ContactPoint has been subject to scrutiny at key stages throughout its development. My Department’s own Chief Security Officer—external to and independent from the project, has checked the Security Policy, the security architecture, and our risk assessment, and found them to be appropriate.
The news on 20 November of the loss of large volumes of child benefit data from HMRC has raised questions about the safety of large scale personal data in other Government systems, including ContactPoint. ContactPoint will not contain any financial information (such as bank details) or case information (such as case notes, assessments, medical records, exam results or subjective observations).
On 20 November, the department conducted an assessment of how personal data are stored and protected in the Department. As a result of that assessment, I am confident that we have very robust procedures in place.
On 21 November, the Prime Minister confirmed this approach when he asked all departments to check their procedures for the storage and use of data. In light of the security breach at the HMRC, we are continuing to check our procedures to ensure standards are as high as they can be. To this end, on 20 November, the Secretary of State for Children, Schools and Families decided to commission an independent assessment of its security procedures. This will be undertaken by Deloitte.
(2) what the outcome was of the feasibility work undertaken to identify the best source of a unique identifying number in relation to databases established under the Children Act 2004.
In relation to question 170208, The Children Act 2004 Information Database (England) Regulations (SI2007/2182) and the accompanying explanatory memorandum are available from the Office of Public Sector Information (OPSI) website:
http://www.opsi.gov.uk/si/si2007/20072182.htm, and:
http://www.opsi.gov.uk/si/em2007/uksiem 20072182_en.pdf
and can be accessed from the Library.
The Department consulted on draft ContactPoint Guidance between 4 May and 27 July 2007. I am arranging for a copy of the consultation draft of the ContactPoint Guidance to be supplied to the Library. We plan to publish the Guidance in June/July 2008 in advance of deployment to the Early Adopter local authorities in September/October 2008.
Section 12 of the Children Act 2004 provides for the Secretary of State for Children, Schools and Families to establish and operate a database (to be known as ContactPoint) and to make regulations and issue guidance and directions in relation to its establishment and operation. The Children Act 2004 Information Database (England) Regulations 2007 were approved by affirmative resolution in this House on 23 July 2007, and in another place on 18 July 2007, and have been in force since 1 August 2007. No directions have been issued under Section 12 of the Children Act 2004.
In relation to question 170209, the number to be used for identifying child records on the ContactPoint system will be an entirely new and unique number generated from the child reference number by ‘electronic code book encryption’.
This new number will thus be based on, but entirely different to the child reference number, which underpins the child benefit system, such that the unique link between the two numbers will be securely and separately held. This is the strongest form of such encryption, and no pattern or link can be made between these two numbers.