Your genome is the most personal data that exists. It contains information not just about you — your health risks, ancestry, physical traits — but about every biological relative you have. It cannot be changed, anonymized with certainty, or contained once shared. As genomic testing becomes accessible to millions of Vietnamese individuals, the ethical frameworks governing genetic data privacy, informed consent, and data stewardship have never been more important.
What Makes Genomic Data Different
Personal data regulations in Vietnam (Decree 13/2023/ND-CP) and internationally distinguish between regular personal data and "sensitive" personal data requiring heightened protection. Genetic data falls firmly in the sensitive category — but its sensitivity has dimensions that standard personal data protections are not fully designed to address.
Unlike a password or financial account number, your genome cannot be changed if compromised. Unlike most health information, your genome reveals information about family members who never consented to disclosure. A parent's genomic data exposes approximately 50% of their children's genomes; siblings share roughly 50% of their variant profiles. This "genetic relatedness" problem means that individual consent frameworks — designed for data that affects only the consenting individual — are conceptually insufficient for genomic data.
Additionally, the predictive power of genomic data creates forward-looking privacy risks. Variants identified today as scientifically uninformative may become highly sensitive as genomic science advances. Information shared for ancestry analysis today could yield disease risk predictions tomorrow as research progresses. Genomic data has a uniquely long shadow into the future.
GeneStory's Privacy Architecture
GeneStory has built its data governance framework with these genomic-specific considerations at its core. Our approach rests on four pillars:
1. Informed and Specific Consent
We obtain granular, specific consent for each distinct use of customer genomic data — clinical health report generation, ancestry analysis, research participation, and database inclusion are each consented separately. Customers have the right to withdraw consent for research participation at any time without affecting their clinical services. No customer genomic data is shared with third parties for commercial purposes without explicit, separately-obtained consent.
2. Data Minimization and Purpose Limitation
GeneStory adheres to the principle of data minimization: we collect and retain only the genomic data necessary for the specific services consented to. Raw sequencing data is retained in encrypted, access-controlled storage with strict internal access limitations. Processed variant data is handled separately from identifying information using a pseudonymization framework that prevents re-identification even by most GeneStory employees.
3. Secure Infrastructure
All genomic data is stored on servers located within Vietnam, in compliance with Vietnam's data localization requirements under Decree 13/2023. Data encryption uses AES-256 at rest and TLS 1.3 in transit. Access control follows zero-trust principles with multi-factor authentication requirements. Our information security management system has achieved ISO 27001 certification.
4. Deletion and Data Subject Rights
Customers have the right to request deletion of their genomic data at any time. Upon receiving a verified deletion request, GeneStory deletes raw genomic data, processed variant files, and health report data within 30 days. Where data has been contributed to anonymized research datasets, we implement data removal procedures to the extent technically feasible.
The Incidental Findings Question
One of the most ethically complex questions in clinical genomics is how to handle incidental findings — clinically significant genetic variants discovered during analysis that are unrelated to the test's original purpose. If a customer submits DNA for ancestry analysis and GeneStory's analysis detects a BRCA2 pathogenic variant, what should we do?
GeneStory's policy, developed in consultation with our clinical ethics advisory board, is transparent opt-in disclosure. At the time of enrollment, customers actively choose whether they wish to receive medically actionable incidental findings. Those who opt in receive findings meeting ACMG (American College of Medical Genetics) Tier 1 criteria for clinically actionable secondary findings. Those who opt out do not receive incidental medical findings — though our genetic counselors remain available for consultation if customers later change their preference.
Research Participation: Benefits and Protections
GeneStory's VietGenDB research database provides the scientific foundation for our Vietnamese-specific genomic tools. The value of this database — in terms of improved clinical accuracy for all Vietnamese customers — depends on broad participation. But research participation must be genuinely voluntary, fully informed, and free from coercion.
Our research consent process clearly explains: what data will be used, how it will be protected, who will have access, what types of research will be conducted, what the potential scientific and public health benefits are, and what risks (however limited) participation may entail. Research participation has no effect on service pricing or access. Withdrawal is unconditional.
The Discrimination Risk: Insurance and Employment
In countries with strong genetic non-discrimination legislation (like the US GINA Act), genetic data's insurance and employment implications are legally constrained. Vietnam currently lacks comprehensive genetic non-discrimination law. This creates a legitimate concern: could a Vietnamese insurer deny coverage or charge higher premiums based on genetic risk data? Could an employer discriminate based on revealed health predispositions?
GeneStory actively supports the development of Vietnamese genetic non-discrimination legislation and advises customers to understand the current legal landscape when deciding what genetic information to disclose to insurers or employers. We do not provide genomic data to insurance companies, employers, or government entities except where required by law. Our advocacy positions include support for Vietnam's National Assembly considering genetic non-discrimination protections modeled on international best practices.
The Path Forward: Genomic Ethics as Infrastructure
Genomic ethics is not a constraint on precision medicine — it is infrastructure that makes precision medicine sustainable. An industry that loses public trust through privacy failures, coerced consent, or discriminatory practices will ultimately harm the patients it was built to serve.
GeneStory's commitment to ethical genomics practice is not primarily about regulatory compliance — it's about building a genomics ecosystem in Vietnam that Vietnamese people can trust with their most intimate biological data. That trust, once earned, is the foundation of everything else we're trying to build.
