ContactPoint offers tokens for access
Restricted to three government departments, 100 local authorities
The Department for Children Schools and Families has begun to roll out the authentication process for access to the ContactPoint database.
The first registration authority for the Employee Authentication Service (EAS) went live on 8 June 2009, beginning to issue tokens to a few hundred staff involved in the department's extranet services.
Under the EAS, staff with approved access to ContactPoint will be issued with a token, smaller than a credit card, on which they can type in their personal identification numbers. It will then generate a code on an LCD display which they can use one time for access to the database through an authorised computer.
The extent of access depends on what has been approved for the individual. ContactPoint will provide details of contact with the state for every child in England. It has attracted intense criticism from privacy campaigners, but the DCSF has said the EAS provides a robust method of authentication which will protect the system from abuse.
John Skipper, design authority for the EAS, told GC News that the DCSF and Department for Work and Pensions, which together with Communities and Local Government have sponsored the EAS programme, have signed up as registration authorities, along with more than 100 local authorities.
With early adopters beginning to use ContactPoint, the first local authority will begin to issue EAS tokens in July, and a national roll out is planned for October.
"We're doing this in a measured way because it is a security critical project," Skipper said. "We're not rushing to push it out indiscriminately."
He added that the EAS has been developed as a shared service which could be used for authentication for a range of other government services.
This article was originally published at Kable.
Kable's GC weekly is a free email newsletter covering the latest news and analysis of public sector technology. To register click here.
Suppose we have a child, lets call that child 'P".
Can we have a list of the names of all the people that can access 'P''s records? Would that list be 10 names long (e.g. 'P's teacher, headmaster, social worker, doctor....) or would it be 100 names long (e.g. every teacher, every headmaster, every social worker) or 1000 names long (I see they're including police and charities and civil service unconnected with children and plastic police and local government and pretty much anyone dressed in a high visibility jacket)?
Or are we talking about anyone among 300,000 plus people ultimately can dig into 'P's details?
Also I see the rozzers have their own child database 'Merlin' which doesn't have these controls on it. Can the rozzers fill their own database with data taken from Contact Point?
Also I notice that MPs think their own children are not on the database. When I reckon they are on that database, just that those records are shielded from some of the roles. So how many thousands of people in which roles can see the data on children of MPs?
Seems to me, they are talking in general terms about logging in to the database with tokens, and general stuff about background checks, which is a sure sign of major design flaws. As the saying goes, the devil is in the detail.
Is the the DWP or HMRC that are responsible for Child Tax credits?
RE: Tokens, labels and blu-tack.
Even better than that -- I bet the system they use allows for "temporary passwords" used when the token is "mislaid" and that a significant number of people will end up with such passwords.