Mine and Jared, you're ready to go. And it's all going great. OK, I'm going to make this microphone active. And a big thank you once again to James for his previous presentation on GDPR. And first of all, let's introduce the panel to you. We have James Irvin, who is a project administrator of the Clan Irwin DNA Project. We have Debbie Kennett, who is a project administrator of several DNA projects and the writer of the very popular blog, Cruwys News. We have John Cleary, who is the project administrator of several DNA projects, including the Scottish Prisoners Project, which has traced the descendants of 150 Scottish prisoners who went over to New England in 1650. We also have Donna Rutherford, who is a project administrator, and also has set up the DNA Help for Genealogy Facebook group, which has thousands of members. And she writes to all of them. And we also have Jared Corpran, who is the ISOGG Ireland representative. So can you please give them a warm welcome to our panel of experts. Now, there's several questions that I've put together, having talked to a variety of different people. And I'm trying to come to address the questions that are relevant to the individual person taking a DNA test. And what we're going to do is start off with Jared at this end and move down along. First question is, what are the biggest issues for you today in regard to privacy and data protection? So that's the question for each of the members of the panel. And we'll start with you, Jared. What do you think are the biggest issues in terms of privacy and data protection if you use the microphone? Yeah, I'd probably divide it into two. I have my data, which is sort of multinational. And I think multinationals are fairly well organized. We have to go through extensive training and examinations and so on and so forth. I think all of the big platform companies have to go through this process. So I think multinationals are fairly well organized and prepared.
It's more difficult when you get into organizations. Take, for example, the GAA, which is all over Ireland. They have hundreds of organizations. So it may not be so familiar with the use of IT systems. I think it can be a little bit more problematic there as a DNA administrator. I think the main thing is keeping it simple. I don't think we can dive into all of the volumes, which have been mentioned earlier, but certainly get consent. If someone wants to be forgotten, have the methodology to allow them to be forgotten. Donna? Well, like Jared, I also work in a big corporate and have been through a lot of training around GDPR and as it relates to, as in the guiding organization. And I also belong to several community organizations as well, where I help them understand what we need to do and actually get right to be forgotten as being something we've been quite careful about in community organizations. We've held a lot of paper on people's names and their addresses in a local area and we've actually gone through and destroyed a lot of that because of GDPR. We want to make sure we're not holding anything that people might think we could use at some point. And I think it's the same with really, really with DNA. If we're holding information that people might be uncomfortable with, I think they need to understand what information we're holding first. And then if they really are worried about it, then we should remove that and they should remove themselves from the project or they should not do a DNA test if it's really, really concerned about. But I think what we can't do is tell people how they should feel about their own privacy because I think privacy is a very personal thing. What I feel about privacy is probably very different to everybody else in this room. I'm quite a public person. You know, I'm quite open about a lot of things but I know a lot of people aren't. 
But I don't have the right to tell them they should be more open and they don't have the right to tell me I should be more private. So I think we've got a cater for people more individually than we have in the class. Very good. John, biggest issues to do for privacy and data protection from your point of view? I suspect we're probably going to be large in agreement on the panel about this. Clearly we all agree that the most important thing is what the testers feel about their data and the control they have over their data. So another way of looking at it is from the point of view how do we run a research project and what kind of involving people, involving living people who are submitting their data to their projects that we are partly administrators of projects. We're also people who are researching the surname or the group and are labelled by that project. So we need to make sure we're also following strict and stringent ethical procedures in respect of how our data is being handled and the half of those members and two big principles are do never harm and do good. And a lot of the research, ethics, principles and guidelines are shaped around the details that arise out of those two principles. So I think I agree with the first two speakers. We had to defend the interests of our testers. We can't tell them what they think. We can, of course, help to set their minds at rest and educate them about issues they may be uncertain about, which we may also be uncertain about. Clearly as we get into an era of whole genome testing there are huge new and issues being thrown about what kind of DNA data it may or may not be safe to post in public, which would be different to how many of them shade or responses in the age of Y testing and the ozone and smith testing. So we do have huge challenges. We need to educate ourselves. 
We also need to work with our members to make sure that they're not basing decisions on misapprentices, a lot of them actually is not a risk or a risk that's not related. Great, thanks, John. Debbie, biggest issues for the individual DNA tester today? I'm going to find a way of educating the genetic genealogy as a community as a whole, because I keep seeing people who think they have a right to other people's data. And especially in the age of Facebook and Twitter, I see people who've taken tests, they get carried away with their enthusiasm. They want to share, they want to ask questions, but in doing so they end up revealing all sorts of personal information about, say, people in their match list or other family members. And we need to find some way of sort of harnessing the enthusiasm, but also ensuring that they see things from other people's perspectives and not just their own perspective. And I think that also applies particularly when people are looking in unknown parentage cases. And quite often you see some very sensitive data that's being revealed about relationships. I think it depends on which Facebook group people are in as to how much those sorts of things are moderated. But I think we are in danger if we as individuals don't respect the privacy of others, then there could be regulation coming down upon us and it could endanger all of us. Okay, James, biggest issues for you today? First of all, I think all five of us and I'm fifth agree, I think there's no dissent in different degrees of emphasis. My personal concern is I'm now feeling a lot more confident as a project admin that if my individual members want advice on GDPR, I'm a lot more confident in the boundaries. The middle is a bit of a bit of a bit of a bit of boundaries to me, I'm much more clear and I've got more self-confidence. 
If they're in Europe, I'm much more worried about the American members or my project and the American customers of FTDNA, whether they're gonna get advice that is compatible with my attitude or our attitude, I think, on GDPR, that isn't much more difficult because there are cultural differences here, legal differences, but I don't think either side of the bomb feel comfortable about it. It's not a fundamental difference as a matter of degree, but they're approaching a common problem from two different directions in the way that one is a middle on that. Okay, while you're still at the microphone then, who owns our data? This was a question that came from individuals relating to privacy and data retention, who actually owns the data, just for clarity. I'm gonna be very radical on this, forget it. If we had four coffee cups here and I would grab some and say, I've got your DNA, because I have. If you drunk a cup of coffee, I can get that now analyzed and not only can I get your S3Rs, I could get your full genome. Your DNA is no more private today than private today in your photograph. You walk down the street. I might be breaking the law, but some people aren't worried about that. No, it's in Lucas. I could be, but if I hadn't had money behind me, and this is a radical, but I'm not suggesting, I'm not suggesting in the slices that that is the approach to be taken. But we are getting a little bit, a little bit, prima donna-ish of our DNA. Well, I mean, we all agree it's our family's DNA. It's not our personal DNA. It's shared by our immediate members of our family. I'm not suggesting the problem of this gets rid of the problem far from it, but to say this DNA is mine, it's both to my brothers or the testing companies or the project administrators, it's a great one. Sorry. Debbie, who owns the DNA? 
Well, I agree we own our own DNA, and we have the right to do what we want with our own DNA, but I also think that we should be very sensitive that our DNA is shared by our siblings, by our parents, by our cousins, and we also need to think of them when we are sharing our data. So it may be that there are situations where you need to get concern from them if it is something that's particularly sensitive. Not nothing to do with rights, but just purely out of respect. John, any concerns about DNA ownership? I was talking just through the James series, but he's talking about my DNA in a coffee cup, but actually that's not my DNA, that's my tissue. And something in the UK and the North, there is the Human Tissue Act which prevents you from taking that and using it. Yes, you can probably do it scientifically, but you can legally publish the data you can write from that test. I don't know what the law is and I don't know what that is, but I'm tempted to do it from a very general point of view. So, who owns our data? Is it if you have a question on this? Once the data has been derived, who has the right to publish that data? And ultimately, it's data that you have granted for some form of research project to have the right to determine how it's used, you have the right to draw it, unless it's been anonymised into a study which of course you must give consent for that to happen. So, I think there's actually a consent issue. It's your consent for the data derived from experiments done on your own personal human tissue to be used in certain ways and you have the right to put it into a project, you have the right to withdraw that. And it's not quite the same as what David was talking about, which is of course the issue that bits of my DNA, including almost all of my Y DNA, are replicated in the names of my family. So, if I publish that and publish something that may belong to them, what does belong to them? 
Because we don't necessarily know what proportions it may belong to other people. So, a pattern of DNA data that I have is unique to me. I believe I do have the right of disposal over that, but again, I have the right to decide whether it's into a project and the right to withdraw it. So, in that sense, there's ownership and that grants the right to use to other people that I have had in that. So, if I could start. Yeah, obviously I agree, we own our own DNA, but I think one of the things that's happening with DNA testing, it's probably more of a question really, is that when we're doing a DNA test, we're not only exposing our own information, we can actually be exposing a lot of information about our own family. And if we're hunting down by-appearance for adoptees and families and we're chasing people that are matches to those people, we could be, you know, we're identifying perhaps a family secret that someone hasn't realised has come out because they've done a DNA test. So, by doing a DNA test, I could actually find out that maybe one of my dads has a secret child because that child is tested and matches to me and is trying to find out who their biological family are. And I don't know that any of us think about that when we do a DNA test, we think about ourselves, but maybe not what we're exposing in our family. So, whilst we own our own DNA, do we actually own the right to expose our family? Secrets, yes. Yes, I believe absolutely that whoever tests their DNA, owns the DNA and should provide consent for it to be used and can withdraw that consent at any time for it to be used. In the same way, I believe we should own our own medical reports, which we don't. Very often they're hidden in filing cabinets and trying to get access to them is a major issue. I believe everyone should own their medical records and data. 
I welcome new business models come into the genomics because we're going from, you know, testing million steps to testing three billion steps, a lot of data. So, we need systems in place to manage that. I welcome the new business model like, for instance, Nebula Genomics, which is founded by George Church, where you can offer to provide your DNA. It is registered on a blockchain, so it's an immutable audit trail. And whatever a researcher wants to use your DNA, they can subscribe to that. You are alerted to it. You can withdraw consent. You can permit it. They can provide you a small payment, micro payment for DNA. I think these types of business models will come in. Sheaf own are doing the same. So, I would welcome that. But definitely the tester owns the DNA. Very good. What are the dangers of publishing your data? This is a question, yeah, but you have the microphone, so we start with you. And this is a question that a lot of people have. What are the dangers of actually having my data and how to do that? Well, I admire a few people like James Watson, published his DNA. James Flatley, the founder of Illumina. You can go up onto his website. You can download the Magnificent app for free. And you can download James Flatley's full genome. Also, I haven't looked at it and play around with it. A few other, George Church has said several people, of course. And in the Open Genome Project, that is the principle of the Open Genome Project. So as a volunteer citizen scientist, I would tend to share that type of it. There are dangers, of course. And they definitely shouldn't share children's DNA. Or it should be, consensuals should be adults who make that consent. And they can withdraw that consent. Dangers that publish in your data, don't they? Actually, this is something I'm really interested in, because I like to write a few blogs. And I've written some of that to my family from a genealogy point of view.
And I'd really like to publish some of the things I found out about my family through doing DNA testing. But I don't really know how to do it without exposing who my DNA matches were. And I feel like I can't do that. But I have actually seen something happen with one of my matches. He wanted to publish a lot of information, including my family. Didn't ask for my consent. And I found all his blogs about the analysis he's done on his DNA matches, including me and my family. And Hetch had got my family the wrong way around. I had my mother as my daughter and my uncle as my father. And that was all written up in his blog pages. And although he didn't expose our last names, he exposed our first names. And I just felt that that was wrong, that at least he could have asked consent. So I actually hadn't published anything about my DNA matches. I wrote up a small booklet for my family when I went home in August, explaining a lot of stuff about other foods and things I found out through DNA testing. I did actually mention the name of the DNA matches. And at the end of that little booklet, I said, please don't show this to anyone, because I really felt quite concerned that I'd exposed some people. And not that they'd done anything wrong, but I hadn't asked if I could write about them and print a booklet out and take it to the other side of the world. So it's something I'm really interested in, is how we can share information and not expose data or not expose people. So I don't have an answer. It's just another question. Sure. That was very good to hear. I think I just have many questions about this as well. I mean, I wonder if it's publishing DNA as such as necessarily the problem. The problem really is what others might do with that data once it's published. So the very general problem is that you would lose control of that data. If you publish it, you can no longer draw it from other studies or other uses. You lose the power to consent to other uses because you publish it. 
