Oversight of DNA database systems

Oversight of the CrimTrac agency

43.41 As noted above, the CrimTrac agency operates the NCIDD system and the DVI Database pursuant to Part 1D of the Crimes Act. The Australasian Police Ministers’ Council (APMC) is responsible for defining CrimTrac’s strategic directions and key policies, setting new initiatives, and appointing members to CrimTrac’s Board of Management.

43.42 CrimTrac’s operation of the NCIDD system is overseen by the CrimTrac User Advisory Group (UAG), which reports to the CrimTrac Board of Management. The UAG comprises senior police representatives, senior forensic laboratory managers, a representative from the National Institute of Forensic Science, a user representative representing the Biology Special Advisory Group of SMANZFL,[39] and a CrimTrac representative. The CrimTrac Board of Management comprises a representative of the Commonwealth, several State and Territory Police Commissioners and several specialist advisers.[40] The Chief Executive Officer reports to the federal Minister for Justice and Customs.

Federal Privacy Commissioner

43.43 As a Commonwealth agency, CrimTrac is bound by the IPPs in the Privacy Act in relation to any ‘personal information’ that it holds. The federal Privacy Commissioner has the power to investigate acts or practices of an agency that may breach an IPP in relation to personal information; and the Commissioner can also audit CrimTrac’s compliance with the IPPs.[41]

43.44 CrimTrac advised the Inquiry that, in its view, the information held on the NCIDD system does not fall within the definition of ‘personal information’ for the purposes of the Privacy Act, because the information is held in a de-identified form.[42] However, Privacy NSW commented that:

The current position of CrimTrac is that no personal information is held on the National DNA database and, because Crimtrac staff have no access to the identifying links, the database is therefore not subject to Privacy legislation. While this position may be technically correct at a given point in time, it could easily break down if illegitimate use is made of the database, or new uses arise, for instance a matching proposal arising out of a terrorist incident like the Bali bombing.[43]

43.45 The Inquiry considers that information held on the NCIDD system (and other DNA database systems) would fall within the definition of ‘personal information’ under the Privacy Act. CrimTrac has advised the Inquiry that the data uploaded into the system generally consists of a DNA profile, a sample number, a case identifier, and the relevant jurisdiction.[44] While this information does not directly identify the person to whom the profile belongs, the laboratory that uploaded the profile is able to re-identify it. The information held by CrimTrac is information about an individual whose identity can reasonably be ascertained from it—therefore, it should be regarded as ‘personal information’ for the purposes of the Privacy Act.

Commonwealth Ombudsman

43.46 The Commonwealth Ombudsman has the power to investigate complaints about the administrative actions and decisions of Commonwealth departments and authorities. The Ombudsman also can initiate investigations on his or her own motion.[45] This provides a level of independent oversight of CrimTrac’s activities in operating a DNA database system.

Statutory independent review

43.47 The Crimes Act provides for an independent review of the operation of Part 1D as soon as possible after June 2002.[46] The independent review committee was chaired by Mr Tom Sherman AO (Sherman review), and included nominees of both the Commonwealth Ombudsman and the federal Privacy Commissioner.[47] As of March 2003, the report had not yet been tabled. If the report identifies inadequacies in respect of its review, a further independent review must be undertaken within two years of the tabling of the first report.[48]

Oversight in participating jurisdictions

43.48 As noted in Chapter 7, some States and Territories have implemented information or health privacy legislation applicable to the handling of genetic information. This legislation applies privacy principles similar to those in the Privacy Act to ‘personal information’.[49] Most States and Territories also have established ombudsmen to investigate complaints into the activities of a government department, agency and police service within that jurisdiction.[50]

43.49 In practice, where genetic samples or profiles have been mishandled, the person to whom the information relates could make a complaint to that jurisdiction’s Privacy Commissioner (where one exists), or the Ombudsman. However, that official may only investigate complaints regarding activities within that particular state or territory jurisdiction, rather than complaints crossing jurisdictional boundaries.

