(2) what security measures will be put in place to protect the data stored on the National Child Database; and if he will make a statement;
(3) what procedures will be put in place to ensure that information stored on the National Child Database is accurate; and if he will make a statement;
(4) whether details of a child kept on the National Child Database will be destroyed once that child reaches the age of 18 years.
The purpose of ContactPoint is to support practitioners in fulfilling their duties under section 10 (duty to co-operate to improve well-being), and section 11 (safeguarding and promoting welfare of children) of the Children Act 2004, section 175 of the Education Act 2002 (duty to safeguard and promote the welfare of children), and the local authority duties established by section 436A of the Education Act 1996 (to identify children not receiving education).
In response to question 231716, regulation 9(2) of the Children Act 2004 Information Database (England) Regulations 2007 provides that access to ContactPoint may only be granted, in line with this purpose, by a local authority to the persons specified in schedule 3 (listed at annex A). Regulation 9(3) provides that such access to ContactPoint may only be granted, in line with the same purpose, by a ‘national partner’, (listed at annex B), to an employee of that ‘national partner’.
In response to question 231717, a number of robust security measures will be in place to ensure security:
ContactPoint has multi-layer, ‘defence-in-depth’ security controls, meeting industry best practice and Government security guidelines;
As an accredited Government system, its security has been and will continue to be audited and approved, at all stages, by relevant security bodies;
additional assessments and rigorous testing will be undertaken by independent security experts during build and before the system goes live—ContactPoint will not go live until it has passed these tests;
these tests will be repeated annually to ensure continued compliance and to take account of emerging threats;
all data supplied to ContactPoint will be strongly encrypted and extensive measures are being ‘taken to ensure that the data will be transmitted securely;
auditing will continue during operation;
ContactPoint access is tightly controlled, such that the application can only be seen at all by users in accredited organisations;
access will be strictly regulated to those who need it as part of their work;
users will have current enhanced Criminal Records Bureau clearance (renewable every three years), or a police equivalent;
users must undertake compulsory ContactPoint training in the safe and secure use of the system, including compliance with the Data Protection Act and Human Rights Acts;
users must sign an acceptable use policy form to acknowledge that they understand the conditions of use;
minimum search criteria will be required in order to prevent ‘trawling’ and other misuse of ContactPoint, and parameters for number of records which can be returned from a search will also be limited in order to reduce such a risk;
all users will be strongly authenticated using ‘two-factor authentication’ (a security token with separate password and PIN) in order to gain access to ContactPoint,
all users will have to state clear reasons for why they are accessing ContactPoint;
all use of the system will be continuously audited and monitored—every access to a child’s record will be recorded in the ContactPoint audit trail, which will be regularly monitored to ensure that any misuse is detected and followed up.
Security is of paramount importance in the development and operation of ContactPoint. The independent security assessment by Deloitte which ran until February 2008 confirmed that robust measures are in place for the security of ContactPoint and acknowledged that the importance of security is ingrained within the project. The review did not find any areas of significant weakness. While, overall, the report was very positive about security across the project, it made some recommendations about controls and measures to consider, in addition to those already planned, to be in place when the system goes live. We have accepted all the recommendations and are implementing them.
In response to question 231718, wherever possible, ContactPoint will be automatically updated from existing systems so that practitioners will not need to enter the same information twice. The aim is that the system should not impose burdens on front-line practitioners and that it should fit conveniently into their daily work. All data supplied will be in accordance with and constrained by section 12 of the Children Act 2004 and the supporting regulations, which specifically prohibit the inclusion of any case information.
Records from a range of national and local sources will be combined using data matching technology to produce a comprehensive set of basic information about each child. This will mean that ContactPoint builds a ‘best view’ of all information on a child from both national and local data sources. This makes it highly resilient to errors in any individual source; where these occur, they will be identified and flagged back to the source for correction.