So others can get their hands on it and use it as they will. But I wonder actually, is that necessarily a bad thing? I really don't know. And it's really something I'm wondering and thinking about a lot at the moment. A few years ago, I'm not quite sure this example is really directly committed, but a few years ago, one of the four was involved with the people at Norris and Debbie in genetic genealogy. Before we got lured onto the carousel of these talks every year in Dublin, we had cause to think about whether we should do some genetic testing with a particular variant that may relate it to a particular disease in our family. And one of my cousins was approaching me to say, would you take this test chart? And at this stage, knowing far less about even a little I know at the moment about genetics, I was reluctant to do it because my fear was that if I was a test for that particular variant and found it positive, would I then be required to report that to insurance companies and therefore potentially affect my insurance and insurability in the future? That's different than publishing. In a sense, that's a different usage because insurance companies are maybe saying, therefore, if you know something like yourself, you must disclose that before we can show you legally. If we go to a situation, I don't know, a thought experiment, if everyone just puts their DNA online by James Watson, would it actually affect us in terms of our insurability? Would insurance companies be able to use that data? It would be so much of it that we can process it. And you can't anyway make, in most cases, direct predictions about the likelihood that somebody would have disease or condition X or Y just from seeing the DNA sequence alone. So maybe perhaps we're a bit fearful about the effects of publishing and perhaps we can be better advised to move to a state where we just let it go and not worry about it because maybe it's not going to harm us that much. I don't know. 
Well, in Ireland, we have a very elegant solution. The Irish insurance companies overcharge us all equally. But do we actually publish our data, Debbie, because when you look at ancestry, my heritage, family tree DNA, say for all of us on the DNA, they're showing you your matches. That's not your raw data, is it? No, I wasn't quite sure about the question in the first place. I would actually, because I actually think there are a lot of benefits from publishing data. And that is how we advance our knowledge. That's how we advance science. So I remember if you take Biobank, they've gene-attacked everyone at UK Biobank, they are now going to be going ahead and doing whole genome sequencing on 5 million people. So the data is all non-analyzed. It's aggregated with our national health records. And they've now published hundreds and hundreds of papers. So they first presented at the ASH gene meeting. Nobody knew it existed. And then suddenly everyone realized there's this absolute gold mine. And so now we've got other countries following suit, trying to do exactly the same thing. And I think we need more and more of that, but it needs to be done responsibly. It needs to be done ethically. I think that's one of the problems too many people publish without the appropriate consensus in place. James, data is a publishing data, whether it's raw data or just matches. I'm awfully orthodox. I'm not controversial. My previous remarks were, of course, tongue-in-cheek that what I was suggesting, of course, is illegal. And I go on to John's point about insurance companies. By GDPR, they are not allowed to use the data we're talking about to tinker with your premium. It's against the law. Whether they follow the law is a different matter that's what I was even to. But I think I wouldn't want to write that down. On balance, generalizing, there are much more benefits to publishing than on our downsides. But that's a very stupid mistake. OK. 
While you still have the microphone, what about third party tools? Third party tools? Could you explain to people in the audience like me what you mean by third party tools? Tools like GEDmatch, DNAGedcom, any situation where you're downloading your raw data from the company that analyzed it initially and you are uploading it to third party website like GEDmatch, like DNAGedcom. And there's lots of Promethease, the medical ones. There's a lot of different companies out there. This is a classic example of how personal it is. Personally, I am not awfully influenced by the benefits of that. And therefore, I would suggest on balance not to do so. But many would rightfully say, I'm very ignorant and biased and all the rest of it. And I should see the bigger picture and helping society understand the benefits going down in this room. These things are awfully personal. And they are now the precautions of, I gather these companies have learned that they've got to be a bit more careful than they were in the past. So by and large, in principle, it's not a bad thing. But I'm not bursting to throw my DNA data at every possible person in my thing that can persuade me that it's going to be beneficial for their research and that to know what the benefits are for us. Debbie, are you going to throw your DNA around? I'm quite happy to throw my DNA around. I think we have some absolutely wonderful third party tools developed by people like Johnny, Curtis Rogers and John Olson, who created GEDmatch. But the thing we have to remember is all these people are doing it often more for love than for the money. And they're doing it often on very limited resources. So you cannot expect them to have the same, they're not going to have their own data protection officers, they're not going to have expensive lawyers who can advise them on all these issues. So you have to sort of bear that in mind when you use these websites.
You may not get quite the same protection that you would expect from a big company. But I would hate to see over-regulation of small citizen science websites. I think we should all embrace them and support them and encourage them and if there's anything wrong, just provide constructive criticism behind the scenes rather than call them out in public or whatever. Very sensible. John. Yeah, well said. I fully agree. Not really much more to add on that. I would say these are tools. So they are primarily for the benefits of DNA testers to discover more about their DNA. Of course, you should be very careful if you're uploading someone else's DNA results to make sure you have the proper consent, to make sure you haven't formed your likely relatives that they would be about the risks. It's certainly true that if you download your raw data from the company's site that has done the test, it then becomes at least a little bit less secure, probably a lot less secure. When it's also rendered under GDPR, we have a right to portability of data. So if a data is ours, we should be assisted, in fact, by those companies to download them and make them accessible for other platforms and other tools that we wish to use them on in order to understand better the results of the test. If we rely purely on the native tools within the websites of the company to test, they tend not to be as satisfactory as some of the specialist tools we've developed elsewhere, which address very particular needs. So we do need portability of data, but as David said, we need to do it responsibly and not to expose other people's DNA results illegally or unfairly and make sure we treat them with all due respect and get all the proper consent. Very good. In fact, we had a good example exactly 12 months ago of what John was talking about, when FT DNA at this conference last year announced we had the triangulation tool on the FT DNA site. 
