News

posted on 22 February 2008 10:37

A government minister has tried to reassure us all the ContactPoint, a database of information about every child in the UK, will be managed securely.

In a written statement  Kevin Brennan, Parliamentary Under-Secretary, Department for Children, Schools and Families (PUS, DCSF), referred to a Deloitte review into ContactPoint's security. Joint back-scratching commenced immediately: "I acknowledge Deloitte's recognition that security is ingrained in the ContactPoint project team's work. "

Brennan's statement said: "Security is of paramount importance in the development of the ContactPoint. A number of measures will be in place to ensure security:

- Access will be restricted to those who need it as part of their work and will be limited to that needed to fulfil each role.
- Everyone with access to ContactPoint, including operators or administrators, will be subject to stringent security checks, including enhanced Criminal Records Bureau clearance and membership of the Independent Safeguarding Authority (ISA) scheme.
- At least two-factor authentication will be used to access ContactPoint. Users will need a security token and a password.
- All users will be trained in the importance of security and the importance of good security practice.
- Every access to a child's record will be detailed in the ContactPoint audit trail. This will be regularly reviewed.
- Sanctions will be in place for any misuse. These sanctions can include, if appropriate, prosecutions under the provisions of the Data Protection Act and Computer Misuse Act which may lead to fines or imprisonment.
- The design and implementation of ContactPoint will continue to be reviewed by independent security experts during system build and before it is implemented. Security will of course be audited during operation.
- These issues will be reflected in the guidance and staff training that will govern the operation of ContactPoint."

These are fine words but don't, in the light of the HMRC disaster - 25 million people's details accessed by an authorised insider and subsequently lost - guarantee that people will be reassured.

The numbers of people needing access to it 'as part of their work' will run into the tens of thousands. Their authentication does at least look strong in this statement.