National DNA Databases: NDIS, NDNAD, India's DNA Technology Bill and EU Prüm

The National DNA Database was established in 1995 under the Criminal Justice and Public Order Act 1994, operated by the Home Office and from 2012 by the National DNA Database Strategy Board. The original retention rule was simple: any profile obtained in a criminal investigation could be retained indefinitely, regardless of whether the person was charged or convicted. By 2008 the database held approximately 4.5 million profiles, with a significant proportion belonging to individuals who had never been convicted of any offence.

That retention policy was ruled incompatible with Article 8 (right to respect for private life) of the European Convention on Human Rights in S and Marper v. United Kingdom (European Court of Human Rights, 2008). The Grand Chamber held that the retention of the profiles and samples of persons who had been arrested but not convicted was a disproportionate interference with the right to private life, even though the underlying offences were serious. The UK government responded with the Protection of Freedoms Act 2012, which introduced a substantially revised retention regime: adults convicted of recordable offences retain their profiles indefinitely; adults not convicted of a qualifying offence have their profiles deleted after three years; profiles from children who have no conviction are deleted within five years. Samples (the physical biological material) must now be destroyed within six months of profiling, whereas the profile can be retained for its permitted period.

As of 2024, the NDNAD holds approximately 6.7 million subject profiles (convicted persons, arrestees, and volunteers) and around 800,000 crime scene profiles. The hit rate (proportion of crime scene profiles that generate a database match) runs consistently at around 65 percent, making it one of the highest-performing criminal intelligence databases in the world. The database contributed to the investigation in the Stephen Lawrence case in 2021 when a cold-case review produced a DNA match linking a suspect to fibres from Lawrence's clothing using a mixed profile generated from material that had been stored for nearly thirty years.

In Germany, the DNA database (the DAD, Datei der DNA-Identifizierungsmuster, managed by the BKA) operates under the DNA Identification Act 1998 as amended, with retention rules that allow deletion on request after three years for acquitted persons. France's FNAEG (Fichier national automatisé des empreintes génétiques) has faced repeated constitutional challenges over its breadth of inclusion. Both systems are subject to Prüm cross-border exchange, discussed in Section 4.

The DNA Technology (Use and Application) Regulation Bill 2019 was introduced in the Lok Sabha on 8 July 2019 and was referred to a parliamentary standing committee, which submitted its report in February 2021. As of 2025 the Bill has not been enacted. It is nonetheless important to understand its architecture because it has shaped how the CFSL network operates in anticipation of eventual passage and because its provisions reveal the contested design choices any country faces when building a national forensic DNA database.

The Bill proposes the creation of a national DNA database called the Suspect DNA Index, Offenders Index, Missing Persons Index, Unknown Deceased Persons Index, and Volunteers Index, collectively referred to in draft as the System for DNA Data and Index Support (SDDIS). The Bill would establish a DNA Regulatory Board with powers to accredit laboratories, set standards, and oversee the database. Collection of DNA would be permitted from individuals arrested for offences punishable by seven or more years of imprisonment, convicted persons, missing persons, and volunteers for exclusion purposes.

The parliamentary standing committee raised several significant concerns. It flagged the breadth of the offences triggering mandatory DNA collection, noting that the Bill would allow collection from arrestees charged with offences considerably less serious than those covered by equivalent UK and US provisions. It also noted the absence of robust expungement mechanisms and expressed concern about potential misuse given India's existing weak data-protection framework (the Personal Data Protection framework was still evolving at the time of the committee's report). The committee recommended that the Bill be sent back for revision before passing.

Civil liberties organisations in India have compared the Bill's trajectory to two international models. The UK's post-S and Marper reforms narrowed retention rules in response to a human-rights judgment. The US CODIS expansion went in a different direction after Maryland v. King, broadening arrestee inclusion. India's committee appeared more sympathetic to the narrowing model but did not produce a revised Bill.

The Prüm Convention, originally signed by seven EU member states in Prüm, Germany in 2005 and incorporated into EU law through Council Decisions 2008/615/JHA and 2008/616/JHA, created a framework for automated cross-border exchange of DNA profiles, fingerprints, and vehicle registration data between EU member states. The DNA exchange mechanism works through a "hit/no-hit" system: profiles are not transferred directly between national databases. Instead, one state's database software queries another state's database using the profile's STR data. The querying state receives only a confirmation that a match exists (a "hit") and the identity information associated with the matching profile is then exchanged through bilateral channels with appropriate legal safeguards.

For Prüm exchange, profiles must contain at least the European Standard Set (ESS17) loci and must have been generated by an ISO/IEC 17025-accredited laboratory. These quality requirements prevent poor-quality profiles from entering the cross-border pool and create a natural incentive for member states to maintain accreditation standards. As of 2023, over twenty-five EU member states plus associated non-EU countries (Norway, Iceland, Switzerland, Liechtenstein) participate in automated Prüm DNA exchange.

