Government Handling Of Central Data

ORG community action points

  • Write to your MP asking him/her to:
    • Write to the information commissioner
    • Sign the EDM
    • Attend the House of Commons on Monday 17th December and respond to any Parliamentary statement following the publication of the Poynter Review

ContactPoint

In the wake of the Victoria Climbié affair, the government announced (Dec 2005) that it would create a child-information sharing index across 150 councils in England by the end of 2008, costing £224m to implement and £41m/yr to run. The name given, ContactPoint, is uncomfortably similar to ChoicePoint, a brand associated at the time with the worst data breach in history.

Children's charities are horrified at the risk to children and the expense. FIPR wrote a damning report on this for the ICO, which took some time to publish it. The government claims the FIPR ICO report was out of date and had inaccuracies. The ContactPoint project team appears to believe it has addressed the key objections. FIPR sees this as part of a long pattern of brushing aside expert advice on the security implications of large centralised databases, and the children's charities (notably ARCH) are not mollified.

The database will be accessible to at least 330,000 users. There is no sign of any of the proposed safeguards that were promised.

Research by the Office of the Children's Rights Director for England, published Nov 07, maps out children's concerns. E.g. (from KableNet):

Children feared that electronic security tags and passwords would not be enough to prevent some staff from passing data on to other people, exposing their details to unauthorised people. They said that only people with a high level of knowledge about a child beforehand should be permitted to use the database to find out more information.
"Children want to be assured that their information will remain safe and confidential and have asked specifically that the government will never in the future put a child's photograph or telephone number on the database," said Morgan. "There will always be a need to keep security under review, as the repercussions of information falling into the wrong hands could be extremely dangerous."
Concerns were also expressed that the database would not hold information about the children and young people who needed it most, such as homeless children or those seeking asylum. They also felt that it could be hard to find an approved person to look up information in an emergency, for example, when a child was admitted to hospital after an accident.

Partly due to her backing of the Child Database, Privacy International awarded Margaret Hodge MP the 2004 Big Brother Award for "Worst Public Servant".

[1]

"Unless the system is secure, the result will be that sensitive information will fall into the hands of potential abusers of children and traders of information," a letter signed by the Independent Schools Council, Privacy International and the Foundation on Information Policy Research said.
Concerns have been intensified by the admission that, while every child under 18 in England will have a record, ministers have allowed some children to be given extra protection. The “shielding” mechanism will mean that information on the offspring of some politicians and celebrities could be left off the main database.
Children’s rights campaigners and computer security experts say that this amounts to an acknowledgment that the database will not be secure. “The Government acknowledges the risks by instituting these protocols on celebrity and vulnerable children but all children are potentially vulnerable,” Terri Dowty, of Action on Rights for Children, said.

Children Bill to introduce surveillance of every child and record "concerns" about their parents

The information-sharing goes far beyond concerns that a child is at risk of significant harm. It is the Government's intention that it should include youth offences, educational issues and medical information about each child. It will also include information about other family members that may be considered relevant, such as suspected drug and alcohol misuse or mental health problems.

Why Social Workers Oppose the Child Database

The Children Act 2004 makes provision for a national child database which will contain records for every child under 18 and include contact details of parents/carers and education and health services involved with the child. More alarmingly the database will also include information about the existence of any undefined 'cause for concern'. Social workers are being told that this database would help them identify children at risk and make it easier for them to keep families under surveillance. The truth is that the database is unnecessary, unworkable and uneconomic and the problems created by it would far outweigh the benefits. It is also a distraction from the real problems in children's services.

NHS

The Guardian, "Family doctors to shun national database of patients' records", 20 November 2007

One doctor said "Our current record confidentiality has been breached by a local primary care trust manager and we only found out by accident. I cannot trust the security of a national scheme."

http://www.publications.parliament.uk/pa/cm200607/cmselect/cmhealth/422/422.pdf The House of Commons Health Committee, in its report on "The Electronic Patient Record":

EPR systems also bring new risks, particularly to the privacy and safety of health information. Electronic systems allow access to data from many locations, increasing the likelihood of a security breach; they can also give individuals access to much more data than was previously possible, increasing the damage caused by system misuse. Personal health information is often highly sensitive, and it is therefore difficult to repair the damage caused by a breach of privacy. All these risks can be mitigated, but there is little doubt that EPR systems will create, as the European Data Protection Working Party acknowledged, "a new risk scenario" for personal health information. ...

Important components of the SCR [Summary Care Record] have not yet been completed. "Sealed envelopes" will allow patients to restrict access to particularly sensitive information and are an important safeguard for patient privacy. Meanwhile the HealthSpace website will allow patients to access their SCR from home and has great potential for making care more patient-centred. We therefore recommend that both “sealed envelopes” and HealthSpace are implemented as soon as possible. We also make specific recommendations for improving these features of the SCR.

Maintaining the security of the SCR and other NCRS systems is a significant challenge. Each SCR will be potentially available across the country to a wide range of different users, making operational security especially problematic. Connecting for Health, the organisation responsible for delivering NPfIT, has taken significant steps to protect operational security, including strong access controls and audit systems. However, the impact of these measures in the complex environment of the NHS is difficult to predict. We recommend a thorough evaluation of operational security systems and security training for all staff with access to the SCR.


This date may be critical. 17 November 2007

Electronic patient records will not be introduced across England until lessons from early adopter sites have been understood.

