Skip to main content
Icons of Progress

Pioneering Genetic Privacy

IBM100 Pioneering Genetic Privacy iconic mark

In October 2005, IBM became the first major corporation in the world to establish a genetics privacy policy. It prohibits current or future employees’ genetic information from being used in employment decisions. In an all-company announcement, CEO Sam Palmisano explained, “It has been IBM’s long-standing policy not to discriminate against people because of their heritage or who they are. A person’s genetic makeup may be the most fundamental expression of both.”

The watershed policy extended four decades of IBM leadership on issues of personal privacy. IBM has been able to anticipate both its own information needs and the impact of technology-enabled advances as they ripple out to larger society—while enabling data flows and undertaking a conscientious public response.

Executives at IBM had been quietly considering a genetics privacy policy for several years. In 2005, a landmark research endeavor pushed the issue front and center. IBM and the National Geographic Society embarked on a project to gather the world’s largest collection of human genetic samples in an effort to map human migratory history, and IBMers were encouraged to participate.

IBM Chief Privacy Officer, Vice President and Security Counsel Harriet Pearson remembers the response vividly. “A lot of questions and concerns from employees began appearing in my inbox, along the lines of, ‘You’re asking us to take a cheek swab—what are you going to do with the DNA?’” she recalls. “That really prompted a conversation as we began to consider the societal-level implications of the project.”

Research on developments outside of IBM showed that employee desire for reassurance was well founded. While national legislation and government-provided healthcare shielded many workers in developed economies throughout Europe and Asia from genetic discrimination, disturbing stories had begun to emerge in the US and Australia. Individuals there were reportedly being treated differently after they were found to be carriers of genetic markers that indicated heightened risk for costly diseases.

Such discrimination clearly harmed individuals—but it also had broader societal implications. If genetic data and medical histories could not be shared safely, many of the life-saving advances being pursued in medicine—and the promise held out by genetic testing and other innovations in the emerging field of personalized medicine—might be thwarted.

To IBM, this wasn’t simply a practical problem to be managed. It was a matter of values and policy. The company pledged that employees’ genetic data—if such data were ever to be shared with the company—would be handled with a high degree of security and respect for privacy, and would not factor into hiring decisions or eligibility for foundational health insurance. The global policy, a first among corporations, also predated US federal legislation protecting all Americans from genetic discrimination in the workplace, which wouldn’t arrive for another three years. In 2007, Pearson, the architect of IBM’s policy, testified before the US Congress, helping to push the Genetic Information Nondiscrimination Act, or GINA, into law on May 21, 2008.

IBM’s first foray into issues of privacy had taken place decades earlier, and, like the genetic privacy policy, also had its genesis in an employee inquiry. In the mid-1960s an IBMer asked to see his personnel file, an unusual request that ended up on the desk of Thomas Watson Jr. He granted the request, essentially creating IBM’s first privacy policy by simultaneously sending off a memo to the company’s managers that all employees were to be granted access to their own personnel files.

Data privacy concerns among the general public had intensified throughout the late 1960s as computers—and their swelling databases of information—became ubiquitous. In the early 1970s, under the leadership of CEO Frank Cary, IBM adopted a set of privacy guidelines aimed at preventing the collection of unnecessary personal data about its employees, a pioneering stance highlighted in a 1976 Harvard Business Review interview with Cary. In the 1980s, the company led efforts to enact medical privacy and electronic communications privacy laws.

In the decades since, IBM has publicly championed personal privacy protection, using its size and influence to drive policies and practices that help protect individuals in an increasingly information-rich world. It was one of the first corporations to post an online privacy policy disclosing what information it collects about virtual visitors, and in 1999 became the first company to adopt a policy to buy online advertising only from websites with visible online privacy statements—a move followed within months by other companies.

The reason data privacy protection must become stronger is that the radically freer flow of data around the world—inherent in the shift to more open economies and societies—is not just inevitable, it’s also vital to economic growth and societal progress. This is why IBM has supported simplified cross-border data flows though its involvement with Asia-Pacific Economic Cooperation and other intergovernmental groups throughout the world. At the same time, it also helped found TRUSTe, an independent Internet privacy services provider that helps businesses promote online safety and trust, and guides consumers to privacy-protecting sites.

In a move that revealed how essential privacy issues had become to its business operations, in 2000 IBM became the first Fortune 1000 company to create the position of chief privacy officer, appointing Pearson to the role. Pearson helped launch IBM’s social computing guidelines in 2005, an evolving body of guidance designed to help IBMers navigate—with privacy awareness—the burgeoning array of social media in a Web 2.0 world. The guidelines document, one of the first of its kind published by a large company, is accessible to the public through IBM’s website.

Today, IBM continues to engage with government, industry and others to help shape global privacy initiatives that can increase consumer trust, ease the secure worldwide flow of data and create privacy-enabling technologies. It is also a leader in developing privacy-and-security-protecting technologies, such as IBMer Craig Gentry’s fully homomorphic encryption breakthrough, which makes possible the deep and unlimited analysis of encrypted information—data that has been intentionally scrambled—without sacrificing encryption protections. The company understands that without security and privacy built by design into the fabric of our organizations and societies, we will not realize the full potential of electronic healthcare, online commerce, smart energy grids and other digital systems that power more and more aspects of our lives.


Selected team members who contributed to this Icon of Progress:

  • Caroline Kovac Retired General Manager, IBM Healthcare and Life Sciences
  • Harriet Pearson Vice President, Security Counsel and Chief Privacy Officer
  • Martin Sepulveda IBM Fellow and Vice President, Integrated Health Services, Human Resources