Forensic databases in Poland. Legal issues related to right to the protection of personal data and right to privacy

About 300 thousand of tenprint cards were uploaded to the database annually until 2006 (Figure 4). Nevertheless, article 20 of the Police Act, which was legal basis for processing data by the Police, was recognized by the Constitutional Tribunal as inconsistent with article 51 item 2 in connection with article 31 item 3 of the Constitution of Poland, because conditions of collection of information from suspects and type of information for processing were not specified properly [17]. The judgment forced changes in the law and article 20 item 2c was introduced to the Police Act. Thus, collection of the information, including the personal data of suspects, was prohibited if they were not useful for detection, identification, obtaining evidence in the conducted proceedings. This leaded to enormous reduction of annual submissions of reference fingerprints in 2008 and next years (Fig. 4), because law enforcements were allowed to collect tenprint cards from suspects only if latent prints were recovered during crime scene investigation in case related to the suspect.

Fig. 4 Number of annual submissions and deletions of reference fingerprint from 2004 to 2017 (source of data: [15])

The barrier in collecting tenprint cards from suspects was removed through implementation of Directive (EU) 2016/680 [7] by act of 14^th December 2018 on the protection of personal data processed in connection with the prevention and combating of crime. Presently the collecting of information, including personal or biometric data, is prohibited if the data will be not useful for detection, identification or to obtain the evidence (in accordance with article 20 item 2c of the Police Act). It means that collecting of reference fingerprints is allowed if they potentially can be used for detection, identification or obtaining the evidence. The amendment should increase submissions of tenprint cards to the database from 2019.

Number of cold hits, defined as a match between known person of offender (tenprint card) and fingerprint recovered from crime scene, from 2002 to 2007 and from 2014 to 2017 in the Polish fingerprint databases are presented in Figure 5. About three thousands of matches are provided annually in last years. It is clearly visible that the number of cold hits were reduced about 2000 hits annually after 2007 (Fig. 5), which is connected with lower amount of tenprint cards submitted to the database (Fig. 4). It confirms that database's performance in terms of person-trace matches is not always linked directly to size of the database. Crucial issue is permanent updating the database by tenprint cards collected from suspects.

Fig. 5 Annual number of hits (matches) in fingerprint databases from 2002-2017 (source of data: [18])

Moreover, by comparing the performance with the proportion of the population included in databases it can be concluded that fingerprint database is less effective than the DNA database.

Legal and ethical constrains of the processing of genetic and biometric data.

The DNA is very suitable for identification of offenders, but also it is huge resource of information about appearance, personality, health and origin (ethnic and genealogy) of the person and his relatives. Risks with the expansion of DNA databases were highlighted some years ago, especially in scientific papers from US and UK [3-5, 19], due to fast and large increase in the number of reference profiles in the DNA database. The current progress in using familial searching and phenotyping as an investigative tool and development of medical databases or biometric databases of foreigners caused that the following issues are more pronounced:

- obtaining and retaining DNA profiles and samples from innocent persons without having their consent;

- selective sampling of the population, that is ethnic biases in the DNA database [20];

- violation of the privacy and stigmatisation of close relatives (i.a. parents, siblings, children) of person who is in the database through searching potential suspects by partial matches of DNA profiles (familial searching);

- the risk of using the DNA database contrary to its intended purpose by law enforcements, that is beyond the investigation and detection of crime and identification of perpetrators;

- the individual's lack of control over storage, processing and using information from DNA analysis, because there is a risk that the access will be transmitted to public officials other than law enforcement or even to private sector (e.g. medical or pharmaceutical companies, insurance companies, employers, scientific institutions);

- the personal data are easily shared which allows for integration of the DNA database with biometric systems or medical records; Such large-scale genetic database can be used for surveillance of citizens;

- function creep, that is gradually widening of purposes for which DNA profiles and samples were collected and processed due to the technological innovation; In future biological samples stored in the database can be a source of more detailed information about person and his behaviour, for example for searching patterns of criminal, violent or “antisocial” behaviour (behavioural genetics). The gathered information can be potentially used for imposing legal restrictions or more intense activities (for example for an introduction of a curator, police surveillance, eviction from the home or arrest) in relation to persons with “bad” genes, especially for preventing home abuse.