Those persons or bodies required or permitted to supply information to ContactPoint must take reasonable steps to ensure the information is accurate; they already have obligations for data accuracy under the Data Protection Act 1998. If a local authority considers that there are inaccuracies or omitted information in a record for which it is responsible, the authority must also take reasonable steps to correct the inaccuracy or to complete the record.
In response to question 231719, regulation 4 (1) of the Children Act 2004 Information Database (England) Regulations 2007 sets out that ContactPoint will contain information on all children in England up to their 18 birthday. There is provision (in regulation 4(2)) for certain young people who receive additional services—care leavers and those with learning disabilities—to remain on ContactPoint up to age 25 but only with their informed, explicit consent. This is to help facilitate the transition to adult services for those young people that may have multiple, additional needs. For the majority of children however, their record will be archived after their 18 birthday and remain there for six years, after which it will be permanently deleted.
Persons or bodies permitted by a local authority to access ContactPoint
1.—(1) A person employed in relation to the exercise by or on behalf of a local authority of the functions specified in paragraph (2).
(2) The functions referred to in paragraph (1) are:
(a) social services functions (within the meaning of the Local Authority Social Services Act 1970;
(b) functions under—(i) Parts 4 (special educational needs) and 6 (school admissions, attendance and charges) of the Education Act 1996;
(ii) section 175 of the Education Act 2002 (duties of LEAs and governing bodies in relation to welfare of children);
(c) functions under Part 1 of the Fire and Rescue Services Act 2004 (fire and rescue authorities) so far as relating to a fire and rescue service strategy for children and young people;
(d) functions under section 10 (co-operation to improve well-being) or 11 (arrangements to safeguard and promote welfare) of the Act;
(e) functions conferred on the authority by these regulations.
2. A health care professional regulated by a body mentioned in section 25(3) of the National Health Service Reform and Health Care Professions Act 2002, or a person assisting such a professional in the exercise of his profession.
3. A member or an employee of a police authority, a chief officer of police for a police area in England, or a member or any other employee of a police force for a police area in England.
4. An officer of the British Transport Police Authority, so far as exercising functions in relation to England.
5. An officer of a local probation board for an area in England.
6. A member of a youth offending team for an area in England.
7.—(1) The governor of a prison or secure training centre in England (or, in the case of a contracted out prison or secure training centre, its director).
(2) An officer of a prison or a secure training centre (or, in the case of a contracted out secure training centre, a custody officer).
(3) An administrator assisting an officer of a secure training centre (or, in the case of a contracted out secure training centre, assisting a custody officer).
8. A person (other than the Secretary of State) providing services under section 114 of the Learning and Skills Act 2000, or employed by such a person to provide those services.
9.—(1) A person employed at a school specified in sub-paragraph (2) as:
(a) the head teacher;
(b) a deputy head teacher;
(c) an administrator;
(d) a head of year or a teacher other than a head of year who has pastoral or child protection responsibilities;
(e) a teacher of children with special educational needs;
(f) a co-ordinator of special educational needs provision, or who is carrying out functions equivalent to the functions of a person referred to in paragraphs (b) to (e).
(2) The schools referred to in sub-paragraph (1) are:
(a) a maintained school in England (within the meaning of section 175 of the Education Act 2002);
(b) an independent school in England (within the meaning of the Education Act 1996), and
(c) a special school which is not maintained by a local authority and which has been approved as a special school under section 342 of the Education Act 1996(b) (approval of non-maintained special schools).
10. A person employed at an institution within the further education sector (within the meaning of section 91 of the Further and Higher Education Act 1992(c)) as:
(a) the principal;
(b) a deputy principal;
(c) a tutor with pastoral or child protection responsibilities or responsibilities in relation to special educational needs;
(d) an administrator, or who is carrying out functions equivalent to the functions of a person referred to in paragraphs (b) to (d).
11. An employee of a voluntary organisation exercising functions or engaged in activities in relation to persons to whom arrangements specified in section 12(1) of the Act relate.
12. A social care worker within the meaning of section 55(2) of the Care Standards Act 2000 who is registered with the General Social Care Council.
