DNA ancestry testing: can you trust your data is safe?

Some tests cost just $130, which might seem like a reasonable price to find out detailed information about your heritage. The catch? You’ll also have to hand over your most precious data – your DNA.

We all have unique DNA, and once extracted on a swab and tested, it transforms into something readable – a code made up of four repeating components called adenine, thymine, cytosine and guanine (As, Ts, Cs and Gs for short).

The difficulty is that, in digital form, your DNA becomes vulnerable to all the risks that other kinds of data face – misuse, privacy breaches and theft.

That’s why it’s important to know how the company offering the testing service will store and use your data.

Also, there are other considerations. DNA data is shared data – it doesn’t just impact the person taking the test. Testing your DNA may answer some questions but be prepared for it to raise some too.

Josie’s ancestry journey: ‘DNA doesn’t lie’

When Josie* lost her father 4 years ago, she decided it was time to put together her family tree.

It had been tricky for Josie to ask her dad about his family while he was alive. He had never really known his mother and didn’t know anything about his father. Family could be a sensitive topic for him.

“Dad’s mother privately fostered him out when he was around four years old … Dad was born in 1929 and as a child he was often punished for being illegitimate which understandably made asking about his childhood very difficult,” Josie said.

With the help of a friend, she started trying to piece together her history. But it wasn’t long before Josie hit a roadblock – a few women shared the same name and birth year as her dad’s mother.

“While I was fairly sure we had the right person, we found several documents that suggested she had never had children.”

For Josie, it was important to eliminate any doubt about who her dad’s mother was.

“It felt like dad was being denied a family all over again, so that’s when I decided to take a DNA test.”

Josie did her research and chose Ancestry.com. When her test results came back, she discovered a second cousin with a large family tree. She took a chance and reached out, hoping to hear back.

“Thankfully, she replied and was able to confirm that the person I thought was dad’s mum was correct. Since then, it’s been quite a journey finding out about her family … she was one of 17 children.”

Josie has since joined Facebook groups that help people understand how the matching process works, and she’s even got new leads on her dad’s possible half-sister.

“Where once I might have thought we had lost all chance of finding out who Dad’s father was, as more people do their DNA, the possibility of finding out more about his paternal line grows.”

But Josie found the journey can be bitter as well as sweet.

“I’m sad dad missed out knowing all of this but maybe after all this time he wouldn’t have wanted to know, that he would have felt abandoned all over again.”

Many people end up regretting their choice to take a test. A quick Google search reveals countless people who claim a DNA test ruined their family.

Josie knew when she took her test that it could have devastating consequences.

“People lie, which means documents, including legal ones, also lie. But DNA doesn’t. Some find that quite hard to take and I can imagine the results from a DNA test can cause massive cracks in family relationships.”

She also knew there were limits to how far she was willing to go when it came to sharing her DNA. Most testing services offer an opt-in research programme, where you agree to contribute your DNA data toward extra research conducted at the company's discretion. Some of the companies, including Ancestry.com, hold on to your data and can use it in perpetuity.

Josie didn’t opt in.

“I knew I was taking a risk just doing the DNA test. After all, why would anyone trust a business entity with their most private essence?

"That stuff is deeply, deeply personal but that urge to know where I come from, who I share a familial connection with, was so strong.”

Despite the risks, Josie has been able to uncover valuable information about herself and her ancestors. She’s also been able to help relatives on her mother’s side of the family.

“I don't regret taking the DNA test. It's been an exciting, rewarding, frustrating, mind-blowing journey that's not over yet. I guess the privacy thing is a price I was willing to pay.”

That’s the ultimate question potential test-takers need to ask. Is there anything it’s worth trading your DNA data to know?

Josie decided there was. “Following the trail of Dad's ancestors felt like one way I could honour him and have [his family] acknowledge and recognise him.”

*Name changed to protect privacy.

Privacy policies compared

It’s vital to know how DNA testing companies will treat your As, Ts, Cs and Gs before you post your saliva.

