Out of ideas

February 29, 2008

Truancy rates in England’s schools are at their highest since 1997.

An estimated 63,000 pupils truanted every day, equating to 1% of all school sessions missed without a valid reason. This is also a rise of a quarter, or 0.21 of a percentage point, on comparable figures from last year which were 0.79%.

The government has written to local authorities urging them to keep up the pressure on persistent absenteeism.

Um, because it’s worked so well in the past?

How much money is your local authority wasting on truancy sweeps, then? Go on, send them an FOI request and find out.

Fingers in ears

February 29, 2008

The latest output from the Cambridge review of primary education, this time on what they describe as the “state theory of learning”:

The biggest inquiry into primary education for 40 years concluded yesterday that Labour’s tight, centralised control of England’s primary schools has had a devastating impact on children’s education. Micromanagement, meddling and a succession of ministerial edicts have killed the spontaneity in the nation’s classrooms. Teachers have been stripped of their powers of discretion. And the net result of a decade of new Labour “reform” has almost certainly been a decline in the quality of education that the young receive.

The government has gone for one of its two preferred responses:

A spokeswoman for the Department for Children, Schools and Families dismissed the research as “recycled, partial or out of date”.

Presumably the ad hominem attack option will be saved for another day.

Damilola Ajagbonna

February 21, 2008


Ironic that the Home Office wants people to earn the right to stay in this country when they’re just about to deport a lovely young man who has done more than his fair share of joining in.

The Independent puts it like this:

A “remarkable” immigrant, honoured this week by the Church of England for his contribution to British society, has lost his legal battle to stay in this country.

Damilola Ajagbonna, 19, whose academic record has won him places at Cambridge and Sheffield universities, said he was bitterly disappointed after the Court of Appeal yesterday turned down his final appeal for the right to live here. He is expected to be ordered to return to Nigeria in the next few weeks.

Even the Daily Mail has joined in:

By any standards, 19-year-old Damilola Ajagbonna must be counted among those migrants who have triumphed against the odds to become shining assets to their adopted country.

There’s lots more about Dami here, here and here (the picture at the top comes from that story in ‘Bedford Today’) or try sticking his name into a google search.

Dami lost his last appeal a couple of weeks ago, and it’s now up to the mercy (or otherwise) of the Home Secretary whether he’s allowed to stay, or has to leave behind the aunt and uncle who have brought him up for the last 8 years and be shipped off to Nigeria.

Please write to Jacqui Smith and ask her to let Dami stay. As well as everything else you’ve read above, I know this guy and, believe me, he’s terrific. Everyone in the children’s sector is completely gutted about his impending deportation.

The details you need:

The Rt Hon Jacqui Smith MP
Home Secretary
Home Office
2 Marsham Street
London SW1P 4DF

emails: smithjj@parliament.uk or public.enquiries@homeoffice.gsi.gov.uk

Children’s Database briefing

February 21, 2008

By coincidence, a few days ago we put together a joint briefing on children’s databases with FIPR, Liberty, NO2ID, Open Rights Group and Privacy International with the idea of giving journalists some background detail when they write on the subject.

It’s not available online yet, but you can download it as a word doc here or click on the rolling banner at the top of the ARCH website.

Contactpoint: carry on regardless

February 21, 2008

The Government announced in a Written Ministerial Statement today that they will carry on as planned in introducing Contactpoint this autumn, despite clear warning in the security review commissioned by DCSF that it can’t be secured:

Database holding details of every child in England ‘can never be secure’

A controversial Government database containing the personal details of every child in England will always be at risk of security breaches, a report warned today.

An independent study by Deloitte called for “further controls” to be introduced over “access to data” on the £224 million ContactPoint system.

…The Deloitte report said: “It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring.

“What is important is that all practical steps to reduce the risk of incidents occurring are taken and, when an incident occurs, that it is handled and managed effectively.”

