Direct-to-consumer genetic testing and privacy

Updated: December 2017

As direct-to-consumer genetic tests become increasingly available, particularly over the Internet, it is important to understand their privacy risks. This document explains some of the key privacy risks associated with these tests, informs individuals of their rights and encourages them to ask themselves a series of questions before buying one online.

IMPORTANT NOTE: Readers should note that on May 4, 2017, Bill S-201, the Genetic Non-Discrimination Act, received Royal Assent. Canadian law now prohibits any person from requiring an individual to undergo a genetic test or to disclose the existing results of genetic tests.

Essentially, the Genetic Non-Discrimination Act puts you in control of your personal information. It is prohibited for any person to collect, use, or disclose your genetic test results without your written consent.

This means that you are entitled to obtain a genetic test without having to consent to further disclosures that are not directly related to providing you with the service that you want.

It also means that you are in no way obliged to disclose your genetic test results to your employer or insurance company or any other business, nor should you feel any pressure to do so. If, on the other hand, you wish to disclose your results voluntarily, your consent must be in writing, fully informed and freely given.

What questions should I consider before purchasing a direct-to-consumer genetic test?

A good starting point before buying a genetic test is to ensure the company has a privacy policy, which you should be able to locate on the company's website.

Questions you may ask the Company:

  • What are the purposes of the genetic test (health-related, ancestry, paternity or maternity testing) and are they consistent with your expectations?
  • What personal information will the company collect in addition to your biological sample and are you satisfied with its explanations regarding how it will process and protect the data?
  • With whom does the company propose to share your test results (e.g. researchers, pharmaceutical companies, marketers, patient groups, related or affiliated companies, etc.) and have you been given the opportunity to consent to this voluntarily and in writing? You are within your rights to refuse such disclosures.
  • What kind of lab performs the testing and is it certified by an accredited body?
  • Will your information be processed outside Canada?
  • How long will your personal information, biological sample and test results be retained and why? Once the service is completed and the related retention period has expired, will your sample be destroyed and your related personal information be deleted?
  • How can you access the personal information about you that is on file, including a record of how your data has been used and whether and with whom it has been shared (in accordance with your prior consent)?

If the policy does not clearly answer your questions and explain what will happen to your personal information, including your biological samples and test results, contact the company directly for more information. They should provide contact information for somebody who can answer privacy-related questions or concerns. If you are still not satisfied with the responses provided, know that you can contact one of our Offices and consider filing a privacy complaint.

Personal questions you may ask yourself:

In addition to the questions you may ask the company, you may also wish to reflect upon and ask yourself these more personal questions:

  • Would talking to my doctor or genetic counsellor help me make a more informed decision about whether a direct-to-consumer genetic test would meet my needs?
  • Am I comfortable finding out things about myself or my family members that I did not expect or that I may not want to know?
  • How will receiving this information affect me and the kinds of life choices I will make?
  • Have I spoken to my family members about the potential implications this may have for them?

What is direct-to-consumer genetic testing?

Direct-to-consumer genetic tests allow individuals to purchase a genetic test directly from a company — often over the internet. You may be asked to answer a range of personal questions and to provide a biological sample (i.e., saliva or a cheek swab) in the mail, from which the genetic test results are generated.

Traditionally genetic tests were ordered by a physician for specific medical purposes, and only in exceptional circumstances. Today, companies may offer genetic tests for a number of purposes, including for example:

  • Health related tests that indicate the relative risk of developing a health condition, indicate whether you carry a particular genetic variant that may be passed on to your children, assess sensitivity to particular drugs (pharmaco-sensitivity tests), or assess responsiveness to certain foods (nutritional genomics);
  • Identity related tests that enable individuals to learn more about their ancestry or to verify paternal or maternal relationships; or,
  • Recreational tests such as those that are likely to tell you things about yourself that you already know (i.e., your eye colour, height, or type of hair you have) or things that are interesting but for which genes are not determinative (i.e., personality traits or athletic potential).

Proponents of direct-to-consumer genetic tests argue that they can empower individuals to learn more about themselves and their health, which can lead to healthier choices. They may also provide knowledge or closure to individuals and families who are seeking to learn who their relatives were or are.

Others point out that direct-to-consumer genetic tests are not specifically regulated and there is no assurance the results are accurate. And, in the case of genetic tests conducted for ancestral purposes, there is no guarantee that they will provide the answers an individual or family is looking for.

What are the potential privacy risks associated with direct-to-consumer genetic testing?

As direct-to-consumer genetic tests become increasingly available it is important to understand their privacy risks. Genetic information can be highly sensitive personal information. Combined with contact, health, lifestyle, and financial information, genetic information paints a very detailed picture of you, and potentially your family members.

  • Notice and Consent

When collecting personal information, including biological samples and test results, direct-to-consumer genetic testing companies should be open and transparent about the purposes for collection.

In some cases companies provide quite detailed information about the purposes of the tests and what will happen to the information collected, while other direct-to-consumer genetic testing companies hardly provide any information at all. In some cases they may not even have a privacy policy on their website.