13. A member of the staff of the Children and Family Court Advisory and Support Service appointed under paragraph 5(1) of Schedule 2 to the Criminal Justice and Court Services Act 2000.
14.—(1) A person employed by a fire and rescue authority to which this paragraph applies in relation to a fire and rescue service strategy for children and young people.
(2) This paragraph applies to a fire and rescue authority (determined in accordance with Part 1 of the Fire and Rescue Services Act 2004) for any area in England for which the local authority (within the meaning in these regulations) is not the fire and rescue authority.
15. An employee of the Child Exploitation and Online Protection Centre (an affiliate of the Serious Organised Crime Agency), so far as it is exercising functions in relation to the sexual abuse of children.
1. KIDS (registered charity number 275936);
2. Barnardo’s (registered charity number 216250);
3. The National Society for the Prevention of Cruelty to Children (registered charity number 216401);
4. Action for Children (Registered charity Nos. 1097940/SC038092) (Formerly NCH);
5. Church of England Children’s Society (registered charity number 221124);
6. The Child Exploitation and Online Protection Centre (an affiliate of the Serious Organised Crime Agency);
7. The Children and Family Court Advisory and Support Service.
(2) what enhanced Criminal Records Bureau checks are proposed for (a) professionals who can access ContactPoint and (b) in-house and contracted IT staff responsible for maintaining the ContactPoint system;
(3) which groups of people will be subject to additional security measures before their details may be accessed on ContactPoint; and what additional security arrangement will be put in place on ContactPoint for the details of children who are subject to the Witness Protection Scheme;
(4) what progress has been made with shielding arrangements for ContactPoint; and if he will make a statement.
[holding answer 3 November 2008]: In answer to question 232461, the original circular is already in the public domain. However I have today placed in the Library a copy of this note, together with a copy of the covering email. Names have been redacted pending the outcome of standard disciplinary procedures regarding the precise circumstances of the note's release which has been commissioned by David Bell, Permanent Secretary of the Department for Children, Schools and Families. As Mr. Bell said in his letter of 24 October to the hon. Member for Surrey Heath (Michael Gove) (also in the Library), Ministers neither commissioned the note nor approved its release. The note was sent by officials to ContactPoint implementation co-ordinators; the covering email said that they might pass it on to implementation managers in local authorities.
In answer to question 232463, all access to ContactPoint will be strictly restricted to those staff who need it as part of their work. One of the conditions of access is that they must, as a minimum, have a current enhanced Criminal Records Bureau clearance which is renewable every three years. IT staff, whether in-house or contracted by the Department, who are responsible for maintaining the ContactPoint system will also be subject to the same standard of enhanced Criminal Records Bureau clearance.
In answer to question 232464, records of some children, whose circumstances may mean that they, or others, are at increased risk of harm (for example, those fleeing domestic violence), may be subject to ‘shielding’, whereby some of their details which could give an indication of their whereabouts will be hidden from users' view. The decision to shield will be taken on a case-by-case basis and will be based on the level of threat posed if their information becomes more widely available. Such a decision can only be undertaken by a local authority which is under a duty to consider the views of the person to whom the record relates, the views of their parent or carer, and of any schedule 4 or schedule 5 body (as specified by the Children Act 2004 Information Database (England) Regulations 2007), involved with the child or young person. This is not unique to ContactPoint and is already used in other systems, and is entirely consistent with the Data Protection Act.
The Department has been working closely with officials in the National Policing Improvement Agency with regards to shielding, specifically how to manage records of children and young people who are subject to witness protection.
In answer to question 232465, local authorities are undertaking local analysis using the shielding assessment—a means by which they will report their progress to the ContactPoint national team on pre-deployment shielding preparations and action. Local authorities are currently engaging with local partners to ensure that those partners understand the shielding guidance and agree how their data can be securely transferred to ContactPoint. Thereafter, identified local authority staff will be trained how to shield records, and in January/February 2009 shielding of these records will commence.