Abstract
Recent expansions in databases containing clinical, research, or genetic information have created opportunities for other uses which differ from their original purposes. Legislative changes in some jurisdictions broadening the powers of law enforcement agencies to access these databases for criminal investigations have renewed concerns regarding protecting public safety through DNA profiling for criminal investigations and defending individuals’ interests in protecting their personal information. This article addresses the ethical and legal considerations around the widening of law enforcement agencies’ powers to collect DNA information and potential access to DNA databases for criminal investigations, focusing on the recent developments in Singapore in comparison with selected jurisdictions. It advocates for a tiered access approach to third-party research databases for specific crimes only. A tiered access approach facilitates the aims of safeguarding public interests through appropriate exercise of access powers, protecting individuals’ expectations of privacy of their personal information contained in these databases and supporting the continued sustainability of third-party research databases.
Keywords
Introduction
There has been recent growth in databases containing DNA or genome sequencing information that are developed for the purpose of advancing biomedical research and improving population health outcomes. 1 Databases containing genetic and personally identifiable or identifying information have increasingly become important sources for criminal investigations. There are various types of DNA databases, ranging from commercially established ones to public research databases, clinical DNA databases administered by hospitals, forensic databases and databases that are specifically created to deliver technologically driven health care initiatives such as precision medicine. Third-party research databases in this article refer to clinical or health research databases which are established for the purpose of health research and not for familial tracing, forensic investigations, or for commercial use/purposes. An example of state-administered forensic database is the Combined DNA Index System (CODIS) in the United States, while precision medicine-type databases include sequencing platforms at Genome Institute Singapore which contributes to the National Precision Medicine Programme, Precision Health Research, Institute of Precision Medicine and PreMedKB. 2 Public research databases may be held by universities or research institutes and vary in the amount of genetic and health-related information they hold. Some of these databases contain mitochondrial DNA information that are in aggregated and de-identified forms such as GenBank, mtDB (human mitochondrial genome databases) and HelixMTdb (helix mitochondrial database). 3 Commercially operated DNA databases include 23andMe, 4 CircleDNA, 5 Ancestry.com, 6 MyHeritage, 7 LivingDNA, 8 and FamilyTreeDNA 9 where individuals can provide their DNA samples in return for services in ancestry or familial tracing.
An expansion of commercial DNA databases is likely to attract access interest by law enforcement agencies for criminal investigations and other related purposes. However, these databases are mainly useful for investigative stage such as investigative genetic genealogy where potential suspects could be narrowed by relying on ancestry genetic information. Information from these databases rarely serve as key evidence that are admissible in court or provide incriminating power beyond a reasonable doubt in court proceedings. However, there are concerns about the extent that law enforcement agencies may gain access to these databases as DNA information stored in commercial databases could still provide investigative leads that will be of assistance during criminal investigations.
This article examines key legal and ethical concerns around the legislative broadening of law enforcement agencies’ powers to collect DNA information and potential access to third-party DNA databases (that are not originally established for forensic investigations) for criminal investigations in Singapore. While access to DNA databases is often justified for protecting public interest through maintaining public order and safety, the extent to which such powers could be lawfully exercised remain contentious. This article explores the legal and ethical concerns in the context of the recently enacted Registration of Criminals (Amendment) Act 2022 (‘RCAA’). The broadening of powers to collect from more sources of data poses the possibility that third-party research databases containing genetic, or DNA information could come within the purview of law enforcement agencies, given that the recent change to the law potentially enables these sources to be tapped for criminal investigations.
The article proceeds as follows. First, it outlines current practices in police accessing third-party DNA databases for criminal investigations with reference to examples from Australia, the United States, and the United Kingdom. References to international practices offer valuable comparative insights into the extent of such exercise of powers in the public interest. An examination of these practices in line with the broadening of police powers through legislation reveals problematic concerns that warrants drawing a line between protecting public safety and permitting access to third-party DNA databases for criminal investigations. Next, it draws on the example of police accessing data from the national COVID-19 personal contact tracing database in Singapore for criminal investigations and the ensuing legislative responses that underscore the continued significance of these practices. Key legal changes under RCAA affecting greater DNA data collection under the law are highlighted for further analysis. The article then outlines the limitations of DNA databases for criminal investigations, particularly with the use of DNA information. Key ethical and legal considerations that emerged from legislative-supported enhanced police powers are analysed, highlighting relevant implications to the public. Given these concerns, it shows that police powers to access third-party databases should be guided by a tiered access approach. This approach reduces the tensions between protecting public interest by resolving criminal investigations and defending the privacy interests of individuals who donated their DNA information to third-party databases. This is followed by a consideration of the advantages and drawbacks of a tiered access approach and a consideration of the criteria and circumstances under each tier, with a summary of recommendations.
Criminal investigations and access to third-party DNA databases: developments and controversies
DNA profiling has become the gold standard in forensic science over the past 30 years and is a valuable resource for criminal justice systems globally. 10 For example, in the United Kingdom, the need for continuous access to forensic investigations in the criminal justice system has motivated the development of DNA profiling programmes, such as the National DNA Database (NDNAD). 11 In the United States, the National DNA Index System and the CODIS were created in the 1990s to provide participating states access to the CODIS database, allowing state laboratories to upload samples onto the database, performing searches for investigations, or comparing samples. 12 These samples are DNA collections from three indexes namely convicted offenders (DNA profiles from samples collected from convicted offenders), people who were arrested and forensic database where DNA profiles were generated from biological samples collected from crime scenes or victims. Some legislation affecting DNA collection authority in the United States have been amended to widen the categories of people from whom samples can be collected. The retention of these samples for quality assurance purposes has; however, raised privacy concerns for fear that these could be misused. 13
While it has become increasingly common for police to build their own DNA databases for criminal investigations, they are also requesting access to third-party DNA databases through the relevant authorities. For example, arrangements exist between the Australian New South Wales (NSW) Commissioner of Police and the NSW Department of Health that allows police officers to access newborn screening blood samples (screening cards) in the custody of the Department for specific investigations, such as identifying human remains or to locate victims of crime. 14 A study exploring community views of newborn screening in NSW revealed that some groups were concerned with the potential misuse of stored samples and the possibility of creating a DNA database with reference to the arrangements between the NSW Police and NSW Health. 15 The study emphasised the need to improve communications about newborn screening usage and maintain public support for these health programmes. 16 Generally, however, police access to samples for criminal investigations was perceived as valuable, especially in identifying missing persons. 17
The Australian state of Victoria has brokered similar arrangements where, through a court order, Victoria Police can gain access to newborn screening cards held by Genetic Health Services Victoria. 18 This authority is in addition to existing powers under the Crimes Act 1958 (Vic) where police can obtain DNA samples from suspects or volunteers for criminal investigations. However, DNA samples can only be collected under specific circumstances, such as with the informed consent of the suspect, by court order, or upon the authorisation of a senior police officer and where there are reasonable grounds that the collection would confirm or disprove involvement of the person. 19 Subsequent legislative amendments to existing laws governing crime investigations have enabled law enforcement agencies in several Australian states to access the National Crime Investigation DNA Database. Under these arrangements, police may access the database across all the states and territories of Australia at any time and perform DNA sample matching. 20 The latter raised privacy concerns about people who would not normally fall within suspicion for a particular crime being identified through DNA matching. 21 Reports surrounding breaches of testing protocols in forensic crime labs in the Australian state of Queensland raised concerns about the use of collected DNA samples. 22 An inquiry into the breaches recommended the lab identify DNA samples that were previously incorrectly reported as insufficient for further processing and to report the grounds for such decisions. 23 The inquiry further recommended the lab rectify inaccurate statements regarding their previous findings on the DNA samples that were identified as ‘insufficient for further processing’ or ‘no DNA detected’. 24
The New Zealand Law Commission has recently recommended legislative changes to the Criminal Investigations (Bodily Samples) Act 1995 to accommodate the increasing use of DNA information in criminal investigations, including protecting participant privacy and establishing an oversight committee. 25 This approach is similar to the United States where access to forensic and third-party DNA databases is controlled. Meanwhile, China is reportedly developing comprehensive DNA databases drawn from various sources and administered by the police for criminal investigations, although it is unclear how these samples are used or what sort of consent, if any, has been obtained. 26 These legislative developments indicate growing attention to the utility of DNA which give rise to potential risks and implications to affected individuals pursuant to increasing police powers in accessing third-party DNA databases to facilitate criminal investigations.
