Skip to content

National DNA Databases: NDIS, NDNAD, India's Bill and EU Prum

How a profile becomes a database hit, and the laws that govern that database: the US National DNA Index System (NDIS), the UK National DNA Database (NDNAD), India's pending DNA Technology (Use and Application) Regulation Bill 2019, the EU Prüm decisions for cross-border DNA exchange, GEDmatch and FamilyTreeDNA on the opt-in side, and the retention and expungement debates each system has navigated.

Last updated:

Share

The decision to hold someone's genetic profile in a national database is simultaneously a law-enforcement tool and a civil-liberties flashpoint. A DNA database hit can initiate an investigation, confirm a suspect's connection to multiple crime scenes, or exonerate a wrongly imprisoned person. It can also draw in relatives never charged, flag someone arrested but acquitted, or expose genetic information extending far beyond a crime-scene question. Every jurisdiction that operates a national DNA database has had to negotiate these tensions through statute, case law, or both.

Key takeaways

  • NDIS (US) operates through the CODIS three-tier architecture (LDIS / SDIS / NDIS) and held over 21 million offender and arrestee profiles by early 2024; arrestee inclusion was authorised nationally by the US Supreme Court in Maryland v. King (2013).
  • The UK NDNAD (established 1995, the world's first national forensic DNA database) was reshaped by S and Marper v. UK (ECtHR, 2008), which ruled indefinite retention of unconvicted persons' profiles unlawful; the Protection of Freedoms Act 2012 introduced differentiated retention periods.
  • EU Prüm (Council Decisions 2008/615/JHA and 2008/616/JHA) enables automated hit/no-hit cross-border DNA searching across 25+ member states; profiles must meet the ESS17 locus set and come from an ISO/IEC 17025-accredited laboratory.
  • India's proposed SDDIS (System for DNA Data and Index Support) under the DNA Technology Bill 2019 has not been enacted; in the interim there is no statutory basis for compelled collection, retention limits, or expungement rights.
  • GEDmatch's October 2019 opt-in reset reduced the law-enforcement-accessible pool from approximately 1.3 million to around 185,000 profiles within 48 hours, illustrating how rapidly a de facto forensic database can change under consumer-privacy policy.

The United States launched NDIS in 1998, operating through the CODIS software architecture managed by the FBI. The United Kingdom created the NDNAD in 1995, the first national forensic DNA database in the world. Both databases have grown, contracted under legal challenge, and expanded again as legislatures revised the governing statutes. The European Union layered a cross-border exchange mechanism on top of member states' national databases through the Prüm framework in 2008. India has been debating an enabling statute, the DNA Technology (Use and Application) Regulation Bill, since 2019, without yet enacting it. On the opt-in side, consumer genealogy databases like GEDmatch and FamilyTreeDNA have been drawn into forensic use through investigative genetic genealogy, creating a new category of de facto forensic database that operates under consumer-privacy law rather than criminal justice statute.

Understanding how these databases work, who is included, how long profiles are retained, and under what conditions they can be searched and shared is essential context for any working forensic DNA examiner, since the profile they produce in the laboratory is the unit that enters this system.

NDIS and CODIS: The US National DNA Database Architecture

Every STR profile produced by an accredited US forensic laboratory eventually flows upward through a three-tier architecture toward a federal search pool that has now solved more than 600,000 investigations.

The US DNA database operates through the CODIS (Combined DNA Index System) software, which the FBI developed in the late 1980s and deployed nationally in 1998 under the DNA Identification Act of 1994. CODIS is a three-tier architecture: Local DNA Index Systems (LDIS) held by individual laboratories, State DNA Index Systems (SDIS) aggregating local profiles, and the National DNA Index System (NDIS) at the federal level, holding profiles from all contributing states.

The DNA Identification Act specified the original thirteen CODIS core loci. In 2014 the FBI announced an expansion to twenty loci (commonly referred to as the CODIS 20 expansion), effective January 2017, to improve discrimination power and harmonise with international standards including the European Standard Set (ESS17); the full locus-by-locus detail is in CODIS 20, ESS17 and India NDIS locus standards. The accreditation requirements that laboratories must meet to contribute to NDIS are covered in ISO/IEC 17025, SWGDAM and NABL accreditation. The expansion required all contributing laboratories to upgrade their multiplex STR kits to panels covering the additional loci, generating a multi-year transition period in which profiles from newer and older kits coexist in the database.