The UK participated in Prüm DNA exchange until January 2021 when its Brexit transition period ended. Negotiations over re-joining the Prüm framework as a third country stalled on issues related to data governance and the European Court of Justice's jurisdiction. As of 2025, the UK exchanges DNA profiles with EU member states through conventional mutual legal assistance treaty (MLAT) channels, which is significantly slower than the automated Prüm system. The UK government indicated in 2022 that negotiating access to Prüm data exchange was a priority but no agreement had been concluded.

A 2023 review of the Prüm framework (Council Decision proposal to update Prüm to Prüm II) proposed expanding automated exchange to facial recognition data and wider biometrics alongside the existing DNA and fingerprint channels. The DNA provisions would be updated to require a minimum of twenty loci (aligning with the CODIS 20 expansion) to improve discrimination power across the enlarged search pool.

Investigative genetic genealogy (IGG) uses profiles generated from crime-scene biological material to search consumer-facing genealogy databases, primarily GEDmatch and FamilyTreeDNA, identify distant relatives (third and fourth cousins) of the unknown contributor, and then construct family trees that progressively narrow toward the contributor's identity. The technique does not require the contributor to have uploaded a profile: any biological relative who has voluntarily uploaded their genetic data to a consumer platform can provide the genealogical lead.

GEDmatch was a free, open genealogy database founded in 2010. In 2018, investigator Barbara Rae-Venter and the FBI uploaded the Golden State Killer's crime-scene profile to GEDmatch without the platform's consent under a policy it had not yet established. The match to distant cousins allowed genealogist CeCe Moore to build a family tree that pointed to Joseph James DeAngelo, who was arrested in April 2018. Following the arrest, GEDmatch updated its terms of service to require users to opt in to allow their profiles to be used by law enforcement. In 2019, after a Florida sheriff searched GEDmatch profiles to investigate a violent crime without advance notice to users, GEDmatch changed again to make the default opt-out for law enforcement searches, requiring explicit user opt-in. As of 2023, approximately 280,000 GEDmatch users have opted in to law enforcement searches.

FamilyTreeDNA made a different choice: in 2019 it disclosed to BuzzFeed News that it had been voluntarily cooperating with FBI requests to search its database. It subsequently adopted an opt-in policy for law enforcement searches, with the opt-in being the default for users who actively agreed to cooperate. Maryland became the first US state to pass legislation specifically governing IGG in 2021, requiring that investigators obtain a warrant or the consent of a court before searching a genealogy database, and that suspects be confirmed by conventional casework DNA before arrest.

Outside the United States, the regulatory framework for IGG varies considerably. In the UK, the Forensic Science Regulator issued guidance in 2023 stating that IGG using consumer databases by UK police forces would require case-by-case Home Office authorisation. In Australia, the National Institute of Forensic Science (NIFS) began a consultation on IGG in 2022. In India, no specific framework exists, and neither the DNA Technology Bill 2019 in its current form nor existing data-protection law clearly addresses IGG with consumer databases.

The retention debate has distinct dimensions in different jurisdictions. In the UK, the S and Marper judgment forced a statutory revision of retention rules, and the Protection of Freedoms Act 2012 created a structured regime with different rules for different conviction outcomes, age groups, and offence categories. The Genewatch UK advocacy organisation and academic critics have argued that even the revised rules retain too many profiles of innocent people, given the DNA Database's statistical contribution to cold-case matches from persons arrested decades ago.

In the US, the arrestee-inclusion expansion following Maryland v. King opened a permanent population of pre-conviction profiles. Civil liberties organisations including the ACLU have documented cases where arrestees whose charges were dropped or who were acquitted were not informed of their right to expungement and remained in CODIS for years. The National Institute of Justice's DNA Capacity Enhancement Programme has funded outreach on expungement rights, but the structural problem, that expungement is opt-in rather than automatic, persists.

In the EU, member states under Prüm retain profiles according to their own national legislation, creating a patchwork. Germany deletes profiles after three years of no new offences for unconvicted persons; France retains FNAEG profiles for twenty-five years for misdemeanour offenders; the Netherlands deletes after three to eighty years depending on offence severity. The lack of harmonised retention rules means that a hit in the Prüm system can link to a profile that would have been deleted under another member state's own rules.

India's standing committee concern about the proposed DNA Technology Bill's retention provisions pointed to the absence of a clear right to expungement and the breadth of offences triggering inclusion. The committee specifically noted that the Bill would permit inclusion of persons accused of bailable offences and that the deletion mechanism was insufficiently defined.