In Singapore, its national DNA database, established in 2004, is held by the Singapore Police Force. The Singapore Forensic Biology Division of the Health Services Authority is responsible for processing DNA samples for law enforcement agencies and performs DNA testing for kinship investigations. 27 The Registration of Criminals Act, enacted in 1949 with subsequent amendments from 2002 onwards empowers police to record registrable particulars such as photographs, finger impressions, conviction records of offenders, and their DNA information on the Register of Criminals. The amended law, RCAA, enables police to collect DNA information from individuals involved in a wider range of crimes in support of swifter identification of suspects. 28
All states in the United States have enforced legislation supporting the operation of multiple levels of DNA databases drawn from local, state and national authorities. In the United Kingdom, the Police and Criminal Evidence Act 1984 has empowered police to take bodily samples from suspected or convicted offenders. 29 Campaigners in the United Kingdom have raised concerns about the expansion of DNA collection for the NDNAD, including suggestions to include samples from newborn babies in the national database. 30 Similarly, in the United States, concerns ranging from civil rights, liberty, and potential employment discrimination were raised in response to broadening the collection and maintenance of DNA databases by the police, 31 including proposed use of newborn blood samples for criminal investigations. 32
Companies offering DNA testing analysis using saliva or buccal samples contain rich sources of personal information that could be valuable for investigations, such as verification of identities of potential suspects or generating investigative leads. They offer autosomal DNA testing for familial tracing across generations, Y-DNA test to identify male relatives, or mitochondrial DNA testing for identifying relatives based on maternal lineage. 33 The growth of commercial DNA testing with millions of customer profiles on these databases with highly personal information of individuals, and their relatives have raised privacy concerns in so far as access by law enforcement agencies is concerned. 34 The differences in consent options available for customers in relation to potential information sharing with law enforcement agencies have further complicated existing privacy concerns. Some of these companies, such as Ancestry.com and 23andMe, have supported legislation controlling access by law enforcement agencies to their databases, with several states in the United States enacting laws that limit police powers in searching third-party commercial databases for criminal investigations. 35 The continued controversies surrounding the extent of access powers underscored the importance of balancing the benefits that could arise from permitting access to DNA databases and potential risks to personal privacy and public support for third-party databases. In Singapore, an incident involving TraceTogether contact tracing data spurred public attention to the broadening of the legislative powers for criminal investigations.
TraceTogether and legislative responses
In March 2020, the TraceTogether App was introduced in Singapore for contact tracing to mitigate the spread of COVID-19. Despite assurances from the government that the App would collect data solely for the purpose of contact tracing, the Ministry of Home Affairs revealed to the Parliament in December 2020 that the Singapore Police Force had accessed the data for a murder investigation. The murder occurred in May 2020 where a jogger was fatally stabbed in Punggol Field. 36 Because the incident had attracted much public attention, police investigators wanted to make an arrest promptly. However, the TraceTogether data were ultimately unhelpful as the suspect had not installed the App onto his phone. 37 The revelation nonetheless prompted public debate and raised concerns about police powers to access data being collected for public health purposes. 38 The public response suggests that many in Singapore were unaware that the TraceTogether data could or would be accessed. 39 Concerns were raised in relation to data privacy, confidentiality, and the potential for police misuse and misidentification in criminal investigations. 40 The public who came to learn about the incident criticised the government for not being upfront about these possible uses of the TraceTogether data and called for more transparency around how they will be used and the safeguards that are in place to minimise misuse. 41
The public response highlighted potential tensions between protecting the privacy of individuals and public safety. To balance both interests, the Parliament of Singapore swiftly passed the COVID-19 (Temporary Measures) (Amendment) Act 2021 (‘Act’) on 2 February 2021 to limit law enforcement’s use of the TraceTogether data to only very serious offences. 42 Schedule 7 of the Act lists seven types of offences that are considered as serious offences for the purpose of the law:
a. ‘unlawful use or possession of corrosive and explosive substances, firearms or dangerous weapons.
b. any offence relating to committing, aiding, conspiring, abetting or financing of acts of terrorism under terrorism laws.
c. any offence relating to causing death or concealment of death, or maliciously or wilfully causing grievous bodily harm where the victim’s injury is of a life-threatening nature.
d. a drug offence that is punishable with death.
e. any offence relating to escape from custody where there is reasonable belief that the subject will cause imminent harm to others.
f. kidnapping, abduction or hostage-taking.
g. any offence involving serious sexual assault such as rape or sexual assault by penetration.’
Section 82(2) of the Act only permits the disclosure of or access to any personal contact tracing data for investigations involving specified offences under Schedule 7. Furthermore, Section 82(4) stipulates that if police officers or law enforcement agencies request access to personal contact tracing information, individuals are not bound to comply with such requests as they are contrary to Section 82(2). Police officers who failed to comply with the law restricting access to information under Section 82(4) are subject to a penalty of fine or imprisonment or both. 43
In specifying that TraceTogether data could only be accessed in assisting investigations of serious offences within Schedule 7 of the Act, the government has attempted to balance the need for law enforcement agencies to access available data sources to facilitate their investigations while being mindful of the potential intrusiveness of such access to individuals. Although the Act seemed to resolve some potential concerns regarding the limits of authorities in accessing personal contact tracing data, 44 it raises other concerns, such as the possibility of widening the list of offences that may be considered as serious in the existing Schedule. This could result in access for a wider range of criminal investigations, and potentially affecting a wider pool of ‘suspects’. The TraceTogether controversy suggests the need to broadly align data access practices with public expectations. 45 The incident similarly highlighted the uncertainty of the boundaries constituting public interest and what constitutes serious crimes.
Following the TraceTogether data episode, the Parliament of Singapore introduced amendments to relevant laws governing police authority and their scope of power in criminal investigations. The Registration of Criminals (Amendment) Act 2022 (‘RCAA’) empowers police to collect DNA information from any data source and widen the use of DNA information for criminal investigations. This legislation has important implications to current and future third-party research databases containing DNA information regarding police access. The new law does not address the types of DNA databases, but only in relation to the types of crimes for which DNA samples can be collected from individuals and retained for criminal investigations. Due to the growth in research and commercial databases containing DNA samples, these DNA databases may be affected in the interest of resolving criminal investigations. While the powers of law enforcement agencies to access personal contact tracing data for criminal investigations are limited, arising from the TraceTogether incident, the legislative changes to RCAA signals a potential broadening of access powers to other data sources, which may include research databases that collect and store genetic information. It is thus essential to establish permissible access boundaries. The legal changes and implications are explored further in Section 4 Part B below. Further considerations regarding limitations of third-party databases warrant a rethink about its reliance for criminal investigations. We now turn to consider these limitations.
