Don't delay: Delete your DNA today

What to do now


Now that a European Court has decided that the retention of the DNA of innocent people is illegal - what should you do now?

Earlier this month, 17 judges on the Grand Chambers of the European Court of Human Rights (ECHR) ruled unanimously that the UK is in violation of the right to respect for private and family life (Article 8) by retaining the fingerprints, DNA samples and profiles of Messrs S and Marper. Mr S was arrested at the age of 11 and charged with attempted robbery. Mr Michael Marper was arrested and charged with harassment of his partner. Both were arrested in 2001, and both had their fingerprints and DNA samples taken. Later that same year Mr S was acquitted and the case of Mr Marper was formally discontinued, as he and his partner had become reconciled and the charge was not pressed.

The court found

that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society.

Let's look at the consequences of this ruling. What you can you do - as soon as you've finished reading this article - and what is the likely impact on legislation and policies?

Don't delay - delete your DNA today

The ruling clearly affects the retention by England, Wales and Northern Ireland police forces of fingerprints and DNA samples, and derived DNA profiles of both those who have been acquitted and those for which a decision of no further action (NFA) was taken. If you are among the estimated 573,639 to 857,366 innocents whose DNA profile is on the National DNA Database (NDNAD), you should act now. Don't wait until the time the police will have to weed out these records and samples.

Writing to the chief of police

The first step is to write to the chief of police of the force that arrested you. This may seem obvious, but several responses to freedom of information (FOI) requests we sent out as part of the research for this article, before the outcome of the S and Marper UK case was known, reveal that few individuals have gone to the trouble of asking.

At one extreme, the Warwickshire Police force has not received any requests in the last three years even though they contributed 12,263 DNA profiles to the NDNAD in the same period. At the other end of the scale, the Metropolitan Police, which in the past three years has contributed 85,305 DNA profiles, close to a fifth of the DNA profiles added by all English and Welsh forces to the NDNAD, received only 23, 64 and 110 requests for the removal of DNA profiles from the NDNAD, and granted 11, 18 and 21 of these respectively for 2006, 2007 and 2008 (up to the end of November).

Even though the West Midlands Police has in recent years arrested for recorded crimes about a third the number the Met has, it has received a similar number of requests for removal: 58, 49 and 83, and granted 25, 7 and 28 of these respectively for 2006, 2007 and 2008 (to November 21). For forces with fewer arrests such as the Cheshire, Durham or Gwent Constabularies, you can count the number of requests granted, since recording them started, on one hand. Police guidelines (the Retention Guidelines for Nominal Records on the Police National Computer) ensured that received requests to get off the NDNAD were granted only exceptionally. As a consequence of the ruling, the exceptional will have to become the norm.

Several forces do not keep a tally of the requests they receive. For example, the Northamptonshire Police responded to our request for details: "There is no single database holding the information requested. Some information may be held on individual custody records but manual examination would take the request over the cost limit and any results would not be conclusive in any case." One force, the Derbyshire Constabulary decided "As a result of your request [I] have asked the staff who deal with exceptional cases to consider making a record of requests and decisions."

Dr Helen Wallace, Director of GeneWatch UK, a not-for-profit organisation that monitors developments in genetic technologies from a public interest perspective, which provided expert evidence on behalf of Messrs S and Marper to the ECHR, commented on the ruling: "[This] landmark decision vindicates all those innocent people who have struggled to get their DNA destroyed. It means that there must be strict new rules to limit DNA retention and prevent misuse."

How to write a formal request

Having decided to write to request destruction of your fingerprints and DNA samples, deletion of your DNA profile and deletion or updating of any other database records linking to this information, the next step is to figure out what you should write. You need to include enough information so the police can identify you, the circumstances in which you were arrested (and your fingerprints and DNA samples were taken), details of the NFA decision or of your acquittal, and the reason you are requesting your records to be deleted and your samples to be destroyed.

This initial letter doesn't have to be long but it must be precise otherwise the police won't be able to deal with it. In its FOI response, the Cheshire Constabulary explained that it "receives numerous 'requests' for the removal of DNA, [t]he majority of which could not be considered formal request as when asked why we should consider their request, they simply do not respond or they actually mean something different. We would seek to clarify requests to establish the identity of the requestor and the reasons why they are requesting removal of data. This is well before we can actually consider the merits of a request and whether or not it fits the requirements of the Exceptional Cases procedure."

GeneWatch suggests this as a reason to "[a]sk for them to remove your records and destroy your DNA in the light of the judgment of the European Court of Human Rights". You may want to send a copy of the letter to your MP and a copy of any reply to GeneWatch (and let us know how it goes as well).

Another suggestion is that you may also want to argue for the police to remove your records and destroy your DNA samples in "other cases (e.g. cautions, final warnings, spent minor convictions)". Although the ECHR decision only covers people who have not been convicted, it makes clear that an interference with personal informational privacy such as the retention and use of profiles and samples must be indispensable and proportionate with the legitimate aim of the criminal justice system (i.e., the seriousness of the offence).