It was taken down about two weeks later because they suddenly realised that it was exposing other people's DNA because you could see matching segments. Now, we have other ways to do that, of course, on GEDmatch. And in MyHeritage, 23 and allowed matching between the 20 gates. But I'm not sure if everyone realises that that is available on those sites. You see, the FTDNA didn't want to take that option and took that tool down. So, I mean, for me personally, I'm more than happy to have my DNA wherever. I've got it uploaded everywhere if I possibly can. And I admire what people are doing with the third-party tools to help us. But I think individuals need to understand what they're doing and maybe that's what we need to help and understand what they're doing when they're using those third-party tools. Great. So there is a need for education. I suppose I was initially concerned for the first two GEDmatch to see that I could see all the emails not only my matches, but everyone else's matches. I thought it was a little bit, probably needs a little bit of tightening up on that side. How, in my analysis, I use cyber and Watson, right? For SNP analysis, trying maps, data analytics and things like that. Does that mean I understand the algorithms which go into IBM, Watson, artificial intelligence? Not at all, right? But I have to trust this organization, IBM in this case. I have to trust that they've put in enough checks and balances to protect the data. I'd like to experiment with Google and Genomics and Amazon Genomics and so on and so forth. And I think generally the large platforms have made large efforts to protect the data. If they didn't, they wouldn't be in business. There have been some notable cases, the Facebook, Cambridge Analytica fiasco, right? And I think Facebook suffered from that. But I think the tools and the platform companies are learning and as long as there are no major leaks of data, I would continue this.
Well, while you have that microphone, it leads on nicely to the next question is, who should we fear most? DNA websites, Facebook, or your bank? Definitely, our bank is our bank. Just to try and put things in perspective. I think historically we've had our banks around for a few hundred years, right? And we had a certain inbuilt trust because of financial protection and so on and so forth. Facebook, I think, has let people down and they need to work hard to regain the trust of people. And the third one was the DNA website. Yeah, you know, I would hope they are secure. I've seen some good examples. I've seen some very, very bad examples. That's a really tough question. I mean, yeah, I mean, your banks have been around for you, but Facebook's been around 10, 12, maybe 15 years now. DNA websites and you, you know, I think there is a chance that we might see some sort of DNA controversy over the next four or five years or maybe earlier next couple of years that might hold back DNA testing for a while. I don't know what that controversy might be. Somebody goes to the news about something they've found out or who they might be related to, somebody in power or whatever. So I think there is a possibility you might see a big controversy around DNA websites in the next few years and that might cause a bit of a backward step for a while. But you know, Facebook, a lot of my friends left Facebook after the Cambridge Analytica scandal. They're all back in Facebook now. I think, on the last point, I think a lot of it is about public attitude, a perception to what we are or are not allowed to be public. I'll do it out in public or on social media. And why do more people not drop Facebook after the Cambridge Analytica scandal? Because it does what it does well enough to attract a critical mass of people to want to use it. And there is no real alternative for the people who use it at the moment. Maybe one can be created, but things Facebook is there.
And so the convenient thing is to say, oh, well, they're back and then they've put it right. I hope Facebook is crossed. But I'm carrying using the things I do with it. And I think, I suspect we probably do the same with the DNA websites that we use. There may well be a huge deal in the data breach at some stage. And who knows what kind of public reaction there will be to that, what depends on what the nature of the data is, the many breach, but data breach isn't happening all the way across all kinds of sectors. I wouldn't think the DNA companies themselves are necessarily going to be immune from that. I didn't want to answer a lot of questions. I don't know what you know, but you can save the government, Morris. That's true if you live in China or if you live in Kuwait, where in China they have tested 50 million people surreptitiously. They put forward a, this is part of one of the newspaper reports I read. There was a health role type of initiative and they swapped people and didn't tell them that they actually were collecting their DNA. And now apparently they're using that to discriminate against the Uyghur community in northern China, which is Muslim, and a lot of them are being sent, apparently, to reeducation camps, which sounds very much like Nazi concentration camps. So it just brings back some of the horrors, perhaps, of what we experienced in Europe 80 years ago. Of course it would never happen here that we would elect a totalitarian regime. I think it's also fair to say that Facebook have evolved since the scandal of Cambridge Analytica. Have they evolved enough? Anyway, Debbie, what do you think about that question? I think all the big websites are equally prone to having data breaches. I don't think it makes any difference whether it's a bank or Facebook or a DNA website. My heritage had 92 million emails potentially stolen and hacked earlier this year generally. 
And I think if there is a risk of a data breach it's more likely to be one of the third party websites. Something like GEDmatch is probably much more prone to that sort of activity. But I think it's actually more... It's not so much Facebook per se. It's the users and the information that they reveal. So I think you're more at risk from other users revealing information about you that you don't want to be revealed. And people just seem to have a very careless attitude often to other people's privacy. So I think there's more danger in that sort of thing happening or people revealing your address or your telephone number rather than actually the companies revealing anything for you. Because I think GDPR has encouraged all of them to look again at what they're doing and I think that's actually been a big benefit. And Facebook especially has really had to make sure that everything is done with the consent whereas in the past they used to set everything really open and then you had to gradually shut everything down and they just assumed consent to share everything and now in most things you have to actively opt in. And I think it's also important to make the point that privacy and data protection are not static concepts. They're constantly evolving and our approach to safeguarding privacy and data protection that's evolving too as time goes on. James? I'm not qualified to answer because I don't use Facebook and I don't bank online and that's not what I'm frightened of. But yeah, what the others have said I agree with but I think the government would be a good last question, a last option.
For example, the UK government when they sponsored the driving license centre set up a data bank had no shame at all in sending that to private companies for advertising purposes by mentioning it that it was breaching our whatever rights we're supposed to have as individuals, and that was totally iniquitous, and GDPR has got a lot of small print that gives wiggle room to governments to do all sorts of things. They're a bit tight on the police side, they're much about the medical side but when council, what governments can do with personal data there's loophole to the law. So I think that's probably the missing ghost there.