NDIS profiles are divided into indices by sample source: convicted offender profiles, arrestee profiles (allowed in all US states since the Supreme Court's decision in Maryland v. King, 2013, which held that DNA collection from arrestees does not violate the Fourth Amendment), forensic (crime scene) profiles, missing persons and unidentified human remains profiles, and elimination profiles for laboratory staff. The case-to-case index allows unsolved crime scenes to be searched against each other. As of early 2024, NDIS holds over 21 million offender and arrestee profiles and over 4.5 million forensic profiles, and has generated over 600,000 investigation aids (hits linking a profile to an offender or an unsolved case to another case).

Expungement provisions under CODIS allow an individual whose conviction was overturned, or who was arrested but not convicted, to request removal of their profile from NDIS. The process requires a state agency to submit an expungement request to the FBI. In practice, the rate of successful expungement requests is low relative to the population of profiles that would qualify, partly because individuals are rarely notified of their right to request removal.

LDIS (Lab A)LDIS (Lab B)LDIS (Lab C)SDIS (State 1)SDIS (State 2)NDIS (Federal, FBI)Upload: offender + forensic profilesHit notification returns down the chain
CODIS three-tier architecture from local laboratory to federal NDIS; arrows show profile upload direction and hit notification direction.

The UK National DNA Database: Thirty Years of Retention Battles

The NDNAD was the world's first national DNA database, and it has generated more legal controversy over retention rules than almost any other forensic database globally.

The National DNA Database was established in 1995 under the Criminal Justice and Public Order Act 1994, operated by the Home Office and from 2012 by the National DNA Database Strategy Board. The original retention rule was simple: any profile obtained in a criminal investigation could be retained indefinitely, regardless of whether the person was charged or convicted. By 2008 the database held approximately 4.5 million profiles, with a significant proportion belonging to individuals who had never been convicted of any offence.

That retention policy was ruled incompatible with Article 8 (right to respect for private life) of the European Convention on Human Rights in S and Marper v. United Kingdom (European Court of Human Rights, 2008). The Grand Chamber held that the retention of the profiles and samples of persons who had been arrested but not convicted was a disproportionate interference with the right to private life, even though the underlying offences were serious. The ethical and legal dimensions of DNA database retention are also explored through the admissibility and ELSI framework. The UK government responded with the Protection of Freedoms Act 2012, which introduced a substantially revised retention regime: adults convicted of recordable offences retain their profiles indefinitely; adults not convicted of a qualifying offence have their profiles deleted after three years; profiles from children who have no conviction are deleted within five years. Samples (the physical biological material) must now be destroyed within six months of profiling, whereas the profile can be retained for its permitted period.

As of 2024, the NDNAD holds approximately 6.7 million subject profiles (convicted persons, arrestees, and volunteers) and around 800,000 crime scene profiles. The hit rate (proportion of crime scene profiles that generate a database match) runs consistently at around 65 percent, making it one of the highest-performing criminal intelligence databases in the world. The database contributed to the investigation in the Stephen Lawrence case in 2021 when a cold-case review produced a DNA match linking a suspect to fibres from Lawrence's clothing using a mixed profile generated from material that had been stored for nearly thirty years.

In Germany, the DNA database (the DAD, Datei der DNA-Identifizierungsmuster, managed by the BKA) operates under the DNA Identification Act 1998 as amended, with retention rules that allow deletion on request after three years for acquitted persons. France's FNAEG (Fichier national automatisé des empreintes génétiques) has faced repeated constitutional challenges over its breadth of inclusion. Both systems are subject to Prüm cross-border exchange, discussed in Section 4.

India's DNA Technology Bill: A Framework Still Pending

The Bill has been in Parliament since 2019, and in its absence the country's largest national forensic investigation infrastructure operates without a statutory database framework.

The DNA Technology (Use and Application) Regulation Bill 2019 was introduced in the Lok Sabha on 8 July 2019 and was referred to a parliamentary standing committee, which submitted its report in February 2021. As of 2025 the Bill has not been enacted. It is nonetheless important to understand its architecture because it has shaped how the CFSL network operates in anticipation of eventual passage and because its provisions reveal the contested design choices any country faces when building a national forensic DNA database.

The Bill proposes the creation of a national DNA database called the Suspect DNA Index, Offenders Index, Missing Persons Index, Unknown Deceased Persons Index, and Volunteers Index, collectively referred to in draft as the System for DNA Data and Index Support (SDDIS). The Bill would establish a DNA Regulatory Board with powers to accredit laboratories, set standards, and oversee the database. Collection of DNA would be permitted from individuals arrested for offences punishable by seven or more years of imprisonment, convicted persons, missing persons, and volunteers for exclusion purposes.

