Next on your agenda: Genetic privacy

Who could forget the scene in the film Minority Report where the police -- following a tip from mutants who could see the future -- raided a house and arrested a man before he could commit a foreseen crime? It was a fantastic scenario, but it framed a dilemma we in America may be approaching faster than we think: Can organizations ethically use personal information about an uncertain future to change a person's benefits or freedoms in the present moment?

The field of genetics may be bringing this policy dilemma to corporate doorsteps in the next few years. How? Scientists are already identifying an increasing number of genetic variations that indicate that people with them are more susceptible to certain diseases or behavior disorders. According to the Genetic Alliance, which lobbies against genetic discrimination in the marketplace, there already are tests for about 700 genetic disorders, with a sharp increase in that number expected in the future.

What's fueling the increase? Biomedical companies and organizations such as the National Human Genome Research Institute are seeking ways to tailor medical treatments to people with known genetic risks. This is a good thing that we all stand to benefit from.

But there's a downside to the systematic collection of personal genetic information (PGI). Companies that know the PGI of their prospective customers and employees could save money and liability by avoiding relationships with genetically risky individuals or by charging those people higher prices and premiums.

Some DNA testing is already taking place in the workplace. The Genetic Alliance claims it receives regular reports of employees who encounter objectionable genetic testing by their employers. In October, the Chicago Bulls basketball team made the headlines when it traded its star center Eddy Curry after he refused to take a DNA test for a heart condition that kept him out for three months last season.

What's the current legal status for companies using PGI? Fairly wide open. In 2000, the U.S. government banned the use of genetic discrimination in the federal workplace, but no similar ban exists in the private sector. According to the National Conference of State Legislatures, 32 states have laws addressing genetic testing in employment, but few prohibit these tests as a condition for employment. In 1995, the U.S. Equal Employment Opportunity Commission defined the genetic predisposition to disease as within the scope of the Americans with Disabilities Act (ADA), but experts expect this to be challenged in court. Last February, the U.S. Senate passed the Genetic Information Nondiscrimination Act, but the legislation stalled in the House, where similar measures in the past eight years have also languished.

With few legal restrictions on genetic testing, where should we look for it to most quickly emerge? Perhaps in the health care industry itself, which is already collecting PGI via blood samples, biopsies and similar tests. It seems plausible that health insurers would want to include risky DNA disorders within their lists of pre-existing conditions that merit denial of coverage. Indeed, the health insurance industry argues that new federal legislation isn't needed.

And small employers -- especially those who have already shouldered higher insurance costs resulting from critically ill workers in their insurance pool -- would also be leading candidates for greater collection of PGI. If these companies could identify among their job applicants any genetic markers for cancer or organ failure, for example, they might seek to protect the financial well-being of their existing workers by not hiring risky applicants.

Other employers may also be tempted to take advantage of advances in PGI. Many American companies already use psychological tests on candidates for executive or highly sensitive positions in the hopes of predicting who would and wouldn't thrive under the pressures of the job. Genetic predictors of mental illness or anger-management problems could -- if they were highly accurate -- be attractive additions to those types of employment screens.

So what are the ethical principles involved in companies collecting PGI? They aren't as clear-cut as they would seem. You might want to apply the concepts of racial and sexual nondiscrimination to this situation, and say that it's just not fair to treat people differently based on their DNA. But your race and sex don't predict what kind of worker or customer you'll be. In time, your DNA may well do so, and therefore actors in a free market may be justified in making employment decisions based on all relevant information available to them. Law professor Richard Epstein has even argued that employees who conceal from their employers negative results from genetic tests are engaging in fraud.

A better framework for navigating the PGI dilemma may be the U.S.-EU Safe Harbor privacy principles. Applying the Safe Harbor standards to the collection and use of PGI would yield at least seven restrictions that would greatly curtail the potential for corporate abuse:

  1. The notice principle. An organization must clearly notify people at the point of PGI collection about all of the ways the organization may use the PGI, and what options people have to limit such uses.
  2. The choice principle. Organizations must obtain from people their explicit consent to collect and use their PGI, and they must clearly notify them of the consequences they could face if they decline to provide consent.
  3. The onward transfer principle. Organizations must not transfer PGI to other organizations without the consent of the person and without ensuring that the organization protects the information with the Safe Harbor standards.
  4. The access principle. Organizations must offer people an easy means of reviewing the PGI that has been collected about them and the conclusions that were drawn from that information.
  5. The security principle. Organizations must use the highest standard of due care to protect PGI from unauthorized access and alteration.
  6. The data integrity principle. Organizations must limit the collection of PGI to only relevant purposes and take steps to ensure its accuracy.
  7. The enforcement principle. Organizations must adopt independent methods to verify their adherence to these principles and provide people an independent means to issue complaints about the organization's PGI practices.

But employers may find living up to the security principle to be too much of a stretch for the foreseeable future. The drumbeat of security-breach incidents last year suggests there's still much work to be done to secure credit-card numbers, let alone more sensitive genetic information.

Meeting the data integrity principle may also be challenging, at least in the near term. While it may be easy for corporations to show on paper why there are relevant reasons for them to use genetic tests, the real arbiter of whether they can go ahead with them will be public reaction. To this end, the American public has shown no sign of accepting widespread DNA testing.

So despite the potential benefits of PGI use outside of the doctor's office, the legal and technical controls are still too immature. Companies should instead follow the path IBM pioneered in October (see article) by forsaking any use of PGI in its employment practices. Public trust in this area needs to be earned first.

Copyright © 2006 IDG Communications, Inc.
