data both at rest and in flight. Furthermore, there are assurances that customers’ DNA test results and DNA samples are stored carefully without any names or any other common identifying information, through de-identification and pseudonymization; that is, data garnered at registration are stripped from the sensitive data. The sensitive data are then further randomised such that no individual is able to be “reasonably” identified. The customers are also assured that their DNA data are owned by them, that these and the DNA test results can be deleted at any time, and that their physical DNA saliva sample can be destroyed as soon as they require this to happen. Finally, these customers are told that their name or any common identifying information linked to their genetic data will not be shared except with their explicit consent or when the firms are legally required to do so.

Notwithstanding such formal reassurances, the processing of these collected data, as well as the possible consequences for DNA subjects of intended further processing, highlights potentially irresponsible behaviour by the DNA testing companies. These companies cannot be run just like other consumer service companies; rather, they should have strict guidelines, as they deal with a category of the most sensitive data that a human being has. As the European Union General Data Protection Regulation (GDPR), which is the most important data privacy regulation adopted in the last 20 years, expressly recognises, DNA data are considered among an individual’s most personal and sensitive data. As a matter of fact, the GDPR under Article 9, sections 1-4, spells out exactly how sensitive data are covered separately from general data. It clarifies that very sensitive data such as one’s DNA, that is, genetic and phenotypic data, are to be prohibited from processing except when data subjects give their explicit consent.

Does this consent, once given, cover all multitudes of usages over the entire period for which the data are held? And how does the industry manage relatives who could be identified alongside the one who gave consent, when such a relative may not even be aware of such goings-on and has specifically not given consent to be identified? Also, the current lack of clarity in advertisements about the privacy implications, and the lack of immediate knowledge of the privacy policies of the DNA testing companies even on visits to their online privacy pages, indicate a state of affairs that must be immediately worked on and corrected. Some policies use acronyms and words that mean little or nothing to the average user; other documents present several layers of superabundant information before getting to full privacy statements; other statements include clauses characterised by significant ambiguity and differences in relation to what exactly happens to the data. Finally, as regards the age required to use the service, it is concerning that some firms affirm that one needs just to be over the age of 13.

Also, when mergers and acquisitions are being done which will profit pharmaceutical companies, or when 31 details of individuals are handed over to law enforcement agencies out of 34 requests made, are these necessary for reasons of substantial public interest as advocated by the GDPR? Questions of ethics, data privacy and governance are therefore further raised, for which there are yet to be full clarifications from DNA testing and genealogical companies. These companies, though, have become multi-million dollar firms, with the largest player, AncestryDNA, having over 10 million customers and making over a billion dollars in 2017 alone. So, for customers to have reassurances about how their data are used, stored and passed on at the DNA testing and genealogical companies, there needs to be greater transparency and accountability from their boards of directors and management. They need to adopt better practices promoting long-term value instead of the short-termism of the acquisition of data and profits.

Firstly, a consistent approach to dealing with privacy issues is urgently required. This includes putting privacy at the front of the advertisements, online platforms and promotions. Also, the age of adulthood for the users of these platforms should be globally adopted as 18, which is a more universally recognised coming of age, at which an individual will potentially be better informed of the consequences of using the service and handing over their data than at 13. The practice of companies getting royalty-free, worldwide licences from their customers for their DNA samples, results and reports should be discouraged, and data protection regulations in the various jurisdictions should be strictly adhered to. Technology is for good, and though its changing nature, both in advancements and in pace, is dynamic, CEOs and leaders of DNA testing and genealogy companies, together with their boards, should adopt ethical practices, especially on the burning issue of data privacy, using some of the quick wins espoused herein. These will help ensure that they remain alive to their corporate social responsibility obligations and that the outcomes for data privacy do not have worryingly different results, like some of their DNA testing results.

2 thoughts on “The DNA trap: DNA testing companies and the potential misuse of sensitive personal data”

  1. Thank you for this interesting article, which demonstrates how much some companies can abuse people’s trust or, if I can say, imprudence. It is true that nowadays people easily give big or famous companies such as Facebook their confidential information because they think that it is safe and that nobody will have access to that information without their consent. They also are curious to know their roots or just do as other people do and follow a trend; for example, American genealogy TV shows. However, people do not realize that those companies are not interested in their customers’ or users’ safety but in their benefits.
    On the one hand, it is clearly unethical and intentional, and those companies which have these confidential and personal data must provide the highest level of transparency. But on the other hand, people are also responsible when they give their data. This kind of information should not be given easily, and people should think about it beforehand. Nobody reads policies entirely and just clicks on “I have read, and I agree with” and this is a pure act of imprudence.
    By giving their consent they protect those companies, which now have the legal right to process personal data. In my opinion, some measures must be taken to make people aware of the consequences of their consent. Because of the expansion of the internet and technologies, the government should raise awareness of the danger of providing personal data. Moreover, sanctions should be created to punish unethical companies’ actions. Unfortunately, technology development and the internet are faster than the law.
    Last December, CNBC published a good article which warns people about the danger of “sharing DNA”; this is the kind of article that people should read before giving their consent and that companies should prevent from.


  2. Thank you for your comments Celia. You have articulated very well some of the concerns highlighted in the paper. Lack of access to information, lack of education, poverty, being imprudent, just not being well-informed or also just being altruistic may account for the various reasons why consumers hand over their genetic data to corporations who may or may not pass them to third parties. These are concerns that we continue to see and more research will be needed in this area. A burning issue was the concern as seen in this paper for the age of consent, where some require just being 13 years old to sign up. You also correctly identified whether more governmental action is required in the regulatory space as pertains to privacy. The US has the Genetic Information Nondiscrimination Act of 2008 (GINA) whilst Europe has the GDPR of 2018. You may already sense that GINA needs a lot of work to catch up with the emergence and rapid expansion of the DNA testing and genealogical companies. These companies however need to adopt ethical practices and remain alive to their corporate social responsibility obligations for a better future for citizens, society and the corporations themselves as argued in the paper.
