1 International Symposium on National Databank Systems Auckland, May 2004 DNA DATABANKS: SOME PRIVACY CONSIDERATIONS Blair Stewart Assistant Privacy Commissioner

2 Abstract Using internationally recognised data privacy principles as a frame of reference, the presentation will consider privacy and data protection issues associated with the establishment and operation of a forensic DNA databank. Reference will be made to two NZ statutes: the Privacy Act 1993 and the Criminal Investigations (Bodily Samples) Act Domestic law will be used to illustrate protections for privacy, balances struck between privacy and other competing public interests, and remaining issues and dilemmas.

3 Many Issues: Discussion of just a few The recent 1158 page Australian Law Reform Commission report Essentially Yours: the protection of human genetic information in Australia devoted 168 pages to law enforcement and evidence issues. Much of the report concerned information privacy issues: the collection, holding, use and disclosure of genetic information. This presentation touches upon just a few.

4 Abbreviations CI(BS)A – Criminal Investigation (Bodily Samples) Act Ipps – Information Privacy Principles (Privacy Act 1993, s.6) OECD – Organisation of Economic Cooperation and Development

5 OECD Principles The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) represent a fairly universally accepted set of information privacy principles. The 8 principles of national application will be used as a basis for discussion.

6 OECD Principles (Summary) Collection limitation principle Data quality principle Purpose specification principle Use limitation principle Security safeguards principle Openness principle Individual participation principle Accountability principle

7 Collection Limitation Principle There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

8 Collection Limitation Principle (Comment) Need for clear limits in law as to what is to be collected and added to databank Collection must be by lawful means (e.g. consider governing legislation, civil and human rights, no unlawful coercion etc) Collection must be by fair means (e.g. no subterfuge) Usually with knowledge and consent of the data subject (issues may differ between investigation as against maintaining databank)

9 Collection Limitation Principle (NZ law and practice) Criminal Investigations (Bodily Samples) Act 1995: s.26: limits information that may be kept on profile databank Part 3: detailed processes for collection of bodily samples and associated information whether voluntarily or pursuant to court order or compulsion notice ss.36 and 37: rights to withdraw consent Samples may not be added to the databank except pursuant to the statutory processes Special care to ensure individuals are made aware of their statutory rights, additional protections for young people

10 OECD Data Quality Principle Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date

11 Data Quality Principle (Comment #1) Relevance to the purposes: Why is a particular person’s profile on the databank? Is there a direct nexus to a legitimate law enforcement function in a free society? Does all of personal data held meet the relevance test? (details appropriately on an investigation file may be inappropriate on the databank)

12 Data Quality Principle (Comment #2) Accuracy: Stringent standards for collection processes, chain of custody of sample, avoiding contamination, security of database, laboratory performance, alternative explanations for a match Personal data associated with the profile e.g: identification details are critical Completeness: will information held mislead if not coupled with further details? (e.g. if a criminal is known to have engaged in “identity theft” or “identity takeover”, how to avoid taking action against the wrong individual in case of a match?)

13 Data Quality Principle (Comment #3) Kept up to date: Policies needed on questions such as the death of an individual, withdrawal of consent, records of juveniles, acquittal of suspects or overturning of convictions, clean slate legislation Police records in relation to personal information associated with the profile may be updated: should they also be updated in the databank?

14 Data Quality Principle (NZ law and practice) Privacy Act ipp 8: accuracy etc of personal information to be checked before use CI(BS)A, s.71: information stored on DNA profile databank not admissible in criminal proceedings (i.e the databank an investigative tool but best evidence to be obtained for presentation in court) See Eichelbaum and Scott, Report on DNA Anomalies (1999), Auckland concerning laboratory contamination

15 Purpose Specification Principle The purposes for which personal data are collected should be specified not later that at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

16 Purpose Specification Principle (Comment) A State’s reason for establishing, maintaining and using a DNA databank should be transparent. The purpose for placing samples on the databank should be given before people are asked or compelled to add their samples New purposes should not be introduced arbitrarily When stored samples or information no longer serve a purpose they should be destroyed or rendered anonymous

17 Purpose Specification Principle (NZ law and practice) IPP1: Purpose of collection of personal information (see also ipps 9, 10 and 11) CI(BS)A s.27: the DNA profile databank may generally only be accessed, and information disclosed, for one purpose: “the purpose of forensic comparison in the course of a criminal investigation by the Police” CI(BS)A s.28: access to, and use of, blood samples limited to the purpose of deriving a DNA profile for storage on the DNA profile databank CI(BS)A s.60: Blood samples required to be destroyed after 12 months

