back to article Pupil database claimed to be breach-free

A government minister has claimed a clean record on security breaches for the National Pupil Database. Baroness Morgan, under-secretary of state at the Department for Children, Schools and Families, said the stringent security procedures around the database have prevented any breaches since it was set up in 2002. Access is …


This topic is closed for new posts.
  1. Number6


    So they've kept this one secure by restricting access to seven people. Contrast this to ContactPoint, where 300,000 people and the dog have access?

    Apparently on ContactPoint some children have multiple entries with different addresses, so it's not exactly a clean database anyway.

  2. Anonymous Coward


    "A government minister has claimed a clean record on security breaches for the National Pupil Database. However, we have no evidence on undetected breaches for obvious reasons."

  3. BristolBachelor Gold badge

    Red rag to a bull

    Anyone else think that this will be like one of the hacking contests run by suppliers of supposed bullet-proof systems?

  4. Anonymous Coward

    Retention policy, what's that????

    "In response to a question about how long information is held on the database, Morgan said a retention policy, including archiving data with National Archives, is currently being developed."

    That will be standard government retention policy then, keep it forever. But it will stop someone using your identity to steal free school diners when you are dead.

  5. Anonymous Coward
    Gates Horns

    Grandiose claim?

    Red rag meet bull.

    She'll regret gobbing off about that.

  6. The Vociferous Time Waster


    "Baroness Morgan, under-secretary of state at the Department for Children, Schools and Families, said the stringent security procedures around the database have prevented any breaches since it was set up in 2002."

    should read

    Baroness Morgan, under-secretary of state at the Department for Children, Schools and Families, said the stringent security procedures around the database have prevented any use since it was set up in 2002.

  7. Michael


    So, let me get this straight. The database has been running for around eight years and they haven't yet got a data retention policy?

  8. Jacqui

    national archives

    Next obvious question - when was the last NA breach?

    Note that I did not ask if there had been a breach - given the UK record on leaks^Wbreaches I assume it must happen at least annually unless told otherwise...


  9. Pete 2

    Might as well paint a target on it

    Isn't this just asking for trouble? Only the most technologically clueless among us would even think that software's secure, let alone say it out loud, let alone be quoted saying so. What he really meant was that there haven't been any breaches of security _yet_.

    Now that the challenge has been issued I would guess that it's only a matter of time before someone has a poke at this database. Whether that first attemp does break it, or whether it takes 50 tries, there can be no doubt that someone, somehow will find a hole. Whether we'll get the same level of publicity from our overlords and masters then, is anybodies guess.

  10. John Robson Silver badge
    Paris Hilton

    Known Breaches...


    PH - as smart as politicians.

  11. Anonymous Coward

    Bog standard government tripe.

    ``Lookit here, we havent't bolloxed it up (yet), and we're within the law (what there is of it) so it's perfectly alright. Retention? Vital other details? Er, we're working on it (we're making it up as we go along).''

    No retention policy in place after eight years makes me wonder what else they don't have. Do they track who accesses what, and if not, how can these claims, that only duly appointed personnel have access, possibly be believably backed? And if so, how about retaining those access logs? Who says the law guarantees there's no rotten apples in the user base? What happens when a breach does occur? Put any thought into that, you bog standard government muppets? I could go on, but there's no point, really.

    This sort of thing is important, but despite aeons of record keeping, very little thought has gone into the meta-details. And those who should aren't thinking about it now. That's not just silly politicians, but you and me, too. So until we come up with a concensus on how these details must be handled, we can't really blame any government. I for me know very well what I want, but do you? Yes, you, dear fellow commentard.

  12. The Original Ash
    Thumb Down

    List of personnel cleared for pupil database

    You and me, Darling, obviously. Field Marshal Haig, Field Marshal Haig's wife, all Field Marshal Haig's wife's friends, their families, their families' servants, their families' servants' tennis partners, and some chap I bumped into the mess the other day called Bernard.

    I am not inspired with confidence. Pessimist? You betcha.

  13. Tom 7 Silver badge

    So no-one can use it then?

    Given that there will probably be a router with a huge backdoor on it somewhere between the client and server I think to say its even vaguely secure is a downright lie.

  14. Ejit


    It was established in 2002 and the retention policy is not developed yet? Comforting.

  15. The BigYin

    I know how this goes.

    BM: We have not found any leaks

    Me: How hard and often did you look?

    BM: No need, we have mechanisms in place for stakeholders to report any leaks.

    Me: So you don't look?

    BM: As I said, we have stringent policies in place to gather this sort of intelligence.

    Me: But you don't actually, y'know, LOOK; do you?

    BM: I have already answered that question on more than one occasion.

    Me: Fine then. How about running simulated attacks. Y'know, test your own defences.

    BM: That would be in contravention of our stringent, industry leading policies and a complete waste of tax payer's money as we have no leaks.

    Me: But how do you know?

    BM: None have been reported.

    Me: Oh ffs.....

  16. Rob Clive


    ... 8 years, no breaches. One wonders how useful a database accessible by only 7 people in the entire country is though.

    One also wonders why the data retention policy is STILL being developed after 8 years. Clearly no hurry - better to hold on to everything.

  17. Anonymous Coward

    Wonder what

    Little Bobby Tables' mother has to say about that

  18. Guy Herbert
    Big Brother

    No breaches detected....

