More than three times as many officials will be able to access sensitive information on every child in England and Wales held in the forthcoming ContactPoint database than estimates circulated by the government suggest, research by The Register has found. ContactPoint is now scheduled to launch in January. It will store and …
No, no, no....
A million people with access to personal information on your child, your home address and whatever else will be required under compulsion?
Lets hope this gets delayed again----permanently
What rubbish !
Regarding the following "Publicly available staffing figures from education authorities, the NHS, social services and other organisations show that more than one million government employees will have access to ContactPoint."
Within each organisation the Users who are required to access contactpoint are selected on a strict critiea, its not just going to be given to all staff at a GP's surgery. Probably only the GPs themselves, Office staff and lower level practitioners will not have access.
Not all staff in educatiuon will have access, not all teachers in a school, only the child protection co-ordinator will have (normally just one or two teachers)
To raise this as an issue is missing the point as its not true....
@What rubbish ! (AC)
What you mean is the CP Co. will have access, the IT Manager and tech team will have access when the front end fails and needs to be fixed, and some student will have access when the CP Co. leaves their station unlocked, logged in, and goes to pick up a print out from another room. I've seen and been a part of sorting out the aftermath of all three, albeit with a different system.
Even if this database WAS a good idea, the fact that the people with access to this information are often not technically minded will cause issues that cannot be predicted or protected against. Security will give way to useability, and something will go wrong.
"Not all staff in educatiuon will have access, not all teachers in a school, only the child protection co-ordinator will have (normally just one or two teachers)"
In a primary school at least I'd assume that have to attend interagency case conferences (ie between teachers, social services and medical staff etc) would require access to the database as presumably this is where the rssults of these meetings will be documented and tracked. Even if they don't have to go to the meetings but review and fill in paper work would presumably need access. My wife is a primary teacher and I know that she attends these meetings for the children in her class. Obviously the head and deputy will need access as they too deal with interagency meetings as will the Special Educational Needs coordinator. Optimistically it may be limitted so that class teachers only gain access while they have a pupil on the list but realistically (at least in my wife's school) that is likely to be all the teaching staff. I'm guessing in a secondary school it may 'just' be limitted to heads, deputies, head of years and form tutors.
The current system doesn't work, my wife has only just found out that one of the children in her class is on the At Risk Register (meaning that seeing the child daily she should be watching out for suspicious behaviour, bruising etc and potentially if she failed to spot and report 'obvious signs of abuse' she'll probably be the sacrificial goat after the great newspaper inquisition after a child abuse death). The only reason she found out was through an accidental comment. If this (massively intrusive and over reaching) database existed at the start of each year (and probably throughout it) she'd need to check every child in her class to make sure they weren't on the database, that or risk being on the end of a headline "Teacher failed to protect child".
I don't like it, she won't like it but if we have the database practicioners will have to use it or be accused by the public (and lazy headline writers) that it was them who failed to do their duty and they let the child die.
Just one million? I can see that figure rising personally.
Why a national database anyway?
Why is it necessary for ANYONE outside the immediate area where a child lives to have access to that childs data?
The government seems to have a 1960s view of computers - one vast computer that everybody accesses. Far better to distribute the data to locations close to where it will be used.
"Secured" by Government Gateway
Access is controlled via Government Gateway. Yes, the one which was partially compromised by the loss of a USB stick a couple of weeks ago.
Hopefully nobody created a bunch of logins and enrolled them into Contactpoint to give them full access to this information whilst bypassing the checks which would normally be part of enrollment.
/ *crosses fingers and hopes*
Method of calculating figures
So how many GP's are there? How many teachers? How many Police?
If we were really so foolish as to just take the totals in each category and lump them together we would be being about as foolish as, well, a government spokesperson on the subject.
Official figures suggest around 190k GP's in the UK. Not all in England, so we downweighted those. And you honestly think not a single member of the Practice Admin would have access?
Despite the fact that the legislation apparently allows osteopaths to access ContactPoint we estimated that number would be nil or negligible.
Midwives. 40,000. Do you think a significant proportion of THEM would have access to the system?
Police. Another 180,000 or so. We think most of them would have access - but in the absence of a government line, we can't be sure. And ACPO think a fair number of support staff would definitely have access.
Teachers. Almost 800,000. We certainly don't think all of them will have access. Only a very small proportion.
Social Workers. 80,000. We didn't include all of those either.
