How the gov's child protection database fails to add up

Risk-averse authorities likely to treble access

High performance access to file storage

Comment A day after yet another case of a child brutalised in its own home, despite massive intervention from a range of support services, hits the headlines, The Register takes a closer look at what the government has led the public to believe in respect of the ContactPoint database.

One "fact" that has been repeated ad nauseam by government ministers – and apparently swallowed hook line and sinker by the press – is that ContactPoint is likely to allow just 330,000 officials across England to "use" the contact details for children on the system. That total is already too high for many critics.

So we wonder what the reaction will be to the revelation that the number with "access" could top the million mark? Pay close attention to the choice of words here: government ministers have drawn a distinction between "use" and "access", which could be no more than careless use of language, or a much more deliberate misleading of the public over the scope of an increasingly unpopular project.

We have looked closely at the categories of individual that the DCSF claims will be able to access ContactPoint. These are set out in the Children Act 2004, refined by regulations published in 2007 and repeated by the Minister last week.

Using even conservative estimates of the proportion of each of the categories listed that will have access to ContactPoint, The Register comes up with a figure of just over one million. If the Department of Children, Schools and Families wishes to take issue with us, we are more than happy to share our spreadsheet model with them.

Ah yes, but surely access will only be on a "need to know" basis? We think not. There are three reasons for this.

The government case for ContactPoint is based on two arguments: first that tragedies such as the Victoria Climbié case would not have happened, had all the agencies that could have intervened been able easily to note that the child was already of concern to other agencies. The fact that this argument is wholly fallacious in the case of Victoria Climbié, who was subject to multiple interventions before her death, has never prevented ministers from repeating it.

However, the fear that this argument introduces into the equation is real enough. Managers of any body that might end up carrying the can for future failures will do all in their power to prevent being stuck with the blame. So the likelihood is that managers will err on the side of caution or (personal) risk minimisation. Better to have as many people in your department as possible able to access a child's details, than to perhaps one day have to explain why a particular child could have been saved had access been more widely distributed.

Earlier in the year, The Register looked at the numbers behind the government's proposed vetting database and came up with figures significantly higher than those put forward by government. The difference? We used the same approach, but counted those who were likely to end up being vetted in today's blame-averse culture, as opposed to those who needed to be vetted.

Second, as the government is at pains to point out, ContactPoint will pay for itself many times over in time saved by practitioners at every level. Such benefit is likely to be reduced significantly if teams have some individuals with access, and some without.

Finally, a factor that might add slightly to the final tally, is the way in which authorisation to use the system is managed. When an individual leaves their place of employment, the government guidelines suggest they should be stripped of their access to ContactPoint. We suspect, however, that where individuals are simply moved sideways, human nature will lead to some continuing to have access long after they strictly no longer need to know.

Where did the original figure of 330,000 come from? We have asked the DCSF, but at time of writing have had no answer. Our guess is that when the estimate was first drawn up, some use was made of responses to questionnaires sent out to local councils. An original survey was sent out last year, with a follow-up apparently due to be completed in September 2008.

If that is the case – and without DCSF confirmation we cannot be sure – then the estimation method may be badly flawed. Asking councils about their likely take-up of a new system nearly two years before it goes live is akin to product research that asks consumers about buying intentions for a non-existent product. It doesn't work.

Matters may be further complicated by suggestions that some individuals may need more than one log-on. This is because the system is designed so that users can only see data appropriate to their current role, which could be an issue for users with multiple roles.

Apart from the implications such an increase in numbers might have for security, there is the slight technical matter of whether the database has been designed with scaleability in mind. A system designed for 330,000 users is a very different beast from one designed for one million, and could suffer accordingly. ®

News: UK's 'secure' child protection database will be open to one million

How we reached our numbers

Our model starts with the categories that may have access to the new ContactPoint database and simply counts up from there. Before we hear cries of “that’s unrealistic”, we have also applied some very serious downward weightings on some groups, on the grounds of common sense.

We suspect our approach is different from that of the DCSF, as they will have started with Local Authority intentions – which, as experience of the Vetting Database shows, can very quickly be overtaken by events.

From the model:

Category Source UK Figure Access Assumption
General practitioners s 2 of the appropriate regs 196,814 157,451 Downweighted for England and some non-takeup – but assume about 80 per cent in total
Chiropractors As above n/a 0 We cannot believe any significant number of chiropractors will access the database
Police s.3 184,710 166,239 Slight downweight – but do we believe, in the long run this base will not be available to all officers? Also, no count included for other employees, who are included in this section
Teaching Staff s.9 767,050 153,410 Significant downweight, but given the number of categories intended to be allowed access, not unrealistic

The categories listed above are just examples of the categories drawn from our model. We have of course also included some nursing staff, social workers, midwives, health visitors - and more besides.

Where our model may actually be far too conservative is over the question of administrative staff who will have access to ContactPoint. These are included in the government guidelines, but are much vaguer than the above categories.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.