Submitting-agency information should include the location of the agency, its telephone number, names of the analysts who conducted the DNA typing, the name of the person who entered the data into the databank, and agency contact information.
Sample information should include entries that describe the type of sample (body-fluid stain, tissue, or known blood sample) and a unique sample identifier, the condition of the sample, unusual handling and storage, and other factors that might affect the quality of the DNA and the evaluation of partial patterns.
The DNA type at a locus must be entered in standard nomenclature. For example, for RFLP typing, fragment-size data from each locus successfully probed should be entered as the number of basepairs determined for each fragment. Sizing data for the human-DNA control should also be entered.
Entries into the convicted-offender files should include the name of the offender, dates of offenses and convictions, and DNA profile data. Only the profile index should be centrally stored. Case data should be stored locally, and their distribution should be under the control of the local agency.
Computer security should be ensured through use of the best available practices and technologies. Access to the databank should be limited to a small number of legally authorized persons and should be limited to what is required for specific official investigations. All instances of access should be audited and archived. An excellent discussion of computerized audit-trail systems is available.8
If the computer system and associated databank are to be made available for remote access by cooperating state and federal agencies, such as by telephone or networked by other means, the access mechanism (i.e., the network switch) should be made available only for specific, authorized remote-access sessions; that is, the system should not be continuously available to remote users. This type of limited access can be achieved either administratively or physically; it is a simple and inexpensive means of safeguarding sensitive information and is common practice in many national security situations. For example, secure computers are virtually never connected to unsecured computers at national defense laboratories; when newspaper headlines make statements that computers at these facilities have been breached, it has been the case that the computers were unsecured and not connected to the secure computers. In many cases, these unsecured computers have telecommunication connections available to employees for routine use, but they do not contain security information.