Now. I know what the government spin is about selected staff having access. The question really is just how selective the access is going to be and, where access is restricted, whether the two people in the office with access will be happy to have their work constantly disrupted by other staff asking them to carry out checks for them.
But please: look at the categories the legislation allows to have access. Tot them up. And then honestly say you believe the government figure of 330k.
Clue: the total number of individuals falling within the categories listed in the legislation is c. 3 million.
What makes you think that only 10% of them will have access, as opposed to a third?
Boffin, cause I'm wearing my statistician hat today.
Did you know?
I work for a certain government agency but am employed by an employment agency.
I have not had a CRB check or any security checks.
All that stops me from using my full access to a very large government database containing huge amounts of very personal (and, to a criminal, valuable) data is my contract, which I would breach if I decided to download it all onto a USB stick and, say, leave it on a train.
Is this the type of security they are talking about?
Of course THEIR children are on the special list..
I am surprised that no mention has been made today that the goverment has so little confidence in the security of the database that MP's children will be on a special restricted list.
They are saying that of course it's safe and all database users will be vetted, but just in case it's not then there is a special level of protection for their own children. Shows how much confidence they really have in it.
Only one milion?
Judging by previous government records with data, there'll be a whole lot more people able to access the database, and not many of them will be official...
security and child safety issue
I think it should be compulsary that everyone who 'could conceivably' manage to obtain access to any of this information should first undergo unrestricted and extensive criminal record checks, enhanced disclosure and in depth psychological profiling. The two that make it through this selection process can then each be issued with a CDRom to leave on the train.
What will happen is
Some other child won't get picked up by the system and access to the database will be expanded to include more people, its usage will become easier and security will go out the window.
Finally some novice case worker will leave their laptop on a train with the access to the wifi enabled VPN open to the system for all to access.
The tomb stone marks the last resting place of personal privacy.
Disengage brain and rant time
How the fuck can having a name on a database protect anyone when those toss-pots at social services can't even protect a child they visit and can see is being abused on a regular basis.
Tis rubbish I tell thee !
"would require access to the database as presumably this is where the rssults of these meetings will be documented and tracked"
No case notes or documents whatso ever are going to be held, just very basic stuff like name, address, dob, and name of agencies who work with the child.
"the IT Manager and tech team will have access when the front end fails and needs to be fixed, and some student "
No they wont, IT staff will not have access, only working, approved practioners.
here we go again
Of course not 'everyone' will have access to the data, that is until some berk posts it on two CDs or leaves there laptop on the train which weve all been informed will never happen again...
Irrelevant Title... Because its required...
it does raise an interesting question, is a system totally secure if one person is prevented from accessing it? you just say that everyone else is allowed...
Even more rubbish
Oh, and the data cannot be downloaded or exported to a CDROM, USB stick or laptop..
Its all based on line and in most cases accessed via the organisations own case management system.
So .. what is the percentage ..
.. of child abusers (in all the forms: sexual, psychological, physical, verbal) in the UK population. If we allow for 1 in 1 million that means there are only 55 in the UK. I don't think so !
If we're looking at several thousand or tens of thousands then that means that of the 1 million with access to this database perhaps several hundred to several thousand will be a abusers in some form.
The more I hear about this governments "utopia can be found through technology" plans the more I believe that this asylum (the UK) is being run by the criminally stupid.
I am sat here....
listening to the sound of everyone jumping on the "invasion of privacy" bandwagon without having any knowledge of how the system will be used or by who. Without any knowledge of the way data on vulnerable children is handled now and without knowledge of child protection procedures and the issues surrounding them"
Does anyone here really believe there is only one database?
What about system test; user acceptance test; and the inevitable full-scale volume test databases. Many of these stay around a lot longer than you would imagine.
Live data also gets recorded in real performance test script executions.
The mere existence of a monolith database inevitable means a single point of failure. I am in agreement with others, when did the idea of decentralised systems cease to become valid?
PH, because her performance gets rated daily !
Access will be strictly limited to...
...those with access to the credentials, written on a post-it note and stuck on the monitor.
get with the times
(1) they don't have it on CD any more....it's on my DVD....err, it's on A DVD; yeah, that's it.
(2) You think your local council isn't already looking at this to make sure you're not abusing your sprog by sending them to the wrong school in the first place?
(3) How will they ever tell one child from another without some form of rock-solid ID...like, say, maybe an ID card...Eureka, what an idea. Each child will have their own ID card for THEIR PROTECTION.
(4) Of course, you will have to have your own ID card just to prove you are the child's parent(s) - no big deal; it's already in the works.
(5) Trust me, I know what I'm doing (this is your government speaking).
Of course as I have spent many years working with IT, Social Services and Education professionals, I know that everything the government says is true and anyone that tries to disabuse that (like this article) is clearly rubbish.
It is inherently safe, there is no need to worry about anyone having access to the information, its not like they could abuse it to take children away from families for some spurious reason....
@AC re Rubbish
You obviously sound like having a vested interest in the system, so your vision is a bit clouded.
Basically, any "privileged" data to which a million people can have access is as good as published in the FT. It does not matter how well do you think you've designed the access procedures they will be circumvented. You cannot enforce a 100% secure access regime among so many people. It's just impossible.
Besides, what is the probability that there will be members of a paedophile ring or two within the million? I'd say - extremely high. This is a generous gift to them pedofils from the control freaks in the Government.
It just takes one bad apple or one incompetent
It just takes one bad apple or one incompetent to "leak" the data out of this system. Once it's leaked, it's out there for the entire duration of several million childhoods. And it's an absolute goldmine for paedophile predators. If a million people have access, somewhere between ten and a hundred will themselves be paedophiles, and perhaps ten times that number so venal that they'll sell data to anyone who pays without a second thought.
Criminal records checks? No good, they haven't been caught yet so they don't have records. Catching them after the "big leak" event is too late. So for God's sake and our children's safety, kill this database before a single byte is stored in it!
"No they wont, IT staff will not have access, only working, approved practioners."
I'd be interested to hear just how you worked that out. Is the backend database going to be administered by an AI ? Clue : No. Will the system be so perfect that it will never need any intervention from a technician ? Clue : Not in this or any other lifetime. Given this, is it feasible for technical staff and developers to diagnose failures in complex multi tiered database systems entirely without access to the live data that was in use at the time of the failure ? Clue : No, it sodding well is not. Is it possible for the staff who will be charged with maintaining the database to load, de dupe and otherwise cleanse the data in the system without access to it ? Clue : Also no.
Even if the whole system were designed, implemented and maintained by "approved practioners", (Clue : Cap Gemini is an IT services shop, not a coalition of GPs and social workers who just happen to have 'leet coding and DBA skillZ), this would make them de facto technical staff, would it not ?
@ Tis rubbish I tell thee !
""would require access to the database as presumably this is where the rssults of these meetings will be documented and tracked"
No case notes or documents whatso ever are going to be held, just very basic stuff like name, address, dob, and name of agencies who work with the child."
Documented as in "a record that a meeting took place". Unless the database can be used to track each individual time that an agency has interacted with a child then it will be no use as it won't distinguish between a child that was only seen once and is at no risk and a child that has been seen dozens of times and IS at risk. And you don't need hand written notes of every conversation scanned in and attached to the child's record for it to be an invasion of privacy.
""the IT Manager and tech team will have access when the front end fails and needs to be fixed, and some student "
No they wont, IT staff will not have access, only working, approved practioners."
Someone in IT will have to create the logon credentials and so they will have access. Unless you're trying to tell me that a bunch of social workers, teachers and doctors with no IT experience are going to build and maintain this database.
You can't just keep repeating that everything will be fine. Eventually you're going to have to address the points people are raising and explain why this database will be uniquely different to every other database and why the people involved will be immune to human nature.
Lest we forget
"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four." - Schneier
Even if !!!
Even if the lowest figure is taken its still far far too many to keep safe ..........the government proves time and again it is incapable of handling computer related projects........
We have to ask ourselves why use a computer at all ??? will it save a life for example ???
well take this recent case of the horrific murder would that child be alive if we had a database....i doubt it....
i can see no good reasoned argument for it being built and as with all computer projects it needs constant upgrading.....going through all the current projects they will cost in the region of £100Bn over the next 10 years i dont think thats money well spent for the stated aims.....
Re: Tis rubbish I tell thee !
>> No they wont, IT staff will not have access, only working, approved practioners.
Ha ha ha ha ha ha ha ha ha ha ha ha ha ha
How can they fail to protect a child they know about? Easily, because they don't really want to. The Supreme Goal is to keep families together,and if that means the occasional toddler kicked to death, it's a price worth paying.
@ I am sat here...
