Ministers are to press ahead with plans to develop the £224m children’s database, ContactPoint, despite an independent security review identifying a “significant risk” to the system due to differing security procedures from organisations who will access the data.
The decision follows the publication of the executive summary of the report by accountants Deloitte and Touche, commissioned last November to review security arrangements for the database, following the security failure by HM Revenue and Customs (HRMC) on child benefit data.
The summary said: “It should be noted that risk can only be managed, not eliminated, and therefore there will always be a significant risk of data security incidents occurring, due to the varied security procedures of local councils and other organisations accessing the database.
“What is important is that all practical steps to reduce the risk of incidents occurring are taken and, when an incident occurs, that it is handled and managed effectively.”
In a written response to the report, children’s minister, Kevin Brennan, said they acknowledged the review’s findings, and would take them into account as work restarts on the children’s database.
“The government welcomes the report from Deloitte on the ContactPoint data security review. We acknowledge their recognition that security is ingrained in all aspects of the ContactPoint project team’s work. We accept all the report’s recommendations and will address them. The first task is to undertake an impact assessment of the detailed recommendations contained in the report. An updated statement outlining ContactPoint’s security policy is available from www.everychildmatters.gov.uk/delivering services/contactpoint/security/.”
He added the full report could not be published in order to “minimise the kind of security risk our procedures are designed to prevent.”
The new system, originally due to go live this spring, is now due to begin operation no earlier than September.
Conceived after the Victoria Climbie enquiry, it is intended to hold records of all children in England from birth until 18 and will extract data from national and local sources – including NHS Connecting for Health.
Information about every child’s name, address, their parents or guardians as well as contact details for each government service they use, including which GP they go to, will be held on the system. This has raised concerns about the extent of access to such sensitive information about individual children.
ContactPoint will not, however, hold assessment or case information, or subjective observations about a child or their parents, or any other detailed personal information about a child or their family.
A Department for Children, Schools and Families spokesperson told E-Health Insider: “Security is of paramount importance in the development of ContactPoint, and will be reflected in the statutory guidance and staff training that will govern the operation of ContactPoint. A number of stringent measures will be in place to ensure security.
“Access will be restricted to authorised users who need it as part of their work. Users will be trained in the safe and secure use of ContactPoint, information sharing practice and the importance of compliance with the Data Protection Act and Human Rights Act. Robust procedures and mechanisms will be in place to guard against access by unauthorised users, and the inappropriate use of ContactPoint by authorised users.”
Denise Harrison, director of collaborative software specialist, Liquidlogic, told EHI she agreed with the government’s decision to resume work on ContactPoint, but felt the full review should be properly scrutinised.
She said: “Whilst it is essential that robust security structures are in place to protect all data held on the UK’s children, we can’t let the latest security failures cloud the need for a centralised view of vulnerable children in the UK. …the introduction of a central database is the obvious way of eradicating the problem of multiple case files being opened on a child, which can leave children vulnerable over a prolonged period of time.
“If we are to take collaboration to the next level, then we need to be confident that we have taken every measure to secure the details of children within this national database. Without a doubt, the Deloitte & Touche paper should be opened up for further scrutiny.”
However, opposition MPs called for a full version of the review to be published, or the system should be scrapped.
Shadow families minister, Maria Miller, said: "The government did not say that the Deloitte report would be confidential when it was announced in November last year and it is unacceptable for schools secretary Ed Balls to decide to withhold the findings now. ContactPoint cannot be allowed to go ahead when such fundamental problems have been uncovered.”
Liberal Democrat children, young people and families spokesperson, Annette Brooke said: “This review undermines all of the government’s previous assurances that the database would be secure. With doubts about security remaining, this intrusive project should be scrapped. “
ContactPoint is being built by Capgemini for the DCSF.