Genetic Testing Companies Pledge Privacy Changes in Self-Regulation
Several major companies in the consumer genetics testing industry have pledged today to follow a set of Privacy Best Practices that were developed with the help of the Future of Privacy Forum. The list of companies that participated in the development of the guidelines includes 23andMe, Ancestry, Helix, MyHeritage, and Habit.
There has been a lot of discussion in recent months about the need for government regulation of privacy practices. However, this effort in the DNA testing industry appears to be one of the first expressions of industry self-regulation following the privacy concerns that have come to light in 2018.
Consumers and the media have been expressing concerns about how the privacy of personal information would be handled by the industry after police in California identified a suspect by matching decades-old DNA from a crime scene against a crowdsourced database of DNA profiles compiled by volunteers.
The best practices established include:
– Transparency: Clear and complete information about the collection, use, sharing and retention of genetic data.
– Sharing Restrictions: Express consent for the transfer of genetic data to third parties. Vendors and Service Providers should be bound to the same level of privacy commitments as the company. Ban on sharing genetic data with third parties without consent or as required by law.
– DSAR Rights: The right to access, correct and delete personal data.
– Children’s Rights: Processing should occur with parental consent.
– Marketing: Restrictions on marketing based on genetic data, and consumers should be able to opt out of marketing communications.
– Law Enforcement: Disclose without consent only when required by a valid legal process and when possible, notify the consumer.
– Privacy by Design: Ensure only appropriate data is collected and reasonable retention practices are put in place.
– Data security protections: Maintain a comprehensive security program designed to protect against unauthorized access, use, or inappropriate disclosure through administrative, technological and physical safeguards appropriate to the sensitivity of the information.
– Consumer Education: Inform consumers about the risks, benefits and limitations of genetic and personal genomic testing.
– Accountability: Designate a responsible official or office as accountable for compliance with these privacy practices. Implement training programs for personnel handling data. Provide commitments enforceable by the FTC, State Attorneys General or other authorities.
– Deidentified and Aggregated Data: Deidentified information is excluded from the privacy best practices as long as measures have been taken to establish strong assurance that the data is not identifiable.
The move is similar to the pledge taken by 20 automakers in 2014 to meet or exceed the standards in the Automotive Consumer Privacy Protection Principles, designed to protect personal information collected by technology in cars. Those principles included a promise to provide customers with clear, meaningful information about the types of information collected and how it is used, provide ways for customers to manage their data, and obtain affirmative consent before using geolocation, biometric or driver behavior information for marketing and before sharing such information with unaffiliated third parties for their own use.
The PDF with the best practices for the consumer genetic testing industry is available via this link.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.