
Happy Data Privacy Day!

by Bradley Jansen January 28th, 2015 12:00 pm

Every year on January 28th since 2007, we celebrate Data Privacy Day (Data Protection Day to our European friends), going back to the start of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The most important and pressing data privacy issue in the United States today is the fight to update the Electronic Communications Privacy Act.

The law that governs the privacy protections of your electronic communications (ECPA), such as text messaging, cloud computing, etc., was passed in 1986. Needless to say, the general consensus is that the law needs updating. The Digital Due Process (DDP) coalition brings together a broad spectrum of groups from the left, including the American Civil Liberties Union, and the right, including Americans for Tax Reform, as well as privacy groups and technology companies including Google, Microsoft, HP, Yahoo, Facebook, etc.

Importantly to this blog, I have to point out that the Records Preservation and Access Committee (RPAC), representing a more than critical mass of the genealogical community, is part of DDP and helping in the fight to update ECPA. Many of the reasons are spelled out in this letter to US Sen. Orrin Hatch.

Yes, the genealogy community is active in the struggle to protect privacy.  For another example, check out Judy Russell's excellent post earlier today on this blog.

So here are some good privacy guidelines for genealogists:

  • Consent matters, as Judy explains.  Which dovetails with the general privacy principle of not sharing Personally Identifiable Information (PII) of living people without their consent, and
  • Law enforcement should need a warrant for content (except under well-established exceptions)--the Fourth Amendment should apply to the physical world and the digital one.

The more genealogists work to protect and respect privacy, the fewer problems we'll have with others wanting to restrict records access.

 



A matter of consent

by Judy Russell January 28th, 2015 10:00 am

[Cross-posted from The Legal Genealogist]

Ask first

The question posed to The Legal Genealogist on January 18th was whether the cousin who had paid for a DNA test should share the results with the cousin who took the DNA test.

The no-brainer answer is yes.1 Just because you paid for a test doesn't mean you can close off the results to the cousin whose DNA was tested.

As noted then, we now have working standards for genetic genealogists to consult when it comes to ethical questions like this.2 And the applicable ethical standard here is that “Genealogists believe that testers have an inalienable right to their own DNA test results and raw data, even if someone other than the tester purchased the DNA test.”3

In the interim, the question that came in was about the flip side of this issue: whether the cousin who paid for the test should share the results far and wide -- with the name of the tested cousin, usually, still attached.

That answer should also be a no-brainer.

Unless you have consent, the answer is no.

No, no, no.

And in case that isn't clear enough:

No.

The ethical standards are as clear on this as they were on the first question: “Genealogists respect all limitations on reviewing and sharing DNA test results imposed at the request of the tester. For example, genealogists do not share or otherwise reveal DNA test results (beyond the tools offered by the testing company) or other personal information (name, address, or email) without the written or oral consent of the tester.”4

Even when it comes to writing about DNA results for scholarly research, the standards require that:

When lecturing or writing about genetic genealogy, genealogists respect the privacy of others. Genealogists privatize or redact the names of living genetic matches from presentations unless the genetic matches have given prior permission or made their results publicly available. Genealogists share DNA test results of living individuals in a work of scholarship only if the tester has given permission or has previously made those results publicly available.5

What this means, put in simple terms, is that we should not take a screen capture of DNA results from a testing company and post it in a blog post or on Facebook with the names or pictures of our matches still attached unless we've asked those matches specifically if we can post it.

And this isn't a new idea, springing out of genetic genealogy alone. This is the long-time ethical standard of the genealogical community. This concept of protecting the privacy of living people can be found for example in:

• The Code of Ethics of the Board for Certification of Genealogists, which requires that board-certified genealogists pledge that: “I will keep confidential any personal or genealogical information given to me, unless I receive written consent to the contrary.”6

• The Standards for Sharing Information with Others of the National Genealogical Society, which advises us to “respect the restrictions on sharing information that arise from the rights of another ... as a living private person; ... inform people who have provided information about their families as to the ways it may be used, observing any conditions they impose and respecting any reservations they may express regarding the use of particular items... (and) require some evidence of consent before assuming that living people are agreeable to further sharing of information about themselves.”7

• The Code of Ethics of the International Association of Jewish Genealogical Societies, which notes that “If data is acquired that seems to contain the potential for harming the interests of other people, great caution should be applied to the treatment of any such data and wide consultation may be appropriate as to how such data is used. ... Generally, a request from an individual that certain information about themselves or close relatives be kept private should be respected.”8

So as responsible genetic genealogists we don't just take a screen shot and post it. We take a second, using the tools in every photo program out there -- including my favorite free program IrfanView -- and blur out the names or photos of our matches as you can see in the image above of my own AncestryDNA results.

Or we do something really unusual.

We ask first.


