International Symposium on National Databank Systems


1
International Symposium on National Databank
Systems
Auckland, May 2004
DNA DATABANKS: SOME
PRIVACY CONSIDERATIONS
Blair Stewart
Assistant Privacy Commissioner
2
Abstract
Using internationally recognised data privacy
principles as a frame of reference, the presentation
will consider privacy and data protection issues
associated with the establishment and operation of a
forensic DNA databank. Reference will be made to
two NZ statutes: the Privacy Act 1993 and the
Criminal Investigations (Bodily Samples) Act 1995.
Domestic law will be used to illustrate protections
for privacy, balances struck between privacy and
other competing public interests, and remaining
issues and dilemmas.
3
Many Issues: Discussion of just a few
The recent 1158 page Australian Law Reform
Commission report Essentially Yours: the protection of
human genetic information in Australia devoted 168 pages
to law enforcement and evidence issues. Much of
the report concerned information privacy issues: the
collection, holding, use and disclosure of genetic
information. This presentation touches upon just a
few.
4
Abbreviations
• CI(BS)A – Criminal Investigations (Bodily
Samples) Act
• IPPs – Information Privacy Principles
(Privacy Act 1993, s.6)
• OECD – Organisation of Economic
Cooperation and Development
5
OECD Principles
The OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data
(1980) represent a fairly universally accepted set of
information privacy principles.
The 8 principles of national application will be used
as a basis for discussion.
6
OECD Principles (Summary)
• Collection limitation principle
• Data quality principle
• Purpose specification principle
• Use limitation principle
• Security safeguards principle
• Openness principle
• Individual participation principle
• Accountability principle
7
Collection Limitation Principle
There should be limits to the collection of personal
data and any such data should be obtained by lawful
and fair means and, where appropriate, with the
knowledge or consent of the data subject
8
Collection Limitation Principle
(Comment)
• Need for clear limits in law as to what is to
be collected and added to databank
• Collection must be by lawful means (e.g.
consider governing legislation, civil and
human rights, no unlawful coercion etc)
• Collection must be by fair means (e.g. no
subterfuge)
• Usually with knowledge and consent of the data
subject (issues may differ between
investigation as against maintaining
databank)
9
Collection Limitation Principle
(NZ law and practice)
Criminal Investigations (Bodily Samples) Act 1995:
• s.26: limits information that may be kept on profile databank
• Part 3: detailed processes for collection of bodily samples
and associated information whether voluntarily or pursuant
to court order or compulsion notice
• ss.36 and 37: rights to withdraw consent
Samples may not be added to the databank except pursuant to
the statutory processes
Special care to ensure individuals are made aware of their
statutory rights, additional protections for young people
10
OECD Data Quality Principle
Personal data should be relevant to the purposes for
which they are to be used, and, to the extent
necessary for those purposes, should be accurate,
complete and kept up-to-date
11
Data Quality Principle (Comment #1)
Relevance to the purposes:
• Why is a particular person’s profile on the
databank? Is there a direct nexus to a legitimate
law enforcement function in a free society?
• Does all of the personal data held meet the relevance
test? (details appropriately on an investigation file
may be inappropriate on the databank)
12
Data Quality Principle (Comment #2)
Accuracy:
• Stringent standards for collection processes, chain
of custody of sample, avoiding contamination,
security of database, laboratory performance,
alternative explanations for a match
• Personal data associated with the profile, e.g.
identification details, are critical
• Completeness: will information held mislead if not
coupled with further details? (e.g. if a criminal is
known to have engaged in “identity theft” or
“identity takeover”, how to avoid taking action
against the wrong individual in case of a match?)
13
Data Quality Principle (Comment #3)
Kept up to date:
• Policies needed on questions such as the death of
an individual, withdrawal of consent, records of
juveniles, acquittal of suspects or overturning of
convictions, clean slate legislation
• Police records in relation to personal information
associated with the profile may be updated: should
they also be updated in the databank?
14
Data Quality Principle (NZ law
and practice)
• Privacy Act IPP 8: accuracy etc. of personal
information to be checked before use
• CI(BS)A, s.71: information stored on DNA profile
databank not admissible in criminal proceedings
(i.e. the databank is an investigative tool, but best
evidence is to be obtained for presentation in court)
• See Eichelbaum and Scott, Report on DNA
Anomalies (1999), Auckland concerning laboratory
contamination
15
Purpose Specification Principle
The purposes for which personal data are collected
should be specified not later than at the time of data
collection and the subsequent use limited to the
fulfilment of those purposes or such others as are
not incompatible with those purposes and as are
specified on each occasion of change of purpose
16
Purpose Specification Principle
(Comment)
• A State’s reason for establishing,
maintaining and using a DNA databank
should be transparent. The purpose for
placing samples on the databank should be
given before people are asked or compelled
to add their samples
• New purposes should not be introduced
arbitrarily
• When stored samples or information no
longer serve a purpose they should be
destroyed or rendered anonymous
17
Purpose Specification Principle
(NZ law and practice)
• IPP1: Purpose of collection of personal
information (see also ipps 9, 10 and 11)
• CI(BS)A s.27: the DNA profile databank may
generally only be accessed, and information
disclosed, for one purpose: “the purpose of
forensic comparison in the course of a criminal
investigation by the Police”
• CI(BS)A s.28: access to, and use of, blood samples
limited to the purpose of deriving a DNA profile
for storage on the DNA profile databank
• CI(BS)A s.60: Blood samples required to be
destroyed after 12 months
18
Use Limitation Principle
Personal data should not be disclosed, made
available or otherwise used for purposes other than
those specified in accordance with [the purpose
specification principle] except:
(a) with the consent of the data subject; or
(b) by the authority of law
19
Use Limitation Principle
(Comment)
• Samples and databank information should
only be made available or used for the
purposes specified
• Some change of purpose may be justified
by law (the legislature is supreme but has a
process that involves democratic
accountability, transparency and adherence
to rule of law)
20
Use Limitation Principle
(NZ law and practice)
• In addition to the primary purpose of forensic
comparison, the NZ law anticipates the use of
DNA databank information in 2 limited
circumstances:
– for the purpose of making the information available to
the individual concerned in accordance with a subject
access request under the Privacy Act
– for the purpose of administering DNA profile
databank
• CI(BS)A s.27(2): permissible to use information
that does not identify a person (e.g. for research
purposes) if this otherwise complies with law and
has the agreement of the databank custodian
21
Security Safeguards Principle
Personal data should be protected by
reasonable security safeguards against such
risks as loss or unauthorised access,
destruction, use, modification or disclosure
of data
22
Security Safeguards Principle
(Comment)
• Security and privacy issues are not identical.