Oversight in overseas jurisdictions

43.50 Overseas jurisdictions have approached the operation and oversight of their DNA databases differently. In Britain, the National DNA Database is operated by the Forensic Science Service (FSS) under a Memorandum of Understanding with the Association of Chief Police Officers (ACPO), and with the support of the Home Office. The FSS also supplies profiles for the DNA database. The FSS Chief Executive and the ACPO DNA representative jointly chair the National DNA Database Board.[51]

43.51 The United Kingdom’s Human Genetics Commission (HGC) has commented that in order to increase public confidence in the National DNA Database and the sample and profiling operations, there is a need for broader and more independent representation, and more openness about future plans. The HGC suggested several possible ways to achieve this and recommended that, at the very least, the Home Office and the ACPO establish an independent body (which should include lay membership) to oversee the work of the National DNA Database custodian and the profile suppliers.[52]

43.52 In the United States, the Federal Bureau of Investigation (FBI) operates the national Combined DNA Index System (CODIS) database, with an external public advisory committee that includes ethicists and a Supreme Court judge.[53] In 2001, the Department of Justice’s Office of the Inspector-General conducted an audit of the CODIS system. This involved reviewing documentation at FBI headquarters and at the National Institute of Justice, and conducting audits at eight CODIS-participating laboratories.[54] Prior to that audit, the CODIS-participating laboratories were required to undergo an annual audit to determine if they were in compliance with the FBI’s quality assurance standards, as well as to undergo biennial audits by outside agencies representing an accreditation or certification agency.[55]

43.53 In Canada, the Royal Canadian Mounted Police operates the national DNA Data Bank, with an advisory committee that includes specialists in policing, science, genetics, medical ethics and law, and a representative of the Privacy Commissioner of Canada.[56] The DNA Data Bank is also subject to external oversight by the Privacy Commissioner.

Issues and problems

43.54 Chapter 40 outlines the privacy concerns regarding the sharing of genetic samples and profiles between the Australian jurisdictions for law enforcement purposes. The primary concern about such sharing of information is that the privacy and other safeguards existing in the jurisdiction in which the information was obtained could be undermined once the information has been transferred to a second jurisdiction.

43.55 Section 23YUD(2) of the Crimes Act provides that, where information is transferred between the Commonwealth and another jurisdiction, the information must not be recorded or maintained in a database in an identifiable form after it is required to be destroyed in the original jurisdiction. However, it would be difficult to determine whether the information has been unlawfully retained if the second jurisdiction has inadequate oversight mechanisms.

43.56 The Commonwealth Ombudsman provides oversight of CrimTrac in its administration of the DNA database systems. As noted above, the federal Privacy Commissioner may have a more limited oversight role. However, once the Commonwealth has transferred information to a state or territory jurisdiction, federal oversight mechanisms generally will not extend to the handling of that information within the second jurisdiction.

The need for independent oversight

43.57 The Senate Legal and Constitutional Legislation Committee commented on the limited provision for independent monitoring of the database, the privacy aspects of the legislation, and the laboratories which process the samples for the NCIDD system, in its report on the Crimes Amendment (Forensic Procedures) Bill 2001 (Cth).[57] The Committee recommended

an expansion of the role of the Federal Privacy Commissioner to include: oversight of the processes governing the retention of material on the DNA database; provisions for its destruction; oversight of the functioning of the new DNA database within the laboratory; and the operation of the database under the Bill.[58]

43.58 During the second reading debate for the bill, the Minister for Justice and Customs, Senator Chris Ellison, recognised the desirability of ensuring the effective oversight of the overall operation of the NCIDD system:

Some serious issues have been raised in relation to the oversight of the national DNA database system. In addition to extending the legislation to include the Privacy Commission and the statutory review of Commonwealth forensic procedures, I have written to state and territory ministers with a view to getting agreement on cooperation between Commonwealth, state and territory bodies to ensure there is effective oversight of not only the operation of a DNA system within each jurisdiction but also the overall operation of the national system. This is best achieved by including formal independent monitoring mechanisms in the CrimTrac agreement with the states.[59]

43.59 However, the Inquiry understands that APMC subsequently resolved not to support the imposition of additional accountability arrangements in relation to the operation of the NCIDD system.

