We’ve got a secret

ARCH members will know that we have put in a Freedom of Information request for the full security review of Contactpoint (following publication of the executive summary) so far without success.

Our internal appeal has now been rejected and so it’s onwards and upwards to the Information Commissioner and, probably, the Information Tribunal. Amongst other things, the rejection notice says that making the Deloitte report available would undermine security ‘by potentially making it easier for those seeking to access the system unlawfully to succeed.’

It’s alarming that Contactpoint is to rely on ‘security by obscurity’ – a phrase often used as a pejorative amongst the security engineering cognoscenti. How likely is it that the ‘secrets’ of a system accessed by more than 300,000 users – and potentially thousands more top-of-the-range hackers – are going to stay secret for long? Compare and contrast with Kerckhoffs’ principle.

Our appeal rejection notice goes on to outline the consequent loss of confidence in Contactpoint which, it says:

‘…would have a direct impact on the benefits ContactPoint is being designed to achieve – to provide a quick way to find out who else is working with the same child or young person, to help improve support available to those children and young people.’

Interesting to see Contactpoint still being presented as a passive directory, when this week’s ‘CYP Now’ tells us:

Monthly reports created by the ContactPoint database will be sent to local authorities listing the names of children not recorded at an education setting. The School Census for state schools and pupil lists from independent schools and pupil referral units will be used to complete the relevant field on ContactPoint. Children not accounted for will feature in the reports

Ah, so it will be used to generate reports! That’s even more confidential data flying around, and you can bet it won’t stop at ‘children missing education’.

We’ve recently been looking at some of the security protocols of local authorities. I paused for a quiet lie-down when I read the confident assertion of one LA that confidential data can be sent in Word documents – without any protection – to any other address within the same authority (NB not even on gsi). Should the information be sent outside the authority, then password protection was mandated. My word-search for ‘encryption’ drew a blank.

In our FOI request, we also asked for copies of all draft versions of the executive summary of the Contactpoint review. Apparently the DCSF doesn’t have any!

And finally, on the tedious nature of FOI requests about Contactpoint, Sir Bonar Neville-Kingdom has plenty to say.

I’m facing a blizzard of Freedom of Information requests from the self-appointed (and frankly self-righteous) civil liberties brigade about releasing details of the ContactPoint security review. Of course we’re all in favour of Freedom of Information to a point but there is a limit.

Read on…


2 Responses to We’ve got a secret

  1. ukliberty says:

    I hope my cynicism isn’t influencing my impression of the document but I’m inferring from the executive summary that there are several issues, which could even lead to project failure: security hasn’t been adequately designed in from inception (a common cause of security breaches); the right people haven’t been involved in the design of the security controls that do exist; stakeholders are unclear about responsibilities and accountabilities; technical and procedural controls are not subject to formal assurance under a recognised standard; processes for secure disposal of electronic and hard-copy media do not exist; there is unclear or no guidance about information security matters; there hasn’t ever been a formal risk assessment and there hasn’t been much of a risk assessment at all since 2004; there is no ‘formal assurance using a recognised framework’ for security controls and countermeasures; the self-certification process poses a significant risk

  2. […] allowed to see the ContactPoint security review Posted on September 19, 2008 by ukliberty ARCHrights: ARCH members will know that we have put in a Freedom of Information request for the full security […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: