This is a site designed to make it easier to take the core of large published reports and allow anyone to comment on them.


20. The Department for Children, Schools and Families has reminded all staff about their data and information security responsibilities. It has commissioned an independent review of the current and proposed information security arrangements for the ContactPoint project — a key element of the Data Handling Procedures in Government: Interim Progress Report project to transform and combine information on children's services. An initial positive report has been given, with the main report due for completion in January 2008.

Email this to a friend.
Previous itemNext item.


ContactPoint is inherently insecure, because it has a very large number of users (300,000+) and a large number of data administrators (each LA will have its own data administration team). Data in ContactPoint will be of interest to:

+ disaffected parents wishing to contact - or even abduct - children contrary to directions of a court + those seeking to locate former partners to inflict violence on them + paedophiles + nosey neighbours + vigilantes (e.g. when a child has committed a crime) + press + perspective employers of school leavers

Although ministers maintain that only "basic" data will be maintained in ContactPoint, this underestimates what can be concluded from data concerning a child's contacts with agencies, especially criminal justice agencies such as youth justice and police and health agencies. It also seems likely that the audit log will contain highly sensitive and subjective data which could be very damaging to the data subjects and their relatives if ever released.

ContactPoint must be considered together with the associated system eCAF - a field in ContactPoint points to an eCAF record. eCAF will contain unstructured and highly subjective data concerning all aspects of children's lives (including data classified as "sensitive" under the DPA 1998, such as race/ethnic origin, health, mental health, sexual health/orientation, religion etc.). Most of the data will consist of "assessments" undertaken by a variety of practitioners. Many of these assessments will be highly subjective and judgemental. Parents/children will be asked to consent to the information being stored and shared via the computer system, but they will be doing so in situations in which they are being assessed for a service and may feel compelled to agree. In any case their data must be secured.

eCAF is a a very high risk system which does not seem to be considered in the present review. Highly confidential personal data, some of which will be of a salacious or even lurid nature (consider for example assessments of children suffering soiling, wetting, mental health, sexual dysfunction etc), will be contained in the assessments.

Like ContactPoint eCAF will have a large usership and systems admin. teams in every local authority area.

In my view it is not possible to secure such systems. They are like "honeypots" to cunning, devious and unscupulous people (e.g. paedophiles) who are prepared to go to great lengths to gain information about children and young people. The large userships make them highly insecure. Simply issuing additional procedures to users will be ineffective.

The consequences of getting security wrong here could be catastrophic - children and young people sexually or physically abused, or even killed. Young lives could be permanently scarred by the release of embarrassing or derogatory information concerning development, health or intimate family details.

Posted by Chris Mills on 2007-12-22 09:32:39.
Link. Report abuse to Back to the main document list


(You must give a valid email address, but it will not be displayed to the public.)

We only allow the following html tags em strong blockquote p br. After posting, there may be a short delay before your comment appears on the site