ContactPoint will not hold detailed case information. In addition to basic identifying information for the child or young person, it will hold only contact details for the parent or carer, and for practitioners providing services to a child or young person. In the case of sensitive services—defined as sexual health, mental health or substance abuse—practitioner contact details will only be added to ContactPoint with informed, explicit consent. ContactPoint will also have the facility for practitioners to indicate to others if they are a lead professional and have undertaken a common assessment, in relation to a child or young person.
ContactPoint has developed a strong, collaborative relationship with the Information Commissioner's Office based on a shared desire to ensure that ContactPoint operates within the Data Protection Act. Richard Thomas, the Information Commissioner has recently written to the Project Director and confirmed that
"The information that you require to populate ContactPoint is of an administrative nature, it reveals nothing about an individual’s health or condition and it does not strike me as sensitive.”
ContactPoint will identify all users seeking access through a method of strong authentication involving physical security tokens, PIN numbers and passwords. Where access is mediated, ContactPoint will authenticate the identity of both the user and the mediator to the same high level. All ContactPoint activity will be audited, including the query parameters and the results returned.
User managers will regularly run analysis reports that will highlight potential inappropriate usage patterns for investigation. In addition, random samples of activity will be automatically extracted and analysed. The ContactPoint central team will monitor user managers to ensure that the audit reports are being run.
These measures provide a high level of assurance that the ContactPoint audit function is robust, and activity can be correctly attributed to an individual authorised user.
The only users who will be granted to access ContactPoint, without undergoing an enhanced Criminal Records Bureau (CRB) check, will be authorised members or employees of a police authority, a chief officer of police for a police area in England, or officers of the British Transport Police Authority. Their access will be granted by virtue of the fact that all officers and staff undergo equivalent vetting and checks but not the enhanced CRB check itself.