Not-so-reassuring figures

October 31, 2008

From The Register:

The Identity and Passport Service has dismissed 14 people over the last three years, most for abusing access to the passport database.

Of 16 cases where data protection was breached, all but one involved members of staff who had legitimate access to the Passport Application Support System database, and who used this for unauthorised checks not related to their duties. The other case involved a contractor misusing data to which he had legitimate access.

I think this bit is meant to be reassuring:

IPS said it employs more than 4,000 staff, and the majority need access to personal data to carry out their work. “The fact that the systems IPS has in place have identified just 16 instances of unauthorised access over the past three years, and these resulted in 14 dismissals, is testament to the way in which the agency protects its data and the seriousness with which it views breaches,” said a spokesperson.

There will be 330,000 authorised Contactpoint users, so let’s see… 16 out of 4,000 is 4 per 1,000… That would mean 1,320 improper accesses to Contactpoint in a 3-year period would be testament to how seriously the PTB view breaches.


Not a good day for databases

October 29, 2008

Regular readers will remember that we blogged about the “not fit for purpose” Integrated Children’s System a few months ago.

More bad news for DCSF:

The government has been forced to re-examine the £60m Integrated Children’s System (ICS) following criticism by judges.

One of the aims of the standardised computer system for social workers was to reduce workload. But, in some cases, judges are refusing to accept information from the system, meaning social workers have to resubmit data to courts.

Judges say the ICS format does not give a full picture of a child’s case or assessment of risk and more detail is needed relating to the child’s case history, core assessment and care plan.

I expect the judges’ information is out of date or they’re just being horrid for the sake of it.

Fingers in ears again

October 29, 2008

We’ve remarked several times that the government reaction to unpalatable truths is either to (a) shoot the messenger or (b) claim that things have changed since the research was conducted. Beverley Hughes is obviously adopting a belt and braces approach to the Audit Commission’s report that the government has:

“…spent too much time and energy on setting up structures and processes at the expense of improving the lives of children and young people.”

Her two-pronged response?

“I am very disappointed that the commission appears to have gone for headline over substance. Not only are the messages a misrepresentation of what their own report as a whole says, but it is based on fieldwork which is now almost a year old. Significant changes have taken place since then”

Mobile Phone Registration

October 27, 2008

This speaks for itself:

The UK government is moving ahead with plans to force all mobile phone users, including all pay-as-you-go customers, to fully identify themselves using a passport or other ID. This information will then be used to identify, register, track and monitor all mobile phone users.

It’s widely expected that the plans will be in the forthcoming Communications Data Bill.

Privacy International has started a petition here.

Contactpoint politics

October 24, 2008

News of the UK’s inexorable slide into recession is diverting attention from some very grubby corners. Some may have noticed a story on The Register about a political memo sent out by DCSF explaining why Tory policy on Contactpoint is wrong (and, yet again, invoking Victoria Climbie).

Earlier this week the Department for Children, Schools and Families wrote to local authorities to argue that Labour’s plans for the forthcoming ContactPoint database are the best to protect children from abuse. The government will pool personal data on every child in England and Wales, while the Tories say only those identified by social workers as vulnerable should be included.

“It [Labour’s plan] is much less stigmatising – no judgement is required about who should be included or not. With a selective system, such as that proposed by the Conservatives, practitioners may make decisions about the needs or vulnerability of a child in absence of all of the available information,” the DCSF memo said.

You can see the full memo at Ideal Government, and judge for yourself whether it demonstrates an impartiality appropriate to civil servants.

The memo concludes with some utter tosh about Victoria Climbie, which I hope we’ve dealt with here.

On a lighter note, someone has posted this cartoon in Ideal Government’s comments. It’s a good one.

What will be on Contactpoint?

October 18, 2008

Following on from yesterday’s post about Woman’s Hour, it seems like a good idea to list the information that will be on a child’s Contactpoint record.

The ‘basic information’ is rather more than the simple name and address that the Under Secretary of State implied on the programme. You can see it here in the Contactpoint regulations.