Limitations of third-party databases
DNA has been portrayed as sacred in socio-cultural and political contexts, reflecting its iconic cultural status. 46 Studies have shown that surveyed jurors in the United States regarded DNA evidence as highly persuasive compared to other types of evidence. 47 The study highlighted, however, that the reliability of DNA evidence could be weakened by human error, suggesting that lab integrity could negatively affect its strength as evidence. The lack of reliance on DNA evidence in prosecution could potentially occur as a result of doubts about the DNA profiles that are being tendered as evidence. Despite a high regard among jurors in the United States of DNA evidence, there are limitations surrounding DNA evidence in the literature and among the scientific community. This aspect may not be known to the jurors, and possibly the public who have favourable perceptions of the utility of DNA information from various sources such as popular culture (e.g.: the perceived superiority of DNA profiling) or the media (e.g.: television shows such as Crime Scene Investigations (CSI)). A recent study has similarly questioned the effectiveness of DNA databases generally in relation to their purpose and content, indicating doubts about common acceptance of their value for criminal investigations. 48 The authors’ systematic review of the literature found that although researchers are not opposed to the expansion of non-forensic DNA databases, they were not supportive of such expansion for crime-solving purposes owing to privacy concerns, among others. 49
Despite the continuing appeal of DNA databases in facilitating criminal investigations, there are notable limitations in their efficacy due to numerous variables that could weaken DNA as evidence for criminal investigations. A study in the United Kingdom has questioned the actual contribution of DNA samples in criminal investigations, citing the low level of crimes solved using DNA information. 50 The study further pointed out that factors such as the non-involvement of DNA evidence in most crimes, policing budgets, and the lack of DNA reference weakened the utility of using DNA for investigations. Other concerns include the risk of police becoming overly dependent on accessing DNA databases in their investigations. In Singapore however, when highly incriminating evidence such as DNA evidence and fingerprint evidence are presented in the court, the evidential values of these evidence are rarely contested. 51 DNA information is still being collected on the broad basis that they might be helpful in criminal investigations and prosecutions. This indicates that the infringement arising from the collection of these data which are then possibly accessed by law enforcement agencies could potentially outweigh the assumed utility of DNA information in assisting criminal investigations and any subsequent arrest, charge, or prosecution of suspects.
Its evidentiary value is only as strong as the application of proper and correct procedural steps when processing DNA information. For example, potential transfer (i.e. contamination) from DNA samples 52 will likely affect its quality. Proper collection, storage, and processing of DNA information is crucial in ensuring the accuracy and rigour of the results of DNA analysis of crime scene samples during criminal investigation. Such procedures however, are not strictly upheld when consumers collect their DNA for recreational testing as they are not forensically trained. As such, the quality of the DNA samples used in the analysis can be questionable, for instant their DNA samples may be contaminated due to incorrect DNA sample collection procedures. Other potential biases and investigative or deductive errors that impede the validity of DNA information extend to contamination risks at each stage of the investigation process and where evidence is unconsciously suited to favour the prosecution’s explanation. 53 Consequently, there is a likelihood that the forensic and third-party DNA databases contain errors, which limits its use for police seeking to use those DNA profiles.
As indicated above, there are various types of concerns surrounding the use of DNA samples for specific purposes, such as criminal investigation, familial testing, or genealogy tracing. The latter involves ethical and social issues regarding familial/individual privacy and implications to relationships while the former potentially affects individuals and relatives in the criminal justice system. For instance, within the administration of justice, the quality and quantity of DNA evidence obtained from the crime scene may not be suitable for use in cases where the DNA of multiple personnel are mixed in the same sample which poses significant difficulties in deconvolving DNA profiles of individuals thereby, impeding accurate identification of each person. DNAs collected from crime scenes may be degraded in quality and of insufficient quantity compared to samples donated to commercial databases.
Variations in DNA analysis for criminal investigative purpose and familial tracing may result in different profiling outcomes, further complicating decisions to use these samples for criminal investigations. A handful of highly profiled and publicised criminal investigative success examples using DNA information does not imply unrestricted access to third-party research or commercial DNA databases. Criminal investigations should take into account the totality of evidence, and while DNA evidence, which makes use of the value of DNA databases, provide undisputed evidential value, other corroborative forensic evidence and witness testimonies should be considered as well.
Given the constraints associated with DNA information for different purposes, it is vital to be cautious of its use. While accessing DNA databases can offer a wider range of potential matches to increase the prospect of identifying the correct suspect, access should remain within the specific scope of public interest. A blanket public interest ground based on criminal investigation is insufficient when weighed against risks arising from biases and limitations in DNA collecting, and processing that are not error-free which will likely cause miscarriage of justice. DNA is only valuable as confirmatory or supporting evidence among a collection of other forms of corroborative evidence.
In the following sections, this article will highlight important ethical and legal considerations arising from legislative changes in Singapore that empowers law enforcement agencies broader DNA collection authorities. The examples illustrate how a widening of these powers should align with public interest (public safety), societal expectations of benefits, and availability of protections (privacy interests) arising from potential access to third-party research databases and potential limitations of these databases.
Key ethical and legal considerations
Ethical issues with DNA profiling for crime investigations
The DNA expansion programme in the United Kingdom since 1995 and the identification of the Golden State Killer through genetic genealogy in the United States have re-ignited debates on law enforcement agencies accessing third-party/commercial DNA databases. 54 Key ethical issues include errors in DNA testing resulting in wrongful convictions 55 and privacy intrusion. 56 When an insufficient quantity of and/or degraded DNA samples are tested, false identifications may occur, 63 increasing risks of harm (e.g.: psychological, reputational, financial) and loss of liberty to innocent individuals. 57 In the United States, over 3,200 wrongful convictions have occurred since 1989 and of these, 52% resulted from unvalidated or improper forensic evidence. 58 In addition, the database includes individuals whose convictions were overturned following DNA evidence.