The parliamentary standing committee raised several significant concerns. It flagged the breadth of the offences triggering mandatory DNA collection, noting that the Bill would allow collection from arrestees charged with offences considerably less serious than those covered by equivalent UK and US provisions. It also noted the absence of robust expungement mechanisms and expressed concern about potential misuse given India's existing weak data-protection framework (the Personal Data Protection framework was still evolving at the time of the committee's report). The committee recommended that the Bill be sent back for revision before passing.

Civil liberties organisations in India have compared the Bill's trajectory to two international models. The UK's post-S and Marper reforms narrowed retention rules in response to a human-rights judgment. The US CODIS expansion went in a different direction after Maryland v. King, broadening arrestee inclusion. India's committee appeared more sympathetic to the narrowing model but did not produce a revised Bill.

EU Prüm: Cross-Border DNA Searching Between National Databases

A profile generated from a burglary in Warsaw can automatically search against the database in Amsterdam and return a hit within twenty-four hours, all without a treaty request or diplomatic channel, because of two Council Decisions signed in 2008.

The Prüm Convention, originally signed by seven EU member states in Prüm, Germany in 2005 and incorporated into EU law through Council Decisions 2008/615/JHA and 2008/616/JHA, created a framework for automated cross-border exchange of DNA profiles, fingerprints, and vehicle registration data between EU member states. The DNA exchange mechanism works through a "hit/no-hit" system: profiles are not transferred directly between national databases. Instead, one state's database software queries another state's database using the profile's STR data. The querying state receives only a confirmation that a match exists (a "hit") and the identity information associated with the matching profile is then exchanged through bilateral channels with appropriate legal safeguards.

For Prüm exchange, profiles must contain at least the European Standard Set (ESS17) loci and must have been generated by an ISO/IEC 17025-accredited laboratory. These quality requirements prevent poor-quality profiles from entering the cross-border pool and create a natural incentive for member states to maintain accreditation standards. As of 2023, over twenty-five EU member states plus associated non-EU countries (Norway, Iceland, Switzerland, Liechtenstein) participate in automated Prüm DNA exchange.

The UK participated in Prüm DNA exchange until January 2021 when its Brexit transition period ended. Negotiations over re-joining the Prüm framework as a third country stalled on issues related to data governance and the European Court of Justice's jurisdiction. As of 2025, the UK exchanges DNA profiles with EU member states through conventional mutual legal assistance treaty (MLAT) channels, which is significantly slower than the automated Prüm system. The UK government indicated in 2022 that negotiating access to Prüm data exchange was a priority but no agreement had been concluded.

A 2023 review of the Prüm framework (Council Decision proposal to update Prüm to Prüm II) proposed expanding automated exchange to facial recognition data and wider biometrics alongside the existing DNA and fingerprint channels. The DNA provisions would be updated to require a minimum of twenty loci (aligning with the CODIS 20 expansion) to improve discrimination power across the enlarged search pool.

FeatureNDIS (US)NDNAD (UK)India (proposed SDDIS)EU Prüm
Legal basisDNA Identification Act 1994 / CODIS legislationPACE 1984 / CJ&PO Act 1994 / Protection of Freedoms Act 2012DNA Technology Bill 2019 (not enacted)Council Decisions 2008/615/JHA + 2008/616/JHA
Inclusion triggerConviction + arrestee (post Maryland v. King 2013)Conviction; arrestee for qualifying offence only (post Protection of Freedoms Act 2012)Proposed: arrest for offence punishable by 7+ yearsProfiles from national databases only; entry rules set by each member state
Retention after acquittal / no chargeExpungement on request; low compliance rateDeletion within 3 years for unconvicted adults; 5 years for childrenProposed provisions; no enacted rules yetDetermined by national law of the database holding the profile
Approximate size (subject profiles, 2024)21 million+6.7 millionNot yet operationalVaries by member state; Prüm pool is the aggregate across 25+ databases
Cross-border sharing mechanismMLAT / bilateral MOUPrüm (until 2021); now MLAT onlyNot yet applicableAutomated hit/no-hit query; identity data via bilateral channel on hit

GEDmatch, FamilyTreeDNA and the Opt-In Forensic Database

The Golden State Killer investigation broke a conceptual dam: within two years of DeAngelo's arrest in 2018, law enforcement in the US, UK, and Australia were routinely using consumer genealogy databases to build familial leads, with millions of user-uploaded profiles as the effective search pool.