It's the very lack of knowledge of who will have access and on what basis, allied to the insanely disproportionate scope of inclusion which is the problem with ContactPoint. "The way data on vulnerable children is handled" is barely even relevant to the implementation of a database which will contain records for every single child in the country. It is simply **NOT POSSIBLE** to secure a centralised database which can be accessed by 300,000 people (whether or not they are "working approved practitioners") let alone 1m. If there is no potential for abuse here, why the reprehensible opt-out for the children of MPs?
@ Nomen Publicus
A good point about why the NuLabour fixation on gigantic national databases. A smidgen of history might help us understand better what's going on:
In the mid-1960s the Rand Corporation published a book proposing ways to use computers and databases in local government, "A Data Processing System for State and Local Government".
In essence it proposed a single comprehensive database with everything connected to everything else, land, people, schools, welfare, you name it. I found this book in a remainder bin somewhere and bought it as a curiosity, but with time I came to the realization that it was proposing a privacy-destroying Big Brother system — about what you'd expect from the Rand Corporation.
One has to wonder if that little book is behind NuLabour's fascination with all-encompassing databases; the parallels are too close for comfort.
PS: Copies of the book seem to be readily available, though not in great numbers. Anyone with a serious interest in the erosion of privacy via IT should familiarize themselves with it, if only so they understand how long the NL attitude has been around.
On the same day...
... that a policewoman is arrested over the murder of a teenage girl.
Yeah, let's give her kind even more power.
What's the problem?
These are government people, they wouldn't harm us or our children. The government screening programs are safe and never let anyone unsavoury into a position of trust with vunerable youngsters in society.
"Go back to sleep Britain. Go back to your TVs and beer, grow fat and stupid. You are safe. Your government is in charge."
Where do they claim it is "Secure?"
Can someone point me to a formal statement by the government (and/or its contractors) to the effect that this will be a secure database?
I ask because - if such a statement exists - I would argue that we have the basis for a legal suit of criminal negligence and/or fraud (depending who is making the statement) and I for one would be happy to donate a hundred quid to a class action to sue the arse off the bastards.
Use versus access???
Surely the number of people who have access to the database is almost identical to the number of people who use it. After all, if you don't use it then why would you be given access.
The most basic data security would seem to say that if you don't use the data, then you shouldn't have access to it.
What's it for??
How on earth does this database prevent someone from abusing their own chilldren ? We're not quite in a 24hr domestic surveilance society (yet) and as far as I know there aren't cameras in my home watching me bath my baby checking that I'm not taking /too/ much care washing his bottom...
@who ever it was
"No they wont, IT staff will not have access, only working, approved practioners."
sotty what would do you live in again?
That "special" database for MPs' children
It'll just be a flag on the record so when the MP loses in the next election his kids can be restored easily.
And who's going to guarantee that the programmers writing reports and DB access routines will always remember to omit the flagged records? Mr. Brown? Ms. Jacqui? Ha ha ha ha!
Britain needs to build a nice big new nuthouse, round up all members of the NuLab government and incarcerate them for "demonstrable madness and disconnection from reality."
PS: I am wrong if NL intends to have a permanent majority, but we know what happened to the political party in the US that tried that little stunt.
Only the Start...
Is child protection the only motive behind this? Each child will have a unique ID number. Seems a perfect starting point for a comprehensive national ID card database to me.
Three stooges could do better
This governments record with IT is thoroughly awful and we are a laughing stock when it comes to IT disasters, see this:
That's 5/16 of the most noted IT failures out of the entire world !
This database is a paedos dream, all the info they want from one nice leaky UK gov IT project.
I was thinking of moving to Australia to avoid this sort of nonsense, but it seems IT stupidity has infected the Aussie politicians too.
You are spot on! And the UK is not alone. See this page: http://tinyurl.com/38qg6x.
Yet further proof
That you lot on the other side of the atlantic are in dire need of a change in government. I've been reading about this database, the ID card scheme, etc etc via El Reg and other sources and I have to say some of it is genuinely scary stuff.
I haven't commented thus far because not being over there, these ill conceived schemes being put into place by your government don't necessarily directly affect me. Thus I feel that it's not really my place to weigh in on this. However from a pure human rights standpoint this and some of the other programs being proposed are an affront to basic human and civil rights, and as such I can't help but say, WTF??? I mean seriously anyone who thinks any government can safe guard this kind of database who's access control list seems to be... well just about anyone connected in some way to local or state government, is simply deluding themselves.
