The coronavirus, as we all know, has brought our economy to its knees. As the search for vaccines and treatments accelerates, geneticists are now looking to our genes to understand why some recover quickly or show no symptoms, while others die. To do so, they are searching DNA databases and cross-referencing them with COVID-19 cases. This research holds great promise for addressing the pandemic. 

Yet if scientists do find answers in our genes, we need to consider the implications for genetic privacy. Armed with the ability to identify who is vulnerable and who is not, how will society proceed?

On the one hand, health care providers could use genetic testing to help vulnerable patients stay safe. But there would also be a temptation to use genetic testing in the workplace. Companies could use genetic test results to manage the risks for all employees, for example by controlling the activities of those who are most vulnerable. Businesses will also see opportunities to use genetic test results in the marketplace, for example by tailoring insurance offerings according to genetic risk. Currently, there are some limited legal protections against genetic discrimination and health privacy intrusions, but the pandemic has already led the federal government to scale back some of those protections for the time being. 

Although the rationale for expanded genetic testing is obviously meant for the greater good, such testing could also bring with it a host of privacy and economic harms. In the past, genetic testing has also been associated with employment discrimination. Even before the current crisis, companies like 23andMe and Ancestry assembled and started operating their own private long-term large-scale databases of U.S. citizens’ genetic and health data. 23andMe and Ancestry recently announced they would use their databases to identify genetic factors that predict COVID-19 susceptibility.

Other companies are growing similar databases, for a range of purposes. And the NIH’s AllofUs program is constructing a genetic database, owned by the federal government, in which data from one million people will be used to study various diseases. These new developments indicate an urgent need for appropriate genetic data governance.

Leaders from the biomedical research community recently proposed a voluntary code of conduct for organizations constructing and sharing genetic databases. We believe that the public has a right to understand the risks of genetic databases and a right to have a say in how those databases will be governed. To ascertain public expectations about genetic data governance, we surveyed over two thousand (n=2,020) individuals who altogether are representative of the general U.S. population. After educating respondents about the key benefits and risks associated with DNA databases—using information from recent mainstream news reports—we asked how willing they would be to provide their DNA data for such a database.

The results were surprising. Initially, we believed people would generally approve of donating their genetic data for altruistic reasons, such as for example, finding a vaccine for COVID-19, so we assumed they would be more willing to provide their data to a hospital or university compared with a tech company or pharmaceutical firm. But we found a fairly similar level of willingness regardless of who owns the database. While 37 percent were unwilling to provide their DNA data to a technology company (like 23andMe), about the same percent were unwilling to provide it to a hospital (40 percent), a government health institute (37 percent), a pharmaceutical firm (40 percent) or a university (35 percent).

The most important thing our survey revealed was that the willingness of individuals to provide their genetic data depended greatly on the kinds of policies that would govern that data. Thus, in order to find a vaccine for COVID-19, we must have genetic data governance policies that inspire confidence and that will prompt the public to donate their genetic data. Willingness to provide genetic data increased the most when people were told they would have the ability to control how their stored data is reused or shared in the future. This willingness also increased when people were assured they could have their data deleted at any point.

Conversely, one of the policies that reduced willingness to contribute the most was the retention of data indefinitely without a specified date for destruction. These patterns held equally among people who were willing to provide their data as an altruistic donation and people who were only willing to provide their data in exchange for payment of some kind. The patterns also held regardless of the type of organization the respondent was being asked about, that is whether tech company, hospital, government, pharmaceutical firm or university.

Not surprisingly, we also found that willingness to provide genetic data increased greatly when contributors knew that the organization would be using state-of-the-art cybersecurity to protect their data.

Together, these findings indicate two principles to guide needed regulation and any code of conduct for genetic databases.

The first is personal agency and control. People want to know that they can control the end uses of their DNA data. This principle puts the burden on database owners to obtain additional permissions when they want to reuse or share data. It also means designing databases so each entry has an expiration date and can be selectively removed. Technologies exist to support this principle, and some organizations are using them.

The second is equal treatment of all organizations. The same rules should apply regardless of an organization’s sector (e.g., for-profit, nonprofit, government); industry (health care, technology, consumer/lifestyle and so on); or size. Such distinctions make little sense in an era when data are routinely moved, shared and reused across organizations, sectors and industries—often without the full understanding of the people included in the data.

How can these principles be integrated with existing law and regulation? One approach would be to treat genetic sequence data as personal health information under HIPAA. This is consistent with the current understanding that genetic data can neither be truly de-identified nor completely stripped of sensitive informational content. Organizational policies for data access and cybersecurity can then follow health sector guidelines at a minimum.

Naturally, when biomedical researchers think about rules for genetic information databases, they want to avoid excessive limits on using the data. After all, such limits may slow scientific progress and reduce the societal benefits of the databases. But as suggested by the recent consumer genetics slowdown, without appropriate rules in place, the public may become wary of participating. Thus, it is imperative to consider public opinion of genetic data collection, the safeguarding of the data, and the use of DNA databases.

Our research suggests our proposed principles for genetic database governance will help preserve the public’s willingness to contribute their genetic information—which may be our only hope of defeating the coronavirus.

The authors are co-principal investigators on a grant by the Robert Wood Johnson Foundation to research the governance of genetic testing as part of corporate wellness programs. Their article “Evolving public views on the value of one’s DNA and expectations for genomic database governance: Results from a national survey,” co-authored with Allison Gaddis and Jennifer McCormick, was published by PLOS ONE.

Read more about the coronavirus outbreak from Scientific American here, and read coverage from our international network of magazines here.