ARCH members will know that we have put in a Freedom of Information request for the full security review of ContactPoint (following publication of the executive summary), so far without success.
Our internal appeal has now been rejected and so it’s onwards and upwards to the Information Commissioner and, probably, the Information Tribunal. Amongst other things, the rejection notice says that making the Deloitte report available would undermine security ‘by potentially making it easier for those seeking to access the system unlawfully to succeed.’
It’s alarming that ContactPoint is to rely on ‘security by obscurity’ – a phrase often used as a pejorative amongst the security engineering cognoscenti. How likely is it that the ‘secrets’ of a system accessed by more than 300,000 users – and potentially thousands more top-of-the-range hackers – are going to stay secret for long? Compare and contrast with Kerckhoffs’ principle, which holds that a system should remain secure even when everything about it except the key is public knowledge.
Our appeal rejection notice goes on to outline the consequent loss of confidence in ContactPoint which, it says:
‘…would have a direct impact on the benefits ContactPoint is being designed to achieve – to provide a quick way to find out who else is working with the same child or young person, to help improve support available to those children and young people.’
Interesting to see ContactPoint still being presented as a passive directory, when this week’s ‘CYP Now’ tells us:
‘Monthly reports created by the ContactPoint database will be sent to local authorities listing the names of children not recorded at an education setting. The School Census for state schools and pupil lists from independent schools and pupil referral units will be used to complete the relevant field on ContactPoint. Children not accounted for will feature in the reports.’
Ah, so it will be used to generate reports! That’s even more confidential data flying around, and you can bet it won’t stop at ‘children missing education’.
We’ve recently been looking at some of the security protocols of local authorities. I paused for a quiet lie-down when I read the confident assertion of one LA that confidential data can be sent in Word documents – without any protection – to any other address within the same authority (NB not even on gsi). Should the information be sent outside the authority, then password protection was mandated. My word-search for ‘encryption’ drew a blank.
In our FOI request, we also asked for copies of all draft versions of the executive summary of the ContactPoint review. Apparently the DCSF doesn’t have any!
And finally, on the tedious nature of FOI requests about ContactPoint, Sir Bonar Neville-Kingdom has plenty to say:
‘I’m facing a blizzard of Freedom of Information requests from the self-appointed (and frankly self-righteous) civil liberties brigade about releasing details of the ContactPoint security review. Of course we’re all in favour of Freedom of Information to a point but there is a limit.’