Hi everyone, please find my presentation attached. I have also provided an approximate transcript below for easy reference, but please see the notes on the slides for any citations. I hope you will find it interesting!
“Hello everyone, today I will be telling you about privacy law in relation to genetic information. I was inspired by the reading in the syllabus about Lie Detection and Brain Privacy in the Criminal Justice System. It got me wondering – are there other bodily privacy issues we should be thinking about, beyond basic privacy within one’s own home? In my opinion, genetic privacy is also an important conversation to be having. I will be focusing on what legal protection genetic information has in Canada, particularly with respect to direct-to-consumer genetic testing companies.
First, you might be wondering why someone might undergo genetic testing. There are three main types of reasons that people may undergo a test: (1) to learn more about their health, for example to determine their risk of developing certain conditions; (2) to learn more about their ancestry or verify biological familial relationship; (3) to learn information recreationally, e.g. about your hair type or personality traits. It is also important to understand that genetic tests can sometimes be recommended by a physician to understand disease predisposition or potential response to medication, which would be under the first category — “health.” Genetic testing is also available from commercial companies, and that can be for any of the three reasons I mentioned, although there have been examples of companies being forced to stop providing health-related analyses due to concerns that they had failed to prove their accuracy. What these companies provide is called “direct-to-consumer” genetic testing.
Before I move on, I also want to acknowledge that there is a related conversation about so-called “ancestry tests” which is not the focus of this presentation but which I think is also important to mention. Essentially, it has been argued that the concept of being able to delineate someone as “25% x, 3% y, etc.” promotes racial essentialism. I am also not a geneticist and am unable to speak to the accuracy of direct-to-consumer test results that may claim to tell you about your athletic aptitude or other qualities. So, I will not be talking about the accuracy of ancestry tests or whether ancestry is quantifiable in a way that it even can be accurate – I will just be focusing on how the genetic information can be used in the context of privacy.
In British Columbia, there are several relevant pieces of legislation. First, there is the Genetic Non-Discrimination Act (GNDA), which is federal and aims to prevent discrimination on the basis of genetic information or refusal to provide genetic information. There is also the Personal Information Protection and Electronic Documents Act (PIPEDA), which is federal and applies to “organizations that collect, use, or disclose personal information in the course of commercial activities.” Finally, there is the Personal Information Protection Act (PIPA), which is provincial and similar to PIPEDA, and applies to “private sector organizations in British Columbia.” Please also note that I will not be speaking about the Privacy Act, since it deals with personal information held by federal government organizations and it is beyond the scope of this presentation.
The Genetic Non-Discrimination Act came into force in 2017 through Bill S-201 which was constitutionally challenged but eventually upheld by the Supreme Court. It is a short statute so I recommend reading it yourself as well, but to sum it up, it stipulates that employers, life insurance providers, or any other relevant persons, are not allowed to force you to take a genetic test or share results of one as a condition of working for them/providing coverage/etc. No one may deny you service on the basis of the results of genetic tests. It also provides an exception for healthcare practitioners and researchers, so it really is about protecting citizens from discriminatory practices, especially from employers or insurance providers, rather than restricting scientific or health-related pursuits. Bill S-201 also added “genetic characteristics” to the list of prohibited grounds of discrimination under s. 3(1) of the Canadian Human Rights Act. Importantly, no one may use your genetic test results in any way without your written consent — this means that not only would a direct-to-consumer genetic testing company need your consent to collect your genetic information, they may not use or disclose it without written, voluntary consent.
PIPEDA and PIPA have been deemed substantially similar, so generally if a private company is subject to PIPA it will be exempt from PIPEDA with regard to “the collection, use or disclosure of personal information that occurs within the province.” Also, businesses that operate in Canada are subject to PIPEDA even if they are based extraterritorially. Finally, federally regulated organizations are subject to PIPEDA (e.g. banks, telecom companies, or radio and TV broadcasters). What you can take away from this is that there is fairly broad application, so if you make use of a “direct-to-consumer” genetic test, the company that provided it is likely subject to either PIPEDA or PIPA.
So, what protection do PIPEDA and PIPA provide for genetic information? According to the Office of the Privacy Commissioner of Canada, “genetic information” is considered personal information under PIPEDA and PIPA. The protections regarding personal information therefore also apply to genetic information. Since PIPEDA and PIPA have been deemed substantially similar, I will be talking about the relevant protection as if it comes from one piece of legislation. Both pieces of legislation include 10 principles of privacy, which are listed on the slide. I will give a brief description of each as described in BC government resources, but please note that the full requirements are more detailed:
1. Accountability – Companies must be responsible for all personal information in their control and ensure compliance with all ten principles. This includes designating a privacy officer and developing policies for handling personal information.
2. Identifying Purposes – Before or at the time of collecting information, they must identify the purpose for collecting the information and how it will be used.
3. Consent – Obtain consent from the individual whose personal info is being collected, used, or disclosed, with limited exceptions such as lack of mental capacity.
4. Limiting Collection – Collection must be limited to what a reasonable person would deem appropriate for the purpose, which was identified under Principle 2.
5. Limiting Use, Disclosure, and Retention – Companies can only use or disclose personal information for purposes that a reasonable person would deem appropriate. It can only be kept as long as required to serve those purposes.
6. Accuracy – Companies must make reasonable efforts to ensure that the personal information collected is accurate and complete.
7. Safeguards – Companies must have reasonable safeguards to protect personal information, and the security level should be related to how sensitive that information is.
8. Openness – Companies must have readily and publicly available information about their policies and practices, including the contact information of the privacy officer.
9. Individual Access – You are entitled to an explanation of how your personal information has been used, and if your request is refused you are entitled to a response that includes the legal reason(s) why.
10. Challenging Compliance (aka Provide Recourse) – Companies must have complaint handling procedures regarding the above principles and inform complainants of their avenues of recourse.
I have bolded some of the most relevant ones on the slide. Of course, what is “important” depends on what you are concerned about — if you are concerned about data breaches, number 7 will be most important to you. If you are concerned about your information being used for a purpose you don’t know about, then numbers 2, 3 and 9 might be most important to you.
Overall, remember that your main protections are your ability to give consent, and how a court construes what is “reasonable” or the “reasonable person.” So, before you give your genetic information to a direct-to-consumer genetic testing company, remember you have every right to ask them the purpose of collecting (since other principles also depend on the “purpose”), what safeguards it will have against data breaches, and to refuse to allow them to share your test results with third parties such as marketers or pharmaceutical companies. And, you have the ability to withdraw your consent at any time — though from a logistics standpoint, it is probably more convenient to refrain from giving your genetic information in the first place.
Thank you for listening to my presentation and I hope you found it interesting!”