Samples used for DNA profiling may reveal much more information and identify the family members of those who are tested. In the search for the Golden State Killer, the US police partnered with a private lab to conduct familial genetic searches and assessed genetic data of individuals who were not suspects of the crime. Substantial concerns about privacy were voiced about the way the police accessed data which led to stricter policy measures on familial searches in some states. Other concerns were raised about risks of employment or insurance discrimination through re-identification of genetic data. 59 Although it has been argued that such risks are insignificant, 60 there has been considerable public opinion that there are risks associated with genetics regardless of evidence and existing protections. 61 However, it is postulated that appropriately rigorous data security measures that commensurate with the highly personal and sensitive nature of DNA information could minimise harm to people who have donated their DNA samples. This is because rigorous data security that is applied to DNA databases can reduce opportunities for unauthorised access and use and provide clear audit trails regarding access. This approach provides an assurance that safeguards relating to proper processes and procedures are followed where access is granted to these databases. Consequently, any potential harm to individuals arising from unauthorised access can be reduced. Policymakers should also reassure the public about the safeguards that are put in place to protect their data. While aiming to strike a balance may be a delicate task, it is necessary to maintain the social licence to use donated DNA information in third-party research databases. Meanwhile, concerns about privacy intrusion in the United Kingdom were addressed by its Protection of Freedoms Act in 2012 which aimed to rectify the imbalance between protecting public safety and personal right to privacy. This move has led to the removal of more than a million DNA profiles of adults and children from the NDNAD. 62 These ethical concerns will apply to the expansion of DNA databases and widening of police powers in accessing these databases for criminal investigations. It is thus important that these expansions are accepted by the public before the occurrence of adverse implications. 63
A scoping review of public opinion in Europe and the United States on forensic DNA testing in criminal investigations showed potential benefits in crime solving and concerns over improper access and risks to privacy rights. 64 The review revealed greater concerns regarding stigmatisation risks among younger participants. While the concern about existing disproportionate inclusion of certain racial/ethnic groups in forensic DNA databases may be less valid in genealogy databases, it may potentially become a societal issue with increasing use of genealogy databases in crime fighting. The review further showed that persons of European ethnicity were more likely to be knowledgeable about forensic DNA databases and reported greater trust in DNA use compared to other ethnic groups, while legal professionals were reportedly more likely to accept DNA databases as crime-fighting tools. This latter group did not regard DNA databases as intruding privacy and favoured long retention periods for convicted offenders’ DNA profiles. This may be attributed to varying levels of stigmatisation experienced by different groups in the review. The study highlighted that public attitudes towards forensic DNA testing are dependent on cultural contexts and associated with levels of public trust and views about the justice system. Discrepancies in knowledge and trust as well as how legal professionals view privacy intrusion underscore societal differences, which calls for a greater understanding of the nuances that exist which affect peoples’ views regarding the use of their personal DNA information.
In terms of attitudes towards laws governing forensic DNA testing, the review reported a range of considerations, from DNA sample retention and removal periods to inclusion criteria, availability of data protection, cross-border DNA data exchange regimes and governance of forensic DNA phenotyping and familial searching. Other studies showed that public support for police access to commercial DNA databases differ based on the types of crime, with greater public support for severe crimes such as murder and sexual assault. 65 This finding emphasised the importance of implementing policies that are socially and politically representative of the users’ interests in relation to participants’ informed consent and the powers of police investigations in accessing these DNA databases. 66 Due to the limited evidence supporting the effectiveness of DNA evidence in solving crimes, 67 a study proposed a trade-off could involve restricting police access to commercial DNA databases to only serious crimes. This approach aims to alleviate public apprehensions regarding privacy risks and genetic discrimination.
In GEDmatch, when the public were informed about police accessing its database and users were given the option to opt out of police access, approximately 90% of the users opted out. 68 Although this has significantly reduced the amount of data available for police use, it showed that the public were very mindful of how their personal data are used by law enforcement officers. This can be viewed as a potential drawback to informing the public about the use in advance. It is, however, unclear if Singaporeans would respond in a similar way to GEDmatch users. Based on the public response from the TraceTogether episode, it could be inferred that they would hesitate to permit access to their DNA information except with prior notification. Nevertheless, it remains questionable if they would opt out of police access for criminal investigations.
Broader ethical implications affecting relatives from using DNA information should be included in investigative genetic genealogy practices. 69 Researchers in Portugal found that while the study participants were generally willing to contribute to a national forensic database for crime-solving, they were concerned about risks to human rights protections arising from the absence of control and insufficient regulatory frameworks protecting their interests. 70 These attitudinal data underscored the importance of demonstrating public interest in exercising access powers by law enforcement agencies.
RCAA: legal changes, considerations, and implications
The police power to search is not new. These powers could be enhanced or curtailed through legislation or judicial decisions. In the United Kingdom, DNA samples are taken and retained under the Police and Criminal Evidence Act 1984, with further powers under the Criminal Justice Act 2003. The NDNAD was established under the Criminal Justice and Public Order Act 1994 that provides for the collection and retention of DNA samples for criminal investigations. The broadening of police authority to collect and retain DNA information became the subject of legal challenge, resulting in the removal of acquitted offenders’ DNA profile. 71
In the context of Singapore, the Criminal Procedure Code 2010 (‘CPC’) empowers police officers or authorised persons to order the production of, or access to documents or other things (which could include computer servers) considered necessary or desirable for any investigations. 72 An authorised person under the CPC refers to a person who is authorised by the Commissioner of Police, or officers under any prescribed law enforcement agencies. 73 This suggests that individuals who may not necessarily be police officers could have similar powers to access data if they are authorised to do so. In terms of police powers to access any data for criminal investigations 74 under the CPC, there are limitations, for example, they could access computer data and decrypted information for the purpose of investigating arrestable offences (i.e.: offences where the police can arrest without warrants such as criminal conspiracy, offences against the state or public peace, health and safety and decency). It is unclear whether these data include DNA information under the CPC. A broad interpretation could mean that in the context of third-party research databases, the information which is stored in computer servers could be subject to access or disclosure order where law enforcement agencies deem necessary or desirable for arrestable offences pursuant to Section 39(1). We now turn to an examination of the legal changes introduced by RCAA.
The Registration of Criminal Act, which was enacted in 1949 was recently amended to authorise law enforcement agencies to collect and store DNA information or other individually identifying information 75 from a wider pool of people than the pool of currently permitted individuals. The RCAA was first tabled in the Parliament on 1 August 2022 and read a second time on 12 September 2022. It came into force on 12 June 2023. Among the range of changes that are introduced under RCAA, the key legal changes are the broadening of the types of individuals who may be approached to provide their DNA information and identifying information such as fingerprints and photographs and the scope of offences that are not limited to registrable crimes (i.e. eligible crimes). This approach is aimed at swifter identification of suspects who reoffend. Data can be collected from a range of individuals, where previously it was limited to those who were arrested, convicted or detained. Law enforcement agencies can now collect information from individuals who are not suspects to any investigations, known as volunteers under Sections 14 and 23 of RCAA. Following the new provision for volunteers to provide their DNA information, there are procedural safeguards where their consent must be obtained and they will be informed about the purpose of the collection and how their data are used, with the opportunity to request for this information to be removed and which must be granted. The registrar must remove volunteers DNA information upon their application. On the contrary, Section 27 of RCAA now stipulates that it is an offence for those arrested, convicted, imprisoned or those charged under the Internal Security Act 1960 to refuse to give body samples without reasonable excuse, whereas previously only an adverse inference could be made against such refusals. Furthermore, DNA officers can use reasonable force to take the samples such as blood, head of hair or roots and mouth swab or others in the event of refusal (Section 25). However, such force cannot be used for collecting invasive samples (samples taken by invasive procedures).
DNA and identifying information can now be collected for eligible crimes (non-registrable i.e. crimes that do not attract criminal records, but offenders are subject to imprisonment and the offences are not compoundable except for specific offences e.g.: voluntarily causing hurt and affray). 76 An aspect that remains unchanged is the non-collection of DNA information for minor offences. A significant implication arising from the widening of the pool of individuals from whom their DNA information can be collected is the possibility of further access to genomic information which was previously unavailable.