Can I suggest before we go on to those last two questions, Maurice, that we go to the floor for questions if we run out of time to come back to those last two.

Well, we have a few questions from the floor so I'm going to come round and first of all we'll go to Johnny Morris.

Thanks, Maurice. I have difficulty or doubt about whether we can say we own our DNA. We own mixtures of DNA which we've inherited from various other people and with which we share various proportions. So if my brother for example was in my share a huge amount of DNA he had to say, he then turns around and says he wants his DNA taken offline or not made available publicly. Does that mean I then have to redact those chunks of my genome which I share with him? So in question, it's mutually owned DNA that besides the mixtures each and every one of us has is our own but not the actual chunks.

That's a great point. Any response to that from the panel? I think it's probably South Melbourne actually. John, questions from John?

I'm a guest in the country of Ireland, the Republic of Ireland today in the European Union so I'm coming from an American viewpoint, child of Irish immigrants and because of that I'm an American and Irish citizen. The Americans had a completely different take as you guys kind of indicated when it comes to GDPR.
Our viewpoint of regulation of non-elected bodies out of Brussels speaking regulations is part of our DNA in the United States. And the Americans may come from the viewpoint that you don't understand when publishing certain things both on Facebook groups and blogs and different things and you're like, oh my God, this is unbelievable. It's just a viewpoint that's completely different, and I think I'm just raising that voice of difference because with all regulations, whether you like them or not, your point or your philosophy comes from a different viewpoint. There's a pendulum swing here, and I wonder if the viewpoints of the panel members have changed since GDPR came into versus where they maybe stood three or four years ago before all this, and I'll give you a perfect example of the pendulum swinging. You brought up the idea that UK law enforcement agencies have had to purge people of prior convictions for example, which is absolutely insane from American viewpoints.

