This FAQ has the following sections:
Member Dashboard Settings
DNA Testing Companies' Use of Customers' DNA
Law Enforcement Use of Genetic Genealogy Databases
MEMBER DASHBOARD SETTINGS
Q: Which settings in my account are most important to success within the project?
A: Project members will enjoy the most mutual benefit as everyone becomes familiar the various settings FTDNA provides in their account. By default these settings are at their most private (least amount of sharing), enabling members to opt in to the features they would like to use. While other settings are important, all members should take special notice of the following ones. You will find these in the upper right corner of your Dashboard where you click the down arrow to the left of your name and account number:
Privacy & Sharing Settings
The most important of the privacy and sharing settings to success of the project are:
- Under Family Tree Sharing choose sharing with members (or public) and be sure to add your family tree from your Dashboard.
- Under Project Sharing > Group Project Profile, opt in to 'Allow my Group Administrators to publish my pseudonymized DNA results and ancestor information in the public results pages.'
The tab just to the right of the Privacy & Sharing tab is the Project Preferences tab. This is where you set the level of access you want each administrator to have in each project you belong to.
- Group Project Access Only is the default setting. It is read-only to a limited degree but will prevent admins from being able to take a close look at your matches for analysis.
- Limited Access is also read-only but will allow the admin to take a close look at your matches for analysis.
- Full Access allows the admins to change some settings but most often this won't be necessary. It can be temporarily turned on and off again if needed.
[THIS SECTION IS STILL BEING WRITTEN DUE TO RECENT CHANGES IN THE ACCOUNT PAGES AT FTDNA]
DNA TESTING COMPANIES' USE OF CUSTOMERS' DNA
Q: If I get my DNA tested, won't I lose control over what the companies do with it?
A: Of the 'the big four' genetic genealogy testing companies — Family Tree DNA, AncestryDNA, 23andMe, and MyHeritage DNA (FindMyPast and LivingDNA will also deliver cousin matching soon too) — AncestryDNA and 23andMe used to assert the right to 'anonymize your genetic information and sell or otherwise utilize that information in aggregated format' (Roberta Estes). Under new laws, including the General Data Protection Regulation (GDPR; see below), companies are no longer allowed to assert this. Customers must opt in to allow the company to use their DNA for purposes other than providing them with genetic genealogy tools. Please see each company website for more information.
LAW ENFORCEMENT USE OF GENETIC GENEALOGY DATABASES
Q: I've heard law enforcement can use my DNA from genetic genealogy companies. I'm not sure what I think about this.
A: It's important to first clarify that the main DNA testing companies that genetic genealogists use — Family Tree DNA, AncestryDNA, 23andMe, and MyHeritage DNA — all require a search warrant for law enforcement to use their database. As of May 2018 no search warrant request from these companies has ever been successful. (See this TV interview with Cece Moore.)
This subject arose in the spring of 2018 when the 'Buckskin Girl' was identified (an unidentified crime victim) and a suspect was named in the 'Golden State Killer' cold case. These individuals were identified using the GEDmatch database. GEDmatch is a third-party database (not owned by any of the genetic genealogy DNA testing companies). Many people who have tested with 'the big four' companies choose to upload their raw data to GEDmatch, who provide additional tools for DNA interpretation and the ability to match with people who've tested at other companies.
In the Golden State Killer case, law enforcement had uploaded old, crime scene DNA to GEDmatch where they identified one or more distant cousin matches. After constructing an extensive family tree they and narrowed down to a suspect based on his locations and ages corresponding to the serial crimes that had been committed. Finally, they sampled DNA this man left behind in a public place, which is legal for law enforcement to do, and found a perfect match. This process did not reveal the match's autosomal genetics to law enforcement other than those specific segments that matched the crime scene DNA. It should also be noted that in this case there was a prior suspect found in the GEDmatch database. A warrant was issued to test his DNA, but this man voluntarily submitted it and was found not to match the crime scene DNA.