Another legal change is the creation of new identification databases where identifying and DNA information collected under registrable and eligible crimes, volunteers and those arrested under the Internal Security Act (1960) must be recorded in the database. 77 Identifying information is defined as descriptions of individuals (including sex, age, bodily appearance, and height), documents containing information identifying the individual, fingerprints, names, or photographs. 78 Pursuant to the authority to establish new identification databases, new classifications were introduced to the types of crimes referenced in the CPC, for example, serious crimes are designated as registrable crimes, non-registrable crimes are renamed as eligible crimes, and the last category is minor offences (non-serious crimes). DNA data can be collected by DNA officers for registrable and eligible crimes, while no data can be collected from those who commit minor offences such as making illegal U-turns, creating nuisance, or breaching Covid-19 rules. Consistent with the establishment and recording of identification databases, RCAA introduced new processes for the removal of DNA and identifying information from the databases and statutory safeguards aimed at strengthening the protection for recorded DNA and identifying information.
Another important legal change under RCAA is the expansion of the purpose for which collected DNA information can be used. For instance, collected DNA can now be used for purposes beyond criminal investigation such as death investigations, identifying deceased, and identification of individuals for the purpose of assisting them. 79 The information could also be used to enable comparisons to be made between information in databases administered under the Criminal Law (Temporary Provisions) Act 1955, Intoxicating Substances Act 1987 and Misuse of Drugs Act 1973. In contrast to the COVID-19 (Temporary Measures) (Amendment) Act 2021, police powers are significantly enhanced under the RCAA, as data could be collected without being strictly limited to serious (registrable) offences only. The power to compare and potentially share DNA information in the database with other law enforcement agencies’ existing database means that a richer pool of DNA information could emerge, affecting a wider range of individuals.
The legal implications to the people whose DNA information is collected and stored in third-party research databases could be substantial, as the RCAA affects other related legislation, such as the Employment of Foreign Manpower Act 1990, the Immigration Act 1959, the Internal Security Act 1960, the Intoxicating Substances Act 1987, the Misuse of Drugs Act 1973, the National Registration Act 1965, the Passports Act 2007 and the Police Force Act 2004. 80 For example, a law enforcement agency implementing the Misuse of Drugs Act 1973, such as the Central Narcotics Bureau officers who are empowered to arrest and investigate, could potentially request access to these databases to identify suspects who may be implicated in their investigations. Similarly, any Immigration and Checkpoints Authority (ICA) officers or Commercial Affairs Department officers enforcing the respective laws may be able to request access to this information to assist in their investigations. Relatedly, Singapore’s ICA administers biometric information (e.g.: fingerprints, iris data) of Singaporeans and residents as part of border control. These biometric details are managed in accordance with the National Registration Act 1965 (NRA). The NRA specifically provides that police officers are not prevented from exercising their authorities under the CPC and other relevant laws. 81 This signalled that law enforcement agencies are able to use biometric information stored in the database for their investigations if required. It may also be possible to infer that fingerprints or facial data used by mobile phone apps could be accessed for cross referencing of information to confirm or deny potential suspects.
While it appears that these enhanced powers in collecting, storing, and using DNA information is extensive, one of the proposed safeguards is the possibility to request for the removal of identifying or DNA information from the register, identification and DNA databases. However, requests for removals are subject to specific grounds such as for the purposes of assisting in investigations, ongoing prosecutions or in the security interests of Singapore. 82 In addition, an individual whose identifying or DNA information is held in the database could appeal against the Registrar’s determination to maintain the information. 83
Despite the option to appeal against the retention of DNA or identifying information, retaining information on the ground of national security is rather broad and open to interpretation. Future cases could shed light on the efficacy of this safeguard. The issue of DNA sample retention has been considered in the United Kingdom. For example, the European Court of Human Rights (ECHR) has determined that retaining DNA information widely is disproportionate to the freedom to private life. 84 This judicial decision led to the introduction of the Protection of Freedoms Act 2012 that limited the period of retention of samples contained in the NDNAD. 85 A review of the Protection of Freedoms Act 2012 revealed an improvement in privacy protection of individuals despite some risks to future criminal investigations. 86 The Investigatory Powers Act 2016 (United Kingdom) and the EU Law Enforcement Directive similarly provide for law enforcement agencies to access personal data for limited purpose only in view of considerations for privacy and protection of personal information. However, studies have shown that there remain challenges in implementation, particularly in balancing privacy interests and protecting public safety. 87 The following sections outline the argument for limiting access to third-party databases to serious crimes investigations and the advantages and drawbacks of this approach.
Safeguarding public interests through enhancing legal protections: Protecting public safety and privacy interests through restricted access
Tiered access to serious (registrable) and eligible crimes investigations
The RCAA represented an approach to protecting public safety by increasing the capability of law enforcement agencies in collecting and potentially accessing a wide range of data sources to facilitate police investigations. The authority to maintain their own identifying and DNA information databases implies that relevant data in third-party research databases could also be duplicated in these databases and used for purposes that are deemed necessary or desirable in the administration of justice. The decisions of the ECHR highlighted above emphasised the significance of considering other competing interests such as privacy protection, proper collection, use and maintenance of identifying and DNA information, and ensuring the legal and ethical use of these data by law enforcement agencies.
In achieving the aims of protecting public safety through efficient criminal investigations while safeguarding privacy interests and ensuring the sustainability of third-party research databases, access to third-party databases should be tiered for serious (registrable) and eligible offences. Tiered access means that law enforcement agencies can request access to third-party research/DNA databases for criminal investigations according to the categories of crimes outlined in RCAA. There are valid reasons for preferring this approach. The restrictions to serious crimes under the Covid-19 Act exemplified the necessity of using potentially sensitive personal information for the purpose of resolving serious crimes. While it could be argued that the Act was created for the purpose of contact tracing rather than criminal investigations, the gravity of serious crimes justifies access. Under the RCAA, registrable crimes are considered serious crimes, which are broader in scope compared to the seven types of crimes under the Covid-19 Act. Offences such as rioting, robbery and criminal intimidation are examples of serious (registrable) crimes. It is justifiable to collect DNA information and to allow access to third-party DNA databases owing to the gravity of the crimes. There should not be undue delay in serious crime investigations resulting from the need to request for consent from the participants of third-party databases. Time is of the essence in serious crimes due to risks to victims’ lives and the probability of suspects fleeing before they could be caught. Permitting access to third-party research databases for serious (registrable) crimes without requiring consent not only supports public interest protection, but it also goes further in resolving existing concerns with offering options for individuals to opt-out of permitting access to databases containing their genomic or DNA information, or obtaining informed consent, ultimately enabling law enforcement agencies to efficiently fulfil their roles. Advance notification is essential to support access. The lessons from the public responses in the TraceTogether incident suggest that prior notification of such access is preferable and more likely to be accepted by the Singapore public.
Permitting access to third-party DNA databases for eligible crimes similar to registrable crimes, however, may be subject to questions. Offences that fall within eligible crimes are punishable by jail and cannot be compounded, such as causing mischief, affray, or obstructing public servants from discharging their duties. These offences, under the new provisions, are subject to DNA collection and potential access. The amendments appeared to indicate that while these offences are not as grave compared to registrable crimes, they appeared to be treated as similar to registrable crimes. It is suggested that for eligible crimes, a court authorisation should be required before access is granted. This approach is justifiable for two reasons. First, it distinguishes the seriousness of registrable crimes from eligible crimes. This distinction is significant in reflecting the gravity of crimes in these two categories that permits immediate access to databases for serious (registrable) crimes. Second, it promotes the protection of public interest in protecting public safety and safeguards the administration of third-party databases from automatic access as these databases, unlike forensic databases, are not established for criminal investigations purposes.