Investigative genetic genealogy (IGG) uses profiles generated from crime-scene biological material to search consumer-facing genealogy databases, primarily GEDmatch and FamilyTreeDNA, identify distant relatives (third and fourth cousins) of the unknown contributor, and then construct family trees that progressively narrow toward the contributor's identity. The technique does not require the contributor to have uploaded a profile: any biological relative who has voluntarily uploaded their genetic data to a consumer platform can provide the genealogical lead.

GEDmatch was a free, open genealogy database founded in 2010. In 2018, investigator Barbara Rae-Venter and the FBI uploaded the Golden State Killer's crime-scene profile to GEDmatch without the platform's consent under a policy it had not yet established. The match to distant cousins allowed genealogist CeCe Moore to build a family tree that pointed to Joseph James DeAngelo, who was arrested in April 2018. Following the arrest, GEDmatch updated its terms of service to require users to opt in to allow their profiles to be used by law enforcement. In 2019, after a Florida sheriff searched GEDmatch profiles to investigate a violent crime without advance notice to users, GEDmatch changed again to make the default opt-out for law enforcement searches, requiring explicit user opt-in. As of 2023, approximately 280,000 GEDmatch users have opted in to law enforcement searches.

FamilyTreeDNA made a different choice: in 2019 it disclosed to BuzzFeed News that it had been voluntarily cooperating with FBI requests to search its database. It subsequently adopted an opt-in policy for law enforcement searches, with the opt-in being the default for users who actively agreed to cooperate. Maryland became the first US state to pass legislation specifically governing IGG in 2021, requiring that investigators obtain a warrant or the consent of a court before searching a genealogy database, and that suspects be confirmed by conventional casework DNA before arrest.

Outside the United States, the regulatory framework for IGG varies considerably. In the UK, the Forensic Science Regulator issued guidance in 2023 stating that IGG using consumer databases by UK police forces would require case-by-case Home Office authorisation. In Australia, the National Institute of Forensic Science (NIFS) began a consultation on IGG in 2022. In India, no specific framework exists, and neither the DNA Technology Bill 2019 in its current form nor existing data-protection law clearly addresses IGG with consumer databases.

Retention, Expungement and the Ongoing Policy Debate

Every national DNA database is a permanent record of a biological fact, and the question of how long that record should be held is one that courts and legislatures have answered differently, and continue to revise.

The retention debate has distinct dimensions in different jurisdictions. In the UK, the S and Marper judgment forced a statutory revision of retention rules, and the Protection of Freedoms Act 2012 created a structured regime with different rules for different conviction outcomes, age groups, and offence categories. The Genewatch UK advocacy organisation and academic critics have argued that even the revised rules retain too many profiles of innocent people, given the DNA Database's statistical contribution to cold-case matches from persons arrested decades ago.

In the US, the arrestee-inclusion expansion following Maryland v. King opened a permanent population of pre-conviction profiles. Civil liberties organisations including the ACLU have documented cases where arrestees whose charges were dropped or who were acquitted were not informed of their right to expungement and remained in CODIS for years. The National Institute of Justice's DNA Capacity Enhancement Programme has funded outreach on expungement rights, but the structural problem, that expungement is opt-in rather than automatic, persists.

In the EU, member states under Prüm retain profiles according to their own national legislation, creating a patchwork. Germany deletes profiles after three years of no new offences for unconvicted persons; France retains FNAEG profiles for twenty-five years for misdemeanour offenders; the Netherlands deletes after three to eighty years depending on offence severity. The lack of harmonised retention rules means that a hit in the Prüm system can link to a profile that would have been deleted under another member state's own rules.

India's standing committee concern about the proposed DNA Technology Bill's retention provisions pointed to the absence of a clear right to expungement and the breadth of offences triggering inclusion. The committee specifically noted that the Bill would permit inclusion of persons accused of bailable offences and that the deletion mechanism was insufficiently defined.