Submissions and consultations

43.60 DP 66 proposed that forensic procedures legislation should be amended to provide for independent, coordinated and nationally consistent monitoring of the operation of the entire national DNA database, and in particular the interaction of the forensic procedures regimes operating in each jurisdiction that participates in the national DNA database system.[60]

43.61 Several submissions and consultations supported the proposal.[61] The Human Genetics Society of Australasia submitted that the proposal would assist in increasing public confidence in the quality of the operation of the database.[62]

43.62 In its submission to the Sherman review, the Australian Privacy Foundation submitted that

[a]ccountability arrangements featured prominently in the parliamentary debates and committee inquiries on the Bill in 1999. The then Minister gave certain assurances which do not all appear to have been implemented—particularly those involving inter-jurisdictional agreements on oversight and accountability. It is not good enough in matters that impinge on rights and liberties to simply accept the difficulty of achieving inter-governmental co-operation. In our view, until adequate oversight and accountability arrangements were in place, the DNA testing regimes and database should not have been allowed to ‘go live’.[63]

43.63 The Office of the Victorian Privacy Commissioner urged the Inquiry to address this issue as a priority, commenting that:

The overall effect of the arrangements is that while control of CrimTrac is centralised, accountability for it is dispersed. It is mostly spread among various ombudsmen and privacy commissioners, where they have appropriate jurisdiction …

In view of the interjurisdictional nature of the scheme it is vital that we have arrangements that ensure that the oversight function is like the system itself: interconnected and properly coordinated. These arrangements must also ensure that complaints can be investigated easily without jurisdictional barriers becoming a problem …[64]

43.64 The Office of the Victorian Privacy Commissioner noted that neither the Commonwealth nor any one participating State or Territory can adopt and enforce a role as independent auditor of the collection and handling of the data held on the NCIDD system. The submission urged that at a minimum, the accountability measures for the NCIDD system should address:

a. clear, uniform, purpose-built statutory basis for the broader CrimTrac system, to be adopted by each participating jurisdiction;
b. independent audit, investigation and complaints-handling mechanisms with appropriate powers and a duty to report directly to Parliaments;
c. provision for redress;
d. sanctions against misuse;
e. provision for mandatory annual reporting, in a uniform fashion, by all participating jurisdictions, and by the National DNA Database administered by CrimTrac, as relevant …[65]

43.65 The OFPC commented that legislative arrangements for the nationally coordinated, independent and objective monitoring and oversight of the entire DNA forensic procedures system will be fundamental to assuring the public that there are privacy and accountability safeguards for the system.

No less important will be a seamless, transparent national framework for complaints-handling, audits and investigations. It will be critical that an individual complainant does not ‘slip between the cracks’, simply because their DNA profile has passed from one jurisdiction to another, with the attendant risks of breaches of privacy in the profile’s passage between jurisdictions. The audit and investigation functions should command a high level of independent analytical resources, capable of responding to the development in the forensic applications of DNA technology.

… the goal of complete uniformity of forensic procedures legislation may be some years away. Hence it may be advisable, at this stage, to use the existing mechanisms in a more strategic fashion. For example, the Ombudsman, Privacy Commissioners and auditors in each jurisdiction could work together to develop and agree upon reporting, auditing and complaint-handling mechanisms. The mechanisms can be designed to meet the imperatives of effective oversight and accountability. In the event of any further review of Part 1D, the success or otherwise of these measures could be evaluated. This would ensure that any inadequacies within the system can be identified and remedied by effective measures.[66]

43.66 The OFPC noted that Part VIII of the Telecommunications (Interception) Act 1979 (Cth) provides for the Commonwealth Ombudsman to inspect the AFP records at least twice a year to ensure compliance with legislative requirements for the retention and destruction of interception records:

The similarities in privacy intrusiveness between the investigative tools for telecommunications interception and the taking of forensic DNA samples, indicates that as independent oversight operates successfully for the former, it is surely similarly appropriate for the latter.[67]

43.67 The Law Institute of Victoria agreed that the operation of the entire national DNA database must be coordinated and monitored independently.

In particular, there must be independent monitoring of the interaction of the forensic procedures regimes operating in each jurisdiction that participates in the national DNA database system. This is particularly important while jurisdictional inconsistencies exist, as seems likely.