This approach is consistent with international practices. For example, in stressing the importance of public interest vis-à-vis police access to new-born screening cards, the Australian Law Reform Commission and the Australian Health Ethics Committee advocated for compliance with legislative safeguards that require law enforcement agencies to collect DNA information via consent or court order. 88 Furthermore, some scholars have argued that a universal forensic DNA database is likely to disproportionately interfere with an individual’s right to respect for private life under EU laws, however, with appropriate safeguards there could be potential for its use. 89 The author rightly noted that ‘While a universal database will definitely assist the police and prosecutors in limiting the scope of their investigations, they should gather other supporting evidence if they want to’. 90
It is important to recognise the different purposes for which DNA databases are established. Even in cases where DNA databases are established for the purpose of forensic investigations, there is no consensus as to its acceptability of use. It would be unsurprising if there were more resistance to law enforcement agencies accessing third-party DNA databases that are built specifically for non-forensic investigations, such as clinical and research databases, direct-to-consumer DNA testing databases and genealogy ancestry tracing services. The recommendations for the destruction of DNA information of volunteers who assisted in investigations and the protection from self-incrimination when providing DNA information 91 are important considerations to adopt with the widening of police powers in accessing DNA databases. The recommendation provides an essential safeguard for volunteers who have donated their DNA information in limiting the use of their information to specific situations, such as identifying missing or deceased relatives and not for the purpose of investigating past crimes. Furthermore, it is right to support the idea that law enforcement agencies ‘should not have the legal right to access all types of DNA databases collected for other purposes’ 92 except in circumstances where there is reasonable suspicion of crimes being committed.
Tiered access is consistent with the basic safeguarding of privacy interests, balancing public interest based on the severity of the crimes and the necessity of facilitating criminal investigations that commensurate with the impact of registrable and eligible crimes on society. It reflects considerations of public interest in pursuing swift resolutions of criminal investigations and in protecting and maintaining the social licence in the continuity of research databases. The proposed tiered access for registrable and eligible crimes and minor offences is aimed at providing commensurate levels of safeguards to address concerns surrounding propriety of access in the event access requests are made by law enforcement agencies. The recommendations advocated in this paper bridge the gap left open by potential request access to third-party research databases that are not expressed or included in the law. It provides a clearer demarcation of the types of protective safeguards for different categories of crime. The following section considers the notion of public interest through protecting public safety and how tiering access to serious (registrable) and eligible crimes offers a justifiable boundary to the broadening of access powers.
Protecting public safety as a public interest with public support
Research databases containing DNA information has the potential to benefit the population from healthcare improvements perspectives. It could also be a useful source of information for maintaining population safety. There is an expectation of privacy for people who have donated their DNA data that their information would not be accessed by third parties except for the agreed purposes or with their permission, as shown by the GEDmatch incident, and Ancestry.com’s resistance to grant access to law enforcement agencies except with court orders. The two interests in protecting public safety and safeguarding individual privacy need not necessarily be in conflict. 93 As public interest appeals to the needs of the public, public opinion and values are crucial for conceptualisation of public interest. 94 This approach could generate public trust and support in the continuity of, and public participation in research. Similarly, public trust in and support for police powers could be strengthened or weakened in the light of how these powers are exercised.
The meaning of public interest is influenced by social and political arrangements and interpreted accordingly. 95 Examples include regulating genetically modified food and public health and safety in permitting the building of public infrastructure and utilities in preserved areas. Public interest in the context of granting consent waivers 96 considers the interests of affected individuals and groups with diverse values, commitments and circumstances, as well as their welfare, justice and human rights including privacy rights. 97 Public interest can sometimes be characterised by public benefit. For example, in data sharing practices, public benefit can be demonstrated through building a social licence. 98 In addition, the Public Sector (Governance) Act (PSGA) 2018, 99 Data Sharing Direction within PSGA, and the Government Instruction Manual (Data Sharing beyond the Public Sector) 100 provide some insights into how public benefit is determined in Singapore. However, the PSGA is limited to sharing data in the interest of the Singapore public sector, ranging from promoting Singaporean values, to securing business and economic continuity and ensuring accountable stewardship of Singapore’s public sector finances and resources. The Government Instruction Manual provides some examples of how public interest could be served through data sharing from a broad social, health benefit and safety perspective. 101 These perspectives are exemplified by financial assistance to individuals through workfare income supplement scheme, suppressing infectious diseases, law enforcement, criminal investigation or fraud detection and reviewing policies for emerging areas of concern and national security.
Public benefit is sufficiently broad to include protecting public safety through swift resolutions of criminal investigations. For example, Singapore’s Attorney-General’s Chambers definition of Compelling Public Interests outlines a range of interests that aims to protect public safety and national security. Examples range from conducting law enforcement, crime prevention, to criminal investigation, responding to life, health and safety emergencies and containing public health threats. 102 Public interest requires that benefits should have sufficient justification that they outweigh the risks. 103 Policies to reliably evaluate the public interest criterion should be designed to reflect procedural values such as reflexibility, transparency, reasonableness and accountability. 104 The range of public interests identified in the examples above are uncontroversial, however the boundaries in which law enforcement agencies can exercise their access powers can be more clearly specified.
A key advantage of tiered access is swifter acquisitions to key information contained in third-party DNA databases. Serious crimes often involve the deprivation of life and liberty, and threats to national security, which are within broadly accepted public interest goods. Police investigations should proceed without undue burdens of obtaining court order or individual consent in so far as third-party databases are concerned. It is plausible that more people are likely to support access for serious crimes investigations. 105 Serious crimes investigations often generate a collective social ‘agreement’ for swifter resolution of crimes and thus more likely to receive broad population support where access is sought. In this sense, societal commitment to justice is reflected by striving to ensure that serious crimes perpetrators are brought to justice swiftly. This is further supported by current understanding of public interest in Singapore identified in the examples above that are characterised by protecting public safety and deriving benefits from a safe and secure social environment. This approach similarly reflects important procedural values in public policy of reasonableness and accountability.
Another advantage of tiered access is ensuring compliance of access powers that occur within the social licence granted to the administration of justice. The RCAA enables police officers and law enforcement agencies to update their own database when accessing other research databases. This means that there could be a ‘waiting list’ of potential ‘suspects’ comprising relatives who may not even have consented to their use, threatening their interests to be protected from harm. However, where access is tiered for serious (registrable) and eligible crimes investigations, the concern raised above could be minimised. Furthermore, a wide range of complementary investigative tools, such as surveillance cameras in public areas, mobile phone connections and island-wide citizen reporting channels in a highly wired society such as Singapore indicated the availability of other investigative sources. Consequently, requests for access to third-party databases for non-serious crimes could be justifiable where these available resources are exhausted and information in the databases could assist with generating leads. However, current practice requiring court declarations is already the default and taking away this power would require considerable debate.
Furthermore, requiring consent from participants to allow access by police for criminal investigations in third-party databases may not always be feasible. While informed consent is an important first step in alerting potential participants to the possibility of third-party access to their information in addition to the specified purpose (e.g.: familial tracing or clinical research), it may not necessarily be adequate in some circumstances. This arose from the nature of obtaining consent through ‘click-and-accept’ mode in these types of databases, where people do not usually read or comprehend the use policies. Public criticism arising from access being provided to law enforcement agencies by commercial third-party DNA databases, such as FamilyTreeDNA and GEDmatch, have forced these companies to revise their privacy policies to restrict access through customer choice. Despite these measures, law enforcement agencies continue to request access to these databases for their investigations.
