The search for the so-called Golden State Killer - who allegedly raped dozens of women and killed at least 12 people in the 1970s and 1980s - had hit a dead end when investigators decided to test DNA evidence from a crime scene against genetic data on GEDmatch, a website of volunteered samples. Eventually, this technique helped investigators close one of the most notorious cold cases in recent history - but it also raised important questions about the privacy rights of customers.
How and when should genetic testing companies share data with third parties such as researchers, websites or law enforcement officials? And do companies have an obligation to inform users that their information has been shared?
These concerns were heard in the genetic-testing industry. A number of popular companies recently committed to a new set of best practices governing how and when they would collect, use and share customers’ DNA. Among these guidelines are promises that the firms would obtain “separate express consent” from users before sharing their genetic information, use robust information security and publicly disclose the number of law enforcement requests received at least annually.
Though the guidelines do not cover the aggregated data often used in medical research, they apply to riskier forms of genetic data-sharing: that of individual-level, identifiable information. Critics fear that, in the wrong hands, this data could be used to discriminate based on disease risk or medical conditions; reveal information about an entire family, including someone’s future children; and even prove infidelity and parentage without a person’s consent.
With these risks in mind, the new commitments are an important step toward transparency and security in an industry that has faced little oversight.
Genetic-testing technology is progressing rapidly. The rules need to keep up.
-The Washington Post