Light at the end of the tunnel

Here’s a headline that makes our last 5 years of hard slog feel more than worthwhile:

Conservatives would scrap controversial ContactPoint child database

A flagship database of every child living in England, which is due to be launched by the government next year, will be shutdown by a Conservative government.

I’ve just unearthed a briefing I wrote as a policy adviser to CRAE in 2003, when the plans for a giant database were first announced. It’s only available in archives now. The only response I received was a request from one of CRAE’s member orgs that a disclaimer was added to make it clear that the concerns it raised were not shared by all of the membership. The Guardian asked for an op-ed piece but I was forbidden to submit it. So I jumped ship and picked up the baton within ARCH.

Fortunately, I met the excellent Eileen Munro and we put on our first conference at LSE in April 2004: ‘Tracking Children’. A lot of people thought we were crazy and it was hard to get the media to take the problem seriously. We ploughed on.

Can you understand why I jumped up and down yelling like an idiot when I read that headline?

Advertisement

The Contactpoint Card?

At a Labour conference fringe event, Home Office minister Meg Hillier told the audience that the age for ID Cards could possibly be lowered to 14. This is now being denied.

Who are we to believe? Meg Hillier?

on Monday, Ms Hillier said a ministerial working group was thinking about extending the scheme to younger children and discussing the move with universities and youth groups.

Or Meg Hillier?

In a statement released later, Ms Hillier said: “I have made it clear that we have no intention of changing the minimum age for ID cards to below 16.”

As Phil Booth says:

“Having failed to convince the unions, the airline industry or the public at large, the government is now seeking any soft targets it can.”

And there are few softer targets than children. Give it a few weeks, and ID Cards will suddenly become an essential tool in the increasingly ill-defined ‘child protection’ armoury.

Talking of Phil Booth, he was meant to speak at the aforementioned event but fell victim to screw-ups in the issue of security passes. As he said to the BBC:

“if this is how they are organising the ID for their own party conference, how the heck are they going to organise ID cards for 50 million people?”

It reads like an object lesson in creating hostages to fortune.

Let them eat cake

Following Liberata’s complete IT screw-up of the Education Maintenance Allowance:

The Department for Children, Schools and Families said there was no guarantee that pupils would get their grants – worth up to £30 a week for 16- to 18-year-olds – this side of Christmas.

The Guardian adds:

It will prove deeply embarrassing to the government, particularly after the delays which hit this year’s Sats marking process. Both involved new companies promising new IT systems to improve large data projects, which have failed to deliver

Strikes me that it’s not nearly embarrassed enough if it can come out with crass drivel like this:

the government described the grants as “incentives”, saying no one should be in serious hardship because they had not received the money.

This is the kind of hardship that people already need to experience in order to qualify for EMA in the first place. (You may notice that the cut-off point is just under half of an MP’s basic salary)

Nothing to be proud of

Barnardo’s reports that the use of custody for children has risen 550% over the past decade.

The charity says the number of children and young people imprisoned in England and Wales is the third highest in Europe, behind only the Russian Federation and the Ukraine.

A quick question. Which shadow home secretary said this?

“It is really short-sighted beyond belief to invest large sums of money in building new penal institutions for 200 young people when we are neglecting programmes that are far less expensive and which may diminish the numbers that go to such institutions.”

Here’s the answer.

We’ve got a secret

ARCH members will know that we have put in a Freedom of Information request for the full security review of Contactpoint (following publication of the executive summary) so far without success.

Our internal appeal has now been rejected and so it’s onwards and upwards to the Information Commissioner and, probably, the Information Tribunal. Amongst other things, the rejection notice says that making the Deloitte report available would undermine security ‘by potentially making it easier for those seeking to access the system unlawfully to succeed.’

It’s alarming that Contactpoint is to rely on ‘security by obscurity’ – a phrase often used as a pejorative amongst the security engineering cognoscenti. How likely is it that the ‘secrets’ of a system accessed by more than 300,000 users – and potentially thousands more top-of-the-range hackers – are going to stay secret for long? Compare and contrast with Kerckhoffs’ principle.

Our appeal rejection notice goes on to outline the consequent loss of confidence in Contactpoint which, it says:

‘…would have a direct impact on the benefits ContactPoint is being designed to achieve – to provide a quick way to find out who else is working with the same child or young person, to help improve support available to those children and young people.’

Interesting to see Contactpoint still being presented as a passive directory, when this week’s ‘CYP Now’ tells us:

Monthly reports created by the ContactPoint database will be sent to local authorities listing the names of children not recorded at an education setting. The School Census for state schools and pupil lists from independent schools and pupil referral units will be used to complete the relevant field on ContactPoint. Children not accounted for will feature in the reports

Ah, so it will be used to generate reports! That’s even more confidential data flying around, and you can bet it won’t stop at ‘children missing education’.

