Your DNA has become a valuable commodity. Companies such as 23andMe may charge you for an analysis of your genetic profile, but they make their real money from selling that data on to other companies.

Now healthcare providers are following suit by encouraging patients to take genetic tests that will create databases ostensibly for medical research. Britain’s National Health Service (NHS) recently announced that it was launching such a scheme in an attempt to build a database of anonymised genetic data for researchers.

But recent reports that Our Lady’s Children’s Hospital, Crumlin in Dublin – Ireland’s largest children’s hospital – allegedly shared patient DNA data with a private firm without appropriate consent highlights the potential risk that comes with giving up your genetic records. Your DNA contains sensitive information that can be used to make important personal decisions about you and your family members. When you hand over these details to a large database – whoever is building it – you are ultimately risking it being used in ways you can’t foresee and which aren’t always to your benefit.

The first questions are where your data will end up and who will have access to it. The NHS is attempting to keep control of the genetic data it gathers by sharing it with researchers at its own company, Genomics England. But there has been no indication of what purposes the data can be used for, or what limits will be placed on its use or transfer to other research centres or companies. In the past, Genomics England met with Google to discuss how the tech firm might help analyse genetic data gathered under a previous scheme, the 100,000 Genomes Project.

A spokesperson for Genomics England told The Conversation that it had “no formal contractual relationship between Genomics England and Google”. However, it said: “We have a mutual interest in secure data storage and we have meetings from time to time. As part of our mandate to stimulate the UK genomics industry, we are in touch with Google Ventures. They invest in life sciences companies which may be interested in working with us.”

The recent Irish example of data transfer apparently without appropriate consent also reminds us that agreements and rules over who can access data can be broken. In January 2019, an investigation was launched into the alleged supply of 1,500 DNA samples from the Crumlin children’s hospital to Genomics Medicine Ireland (GMI) without proper authorisation from patients.

If these allegations are true, it would represent a breach of European data protection law, which requires explicit consent for the processing of DNA data. What is perhaps more of a problem is that even when people are told what will happen with their data, they may not understand those uses or its potential consequences.

Initiatives such as the NHS project are justified by claims that they offer an efficient way to diagnose rare or undiscovered illnesses, speeding up treatment and improving patient outcomes. More broadly, proponents argue, sharing DNA data can allow researchers to spot patterns that would otherwise go unidentified, increasing scientific understanding and aiding in the development of treatments.

But having your DNA sequenced isn’t just a way of finding out if you are at risk of a disease or making an altruistic contribution to an abstract research project. DNA data exposes our most inherent characteristics, revealing ethnic or racial groupings, as well as outlining current and future health issues. Some people have even tried to link DNA tests to intelligence.

Concerns about linking individuals to the characteristics revealed by their DNA are usually countered by claims that the data is anonymised. But both practical experience and academic work have shown that anonymised data can often be reassociated with the people it was collected from.

Read more: Your NHS data is completely anonymous – until it isn't

So sharing your genetic information could expose you to potential discrimination if it ends up with the wrong people or is used for the wrong purposes. Being offered different health insurance coverage and at different prices is the most obvious risk. But depending on who buys the data, pharmaceutical companies, employers and even government authorities could access your DNA and make decisions based on it.

Democratic governments can’t typically gather DNA evidence without the permission of a judge or via another legal procedure. But in the case of the “Golden State Killer”, US law enforcement agencies used DNA data from a public genealogy database to obtain evidence they wouldn’t otherwise have been able to collect. This raises concerns about the willingness of governments to use genetic records originally made to explore people’s ancestry for a very different purpose.

Giving away family secrets

The Golden State Killer case is all the more important because it highlights the most fundamental issue with DNA-sharing initiatives. When you share your DNA, you’re also sharing data about your entire family, who haven’t necessarily consented. The Golden State Killer didn’t get a DNA test but one of his relatives did. When enough people share their DNA, the genetic profile of entire communities becomes available.

A study of the database that was used to catch the killer estimated that it contained the profiles of 0.5% of the US population, yet this represented family members (third cousin or closer) of 60% of white Americans. With 2% of the population, that figure would increase to 90%.

GMI currently plans to build the world’s largest whole-genome database of some 400,000 participants – roughly a tenth of Ireland’s population – from a presence in all the country’s major hospitals. This would likely give the firm information on almost every family group in Ireland and a huge proportion of the Irish diaspora (estimated at 70m), enabling it to identify the most private characteristics of a global population.

This shows how, when some people allow their DNA data to be shared, it could expose both them and their families to risk and erode the rights of everyone else, meaning we all have a stake in how genetic records are shared. Organisations must be required to be clearer about who will use the DNA data they collect, and for what to prevent risk of misuse.