Direct-to-Consumer Genetic Testing and Privacy
May 2, 2017 — On April 4, 2017, Bill S-201: An Act to Prohibit and Prevent Genetic Discrimination was passed by the Senate and is currently awaiting Royal Assent.
Bill S-201 is an important piece of legislation, designed to protect Canadians from the adverse impacts of genetic discrimination. The Act prohibits genetic discrimination across Canada. It bars any entity from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services, or entering into a contract. It also requires those entities to obtain an individual’s written consent to collect, use or disclose their genetic test results.
As the bill will soon become law, we are reviewing and updating our information and advice on direct-to-consumer genetic testing.
As direct-to-consumer genetic tests become increasingly available, particularly over the Internet, it is important to understand their privacy risks. This document explains some of the key privacy risks associated with these tests and encourages individuals to ask themselves a series of questions before buying one online.
What questions should I consider before purchasing a direct-to-consumer genetic test?
Does the company explain:
- What personal information it will collect, including any biological samples and test results, and are you satisfied with its explanations regarding how it will process and protect the data?
- What kind of lab performs the testing and whether it is certified by an accredited body?
- The purposes for the genetic test? Are they consistent with your expectations?
- Whether your information will be disclosed to third parties, for what purposes and whether you can refuse?
- Whether your information will be disclosed outside Canada?
- If your information may be used for research purposes and if so, by whom and under what conditions?
- How long your personal information, biological sample and test results will be retained and why, and can you request that remaining samples be destroyed and that your information be deleted?
- How you can access the personal information about you that is on file, including a record of how your data has been used and to whom it has been disclosed?
You should also ask yourself the following:
- Would talking to my doctor or genetic counsellor help me make a more informed decision about whether a direct-to-consumer genetic test would meet my needs?
- Am I comfortable finding out things about myself or my family members that I did not expect?
- Have I spoken to my family members about the potential implications this may have for them?
- Have I considered that my insurance company may ask me to disclose the results of my test and that this may have long-term consequences for my insurance coverage?
If the policy does not clearly answer your questions and explain what will happen to your personal information, including your biological samples and test results, contact the company directly for more information. They should provide contact information for somebody who can answer privacy-related questions.
What is direct-to-consumer genetic testing?
Direct-to-consumer genetic tests allow individuals to purchase a genetic test directly from a company — often over the internet. You may be asked to answer a range of personal questions and to provide a biological sample (i.e., saliva or a cheek swab) in the mail, from which the genetic test results are generated.
Traditionally, genetic tests were ordered by a physician for specific medical purposes, and only in exceptional circumstances. Today, companies may offer genetic tests for a number of purposes, including, for example:
- Health related tests that indicate the relative risk of developing a health condition, indicate whether you carry a particular genetic variant that may be passed on to your children, assess sensitivity to particular drugs (pharmaco-sensitivity tests), or assess responsiveness to certain foods (nutritional genomics);
- Identity related tests that enable individuals to learn more about their ancestry or to verify paternal or maternal relationships; or,
- Recreational tests such as those that are likely to tell you things about yourself that you already know (i.e., your eye colour, height, or type of hair you have) or things that are interesting but for which genes are not determinative (i.e., personality traits or athletic potential).
Proponents of direct-to-consumer genetic tests argue that they can empower individuals to learn more about themselves and their health, which can lead to healthier choices. They may also provide knowledge or closure to individuals and families who are seeking to learn who their relatives were or are.
Others point out that direct-to-consumer genetic tests are not regulated and there is no assurance the results are accurate. And, in the case of genetic tests conducted for ancestral purposes, there is no guarantee that they will provide the answers an individual or family is looking for.
What are the potential privacy risks associated with direct-to-consumer genetic testing?
As direct-to-consumer genetic tests become increasingly available, it is important to understand their privacy risks. Genetic information can be highly sensitive personal information. Combined with contact, health, lifestyle, and financial information, genetic information paints a very detailed picture of you, and potentially your family members.
Improper handling or misuse of your sensitive personal information, particularly in circumstances where you have not been fully informed, could increase the risk to your privacy and expose you and your loved ones to undesirable outcomes.
- Notice and Consent
When collecting personal information, including biological samples and test results, direct-to-consumer genetic testing companies should be open and transparent about the purposes for collection. This includes explaining any other, less obvious ways data may be used, such as for health research.
When companies are not open or clear about their practices, or when individuals do not take the time to review their privacy policies, there is a risk of undergoing a genetic test without knowing or fully understanding what is being agreed to.
Therefore, before consenting to a genetic test you should be able to understand what personal information is being collected, why, and whether your information will be used for other purposes or shared with others.
Given the sensitive nature of genetic or genomic information, you should provide your explicit consent. In other words, companies should not be able to simply assume you have given your implied consent, but rather, you should be asked to provide it expressly.
- Sharing Genetic Test Results
Some companies allow their customers to make their data available online for others to see and use, or to share their results with others through social media sites. Websites have also emerged that allow individuals to upload their genetic test results for download by anyone on an "anonymized basis".