The processing of fingerprints in databases is not so doubtful, because they provide only information about a person identity. This assumption is only partly true, because some general correlations were revealed between structure of fingerprints (type of print and minutiae) and job, gender and some morphological features (height, structure of the body and colour of eye, hair and skin) [22, pp. 162181]. Additionally some regularities were observed for ancestry [22, pp. 271-280] and selected pathologies [23, 24]. Nevertheless, research on using fingerprints beyond identification of persons was performed before implementation of DNA analysis in forensics and presently such approach is not applied in the practice.

Taking into account the mentioned concerns with expansion of DNA database it can be stated that precise regulations about processing of the personal data and maintenance of the database are necessary to ensure the balance between benefits for criminal justice systems and rights of the society. The legislator should specify at least the following issues:

- public bodies authorized and responsible for processing of the data;

- type of collected and processed data (samples or only profiles);

- purposes of collecting and processing of the data;

- categories of subjects, whose the data can be processed;

- retention time of processing of the data.

The European Convention of Human Rights statutes in article 8 that everyone has the right to respect for his private and family life, his home and his correspondence. Some interferences in the right to privacy by a public authority can be exceptionally introduces in the law if they are necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

More requirements for proper legislation about processing the personal and genetic data are given in Directive (EU) 2016/680 [7]. According to article 4 item 1 of the Directive the personal data should be:

a) processed lawfully and fairly;

b) collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;

c) adequate, relevant and not excessive in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

As stated above, the Directive was implemented in Poland through Act of 14^th December 2018 on the protection of personal data processed in connection with the prevention and combating of crime. The Act altered provisions in the Police Act for collecting samples and processing the personal data in the DNA database and fingerprints databases. Generally provisions can be rated as mostly sufficient, especially in comparison to former legal state. The Commander-in-Chief of the Police is controller (administrator) of the DNA database and fingerprint databases (articles 21a and 21h of the Police Act). Police units, other forces and public authorities, which delivered the personal data to the database, are obliged to assess purpose of processing of the data and indicate if they should be deleted as redundant (article 21e and 21e of the Police Act). The assessment should be perform at least every ten years from taking, obtaining, collecting or updating the data. Type of personal data and samples (tenprint and palm-print cards, specified biological samples) were given in articles 21a and 21h of the Police Act. Similarly, the purposes of collecting and processing of the data in specified databases were stated (articles 21d and 21k of the Police Act).

The most debatable issues for preserving the right to privacy and the right to protection of personal data are categories of subjects and retention time of processing of the data. As summarized in Tables 2 and 3, categories of subjects whose the personal data and samples can be included and processed in the database were specified in article 21a item 2 and article 21h item 2 of the Police Act. The direction of the development of databases in Poland can be assessed properly, because provisions allow to establish the elimination databases and searching the missing person or identifying corpse through DNA profiles of other persons (with consent of the person).

Nevertheless, analysis of the provisions of retention time for some categories of subjects clearly shows that some of them are not agreed with the Directive (EU) 2016/680 [7]. It was stated in the Act that the personal data and samples will be processed for various of categories of subjects, i.a. for suspects, accused and convicted persons for offenses publicly prosecuted (Tables 2 and 3), until they are 100 years old. It should be underlined that similar retention times were specified for juveniles whose acts which were prohibited as offenses publicly prosecuted. This means that processing of the data for such persons will be permanent.

Another issue is a general provision for removing the personal data and fingerprints from databases. According to article 21l item 4 of the Police Act the data is removed after obtaining „reliable information”. However it is not specified in the law what kind of information should be assessed as “reliable” to stop processing of the data. Thus too much freedom was left for law enforcements in taking the decision about erasure the data.

