Language selection


Statement on the use of genetic test results by life and health insurance companies

July 9, 2014


Over the past five years, the Office of the Privacy Commissioner (OPC) of Canada has been examining the privacy implications arising from the collection and use of genetic information as one of its four policy priorities.Footnote 1 As part of this process, the OPC has monitored developments, commissioned research papers, consulted stakeholders and held expert roundtables in the area of genomics and privacy. Based on this work, the OPC has developed this statement on the use of genetic test results by life and health insurance companies.

Genetic Testing and Insurance in Canada

At this time, there are no laws in Canada that specifically address the use of genetic test results by insurance companies. In contrast, several countries have prohibited, or introduced moratoria on, the use of genetic information by insurance companies.Footnote 2

The Canadian Life and Health Insurance Association’s (CLHIA) Position Statement on genetic testing states that an insurer would not require an applicant for insurance to undergo genetic testing. “However, if genetic testing has been done and the information is available to the applicant for insurance and/or the applicant’s physician, the insurer would request access to that information just as it would for other aspects of the applicant’s health history.”Footnote 3 CLHIA’s policy is based on the general principle that “the insurer needs to have all available material information about the applicant’s risk, in order to properly assess that risk.”Footnote 4 The policy does not define what constitutes “material information” nor does it differentiate between different types of genetic tests or the purposes for which the testing was done. As a result, there may be uncertainty about when or how genetic test results are being used by insurers.

The absence of any specific prohibition on the use of genetic test results by insurers has raised concerns about genetic discrimination and the fear that potential discrimination might act as a deterrent to genetic testing even when clinically advisable.Footnote 5 Such concerns have prompted legislators to propose laws that prohibit organizations from requiring an individual to undergo a genetic test or disclose existing results of a genetic test as a condition of providing goods or services to the individual.Footnote 6 This proposed legislation and much of the discussion to date in Canada has looked at the issue from a human rights perspective.Footnote 7 The analysis that follows examines the collection and use of genetic test results by insurance companies from a data protection perspective. Footnote 8

The Importance of Purpose Specification

One of the fundamental principles of data protection and privacy laws is the concept of purpose specification and the expectation that personal information should only be used for the purpose for which it was collected.

According to the CLHIA Position Statement on Genetic Testing, “(i)t is extremely important that life and health insurers have access to and be able to utilize all relevant health information in order for the risk classification and underwriting process to function correctly. Information derived from genetic tests is medical information that is potentially relevant to risk classification”.Footnote 9

For their part, however, individuals may undergo genetic testing for many reasons. Sometimes it is for medical purposes. For example, an individual may undergo a well-established genetic test in a clinical setting to find out if they are at risk of developing a condition or disease that runs in their family, to confirm a suspected diagnosis at an early stage or for reproductive planning purposes, i.e., to determine if they are a carrier for a serious genetic condition that could be passed on to a child.Footnote 10

As a result of advances in science and the availability of more powerful computing technologies, genetic testing has become cheaper, faster and more readily available. Today, individuals may undergo testing for reasons other than these well-established clinical purposes.

Individuals may voluntarily undergo genetic testing as part of a health research project to help researchers identify associations among different genes or between genes and environmental factors in order to better understand how, and to what extent, genetic variations contribute to health and disease. Often, these research projects are carried out on very large sample sizes – sometimes millions of research participants. In this context, researchers are not examining the accuracy of specific individual results, but rather, looking for general associations among literally billions of data points. Whether individual results are offered to research participants depends on the research protocol and the preferences of the research participant.Footnote 11

As well, individuals may use direct-to-consumer (DtC) genetic testing companies that market their services directly to consumers, typically via the Internet. Some DtC companies offer tests they claim can identify an increased risk of developing certain conditions. Others claim to provide information about paternity or other biological relationships, ancestry, ethnicity, physical traits or even how one’s genetic make-up affects reaction to foods. Individuals who undergo these types of tests may be motivated by a variety of reasons; the purpose may be legal, genealogical, nutritional or it may simply be out of fun or curiosity.Footnote 12 What these companies purport to do with the personal information they collect from consumers varies widely from company to company.Footnote 13


The Privacy Commissioner of Canada oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA sets out general rules that govern the collection, use and disclosure of personal information, including health and genetic information, by organizations engaged in commercial activity.