The standards to which such monitoring and coordination occur must be open to public scrutiny and must be reviewed and upgraded on a regular basis, to maintain pace with the rapidly developing law and science in relation to DNA testing. We understand that the Federal Privacy Commissioner has oversight of all aspects of the DNA database which fall within that Commissioner’s jurisdiction. It is recommended that similar oversight capacity should be given to State privacy commissioners, either jointly or independently.[68]

43.68 By contrast, several submissions considered that such monitoring should be a matter for each state and territory jurisdiction.[69] For example, the New South Wales Police Service commented:

This proposal has already been raised in a number of forums, including the 41st Meeting of the Australasian Police Ministers’ Council, and is not supported.

NSW Police believe that within NSW there are already ample monitoring/auditing systems (and complaint handling mechanisms) in place and that such systems are open and transparent. In the circumstances, it is the opinion of NSW Police that no further systems need to be put in place to monitor the operation of the NSW legislation. It is also considered that the standardisation of monitoring/auditing systems across jurisdictions is neither viable nor warranted.[70]

Inquiry’s views

43.69 When DP 66 was published, the NCIDD system was the only national DNA database operating pursuant to Part 1D of the Crimes Act. As the DVI Database has subsequently been established, the discussion below refers to oversight of these DNA database systems generally, rather than the NCIDD system only.

43.70 Many of the submissions acknowledged the need for greater oversight of the national DNA database system. Several of these highlighted the need for nationally co-ordinated, independent oversight in the form of ongoing monitoring and auditing of the information held by CrimTrac and by each jurisdiction.

43.71 As noted above, the Minister for Justice and Customs has recognised the desirability of ensuring the effective oversight of the national operation of the NCIDD system. The Minister suggested that this would be best achieved by including formal independent monitoring mechanisms in the CrimTrac agreement. CrimTrac has advised the Inquiry that it will enter into a Memorandum of Understanding (MOU) with each jurisdiction participating in the NCIDD system. A standard form has been drafted.

43.72 The Inquiry has not seen an official version of the draft MOU, and therefore cannot comment on its contents. In any case, the Inquiry has some reservations about this approach. First, an MOU is not a legally enforceable agreement. Second, the Inquiry considers that the public interest in ensuring the operation of transparent and accountable DNA database systems requires that any oversight must be independent of the organisations operating or using them, and must be publicly accountable.

43.73 The Inquiry noted above that several comparable overseas jurisdictions have provided for some measure of independent oversight of their DNA databases. For example, the FBI’s operation of the CODIS database in the United States is subject to an external advisory committee including ethicists and a Supreme Court judge, and has been subjected to an audit by the independent Inspector-General of the Department of Justice.

43.74 First, the Inquiry recommends that CrimTrac’s board of management should include independent members, such as nominees of the Office of the Federal Privacy Commissioner and the Commonwealth Ombudsman, legal academics and ethicists. While the operation of DNA database systems is only one of CrimTrac’s responsibilities, the Inquiry considers that the public interest in ensuring a transparent, accountable database system requires such representation on its board.

43.75 Second, the operation of DNA database systems should be subject to ongoing monitoring by an independent body. This process should involve the auditing of CrimTrac and the forensic laboratories participating in a DNA database system to ensure that, for example, only permitted DNA profiles are uploaded on to these systems, profiles are uploaded into the correct indexes, and destruction dates are adequately managed in the jurisdiction in which the material was obtained and any jurisdictions to which it has been transferred. The Commonwealth Ombudsman or another independent body could carry out this auditing function. In the interests of transparency, the audit report should be made publicly available—for example, by requiring its tabling in Parliament.

43.76 Finally, the Inquiry recommends that the Australian Federal Police, in its annual report to Parliament, provide information on the number and category of samples obtained pursuant to Part 1D of the Crimes Act in that year; the authority under which these samples were obtained; and compliance with the required destruction dates for those samples and profiles.

Recommendation 43–3 The Commonwealth should expand CrimTrac’s board of management to include independent members, such as nominees of the Office of the Federal Privacy Commissioner and the Commonwealth Ombudsman, legal academics and ethicists.

Recommendation 43–4 The Commonwealth should amend the Crimes Act to provide for a periodic audit, by an independent body, of the operation of all DNA database systems operating pursuant to the Act. The audit should include the forensic laboratories participating in the DNA database system and the audit report should be made publicly available.

