The Importance of Context with Genetic Privacy

As consumers, when we think of privacy, one of the first adjectives that springs to mind should be “inconsistent.” Consumers claim to want their personal information used only for the purposes they originally provided it, and protected until (somewhat famously) they are asked to exchange their passwords for chocolate. This privacy paradox has been supported both anecdotally and with data-based studies. Without biting into the question of the quality of chocolate offered in the password exchange, the general point remains that individuals’ comfort levels appear to be highly context-dependent. Ask a person, generally, whether their data may be used for “research,” and the response will often be rejection; ask with greater specificity about the nature of the research and how it will be used and protected, and the response will more often be approval.

And so it is, too, with some of the most sensitive personal information individuals have: their genetic data.

Genetic Data and Privacy Risk

Investigations into any number of diseases benefit from access to genetic data, so that variations between genes can improve the understanding of disease development and treatment. Health organizations, ranging from the National Institutes of Health to Harvard University, require the de-identification of genetic data to be used in research. The consent documents used when soliciting use of an individual’s genetic data typically promise that “it will be hard for anyone to find out anything about you personally from any of this research.” Except for when it isn’t so hard.  As far back as 2013, studies demonstrated the ability to triangulate the identity of a sample donor using genetic data and public databases.

Regardless of whether those solicited for genetic data use have seen the 1997 sci-fi movie Gattaca, study participants often cite privacy as a major concern. It is difficult enough to change a social security number, let alone your fingerprint, facial structure, or any other increasingly common biometric. The fear of one’s genetic data being misused is not unreasonable, and that fear translates into hesitancy to accept genetic testing in clinical care and to participate in genetic research.

The Vanderbilt Metastudy

Last week, a team of four researchers from Vanderbilt University Medical Center published a paper entitled, “A systematic literature review of individuals’ perspectives on privacy and genetic information in the United States.” The study’s authors reviewed 53 U.S.-based studies to determine how both the presentation of consent requests and the resolution of privacy concerns were handled.

The Vanderbilt team found that the quality of consent explanations yielded broad levels of confusion or concern from potential study participants. These often centered on the sharing of their data with others, including commercial entities. A consistent worry was access to their information by the government, an employer, or an insurer; however, individuals remained willing to provide genetic information in exchange for a benefit, whether that be lower premiums or insights into current or future health characteristics.

The bottom line of this metastudy is that the current consent management of genetic data – whether by a consumer-oriented service à la 23andme or a health provider – varies widely, with privacy concerns often unaddressed or addressed ambiguously.

Practical Tips for Managing Expectations

So how can the multitude of direct-to-consumer genetic-testing companies, as well as the health-sector research community, provide greater confidence to individuals and reduce genetic privacy concerns?

  • Provide clear and detailed privacy statements that outline specific categories of third-party recipients and use restrictions.
  • Educate individuals on the difference between “de-identified” data and “aggregated” data, with the understanding that one is indeed re-identifiable while the other should not be.
  • For the direct-to-consumer firms that share data with pharma companies (meaning most, if not all), de-identified genetic data may require supplemental details on what diseases or conditions the sharing is intended to combat.
  • Provide opt-out mechanisms where applicable law does not require opt-in, to give consumers and study participants a greater sense of control.
  • Consider adopting the best practices developed by the Washington, D.C.-based Future of Privacy Forum, which include a prohibition on sharing genetic data with certain third parties.