Therefore, the retention time is not appropriately established in the view of article 5 of the Directive (EU) 2016/680 [7] and violated the right to privacy. There is no reason for collecting and processing biometric and genetic data for whole life of the person. It could be possibly justified exceptionally for perpetrators of violent crimes against life or health or sex offenders. For other perpetrators retention time should be strictly correlated with type of the offence and the personal data should be deleted from the database after expunction of the sentence.

Conclusions

Various forensic databases were established in Poland which are necessary for law enforcements in daily-routine practice. Analysis of number of individuals included in the DNA database showed that it is still small, but volume of the database has doubled from 2015. The fingerprint databases in Poland are relatively large, but number of cold hits were reduced in recent years due to limited collecting of tenprint cards from suspects. It clearly shows that the performance of database is connected with its size, but also with permanent uploading crime scene stains and reference profiles from persons, whose could be really connected to the crime.

General Data Protection Regulation and the Directive (EU) 2016/680 implied changes in national law and policy in processing the genetic and biometric data by law enforcements. Provisions in the Police Act can be generally assessed as suitable, especially in comparison to former legal state. Different categories of data subject and retention time of personal data were specified. Nevertheless, some regulations about retention time of the data are not agreed with the right to privacy and right to the protection of personal data, because processing of the data collected from several categories of subjects will be permanent.

Посилання

1. Santos F., Machado H., Silva S. Forensic DNA databases in European countries: is size linked to performance? Life Science, Society and Policy. 2013, vol. 9, article 12.

2. Lapointe M., Rogic A., Bourgoin S., Jolicoeur C., Seguin D. Leading-edge forensic DNA analyses and the necessity of including crime scene investigators, police officers and technicians in a DNA elimination database. Forensic Science International: Genetics. Elsevier, 2015, vol. 19, P. 50-55.

3. Wallace H. The UK National DNA Database: Balancing crime detection, human rights and privacy. EMBO Reports, European Molecular Biology Organization, 2006, vol. 7, P.26-30.

4. Roman-Santos C. Concerns associated with expanding DNA databases. Hastings Science & Technology Law Journal. University of California Hastings College of the Law, 2010, vol. 2, P. 267-299.

5. Levitt M. Forensic databases: benefits and ethical and social costs. British Medical Bulletin. Oxford University Press, 2007, vol. 83, P. 235-248.

6. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union from 4th May 2016, no. L119, P. 1-88.

7. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA,

References

1. Santos, F., Machado, H., Silva, S. (2013). Forensic DNA databases in European countries: is size linked to performance? Life Science, Society and Policy. vol. 9, article 12. (in English).

2. Lapointe, M., Rogic, A., Bourgoin, S., Jolicoeur, C., Seguin, D. (2015). Leading- edge forensic DNA analyses and the necessity of including crime scene investigators, police officers and technicians in a DNA elimination database. Forensic Science International: Genetics. Elsevier, vol. 19, P. 50-55. (in English).

3. Wallace, H. (2006). The UK National DNA Database: Balancing crime detection, human rights and privacy. EMBO Reports, European Molecular Biology Organization, vol. 7, P.26-30. (in English).

4. Roman-Santos, C. (2010). Concerns associated with expanding DNA databases. Hastings Science & Technology Law Journal. University of California Hastings College of the Law, vol. 2, P. 267-299. (in English).

5. Levitt, M. (2007). Forensic databases: benefits and ethical and social costs. British Medical Bulletin. Oxford University Press, vol. 83, P. 235-248. (in English).

6. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union from 4th May 2016, no. L119, P. 1-88. (in English).

7. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Official Journal of the European Union from 4^th May 2016, no. L119, P. 89-131.

8. ENFSI DNA Working Group DNA database management. Review and recommendations, 2016. https://enfsi.eu/wp- content/uploads/2016/09/final_version_enfsi_ 2016_document_on_dna- database_management_0.pdf

9. Interpol. Global DNA Profiling Survey Results 2019, https://www.interpol.int/content/download/154 69/file/INTERPOL%20Global%20DNA%20Profiling%20Survey%20Results%202019.pdf

10. Home Office. National DNA Database statistics, 2020. https://www.gov.uk/govern- ment/statistics/national-dna-database- statistics

11. Jurga A., Mondzelewski J. Functioning of DNA Database in Poland. Issues in Forensic Sciences. Central Forensic Laboratory of the Polish Police, 2017, vol. 297 (3), P. 59-65.