18 Use Limitation Principle Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the purpose specification principle] except: (a) with the consent of the data subject; or (b) by the authority of law

19 Use Limitation Principle (Comment) Samples and databank information should only be made available or used for the purposes specified Some change of purpose may be justified by law (the legislature is supreme but has a process that involves democratic accountability, transparency and adherence to rule of law)

20 Use Limitation Principle (NZ law and practice) In addition to the primary purpose of forensic comparison, the NZ law anticipates the use of DNA databank information in 2 limited circumstances: –for the purpose of making the information available to the individual concerned in accordance with a subject access request under the Privacy Act –for the purpose of administering DNA profile databank CI(BS)A s.27(2): permissible to use information that does not identify a person (e.g. for research purposes) if this otherwise complies with law and has the agreement of the databank custodian

21 Security Safeguards Principle Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data

22 Security Safeguards Principle (Comment) Security and privacy issues are not identical. However, limitations on data use and disclosure should be reinforced by security safeguards. Such safeguards may include physical measures (e.g. locked doors), organisational measures (such as authority levels, staff training) and informational measures (such as encryption, threat monitoring) Security safeguards contribute not only to privacy protection but also the forensic rationale of the databank (such as the avoidance of tampering, the loss of data etc)

23 Security Safeguards Principle (NZ law and practice) IPP5: Storage and security of personal information CI(BS)A s.77: Offence to knowingly falsify a DNA profile stored on a databank, unauthorised addition to or deletion from a databank of any information, to attempt to gain access to or disclose information from a DNA databank or similarly to gain access to or use a blood sample

24 Openness Principle There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

25 Openness Principle (Comment) No secret databases: while the content of the database must necessarily be very secure and not accessible to unauthorised persons, there should be a transparency about the fact that a database is maintained, the rules that control it and the practices that are followed

26 Openness Principle (NZ law and practice) IPP3: Collection of information from individual CI(BS)A s.76: Databank reports are required to be included in the NZ Police annual report Under the Crown Research Institutes Act 1992, ESR is required to publish annual report, other details on its website

27 Individual Participation Principle An individual should have the right: (a)To obtain from a data controller … confirmation of whether or not the data controller has data relating to him; (b)To have communicated to him, data relating to him i.Within a reasonable time; ii.At a charge, if any, that is not excessive; iii.In a reasonable manner; and iv.In a form that is readily intelligible to him; (c)To be given reasons if a request under … (a) and (b) is denied, and to be able to challenge such denial; and (d)To challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

28 Individual Participation Principle (Comment) The right of individuals to access and challenge personal data held about them is a fundamental privacy protection

29 Individual Participation Principle (NZ law and practice) IPP6: Access to personal information IPP7: Correction of personal information CI(BS)A s.27(1)(b): access may be given to the databank “for the purpose of making the information available, in accordance with the Privacy Act, to the person to whom the information relates”

30 Accountability Principle A data controller should be accountable for complying with measures which give effect to the principles stated above

31 Accountability Principle (Comment) There is more to privacy protection than setting rules: must be measures to ensure such rules are met, primary responsibility lies with the data controller The OECD notes that the data controller should not be relieved of its obligations merely because the processing of data is carried out on its behalf by another party, such as a service bureau (on the other hand, the OECD Guidelines do not prevent service bureau and others being held accountable): sanctions against breaches may be directed against all parties entrusted with the handling of personal information (e.g. both a law enforcement authority and a body maintaining a DNA databank)

32 Accountability Principle (NZ law and practice) Privacy Act 1993: can be enforced by complaint, and if need be civil proceedings, against both the Police and the agency maintaining the DNA databank (ESR) CI(BS)A s.27(3): nothing in this section limits the jurisdiction of the Privacy Commissioner to investigate any complaint CI(BS)A s.77: offences Privacy Commissioner is an independent statutory body with powers to investigate complaints. In addition, NZ has various accountability mechanisms such as the Auditor General, Ombudsmen and Human Rights Commission. In particular cases, the government might set up special inquiries (e.g. Eichelbaum and Scott)

33 Some Additional Issues Not Yet Addressed in NZ New South Wales has an “innocence panel” whereby prisoners may call upon State resources for DNA testing Cross-border matching of samples with DNA databanks: the CI(BS)A does not provide for that nor address the many issues that might arise, yet one knows that criminals may cross borders after committing offences Were international databanks to be created, there would need to be careful attention to rule setting, oversight and accountability mechanisms Clean slate arrangements

34 Internet Resources Australian Law Reform Commission’s Essentially Yours report ports/96 ports/96 NZ Privacy Commissioner ESR NZ Police annual reports ort ort