As genetic databases grow in number and size, they are amassing huge troves of highly personal information on large numbers of people. The genetic testing that feeds information into these databases was once confined to the diagnosis and treatment of a few inherited diseases. Now, it is used in a variety of clinical settings and is directly available from commercial companies for anyone interested in tracing their ancestry, Professor Robert Field explains in his article “Am I My Cousin’s Keeper: A Proposal to Protect Relatives of Genetic Database Subjects,” which was published in Indiana Health Law Review in 2021.

With the proliferation of stored data, hacking and leaks are ever-present threats. While databases usually maintain information anonymously, tech-savvy data analysts are finding it increasingly easy to de-anonymous it. And it is not always clear who ultimately owns the data and has rights of access. For example, who can access the information in a commercial company’s database (such as those maintained by 23andMe, Inc. or Ancestry.com, LLC) if the company is acquired by or merged with another one?

Even more concerning is that the risk of disclosure extends to individuals beyond those who contribute their data. Genetic information reveals attributes of relatives, even distant ones. The Golden State Killer case in California and many subsequent criminal investigations have demonstrated the power of genetic databases to identify a data subjects’ distant relatives who have no way of knowing that information about them has been collected.

There are laws that address some of the disclosure risks surrounding genetic data, but the protections they provide are limited. In clinical settings, the Health Insurance Portability and Accountability Act (commonly known as HIPAA) limits unauthorized disclosure of medical information, but only by medical personnel and insurance companies. It does not apply to commercial database companies and others who may have access to data. In research settings, Institutional Review Boards (IRBs) oversee research that may present risks to human subjects, but their involvement is legally mandated only for research that is funded by the federal government or used to support an application for approval of a new drug. The Genetic Information Nondiscrimination Act (GINA) prohibits the use of genetic information in employment and some kinds of insurance, but its application is limited to those contexts.

To address concerns over genetic database privacy, Field and his co-authors have proposed a new regulatory approach. It would create new oversight bodies known as Data Protection Review Boards, modeled on IRBs, that would provide decentralized, expert oversight of external data sharing by commercial database companies. The proposal would empower a federal agency—either the Federal Trade Commission or a newly created privacy agency—to oversee the boards’ operations.