However, limitations on data use and disclosure
should be reinforced by security safeguards. Such
safeguards may include physical measures (e.g.
locked doors), organisational measures (such as
authority levels, staff training) and informational
measures (such as encryption, threat monitoring)
• Security safeguards contribute not only to privacy
protection but also the forensic rationale of the
databank (such as the avoidance of tampering, the
loss of data etc)
23
Security Safeguards Principle
(NZ law and practice)
• IPP5: Storage and security of personal
information
• CI(BS)A s.77: Offence to knowingly falsify a
DNA profile stored on a databank,
unauthorised addition to or deletion from a
databank of any information, to attempt to
gain access to or disclose information from
a DNA databank or similarly to gain access
to or use a blood sample
24
Openness Principle
There should be a general policy of openness about
developments, practices and policies with respect to
personal data. Means should be readily available of
establishing the existence and nature of personal
data, and the main purposes of their use, as well as
the identity and usual residence of the data
controller.
25
Openness Principle
(Comment)
No secret databases: while the content of the
database must necessarily be very secure and
not accessible to unauthorised persons, there
should be a transparency about the fact that a
database is maintained, the rules that control it
and the practices that are followed
26
Openness Principle
(NZ law and practice)
• IPP3: Collection of information from
individual
• CI(BS)A s.76: Databank reports are required
to be included in the NZ Police annual
report
• Under the Crown Research Institutes Act
1992, ESR is required to publish an annual
report, other details on its website
27
Individual Participation Principle
An individual should have the right:
(a) To obtain from a data controller … confirmation of
whether or not the data controller has data relating to
him;
(b) To have communicated to him, data relating to him
i. Within a reasonable time;
ii. At a charge, if any, that is not excessive;
iii. In a reasonable manner; and
iv. In a form that is readily intelligible to him;
(c) To be given reasons if a request under … (a) and (b) is
denied, and to be able to challenge such denial; and
(d) To challenge data relating to him and, if the challenge is
successful to have the data erased, rectified, completed
or amended.
28
Individual Participation Principle
(Comment)
The right of individuals to access and
challenge personal data held about them is a
fundamental privacy protection
29
Individual Participation Principle
(NZ law and practice)
• IPP6: Access to personal information
• IPP7: Correction of personal information
• CI(BS)A s.27(1)(b): access may be given to
the databank “for the purpose of making
the information available, in accordance
with the Privacy Act, to the person to
whom the information relates”
30
Accountability Principle
A data controller should be accountable for
complying with measures which give effect
to the principles stated above
31
Accountability Principle
(Comment)
• There is more to privacy protection than setting rules:
there must be measures to ensure such rules are met;
primary responsibility lies with the data controller
• The OECD notes that the data controller should not
be relieved of its obligations merely because the
processing of data is carried out on its behalf by
another party, such as a service bureau (on the other
hand, the OECD Guidelines do not prevent service
bureau and others being held accountable): sanctions
against breaches may be directed against all parties
entrusted with the handling of personal information
(e.g. both a law enforcement authority and a body
maintaining a DNA databank)
32
Accountability Principle
(NZ law and practice)
• Privacy Act 1993: can be enforced by complaint, and
if need be civil proceedings, against both the Police
and the agency maintaining the DNA databank (ESR)
• CI(BS)A s.27(3): nothing in this section limits the
jurisdiction of the Privacy Commissioner to
investigate any complaint
• CI(BS)A s.77: offences
• Privacy Commissioner is an independent statutory
body with powers to investigate complaints. In
addition, NZ has various accountability mechanisms
such as the Auditor General, Ombudsmen and
Human Rights Commission. In particular cases, the
government might set up special inquiries (e.g.
Eichelbaum and Scott)
33
Some Additional Issues Not Yet
Addressed in NZ
• New South Wales has an “innocence panel”
whereby prisoners may call upon State resources
for DNA testing
• Cross-border matching of samples with DNA
databanks: the CI(BS)A does not provide for that
nor address the many issues that might arise, yet
one knows that criminals may cross borders after
committing offences
• Were international databanks to be created, there
would need to be careful attention to rule setting,
oversight and accountability mechanisms
• Clean slate arrangements
34
Internet Resources
• Australian Law Reform Commission’s
Essentially Yours report
www.austlii.edu.au/au/other/alrc/publications/reports/96
• NZ Privacy Commissioner
www.privacy.org.nz
• ESR www.esr.cri.nz/features/esr_and_dna
• NZ Police annual reports
www.police.govt.nz/resources/#annualreport