Privacy Commissioner Marie Shroff is calling on the government to create an independent oversight body to monitor New Zealand’s DNA Databank following Computerworld’s revelations of a security breach last week.
“The Government is currently proposing expansion of the criminal DNA database. I have recommended an independent oversight body be set up to ensure that the interests of individuals in such a state-run scheme are balanced and protected,” Shroff said in a statement following our report.
According to the Police, an as yet unnamed woman was due to appear in the Auckland District Court last Friday charged with unlawfully disclosing information from a DNA database.
(Update: Alexandra Monique Cranstoun, 27, entered no plea to the charge in the Auckland District Court. She is bailed until August 28 under a diversion scheme.) Section 252 of the Crimes Act states sets a penalty of up to two years for intentional access to any computer system without authorisation.
“Our DNA contains powerful information about each of us and that information requires expert handling and secure storage,” Shroff says. “The DNA databank has strong legislation and protections around it. However, a system will only be as strong as its weakest point, as the current incident highlights. If, as a society, we choose to gather and store the DNA of New Zealanders, we must also make sure that it has state-of-the-art protection.”
Meanwhile, a senior barrister says inappropriate disclosure from the DNA databank is concerning but he can’t see that it will affect any court cases.
Jonathan Krebs, the convenor of the Law Society’s criminal law committee, says some defence counsel may try to make some mileage out of the incident, but until more is known about what was released and to whom, it’s too early to comment.
Crown Research Institute ESR released a statement last week after Computerworld began querying it about rumours of a breach.
“ESR is treating this matter very seriously,” ESR said in its statement at the time.
“The Police were informed of the allegation and initiated a criminal investigation. A staff member has been suspended pending the outcome of the police and internal investigations.”
ESR says it is undertaking a number of steps to continue to ensure every measure is in place to protect the integrity of the databank information and how it is accessed.
“This includes an independent audit and review of all systems, policies and procedures related to the DNA databank,” it says.
“Having said that, ESR is confident that there has not been any impact on the integrity or outcome of past or current criminal cases or on the ongoing operation of the DNA databank.”
The DNA Profile Databank is on a separate dedicated secure system, ESR says. The system is physically isolated and contains a number of security features.
“External parties, including Police, cannot access any information on it. Access by ESR staff is limited, both physically and by system security features, to those staff working within the forensic DNA facility,” the Crown Research Institute says.