The Government does not intend to publish the full report. Since the Written Ministerial Statement won’t be up on Hansard until tomorrow at the earliest, here it is in full:



The Parliamentary Under Secretary of State for Children, Schools and Families (Lord Adonis): My hon. Friend the Parliamentary Under-Secretary of State for Children, Young People and Families (Kevin Brennan) has made the following Written Ministerial Statement:

I am publishing today the findings of the independent review of the security procedures of ContactPoint, conducted by Deloitte, and the Government Response. I acknowledge Deloitte’s recognition that security is ingrained in the ContactPoint Project team’s work. The Government accepts all the report’s recommendations and will address them.

ContactPoint is a key element of the Every Child Matters programme to transform children’s services by supporting more effective prevention and early intervention. Its goal is to improve outcomes and the experience of public services for all children, young people and families. ContactPoint will provide a tool to support better communication among practitioners across education, health, social care and youth offending. It will provide a quick way for those practitioners to find out who else is working with the same child or young person.

ContactPoint will be a simple basic online tool containing:

· minimal identifying information for each child; name, address, date of birth, gender, and contact details for parents or carers. Each child will also have a unique identifying number;

· contact details for the child’s educational setting and GP practice and for other practitioners or services working with them; and

· an indication as to whether a service or practitioner holds an assessment under the Common Assessment Framework or whether they are a lead professional for that child.

No case information will be held on ContactPoint.

Security is of paramount importance in the development of the ContactPoint. A number of measures will be in place to ensure security:

· Access will be restricted to those who need it as part of their work and will be limited to that needed to fulfil each role.

· Everyone with access to ContactPoint, including operators or administrators, will be subject to stringent security checks, including enhanced Criminal Records Bureau clearance and membership of the Independent Safeguarding Authority (ISA) Scheme.

· At least 2-factor authentication will be used to access ContactPoint. Users will need a security token and a password.

· All users will be trained in the importance of security and the importance of good security practice.

· Every access to a child’s record will be detailed in the ContactPoint audit trail. This will be regularly reviewed.

· Sanctions will be in place for any misuse. These sanctions can include, if appropriate, prosecutions under the provisions of the Data Protection Act and Computer Misuse Act which may lead to fines or imprisonment.

· The design and implementation of ContactPoint will continue to be reviewed by independent security experts during system build and before it is implemented. Security will of course be audited during operation.

These issues will be reflected in the guidance and staff training that will govern the operation of ContactPoint.

On 20 November, the Secretary of State for Children, Schools and Families decided to commission an independent review of ContactPoint’s security procedures, and I announced this in a Written Ministerial Statement to Parliament on 27 November. The review was undertaken by Deloitte. The Secretary of State and I received Deloitte’s confidential Report in early February. I am today publishing the Executive Summary of this Report, which includes Deloitte’s recommendations. This Statement includes the Government’s response to the recommendations. Both this Statement and the Executive Summary will be placed in the libraries for reference.

The main body of the Report necessarily includes information about the security arrangements for ContactPoint. We will not, therefore, publish the full report in order to minimise the kind of security risk our procedures are designed to prevent.




The Government welcomes the report from Deloitte on the ContactPoint Data Security Review. We acknowledge their recognition that security is ingrained in all aspects of the ContactPoint Project team’s work. We accept all the report’s recommendations and will address them. The first task is to undertake an impact assessment of the detailed recommendations contained in the report. A statement outlining ContactPoint’s security policy is available from http://www.everychildmatters.gov.uk/deliveringservices/contactpoint/security/. The statement will be updated to reflect changes as a result of ongoing work on security, including addressing the recommendations in this report.

The Report’s Recommendations

Clear communication of responsibilities and accountabilities when the governance process is communicated to sponsors and partner organisations

· We recognise the need for the Department to communicate clearly to Local Authorities and partner organisations, who will use ContactPoint, exactly what their responsibilities are and what is required of them. We are developing a comprehensive programme of training, readiness assessments and accreditation checks to ensure these organisations are properly prepared for these responsibilities. The review has identified a number of areas which will be critical to get right as these plans develop. We welcome this advice and will follow it as we finalise our plans.