As has already been stated it just takes one numpty to leave their laptop on the train or "secure" USB key in a pub and the security of this thing is (at least temporarily) totally and completely fucked. I wish I could be more eloquent about what a phenomenally bad idea this is but when governments start going down this path I can't help but be pissed. I've railed even more strongly against things over here like the "patriot act" etc, but to no avail under Gee Dubya's staz...err regime.... err administration. But I digress.
The cases which spurred these actions are indeed tragic and no one would deny that. However it seems the failing was on the part of the local social service and law enforcement agencies not the lack of something such as this rather Orwellian datase. Or the inevitable ID cards that will soon follow on the heels of this database being forced upon you to "enhance security" of said database, read: government will be able to track and tag anyone they feel is a threat. Wether that threat is real or imagined wont matter at that point because they will have control from the top down.
I feel for those who have expressed genuine concern over this and other schemes which seem designed to do nothing more than erode your privacy and will not only do that but may indeed put people directly in the kind of danger that it purports to protect them against. All the while the government officials, their favored contractors, etc etc will profit and be one step closer to being able to heard the populace into the pens of it's choosing to "protect the unwashed masses from themselves".
Still wrong, wrong, wrong
The article trumpets the 1 million users figure but conveniently forgets that access to ContactPoint does not mean access to all records.
GPs can only see details of children registered with their surgery; teachers can only see children enrolled in their school; social services can only see children in their "area". And so on.
In other words, ContactPoint users cannot see any more childrens' records than they *already have access to*.
So why have the database if access is so restricted? Because they can see more info. For example a GP almost certainly won't currently know who a child's teacher is. So when the child comes into the surgery with unexplained bruising, the GP can't easily contact the teacher to ask if the parents are lying when they claim the child has been bullied at school, or fell over in the playground or whatever. With ContactPoint access they can.
[Aside: Personally I think this is a "good thing". However, it's all a total waste of money if more "Baby P's" are going to be allowed to happen. There's no point giving those involved with a child easy ways to warn about abuse if social services are going to do fuck all about it.]
There are occasions when a user would want to search for a child that they do not normally have access to. For example, police in one town find a runaway child from the other end of the country. To search for this child they need to invoke "break glass" functionality. Doing so automatically warns that user's supervisor (who may not have access to children's records at all but has access to ContactPoint for management purposes). The supervisor is trusted to determine whether the break glass facility is used legitimately or not. (E.g the duty sergeant may do it ten times a week whereas an ordinary constable may never need to do so.)
Yes, the two of them could abuse this arrangement but that requires collusion.
To the other posters with concerns:
@Ash: users can obviously leave the terminal logged in. However, login is two-factor so the owner of the token that had been (ab)used would get the blame for any accesses carried out. All accesses are audited.
@Nick: ditto the need for a token to log in. So even if Gov. gateway data is out in the open, it can't be used to log in.
@Norman Publicus: You are exactly right and I hope my explanation above goes some way to addressing your concerns.
@John Ozimek: all these people *already* have access to child details by the nature of their jobs.
@AC 14:07: just because the agency you work for is poor at data security, does not mean that ContactPoint will be. From what you say, you should be invoking whistleblower legislation to make a formal complaint.
@AC 14:10: "special" cases include MPs sprogs, celebrities sprogs etc. It is inevitable that some user somewhere will ill-advisedly "test the security of the system" by trying to look up a celeb's kid's details. The user's attempt will be audited, flagged-up and they will be spoken to by a supervisor. It's better that they fail and be warned/disciplined rather than succeed and be warned/disciplined.
@AC 14:51 The test databases are as carefully controlled as the real one in. (Same data centre security, same DBA employment vetting etc.) But no access from the outside world - so actually more secure than the real one.
@Chris Thorpe: two factor authentication is used. That doesn't stop the user leaving their token on the desk with a post-it with their pin on. However they would be effing stupid to do so: all accesses are logged so if a child is kidnapped and abused, for example, the first thing the police will find is that the child was the subject of a ContactPoint search and will be round to that user PDQ.
1) The database is not on DVD, trust me. :-)
2) The council already have a legal obligation to ensure that your child is educated so they *must* know whether he/she is enrolled in a school or being educated at home.
3) The same way that schools identify children now: first name, middle name, surname, dob, address etc. No id card required.
@AC 15:26 All access to ContactPoint is audited. A user could always try to add an unfounded allegation onto the system but they would always be traceable.
@Nigel: I would like to say that it is "impossible" for a single person to "leak" all of the data. However that can never be true. Someone could always turn up, shoot the security guards and threaten the DBAs with a pistol until they get the data on a single disk. But a person with the that kind of motivation and access to weaponry is unlikley to want data.
@The Other Steve
It's true. IT staff won't have access. It is perfectly possible to administer a faulty webserver without needing access to the database. If there is a fault on a DB server, the DBA can be supervised by a, well, supervisor, to ensure that he only does DBA things and not look at the data.
Can you cleanse, de-dupe data without looking at it? Of course you can: no single person is going to look at n million records and de-dupe them. Automated matching eliminates most duplicates. Somethings will inevitably be impossible to resolve atuomatically. These are reported back to the local authority of the child in question to resolve. So the person doing the de-duping is a local authority employee who already has access to the records in question.
@AC 16:19 Actually it is relatively easy to secure a *centralised* database. Securing a *decentralised* one is much harder.
Only a million?
Or. if this lot keep up their outstanding record on data security, 6200 million or so.
I see (AC 1930) we have readers in HMG too ...
All police employees to get ContactPoint access
"As well as all police officers and staff covering a geographic area, the system will be available to healthcare professionals and their assistants; officers of local probation boards and youth offending teams; heads, officers and administrators at prisons and secure training centres; and all social-care workers." (http://news.zdnet.co.uk/itmanagement/0,1000000308,39547402,00.htm)
Hmm - secure?
re still wrong....
Obviously insider knowledge must be assumed if we are to believe your answers (not to say you shouldn't be believed,just stating observations)
and yet you have to post AC which is surely self-defeating?
If the government doesn't want people to know this much about how secure the DB is and you are posting this then isn't that a security breach? Also raises the question as to why we shouldn't have this information?
Surely the detailed rebuttal of legitimate concerns you posted could easily be handled by the government issuing a release with the details you've given, then no-one would have to worry about their jobs and those with concerns could satisfy their own curiosity?
Or maybe this is just more spin, a bit like leaked documents that serve the establishments interest that just happen...cough....to get left somewhere near a journalist.
I wonder though could you enlighten us as to how this DB has been populated as I left the country earlier this year so wonder exactly what they will hold on my children...maybe my daughter will be flagged as at risk as she's not been registered with a school or a GP after all no one's asked me to verify any information.
I refute your impressive looking list of unaccredited justifications with one time-proven statement.
No lock with more than one key is secure.
For the others, it's not the pedos you want to worry about, they are the least sophisticated group drooling over this database.
Think about extreme jihadists looking for impressionable disaffected foot soldiers, or drug traffickers wanting new customers, and more importantly agents who will get their 'product' to new markets. Then of course there is the spy fraternity. Nice convenient selection of future sleepers. All these groups are patient. They don't mind waiting while their 'investment matures.
"It's true. IT staff won't have access"
It's not, they will, and in fact your following statement contradicts what you've just said, also :
"It is perfectly possible to administer a faulty webserver without needing access to the database"
That very much depends on the nature of the failure. If the webserver is accessing a DB, and there is a data dependent bug, you need access to the data in order to recreate the bug. EOF. Perhaps in la la land where you live this is not the case, those of us who get our hands dirty with this kind of problem every day know different.
"If there is a fault on a DB server, the DBA can be supervised by a, well, supervisor, to ensure that he only does DBA things and not look at the data."
_When_ there is a fault on _one of_ the multiple servers. And again, you are ignoring the classes of failure mode that involve the data, not simply the hardware or software. Also, your notional DBA (in fact, multiples thereof) has indeed got access to the data, quite the opposite of what you suggest above. Sure, some untainted do gooder _could_ stand behind every DBA every minute of the day and make sure they don't peek (perhaps you could could volunteer your services), but they won't.
"Can you cleanse, de-dupe data without looking at it? Of course you can"
I didn't ask if you can do it without _looking_, I asked weather you can do it without _access to the data_, the answer to which is still no.
"@AC 16:19 Actually it is relatively easy to secure a *centralised* database. Securing a *decentralised* one is much harder."
By what metric ? A decentralised data set is inherently more robust in the face of (inevitable) security or trust breaches, since the exposure is limited to the data available, for instance.
And in any case, your suggestion that any data maintenance requiring manual intervention will be kicked back to a local authority means that access control _is_ decentralised.