By Benjamin Ross

September 18, 2018 | In April of this year, authorities in California identified and arrested the Golden State Killer by accessing the criminal’s genetic information through a public genealogy database. While this unique investigative method resulted in the capture of a notorious killer, many experts are voicing concerns about the potential such an event may set for the misuse of DNA testing.

Thomas May, Floyd and Judy Rogers Endowed Professor in the Elson S. Floyd College of Medicine at Washington State University, is one such voice, writing in a recently published article in the New England Journal of Medicine about the risks to privacy that come with using genetic information from a third party.

The article, “Sociogenetic Risks—Ancestry DNA Testing, Third Party Identity, and Protection of Privacy” (DOI: 10.1056/NEJMp1805870), posits that, “Failure to address concerns about misuse of genetic information will have important ramifications, not only in terms of unwanted intrusion into the lives of people who wish to remain anonymous, but for the continued advancement of genomic medicine.”

The concerning fact in the capture of the Golden State Killer, May wrote, was that the suspect didn’t submit his own DNA sample for testing; rather, the police sent his genetic data to a direct-to-consumer genealogic testing company and had it matched to his relatives.

“[The irony of the killer’s capture] on ‘National DNA Day’ was a startling public illustration of the reality that DNA information may be pertinent to people far removed from the one who was tested,” May wrote, “and the fact that information may derive from testing that an implicated person is not even aware has taken place.”

May told Clinical Informatics News that when the story initially broke, the issue of third party identification was already on his mind due to his attention on  initiatives like DNA Quest, which  offers pro bono services to adoptees to find birth relatives through DNA testing.

“For years, adoptees have faced similar issues of privacy versus the utility of genetic information,” May wrote in his article.

“Of course, this raises some issues of privacy as well,” May said. “Both the adoptee-parent scenario and the Golden State Killer relate back to the issue of identification of third parties who have not agreed to participate in this process.”

He continued this thought later in the article, writing that “adoptees have a right to access their basic birth records and heritage information. Yet there are myriad reasons why birth parents may not wish to have their identity revealed; our approach to assisting adoptees will have to grant birth parents’ desires due respect and carefully address the psychosocial ramifications of revealing their identities.”

There are laws in place, May said, that were made to address the need to regulate how genetic information is used, such as the 2008 Genetic Information Nondiscrimination Act (GINA). But the reality is that such regulations have limitations of their own.

“When GINA and other laws were passed, developing technologies were at an early stage, and the amount of information that could be inferred from these technologies was much different than it is today,” May said. “The limitations of these laws reflect the emerging nature of the technology, and we have to deal with it as it develops.”

That’s not to say that the laws have become useless, May says. “The reason I say this is because the most valuable aspect of this law is that it make a statement about social values.”

What GINA tells May is that society wants to take the privacy of genetic information seriously, but they are ill-equipped to properly manage it.

“This flawed mechanism, though well-intentioned, is hardly adequate to balance complex competing interests that might arise in DNA testing,” May writes in his article.

The solution is to consider these issues seriously.

“Under the Health Insurance Portability and Accountability Act (HIPAA) and the Common Rule that guides human-subjects research, for example, laboratories are expected to adhere to strict guidelines to protect health-related information,” May writes. “Although genealogic testing is not health care, it was derived from health technologies and presents privacy risks similar to those associated with health-related genetic testing.”

While May does not believe HIPAA and Common Rule would necessarily work in the direct-to-consumer (DTC) context, he does believe there are approaches that service the DTC industry, including the National Human Genome Research Institute’s Ethical, Legal and Social Implications (ELSI) research program, which offers basic and applied research on the ethical, legal, and social implications of genetic and genomic research for individuals, families and communities. 

According to May, addressing privacy regulations will first require a conversation between the public and the genomic medicine community.

May wrote: “Whatever implementable mechanisms are identified, regulatory oversight is needed to ensure the privacy of genetic information, determine who should be allowed to submit someone else’s sample for testing and for what purposes, and guide the drawing of inferences from DNA results and the relaying of information to persons other than the DNA source who may be implicated by those results.”

“Genetic testing has implications for individuals beyond the person tested,” May said. “This fact itself means we’re really going to have to consider the good of one person versus the good of communities and families.”