That's not actually true. People who have convictions they stay over database forever. People who haven't been charged for their database.

And the point I'm trying to make here is the pendulum can go crazy here because the recidivism on criminal activity in the United States is 68% within three years and in a lot of Western countries it's over 50%. So if you wanted to find out who robbed the bank, most likely person who's robbed the bank previously. One viewpoint I want to make on Facebook: I've seen on a lot of the Irish genealogy Facebook groups wide disparity between their viewpoints on GDPR, and I'm interested in your viewpoint on this, because some of these groups, most of them are closed groups that you have to have membership on, but you have somewhere matching is not a problem and talking about DNA is not a problem. I find that sometimes you're on a particular group that's less DNA friendly or don't bring up anybody that's alive today. We don't want to know about them.
It's all over the place, and I think it's again a symptom of this pendulum swinging way too far over before it goes back to the middle, and it's affecting behavior today when it comes to learning and data that we all want to learn from things and understand respect that there had to be. But I think the regulation of this industry has to come from where it came in all previous industries: it has to come from within. Organizations like ISOGG have to set up guidelines for what is a genetic genealogist. They have to set up guidelines of what is our own viewpoint, in my opinion, of data security and sharing of kit information and stuff, and where do we stand as volunteer army genetic genealogists out there when it comes to volunteering as project admins and having blogs and coming up with all kinds of wonderful Johnny Perle formulas. And Robert Casey uses this L21 SNP predictor tool on his blog that all of us tend to love on the Y side. All of these things take data from our sites, whether it's in a CSC form or whatever, it's in a pseudonymized form on GEDmatch, and we're using it. And I think guidance needs to come from within, because the history has a way of regulating people that don't regulate themselves.

Can I respond to that?
I completely empathize with the points that you made. The pendulum thing, I think, is very significant, and the difference in how the pendulum is swinging at a particular point in time in different places in the world. I think in Europe generally the pendulum is swinging back towards the middle quite a bit in the last six months. We were very apprehensive; I wouldn't become involved in this if I hadn't been really scared, and I'm now quite relaxed. Whereas I think in further field, across the pond, there's some pretty radical views, and you voice some of them: from a common sense point of view, or where the hell was Europe going, it would seem to be ridiculous. And if you get two good lawyers and you pay them, they will develop these arguments to the nth degree. This is a lawyer's paradise, this business, and they will earn a fortune either attacking or defending whatever the issue is, and they've got plenty of ground to work with, and unfortunately the other ones are going to win out, not in the long run but in the short term. The point about ISOGG I endorse completely. I think it may be more difficult to revise our guidelines and to conceive them because we want to work with some degree of unanimity and consensus, and if we're going to have American underwriting of the next generation of our guidance. So I'm not rushing fences on that. I'm hoping the American pendulum, or the pendulum of American administrators, is going to swing back a bit more towards the middle, and when we come to revising it a bit less of this, I would say, unjustified concern, because in America I think it is very justified, for the recognition that at least in Europe this legislation is not intended to be proclaiming for our activities at all. I'm sure of that.

We had a regulator here in the audience who unfortunately couldn't stay for this panel discussion, but I told him that it would be available on YouTube. It was the chap, in fact, who corrected you on the Irish situation, and he has been responsible for
ensuring that GDPR is rolled out into, at a state level, in the state regulatory body. He's worked for a state body, and GDPR is to catch the big fry and not the small fry, and we are small fry. I think that's very reassuring for everybody, that whatever GDPR sounds, however scary it sounds, it actually is not aimed at us. It's aimed at Facebook, it's aimed at Google, it's aimed at these big multinationals who have access to huge swathes of data which may be used perhaps to change the direction of a presidential election, for example. But that would never happen.

Maurice, you're right, that was the intent, but unfortunately the American lawyer will say it says the individual is liable for nearly as much as the corporation. Those words were put in very deliberately, it would seem, and there is prima facie cause of concern. I think practice is not going to happen, but the wording is bad law from a legal point of view, that the concerns are justifiable in an academic theoretical context. I think we're justifying and being very relaxed, but that doesn't mean the threat isn't there.

Okay, in the last few minutes I'm going to take more questions from the audience, but I just want to throw up a few slides about how to optimize your privacy and data protection, and to reiterate what the panel said: it's very important that you choose the level of privacy and protection that you are personally comfortable with. So that's just to emphasize what the panel said, that it is a very personal thing. But for example you can use a false, well, first of all, you don't have to do a DNA test at all. So the one great way of maintaining your privacy is not to do a DNA test. You can also delete your kit. But you can also use a false profile, maybe not Clintings, but maybe John Smith would be appropriate. You can use an alias or a pseudonym or letters and numbers instead of a number. Never use your real date of birth. Trying to look 20 years younger, I always take 20 years off my date of birth. Create a bespoke email address,
especially if you're posting on GEDmatch, where your email, as Jared said, is going to be open to public view. You can create a bespoke email address like 1234567.gmail.com which will completely dispel you where you're coming from. Only give the minimum amount of information. For example, I don't think there's any need at all to put your postal address or telephone number on the FamilyTreeDNA order forms, because it's not something that is ever really going to be used. As long as you have your email address there, I think that's going to be fine. Any comments on those, or any additions to those?