To lend a hand, we’ve read the privacy policies of the three most popular test providers and summarised the key components, so you can choose one that suits your privacy needs.

Which personal information is collected?

How will my personal information be used?

How long will my personal information be held?

Who can my information be shared with?

What types of personal information are collected?

The Privacy Act defines personal information as any information about an identifiable individual. Within that broad category, DNA testing providers may collect, and hold on to, a range of different types of information.

• Account and profile information – information provided when you sign up to a service, such as your name, email, password, payment information, sex and location.

• Genetic information – information derived from your DNA, such as your genetic code in the form of DNA data (the As, Ts, Cs and Gs, and their order), and including the sample you provided, whether a swab or a test tube.

• Inferred information – new information created by analysing your DNA data. Inferred information can include things like eye colour or hair thickness, but may also extend to inferences about personality traits, ethnicity, preferences, and health and wellness.

• Self-reported information – other information you provide to the service, such as your health history, family history or personality traits.

• Sensitive information – information that could reveal very personal details, such as race, sexual orientation, religion, disability or political beliefs. Sensitive information can be self-reported information, or inferred information, depending on whether you provided it or the service inferred it from your DNA data.

• User content – additional information uploaded to a service’s platform, such as profile pictures and family trees.

The three test providers we examined all collected and kept most of these types of information, with no time limits on retention. All also allowed consumers to request that their information be destroyed, although Ancestry.com and 23andme will still hold onto some.

Who are the companies holding your information?

Ancestry.com

Ancestry.com is an American genealogy and family history platform. Its DNA ancestry service analyses your DNA to produce ethnicity information and genetic matches from its database. It also provides other information to help you learn more about yourself, your genetics and your family.

Ancestry.com reserves the right to change its privacy policy at any time but says it will give users “prominent advance notice” of any material changes. Non-material changes will also be notified.

23andme

23andme is a California-based genealogy testing service. It provides comprehensive ancestry and trait breakdowns, as well as health and wellness insights. 23andme suffered a data breach in October 2023, which resulted in exposure of 6.9 million users’ sensitive information.

23andme has the right to change its privacy policy at any time. It will let you know about those changes on the privacy statement on its website or by notifying you via email or its app. You can view the immediate previous version of the privacy statement, but not any before that.

FamilyTreeDNA

FamilyTreeDNA is another American genetic testing and genealogy service, providing consumers with insights derived from DNA into their family history.

FamilyTreeDNA has the right to update its privacy policy at any time and says it will do so “as needed”. It will provide you with “advance notice” of any material changes. Non-material changes will be notified but not in advance. You can view previous versions of the policy.

What to check before you spit

Privacy Commissioner Michael Webster said there were a range of things to consider before doing an at-home DNA test.

“Genetic data is highly sensitive personal information, not only for the individual, but also their whānau, so if you’re taking a test, be mindful that information does also show your family’s information.”

Webster said results from these tests might also impact your whānau’s ability to get health insurance cover. “Results can also be used in other unexpected ways if subject to a data breach.”

Webster recommended asking yourself a few key questions before you go ahead.

• Are you comfortable with how these agencies could use your information?

• How would you feel if a company sold your genetic data or used it for other purposes?

• How would you feel if your results reveal something unexpected or different from your sense of identity?

It’s also worth checking in with your whānau before you test. Remember, your DNA is also theirs.

While domestic affairs, like your family relationships, aren’t covered by the Privacy Act, Webster said companies carrying on business in New Zealand are still subject to the legislation. This means you have the right to access and correct your personal information that they hold.

DNA providers offering services here also have obligations. They aren’t allowed to keep your personal information for longer than is necessary to fulfil the purposes for which it was collected, or to use it for any other purposes, unless there are reasonable grounds to do so.

Consumers should also keep in mind that overseas companies’ privacy policies aren’t specifically designed for New Zealand users.