In a 12-point response to concerns raised by BMA council chair Hamish Meldrum about the NPfIT (National Programme for IT), health minister Ben Bradshaw says there are no plans to implement the SCR (summary care record) until after an independent evaluation into how security and patient confidentiality have worked at the six PCTs piloting the scheme.

Mr Bradshaw writes: "The success or failure of the SCR depends on our being able to establish public and professional confidence in the confidentiality with which the personal health data it will contain is treated. There are no plans for deploying the SCR beyond the early adopter sites until we have understood the lessons from the independent evaluation from University College London."

In an August letter to Mr Bradshaw, Dr Meldrum says NPfIT is ‘important but contentious’ and the BMA wanted it to succeed.

He sets out 12 steps recommended by the BMA to renew engagement with system users, generate confidence in the SCR, tackle implementation issues and provide clarity about the secondary uses service. Under this service, data could be used for audits and monitoring health trends.

Delegates at this year’s BMA annual representative meeting in Torquay said the association should withdraw cooperation with the centralised storage of all medical records because of security and confidentiality concerns.

The SCR, which includes patient records on prescriptions and drug allergies, is a first step to building up the NHS Care Records Service, a national computer database that will enable doctors and nurses to access records during emergencies.

In his response, Mr Bradshaw says that an EU working party has suggested it might be legally difficult to provide electronic health records until the European Data Protection Directive can be amended.

He says it could be amended to "reflect better the realities of team-based modern healthcare and to allow for the impact of UK domestic common law [on] confidentiality".

The health minister also says:

  • The NPfIT local ownership programme puts strategic health authorities in charge of designing, building and testing IT systems
  • Public information campaign material has been developed to ensure PCTs have a standard package to explain SCR to patients
  • A choice of IT systems for secondary care would ‘impede severely the NHS’s ability to work collectively, and trusts would then be relying on loosely interfacing IT solutions rather than … [an] integrated IT solution’
  • The public will be fully informed about the secondary uses service, and ‘appropriate mechanisms’ will be put in place for this.

Identity cards

http://news.zdnet.co.uk/itmanagement/0,1000000308,39287089,00.htm Colin Langham-Fitt, acting chief constable of Suffolk Constabulary, slammed the proposed National Identity Register as creating a massive security threat.

Langham-Fitt said that criminals would pay unlimited amounts to subvert the national identity database. "In creating a national database you are creating a gold standard for ID [authentication]," said Langham-Fitt. "It will be worth whatever it costs to hack it, to mirror it and subvert it."

Annette Vernon, the chief information officer of the Identity and Passport Service, said: "We're already in a society where a lot of information is held in a myriad of places. Data held centrally will be more secure."


http://www.publications.parliament.uk/pa/cm200506/cmselect/cmsctech/1032/1032.pdf

132. As already discussed, the Home Office has emphasised that the system may not necessarily be one database (see paragraph 22). Katherine Courtney explained that it “is an assumption that there is one database. We have not predetermined the architecture of this system”. Nigel Seed clarified the point by saying that “If industry comes back and says one single monolithic database is the best way and it meets all the requirements then there may be one database. Equally, they could come back and say the security is increased by having partial data here and partial data elsewhere”. The solution proposed by industry will have to meet the requirements of the security accreditors.
133. There have been numerous assertions that a single database would increase vulnerability and risk. The UK Computing Research Committee (UKCRC) said in evidence to the Home Affairs Committee, “if you create either a single card that has multi functions or a single database then you are adding to the nation’s critical infrastructure unnecessarily and by doing that you are making a very large range of services, probably a growing range of services, vulnerable to a single attack”. Jerry Fishenden, National Technology Officer at Microsoft has also been reported as saying that “putting a comprehensive set of personal data in one place produces a honeypot effect—a highly attractive and richly rewarding target for criminals”.


http://www.official-documents.gov.uk/document/cm69/6942/6942.pdf Point 42 is the government response:

42. The Government is very conscious of how important it is to ensure that the National Identity Scheme is secure and accepted a specific amendment to the legislation when it was going through Parliament which emphasises this requirement (This led to the requirement that the record of data should be "secure and reliable" in section 1.3 of the Act).
To that end, we have sought specialist advice in preparing both the security principles and requirements behind the scheme as the programme prepares for the commencement of a procurement process.
Security has been given a very high priority since the inception of the project, and continues to be addressed as a primary issue in all aspects of the Identity Cards Programme. There is a dedicated full-time team of security professionals, experienced in physical, electronic, procedural, personnel and information systems security, who work closely with all projects to ensure that security aspects are addressed appropriately and effectively. The in-house team are supplemented by readily available advice and practical assistance from CESG (GCHQ’s Communications-Electronics Security Group, the National Technical Authority for Information Assurance), NISCC (National Infrastructure Security Co-ordination Centre), The Security Service and other government departments.
This group of experts are highly experienced in dealing with processes and systems that require a high level of security. Security threat and risk assessments have been undertaken as part of this work and such assessments are updated as the National Identity Scheme develops.
The Identity Cards Programme and the scheme which it will deliver are subject to Cabinet Office policies and will be accredited by the pan-Government accreditor through the design, procurement, rollout and operational life of the scheme. Systems will not be given approval to operate unless they meet all security requirements.
In building the scheme, account will be taken of technology and business processes that have already been proven in relevant implementations both in the UK and elsewhere.