Genetic privacy


Genetic privacy involves the concept of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to one's genetic information. This concept also encompasses privacy regarding the ability to identify a specific individual by their genetic sequence, and the potential to gain information on specific characteristics about that person via portions of their genetic information, such as their propensity for specific diseases or their immediate or distant ancestry.
With the public release of genome sequence information of participants in large-scale research studies, questions regarding participant privacy have been raised. In some cases, it has been shown that it is possible to identify previously anonymous participants from large-scale genetic studies that released gene sequence information.
Genetic privacy concerns also arise in the context of criminal law because the government can sometimes overcome criminal suspects' genetic privacy interests and obtain their DNA sample. Due to the shared nature of genetic information between family members, this raises privacy concerns of relatives as well.

Significance of genetic information

In the majority of cases, an individual's genetic sequence is considered unique to that individual. One notable exception to this rule in humans is the case of identical twins, who have nearly identical genome sequences at birth. In the remainder of cases, one's genetic fingerprint considered specific to a particular person and is regularly used in the identification of individuals in the case of establishing innocence or guilt in legal proceedings via DNA profiling. Specific gene variants one's genetic code, known as alleles, have been shown to have strong predictive effects in the occurrences of diseases, such as the BRCA1 and BRCA2 mutant genes in Breast Cancer and Ovarian Cancer, or the eFAD gene in Early-Onset Alzheimer's Disease. Additionally, gene sequences are passed down with a regular pattern of inheritance between generations, and can therefore reveal one's ancestry via genealogical DNA testing. Additionally with knowledge of the sequence of one's biological relatives, traits can be compared that allow relationships between individuals, or the lack thereof, to be determined, as is often done in DNA paternity testing. As such, one's genetic code can be used to infer many characteristics about an individual, including many potentially sensitive subjects such as:
Dr. Yaniv Erlich conducted a study in 2013 that revealed vulnerabilities in the security of public databases that contain genetic data. Erlich's study reported a method to discover the identity of anonymous research subjects whose genomes had been sequenced as part of a genomics project. As a result, research subjects could sometimes be identified by their DNA alone.
Mark Bender Gerstein, a Yale professor who studies large genetic databases notes that "research subjects who share their DNA may risk a loss of not just their own privacy but also that of their children and grandchildren, who will inherit many of the same genes".
Furthermore, the vast databases of corporations or states are susceptible to get breached by criminals or governments. There is a controversy regarding the responsibility that a DNA testing company has to ensure that leaks and breaches do not happen. Regulation rules are not clearly laid out. What is still not determined is who legally owns the genome information: the company or the individual whose genome has been read. There have been published examples of personal genome information being exploited. Additional privacy concerns, related to, e.g., genetic discrimination, loss of anonymity, and psychological impacts, have been increasingly pointed out by the academic community as well as government agencies.
Dr. David Altshuler of the Broad Institute of Harvard and M.I.T. notes that the amount of genetic data that has been gathered so far is minuscule compared with what will be coming in the next few years, making it important to address the problems before the data deluge makes them worse, saying that they "see substantial issues" and "want to have serious discussions now".
The American Society of Human Genetics has brought up issues about administering genetic tests on children. Moreover, they infer that this could lead to negative consequences for the children. Some of the negative consequences that this could lead to include the child's likelihood of getting adopted which as a result could lead the child to suffer from self esteem issues; the child's well-being could also suffer because of things like paternity testing or a custody battle requiring this type of information.
Additionally, for criminal justice and privacy advocates, the use of genetic information in identifying suspects for criminal investigations proves worrisome under the Fourth Amendment—especially when an indirect genetic link connects an individual to crime scene evidence. Since 2018, law enforcement officials have been harnessing the power of genetic data to revisit cold cases with DNA evidence. Suspects discovered through this process are not directly identified by the input of their DNA into established criminal databases, like CODIS. Instead, suspects are identified as the result of familial genetic sleuthing by law enforcement, submitting crime scene DNA evidence to genetic database services that link users whose DNA similarity indicates a family connection.  Officers can then track the newly identified suspect in person, waiting to collect discarded trash that might carry DNA in order to confirm the match.
Despite the privacy concerns of suspects and their relatives, this procedure is likely to survive Fourth Amendment scrutiny. Much like donors of biological samples in cases of genetic research, criminal suspects do not retain property rights in abandoned waste; they can no longer assert an expectation of privacy in the discarded DNA used to confirm law enforcement suspicions, thereby eliminating their Fourth Amendment protection in that DNA. Additionally, relatives’ expectations of privacy in their genetic information used to link evidence with suspects are likely irrelevant under current caselaw since Fourth Amendment protection is “personal” to criminal defendants.