I think the FamilyTreeDNA of course needs the postal address to be sent to, but in any case one of the changes since GDPR is that administrators can no longer see the postal address. So I think the FamilyTreeDNA has a date of birth protecting it from people who don't need to have it. We can if they set their advance. Yeah, so, so the safeguard of FamilyTreeDNA. Have you involved Jens?

There's two details I think we ought to bear in mind. One, we do want the surname, the true surname, because in my DNA that's absolutely critical. It's important for genealogy, it's important for genealogy. And secondly we want the country of residence, A, so we can trace the diaspora, and B, so we know which legal regime they're coming in. And I think the surname and the country of residence, which are two important parts of the postal address, shouldn't be excluded when we say, for example, postal address other than for the obvious purposes.

Sure. And we have a comment or question down here, so I'm just going to come down.

Can I, can I go against the false profile? We're trying to make contact with other members of our family through DNA. I don't like making contact with a false profile. I'm giving my information, I'm just going out there to share. I didn't want to contact in digital, I want to contact another topic, I want to contact another Rutherford, I want to contact another whatever. That's why you know who you're
talking to.

Can I suggest, maybe, I can see where Maurice is coming from with this. I phoned this time my people who were uploading. I think in the company sites I wouldn't go for quite this extent of concealing of data. I think the third party sites, GEDmatch for example, I understand why many people would rather conceal their identity. But I would suggest, if you do create a bespoke email address, use it, so make sure it's one you're going to check to find the messages coming in about this. And many will do create special email addresses to handle for the volume of email correspondence which they can receive. I do understand that, if you're pointing, we do need to be able to contact people matching. There's no point going into these tools if we don't.

We should have really options for optimizing rather than these are the recognitions. It's just to show what you can possibly do to protect yourself. I'm not suggesting that everybody should do this, apologies if that came across, but I see now I should be saying options for optimizing, and it's not something that you should do in all cases. But if someone is particularly paranoid about the privacy of the relation protection, then these, there are safeguards out there that you can use, should you so desire, to actually optimize your privacy and your relation protection. Does that answer, hopefully that answers some questions.

I think most people can be discovered anyway, so why, why go for it? Most people, with a really good Google research and a little bit of hard work, you can trace most people anyway. We have everything else, we have everything else, there is so much of this. It's just like everybody that, actually, I mean, I've had one of these where I find they didn't respond and I've gone through various other things, I find to be still not responding, but I now know. There's a good point. It's very easy to actually find people online just by doing Google jump.

I'd like to just make one particular point, alright, and this was, there was a reference to public
publishing data, publishing data, and what people do with it. The example of James Watson and his genome that was published, but he redacted part of it because he didn't want his risk for neurodegenerative disease to be known. But there were techniques used that were able to interpolate the redacted part of that particular sequence. So he clearly did have concerns, but what people did, third party people did, was obviously to be able to work it out from the sequences either side. So that's just a point I would make on that. The other point is really, is a question I would ask of you as project administrators. I know that it's a relatively short time the GDPR has been in place and the like, but have you found that that has actually adversely affected the work of your project, your targeting of would-be testees and, you know, bringing forward your project?

I would say that the biggest drawback I found is not having access to the person's country of residence and being able to access the most distant known ancestor information, because quite often I used to be able to help people to do that, and now I can't do that without having to ask permission and having extra access, which I don't really need, just to do that one simple thing. So I would hope that eventually we will get some changes so that we can get that information made accessible and we can actually have access to the most distant known ancestor field so that we can optimise it for our projects. And if people want us to help them, then we should be able to help them without having to put them through extra hoops to do so.

I've lost six months work of my project in being diverted on to GDPR. That's about that, it might even be more. And secondly, progress in the future was otherwise, Debbie's a little bit of some of the aspects. I think that there may be ways around, but the whole process has got more labor intensive. The reward of being administrator, and unless you're lucky and you've got that motivation in the first place, it's much greater,
the incentive to become an administrator is diminished considerably. I hope we can ride this storm and what we do continue, but I think it's taken a dent that's going to take a long time to pull out of. But with our enthusiasm we can overcome that. I don't want to be pessimistic, but we've got a bigger hill to climb than we had before.

Have we lost project administrators as a result of this?

We have lost work well families can't completely, and a lot of people depended on that to a considerable extent. It's a masquerade of rhetorical. We know it's happened. The question is, is this damage? Every time you lose talent and you lose resources. I think some of the things like Ysearch and Mitosearch, I think GDPR was used as an excuse to kill them off. I think with all of these things something could have been done with GDPR, which is they chose not to invest money, and you can understand why. Ysearch and Mitosearch.