    Is not the same as all breaches prevented.

    In any case, government's new obsession with information security is rather beside the point.

    Why is the DCSF collecting this information about individuals in the first place? And how is it using it, notionally legitimately? Who does it share it with without breaches of procedure?

    Those are things we should be worrying about, not accepting the misdirection in its request for a pat on the back for not losing records it shouldn't have in the first place. I'm sure the Stasi never allowed anyone unauthorised to look at its files before 1989.

  19. John Smith 19 Gold badge

    Retention policy "Being developed"

    After it's been running for 8 *years*.

    Let me guess. We'll archive the data when they leave.

    To the NIR.

    1. Anonymous Coward
      Anonymous Coward

      running for 8 years??? LOL

      they should upgrade the server ASAP otherwise it has alot of holes... whatever spreadsheet they use as DB till now... :)

      anyway good for me...hope UK.GOV invest in more DBs... it would mean more working options to consider :)

  20. Anonymous Coward
    Anonymous Coward

    Call me old fashioned but

    Why is it news that a govt dept has NOT screwed up, has done it's job and allegedly hasn't given data to unauthorised parties?

  21. Richard Porter

    Not much to crow about

    Well if the database isn't on a network then it relies on physical security and the honesty of those authorised to access it. Not a big deal really. It could just as easily be a filing cabinet.

    It's when you start putting data online or on a portable device or storage medium that you really have security issues.

  22. Anonymous Coward
    Anonymous Coward

    Oh dear....

    It ain't what you don't know that causes problems ... it's what you do know that ain't so....

  23. Anonymous Coward


    Would be more comforting to be told 0 breaches detected, >0 attempted breaches detected and prevented.

  24. Anonymous Coward
    Anonymous Coward


    300,000 people and the dog?

    Don't you mean, 300,000 dogs?

  25. Anonymous Coward
    Anonymous Coward

    Retention requirements

    The database goes live without a retention and archive policy. How convenient.

    What a great way to get this past any discussion in Parliament and the public.

    These fundamental requirements should be that, form part of the requirements *before* the system is even developed, let alone go live.

    Now, they can implement any retention policy they like and there won't be any opportunity for the public or government to discuss it.

    Now is that deliberate or what?

  26. Anonymous Coward


    I bet they do have a retention policy, it's an infininte retention period.

    Now of course, they can't have that as an official policy as there would be huge public outcry. So what to do? Let's not have an official retention policy, in that way, we can keep the data year on year because we haven't decided how to handle it. And we won't decide how to handle it, that's not in our interests.

    You think this is an accident? I think not.

  27. Anonymous Coward
    Anonymous Coward

    Unencouraging precedents

    "We have not found any leaks".

    They didn't find Burgess, Maclean, Philby, Blunt, etc. either. Not until it was far, far too late.

  28. Anonymous Coward
    WTF? consent & parents not informed!!!

    I have no idea of the accuracy of the below.... but if this is true I am staggered....


    The 1996 Education Act (s537) empowered the government to collect information about pupils directly from schools; however, this specifically could not include the name of any pupil. Since then, a series of amendments and regulations has changed that situation to enable, since 2000, a regular ‘pupil level’ (ie. individual) census of every pupil in a state-maintained school. The range of information collected has also increased incrementally, and currently more than 40 individual-level data items are collected.

    Because the legislation says that schools must supply the data (a ‘statutory duty’ - which provides an exception to certain requirements of the Data Protection Act) parents and children are nor asked for consent, nor informed that it is taking place. Once collected, the information is held on the National Pupil Database (NPD) and at the moment is principally used statistically or for research. LEAs can also obtain information that relates to pupils in their area.

    Capita, who carry out the census on behalf of the DfES, takes information directly from each school’s system on the dates prescribed by DfES. Until 2006, the census was held annually, but it is now termly, and collects more than 40 separate data items on each pupil.

    The census has been extended to include nurseries, playgroups and childminders. Those without Management Information Systems give the data directly to the local authority.

    More information is available on Teachernet

    1. Malcolm Boura 2

      Is this one end security with out end to end security?

      So only seven people have access, which I do not believe unless those seven also able to carry out every aspecty of the s/w and h/w maintenance, but that completly neglects diversion of the information before it even reaches the database. How many people at Capita have the opportunity to siphon it off? How is it guarantied that all copies are irrecoverably deleted from Capita's systems? How is that information transferred along the daisy chain?

  29. Anonymous Coward


    After a little more Googling (well, actually not very much....just putting her name in the search box is good enough to find this)...I found this article about Baroness Morgan which may amuse you.

  30. Ted Treen
    Big Brother

    Usual Gov't drivel...

    "Access is confined to a team of seven staff at the department's Darlington office, and they disclose information only to prescribed people for purposes defined by the relevant regulations."

    How many "prescribed people"?

    Who are they?

    What are the "purposes defined by the relevant regulations"?

    What are the "relevant regulations"?

    Without the answer to THESE questions, it's just a meaningless, patronising, pointless piece of government-speak. In other words, complete bollocks.

    Politics - the art of replying to a question without answering it - and more latterly, whilst keeping one's snout firmly in the trough and indulging one's megalomanic ego.

    A pox on the lot of 'em!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020