Should your genetic test results be posted online, it is difficult, both legally and practically, to have that information removed if you change your mind later. Everything posted online is potentially viewable and shareable by millions, and it could surface months or years after posting, in a variety of contexts, intended or not. Even if it is said to be anonymized, be mindful of the possibility that your genetic information could be linked back to you if it is re-identified, and could be used for purposes that you did not intend, such as for assessing insurance eligibility or employability. Sharing, or permitting others to share your genetic data, explicitly or anonymously, in a manner that could be linked back to you personally, may potentially lead to discrimination, stigmatization, or financial or reputational harm.
- Collection of Genetic Test Results by Life and Health Insurance Companies
There are no laws in Canada specifically prohibiting insurance companies from collecting genetic test results, whether conducted in a clinical setting or a commercial direct-to-consumer context.
Although insurance companies do not require applicants to undergo a genetic test, they may ask individuals to disclose existing test results — including any results from a direct-to-consumer genetic test — as part of their risk assessment. This could potentially have an impact on the premiums or insurability of applicants.
For more information on the privacy implications of the collection of genetic test results by life and health insurance companies, please see the Office of the Privacy Commissioner's policy statement (Footnote 1).
- Use of Genetic Information for Research Purposes
Some direct-to-consumer genetic testing companies may request to use biological samples for research purposes. If you consented to provide your genetic information for research purposes, you have the right to withdraw your consent; however, once your personal information has been analyzed as part of a research study and aggregated into the final results, it may not always be easy, or even possible, to opt out retroactively.
You may also wish to ask who will be conducting the research — the company itself or some third party. What are the research objectives of the study and for whose benefit? Will the research be reviewed and approved by an independent research ethics board? Will you be informed of the research results?
Prior to agreeing to participate in a research study, consider the consent form carefully. It should clearly explain whether the information will be re-identifiable (associated with you) and whether and how any incidental findings (results you were not expecting) would be communicated to you.
- Retention and Destruction
Before ordering a genetic test you should also be able to identify how long the company will retain your personal information, including test results and biological samples, and how and when they will dispose of them. Personal information that is no longer required to fulfill the purposes for which you provided it must be destroyed, securely deleted, or rendered anonymous.
It is important to consider what will occur to your personal information in the event the company winds down its operations, files for bankruptcy, merges with, or is acquired by another company.
- Receiving Your Test Results
It is also important to be aware that under Canada's federal and provincial private sector privacy laws individuals have the right to request access to their personal information, including records of how it has been used and whether it has been disclosed.
Although you have a right to access your own personal information, you should be prepared for the possibility of finding out information you did not anticipate, about yourself or your parental linkages—some of which you may not want to know.
- Safeguarding Your Personal Information
You should be satisfied with the company's privacy and information security practices prior to purchasing a genetic test. Companies should develop and implement strong policies and security controls in order to protect against the risks of unauthorized access, loss or theft, and to ensure that personal information is not further disclosed or used for purposes it was not collected for in the first place.
Some companies may store genetic or genomic data in the cloud or transfer it to another jurisdiction for processing. Keep in mind that personal information transferred to another country will be subject to the laws of that country.
- Accuracy of Genetic Test Results
Under most data protection laws, companies must ensure that the personal information they have about you is accurate. However, because direct-to-consumer genetic testing laboratories may not be legally subject to any accreditation or certification standards—depending on the jurisdiction in which they operate—there is no guarantee about the quality of the test results you receive. The test results you receive may not be valid or even reliable.
Before placing an online order for genetic testing, you may also wish to ask about the company's laboratory or about the laboratory they outsource their testing to. Where is it located? Is it duly accredited or certified? If so, in accordance with which regulatory standards?
What to do if you are concerned about your privacy?
If you have a privacy concern or a complaint about how a direct-to-consumer genetic testing company has collected, used, or disclosed your personal information, and you have not received satisfactory answers from the company, you may contact one of our offices.
The Office of the Privacy Commissioner of Canada and provincial Privacy Commissioners in provinces that have adopted similar private sector privacy laws (Alberta, British Columbia and Quebec) are responsible for overseeing compliance with their respective laws. They are empowered to investigate complaints, publicly report on the privacy practices of organizations and promote privacy awareness.
Which privacy laws apply?
Direct-to-consumer genetic testing companies are subject to Canada's federal and provincial private sector privacy laws if they are situated in Canada or have a real and substantial link to Canada. Under these laws, personal information — including biological samples and genetic test results — should only be collected, used or disclosed for an appropriate purpose with your knowledge and consent. It must also be properly safeguarded and retained only as long as necessary. The applicable privacy legislation includes:
- The Personal Information Protection and Electronic Documents Act which applies federally to organizations that collect, use, or disclose personal information in the course of commercial activities;
- The Personal Information Protection Act which applies to private sector organizations in Alberta;
- The Personal Information Protection Act which applies to private sector organizations in British Columbia; and,
- An Act Respecting the Protection of Personal Information in the Private Sector which applies to private sector organizations in Quebec.