Each individual tester must weigh the rewards vs. risks, or risks vs. rewards if you prefer, of joining GEDmatch and marking their kit 'public'. (It can also be marked 'private' or 'research', see below.) Many fully support law enforcement using this database to apprehend violent criminals, identify victims, and otherwise support law enforcement efforts to ensure a safer world. For those who prefer not to have a public kit at GEDmatch, the next best step is to upload to GEDMatch and mark your kit 'research'. You and others whom you choose will still be able to run one-to-many comparisons against public kits or one-to-one comparisons with either a public kit or another private kit for which the GEDmatch ID has been shared.
This FAQ is meant as a starting place for members to explore these developing issues where science intersects with the hobby of family history research that we're passionate about. As stated in our Terms of Service, each tester and kit manager is responsible for their own ongoing education in all areas relating to use of their genetic information. The volunteer project administrators' role is to recommend steps members can take that more specifically will enhance their genetic genealogy research.
GENERAL DATA PROTECTION REGULATION (GDPR)
Q: What is the GDPR?
A: On May 25, 2018, the European Union (still including the UK) implemented the GDPR to provide its citizens with greater control over their personal data while ensuring that organizations adequately protect that data when they store and process it.
Q: If GDPR doesn't specifically address the area of genetic genealogy, and it exempts hobbies, why are you seeking to comply with it?
A: There are two answers to this:
(1) The admins could not administer this project if it weren't for FTDNA. FTDNA provides members with amazing products while providing admins with useful tools and web pages that allow us to build projects around unique research interests that in turn benefit the members. While admins have quite a lot of latitude how they design and manage their projects, our activities are made possible by and an extension of FTDNA's services. As a business with international scope, FTDNA must comply with GDPR, and both members and admins must comply with FTDNA's policies. It would be difficult to argue that FTDNA must comply with the GDPR and not the volunteer project administrators who use the data and tools FTDNA provides. (Link)
(2) The GDPR includes a section dedicated to 'special category data' (Link). One of the special categories is genetic data. It is quite clear in the GDPR that the use and storage of genetic data warrants clear user controls and assurances. While the GDPR exempts hobbies from its purview, and in this project we do engage in genetic genealogy as a hobby, it seems quite clear that the regulation's intent is to provide EU citizens with the necessary ability to control and protect their 'sensitive' information, including genetic data. It is my interpretation that the latter takes precedence over the former.
Q: What 'lawful basis' applies to the admins' processing of members' personal data?
A: The lawful basis (Link) applicable to this DNA project is Consent (Link). Project members need to provide opt-in consent to having their data used and/or stored in various ways. The most important set of opt in mechanisms can be found in each FTDNA customer's Dashboard. Project admins may provide additional opt in mechanisms to address our use of your data. [We are still working on our opt-in procedures.]
Q: What GDPR 'condition for processing special data' (genetic) applies to the admins' processing of members' personal data?
A: '(e) processing relates to personal data which are manifestly made public by the data subject'. (Link)
Technically the admins are not expert enough to know if this is the correct choice. The data being processed and/or stored is not necessarily public. We're doing the best we can with all this new verbiage.
Q: What is the purpose of the member Consent Form for data processing and/or storage that admins perform for members beyond the tools FTDNA provides admins through the Group Administrator's Pages (GAP)?
A: The purpose behind our seeking consent for use of personal data beyond the web pages at FTDNA is to help further the project Goals. This is a large project with a long time-frame. FTDNA's project pages don't provide admins with enough space to collect, preserve and maximize the use of all the information that will further these goals. Over the years admins collect information that project members provide at Facebook or by other means including email and other internet postings. The only way to efficiently manage the project and research is to collect and centralize this information by participant in a repository outside of FTDNA. [We are still working on our opt-in procedures.]
Q: If GDPR is intended to protect EU citizens, why does this project apply it to Australians, Americans, Canadians and other non-EU project members?
A: Administering a DNA project at FTDNA is a labor of love, but it does require a lot of time, and the larger the project grows the more time is involved. It would be impractical to apply different standards and expectations to different people in the project. Perhaps more importantly, GDPR answers a great and growing need in our information-rich world: to ensure that individuals are as safe as possible from illegitimate or unapproved use of their data.