When companies are not open or clear about their practices, or when individuals do not take the time to review their privacy policies, there is a risk of undergoing a genetic test without knowing or fully understanding what is being agreed to.

Therefore, before consenting to a genetic test you should be able to understand what personal information is being collected, why, and whether your information will be used for other purposes or shared with others. Note that under the newly passed Genetic Non-Discrimination Act it is prohibited for organizations to collect, use or disclose your genetic test results without your written and voluntary consent.

Given the sensitive nature of genetic or genomic information, companies should not be able to simply assume you have given your implied consent or otherwise pressure you into accepting the proposed collection, use or disclosure.  Rather, they must first ask you if you agree to do so voluntarily, and if you do, your consent must be provided in writing.

  • Sharing Genetic Test Results

Some companies allow their customers to voluntarily make their data available online for others to see and use, or to share their results with others through social media sites. Websites have also emerged that allow individuals to upload their genetic test results for download by anyone on an "anonymized basis" and some individuals may freely wish to do so for their own personal reasons.

Should you voluntarily agree to have your genetic test results posted online, it is difficult, both legally and practically, to have that information removed if you change your mind later. Everything posted online is potentially viewable and shareable by millions, and it could surface months or years after posting, in a variety of contexts, intended or not.  Even if it is said to be anonymized, be mindful of the possibility that your genetic information could potentially be linked back to you if it is re-identified, and could be used in ways you did not intend.

  • Use of Genetic Information for Research Purposes

Some direct-to-consumer genetic testing companies may request to use biological samples for research purposes. If you consent to provide your genetic information for research purposes, you have the right to withdraw your consent; however, once your personal information has been analyzed as part of a research study and aggregated into the final results, it may not always be easy, or even possible, to withdraw your consent retroactively.

You may also wish to ask who will be conducting the research — the company itself or some third party. What are the research objectives of the study and for whose benefit? Will the research be reviewed and approved by an independent research ethics board? Will you be informed of the research results?

Prior to agreeing to participate in a research study, consider the consent form carefully. It should clearly explain whether the information will be re-identifiable (associated with you) and whether and how any incidental findings (results you were not expecting) would be communicated to you.

Note that once you agree to participate in research, the prohibitions in the Genetic Non-Discrimination Act do not apply to the person who is conducting medical, pharmaceutical or scientific research.

  • Retention and Destruction

Before ordering a genetic test you should also be able to identify how long the company will retain your personal information, including test results and biological samples, and how and when they will dispose of them. Personal information that is no longer required to fulfill the purposes for which you provided it must be destroyed, securely deleted, or rendered anonymous.

It is important to consider what will occur to your personal information in the event the company winds down its operations, files for bankruptcy, merges with, or is acquired by another company.

  • Receiving Your Test Results

It is also important to be aware that under Canada's federal and provincial private sector privacy laws you have the right to request access to your personal information, including records of how it has been used and whether it has been disclosed (in accordance with your consent).

Although you have a right to access your own personal information, you should be prepared for the possibility of finding out information you did not anticipate, about yourself or your parental linkages—some of which you may not want to know.

  • Safeguarding Your Personal Information

You should be satisfied with the company's privacy and information security practices prior to purchasing a genetic test. Companies should develop and implement strong policies and security controls in order to protect against the risks of unauthorized access, loss or theft, and to ensure that personal information is not further disclosed or used for purposes it was not collected for in the first place.

Some companies may store genetic or genomic data in the cloud or transfer it to another jurisdiction for processing. Keep in mind that personal information transferred to another country will be subject to the laws of that country.

  • Accuracy of Genetic Test Results

Under most data protection laws, companies must ensure that the personal information they have about you is accurate. However, because direct-to-consumer genetic testing laboratories may not be legally subject to any accreditation or certification standards—depending on the jurisdiction in which they operate—there is no guarantee about the quality of the test results you receive. The test results you receive may not be valid or even reliable.

Before placing an online order for genetic testing, you may also wish to ask about the company's laboratory or about the laboratory they outsource their testing to. Where is it located? Is it duly accredited or certified? If so, in accordance with which regulatory standards?

What to do if you are concerned about your privacy?

The Office of the Privacy Commissioner of Canada and provincial Privacy Commissioners in provinces that have adopted similar private sector privacy laws (Alberta, British Columbia and Quebec) are responsible for overseeing compliance with their respective laws. They are empowered to investigate complaints, publicly report on the privacy practices of organizations and promote privacy awareness.

If you have a privacy concern or a complaint about how a direct-to-consumer genetic testing company has collected, used, or disclosed your personal information, and you have not received satisfactory answers from the company, you may contact one of our offices:

The Office of the Privacy Commissioner of Canada

Alberta

British Columbia

Quebec

Which privacy laws apply?

Direct-to-consumer genetic testing companies are subject to Canada's federal and provincial private sector privacy laws if they are situated in Canada or have a real and substantial link to Canada. The applicable privacy legislation includes:
