| Previous Section | Index | Home Page |
5 Mar 2008 : Column 2635W—continued
when there is any significant change in the external threat level or any significant project change.
These plans will be kept under review. Decisions about making the reports public will be taken on a case-by-case basis.
In response to question 190736, the decision to publish only the executive summary of the Deloitte report was taken on 13 February 2008.
In response to question 190737, the executive summary includes all the recommendations. The Government have accepted them all.
In response to question 190738, ContactPoint is expected to be deployed to ‘Early Adopter’ local authorities and two of our seven national partners by the end of October 2008 and to all other local authorities and national partners in 2009.
In response to question 190739, an interim assessment has been conducted which indicates that the
recommendations can be implemented within the current planned budget and timescale. The full assessment can only be made once the updated risk assessment is completed.
In response to question 190740, ContactPoint will continue to be reviewed by independent security experts during system build and before it is implemented. Security will, of course, be audited during operation. It has not yet been decided who will conduct further independent reviews.
In response to question 190750, the Deloitte review did not identify any significant security issues, but made a number of minister recommendations for controls to be in place when the system goes live in addition to those already planned. The report observed that the importance of security appears to be ingrained within key areas of the ContactPoint Project. The first task, which is already under way, is to undertake an impact assessment of the detailed recommendations contained in the report.
Mrs. Maria Miller: To ask the Secretary of State for Children, Schools and Families (1) when the ContactPoint user acceptance test referred to in the written statement of 21 February 2008, Official Report, columns 55-8WS, on ContactPoint, will be undertaken; and what use will be made of the results; [190741]
(2) on what occasions ContactPoint will require (a) hard and (b) electronic data; [190742]
(3) what arrangements he has made for (a) independent accreditation and (b) ongoing monitoring of security procedures within organisations which have access to ContactPoint; [190743]
(4) what procedures will be put in place to ensure that all organisations accessing the ContactPoint database are aware of their responsibilities on security; what auditing will take place to ensure compliance; and if he will make a statement; [190745]
(5) what work has been undertaken to establish the level of risk of security breaches occurring in the ContactPoint database; and if he will make a statement; [190746]
(6) what level of security risk his Department has determined as acceptable for ContactPoint; [190747]
(7) what plans there are to review the role of self-certification as referred to in the written statement of 21 February 2008, Official Report, columns 55-58WS, on ContactPoint; and if he will make a statement; [190748]
(8) what plans he has to monitor compliance with self-certification procedures among organisations connecting to ContactPoint; and how this will be funded; [190749]
(9) what (a) security, (b) auditing and (c) other procedures will be followed when a ContactPoint user wants to gain access to a common assessment framework assessment for a particular child. [190751]
Kevin Brennan: In response to question 190741, ContactPoint User Acceptance Testing is scheduled to take place between July and September 2008.
We plan to engage a representative set of future ContactPoint users to:
Verify that CP meets the stated business requirements, and its practical readiness,
Ensure the end to end system and processes meet the defined acceptance criteria.
User Acceptance Testing will form an important part of assessing ContactPoint is in readiness for deployment.
In response to question 190742, all data inputs to ContactPoint will be delivered over secure electronic channels. The frequency of updates of this data will vary depending on what is practicable and desirable for each source.
In response to question 190743, (a) All partner organisations will be supported through their accreditation process by the local authority acting as an independent sponsor. Those performing the sponsor roles will be trained and appropriately qualified, (b) Ongoing monitoring will be performed at multiple levels across the ContactPoint delivery structure.
The following will be in place:
monitoring of user access by line management;
compliance checks—that line management is monitoring user access by each organisation's internal audit or compliance team;
monitoring—that line management are monitoring their users by the local ContactPoint management team;
compliance checks— that the local authority ContactPoint team is performing its monitoring role by each local authority's internal audit or compliance team;
monitoring - that line management are monitoring their users by the local ContactPoint management team;
compliance checks - that the local authority ContactPoint team is performing its monitoring role by each local authority's internal audit or compliance team;
local authorities will log and monitor complaints and data subject access requests, identifying where follow up checking needs to take place;
discussions will be held between local authority internal audit and the internal audit of those organisations using ContactPoint to ensure congruence of risk assessments and sharing of lessons learned;
regular reviews of local authority ContactPoint team activities;
spot checks by organisation, local authority and nationally;
national reviews of management information based on a range of security
parameters;
Any areas of concern flagged by monitoring will be linked to mandatory follow-up procedures, including internal disciplinary action which could lead to dismissal and/or criminal prosecution.
All monitoring is linked to a process of continual improvement, with the objective of strengthening the effectiveness of monitoring, detection and follow-up activity.
In response to question 190745, accreditation will ensure a range of organisational policies and procedures are in place in each accredited organisation. These include a requirement to appoint responsible and accountable officers, to train staff, to set out accountabilities, to plan and implement a programme of inspections and audits, and to report issues to the sponsoring local authority.
Auditing is a multi-level series of cross checks, executing monitoring activities, and checking that monitoring is taking place.
Responsibilities will be set out clearly and will be covered in training and supporting materials (such as guidance and user manuals). Regular meetings will be used (between local authorities and partner
organisations, and between the national team and local authorities) to ensure messages on responsibilities continue to be understood, to promote best practice, to raise and resolve issues around compliance, and to discuss other operational issues or difficulties.
In response to questions 190746 and 190747, in determining the security policy for ContactPoint, the Government guidance on risk assessment and security controls set out in the Cabinet Office's Manual of Protective Security was followed. A risk assessment was carried out, in 2005, at the start of the ContactPoint project before any solution design or requirements were specified. It was updated in June 2006. Deloitte concluded that the approach followed was valid.
ContactPoint has been designed to be highly secure and has controls at different levels to protect against security breaches. This will be kept under continuous review.
Security is, and always has been, of paramount importance to the ContactPoint project and this was recognised in the Deloitte report.
ContactPoint will not be deployed until it has been subject to rigorous penetration testing by people who are experts in the IT security field and approved by the Communications and Electronics Security Group.
The Department's aim is to ensure that any potential risks from ContactPoint will be less than the risks from not having it.
In response to questions 190748 and 190749, the accreditation plans were under development at time of the Deloitte review and indicated that self-certification would be used where appropriate in order to minimise burdens.
Self-certification will be reviewed as part of the risk assessment scheduled to be completed by May 2008. Unacceptable risks to security will not be introduced by the use of self-certification.
Self-certification of local partner organisations will be subject to verification by a local authority sponsor who will assure compliance with procedures. Funds have been allocated to local authorities to support these roles.
In response to question 190751, there will be no access to the CAP itself, nor any of the details within it, from ContactPoint. If the ContactPoint user believes that they should contribute to, or see, the CAP assessment they would contact the practitioner whose details have been provided to ContactPoint as the person ‘holding’ the CAP.
Practitioners will only become involved in CAP assessment with the informed, explicit consent of the child or young person (or their parent/carer where appropriate).
Departmental Accountancy
Mr. Hoban: To ask the Secretary of State for Children, Schools and Families what items of his Department's (a) revenue and (b) expenditure are uprated using (i) the consumer prices index, (ii) the retail prices index and (iii) other measures of inflation. [179944]
Kevin Brennan:
The Department uses a range of indices in order to uprate the grant payments it makes to its wide range of delivery partners. Decisions on the
appropriate indices to apply to the different types of grant expenditure are devolved to the individual business units within the Department and this information can be gathered only at disproportionate cost.
Departmental Data Protection
Keith Vaz: To ask the Secretary of State for Children, Schools and Families what procedures are in place in his Department to ensure that personal information relating to members of the public is (a) stored and (b) transported securely. [168482]
Kevin Brennan: I refer the hon. Member to the statement made by my right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within departments and agencies for the storage and use of data. A statement on Departments’ procedures will be made on completion of the review.
Mrs. Villiers: To ask the Secretary of State for Children, Schools and Families whether personal data for which his Department is responsible is (a) stored and (b) processed overseas; and if he will make a statement. [176025]
Kevin Brennan: The Department collects and holds personal data. This data is used for a variety of purposes, including funding and for school accountability. Some of this data is stored overseas.
Departmental Email
Mr. Jenkins: To ask the Secretary of State for Children, Schools and Families if he will take steps to reduce the number of hard copies of emails being printed unnecessarily by officials in his Department. [179471]
Kevin Brennan: The Department has already taken steps to reduce the number of hard copies of emails being printed. We provide:
Flexible and robustly maintained systems for electronic reading, production, transfer and filing of all documents to reduce the volume and need for hardcopy prints; and
Information and best practice techniques on how staff can help the Department reduce waste through careful use of scarce resources and new ways of working.
To ensure sound environmental management systems are maintained we require policy leads to:
Keep reviewing the Department's waste management policy to ensure it aligns with Government intent and adopt any new initiatives relating to waste, where appropriate;
Encourage the generation of new ideas by staff to improve our waste handling;
Learn from our peers in the public sector and benchmark our progress against public and private sector organisations; and
Work with our recycling suppliers to develop more sustainable methods and reward innovation.
Departmental Equality
Roger Berry: To ask the Secretary of State for Children, Schools and Families what conclusions his Department has reached in fulfilment of the duty under section 3.111 of the statutory code of practice of the disability equality duty. [190761]
Kevin Brennan: The Department’s most recent conclusions can be found in our Single Equality Scheme which was published online in December 2007. The scheme can be found at
with the disability update available at
Departmental Finance
Michael Gove: To ask the Secretary of State for Children, Schools and Families how many agencies, organisations and non-departmental bodies receive funding from his Department; and how much was spent on such bodies in each of the last three years. [191294]
Kevin Brennan: ( )The Department for Children, Schools and Families was created in the( )machinery of government change in June 2007. The following table sets( )out the grant in aid received by each of the Department's non-departmental( )public bodies for the last three years taken from the resource accounts together( )with the funding provided to local authorities and other expenditure for the( )predecessor body the Department for Education and Skills. The ‘other( )expenditure’ may include expenditure not relating to organisations. To provide( )the detail requested for relating to just DCSF would involve disproportionate( )cost. The Department has no Agencies.
| Next Section | Index | Home Page |