Technical and procedural controls are subject to formal assurance under a recognised standard

· In determining the security policy for ContactPoint, the Project followed Government guidance on risk assessment and security controls set out in the Manual of Protective Security. The Manual was updated in August 2007. The design of ContactPoint is currently undergoing a re-baselining exercise. Once this is complete, we will fully update the risk assessment against the new criteria and initiate a formal, external assessment to ensure these risks are effectively controlled. The scope of this will include the self-certification and Local Data Quality Tool process issues highlighted by the review.

Further controls are introduced over the access to data by central system users such as database administrators and report programmers

· The review has correctly identified that we have significant controls in place to ensure the security of the core database, but has identified some areas in which these could be further improved. The ContactPoint project will undertake a rapid impact assessment to determine the most effective approach in our specific context, and will build this into the deployment plan.

Processes are defined for the secure disposal of electronic and hard-copy media

· Temporary guidance was issued to ensure secure storage and/or disposal of media used for initial load of data into the database. This was effective at the time, and will be reviewed against latest government-wide best practice to inform standards for production processes. These additional controls will be in place before any data is loaded into the User Acceptance Test or Live systems. The Live system will also be designed to minimise, and where possible eliminate, the use of physical media.

Clear guidance about information security matters is provided to all helpdesk staff on the production system

· The Deloitte review has highlighted one occasion where helpdesk guidance did not reflect best security practice. Formal helpdesk training has not yet taken place, and training plans will be reviewed to ensure that helpdesk staff are aware of security best practice, including the areas highlighted by the review.

The Project Board should consider the appropriateness of obtaining formal independent assurance and accreditation of the supporting security operating procedures at connecting organisations before allowing connectivity or sponsorship

· The Department is still preparing plans for accreditation of connecting organisations, and will take this recommendation into account as those plans are finalised.

The DCSF participate in government-wide security initiatives

· DCSF is already participating in these initiatives through our Chief Information Officer, especially those focused on data security, privacy and strong user authentication. We will take into account all best practice guidelines arising from this work to keep ContactPoint at the leading edge of security practice.

More skeletons

February 21, 2008

It’s just endless:

The Ministry of Defence is launching a new inquiry after admitting to the loss of two more laptops containing unencrypted personal details. The additional losses came to light during the investigation of the theft earlier this year of a laptop containing 600,000 peoples’ personal details.

This takes the biscuit:

Departmental minister Parmjit Dhanda told MPs, “The official data on each of the laptops was not encrypted because none of the information was classified.” In an attempt to reassure MPs, he added, “Each laptop was password protected.”

The real security risk

February 20, 2008


1) This morning the papers are full of the news that a disc containing data about convicted criminals was ‘mislaid’ for a year, eventually turning up covered in dust on someone’s desk. Doubly appalling is this gem from the CPS statement:

“This is not a data security issue as this information was always in the possession of the CPS.”

2) BBC local news a couple of nights ago carried this story about a heap of files that turned up in a derelict council building in North London. When Lynne Featherstone, MP for Haringey, challenged the council, she was astonished to be told that they were only ‘old’ files.

3) You may remember that we blogged in December about schools taking unencrypted pupil data off school premises – a story covered on BBC R4’s ‘Learning Curve’ last week.

After we spoke to Annette Brooke MP, LibDem spokesperson on children, she asked the following question – and got a deeply worrying answer:

Annette Brooke: To ask the Secretary of State for Children, Schools and Families what steps his Department is taking to prevent school staff removing unencrypted sensitive pupil data from school premises. [178044]

Jim Knight: Becta is responsible for producing and publishing guidance for schools on how to ensure the security of their IT systems. Becta’s latest guidance was published in September 2007 and is available on its website. This guidance includes information for schools on monitoring the physical security of ICT equipment, data security and the security of pupil information and data.

In other words the government abrogates all responsibility for data security in schools to a Non-Departmental Public Body.

Three separate examples, but one underlying factor. Despite the CPS insistence that “this is not a data security issue” (“these are not the droids you want”?) all three go to the heart of the real problem: the biggest threats to data security come from insiders who do not take their responsibility for other peoples’ data seriously enough.

No amount of money spent on ‘secure’ systems is going to stem the tide of data breaches if those in charge of the data cannot recognise that their attitudes are the real data security problem. And until that culture-change happens, our private information is simply not safe in their hands.