National DNA database systems
43.1 As of February 2003, the Commonwealth had established three DNA databases for law enforcement purposes. The National Criminal Investigation DNA Database (NCIDD system) was established in June 2001 to facilitate intra-jurisdictional matching of DNA profiles, and inter-jurisdictional matching of profiles between participating jurisdictions, for law enforcement purposes. The Disaster Victim Identification database (DVI Database) was established in October 2002 to identify the victims of the terrorist bombings in Bali, Indonesia, and other similar overseas incidents. Finally, the Australian Federal Police (AFP) operates its own DNA database for law enforcement purposes.
43.2 The CrimTrac Agency operates the NCIDD system and the DVI Database pursuant to Part 1D of the Crimes Act 1914 (Cth) (Crimes Act). CrimTrac is an executive agency of the Commonwealth Government, established as a national law enforcement information system for Australia’s police services. The agency is underpinned by an inter-governmental agreement, signed by all of the Australian police ministers.
Regulation of DNA database systems
Crimes Act provisions
43.3 Part 1D of the Crimes Act regulates the use, storage, disclosure and removal of information held on a DNA database system. A ‘DNA database system’ is a database containing specified indexes of DNA profiles and information that may be used to identify the person from whose forensic material each DNA profile was derived.
43.4 Part 1D of the Crimes Act contains the following provisions for the use, storage and disclosure of information on a DNA database system:
a list of permitted purposes for which a person may access information stored on the DNA database system, and an offence where a person accesses the information other than as permitted;
a list of permitted purposes for which a person may disclose information stored on the DNA database system, and an offence where a person recklessly or intentionally discloses the information other than as permitted;
a table of permitted index matching, and an offence if a person recklessly or intentionally causes matching that is not permitted;
offences where a person recklessly or intentionally causes any identifying information about a person obtained from forensic material to be recorded or retained in a DNA database system after the forensic material is required to be destroyed;
a provision permitting the Minister to enter into arrangements with Ministers of participating jurisdictions for the sharing of information from a DNA database system for the purpose of the investigation of, or proceedings in respect of, an offence; and
provisions permitting access to, and disclosure of, information held on a DNA database system in relation to ‘incidents’ occurring outside Australia.
43.5 The Inquiry considers it likely that DNA profiles are covered by the Privacy Act 1988 (Cth) (Privacy Act). A DNA profile contains a set of numbers and a sex gene which, when combined with information held by the forensic laboratory, is capable of identifying the individual from whom the profile was obtained. As such, the Inquiry considers that DNA profiles fall within the definition of ‘personal information’, being information about an individual whose identity can reasonably be ascertained from the information.
43.6 Therefore, the Information Privacy Principles (IPPs) would apply to those DNA profiles held by AFP forensic laboratories and stored on a DNA database system; and the AFP and CrimTrac generally must comply with the IPPs regarding the storage and security, use and disclosure of, and access to, these profiles. The federal Privacy Commissioner reviews agencies’ compliance with the IPPs. Alternatively, the National Privacy Principles would apply to profiles held by independent forensic laboratories. Relevant state and territory privacy legislation may apply to any profiles held by state and territory health departments or forensic laboratories, or on state or territory operated DNA databases.
43.7 Finally, the National Association of Testing Authorities, Australia (NATA) accreditation requirements for forensic science include provisions addressing the information security of forensic material received and analysed by the laboratory. In practice, the confidentiality of information held in computerised files would be protected by the use of security clearances, passwords, and audit trails.
 Agreement for the Establishment and Operation of ‘CrimTrac’, A National Law Enforcement Information System for Australia’s Police Services, 13 July 2000, <www.crimtrac.gov.au/misc/ct_agreement.PDF>, 20 February 2003.
 Crimes Act 1914 (Cth) s 23YDAC.
 Ibid s 23YDAE.
 Ibid s 23YO.
 Ibid s 23YDAF.
 Ibid s 23YDAG.
 Ibid s 23YUD.
 Ibid ss 23YUG, 23YUI. See Ch 42 for more detail.
 See Privacy Act 1988 (Cth) s 6(1).
 However, the IPPs contain exceptions in relation to law enforcement, and in some circumstances these may apply.
 See National Association of Testing Authorities (Australia), AS ISO/IEC 17025: 1999 Australian Standard: General Requirements for the Competence of Testing and Calibration Laboratories (1999), NATA, Sydney; National Association of Testing Authorities Australia, ISO/IEC 17025 Application Document: Supplementary Requirements for Accreditation in the Field of Forensic Science (2000), National Association of Testing Authorities, Australia.