We’ve recently been looking at some of the security protocols of local authorities. I paused for a quiet lie-down when I read the confident assertion of one LA that confidential data can be sent in Word documents – without any protection – to any other address within the same authority (NB not even on gsi). Should the information be sent outside the authority, then password protection was mandated. My word-search for ‘encryption’ drew a blank.

In our FOI request, we also asked for copies of all draft versions of the executive summary of the Contactpoint review. Apparently the DCSF doesn’t have any!

And finally, on the tedious nature of FOI requests about Contactpoint, Sir Bonar Neville-Kingdom has plenty to say.

I’m facing a blizzard of Freedom of Information requests from the self-appointed (and frankly self-righteous) civil liberties brigade about releasing details of the ContactPoint security review. Of course we’re all in favour of Freedom of Information to a point but there is a limit.

Read on…

An asset to youth justice?

The importance attached to risk assessment tools is increasing, with news that the Youth Justice Board is introducing a ‘scaled approach’ to young offenders:

Young people committing the same crime could get different sentences under the Youth Justice Board’s (YJB) Scaled Approach, charity Nacro has claimed. Under the plans, the Scaled Approach policy would see the intensity and duration of an offender’s community sentence depend on their risk of committing further crimes, as assessed by their Asset score.

‘Asset’ is part of the stable of risk-assessment processes (eCAF, Onset, APIR) that look at every area of a child or young person’s life in order to make predictions and decide on ‘interventions’ purported to prevent them from coming true.

It’s actually been around since 2000, during which time re-offending has risen by 4%.

An evaluation (pdf) in 2003 (coincidentally, carried out by the person who designed Asset) found that this tool had an overall 67% accuracy rate. I wonder how much comfort that will offer to those who receive extended community punishments because they were in the remaining 33%?

A week’s-worth of security breaches

An impressive hat-trick this week. On the bright side, it’s good to see that nobody has made any of those irritating claims about taking data security ‘very seriously’.

First off the blocks:

The discovery at a Cornish nightclub of a computer memory stick with details of troop movements on it is being probed by the Ministry of Defence (MoD).

And then two in quick succession:

Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.

Followed by:

A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty. West Midlands Police would not confirm or deny reports that the data stick contained information on terrorism.

Two on the same day, eh? The pace is hotting up. UK Liberty is keeping a tally.

Update 7pm: We spoke too soon. It’s now four this week:

An NHS trust has apologised after a computer memory stick, containing the confidential files of 200 patients, was found in a street.

Tees, Esk and Wear Valleys Trust said the stick was found by a member of the public in Barnard Castle, Co Durham. It stored a summary of medical histories and patients’ national insurance numbers and addresses.

This is just ridiculous.

Contactpoint: the problems escalate

It would be nice to say we’ve been dozing on a beach in the Maldives for the past three months, but in fact we’ve been travelling to Leeds, Manchester, Birmingham, Liverpool… the closest we came to the sea was Cardiff, where it rained so hard that we could only watch the waves breaking on Penarth beach by keeping the windscreen wipers going.

All in a good cause, though. In the course of our project to investigate whether children can consent to having their sensitive data shared, we’ve met lawyers and legal academics from all over the country. It’s been a fascinating Summer. Next comes the really hard bit: knuckling down to produce a report that does justice to the expertise of our generous and eminent interviewees.

Meanwhile, as the introduction of Contactpoint approached – and then receded, various problems made it into the papers. First of all, the media noticed that the police will have access to Contactpoint. Not a huge surprise, given that they were made partners in the children’s service authorities by Part 2 of the Children Act 2004.

The next problem concerned the ‘shielding’ proposals. Children and families who could be put at more risk than usual by the inevitable security breaches are meant to have their records hidden on Contactpoint. The problem is that the government doesn’t appear to have realised that if they populate the entire database but leave the shielding to local authorities as they join the scheme, it potentially puts a hell of a lot of people in danger. The Guardian and The Register have the full story – though the Guardian’s decision that such a serious story only merited entry in the education supplement was, well, surprising – and it had disappeared from the front page within 24 hours of publication.

The latest revelation concerns PA Consulting. That’s right, the same PA Consulting that has just been sacked by the Home Office after losing a memory stick containing the unencrypted details of 84,000 prisoners. The Home Office vote of no confidence doesn’t appear to have dented the optimism of DCSF:

…the firm is being allowed to continue working on the highly sensitive £224million ContactPoint scheme to create a computerised record of the names, addresses, dates of birth, parents, schools and GPs of all 11 million children in England

DCSF said:

“We have confidence in PA Consulting to provide client-side services to the ContactPoint project.”

And PA Consulting said:

“PA Consulting remains confident that we can complete our work on ContactPoint.”

Is it me, or does that read a bit like a ‘Janet and John’ book?

PS Recommended reading: Sir Bonar Neville-Kingdom has plenty to say about Contactpoint