This week’s backpedalling by the government on the communications superdatabase came as a relief. But Snowdon won’t be celebrating. Information on every phone call, email and website visit will still be stored — just separately, rather than together (as the superdatabase would have done.) Moreover, the national ID card database is still moving forward and, significantly for the readers of Snowdon on Schools, ContactPoint, the national children’s database collating information from the NHS, social workers, the police, schools and other agencies, is still chugging along.
ContactPoint was rooted in the recommendations made by Lord Laming in his 2003 report following the Victoria Climbie inquiry. That report pointed to the necessity of a national information system given that many children access services in different local authority areas or move between areas. That recommendation led to the adoption in 2007 of the Information Database (England) Regulations which gave birth formally to ContactPoint. This all sounds very laudable, but as unfortunate as the cases of Victoria Climbie and more recently Baby P, were, the privacy and security risks to every child under the age of 18 (and some over the age of 18) just do not justify the possible benefits that ContactPoint was intended to bring.
The centralisation of so much information is bound to cause discomfort to anyone who has even a GCSE knowledge of the goings-on in Germany circa 1939.
But it’s not just the centralisation of information that is frightening, it is also the number of people who have access to that information. It has been estimated that approximately 330,000-480,000 individuals could legitimately access the ContactPoint database of the country’s 11 million under-18 year olds (plus a few over that age). Those who can access ContactPoint include NHS personnel, the police, social workers, school principals, deputy heads, heads of years at schools, and teachers with pastoral duties — in other words, an already potentially large set of busybodies or persons with malicious intent who happen to wear the necessary badge. It also includes several others such as “voluntary groups” and “administrators” at schools. What are “administrators”? Can any nosy parker who happens to be an employee at a school call himself an “administrator” and gain access to children’s files? There is something chilling about the ill-circumscribed list of those having access and its very size, even where “security vetting” (whatever that is) has been promised.
User names, passwords, security tokens and PINs (the hallmarks of ContactPoint security) are common in most workplaces —- but are often abused through sharing and disclosure. I have worked in several businesses where secrecy should have been the norm, but where confidential documents sat on scanners for any and all to see or in recycling boxes or rubbish bins (rather than being shredded) or where sensitive phone calls were conducted in airport lounges or on trains for anyone to overhear. And the fact that ContactPoint will log all those who access files is meaningless if no one regularly checks every child’s access log to see who has been accessing the information without a justifiable reason. It is human nature to be sloppy with processes; witness the MI6 agent who kept unencrypted top secret information on a USB stick which was subsequently stolen or Scotland Yard Assistant Commissioner Bob Quick’s appearance with a document stamped “top secret” under his arm for all to read when a photo was subsequently published on the web. Remember also our child benefit details which are also circulating somewhere thanks to an inability to follow procedures somewhere along the line as well.
The fact that the information on ContactPoint may be downloaded remotely is also alarming. The government assures us that users cannot download child data onto a desktop or removable media (such as a memory stick). This is not terribly convincing. Again, I have worked in environments with significant security concerns which have purported to have similar restrictions in place; I have found them to be susceptible to circumvention. Moreover, it matters little how information is disseminated, whether on a memory stick, a photo from a camera-equipped mobile, or through transcription or verbal transmission of information; the result is the same: a potential violation of a child’s privacy and the potential to put a child at risk. With up to 480,000 persons having access to the database, we have to assume that there are a few who might themselves pose threats to children. On this basis, I have visions of people remotely accessing ContactPoint from home, joined by their paedophile network in the same room or via computer link and no one to potentially report suspicions. On a less salacious level, I still abhor the idea of a gaggle of teachers sitting around the common room taking in the fact that little Johnny’s primary physician is a psychiatrist while one of teenager Mary’s doctors is an obstetrician who is well-known to specialise in teenage pregnancies. No nosy parker needs case notes to draw a few conclusions worthy of spreadable gossip. If the full implementation of ContactPoint goes ahead, parents should make regular requests for information under the data protection laws to monitor exactly what is held on their children and, by extension, on them.
Finally, although the database is ostensibly for the protection of children, it is disturbing that children’s details will not be erased when they turn 18 (or 25 for those who stay on until then.) The government hasn’t even pretended that the files will be erased when a child reaches adulthood. The regulation is clear: they are “archived”.
Snowdon on Schools 