MyHeritage and Ancestry among research firms to have already signed up

New guidelines have been issued governing how DNA data should be stored by genetic testing companies, after a number of data breaches leaked the personal details of millions.

In the wake of a shipload of leaks affecting DNA testing firms, the aptly-named Privacy Best Practices for Consumer Genetic Testing Services was released last month by the Future of Privacy Forum (FPF).

The FPF, based in Washington, DC, drafted the framework in conjunction with ‘leading’ genetic testing companies including Ancestry, MyHeritage, and 23andMe.

It comes after multiple high-profile data breaches at some of the world’s most popular ancestry tracing firms – including the MyHeritage incident that leaked 92 million users’ details.

Email addresses and hashed passwords were discovered on servers outside of the company, and although no sensitive DNA data was taken, the incident sparked further concern that companies weren’t doing enough to protect sensitive information.

These new guidelines, launched at the end of August, provide companies with a set of best practices when it comes to collecting, handling, and storing this type of data.

Carson Martinez, FPF health policy fellow, who led the drafting of the document, told The Daily Swig that the FPF’s key concerns around storing DNA data related to security and transparency.

She added: “In the best practices [guidelines], we do not require any specific security practices or protocols, but rather require that companies maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of the data through the use of administrative, technological, and physical safeguards.

“As genetic data requires high levels of confidentiality, we require that companies implement secure storage practices for the biological sample and genetic data through encryption of digital records, data-use agreements, and contractual obligations among other practices.

“We also require that companies be transparent regarding retention practices for both the biological sample and genetic data.”

The framework has now been adopted by 23andMe, Ancestry, Helix, MyHeritage, Habit, African Ancestry, and FamilyTreeDNA.

And though firms aren’t required to sign up to a rigid set of rules, Martinez said that the guidelines will evolve alongside the technology they govern.

She told The Daily Swig: “As the industry evolves, so will the technologies to safeguard the data – we want to make sure we are not limiting those future safeguards by prescribing specific practices.”