12. Act of 27^th July 2001 amending the Act on the Police, the Act on the Insurance Activity, the Banking Law Act, the Act on County SelfGovernment and the Act about regulations introducing the acts reforming public administration. Journal of Laws of 2001, No. 100, item 1084. (in Polish).

13. Central Forensic Laboratory of the Polish Police. Statistical data about the DNA database, 2021 https://clkp.policja.pl/clk/baza- danych-dna/dane-statystyczne (in Polish).

14. Krzeminska B. AFIS system in the Polish Police - yesterday, today, tomorrow. Issues of Forensic Sciences. Central Forensic Laboratory of the Polish Police, 2018, vol 300 (2), pp. 76-86.

15. Central Forensic Laboratory of the Polish Police. Statistical data about the AFIS database, 2021. https://clkp.policja.pl/clk/ zbiory-danych-d/dane-statystycz/163191, Liczba-kart-w-zbiorze-danych-Framework Decision 2008/977/JHA, Official Journal of the European Union from 4^th May 2016, no. L119, P. 89-131. (in English).

16. ENFSI DNA Working Group (2016). DNA database management. Review and recommendations. Retrieved from: https://enfsi.eu/wp- content/uploads/2016/09/final_version_enfs i_2016_document_on_dna- database_management_0.pdf (in English).

17. Interpol (2019). Global DNA Profiling Survey Results 2019, Retrieved from:https://www.interpol.int/content/downlo ad/15469/file/INTERPOL%20Global%20DN A%20Profiling%20Survey%20Results%202 019.pdf (in English). Home Office (2020). National DNA Database statistics. Retrieved from:https://www.gov.uk/government/statisti cs/national-dna-database-statistics (in English).

18. Jurga, A., Mondzelewski, J. (2017). Functioning of DNA Database in Poland. Issues in Forensic Sciences. Central Forensic Laboratory of the Polish Police, vol. 297 (3), P. 59-65. (in English).

19. Act of 27^th July 2001 amending the Act on the Police, the Act on the Insurance Activity, the Banking Law Act, the Act on County Self-Government and the Act about regulations introducing the acts reforming public administration. Journal of Laws of 2001, No. 100, item 1084. (in Polish).

20. Central Forensic Laboratory of the Polish Police (2021). Statistical data about the DNA database. Retrieved from: https://clkp.policja.pl/clk/baza-danych- dna/dane-statystyczne (in Polish).

21. Krzeminska, B. AFIS system in the Polish Police - yesterday, today, tomorrow (2018). Issues of Forensic Sciences. Central Forensic Laboratory of the Polish Police, vol 300 (2), P. 76-86. (in English).

22. Central Forensic Laboratory of the Polish Police. (2021). Statistical data about the AFIS database. Retrieved from: https://clkp.policja.pl/clk/zbiory-danych-d/ dane-statystycz/163191,Liczba-kart-w- daktyloskopijnych.html (in Polish).

23. National DNA Database Strategy Board. Biennial Report 2018-2020. https://assets.publishing.service.gov.uk/gover nment/uploads/system/uploads/attachment_d ata/file/913011/NDNAD_Strategy_Board_AR_2018-2020_Web_Accessible.pdf

24. Judgement of the Constitutional Tribunal of 12 December 2005, reference number K 32/04.

25. Central Forensic Laboratory of the Polish Police. Statistical data about hits in the AFIS database, 2021. https://clkp.policja.pl/clk/zbiory-danych- d/dane-statystycz/163193,Liczba-dopasowan- HIT.html

26. Human Genetics Commission. Nothing to hide, nothing to fear? Balancing individual rights and the public interest in the governance and use of the National DNA Database. 2009. http://www.statewatch.org/news/2009/nov/uk- dna-human-genetics-commission.pdf