At paragraph 9 of those regulations, you’ll see that various bodies specified in various schedules have to appear on Contactpoint if they are providing ‘targeted services’ to the child. To save you the trouble of chasing around the different bits of legislation, I’ve brought them all together in a single list. Here goes:

(1) a children’s services authority in England; (which in itself includes social work, educational welfare, learning support etc) or a district council which is not such an authority;

(2) a Strategic Health Authority;

(3) a Special Health Authority, so far as exercising functions in relation to England, designated by order made by the Secretary of State for the purposes of this section;

(4) a Primary Care Trust;

(5) an NHS trust all or most of whose hospitals, establishments and facilities are situated in England;

(6) an NHS foundation trust;

(7) the police authority and chief officer of police for a police area in England;

(8) the British Transport Police Authority, so far as exercising functions in relation to England;

(9) a local probation board for an area in England;

(10) a youth offending team for an area in England;

(11) the governor of a prison or secure training centre in England (or, in the case of a contracted out prison or secure training centre, its director);

(12) any person to the extent that he is providing services under section 114 of the Learning and Skills Act 2000 (c. 21) – ie. anyone providing a service to young people that the Secretary of State believes will “encourage, enable or assist (directly or indirectly) effective participation by young persons in education or training”

(13) the Learning and Skills Council for England;

(14) the governing body of a maintained school in England (within the meaning o f section 175 of the Education Act 2002 (c. 32));

(15) the governing body of an institution in England within the further education sector (within the meaning of that section);

(16) the proprietor of an independent school in England (within the meaning of the Education Act 1996 (c. 56));

** NB (17) a person or body of such other description as the Secretary of State may by regulations specify. ***

(18) a person registered in England for child minding or the provision of day care under Part 10A of the Children Act 1989 (c. 41);

(19) a voluntary organisation exercising functions or engaged in activities in relation to persons to whom arrangements specified in subsection (1) relate;

(20) the Commissioners of Inland Revenue;

(21) a registered social landlord;

(22) The governing body of a special school which is not maintained by a local authority and which has been approved as a special school under section 342 of the Education Act 1996.

(23) The Registrar General for England and Wales

(24) A health care professional regulated by a body mentioned in section 25(3) of the National Health Service Reform and Health Care Professions Act 2002 –, optician, osteopath, chiropractor, pharmacist, chiropodist, physiotherapist, speech therapist, dietician, occupational therapist, art/music/drama therapist, chiropodist

(25) The fire and rescue authority (determined in accordance with Part 1 of the Fire and Rescue Services Act 2004) for any area in England where the local authority (within the meaning in these Regulations) is not the fire and rescue authority for the area.

(26) The Children and Family Court Advisory and Support Service.

Woman’s Hour

October 17, 2008

Woman’s Hour majored on Contactpoint today, with yours truly trying to correct some of the misinformation that is flying around. A shame that the new Under Secretary didn’t seem to realise that Contactpoint will contain a great deal more than a simple name and address, and I didn’t have the opportunity to correct that. Still, the item is first on the menu here.

Update: Several people have asked me what information will actually be on Contactpoint. There’s so much that I’ve put it here in a separate post

‘Freedom not Fear’

October 12, 2008

Yesterday’s ‘Freedom not Fear’ event in Parliament Square resulted in this fantastic photo-mosaic

It was great fun lugging our sheets of photos around and watching the finished product emerge. More on the Open Rights Group blog, including links to more pictures.

Database debacles

October 11, 2008

I doubt if anyone has missed the news that EDS has lost a portable hard drive containing:

the names, addresses, passport numbers, dates of birth and driving licence details of those serving in the army, navy and RAF. It also includes next-of-kin details, as well as information on 600,000 potential services applicants

As you might imagine, while attention has focussed on serving forces personnel, it’s the 600,000 potential recruits that particularly worry us. Presumably a fair number of those are still in their teens and won’t discover for a while yet whether this latest data debacle has made them sitting ducks for identity fraud.

For several years now, the US media has been reporting the increasing use by fraudsters of children’s identities. The Federal Trade Commission points out that they are ‘perfect targets’ because they have clean credit histories, and are unlikely to know what has happened until they open a bank account or apply for credit.

MPs have apparently demanded ‘a “cultural change” in public sector data handling’. Good luck with that – the rot goes deep. Only last week, a company called Databarracks published the results of a survey of schools that showed:

92% of education institutions say they back up their data, however, analysing this further, the survey shows that while 60% take the data offsite, 55% of them have this function performed by a member of staff who takes the data home.

