| Previous Section | Back to Table of Contents | Lords Hansard Home Page |
Children Act 2004 Information Database (England) Regulations 2007
7.19 pm
The Parliamentary Under-Secretary of State, Department for Children, Schools and Families (Lord Adonis) rose to move, That the draft regulations laid before the House on 4 July be approved.
The noble Lord said: My Lords, these regulations make provision in respect of the establishment and operation of a database, ContactPoint, under Section 12 of the Children Act 2004. The regulations place a requirement on local authorities to participate in the operation of the database. They specify what information will be held, who must or can provide these data, how long they can be retained, who can be granted access and how accuracy will be maintained.
ContactPoint is essentially an electronic directory of practitioners providing services to children and young people. It will enable all practitioners working with children to find out who else is supporting a particular child to deliver better co-ordinated support. Our Every Child Matters programme aims to improve outcomes for all children. ContactPoint will help facilitate this by supporting effective prevention and swift intervention when problems arise, ensuring that children and their families gain the support of the services that they need as early as possible.
These regulations have been considered by the House’s Merits of Statutory Instruments Committee, and we are grateful to it for its thorough report, whose findings will inform our implementation policy. In the course of the committee’s deliberations, concerns were raised about the rationale for the scheme and about security, accuracy, data management, cost and universality. I will address each issue in turn.
First, why is this database necessary? Practitioners have told us that the process of identifying and contacting other professionals working with any one child is frustrating, time consuming and very costly. A recent survey of nearly 3,000 practitioners revealed that, on average, practitioners need to make contact with other services 107 times a year and it takes an average of four hours each time to do so. ContactPoint
18 July 2007 : Column 312
On security, there has been a good deal of inaccurate comment on the amount of information that will be held on a child’s record. I stress that ContactPoint will hold only basic information: name, address, date of birth, gender and a unique identifying number on children on England until their 18th birthday, together with contact details of their parents or carers, GP practice, those providing education and specialist or targeted services to a child. ContactPoint holds no case data, no clinical data, no subjective assessments and no judgmental statements about a child, their carer or parents. Details of practitioners providing sensitive services, which, for the purposes of ContactPoint, are defined as services relating to sexual health, mental health and substance abuse, may be added to ContactPoint only with the informed and explicit consent of the young person concerned or, where appropriate, their parents.
Furthermore, these sensitive practitioner contact details will be hidden from view, except for the very small number of local ContactPoint management teams who will be responsible for brokering contact between practitioners. Let me also state categorically that ContactPoint will not hold information about a child’s school record or attendance, nor—as was described in one extraordinary press report—about how many portions of fruit and vegetables they may eat. Indeed, Section 12 of the Children Act 2004 specifically precludes such information being held. Nor will information be held about their parents’ circumstances, such as whether they have a drug or alcohol problem. Regarding parents, ContactPoint will hold only the name and contact details of any person responsible for the care of a child—nothing else.
On data accuracy, each local authority in England will be responsible for the records of children in its area. Each will have a dedicated resource funded by my department to ensure that the data is accurate. We anticipate that when the system is operational, 300 people will be working specifically to ensure accuracy within local authorities. In line with the Data Protection Act, all organisations and local authorities must take reasonable steps to ensure that information supplied to, or held on, ContactPoint is accurate and up to date. Children and young people or, where appropriate, their parents or carers will have the right to see what is being held on their record and, where inaccuracies are found, to have them corrected. There will be a clear process enabling people to exercise that right, and fair processing notices will explain how the data may be used—which is also a basic right under the Data Protection Act.
I now turn to safeguards to ensure the protection of the information collected—the issue raised in the Motion tabled by the noble Baroness, Lady Morris of Bolton. The security of ContactPoint is of the utmost importance. The design and operation will adhere to ISO 27001, the new international standard for information security management systems. This
18 July 2007 : Column 313
First, we are insisting on strong user authentication—not merely a user name and a password, but four system checks: a user name, a password, a PIN number and a physical token. Secondly, all users will be trained in the importance of security and good security practice. Users will receive mandatory training and their use of ContactPoint will be audited at every stage. Their activity on ContactPoint will be subject to continuous monitoring. Any suspected misuse will be investigated and could lead to disciplinary procedures within their organisation. Where appropriate, an investigation may lead to prosecution that could result in a fine or even imprisonment.
A range of existing legislation includes penalties for the improper use of data. The Computer Misuse Act 1990 states that unauthorised access or attempted unauthorised access to a programme or data held on a computer may be punishable by imprisonment or a fine. The Data Protection Act provides that personal data unlawfully obtained or disclosed without the consent of the data controller is a serious offence, with a penalty or fine up to the statutory maximum, or an unlimited fine if the case goes to the higher courts. The Criminal Justice and Immigration Bill provides for these penalties to be increased to include imprisonment for up to two years on indictment, and up to 12 months on summary conviction. These increased penalties would apply to misuse of ContactPoint.
Controlling access to ContactPoint is an important part of ensuring that the information within it remains secure. Access to ContactPoint will be restricted to those who can demonstrate a genuine need for it to facilitate their work. User numbers are estimated at about 330,000, and will include practitioners from education, health, social care, Connexions, the voluntary sector, youth justice and the police. Before being granted access to ContactPoint, users will need a current, enhanced Criminal Records Bureau disclosure and must also have been trained in the safe and secure use of the system, in compliance with the Computer Misuse Act 1990 and the Data Protection Act 1998.
These regulations require users to renew the enhanced CRB disclosure every three years. Any conviction for offences against children, or for offences under the Computer Misuse Act 1990 or the Data Protection Act 1998, are likely to preclude access. I also note that the Information Commissioner’s Office has offered valuable advice and comment throughout the development of this project. The commissioner’s memorandum to the Merits Committee concludes,
Lord Brooke of Sutton Mandeville: My Lords, before the noble Lord leaves that subject, can he give an assurance that those who must have access to the system in order to maintain it—there will be technical inputs in that respect—will be governed by exactly the same rules that he has adduced?
18 July 2007 : Column 314
Lord Adonis: Yes, my Lords; that will be the case.
The issues of cost and universality were raised in the Motion tabled by the noble Baroness, Lady Walmsley. Why should ContactPoint hold records for every child? First, a universal system has no stigma attached; since every child is included, no judgment will be made about a child merely because they are on the database.
Secondly, the system principally supports early intervention for children who, at some point in their lives, need additional services. This is not a small proportion. It is estimated that it will comprise about 30 per cent of children at any one time and 50 per cent during their lives. However, children move in and out of that spectrum of need, and it is not possible to predict who will need these services or when. Without a universal system, practitioners would have to make decisions about the needs or vulnerability of a child without all other available information. We would be faced with a continuation of the current system, where practitioners are often able to contact only those other practitioners whom they can easily track down. Holding records only for children judged at risk or to have a need for specialist or targeted services would prove very difficult. Judgments about whether a child meets the threshold for inclusion on the database would be subjective and inconsistent.
Thirdly, the cost was also raised by the noble Baroness, Lady Walmsley, in her Motion. We are advised that it would be more expensive to try to filter out records for different categories of children. It is proportionate to hold a small amount of information on all children rather than continually making threshold decisions, each of which would have to be input into the system, about which children should be put on it and which to take off.
Our conservative estimate is that from 2009 ContactPoint will free up about 5 million hours a year for practitioners, which, as I said earlier, is the equivalent of investing an additional £88 million a year in children’s services. ContactPoint is expected to cost an initial £224 million to set up and to have annual operating costs of £41 million. Less than a fifth of the £224 million is to set up the infrastructure itself. Almost half of the funding, £103 million, is earmarked for local implementation, including workforce training, and the remaining investment is to fund project activity during the set-up period.
The Motion tabled by the noble Baroness, Lady Walmsley, asserts that investment in ContactPoint would be better spent on front-line staff. However, in an important sense it is being spent on front-line staff: it will free up their time to do their job and it will enrich their knowledge of relevant practitioners also working with a child. Furthermore, improving children’s services is not simply a matter of increasing staff numbers. Practitioners must also be able to work better together, and ContactPoint will support that much more effectively than under the status quo.
In developing ContactPoint, we have worked closely with all relevant partners to ensure that the system meets their needs. All 150 local authorities in England are preparing to start using ContactPoint during 2008. An advisory group has been set up, with membership
18 July 2007 : Column 315
Let me also stress that there is strong support for our proposals from children’s welfare organisations, which I believe should not be lightly set aside in the debate. The Merits Committee hearing report includes, for example, written evidence from Barnardo’s, which describes ContactPoint as,
- “a challenging project, but worthwhile in that it harnesses the technologies of the 21st century in support of those who work with children in the interests of the children themselves”.
The National Children’s Bureau submission to the committee also acknowledged ContactPoint’s potential,
Consultation and engagement with children, young people and parents has also been invaluable. Using questionnaires, workshops and online consultation, and engaging organisations such as the former Commission for Social Care Inspection and the British Youth Council, we have consulted more than 1,100 children and young people. At least 183,000 parents and carers have been provided with information by the trailblazer authorities, and we value greatly the feedback we have received from all these groups. With the Information Commissioner’s Office, the Children’s Rights Director at Ofsted and the Children’s Commissioner we are developing communication materials aimed at children, young people and families. These will describe what ContactPoint is, what data are to be held on it and how they can exercise their right to see their own data and, where necessary, to have them corrected. They will be developed nationally to ensure consistency and will be disseminated to local authorities so that local information can be added.
To conclude, these regulations, in providing for the operation of ContactPoint, will significantly improve the safeguarding of vulnerable children and enhance the provision of information and support for the children’s workforce in carrying out its vital responsibilities to our children and young people. I commend them to the House and I beg to move.
Moved, That the draft regulations laid before the House on 4 July be approved. 23rd report from the Statutory Instruments Committee and 27th report from the Merits Committee.—(Lord Adonis.)
7.30 pm
Baroness Morris of Bolton rose to move, as an amendment to the above Motion, at end to insert “but this House regrets that adequate safeguards are not in place to ensure the protection of the information collected”.
The noble Baroness said: My Lords, I thank the Minister for his thorough explanation of the regulations. While the debate will and must focus on the safeguards
18 July 2007 : Column 316
The Motion I have tabled goes straight to the heart of my deep concerns about these regulations, which set up a database to store the intimate details of millions of children. Doctors’ details, contact with practitioners dealing with sexual and mental health and substance abuse and contact details of parents are just some of the information fields that will be included. The legislative web surrounding these regulations renders them far wider-reaching and threatening than has been made clear. Even though the Department for Children, Schools and Families has claimed that the ContactPoint database will not contain information on cases, since 2000 under the e-Government Interoperability Framework, otherwise known as e-GIF, it has been mandatory for all public sector databases to facilitate the sharing of data across systems. Currently, a range of databases holding detailed information about children already exist in education, social care and youth justice. Can the Minister give a guarantee that ContactPoint will be exempt from the requirements of e-GIF? What steps will be taken to ensure that the child in question may not be identified by other associations in the information provided? Indeed, what protection will be provided for the list of names behind the numbers?
My first and deepest concern is for the children whose personal information is stored on the database and, if accessed by fair means or foul, could result in them being placed in great danger and in deeply vulnerable situations. It will be extremely difficult to secure such large quantities of sensitive information. Eleven million children will have their details stored on the database, and upwards of 330,000 people will have legitimate access to it. While I hope that those 330,000 people will be trustworthy, function creep develops at an alarming rate in data systems, which is all the more disquieting given the wider context of online fraud, growing at 300 per cent a year. It raises serious questions about whether we can, in reality, trust in the assurances that we are given, even though they are given in good faith at the time.
I am grateful to the Minister for confirming what training those handling the information will have and what checks they will undergo, including enhanced CRB checks. However, noble Lords will know that CRB checks only cover known criminals and fail to cover overseas workers, who now comprise a large part of the health and social care workforce. Has the Minister considered the danger of exposing such sensitive information to the extremely wide range of users, including many subgroups. Is the Minister at all concerned that employees of contracted-out services—often temporary staff—might be given access to the database?
Above all, it is vital that we do not unwittingly provide a resource indicating children’s whereabouts
18 July 2007 : Column 317
I draw attention to the 27th report of the Merits of Statutory Instruments Committee and I pay tribute to the committee for its customary diligence and excellence. It was noted that while the DCFS may be acting with good intentions, the huge number of users of the database will,
- “inevitably increase the risks of accidental or inadvertent breaches of security, and of deliberate misuse of the data ... which would be likely to bring the whole scheme into disrepute”.
I am sure that the Minister will remember fondly the amendment that I tabled last year to the Childcare Bill which would have ensured that any information collected under Clause 99 would have to be destroyed within a year. It was my understanding then that the regulations were intended to provide safeguards against the collection and processing of disproportionate amounts of information and that they would include stringent security and safeguarding measures; yet only a year later, the regulations before us contain a contradiction on the vital point of safeguarding.
A particular concern is the drafting of Regulation 6. Regulation 6(2) places a duty on local authorities to ensure that no one can access sensitive service details, archives and ID numbers on other systems. However, Regulation 6(4) is so widely drafted that it appears to negate Regulation 6(2). In effect, when the two provisions are read together, they seem to say that a local authority must hide the details but can decide not to. To allow loopholes to rest in regulations of this importance and sensitivity is nothing less than unacceptable.
A survey of local authorities carried out by my honourable friend Tim Loughton MP shows the state of disarray on the ground. Authorities do not feel ready for the system. Moreover, in light of the appalling records around the country, as expressed in the Information Commissioner’s latest report, councillors have expressed,
The Government intend to use the system to improve the care of and provision for children. Their intentions are of the best kind and are shared in principle by all noble Lords. Yet it is the very system that they seek to rely on that risks stigmatising children and discouraging them from seeking help where necessary.
The Minister said that the regulations had the backing of many children’s welfare organisations. However, the majority of young people and parents consulted
18 July 2007 : Column 318
The ContactPoint system, we are told, is intended to prevent another Victoria Climbié situation. However, that is not quite accurate. The agenda for the collection of children’s data began with the programme originally called “identification, referral and tracing”, which predates the Laming inquiry and does not mention child protection in its original criteria. Moreover, the child protection specialist Chris Mills has already ascertained that the system would not have applied to Victoria Climbié, given her temporary residency in this country.
| Next Section | Back to Table of Contents | Lords Hansard Home Page |