Memorandum submitted by LGC Ltd
1.1 The Select Committee has invited comment
on a broad range of issues surrounding the "Surveillance
society", following last year's report by the Information
Commissioner. This response represents the views of LGC Ltd, one
of the two main suppliers of expert forensic services to law enforcement
agencies, regarding the handling of information associated with
the operation of databases. This is primarily based around our
experiences as one of the core suppliers of DNA profiles to the
National DNA Database (NDNAD).
1.2 We recommend that, when databases are
being planned, careful attention should be paid to the design
of data flows to ensure that the data provided to individuals
or organisations is the minimum necessary to permit them to perform
their role within the overall process. In particular, only a limited
number of authorised individuals at the core of a database should
be able to link personal data to the individual concerned.
2. THE NATIONAL DNA DATABASE EXPERIENCE
2.1 There can be no doubt that the development
of the NDNAD has provided a valuable tool to underpin the work
of the police. The current system of operation embraces input
from a range of DNA processing laboratories, including private
sector laboratories, within a rigorously specified and assessed
quality structure. This approach has brought all the benefits
of competition into play, resulting in unit prices low enough
to permit the routine application of DNA technology in volume
crime and sample processing turn-round times measured in days
or hours, rather than weeks or months. The effectiveness of the
system is routinely demonstrated and is on a par with that of
the national fingerprint and palmprint system "Ident1".
As a result, the UK NDNAD is the envy of law enforcement agencies
around the world.
2.2 The systems developed to support the
operation of the NDNAD also provide a model for the development
of other databases to support UK law enforcement. The transformation
of the Home Office's DNA Expansion Programme into the Forensic
Integration Strategy reflects the move to support additional forensic
databases, such as a national footmark database, a National Ballistics
Intelligence Database (NABID) and a National Injuries Database.
2.3 However, there is operational experience
which has arisen over the life of the NDNAD which should be taken
into consideration as additional databases are developed. In particular,
there are issues surrounding the transfer and security of data
and samples where we think that appropriate design of future systems
could minimise the potential risk of inappropriate access to or
use of information.
3.1 When the NDNAD was originally established
in 1995, there was only a single authorised supplier of profiles,
the Forensic Science Service (FSS), which was at that time a Government
agency. The single supplier was unable to cope with the demand
for sample processing and backlogs rapidly built up, to the point
where turn-round times were in excess of six months. When a newly-privatised
LGC offered to invest to provide additional processing facilities
in 1996, a set of authorisation criteria for potential suppliers
of profiles was developed by the FSS, including accreditation
and proficiency testing requirements. Once LGC was able to offer
its services to police forces, the processing capacity available
expanded, turn-round times rapidly fell and the benefits of a
competitive market began to become apparent. Other suppliers have
subsequently been authorised to submit profiles to the NDNAD.
3.2 The role of "Custodian of the NDNAD"
was created to safeguard the integrity of the Database, including
setting standards for suppliers of profiles. Initially, this role
was associated with the NDNAD within the FSS but, as the status
of the FSS changed from a Government Agency to a Trading Fund
and then to a Government-owned Company, this led to increasing
tensions as other suppliers came to regard the FSS as being in
an ambiguous, and privileged, position, as they were effectively
regulating a market in which they were also competing as a service
supplier. The Custodian role has therefore been separated from
the FSS, and now sits within the newly-created National Policing
Improvement Agency (NPIA). Although the FSS continues to provide
some key supporting services to the NDNAD, such as IT support,
the separation of roles is essentially complete, and the FSS is
one supplier among others, all providing profiling services to
the NDNAD within a closely regulated quality and security structure.
3.3 The structure which has evolved therefore
consists of a range of quality-accredited suppliers profiling
samples on behalf of police customers, with profiles being submitted
to a central Database, and the resulting "matches" being
sent by the Database back to the police forces.
3.4 Where there have been attempts to establish
within a single commercial organisation other databases which
were unarguably national in nature, as was initially the case
with both the footmark and the Ballistic Intelligence databases,
it rapidly became apparent that this was both commercially and
strategically inappropriate, and that the NDNAD model was preferable.
3.5 We feel that the model that has been
achieved, with an independent Custodian within Government setting
standards for, and overseeing the operation of, a range of service
suppliers from both the public and private sectors, represents
an extremely effective system for operating a national database.
4. NDNAD SUBJECT
4.1 In the case of samples collected from
individuals for processing for addition to the NDNAD, the current
system involves a police force submitting a DNA sample, typically
in the form of a mouth swab, to the processing laboratory, together
with a card carrying details of the donor. Both the sample and
the card carry a unique bar-code number. The card also carries
a numerical link to any associated Police National Computer entry
(the "arrest/summons number" or ASN) as well as details
of the donor, including name, date of birth, ethnic appearance
and the type of offence involved.
4.2 In addition to processing the sample
and submitting the resulting DNA profile to the NDNAD, the laboratory
is required to capture some of the data from the card to submit
to the NDNAD with the profile and to store both the residual sample
and the card. This means that each processing laboratory holds
a store of samples of individuals' DNA and a store of data about
5. TOO MUCH
5.1 The laboratories do not need all of
the data about the donor which is provided to them in order to
be able to process the samples. The unique (and anonymous) barcode
should be sufficient to identify the sample and to link the profile
produced to the sample and therefore to the individual donor.
In practice, it is accepted that any system involving large-scale
sample and data collection and transfer can be prone to error,
such as occasional inadvertent "sample swaps", so some
additional data is of value in case it is necessary to resolve
a discrepancy. However, this could be limited to a less specific
identifier than a donor's name, for example a date of birth.
5.2 The residual samples are retained in
case rework is required, including reprocessing for quality assurance.
The ability to re-profile samples is of undisputed value, but
storage of samples, containing the full DNA of donors, has raised
issues of security, access and approval for use.
6. MANAGING THE
6.1 The data-related issue which emerges
is how the flow of sample-related data is managed, that is, which
parts of the overall data held on an individual are required by
each organisation within the data handling chain. Although all
the data gathered during the processing of DNA subject samples
is necessary at some point, not all data is required by all participants
in the process. There is therefore a case for a "data audit"
when establishing the flow of data to underpin a database, to
review which aspects of the overall data need to pass to and/or
be held by each organisation involved. This contrasts with a "one
size fits all" approach, involving access to a data package
containing all the data required by all participants, so that
each organisation within the data-handling chain can abstract
the data they need.
6.2 We consider that, as the total amount
of data held on individuals increases, this should not automatically
be passed from one agency to another as a bundle to be "mined"
by the receiving agency for the aspects that they require. There
should instead be an effort to pre-screen data flows on a "need
to know" basis, so that the total information available at
each location is minimised.
6.3 The presumption should be that only
those data points which are necessary for them are disclosed to
each participant in the chain. In particular, the identity of
the individual involved should ideally be encoded in such a way
that those engaged in sample or data processing are not aware
of the identity of the individual and only those authorised staff
at the operational centre of, for example, law enforcement are
in a position to link the various components of the data to the
6.4 Similarly, where samples are involved
which potentially contain additional information about the donor,
access will be required by processing organisations when they
conduct their work, but any long-term storage should be undertaken
only in closely-controlled repositories, to minimise the potential
for unauthorised access.
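The need-to-know packaging argued for in 6.1 to 6.3, as an added Python model; it is not code from the memorandum or from the NDNAD's own systems, and the field names, barcode, ASN and profile values are constructed assumptions.

```python
"""Added model of need-to-know data packaging for a pseudonymised sample pipeline:
the force keeps the full record and the barcode link table, the laboratory sees
only barcode and date of birth, the Database reports matches as barcodes."""

# Constructed sample record; field names are assumptions modelled on the card.
FULL_RECORD = {
    "barcode": "BC-0000123", "asn": "01/000123Z", "name": "J. Doe",
    "dob": "1980-05-14", "ethnic_appearance": "(constructed)", "offence_type": "burglary",
}
PROFILE = ("D3S1358:15,16", "vWA:17,18")  # constructed, abbreviated STR profile

# The "data audit": the fields each downstream participant actually needs.
ROLE_FIELDS = {"processing_lab": {"barcode", "dob"}, "database": {"barcode", "asn"}}


def package_for(role, record):
    """Return the minimal data package for a role; every other field is withheld."""
    return {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}


def lab_process(package, profile):
    """Laboratory output: the profile keyed by barcode only, never by donor name."""
    if not set(package) <= ROLE_FIELDS["processing_lab"]:
        raise ValueError("lab received excess data")
    return {"barcode": package["barcode"], "profile": profile}


class Database:
    """Central Database: holds profile and PNC link per barcode, reports matches."""

    def __init__(self):
        self.records = {}

    def load(self, submission, db_package):
        bc = submission["barcode"]
        self.records[bc] = {"profile": submission["profile"], "asn": db_package["asn"]}

    def match(self, scene_profile):
        return [bc for bc, r in self.records.items() if r["profile"] == scene_profile]


def run_flow(record, profile, scene_profile):
    """Push one sample through lab and Database; return the names the force links to hits."""
    force_index = {record["barcode"]: record}  # link table never leaves the force
    db = Database()
    db.load(lab_process(package_for("processing_lab", record), profile),
            package_for("database", record))
    return [force_index[bc]["name"] for bc in db.match(scene_profile)]
```

Passing the full record to `lab_process` is rejected, which is the check a data audit would add at each hand-over point.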
7.1 Efficient construction and operation
of databases will usually require the involvement of a variety
of organisations, from within Government and the private sector.
In addition to the usual arrangement for security vetting the
individuals with access to data, any potential for "leakage"
of information can be minimised by careful attention to the design
of data flows and, in particular, by ensuring that only a limited
number of authorised individuals at the core of the Database are
able to link data back to the individual concerned. Although some
details of its operations are still subject to debate, the National
DNA Database has evolved to a position where it can offer a valuable
model for the design and construction of future databases holding
information about individuals.