ContactPoint.

Dear Mr Peasgill,

Request for information under the Freedom of Information Act 2000

We are writing to acknowledge receipt of your email dated 19^th February
2009, in which you request the disclosure of information under the
provisions of the above Act regarding ContactPoint.

We have begun a search for the information you require and shall contact
you again when we are in a position to respond further. Should we envisage
any delays, or require more details from you, we will contact you
immediately.

In the meantime, if you have any queries about the above, please do not
hesitate to contact us, quoting ref. RFI 138/2009.

Yours sincerely,

On behalf of the Freedom of Information Team

Freedom of Information | Access to Information Team

Lancashire County Council, PO Box 78, County Hall,

Preston, PR1 8XJ

Tel: 01772 531116 | Fax: 01772 530949

show quoted sections

A 4-star council: awarded top marks by the Audit Commission

********************

Dear Mr Peasgill,

Request for information under the Freedom of Information Act 2000

Further to your email, dated 19^th February, in which you request the
disclosure of information under the provisions of the above Act, we are
now in a position to respond, and answer each of your numbered questions
in turn below. Please accept our apologies for this being a day overdue.

1. The security arrangements for the ContactPoint implementation in
Lancashire will follow the national DCSF security requirements as
specified in a process called organisation accreditation; this must be
passed before any organisation can use or send information to
ContactPoint. The ContactPoint system itself will use the latest
technology and security measures, these measures make sure that
information is stored safely, and that it can only be used by the people
who need to use it.

Organisation accreditation ensures that the following rules are applied to
anyone who will have access to ContactPoint.

o It can only be used by authorised people who need it to do their job
o They must have passed security checks (an eCRB less than 3 yrs old)
o They must be trained to use the system, this training includes the
safe and secure use of ContactPoint and the Data Protection Act.
o They must have a user name, a password, a PIN and a security token (so
called 2 factor authentication)
o They must give a reason to look at a record
o All accesses by users will be recorded- who they are and what they
looked at. This audit trail will be looked at regularly to make sure
ContactPoint is being used in the right way. People can be prosecuted
if they have been found to misuse ContactPoint.

Other elements of organisation accreditation that require policies and/or
procedures to be in place which will ensure the security, trust,
confidentiality, privacy and integrity of ContactPoint are:

HR record keeping

Entry and Exit Procedures

Disciplinary procedures

Handling Security Breaches

Usage Report Monitoring

Mediated Access Procedure

Maintaining Personal data

Accurate and complete data recording

Subject Access Request procedure

Reporting child death

Handling Disputed Data

Network Infrastructure

Workstation requirements

As an authority we are currently working towards these criteria prior to
our deployment.

17 authorities in the North West are so called 'Early Adopters' who will
be using ContactPoint first. As Lancashire County Council are not an
Early Adopter, we will incorporate any of their lessons learned into our
deployment.

To ensure the integrity of the information held in ContactPoint, it will
be updated from local and national computer systems with data quality
processes in place to ensure accuracy.

2. Yes.

3. The disclosure/sharing of personal data is a complex area governed by
numerous statutory provisions; and each case or situation is dealt with in
accordance with the relevant legislation, including, but not limited to,
the Data Protection Act 1998, Human Rights Act 1998, Freedom of
Information Act 2000 and the common law of confidence, plus any other
relevant statutory provisions. Given the variety of personal data held by
the County Council and the range of purposes for which such data is
processed, it is not practical to have a general policy in place governing
all possible disclosure/sharing scenarios. However, the following is
intended to provide a general overview.

Requests from third parties for the disclosure of personal data should be
made in writing. If a third party makes a verbal enquiry, they will be
asked to submit a written request setting out the reasons for seeking
disclosure and, if necessary, to specify any statutory provision being
relied on in making the request. Records of any subsequent actions
(including disclosures) are maintained. Larger scale sharing of data is
usually covered by an agreement between partner
authorities/organisations. It is sometimes the case that sharing of
personal data is a statutory requirement, and the County Council may be
legally obliged to share data.

Although consent is often obtained for the disclosure of information to
third parties, in many cases this is neither necessary, nor practical. The
conditions required for the processing of personal data and sensitive
personal data are set out in Schedules 2 and 3 of the Data Protection Act
1998. Although consent (Schedule 2, processing of personal data) and
explicit consent (Schedule 3, processing of sensitive personal data) are
listed, they are not essential. Only one Schedule 2 condition must be
satisfied in order to legitimise the processing of personal data, and only
one Schedule 3 condition in addition to one Schedule 2 condition must be
satisfied to legitimise the processing of sensitive personal data.

All members of staff are under an obligation to respect the privacy of the
people whose data are processed by the County Council. Organisational and
technical security measures are in place to ensure that personal data is
processed in accordance with the data protection principles, and only
processed by those members of staff that are authorised to do so.
Organisational measures include staff training and suitable storage
facilities etc., and technical measures include password protection,
restricted access, etc. Such measures are intended to ensure compliance
with Principle 7 of the Data Protection Act 1998.

Should you require access to a copy of the Data Protection Act 1998, this
is available from the Office of Public Sector Information website at the
following URL: [1]http://www.opsi.gov.uk/acts/acts1998/199...

The County Council has produced draft template `Information Sharing
Agreements' that can be altered to suit particular sharing scenarios.
With specific regard to the ContactPoint database, you can obtain a copy
of the draft information sharing agreement from the following page of the
County Council's website:
[2]http://www.lancashire.gov.uk/education/e...

That page of the website also includes some information about the
`Information Sharing Toolkit' that was created by the DCSF, plus links to
information sharing guidance documents created by the Government.

4. Legal advice would be taken in such instances to determine whether a
referral to the police was appropriate in the individual circumstances,
although it is recognised that in most instances it would be required.

5. Please see the attached document, which contains relevant extracts

We trust that our response is satisfactory, but in the event that you wish
to complain about the manner in which your enquiry has been handled, you
should write in the first instance to The Freedom of Information Officer,
Lancashire County Council, PO Box 78, County Hall, Preston PR1 8XJ, or
email [3][Lancashire County Council request email]

If, after this stage, you remain dissatisfied, you have the right to refer
the matter to the Information Commissioner, whose contact details are as
follows:

The Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 01625 545700

Email: [4][email address]

Website: [5]http://www.ico.gov.uk

If you have any queries regarding our response, or you require any
additional information, please do not hesitate to contact us.

Yours sincerely,

Freedom of Information

Lancashire County Council

PO Box 78

County Hall

Preston

PR1 8XJ

Tel: (01772) 531116

Fax: (01772) 530949

Email: [6][Lancashire County Council request email]

show quoted sections

Lancashire, a place where everyone matters

********************

References

Visible links
1. http://www.opsi.gov.uk/acts/acts1998/199...
http://www.opsi.gov.uk/acts/acts1998/199...
2. http://www.lancashire.gov.uk/education/e...
3. mailto:[Lancashire County Council request email]
4. mailto:[email address]
5. http://www.ico.gov.uk/
6. mailto:[Lancashire County Council request email]