The Court cannot, however, disregard the fact that, notwithstanding the advantages provided by comprehensive extension of the DNA database, other Contracting States have chosen to set limits on the retention and use of such data with a view to achieving a proper balance with the competing interests of preserving respect for private life... The Court considers that any State claiming a pioneer role [as the UK is] in the development of new technologies bears special responsibility for striking the right balance in this regard.

If you're in a situation where you find this balance has not been achieved, for example the indefinite retention for children given reprimands, then you may also benefit from this ruling.

Taking into account the ECHR ruling, the police are now likely to accept all legitimate requests as they would be in a very weak position if an innocent person were to seek a judicial review in case of refusal. Due to the small number of requests granted prior to the ruling, the actual deletions from the NDNAD and the Police National Computer (PNC) and destruction of samples is a very ad-hoc process. The Met promised a process last year and eventually did publish one (pdf), but it was not worth the wait.

Here's the process they go through: "If the decision to delete has been made, the Exceptional Cases Unit will contact the respective departments and agencies to ensure that the DNA, fingerprints and PNC records are deleted/destroyed accordingly."

The National Police Improvement Agency (NPIA) realises that "following the judgement last week in the S & Marper case heard at the European Court of Human Rights the DNA sample retention and destruction requirements are being reviewed." At least, once a DNA profile has been deleted from the database, it would appear that these transactions are propagated to all backups in short time:

The NDNAD has both a regular internal and a regular off-site back-up procedure. All transactions carried out on the NDNAD are backed up each working day. The deletion of profiles from the NDNAD would be treated the same as any other NDNAD transaction within this back-up procedure. Any record of a DNA profile will also be removed from all back-up media within 10 days of its deletion from NDNAD.

Until a comprehensive process is published giving stronger confidence in the deletion process, once you get confirmation that your request has been granted you may want to ask to be present when the physical samples are destroyed and electronic data is deleted and updated. If you go for this, ask speedily or possibly even with your request letter, as in my case the deletion process was started before informing me of the decision!

Observing the process by a large number of individuals would be costly in time and money; an easier alternative would be for the labs used by the police to generate DNA profiles from the samples taken from individuals to systemically destroy the DNA samples once a DNA profile has been derived. The DNA samples are not used for identification.

Next: What does the ECHR ruling change for the government and police?


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading
  • FTC signals crackdown on ed-tech harvesting kid's data
    Trade watchdog, and President, reminds that COPPA can ban ya

    The US Federal Trade Commission on Thursday said it intends to take action against educational technology companies that unlawfully collect data from children using online educational services.

    In a policy statement, the agency said, "Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools."

    The agency says it will scrutinize educational service providers to ensure that they are meeting their legal obligations under COPPA, the Children's Online Privacy Protection Act.

    Continue reading
  • Mysterious firm seeks to buy majority stake in Arm China
    Chinese joint venture's ousted CEO tries to hang on - who will get control?

    The saga surrounding Arm's joint venture in China just took another intriguing turn: a mysterious firm named Lotcap Group claims it has signed a letter of intent to buy a 51 percent stake in Arm China from existing investors in the country.

    In a Chinese-language press release posted Wednesday, Lotcap said it has formed a subsidiary, Lotcap Fund, to buy a majority stake in the joint venture. However, reporting by one newspaper suggested that the investment firm still needs the approval of one significant investor to gain 51 percent control of Arm China.

    The development comes a couple of weeks after Arm China said that its former CEO, Allen Wu, was refusing once again to step down from his position, despite the company's board voting in late April to replace Wu with two co-chief executives. SoftBank Group, which owns 49 percent of the Chinese venture, has been trying to unentangle Arm China from Wu as the Japanese tech investment giant plans for an initial public offering of the British parent company.

    Continue reading
  • SmartNICs power the cloud, are enterprise datacenters next?
    High pricing, lack of software make smartNICs a tough sell, despite offload potential

    SmartNICs have the potential to accelerate enterprise workloads, but don't expect to see them bring hyperscale-class efficiency to most datacenters anytime soon, ZK Research's Zeus Kerravala told The Register.

    SmartNICs are widely deployed in cloud and hyperscale datacenters as a means to offload input/output (I/O) intensive network, security, and storage operations from the CPU, freeing it up to run revenue generating tenant workloads. Some more advanced chips even offload the hypervisor to further separate the infrastructure management layer from the rest of the server.

    Despite relative success in the cloud and a flurry of innovation from the still-limited vendor SmartNIC ecosystem, including Mellanox (Nvidia), Intel, Marvell, and Xilinx (AMD), Kerravala argues that the use cases for enterprise datacenters are unlikely to resemble those of the major hyperscalers, at least in the near term.

    Continue reading

Biting the hand that feeds IT © 1998–2022