No doubt Databarracks has its own agenda, but its findings do echo an earlier study that found almost half of schools taking unencrypted pupil data off school premises.

You only need to read UK Liberty’s pages on data loss to see the scale of sloppy public sector data-handling practices.

It would be nice to think that things would have improved by the time the national Contactpoint and eCAF databases make their entry on to the scene, but it’s not likely. Just substitute ‘Contactpoint’ or ‘eCAF’ for any of the systems mentioned on UK Liberty, and you’re looking into the future.

Incidentally, on the subject of Contactpoint, you may have missed a letter in the Telegraph from the CE of Barnardo’s objecting to conservative plans to scrap the system. He says:

I would ask Mr Gove to think long and hard about whether or not Barnardo’s, which works with more than 100,000 of the most disadvantaged and vulnerable children in Britain, would support ContactPoint if we thought it would, as Mr Gove suggests, increase the risk of children being abused.

What a relief. If Barnardo’s says it’s OK, that must be right. We can go back to sleep.

Skewed priorities

October 7, 2008

Harry Fletcher talking about youth justice – or the lack of it – in Guardian Society:

Probation officers who once had caseloads of 30 and knew the individuals personally, now talk of 80, 100, or even more. The response of management to this crisis has been to increase the caseload limit and to advise staff to spend less time with less serious offenders. However time is made available to input endless data into computers to meet the demands for information and monitoring from the Ministry of Justice.

One we missed earlier

October 5, 2008

Given the potential for disaster here, it’s surprising that this story didn’t make it into the nationals:

An item of networking kit bought from eBay for just 99p ($1.79) gave privileged access to an internal network at an English county council…

Mason bought the remote access kit for his business, but was surprised when it automatically connected to the internal network of Kirklees Council in Yorkshire as soon as it was switched on and connected to the internet.

Rather than thanking their lucky stars that Andrew Mason is an IT security expert, Kirklees Council seems surprisingly unruffled. :

A spokesman for Kirklees Council described the issue as a concern, but stressed that none of its data was compromised by the breach. Mason said he didn’t do anything more than obtain a screenshot, which proved that internal access had been obtained. “It’s lucky for them I bought it, rather than a black-hat hacker,” he said.

UN report on children in the UK

October 3, 2008

The UK has duly been examined by the UN Committee on the Rights of the Child and their concluding observations are here. (pdf)

As we expected, they have majored on the treatment of asylum-seeking children, children in custody and our unacceptably low age of criminal responsibility. They have also given the government a sharp rebuke about ASBOs and their failure to control the use of ‘mosquitoes’ – the devices that emit a high-pitched scream, used to drive children out of public spaces.

It’s good to see privacy rights featuring in their report for the first time, as follows:

Protection of privacy
36. The Committee is concerned that:
a) DNA data regarding children is kept in the National DNA Database irrespective of whether the child is ultimately charged or found guilty;
b) the State party has not taken sufficient measures to protect children, notably those subject to ASBOs, from negative media representation and public “naming and shaming”;
c) children’s appearance in TV reality show may constitute an unlawful interference with their privacy.

37. The Committee recommends that the State party:
a) ensure, both in legislation and in practice, that children are protected against unlawful or arbitrary interference with their privacy, including by introducing stronger regulations for data protection;
b) intensify its efforts, in cooperation with the media, to respect the privacy of children in the media, especially by avoiding messages publicly exposing them to shame, which is against the best interests of the child;
c) regulate children’s participation in TV programs, notably reality shows, as to ensure that they do not violate their rights.

Unlucky 13

October 1, 2008

Recommended reading: Tony Collins’ examination of 13 government IT fiascos and his related analysis of why Labour has failed so dramatically on large IT-based projects.

Building a bridge from the US to England may seem a good idea in theory but it is not practical. Yet ministers embarked on the technological equivalent with the NHS’s £12.7bn National Programme for IT because nobody they would want to listen to told them it was fanciful.

One reason so many large public sector projects fail is that executives from some IT suppliers regularly propose to government unrealistic but ostensibly credible and beneficial solutions to problems civil servants did not know existed until suppliers explained what could be achieved with new technology.