Underlying all of the widespread uses of genetic testing—diagnostic testing, carrier testing, prenatal testing, consumer-oriented genetic testing, etc.—few issues loom as large, and as loud, as privacy.
One prominent example: despite the potential for wide-ranging medical benefits to patients presented by the recent deal between 23andMe and GlaxoSmithKline, wherein GSK will use 23andMe’s genetic database to further the development of novel medical treatments, the deal immediately set off a noisy, public reaction regarding privacy concerns. Many noted that 23andMe would now give its customers an opt-out option, via email, for sharing data with GSK, rather than the opt-in option that 23andMe customers previously had to choose before the company could share their data with GSK and the six other companies with which 23andMe partnered. Many worry about the security of genetic data as it moves from one organization to another.
Setting aside for the moment some of the other swirling general privacy concerns, such as law enforcement pressure, legal subpoenas, and the selling of genetic information, we’ll focus today on two key issues: (1) communicating the risks of anonymized genetic information in public databases; and (2) the privacy and security of genetic data within the data supply chain.
Can Anonymized Genetic Data be De-Anonymized?
When genetic data is anonymized and transferred to public genetic depositories, it appears there is a very real risk of such data being cross-referenced against public demographic data and used to re-identify the genetic donors and their families.
In addition to consumers’ genetic information being shared by companies, online databases allow individuals to anonymously upload their genetic results directly. One of these databases, GEDmatch, famously helped lead to the arrest of the suspected Golden Gate Killer. Multiple studies have indicated that re-identification of genetic donors is possible: see “Identifying Participants in the Personal Genome Project by Name” and “De-anonymizing Genomic Databases Using Phenotypic Traits.”
And a recent study concluded that up to 60% of Americans of European descent—even those who have not undergone genetic testing—could be identified on the basis of available genetic information.
23andMe cofounder Linda Avey has said that “it’s a fallacy to think that genomic data can be fully anonymized.” Peter Pitts, the outspoken former commissioner of the FDA and current president of the Center for Medicine in the Public Interest Forensic Genetics Policy Initiative, believes companies who handle genetic data owe it to consumers to be more forthright about the possibility of such re-identification as well as other real-world privacy concerns.
In light of the increasing scrutiny under which companies who handle genetic material must operate, they would do well to heed Pitts’ plea for transparency with regard to the risks and benefits of participation.
The Importance of Air-Tight Genomic Data Privacy within the Data Supply Chain
It has become axiomatic that genetic data requires an even greater degree of protection than other protected health information, in part due to the interfamilial and multi-generational implications of a genetic data breach that could affect millions of individuals who have never participated in nor consented to genetic analysis.
Many worry that the hacking of genetic data could be the new identity theft, but with more profound privacy implications. The recent hack of more than 92 million MyHeritage accounts held on a private server underscores ongoing DNA privacy concerns.
Against the backdrop of ethical, legal, and reputational scrutiny, all companies who handle genetic information must aim to provide the highest level of data security possible. This includes practicing diligent cloud computing by leveraging up-to-the-minute security practices and processes. As we noted last year in our 2018 Pharmaceutical and Life Sciences Trends, “where the privacy and security of both patient information and intellectual property may have been a concern in the past, hybrid cloud solutions ensure that information is protected while also enabling the key capabilities of the cloud.”
Relevant companies must make continuous investments in strengthening and updating their security measures.
While the Genetic Information Nondiscrimination Act (GINA) covers genetic privacy, bear in mind that genetic privacy laws are still broadening, and with public pressure, genetic data privacy is a hot issue at the forefront of legislators’ minds. It’ll be best to have a data supply chain that reflects the trajectory of genetic data privacy law, rather than scrambling to play catch-up.
Coauthor and contributions by Susan Lowe