Other viable population-type databases, such as the UK Biobank and the 100,000 Genomes Project, could face similar outcomes if access limits are not imposed. In addition, the GEDmatch drawbacks highlighted above, where customers opted out of permitting access to police when given the option to do so could have originated from the reluctance to provide DNA information for all types of criminal investigations. That said, it is unknown if such reluctance would decrease where access is only granted for serious crimes, though given public support for access to databases for serious crimes, this might be the case. Nonetheless, given continued interest in accessing third-party databases, it would be more useful to permit access to serious (registrable) crimes, while for non-serious crimes, access requests should be determined either on a case-by-case basis or subject to court orders. Court orders may be the strongest safeguard available to the participants of third-party databases as law enforcement agencies are required to apply to the courts with justifications as to the reasons for accessing these databases for non-serious (minor) crimes. This approach is preferable to pre-empt blanket access by law enforcement agencies and to reassure participants that their DNA information are primarily used for the purposes for which these databases are established. 106 An alternative for access request for non-serious crimes investigations is to come to an arrangement with law enforcement agencies outlining the exact purpose and scope of access, instead of relying on existing, standard clauses on informed consent, which are often broadly worded. This approach could eliminate any potential ‘fishing’ expedition by law enforcement agencies for any criminal proceedings or investigations.
Justifiable incursion into privacy interests
When police officers collected a DNA sample from a crime scene and want to access genome sequencing data from research databases to identify a possible match, the match itself would not necessarily be problematic. However, it may lead to identifying relatives that have contributed to the database with similar genetic markers. Almost all privacy legislation (including the GDPR) provides for access to personal data connected with criminal offences. However, Article 10 of the GDPR also requires appropriate safeguards when processing this data. 107 This layer of protection is likely to prompt support for access within acceptable boundaries that are not unduly intrusive. Consequently, the public would be more likely to be supportive of data sharing to respond to crime and security where appropriate safeguards are in place.
Commercial DNA testing databases are viewed as desirable options for law enforcement agencies due to richer information being available from customers who provided their personal information compared to existing information that are available from police or forensic databases such as CODIS. 108 The identification of relatives leads to another concern, where, if police were to access these research databases, stigmatisation could occur. 109 This possibility could not be ruled out because associations with law enforcement agencies usually entail provision of information which could be intrusive in nature and sometimes embarrassing, with the potential to implicate family members or other relatives. This type of familial searching creates opportunities to identify more members of families who share genetic relationships, implicating their involvement with law enforcement investigations and contravening the original purpose for which their DNA information is collected initially. While some types of involvement are necessary, such as police interviewing family members about a suspect’s whereabouts as part of legitimate police investigations, the potential for stigmatisation for family members arises by associated genetic relationships. The grounds for removing any identifying or DNA information from the database under the RCAA, except for requests from volunteers, present further complexities for affected individuals to eradicate that perception, given that the Registrar has the power ultimately to decide if that information could be removed or otherwise. An advantage of a tiered access approach for serious (registrable) and eligible crimes and minor offences is protecting individual privacy to their DNA information in the least intrusive manner. It is postulated that people will be more likely to accept these incursions into their privacy interests owing to the gravity of serious crimes. This would result in less privacy incursion compared to broad access for non-serious crimes investigations. In addition, the proposal for court authorisations where access is sought for eligible crimes demonstrates the state’s commitment to respecting individuals’ informational privacy for information contained in third-party databases.
A further implication is retention of DNA and identifying information on the respective registers and databases which gives rise to questions about the extent of privacy intrusion for affected individuals. The RCAA does not specify any storage period in which stored data could be removed. The only option is for affected individuals to request for its removal. This may create a situation where data stored could be used, or accessed multiple times by law enforcement agencies as the need arises. However, where access is tiered, it would be useful to quickly identify the profiles of repeat offenders while reducing the chances of implicating individuals whose profiles are on the database for non-serious crimes. This is because the latter’s profile could only be accessed under court orders as proposed above.
Finally, data security and cyber security vulnerabilities are important aspects in protecting individual privacy for DNA data stored in electronic systems. The retention of DNA and other personally identifying information in police and forensic databases risks security breaches if no appropriate infrastructure is implemented. Any unauthorised access to these databases risks compromising not only the integrity of the information but could harm profiled individuals and their relatives through disclosures of highly personal information and misuse of their identities. RCAA provides some safeguards in this aspect. It amended Section 49 of its principal law to provide for further rules to be made regarding implementation of security safeguards to protect the information contained in the registers, identification database or DNA database, and any computer system that are used to maintain these records. 110 This statutory protection is aimed at safeguarding data loss, alteration, destruction, and any unauthorised access, disclosure or copying. The Registration of Criminals (DNA Database, Identification Database and Register) Rules 2023 which came into force on 12 June 2023 outlined broad safeguards for DNA, identification and register databases. 111 Safeguards include ensuring storage and maintenance of separate back-up databases, surveillance of premises hosting databases through CCTVs, implementation of protocols protecting information in the databases from loss, modifications, destructions or unauthorised access supported by periodic reviews, ensuring that changes to the databases are recorded and secured against intrusion and that databases are inaccessible from the Internet. 112
An option to address concerns with data security and privacy intrusion arising from vulnerabilities of cyber security for DNA data stored in electronic systems is establishing clear responsibilities at the outset. Those responsible for administering research databases have assumed the duty to protect the safety and security of the data. If they are to facilitate any access arrangements for law enforcement agencies for non-serious crimes, it is important to clarify the scope of access, including specifying a limited number of authorised persons who could access these data. The provision of privacy assurances as a fundamental criterion for all types of crimes, such as prescribed limits to the scope of access and limits to the number of authorised persons who could access this information and databases demonstrates accountability in using these databases for justifiable but limited purposes. This could be done at the initial stage of establishing the databases in anticipation of potential access, and with advance notification to the users when they signed up as participants. This approach is likely to offer privacy assurances to participants that safeguards are established in protecting their data. For instance, central coordinating authorities could anticipate and build in clear access-and-use agreements for non-serious crimes. In the alternative, they could be empowered to negotiate the terms of access, such as requiring court orders prior to access or giving advance notice to participants. It is similarly crucial to ensure how data access is being conducted where third-party databases are owned or administered by government agencies, as different data management systems apply. For example, in Singapore, data management is governed under a separate legal framework while commercial entities are governed under the PDPA. Intermediary bodies that permit access to law enforcement agencies should be considered if any access agreements apply. As data protection standards may vary according to different entities, the proposed safeguards become more essential than ever.
Criteria and circumstances of access
Third-party research or commercial databases have been used for criminal investigations, particularly in serious crimes where other investigation leads have failed to provide clues or proved to be insufficient. The complete DNA profiles from these databases were sought after to confirm or disprove the suspects’ involvement. Similarly, the information in these databases could be potentially accessed and used more broadly. This article does not object to all access requests by law enforcement agencies; rather it advocates for a balanced approach in accommodating the competing interests outlined above. The proposed tiered access considers the experiences from the Singapore public responses to the use of TraceTogether information by the police force and current research on the use of DNA information across international practices for criminal investigations.