Two last slides and then I'm going to throw it up to general discussion. If you want to privatise your kit, you can do so. You can deprivatise it to work on it and then reprivatise it again afterwards. And just putting that there's an option, not as a recommendation, and the option is it allows you a greater level of security, and it doesn't mean that you are unprivatised all the time. So if you're very paranoid about it, that's something you can do.

Where from, do you think? You can privatise it on GEDmatch. You can also privatise it on the company websites as well. It's just been deleted from Ancestry. Yeah, absolutely, you can also delete it from any website, and you can delete it completely. If you wanted to work on another website, you could transfer it and then work on it and then delete it. If you want to be paranoid and just want a very high level of protection, there are options out there that will help you achieve that level. And then the last slide here is privatise your family tree. Very, very important for all of us, is that, especially for dealing with living people. Most of the time
the companies will privatise the living people. Sometimes there are glitches and they don't, something I discovered if you put anything in the death field on Ancestry, so just be very careful of that. So those are just in general options that you can use. But now I want to throw it open to the floor again. Any questions or other comments that you want to raise with the panel? We have a leader down here. I'll hold this for you.

Hi, I just want to go back to the point about who to be more scared of, Facebook or, and I know you guys said the government would be a forward culture. I think we're underestimating the potential there. I know Spotify at the moment are trying a new feature where you can link from your Spotify account into your 23andMe profile and they will suggest songs to you based on your composition. So if you're over 50% Spanish they'll suggest Spanish music to you, for example. But now we're going to be in a situation where people will be lured by that little feature and then they'll be giving their data into Spotify. So we've seen what Facebook has done with people's data; what's to prevent Spotify from doing that? For example, with Facebook I fought for years for them not to know my phone number. I never installed Messenger, never gave them my phone number when they asked for it, but yet somebody else gave their phone book to Facebook, which had my full name in it, and so Facebook kept suggesting, is this your phone number, and they had it right. So I'm worried that we're going to go down that route with DNA, especially if Spotify now is going to get its hands on everybody's 23andMe profile. I wonder what you guys thought about that, or had you thought about that?

If you're worried about things today, you ain't seen nothing yet, because technology is growing exponentially. They say in 10 years time we'll have computers which are more processing capacity than human brain, in 20 years time more processing capacity than the entire humankind. So we are going to a, what we call technological
singularity, and that is the existential threat to humanity, not the small issues of privacy we have today. It's a huge issue, but you mentioned there social networks can combine features, like between Facebook and Spotify. It's very easy to do and it's a threat to privacy, yes, but I believe in the longer term we've much bigger challenges to face.

Yeah, I agree, and you would find that's happening with advertising. There's something on Amazon, next minute on your Facebook, and all the same things come up that you've just seen on Amazon. That is because everything can slip up online and you're followed and tracked. In the same way, in London I have an Oyster card, so I'm tracked around London every time I go out with my Oyster card, my credit card. My mobile phone is on all the time; somebody at O2 knows I'm in Dublin. This is what's happening. But I know it causes concern. It doesn't necessarily worry me so much, but I know it is a concern for people.

I fully agree. I think it's this linkage across databases, I think it's the issue here, and it's happening, and I don't know what kind of regulation is of it. Perhaps what we need is a super GDPR, the issue of which databases may or may not cross link our data, and that's the only way we can prevent this. Maybe one non-elected body could form another one.

This is all being done by sophisticated algorithms, and I think the answer will eventually be better algorithms that actually have privacy built in, and you've got things like blockchain that can encrypt data. So I think eventually it should be possible to control these things better with technology, whereas at the moment we're sitting in the early stages of these algorithms. And there was, in fact, the, the Houses of Parliament in the UK, they've recently set up an inquiry to look into algorithms, because there's very little transparency about how these algorithms work and what information is behind the decision making process. But I would have thought things like revealing telephone numbers, that shouldn't be
done, but not that from happening, it's just they're not doing that at the moment.

Can I, the Spotify thing, I think the big word here is informed consent, and what is informed consent to a teenage girl? If any of you have got granddaughters and teens, the problems that are around the corner, horrible.

Any other questions or comments? Patti, come over here. Patti, I'll hold it for you and then you just speak.

I have always got far more emails than I can handle, and I've been very concerned about keeping my email address off webpages, but Family Tree DNA, as part of GDPR, has put every project administrator's email address on its public webpages, where it can be seen by people who are not Family Tree DNA customers. Can James or anyone tell us which section of GDPR has forced FTDNA to do this, and are they in breach of GDPR by actually advertising arena and the rest of that?

Your consent, this is part of the privacy statement, if you feel obliged to do a privacy statement, which to me is the, the first step we take. You've got to declare who you are and how you can be contacted. That's asked for. I think that's where I interpret it. A lawyer could find another excuse not to, but it's, you can't get all. This is a compromise. On the one hand we want to share data, on the other hand we want privacy, and the two are in irreconcilable red clash, and we've got to live with that. There are all sorts of wrinkles and so forth, but the idea is never going to be there.

Well, we have to call it a day at that point in time. I think it's been a fascinating discussion. I think you've raised some very interesting points. Thanks to the audience for participating, and I'd just like to say thank you to all for your patience and thank you to our expert panel for their expertise and experience.