Friday, February 01, 2008

Government response to petition on ContactPoint

I just received an email from 10 Downing Street relating to the petition asking government to abandon plans to create the Information Sharing Index, a national database of all children aged between birth and eighteen. The email provides a links to the section of the pm website containing the government response. Extracts from the response:

"ContactPoint will provide a quick way for practitioners to find out who else is working with the same child or young person to make it easier for them to deliver better coordinated support to children and families...

No case information will be held on ContactPoint...

ContactPoint is being developed with extensive input from a wide range of stakeholders..

ContactPoint will cover all children in England because it is not possible to predict accurately, in advance, which children will need additional services...

The Government has been considering feedback and looking carefully at the implications that the proposed changes could have on the system. It is clear from the considerable work done so far that more time than originally planned is needed to address the changes to ContactPoint which potential system users suggested...

Security is, and always has been, of paramount importance...

Like all other Government Departments, the Department for Children, Schools and Families has recently conducted a review of how personal data is stored and protected. As a result of that review the Government is confident that there are very robust procedures in place for ContactPoint. In addition, the Secretary of State for Children, Schools and Families has commissioned Deloitte to undertake an independent assessment of ContactPoint security procedures. The independent assessment will report back in early in early 2008."

Whilst it is theoretically technically correct to say that ContactPoint will not contain any case information it is a open door index to the eCAF (electronic Common Assessment Framework) which will hold detailed case infromation, since it will contain "An indication as to whether a service or practitioner holds an assessment under the Common Assessment Framework or whether they are a lead professional for that child."

It will cover all children in England (apart from those of high profile politicians or celebrities for security reasons) because it is not possible to identify in advance those who will need help, so rather than focusing on identifying those who need help, by throwing more data hay on an already difficult to navigate data haystack you'll make it much more difficult to find those who really need support.

They're considering feedback so the system will take longer to get off the ground than originally planned.

As a result of the recent damaging personal data security leaks by government they have thought about the security of the ContactPoint system and are 'confident' that it will be secure. But just in case they are wrong they have commissioned Deloitte to look at the security issues.

Let's just repeat again that you cannot build a large database, containing significant amounts of personal data, to which hundreds of thousands of people are required to have access as a routine part of their jobs and expect it to be secure. No amount of misplaced confidence will make it secure and large numbers of false negative and false positive flags will lead to a significant amount of harm, as already over-stretched child support professionals get involved with cases where they are not needed and fail to be alerted to cases where there services are, in some instances desparately, required. And that is just how the system will fail naturally as a result of technical and human error. Add into the mix those with a malign intent to exploit the system for their own nefarious ends and you end up exposing children targeted by such people to serious risks.

Update: ARCH initial reaction here.

No comments: