Last updated:

30th December 2024

See answers to previous information requests

How to search

  • Select a year and/or a month from the drop down list
  • Type a subject into the 'Subject keyword(s):' search (Optional)
  • Click 'Search' button
     

Alternatively click 'View' to browse through all received requests. 

This search is for our information requests from September 2020 onward. 

Sigital systems processing children's data

Request ID
22123
Date Received
Details

See notes

Notes
Date

I am requesting the following information under the Freedom of Information Act 2000. Where a question concerns a data protection document, I also ask that you treat it as a request to confirm the existence and status of that document. If any part is refused, please cite the specific exemption and provide the public-interest reasoning.

Systems and suppliers
1. Please list every third-party digital system the authority uses to process the personal data of looked-after children and/or children with Education, Health and Care Plans (for example ePEP Online, EHCP Online, or equivalent), naming the supplier and the start date of each contract, including any predecessor contracts before the current one.

2. Please state the procurement route used for each system (for example the Crown Commercial Service G-Cloud framework), and describe the due diligence carried out on the supplier's security claims at procurement.

3. For each supplier, please provide the security accreditations the authority relied upon (for example UKAS-accredited ISO/IEC 27001, Cyber Essentials Plus, NHS Data Security and Protection Toolkit), and describe how those accreditations were verified.

4.Please provide the total sums paid to each supplier in each financial year since the first contract.

Data protection governance
5. For each system, please provide the Data Protection Impact Assessment (DPIA) and the date it was completed and last reviewed. If no DPIA exists, please confirm this.

6. Please state the lawful basis under Article 6 UK GDPR, and the condition under Article 9 for processing special-category data, relied upon for each system.

7. Please provide the privacy / fair-processing information (Articles 13–14) given to children, parents and carers that names these systems and suppliers, and state when it was last updated.

8. Please confirm whether any independent penetration testing or security audit of each system has been carried out, and provide the dates.

9. Please provide records of any personal-data breach, complaint or safeguarding concern relating to each system.

10. Please state whether any child-facing communication feature within a system (for example a chat or messaging module) exists, and if so whether and how it is monitored.

AI and automated processing
11. Please list any artificial intelligence, machine learning or large language model tools used in children's services, adult social care, or in the processing of residents' data, naming the tool and supplier.

12. For each such tool, please provide the DPIA and state whether an Article 22 (automated decision-making) assessment was carried out, and what human-review safeguards apply.

13. Please state whether any personal data is transferred to, or accessible by, the supplier of any AI tool, and whether any data is transferred outside the UK.

Reorganisation, integration and accountability
14. Please confirm whether any children's services data systems are being merged or integrated as part of local government reorganisation, devolution, or any 'single view of the child' / data-sharing programme, and whether a DPIA and a Best Value assessment have been completed for that integration.

15. Please state which body the authority considers responsible for assuring the security and compliance of third-party systems processing children's data.

16. Please provide any data-sharing agreement between the authority and an Integrated Care Board (ICB) or other partner concerning children's data.

Give website feedback