The Government announced in a Written Ministerial Statement today that they will carry on as planned in introducing Contactpoint this autumn, despite clear warning in the security review commissioned by DCSF that it can’t be secured:
Database holding details of every child in England ‘can never be secure’
A controversial Government database containing the personal details of every child in England will always be at risk of security breaches, a report warned today.
An independent study by Deloitte called for “further controls” to be introduced over “access to data” on the £224 million ContactPoint system.
…The Deloitte report said: “It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring.
“What is important is that all practical steps to reduce the risk of incidents occurring are taken and, when an incident occurs, that it is handled and managed effectively.”
The Government does not intend to publish the full report. Since the Written Ministerial Statement won’t be up on Hansard until tomorrow at the earliest, here it is in full:
DEPARTMENT FOR CHILDREN, SCHOOLS AND FAMILIES
CONTACTPOINT: DATA SECURITY REVIEW AND GOVERNMENT RESPONSE
The Parliamentary Under Secretary of State for Children, Schools and Families (Lord Adonis): My hon. Friend the Parliamentary Under-Secretary of State for Children, Young People and Families (Kevin Brennan) has made the following Written Ministerial Statement:
I am publishing today the findings of the independent review of the security procedures of ContactPoint, conducted by Deloitte, and the Government Response. I acknowledge Deloitte’s recognition that security is ingrained in the ContactPoint Project team’s work. The Government accepts all the report’s recommendations and will address them.
ContactPoint is a key element of the Every Child Matters programme to transform children’s services by supporting more effective prevention and early intervention. Its goal is to improve outcomes and the experience of public services for all children, young people and families. ContactPoint will provide a tool to support better communication among practitioners across education, health, social care and youth offending. It will provide a quick way for those practitioners to find out who else is working with the same child or young person.
ContactPoint will be a simple basic online tool containing:
· minimal identifying information for each child; name, address, date of birth, gender, and contact details for parents or carers. Each child will also have a unique identifying number;
· contact details for the child’s educational setting and GP practice and for other practitioners or services working with them; and
· an indication as to whether a service or practitioner holds an assessment under the Common Assessment Framework or whether they are a lead professional for that child.
No case information will be held on ContactPoint.
Security is of paramount importance in the development of the ContactPoint. A number of measures will be in place to ensure security:
· Access will be restricted to those who need it as part of their work and will be limited to that needed to fulfil each role.
· Everyone with access to ContactPoint, including operators or administrators, will be subject to stringent security checks, including enhanced Criminal Records Bureau clearance and membership of the Independent Safeguarding Authority (ISA) Scheme.
· At least 2-factor authentication will be used to access ContactPoint. Users will need a security token and a password.
· All users will be trained in the importance of security and the importance of good security practice.
· Every access to a child’s record will be detailed in the ContactPoint audit trail. This will be regularly reviewed.
· Sanctions will be in place for any misuse. These sanctions can include, if appropriate, prosecutions under the provisions of the Data Protection Act and Computer Misuse Act which may lead to fines or imprisonment.
· The design and implementation of ContactPoint will continue to be reviewed by independent security experts during system build and before it is implemented. Security will of course be audited during operation.
These issues will be reflected in the guidance and staff training that will govern the operation of ContactPoint.
On 20 November, the Secretary of State for Children, Schools and Families decided to commission an independent review of ContactPoint’s security procedures, and I announced this in a Written Ministerial Statement to Parliament on 27 November. The review was undertaken by Deloitte. The Secretary of State and I received Deloitte’s confidential Report in early February. I am today publishing the Executive Summary of this Report, which includes Deloitte’s recommendations. This Statement includes the Government’s response to the recommendations. Both this Statement and the Executive Summary will be placed in the libraries for reference.
The main body of the Report necessarily includes information about the security arrangements for ContactPoint. We will not, therefore, publish the full report in order to minimise the kind of security risk our procedures are designed to prevent.
CONTACTPOINT DATA SECURITY REVIEW
The Government welcomes the report from Deloitte on the ContactPoint Data Security Review. We acknowledge their recognition that security is ingrained in all aspects of the ContactPoint Project team’s work. We accept all the report’s recommendations and will address them. The first task is to undertake an impact assessment of the detailed recommendations contained in the report. A statement outlining ContactPoint’s security policy is available from http://www.everychildmatters.gov.uk/deliveringservices/contactpoint/security/. The statement will be updated to reflect changes as a result of ongoing work on security, including addressing the recommendations in this report.
The Report’s Recommendations
Clear communication of responsibilities and accountabilities when the governance process is communicated to sponsors and partner organisations
· We recognise the need for the Department to communicate clearly to Local Authorities and partner organisations, who will use ContactPoint, exactly what their responsibilities are and what is required of them. We are developing a comprehensive programme of training, readiness assessments and accreditation checks to ensure these organisations are properly prepared for these responsibilities. The review has identified a number of areas which will be critical to get right as these plans develop. We welcome this advice and will follow it as we finalise our plans.
Technical and procedural controls are subject to formal assurance under a recognised standard
· In determining the security policy for ContactPoint, the Project followed Government guidance on risk assessment and security controls set out in the Manual of Protective Security. The Manual was updated in August 2007. The design of ContactPoint is currently undergoing a re-baselining exercise. Once this is complete, we will fully update the risk assessment against the new criteria and initiate a formal, external assessment to ensure these risks are effectively controlled. The scope of this will include the self-certification and Local Data Quality Tool process issues highlighted by the review.
Further controls are introduced over the access to data by central system users such as database administrators and report programmers
· The review has correctly identified that we have significant controls in place to ensure the security of the core database, but has identified some areas in which these could be further improved. The ContactPoint project will undertake a rapid impact assessment to determine the most effective approach in our specific context, and will build this into the deployment plan.
Processes are defined for the secure disposal of electronic and hard-copy media
· Temporary guidance was issued to ensure secure storage and/or disposal of media used for initial load of data into the database. This was effective at the time, and will be reviewed against latest government-wide best practice to inform standards for production processes. These additional controls will be in place before any data is loaded into the User Acceptance Test or Live systems. The Live system will also be designed to minimise, and where possible eliminate, the use of physical media.
Clear guidance about information security matters is provided to all helpdesk staff on the production system
· The Deloitte review has highlighted one occasion where helpdesk guidance did not reflect best security practice. Formal helpdesk training has not yet taken place, and training plans will be reviewed to ensure that helpdesk staff are aware of security best practice, including the areas highlighted by the review.
The Project Board should consider the appropriateness of obtaining formal independent assurance and accreditation of the supporting security operating procedures at connecting organisations before allowing connectivity or sponsorship
· The Department is still preparing plans for accreditation of connecting organisations, and will take this recommendation into account as those plans are finalised.
The DCSF participate in government-wide security initiatives
· DCSF is already participating in these initiatives through our Chief Information Officer, especially those focused on data security, privacy and strong user authentication. We will take into account all best practice guidelines arising from this work to keep ContactPoint at the leading edge of security practice.