UK govt told to tighten child database security

Technical and procedural controls are recommended

A proposed £224 million (NZ$546 million) UK child database will never be totally secure experts have warned.

A report commissioned by ministers on the security procedures of ContactPoint, the database that will contain information on every child under 18 in the country, recommends further controls are introduced over the access to data by "central system users, such as database administrators and report programmers."

The report, commissioned by the Department for Children Schools and Families and conducted by accountants Deloitte and Touche, states that security risks can "only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring."

"What is important is that all practical steps to reduce the risk of incidents occurring are taken and when an incident occurs, that it is handled and managed effectively," says the report.

On a positive note, the review stated that information security had "been ingrained" within people, processes, policy development, requirements definition and architecture.

The report made a number of recommendations, notably that technical and procedural controls are subject to formal assurance under a recognised standard. Other recommendations include that processes are defined for the safe destruction of physical and electronic media and that clear security advice is given to all helpdesk staff on the production system.

Deloitte also calls for a further review of the system be carried out when all systems and procedures were in place.

ContactPoint will begin operation in September or October this year, as part of the government's Every Child Matters programme to improve childrens' services. Details stored on the database will include name, address, gender, date of birth and a unique identifying number for every child in Britain under the age of 18. The database will record whether a child has been assessed by a school or social services, but no case information will be stored. It will also hold the name and contact addresses for parents, schools and GPs.

According to the ContactPoint website, access to ContactPoint will be "limited to those who need it as part of their work and subject to stringent security controls." Authorised users will include those working in health, education, youth justice, social care and voluntary organisations.

Kevin Brennan, the under-secretary of state for children, young people and families, accepted the report's findings and said the government "will address them."

"The design and implementation of ContactPoint will continue to be reviewed by independent security experts during system build and before it is implemented. Security will of course be audited during operation," says Brennan.

Brennan detailed the security measures that will be in place, including two-factor authentication for all users that will consist of a security token and a password.

Join the newsletter!

Error: Please check your email address.

Tags securitySecurity IDuk child database

Show Comments
[]