Recommendation 43–5 In its annual report to Parliament, the Australian Federal Police should provide information on the number and category of samples obtained pursuant to Part 1D of the Crimes Act in that year; the authority under which these samples were obtained; and compliance with the required destruction dates for those samples and profiles.

[39] The Senior Managers of Australian and New Zealand Forensic Laboratories.

[40] As of February 2003, the Commonwealth nominee was a senior officer of the Attorney-General’s Department; State and Territory nominees were the Police Commissioners of Tasmania, Western Australia, Victoria and New South Wales: CrimTrac, CrimTrac: About Us, <www.crimtrac.gov.au/aboutus.htm>, 19 February 2003.

[41] See Privacy Act 1988 (Cth) s 27(1).

[42] CrimTrac, Consultation, Canberra, 7 November 2002.

[43] Office of the Privacy Commissioner (NSW), Submission G257, 20 December 2002.

[44] CrimTrac, Consultation, Canberra, 23 August 2001. In some cases the destruction date is also included, as well as the minimum and maximum number of loci that must match before a ‘match’ is reported.

[45] See Ombudsman Act 1976 (Cth) s 5(1).

[46] In addition, an independent review of the operation of the newly inserted Div 11A must be undertaken as soon as possible after October 2003: Crimes Act 1914 (Cth) s 23YUK.

[47] Ibid s 23YV(4).

[48] Ibid s 23YV(5).

[49] For example, Privacy and Personal Information Protection Act 1998 (NSW); Health Records Act 2001 (Vic); Information Privacy Act 2000 (Vic); Health Records (Privacy and Access) Act 1997 (ACT).

[50] For example, Ombudsman Act 1989 (ACT); Ombudsman Act 1974 (NSW); Ombudsman (Northern Territory) Act; Ombudsman Act 2001 (Qld); Ombudsman Act 1972 (SA); Ombudsman Act 1978 (Tas); Ombudsman Act 1973 (Vic).

[51] Human Genetics Commission, Inside Information: Balancing Interests in the Use of Personal Genetic Data (2002), London, 152.

[52] Ibid, 153.

[53] Ibid.

[54] The audit report concluded that the FBI needed to improve its oversight of CODIS-participating laboratories to ensure they were in compliance with the legislation, the FBI’s quality assurance standards and the FBI requirements for laboratories participating in the national index; and that the FBI needed to initiate procedures to ensure that DNA profiles in CODIS are complete, accurate, and allowable: Federal Bureau of Investigation, National DNA Index System, United States, <www.fbi.gov/hq/lab/codis/national.htm>, 1 March 2003, Executive Summary, iii–iv.

[55] Office of the Inspector General, Audit Report: The Combined DNA Index System (2001), Department of Justice, Washington, ii.

[56] Solicitor General Lawrence Macaulay Announces DNA Data Bank Advisory Committee, Press Release, 28 September 2000.

[57] The Crimes Amendment (Forensic Procedures) Bill 2001 (Cth) was based on the Model Bill provisions.

[58] Senate Legal and Constitutional Legislation Committee, Inquiry into Provisions of the Crimes Amendment (Forensic Procedures) Bill 2000 (2000), Canberra, Rec 4.

[59] Cited in Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[60] Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, DP 66 (2002), ALRC, Sydney, Proposal 36–13.

[61] Institute of Actuaries of Australia, Submission G224, 29 November 2002; Office of the Privacy Commissioner (NSW), Submission G257, 20 December 2002; Centre for Genetics Education, Submission G232, 18 December 2002; Centre for Law and Genetics, Submission G255, 21 December 2002; Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003.

[62] Human Genetics Society of Australasia, Submission G267, 20 December 2002.

[63] Australian Privacy Foundation, Submission to the Independent Review of Part 1D (Forensic Procedures) of the Crimes Act 1914 (Cth).

[64] Office of the Victorian Privacy Commissioner, Submission G266, 20 December 2002.

[65] Victoria Police, Submission G203, 29 November 2002.

[66] Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003.

[67] Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002.

[68] Law Institute of Victoria, Submission G275, 19 December 2002.

[69] Victoria Police, Submission G203, 29 November 2002; Queensland Government, Submission G274, 18 December 2002; NSW Police Service, Submission G306, 22 January 2003.

[70] NSW Police Service, Submission G306, 22 January 2003.