Key terms
CODIS (Combined DNA Index System)
The FBI-managed software architecture for the US national forensic DNA database, operating through a three-tier structure of local (LDIS), state (SDIS), and national (NDIS) index systems.
NDNAD
National DNA Database (UK); the world's first national forensic DNA database, established in 1995, operated by the National DNA Database Strategy Board. Holds profiles from convicted offenders, arrestees, and crime scenes.
EU Prüm framework
The legal framework created by Council Decisions 2008/615/JHA and 2008/616/JHA allowing automated hit/no-hit cross-border searching between EU member states' national DNA, fingerprint, and vehicle-registration databases.
Maryland v. King (2013)
US Supreme Court decision holding that the collection of a DNA sample from an individual arrested for a serious offence does not violate the Fourth Amendment, permitting all US states to include arrestee profiles in CODIS.
S and Marper v. UK (2008)
European Court of Human Rights Grand Chamber judgment finding that the UK's policy of indefinitely retaining DNA profiles of unconvicted persons violated Article 8 ECHR; this led directly to the Protection of Freedoms Act 2012.
Investigative genetic genealogy (IGG)
A technique that uses forensic DNA profiles to search consumer genealogy databases, identify distant biological relatives of an unidentified contributor, and build family trees that narrow to the contributor's identity. The DeAngelo case (2018) was the paradigm-setting application.
SDDIS
System for DNA Data and Index Support; the proposed national DNA database architecture under India's DNA Technology (Use and Application) Regulation Bill 2019, comprising five indices covering suspects, offenders, missing persons, unknown deceased, and volunteers.
JurisdictionInclusion triggerRetention after noconvictionExpungement mechanismUS (NDIS)Conviction or arrest(all states post-2013)Indefinite unlessremovedRequest-only; low compliancerateUK (NDNAD)Conviction or arrest forqualifying offenceDeleted after 3 years(adults); 5 years(children)Automatic deletion onscheduleGermany (DAD)Conviction or judicialorderDeleted after 3 years ofno new offenceRequest or automatic afterclean periodFrance (FNAEG)Broad: many offencecategories25 years formisdemeanour offendersOn request only; limited inpracticeIndia (proposed)Proposed: arrest for 7+yr offencesNo enacted rulesNo statutory mechanismProtective (time-limited or automatic)Permissive or absent safeguardJurisdiction
Retention of unconvicted persons' DNA profiles: US keeps profiles indefinitely unless the individual requests removal (low compliance), UK mandates automatic deletion after 3 years for adults, Germany deletes after 3 years with no new offence, France retains for 25 years, and India has no enacted rules at all.

Frequently asked questions

What is the difference between CODIS, NDIS, SDIS, and LDIS?
CODIS is the FBI-managed software architecture for the US national DNA database. NDIS (National DNA Index System) is the top tier, searchable across all contributing states. SDIS (State DNA Index System) is the state-level tier, which may hold profiles meeting state but not federal criteria. LDIS (Local DNA Index System) is the laboratory tier. The three-tier design lets local labs retain profiles locally while contributing qualifying profiles upward to state and national tiers.
Who can be included in the UK NDNAD and how long are profiles retained?
As of 2024, the NDNAD holds approximately 6.7 million subject profiles. Persons convicted of a recordable offence are retained indefinitely. Adults arrested but not convicted of a qualifying offence have profiles deleted after three years (with a possible two-year extension on police application). Profiles from children with no conviction are deleted within three to five years depending on offence type. Physical samples (not profiles) must be destroyed within six months of profiling under the Protection of Freedoms Act 2012.
What is India's SDDIS and how does it relate to the DNA Technology Bill?
SDDIS (System for DNA Data and Index Support) is the proposed national DNA database under the DNA Technology Bill 2019, comprising five indices: Suspects, Offenders, Missing Persons, Unknown Deceased, and Volunteers. The Bill passed the Lok Sabha in September 2019 but lapsed before Rajya Sabha consideration and has not been re-introduced. In the interim there is no statutory basis for compelled collection, retention limits, or expungement rights in India.
What was the legal basis for the Maryland v. King (2013) decision and why did it expand CODIS?
Maryland v. King challenged Maryland's DNA Collection Act, which allowed a DNA swab from any person arrested for a serious crime without a warrant. The Supreme Court held 5-4 (Justice Kennedy) that the swab is a reasonable Fourth Amendment search analogous to fingerprinting, serving the legitimate interest of identifying arrestees. The dissent (Justice Scalia) argued the real purpose was cold-case solving, not identification. The decision permitted all US states to include pre-conviction arrestee profiles in CODIS.
Practice
Question 1 of 5· 0 answered

The CODIS three-tier architecture (LDIS, SDIS, NDIS) was created partly to allow state laboratories to retain control of profiles that meet state but not national inclusion criteria. Which of the following best describes what happens when an NDIS search generates a hit?

Test yourself on Forensic Biotechnology with free, timed mocks.

Practice Forensic Biotechnology questions

Found this useful? Pass it along.

Share

Spotted an error in this page? Report a correction or read our editorial standards.

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.