DfES to build index of the UK's kids - all 11 million of them

How do you secure a multi-disciplinary information exchange system?


Government plans for an "Information Sharing Index" identifying every child in England will be subject to trials early next year, with a full scale system intended to be live by the end of 2008. The Index, which is intended to help a wide range of workers in education, health, social services and youth offending exchange information about children, was first mooted in 2003 via the Every Child Matters Green paper, in the wake of the death of Victoria Climbié.

The Index is not an ID card scheme as such, although, as under 16s won't qualify for National ID Cards, it could be said to be helpfully mopping up the ones the ID scheme will miss. And bear in mind that all schoolchildren have unique IDs and records already. The Index does however look rather like a privacy (or worse) disaster waiting to happen, and it's not entirely obvious how the Index described by the Department for Education & Skills this week can achieve its stated purposes. According to Secretary of State for Education Ruth Kelly, it is a key part of the Every Child Matters "programme to transform children's services by supporting more effective prevention and early intervention. Its goal is to improve outcomes and the experience of public services for all children, young people and families." Kelly says that better information sharing is "essential for early and effective intervention", and adds that the Index "will provide a tool to support better communication among practitioners across education, health, social care and youth offending. It will allow them to contact one another more easily and quickly, so they can share information about children who need services or about whose welfare they are concerned."

So far, so clear. In the specific case of Victoria Climbié, failures (including communications) on the part of several organisations made a substantial contribution to the child's death. And in the broader case of children in general it is, says the DfES, important to ensure that all children have access to services such as education and health care, and to identify early "those children with additional needs which should be addressed if they are to achieve the Every Child Matters outcomes." The DfES estimates that 3-4 million children have such needs at any one time, but as we don't know which these are, that's why all 11 million children in England have to be on the Index.

The Index itself will house information relating to children in all 150 local authorities in the country, and will consist of "minimal identifying information for each child; name, address, date of birth, gender, and contact details for parents or carers... contact details for their educational setting and GP practice and for other practitioners or services working with them; and where a practitioner judges it appropriate and necessary, an indicator showing that they wished to be contacted by other practitioners because they have relevant information to share, are taking action, or have undertaken an assessment in relation to that child."

That Index will not be a casework system or provide access to individual case data, which makes that last section particularly interesting. In essence, social workers, teachers, doctors, probation officers et almay flag the fact that they have taken action or opened a case of some kind, and then other interested parties will be expected to contact them to exchange information. Therefore it will not be the case that all such actions will be flagged, nor that flagging a child's record will result in an alert being issued to all other associated professionals who may have an interest in the child. A considerable measure of proactiveness would therefore seem to be necessary for the system to work, and that would seem to leave plenty of scope for the kinds of failures the system is intended to address.

The people who have access to the Index will certainly find it helpful in that it will provide a reference of address, and contact details for all of the other people concerned with a particular child - but how many people is that, and how will access be secured? Almost certainly the DfES is not yet in a position to say how many people will be allowed access, but it will inevitably be very many indeed. Local education authorities will need access, so will teachers and social workers, yet to be identified numbers of youth workers, health workers, probation officers and, according to the DfES, the parents and children themselves, so that they can check the record's accuracy. The DfES doesn't seem to mention police access, but the police were involved both in the case of Victoria Climbié and the subsequent enquiry, so it would seem logical that they too join the list.

Access "will be through the practitioner’s existing case management systems, via a web link or, where an approved practitioner has no access to appropriate IT facilities, via another approved user who does have IT access. Clear and secure arrangements will be in place to guard against access by unauthorised users, or inappropriate use of the index by authorised users."

So large numbers of people from numerous organisations throughout the country will be able to obtain basic information about any child in the country from the Index, which will make the system extremely difficult to secure and police, even if mobile and/or remote access isn't allowed. If (or should we say "when"?) security is compromised, then it would be possible for someone to get a child's home address and phone number, and to obtain more detailed information by spoofing the contact details of the professionals who know lots more about the child, or indeed the child's parents. We trust that the DfES will provide a detailed explanation of why all of this will be impossible, before the system goes live. ®


Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022