Of principal importance is the requirement for consent. Insurance companies must obtain an individual’s consent for the collection and use of his or her genetic test results for insurance underwriting purposes. Typically, they do so through the insurance application process and acceptance of the terms of their insurance policies. In addition to consent, PIPEDA requires organizations to comply with other data protection obligations.

There are three principles in PIPEDA that are particularly relevant in terms of assessing the appropriateness of insurance companies collecting and using genetic test results of applicants. The Consent Principle (Principle 4.3.3) affirms that an organization shall not require an individual to consent to the collection, use, or disclosure of personal information beyond that required for an explicitly specified and legitimate purpose. The Limiting Collection Principle (Principle 4.4) limits collection to only that personal information which is necessary for the purposes identified by the organization. The “reasonable person” provision (subsection 5(3)) limits the collection, use or disclosure of personal information “only for purposes that a reasonable person would consider are appropriate in the circumstances.”

The question the OPC set out to address is whether requesting access to existing genetic test results goes beyond that which is necessary for legitimate business purposes or beyond that which a reasonable person applying for life or health insurance would consider appropriate in the circumstances.

In order to address this question, the OPC has adopted the following well-established four-point test as an analytical frameworkFootnote 14:

  1. Are the collection and the use of this personal information necessary to achieve a legitimate business purpose?
  2. Is the personal information likely to be effective in achieving that purpose?
  3. Are the collection and the use proportionate to the benefits gained?
  4. Are there less privacy-invasive alternatives?


One way to assess whether genetic test results are necessary to allow life and health insurance companies to assess risks accurately and fairly would be to examine the impact on the industry if it were not allowed to use this information. To help our Office assess this question, we commissioned two papers by experts in actuarial science and economics.Footnote 15

The two papers agree that, at the present time and in the near future, the impact of a ban on the use of genetic test results by the life and health insurance industry would not have a significant impact on insurers or the efficient operation of insurance markets.

In reaching this conclusion, both papers distinguish between complex (or multifactorial) disorders and monogenic (or single-gene) disorders. Both papers conclude that monogenic disorders – diseases caused by a mutation or abnormality in a single gene – are so rare that in an insurance market of reasonable size, the cost impact of any adverse selectionFootnote 16 (that might result from banning insurance access to genetic test results would be very small.

With respect to multifactorial disordersFootnote 17, both papers conclude that since the genetic contribution to most common complex disorders is small relative to other factors, prohibiting insurers from using results indicating the presence of a genetic marker associated with one of these disorders would not adversely affect the financial viability of insurance markets at this time.

Based on these expert conclusions, therefore, collection and use of existing genetic test results by insurance companies would not appear to be necessary for the legitimate business needs of the industry at the present time.


A number of tests for rare monogenic disorders have been clinically established as having high predictive value, but most common diseases are complex in nature. The genetic contribution to the incidence of most multifactorial, complex diseases is still not well understood relative to many other health and environmental factors. As such, most genetic test results in the clinical context are still of relatively low probabilistic value and are therefore not likely be effective for insurance underwriting purposes at this time.

Moreover, the clinical accuracy, validity and utility of DtC tests in the current unregulated market are open to question. Whether DtC companies are even subject to the Canadian Food and Drugs Act and related medical device regulations is not clear. In November 2013, the United States Food and Drug Administration (FDA) ordered 23andMe Inc., a high-profile DtC company, to stop marketing its Personal Genome Service (PGS) until it receives FDA marketing authorization for the device.Footnote 18 As a result, 23andMe has stopped providing health-related analyses, although it still provides ancestry-related genetic tests and raw genetic data. The FDA’s order was based on 23andMe’s failure to provide “assurance that the firm has analytically or clinically validated the PGS for its intended uses.”

