DNA Privacy Policy

Over the years there has been an increased interest in DNA and what it can tell us about specific individuals and their traits. This interest has spawned companies which offer DNA testing services mostly in regards to tracking family lines through the ages. The most prominent of these are Ancestry.com and 23 & Me.

Ancestry.com has a fully organized page FAQ on the different aspects of their provided services that people would be curious about. Under the section ‘Your Security’, on how the DNA data is protected, they claim that the results of DNA tests are stored in secure databases which employ numerous security measures although there was nothing to substantiate this claim. The third-party lab processing the DNA samples also does not give any personal information and your DNA sample is associated with an Activation Code provided in the DNA kit that was submitted. After testing all remaining DNA is archived in a secure facility with 24-hour monitoring and limited-access. In regards to sharing personal information or data with third parties, Ancestry is stringent in that they would not divulge anything without proper written valid and legal documentation which has been approved by their committee as narrow enough parameters. The data’s owner is also informed, unless Ancestry is legally prevented from doing so, prior to the data’s release to give them the chance to appeal it. As to deleting data, once an account and results have been deleted they are completely removed from the site and will not show up in any matches’ in the future; although there was no information on what was done with any archived results or DNA samples after the fact. For your DNA to be entered into further research projects explicit consent would need to be given by the DNA’s owner and no personal information would be associated with them in any way.

23 & Me was quite similar in their ‘Privacy and Data Protection’ page. The main difference between the two was that 23 & Me listed security certifications under the globally recognized ISO/IEC 27001:2013, 27018 & 27701 standards after extensive audits with their certification linked in the section. Regarding hackers, they claimed to employ the multi-layered approach in staying ahead of hackers which included frequent internal assessments and simulated attacks, researcher assessments, and regular external third-party assessments. 23 & Me DNA analysis is conducted on information after it is stripped of identifying registration information. This is the same for participating in research studies as all personal identifying information is removed from the data. There is a listed caveat that in the event of  financial event or a turnover information might need to be accessed by other parties, although there is no information as to if they would inform the data owner in that case. Otherwise, no information would be shared to any outside entities without the owners’ consent unless legally obligated to do so. All access requests by law enforcement are scrutinized for validity and legality and all those affected would be notified unless prevented by law. In regards to data deletion, you can at any time delete your account and have the 23 & Me lab biobank the saliva sample or have it destroyed.

With the security measures each has given and the steps that both have listed in regards to security I would be able to trust both with my genetic information. As of present day, current technologies don’t quite worry me in regards to cloning or some type of identity theft. I do believe that 23 & Me has marginally better security measures then Ancestry.com based on the reports on their websites. 23 & Me lists specific security measures that they undertook to combat hackers and have a listed certification under their security information. Ancestry.com has no significant description of their security measures with the most descriptive security measure being a 24-hour surveilled storage site for DNA samples with restricted access. I also had concerns about the DNA samples as 23 & Me has measures to destroy the saliva samples it had taken upon request while Ancestry.com does not mention what would happen to the DNA samples that it had archived after a customer had deleted their accounts. Overall, based entirely on what each company had reported in their privacy pages, 23 & Me would be the company I would most likely use if I were to do DNA testing.