Children Act 2004 Information Database (England) Regulations 2007

rose to move, That the draft regulations laid before the House on 4 July be approved. The noble Lord said: My Lords, these regulations make provision in respect of the establishment and operation of a database, ContactPoint, under Section 12 of the Children Act 2004. The regulations place a requirement on local authorities to participate in the operation of the database. They specify what information will be held, who must or can provide this data, how long it can be retained, who can be granted access and how accuracy will be maintained. ContactPoint is essentially an electronic directory of practitioners providing services to children and young people. It will enable all practitioners working with children to find out who else is supporting a particular child to deliver better co-ordinated support. Our Every Child Matters programme aims to improve outcomes for all children. ContactPoint will help facilitate this by supporting effective prevention and swift intervention when problems arise, ensuring that children and their families gain the support of the services that they need as early as possible. These regulations have been considered by the House’s Merits of Statutory Instruments Committee, and we are grateful to it for its thorough report, whose findings will inform our implementation policy. In the course of the committee’s deliberations, concerns were raised about the rationale for the scheme and about security, accuracy, data management, cost and universality. I will address each issue in turn. First, why is this database necessary? Practitioners have told us that the process of identifying and contacting other professionals working with any one child is frustrating, time consuming and very costly. A recent survey of nearly 3,000 practitioners revealed that, on average, practitioners need to make contact with other services 107 times a year and it takes an average of four hours each time to do so. ContactPoint will significantly improve on this situation, freeing up an estimated 5 million hours per year of time currently spent by professionals in pursuing information, rather than delivering expert services. This time saving alone is equivalent to at least £88 million annually. On security, there has been a good deal of inaccurate comment on the amount of information that will be held on a child’s record. I stress that ContactPoint will hold only basic information: name, address, date of birth, gender and a unique identifying number on children on England until their 18th birthday, together with contact details of their parents or carers, GP practice, those providing education and specialist or targeted services to a child. ContactPoint holds no case data, no clinical data, no subjective assessments and no judgmental statements about a child, their carer or parents. Details of practitioners providing sensitive services, which, for the purposes of ContactPoint, are defined as services relating to sexual health, mental health and substance abuse, may be added to ContactPoint only with the informed and explicit consent of the young person concerned or, where appropriate, their parents. Furthermore, these sensitive practitioner contact details will be hidden from view, except for the very small number of local ContactPoint management teams who will be responsible for brokering contact between practitioners. Let me also state categorically, that ContactPoint will not hold information about a child’s school record or attendance, nor—as was described in one extraordinary press report—about how many portions of fruit and vegetables they may eat. Indeed, Section 12 of the Children Act 2004 specifically precludes such information being held. Nor will information be held about their parents’ circumstances, such as whether they have a drug or alcohol problem. Regarding parents, ContactPoint will hold only the name and contact details of any person responsible for the care of a child—nothing else. On data accuracy, each local authority in England will be responsible for the records of children in its area. Each will have a dedicated resource funded by my department to ensure that the data is accurate. We anticipate that when the system is operational, 300 people will be working specifically to ensure accuracy within local authorities. In line with the Data Protection Act, all organisations and local authorities must take reasonable steps to ensure that information supplied to, or held on, ContactPoint is accurate and up-to-date. Children and young people or, where appropriate, their parents or carers will have the right to see what is being held on their record and, where inaccuracies are found, to have them corrected. There will be a clear process enabling people to exercise that right, and fair processing notices will explain how the data may be used—which is also a basic right under the Data Protection Act. I now turn to safeguards to ensure the protection of the information collected—the issue raised in the Motion tabled by the noble Baroness, Lady Morris of Bolton. The security of ContactPoint is of the utmost importance. The design and operation will adhere to ISO 27001, the new international standard for information security management systems. This addresses physical, environmental and personnel security, communications and operations management. ContactPoint will conform to relevant government security standard and will be subject to review by independent security experts. Unauthorised access will be prevented by using a combination of methods. First, we are insisting on strong user authentication—not merely a user name and a password, but four system checks: a user name, a password, a PIN number and a physical token. Secondly, all users will be trained in the importance of security and good security practice. Users will receive mandatory training and their use of ContactPoint will be audited at every stage. Their activity on ContactPoint will be subject to continuous monitoring. Any suspected misuse will be investigated and could lead to disciplinary procedures within their organisation. Where appropriate, an investigation may lead to prosecution that could result in a fine or even imprisonment. A range of existing legislation includes penalties for the improper use of data. The Computer Misuse Act 1990 states that unauthorised access or attempted unauthorised access to a programme or data held on a computer may be punishable by imprisonment or a fine. The Data Protection Act provides that personal data unlawfully obtained or disclosed without the consent of the data controller is a serious offence, with a penalty or fine up to the statutory maximum, or an unlimited fine if the case goes to the higher courts. The Criminal Justice and Immigration Bill provides for these penalties to be increased to include imprisonment for up to two years on indictment, and up to 12 months on summary conviction. These increased penalties would apply to misuse of ContactPoint. Controlling access to ContactPoint is an important part of ensuring that the information within it remains secure. Access to ContactPoint will be restricted to those who can demonstrate a genuine need for it to facilitate their work. User numbers are estimated at about 330,000, and will include practitioners from education, health, social care, Connexions, the voluntary sector, youth justice and the police. Before being granted access to ContactPoint, users will need a current, enhanced Criminal Records Bureau disclosure and must also have been trained in the safe and secure use of the system, in compliance with the Computer Misuse Act 1990 and the Data Protection Act 1998. These regulations require users to renew the enhanced CRB disclosure every three years. Any conviction for offences against children, or for offences under the Computer Misuse Act 1990 or the Data Protection Act 1998, are likely to preclude access. I also note that the Information Commissioner’s office has offered valuable advice and comment throughout the development of this project. The commissioner’s memorandum to the Merits Committee concludes, "““we are satisfied with the overall design of ContactPoint””."