In the research context, the validity and accuracy of individual test results cannot always be guaranteed.Footnote 19 This is particularly the case in the context of very large population-based research studies where the researchers’ purpose is to look for general associations across billions of data points and not for test results for specific individuals per se. In the clinical research context, the whole purpose of the study may be to look for the genetic contribution to disease and find clinically-relevant associations that have not yet been established and are still in the testing phase.


Individuals undergo genetic testing for a variety of purposes. Individuals may undergo testing as part of a research study, to determine if they are a carrier for a condition for family planning purposes or they may simply be curious about what they can learn from a DtC test. Individuals undergoing genetic testing for reasons completely unrelated to their future health would not necessarily expect that the results will be used for unrelated purposes such as assessing insurance risk.

In addition to looking at the impact of a ban from an economic efficiency perspective, Professor Hoy and Maureen Durnin also look at the impact in terms of societal welfare as a whole. They conclude that even if a ban resulted in a higher price for the many low-risk individuals and a lower price for the fewer higher-risk individuals, the resulting reduction in coverage would not be significant and the ban would improve overall well-being from a distributive justice and equity perspective.

Hoy and Durnin also point out that, given the highly sensitive nature of the information, a ban on insurance use of genetic test results could increase incentives (or at least decrease disincentives) for individuals to seek out clinically relevant information that could help them make important healthcare decisions. Such instrumental benefits of privacy would not only potentially improve an individual’s wellbeing, “it is also possible that the overall health care system could be made more efficient and less costly.”Footnote 20

Less privacy invasive alternatives?

The type of information collected is a particularly relevant factor in determining whether it is appropriate for an organization to collect personal information. Where the personal information being collected is perceived to be of a particularly sensitive nature (such as genetic test results), the need to consider less privacy invasive alternatives is particularly strong.

Insurers already have access to large amounts of health-related information collected through detailed application forms and access to medical records. They already use a number of well-established risk factors including age, sex, medical history, family history, smoking habits, blood pressure and occupation to assess applicants from a risk-based perspective.

In addition, life insurers in some jurisdictions are either prohibited from using or have very limited access to existing genetic test results without any apparent negative consequence for the industry.Footnote 21 This suggests that relying on other available information is a viable, and less privacy-invasive, alternative.


Under subsection 5(3) of PIPEDA, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. Subsection 5(3) involves a balancing of interests, consistent with PIPEDA’s overall purpose of balancing an individual's right to privacy with an organization’s commercial need for collecting, using and disclosing personal information. Insurance companies need to collect and use personal information to assess risk – assessing risk is critical to the underwriting process. However, a legitimate need does not give an organization the authority to collect any and all personal information on the grounds that it might be useful or relevant.

Based on our analysis, it is not clear that the collection and use of genetic test results by insurance companies is demonstrably necessary, effective, proportionate or the least intrusive means of achieving the industry’s objectives at this time.

Taking into consideration:

  • the highly sensitive nature of genetic test results;
  • the low predictive value of many genetic test results;
  • that, at the present time, few people hold actuarially significant test results;
  • the rare occurrence of monogenic disorders;
  • the unregulated nature of the DtC industry and questions about the accuracy, validity and utility of DtC results;
  • the public interest in encouraging individuals to voluntarily participate in health research without fear that their test results will be used for unrelated purposes;
  • the importance of creating an environment in which individuals feel free to undergo medically valuable genetic tests without worrying about the impact on their ability to obtain insurance; and
  • evidence that restricting insurers’ access to genetic test results would not have a significant adverse impact on the viability of the life and health insurance industry,

we, therefore, urge the life and health insurance industry to expand its voluntary moratorium, that currently calls on its members to refrain from asking applicants to undergo genetic testing, to also refrain from requesting access to existing genetic test results until such time as they can be shown to be demonstrably necessary and effective. Recognizing that the state of medical technology is changing rapidly, this position should be revisited on a periodic basis.

Date modified: