Feeds

Did UK.gov break the law with its child database?

Whitehall promises answers on specs of binned ContactPoint

High performance access to file storage

Analysis Did the Department of Education (DoE) – or Children, Schools and Families (DCSF), as it was then known – knowingly break the law in its establishment of the ContactPoint database?

The instant answer is: we don’t know. However, a history of excuses, delay and avoidance of awkward questions is starting to mount up. If the department has nothing to hide, it is certainly acting as if it has.

Meanwhile, in a bizarre new development, the DoE contacted us to say that its previous refusal to reveal what data it had been planning to collect had been a mistake. In fact, the information coded as “commercially sensitive” was not after all commercially sensitive – and they are now free to release it to us.

The ContactPoint database was first mooted in 2004 as a response to failures in the social care system – most notoriously in the case of Victoria Climbié.

There, the fact that various case workers dealing with Victoria’s family failed to share their knowledge was considered to have contributed to the child’s eventual terrible death. As a result, the government determined that it would set up a database enabling any and every person likely to be called upon to look out for a child’s welfare to access current dealings with that child at the touch of a button.

That was the original vision: wide-ranging information about all children, available to all. It did not long survive public criticism, with fears that too much information on such a base would be a massive risk to child welfare in its own right. A slow but insistent whittling back of the categories of person allowed access to the base began.

Thus, from a base that would enable care workers and police to share information about children at risk, it dwindled to little more than a glorified interdepartmental telephone directory, linking the contact details of individuals who had had dealings with any particular child through a central online database. It would not even be available to all police or all care workers, being operated instead through a series of gatekeepers.

This, in turn, led to a number of arguments as to the numbers likely to have access to the database – and one of the first signs that the DCSF preferred to keep its good works hidden rather than see them exposed to the light of day. In 2008, following work by the Register looking at the categories that the government claimed would have access to the base, we suggested publically that far from the low figure trumpeted – of near 300,000 – the end result was likely to be closer to 1 million.

This was vigorously denied – but our story led, eventually, to a statement being sneaked out in the last days of the 2007/8 parliament to the effect that the numbers would be closer to 400,000 - or 25 per cent higher than originally announced.

However, the possible law-breaking lies in a rather different area. Instead of simply passing a law enabling the Secretary of State to set up a database for purposes of child protection, the Children Act 2004, refined by regulations published in 2007, went into mind-boggling detail as to what the Department might do. Section 12 of that Act reads rather more like a management data specification than UK legislation. It states that the Department may collect information such as the name, address, gender and date of birth, an identifying number and contact details of any person with parental responsibility.

Crucially, by including so much detail, it raises the possibility that collecting information not on this list is likely to be unlawful.

The categories of information included in that list are not many, nor are they difficult to capture. The largest cost, according to suppliers of systems of this kind, was likely to be around the ETL processes necessary for scraping contact details from a dozen or more different governmental systems in order to feed data into the ContactPoint base.

Nonetheless, the cost, widely publicised as £224m, looked well out of kilter with what was being proposed, and we began to wonder if the DCSF hadn’t actually exceeded its brief, and that it was not, in fact, collecting rather more than the legislation allowed.

An official statement from the DoE recently revealed: "The final total cost of setting up ContactPoint has not yet been determined but it will be less than the budget provision of £224m. The set-up costs cover the design, build and test of the system; however, the cost of coding and other individual elements of the work can not be separately identified."

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.