Regulations

When the access of genetic information is regulated it can prevent insurance companies and employers from reaching such data. Further, this could avoid issues of discrimination which could oftentimes leave an individual whose information has been breached without a job or without insurance.

In the United States

Federal Regulation

In the United States, biomedical research containing human subjects is governed by a baseline standard of ethics known as The Common Rule, which aims to protect a subject's privacy by requiring "identifiers" such as name or address to be removed from collected data. A 2012 report by the Presidential Commission for the Study of Bioethical Issues stated, however, that "what constitutes 'identifiable' and 'de-identified' data is fluid and that evolving technologies and the increasing accessibility of data could allow de-identified data to become re-identified". In fact, research has already shown that it is "possible to discover a study participant's identity by cross-referencing research data about him and his DNA sequence … genetic genealogy and public-records databases". This has led to calls for policy-makers to establish consistent guidelines and best practices for the accessibility and usage of individual genomic data collected by researchers.
Privacy protections for genetic research participants were strengthened by provisions of the 21st Century Cures Act passed on 7 December 2016 for which the American Society of Human Genetics commended Congress, Senator Warren and Senator Enzi.
The Genetic Information Nondiscrimination Act of 2008 protects the genetic privacy of the public, including research participants. The passage of GINA makes it illegal for health insurers or employers to request or require genetic information of an individual or of family members. This protection does not extend to other forms of insurance such as life insurance.
The Health Insurance Portability and Accountability Act of 1996 also provides some genetic privacy protections. HIPAA defines health information to include genetic information, which places restrictions on who health providers can share the information with.

State Regulation

Three kinds of laws are frequently associated with genetic privacy: those relating to informed consent and property rights, those preventing insurance discrimination, and those prohibiting employment discrimination. According to the National Human Genome Research Institute, forty-one states have enacted genetic privacy laws as of January 2020. However, those privacy laws vary in the scope of protection offered; while some laws "apply broadly to any person" others apply "narrowly to certain entities such as insurers, employers, or researchers."
Arizona, for example, falls in the former category and offers broad protection. Currently, Arizona's genetic privacy statutes focus on the need for informed consent to create, store, or release genetic testing results, but a pending bill would amend the state genetic privacy law framework to grant exclusive property rights in genetic information derived from genetic testing to all persons tested. In expanding privacy rights by including property rights, the bill would grant persons who undergo genetic testing greater control over their genetic information. Arizona also prohibits insurance and employment discrimination on the basis of genetic testing results.
California similarly offers a broad range of protection for genetic privacy, but it stops short of granting individuals property rights in their genetic information. While currently enacted legislation focuses on prohibiting genetic discrimination in employment and insurance, a piece of pending legislation would extend genetic privacy rights to provide individuals with greater control over genetic information obtained through direct-to-consumer testing services like 23andMe.
Florida passed House Bill 1189, a DNA privacy law that prohibits insurers from using genetic data, in July 2020.
On the other hand, Mississippi offers few genetic privacy protections beyond those required by the federal government. In the Mississippi Employment Fairness Act, the legislature recognized the applicability of the Genetic Information Nondiscrimination Act, which "prohibit discrimination on the basis of genetic information with respect to health insurance and employment."

Other

To balance data sharing with the need to protect the privacy of research subjects geneticists are considering to move more data behind controlled-access barriers, authorizing trusted users to access the data from many studies, rather than "having to obtain it piecemeal from different studies".
In October 2005, IBM became the world's first major corporation to establish a genetics privacy policy. Its policy prohibits using employees' genetic information in employment decisions.

Breaching techniques

According to a 2014 study genetic privacy breaching by Yaniv Erlich and Arvind Narayanan techniques fall into three categories:
; Identity Tracing
; Attribute Disclosure Attacks via DNA
; Completion Techniques