SOURCES

1. Judy G. Russell, “Whose DNA it is anyway?,” The Legal Genealogist, posted 18 Jan 2015 (http://www.legalgenealogist.com/blog : accessed 24 Jan 2015).
2. See ibid., “DNA: good news, bad news,” The Legal Genealogist, posted 11 Jan 2015.
3. Paragraph 3, Standards for Obtaining, Using, and Sharing Genetic Genealogy Test Results, “Genetic Genealogy Standards,” GeneticGenealogyStandards.com (http://www.geneticgenealogystandards.com/ : accessed 18 Jan 2015).
4. Ibid., paragraph 8.
5. Ibid., paragraph 9.
6. “Code of Ethics and Conduct,” Board for Certification of Genealogists (http://bcgcertification.org/ : accessed 24 Jan 2015).
7. Standards for Sharing Information with Others, 2000, PDF, National Genealogical Society (http://www.ngsgenealogy.org/ : accessed 24 Jan 2015).
8. “IAJGS Ethics for Jewish Genealogists,” International Association of Jewish Genealogical Societies (http://www.iajgs.org/ : accessed 24 Jan 2015).



Genetic Genealogical Privacy Standards

by Bradley Jansen January 18th, 2015 1:12 pm

The Genetic Genealogy Standards Committee recently came out with a document on Genetic Genealogy Standards that can be found here:

http://www.thegeneticgenealogist.com/wp-content/uploads/2015/01/Genetic-Genealogy-Standards.pdf

My take at first blush is that it's good that the genealogy community continues to update its standards with the times--and that it increasingly recognizes the importance of privacy in those standards.

For example, there are several sections where the standards address areas of concern to this blog:

2. Testing With Consent. Genealogists only obtain DNA for testing after receiving consent, written or oral, from the tester. In the case of a deceased individual, consent can be obtained from a legal representative. In the case of a minor, consent can be given by a parent or legal guardian of the minor. However, genealogists do not obtain DNA from someone who refuses to undergo testing.1

3. Raw Data. Genealogists believe that testers have an inalienable right to their own DNA test results and raw data, even if someone other than the tester purchased the DNA test.

6. Privacy. Genealogists only test with companies that respect and protect the privacy of testers. However, genealogists understand that complete anonymity of DNA tests results can never be guaranteed.

7. Access by Third Parties. Genealogists understand that once DNA test results are made publicly available, they can be freely accessed, copied, and analyzed by a third party without permission. For example, DNA test results published on a DNA project website are publicly available.

8. Sharing Results. Genealogists respect all limitations on reviewing and sharing DNA test results imposed at the request of the tester. For example, genealogists do not share or otherwise reveal DNA test results (beyond the tools offered by the testing company) or other personal information (name, address, or email) without the written or oral consent of the tester.

9. Scholarship. When lecturing or writing about genetic genealogy, genealogists respect the privacy of others. Genealogists privatize or redact the names of living genetic matches from presentations unless the genetic matches have given prior permission or made their results publicly available. Genealogists share DNA test results of living individuals in a work of scholarship only if the tester has given permission or has previously made those results publicly available. Genealogists may confidentially share an individual’s DNA test results with an editor and/or peer-reviewer of a work of scholarship. Genealogists also disclose any professional relationship they have with a for-profit DNA testing company or service when lecturing or writing about genetic genealogy.

The committee explains their process, membership, review of comments, etc., all here
http://www.geneticgenealogystandards.com

It was pointed out that many of the members on the committee have ties to 23andMe and Ancestry.com, which should have been disclosed properly.

The question then remains whether the community will be able to self-regulate.  We will have to come back to this subject soon.



23andMe and Genentech reach deal on genetic research

by Bradley Jansen January 12th, 2015 11:11 am

According to a Forbes article, 23andMe has reached a very lucrative deal with Genentech--the first of nearly a dozen agreements the company has reached with pharmaceutical and biotech companies.

Explains the "Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan" story:

Such deals, which make use of the database created by customers who have bought 23andMe’s DNA test kits and donated their genetic and health data for research, could be a far more significant opportunity than 23andMe’s primary business of selling the DNA kits to consumers. Since it was founded in 2006, 23andMe has collected data from 800,000 customers and it sells its tests for $99 each. That means this single deal with one large drug company could generate almost as much revenue as doubling 23andMe’s customer base.

“I think that this illustrates how pharma companies are interested in the fact that we have a massive amount of information,” says Anne Wojcicki, 23andMe’s chief executive and co-founder. “We have a very engaged consumer population, and these people want to participate in research. And we can do things much faster and more efficiently than any other research means in the world.”

The prospects of advances in genetic research should not be unappreciated, but the story raises the privacy implications for 23andMe customers:

People who have bought 23andMe kits and agreed to donate their data to research (that’s about 600,000 of the company’s 800,000 customers) automatically consent for 23andMe to sequence their genomes. 23andMe says that it is also able to share anonymous and pooled data about their self-reported health traits without asking. But Genentech wants even more: it wants to look at health and genetic data on an anonymous but individual basis. For that reason, the company will have to ask customers if they want to enter the study.

Let's hope 23andMe has worked out the way to respect consumer privacy and promote genetic research!