Privacy Impact Assessment National DNA Index System (NDIS)
February 24, 2004
This PIA is conducted pursuant to the E-Government Act of 2002, P.L. 107-347, and the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003.
The FBI's Senior Privacy Official has reviewed the National DNA Index System (NDIS), and taking into account the need for this system and the privacy risks and protections discussed herein, the FBI approves the FBI's use of this system.
Pursuant to the Privacy Act of 1974, 5 U.S.C. §552a, notice for NDIS was published in the Federal Register at Volume 61, Number 139, in 1996, but a PIA was not previously submitted. The NDIS system has not been materially altered from the time that the system notice was published in the Federal Register. Therefore, NDIS records are covered by the Privacy Act system notice already published in the Federal Register, and a new Privacy Act system notice is not required
National DNA Index System (NDIS) is a system of DNA profile records input by criminal justice agencies (including state and local law enforcement agencies). The Combined DNA Index System (CODIS) is the automated DNA information processing and telecommunication system that supports NDIS. Pursuant to the DNA Identification Act of 1994 (DNA Act), certain categories of information must be collected: 1) DNA identification records of persons convicted of crimes; 2) Analyses of DNA samples recovered from crime scenes; 3) Analyses of DNA samples recovered from unidentified human remains; 4) Analyses of DNA samples voluntarily contributed from relatives of missing persons; and 5) known reference sample from missing persons. At state and local levels, in addition to the above specimen categories, state law determines what categories of specimens and what offenses may be included in the database. NDIS does not retain information that would allow the NDIS Custodian to personally identify the record by name or other personal identifier. Individuals seeking to review their records are directed to contact the Federal, State, or local authority that received the DNA sample to obtain instructions on how to access their records.
DNA profiles are stored electronically and searched for possible matches. Matches made between the Forensic and Offender Indexes provide investigators with the identity of the suspected perpetrator(s). Matches made among profiles in the Forensic Index can link crime scenes together to ascertain identifying serial offenders. Based on a match, police in multiple jurisdictions can coordinate their respective investigations, and share the leads they developed independently. After CODIS identifies a potential match, qualified DNA analysts in the laboratories responsible for the matching profiles contact each other to validate or refute the match. Access to the database will be granted only to Federal, State and local crime laboratories performing DNA analysis.
A. What information is to be collected?
The NDIS system contains agency identifiers representing the agency submitting the DNA profile; the specimen identification number; the DNA profile; and the name of the DNA personnel associated with the DNA analysis.
B. Why is the information being collected?
The information is being collected pursuant to the DNA Act which requires certain DNA categories be collected. This Act also formalized the FBI's authority to establish a national DNA Index System for law enforcement purposes. In order to carry out that authority, the FBI collects the aforementioned information to assist state and local labs in processing DNA profiles. These DNA profiles are then stored electronically and searched for possible matches.
C. What is the intended use of the information?
The information in NDIS is used to match DNA profiles with crime scenes and human remains (missing persons). DNA profiles are stored electronically and searched for possible matches. Matches made between the Forensic and Offender Indexes provide investigators with the identity of the suspected perpetrator(s). Matches made among profiles in the Forensic Index can link crime scenes together to ascertain identifying serial offenders. Based on a match, police in multiple jurisdictions can coordinate their respective investigations, and share the leads they developed independently. After CODIS/NDIS identifies a potential match, qualified DNA analysts in the laboratories responsible for the matching profiles contact each other to validate or refute the match.
D. With whom will the information be shared?
Access to the database will be granted only to Federal, State and local crime laboratories performing DNA analysis. If a match is found, it will be shared with the Federal, state or local law enforcement investigating the crime or searching for the missing person.
E. What notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared?
NDIS consists of two primary areas of collection and retention of DNA profiles. The first, The Relatives of Missing Person Index, consists of DNA records from the biological relatives of individuals reported missing. Inclusion in this index is strictly voluntary and the person contributing the sample is required to fill out a "Consent and Information Form" which sets forth the elements of the Privacy Act. All DNA profiles in the population file are anonymous and are used for statistical inferences. The data file does not contain personal information, nor any identifying association, to the donor.
The second primary area of collection and retention is the convicted offender index. No notice is given to convicted offenders about what is being collected and how it will be shared. Convicted offenders do not have the option of not consenting and Federal law authorizes the force necessary to obtain the sample (Reference: DNA Identification Act of 1994, Public Law 103 322). Those samples, consisting of DNA profiles originating from and associated with evidence found at crime scenes, are included in the Forensic Index (a part of NDIS). The Convicted Offender Index consists of DNA records from offenders convicted of qualifying federal and/or state crimes.
F. How will the information be secured?
All records are maintained in a secure government facility with access limited to only authorized personnel or authorized and escorted visitors. Physical security protections include guards and locked facilities requiring badges and passwords for access. Records are accessed only by authorized government personnel and contractors and are protected by appropriate physical and technological safeguards to prevent unauthorized access. Access to the database has been granted to Federal, state and local crime laboratories performing DNA analysis who meet the aforementioned standards.
G. Is a system of records being created under section 552a of title 5, United States Code, (commonly referred to as the "Privacy Act")?
Yes. CODIS/NDIS does qualify as a system of records for the purposes of the Privacy Act. However, the NDIS system has not been materially altered from the time that the system notice was published in the Federal Register. Therefore, NDIS records are covered by the Privacy Act system notice already published in the Federal Register, and a new Privacy Act system notice is not required.
H. What choices the did the FBI make regarding an IT system or collection of information as a result of performing the PIA?
The FBI chose to require the following actions as a result of performing the PIA. The CODIS Unit has:
Ensured that any contracts with outside entities regarding the NDIS system specify that contractors will be subject to the requirements of the Privacy Act as provided in 5 U.S.C. 552a(m). The CODIS Unit also ensured that any contractor personnel sign Non-Disclosure Agreements. This was made a part of the contract. . In addition to past action, the FBI requires that the CODIS Unit contact OGC for guidance especially if NDIS is modified in the future.