RCAA has clarified the different levels of crimes and broadened the possibility of data collection from individuals by law enforcement agencies. The classification of registrable, eligible and non-serious (minor) crimes is helpful in determining the criteria and circumstances in which non-forensic databases such as research databases containing DNA information could be accessed by law enforcement agencies for criminal investigations. The article has so far outlined justifications for tiered access for serious (registrable), eligible crimes and minor offences to aid the courts in decision-making for eligible and non-serious crimes. These recommendations are underpinned by the recognition of protecting public safety in the public interest, safeguarding privacy interests and enabling the sustainable functioning of third-party research databases that are valuable to clinical research and socially beneficial for familial tracing purposes.
In view of the gravity of serious (registrable) crimes, the law could go further in enabling law enforcement agencies to access potential leads in their investigations, with fundamental privacy assurances in place. This could be achieved by permitting access sans consent for serious (registrable) crimes, and access with court orders for eligible and non-serious crimes (minor offences). An alternative that could be considered is to permit the brokerage of access agreements between law enforcement agencies and third-party databases. Prior public consultation for such access agreements however is essential to gauge public acceptance of this option. For serious (registrable) crimes (i.e. crimes that involve offences against the person or property and where commission of such offences entail criminal records), access to DNA databases, including research databases can be permitted automatically to facilitate swifter investigations by law enforcement agencies from multiple sources to identify the perpetrators. Although this may appear to be unrestricted access, it is not the case as only a court authorisation is dispensed with for requests to access third-party research databases for serious (registrable) crimes. Basic privacy safeguards apply and supported by advance notification to users. Law enforcement agencies are required to demonstrate that access to such databases is limited in scope as opposed to a ‘fishing expedition’ and only limited, designated individuals could access this information and databases. Advance notification of access could be a feasible compromise as it coheres with the need for greater transparency following the TraceTogether experience.
Eligible crimes are non-registrable crimes under RCAA. Examples of such crimes are stalking, making obscene films, or drink driving. Although the offences under this category do not entail criminal records, the commission of such offences is punishable by jail and not compoundable (except for specific compoundable offences). Eligible crimes are considered less serious than registrable (serious) crimes, and therefore should require court authorisation to access research databases containing DNA information. For access requests under this category, an example of a potential circumstance that could permit law enforcement agencies to access research databases is where there are multiple potential suspects and confirmation is needed to eliminate other suspects.
For non-serious crimes or minor offences, no data are collected under RCAA and any request to access non-forensic or third-party research databases should require court authorisation. Law enforcement agencies are required to demonstrate the necessity of accessing these databases, for instance in circumstances where there are no investigative leads at all or where any remaining complementary investigative tools have been exhausted and the information in the database could reasonably generate potential leads. Other potential circumstances include reasonable suspicion of the offender’s potential links to any registrable or eligible crimes that merit further investigation to confirm or eliminate the possibility. Ultimately, access to research databases containing DNA information for the purpose of investigating non-serious crimes should be assessed on a case-by-case basis and supported by court authorisations.
There is also the issue of what the public should be told regarding the differentiated levels of police access. This issue is paradoxically, the more widely this is publicised and known, the less likely it is to be effective. However, respect for citizens requires that the people know how the State operates, and the rules, whatever they are, should be publicised. It should also, ideally, be a requirement of informed consent that participants are informed of these implications of providing DNA. One objection to access to genomic data from health research by legal authorities is that it will reduce participation in valuable research. While such an objection could be raised, they should also be informed that any blood, tissue or other bodily samples used in medicine or clinical purposes can be used for the same purpose. Similarly, the same problem exists for access to genomic and non-genomic biological samples generated during newborn screening. Inevitably, values must be weighed. If the public interest in genomic research (or newborn screening) is greater than the interest in investigation of crime using genomic instruments, perhaps Courts, police and legal authorities ought to be barred from accessing such samples or databases. This is a topic for future discussion.
Conclusion
DNA databases, including forensic and third-party databases have increasingly been recognised as essential in criminal investigations. However, a combination of probabilities arising from different circumstances, criteria and standards of match affect the integrity of DNA samples. The way in which DNA samples are collected, transported, stored, and analysed by third-party DNA databases affect the value of the samples, and raise questions about their authenticity, both from the scientific and legal admissibility aspects. Forensic laboratories have varying standards in sample analysis, resulting in different outcomes that might be subject to doubts. These drawbacks in the process of obtaining and processing DNA samples are liable to disputes in court proceedings and may be limited in public benefits. Despite these limitations, they could be supportive tools to advance criminal investigations.
International norms emphasise the importance of informed consent, clear policies, and regulatory frameworks to address privacy concerns and foster public trust. The reference to the TraceTogether incident suggests that Singaporeans may be particularly concerned about how their personal data are used by authorities and appeared to prefer prior notification of use. As compared to international norms, Singapore could be viewed as slightly diverging from prevailing public expectations and international standards on transparency and individual control over personal data. A consideration of the scope of public interest in granting law enforcement agencies access to databases for criminal investigations is important especially to people who have contributed and will donate their personal data, including genetic information to a range of third-party databases. It is thus essential to safeguard against potential risks arising from greater access powers that could potentially undermine the long-term sustainability of research databases, especially those that are established for health improvement and scientific developments. As rightly noted by the Victorian Privacy Commissioner in its supplementary report to the Victoria Newborn Screening Review Committee, continued public support in the new-born screening programme is essential and that police access should be supported by court order rather than access without notice. Similar conclusions were reached by the New Zealand Law Commission with reference to New Zealand’s DNA database.
This article has demonstrated the importance of permitting police access to third-party databases following a tiered approach based on considerations of public interest and enhancing legal safeguards via court orders for access request for eligible and non-serious (minor) crimes. Consequently, access may be granted provided there is a clear justification to do so, with adherence to fundamental privacy safeguards across all levels of access, including limitations regarding who could access their information, the purpose for which such access is granted and the implications to them. In summary, in recognition of the time-sensitive nature of apprehending potential suspects and acknowledging the grave implications of such crimes to victims and their families, access to third-party research databases for serious (registrable) crimes is granted automatically with prior notification to users. A court authorisation should be required before access is granted for investigations involving eligible crimes, while for non-serious (minor) crimes, a court authorisation is required for each access request. The circumstances where such access can be permitted would be assessed by the judge who has the authority to grant requests for access. All request for access to third-party research databases for serious (registrable) crimes, eligible crimes and non-serious (minor) crimes are required to comply with minimum standards of privacy assurances. The presence of this limitation provides a safeguard in terms of accountability in using non-forensic databases for criminal investigations. This approach is likely to cohere with the social sentiments and contexts of Singapore with regard to prior experience concerning the handling of TraceTogether data. Finally, a tiered access approach could pre-empt challenges arising from the different purposes for which forensic and third-party research databases are established – the latter primarily created to improve health outcomes, deliver tailored healthcare services and ancestry or familial tracing services. Clear rules that safeguard people’s interest are essential to avoid undermining the valuable purpose for which DNA databases are created originally.
Footnotes
Acknowledgements
The authors are grateful to James Scheibner for comments to the earlier drafts of the manuscript and to the anonymous reviewers for their feedback to the manuscript.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research is supported by the National Research Foundation, Singapore under its Campus for Research Excellence and Technological Enterprise (CREATE) programme.
