How the gov's child protection database fails to add up

Risk-averse authorities likely to treble access

Combat fraud and increase customer satisfaction

Comment A day after yet another case of a child brutalised in its own home, despite massive intervention from a range of support services, hits the headlines, The Register takes a closer look at what the government has led the public to believe in respect of the ContactPoint database.

One "fact" that has been repeated ad nauseam by government ministers – and apparently swallowed hook line and sinker by the press – is that ContactPoint is likely to allow just 330,000 officials across England to "use" the contact details for children on the system. That total is already too high for many critics.

So we wonder what the reaction will be to the revelation that the number with "access" could top the million mark? Pay close attention to the choice of words here: government ministers have drawn a distinction between "use" and "access", which could be no more than careless use of language, or a much more deliberate misleading of the public over the scope of an increasingly unpopular project.

We have looked closely at the categories of individual that the DCSF claims will be able to access ContactPoint. These are set out in the Children Act 2004, refined by regulations published in 2007 and repeated by the Minister last week.

Using even conservative estimates of the proportion of each of the categories listed that will have access to ContactPoint, The Register comes up with a figure of just over one million. If the Department of Children, Schools and Families wishes to take issue with us, we are more than happy to share our spreadsheet model with them.

Ah yes, but surely access will only be on a "need to know" basis? We think not. There are three reasons for this.

The government case for ContactPoint is based on two arguments: first that tragedies such as the Victoria Climbié case would not have happened, had all the agencies that could have intervened been able easily to note that the child was already of concern to other agencies. The fact that this argument is wholly fallacious in the case of Victoria Climbié, who was subject to multiple interventions before her death, has never prevented ministers from repeating it.

However, the fear that this argument introduces into the equation is real enough. Managers of any body that might end up carrying the can for future failures will do all in their power to prevent being stuck with the blame. So the likelihood is that managers will err on the side of caution or (personal) risk minimisation. Better to have as many people in your department as possible able to access a child's details, than to perhaps one day have to explain why a particular child could have been saved had access been more widely distributed.

Earlier in the year, The Register looked at the numbers behind the government's proposed vetting database and came up with figures significantly higher than those put forward by government. The difference? We used the same approach, but counted those who were likely to end up being vetted in today's blame-averse culture, as opposed to those who needed to be vetted.

Second, as the government is at pains to point out, ContactPoint will pay for itself many times over in time saved by practitioners at every level. Such benefit is likely to be reduced significantly if teams have some individuals with access, and some without.

Finally, a factor that might add slightly to the final tally, is the way in which authorisation to use the system is managed. When an individual leaves their place of employment, the government guidelines suggest they should be stripped of their access to ContactPoint. We suspect, however, that where individuals are simply moved sideways, human nature will lead to some continuing to have access long after they strictly no longer need to know.

Where did the original figure of 330,000 come from? We have asked the DCSF, but at time of writing have had no answer. Our guess is that when the estimate was first drawn up, some use was made of responses to questionnaires sent out to local councils. An original survey was sent out last year, with a follow-up apparently due to be completed in September 2008.

If that is the case – and without DCSF confirmation we cannot be sure – then the estimation method may be badly flawed. Asking councils about their likely take-up of a new system nearly two years before it goes live is akin to product research that asks consumers about buying intentions for a non-existent product. It doesn't work.

Matters may be further complicated by suggestions that some individuals may need more than one log-on. This is because the system is designed so that users can only see data appropriate to their current role, which could be an issue for users with multiple roles.

Apart from the implications such an increase in numbers might have for security, there is the slight technical matter of whether the database has been designed with scaleability in mind. A system designed for 330,000 users is a very different beast from one designed for one million, and could suffer accordingly. ®

News: UK's 'secure' child protection database will be open to one million

How we reached our numbers

Our model starts with the categories that may have access to the new ContactPoint database and simply counts up from there. Before we hear cries of “that’s unrealistic”, we have also applied some very serious downward weightings on some groups, on the grounds of common sense.

We suspect our approach is different from that of the DCSF, as they will have started with Local Authority intentions – which, as experience of the Vetting Database shows, can very quickly be overtaken by events.

From the model:

Category Source UK Figure Access Assumption
General practitioners s 2 of the appropriate regs 196,814 157,451 Downweighted for England and some non-takeup – but assume about 80 per cent in total
Chiropractors As above n/a 0 We cannot believe any significant number of chiropractors will access the database
Police s.3 184,710 166,239 Slight downweight – but do we believe, in the long run this base will not be available to all officers? Also, no count included for other employees, who are included in this section
Teaching Staff s.9 767,050 153,410 Significant downweight, but given the number of categories intended to be allowed access, not unrealistic

The categories listed above are just examples of the categories drawn from our model. We have of course also included some nursing staff, social workers, midwives, health visitors - and more besides.

Where our model may actually be far too conservative is over the question of administrative staff who will have access to ContactPoint. These are included in the government guidelines, but are much vaguer than the above categories.

Top three mobile application threats

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
UK.gov chucks £28m at F1 tech for buses and diggers plan
Well, not really F1 but who's heard of LMP and VLN*?
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.