06 February 2011

Profiling, privacy and breaches

It appears from media reports that the UK Vetting & Barring Scheme (VBS), established in 2009 and administered under the Safeguarding Vulnerable Groups Act 2006 by the Independent Safeguarding Authority (ISA) (a specialised equivalent of Australia's CrimTrac), is to be wound back.

The scheme involves centralised vetting of people who work with minors (and vulnerable adults) and who come into contact with children once a month or more. Such people include volunteers who coach sports teams or who visit schools to read aloud. The scheme features criminal record checks covering a potential nine million adults.

Following a review led by Sunita Mason, the national government's Independent Adviser for Criminality Information Management, those criminal record checks will be notionally restricted to people who have "intensive contact" with the minors, around half the existing number of people meant to be vetted. As importantly, the emphasis will be shifted to employers ensuring that "the right staff" are screened. The results of the criminal record checks are to be sent to individuals before the data is provided to potential employers, allowing affected people to challenge any inaccuracies.

The current scheme attracted criticism from incoming Home Secretary Theresa May as "draconian" - an echo of the tag used in damning the National Identity Card scheme - and claims that over 12,000 innocent people had been incorrectly labelled as thieves, violent criminals and paedophiles. There appears to have been some hyperbole in reports that local councils banned parents from playgrounds on the basis that only vetted "play rangers" were acceptable in those places.

The Independent Adviser previously undertook an Independent Review of Policy on Retaining and Disclosing Records held on the Police National Computer (PNC). That review was to include recommendation of proposals
that will deliver a clear, principled approach that is fair and proportionate and balances the needs of the individual and protecting the public.

'Records' in the review are defined as records of convictions and of any other penalties (such as cautions, warnings, reprimands and penalty notices for disorder) which are or may be recorded on the PNC.

It was expected that the Adviser would consider -
• whether records should be subject to deletion and what criteria should be applied to that process;

• whether there should be arrangements for limiting access to records and what criteria should be applied to that process;

• what information regarding deletion/limitation of access should be provided to the subjects of records by the police and at what stages;

• how any suggested arrangements might be applied and monitored including, where possible, an indication of any additional cost.

• the relationship between retention arrangements and national systems supporting employment vetting, especially the CRB process (including the provisions contained in Part V of the Police Act 1997) and the Vetting & Barring Scheme;

• the arrangements for the retention of such records in other jurisdictions within the UK and in those overseas countries she thinks it helpful to consider;

• the arrangements for retaining DNA and other biometric data such as fingerprints, together with the research and evidence base supporting the current development of new proposals in this area;

• the need to strike a proportionate balance between public protection and personal privacy;

• the impact of retention arrangements on the roles and responsibilities of other criminal justice agencies such as the courts and the Crown Prosecution Service.

Forecasts that the VBS will be restricted on a "common sense" basis coincide with reports that the Education Bill to be debated in the Commons next week will allow English schools to search pupils for mobile phones and to delete data from those devices without consent in combatting cyber-bullying. Schools are currently able to confiscate mobiles but are not legally allowed to search for them without pupil consent.

The Bill, if passed, will authorise schools to search for alcohol, drugs, weapons, pornography, stolen goods and other banned items if they -
reasonably suspect [the item] has been or is likely to be, used to commit an offence, or to cause personal injury to, or damage to the property of any person.

In Australia the NSW Privacy Commissioner is reported to be investigating a long-term data breach at the University of Sydney. It has been claimed that records of thousands of current and past students have been readily accessible online, with the University supposedly being told about illicit access in February 2007 but failing to secure the information. The data supposedly include a student's full name, residential address, email address, the courses and how much each course cost.

In the time-honoured tradition the Vice-Chancellor is reported as stating that he was "appalled to be notified that some records could be accessed in this manner", that the breach was an "anomaly" and that the University would of course act immediately. The Commissioner is reported as indicating that the University appeared to have breached s12(c) of the Privacy and Personal Information Protection Act 1998 (NSW) and that he would investigate the matter if it was formally reported to him.

The Vice-Chancellor subsequently emailed students, stating that -
I am sorry to confirm that the story in this morning's Sydney Morning Herald is correct in identifying a security flaw in our student records system which would allow a computer-literate person to access some private information from student records using a student ID, and without using a login or password. This flaw was immediately identified and rectified. It is important to note that such information could only be viewed and could not in that way have been changed.

It is also true, as reported in the Herald, that the University was advised of such a flaw in our security in 2007. At that time the matter was swiftly rectified as it has been today. Regrettably some time later as a result of a software update, the security patch was inadvertently removed without anyone becoming aware of its function in protecting the security of student records.

This is, of course, a most serious lapse in the standards which we should be able to expect of our ICT services, for which I can only apologise. I am somewhat relieved to note that since 2007 we have substantially upgraded our ICT processes generally and specifically around the implementation and “penetration” testing of new or updated software.

There is no indication of whether the students are somewhat unimpressed.