IT strategy @ UK.gov

In 1963 Prime Minister Harold Wilson gave Britain a vision of a new era forged in the ‘white heat’ of technology. Forty years on, Tony Blair seeks to apply that technology to transform the way government interacts with its citizens and with itself.

In 1963 Prime Minister Harold Wilson gave Britain a vision of a new era forged in the ‘white heat’ of technology. Forty years on, Wilson’s political heir, Tony Blair, seeks to apply that technology to transform the way government interacts with its citizens and with itself.

Never mind the privacy and data sharing issues that lie at the heart of the proposed transformation. In government IT, the chief risk is a shift in direction of the political wind. When newspaper headlines drive policy, expect choppy seas.

The British public sector spends some £14 billion a year on IT projects. This is about 2.5% of the £552 billion total Chancellor Gordon Brown budgeted to spend this financial year. As the government forges ahead with its e-government plans, spending on IT, as a percentage of the national budget, is likely to rise (see sidebar, ‘Lies, damned lies, and accounts’).

In recent years, the government didn’t seem to get much value for money. The litany of IT disasters felt endless: passports, magistrates’ courts, child support, tax credits, car licences, education, farm payments, job centres, the police. Even some systems that seemed to be working, such as those in the Home Office, are “unfit for purpose”, says the new Home Secretary, John Reid. To be fair, perhaps the purpose has changed.

The cost of these failed systems runs into hundreds of millions of pounds; the degradation of services promised but not delivered was embarrassing, and the distress to individuals as a result of the failures has damaged their trust and goodwill towards the government.

In the private sector, the financial director would have drawn the purse-strings and heads would have rolled. The consulting firm Accenture has contracts with the National Health Systems’ National Programme for IT (now called Connecting for Health) worth at least £2 billion. Reporting its latest financial results, Accenture CEO William Green said, “During the quarter, several issues increased the risks and uncertainties associated with the NHS contracts and affected our estimates of the expected contract revenues and costs. Under GAAP, we were required to record this provision to reflect these new circumstances.”

iSoft, the former KPMG consulting arm that is Accenture’s partner for the NHS business, extended the time over which it recognises revenue. As a result profit forecasts fell from £17m-£22m to £3m-£7m. When its share price slid from 400p to 50p in response, it sacked its CEO Tim Whiston.

Such public recognition and punishment of poor performance hasn’t happened in Whitehall, at least not that anyone noticed.

It may prove harder to sweep similar public sector disasters under the table in future because two proposed multi-billion pound systems have hit the headlines and stayed there. These are the NHS’s Connecting for Health programme and the proposed biometric identity card. Government needed to be seen to be reining these in with a firm stand.

Government should know better
It’s not that the government wasn’t aware of problems with large IT projects: on the contrary. And it knows what to do, at least in theory. The Office of Government Commerce, part of the Office of the Deputy Prime Minister (now called the Department of Communities and Local Development), has documented what makes projects go wrong (see table). It applies these benchmarks in the Gateway Review process it uses to assess government IT projects, ideally before contracts are signed.

The problem is, a spokesman said, that departments have to invite the OGC’s Gateway reviewers to run their eyes over the plan. But they don’t have to accept their verdict or follow their recommendations. “Gateway reviews do not have a function to allow/disallow projects to proceed, but simply make recommendations to the SRO (senior responsible officer) that will maximize the project’s chances of success,” the spokesman says. So, there is no head-on-block sanction against failure, nor is there a formal automatic measurement and review process.

The OGC says ‘465 projects and programmes that are recorded as ‘IT-enabled’ have undergone one or more Gateway reviews (these are Central Civil Government only)’. But it was unable to provide details of their capital or running costs.

The OGC’s parent body, the Department for Communities and Local Government, is also responsible for 22 national programmes for local government (see table, ‘Bang for the buck’). Here the relationship with individuals will be mostly more regular and more intimate than with anyone except the taxman.

The department says a study by consultancy Capgemini showed that just six of the projects would bring benefits worth £320m in saved costs, increase revenues by £60m while the improvement in services would be worth £1.3 billion. Better buying could save another £1.1 billion, and e-payments could save about £708m over five years, it claims. But it can’t or won’t say what return on investment that represents.

What of the future? In November 2005 the government published for comment a document called Transformational Government. This sets out a strategic view of how the government can apply information technology firstly to the benefit of citizens, secondly to improve its internal efficiency, and thirdly to boost its professionalism in delivering and managing IT projects.

In one of the 124 responses, the Home Office’s John Golding said, “Part of the problem with government IS (information systems) projects is the complexity of policy: generally government policies and solutions are vastly more complicated than private sector ones and we tend to pay, train and recruit less well and then we wonder why government is poor at delivery. But complex policy is seen as good and subtle and the rewards for developing it high, while the rewards for developing achievable policy are zero.”

The government later issued an implementation plan that sets out a number of tasks, responsibilities and a timetable. There are two fundamental issues. The first is the secure and unmistakably unique identification of individuals and legal entities such as businesses. The second is agreement of the rules that govern what information government may legitimately collect and share about these uniquely identified individuals.

David Lacey started in infosecurity in the 1980s with firms like Royal Mail and Shell. He helped to develop the BS7799 standard, and is a founder of the infosecurity standards setting body, the Jericho Forum. Lacey says the government faces a difficult balancing act between data privacy and data sharing. “There is no quick solution. The balance underpins the whole concept, and if the people don’t trust it, well...”

The government is taking this very seriously. No fewer than three Cabinet Committees are addressing different aspects. Their respective remits are:

• To coordinate the government’s policy and strategy on identity management in the public and private sectors, and to drive forward the delivery of transformational benefits across government;
• To drive forward the government’s strategy for IT-enabled change in the provision of public services; to review delivery of departments’ programmes for making efficiency savings through e-enablement; and to make recommendations as necessary to the Committee on Public Services and Public Expenditure;
• To develop the government’s strategy on data sharing across the public sector.

Ian Watmore, the government’s former chief information officer, now heads the Prime Minister’s Delivery Unit. He is nominally responsible for making Transformational Government work. But he has to coordinate enough other cooks to make an alphabet soup of acronymed logorrhoeic committees (see table, ‘Alphabet Soup’).

Lacey notes that strategies are “aspirational”; what counts are action and delivery. He notes government’s preference for out-sourcing and thus reducing public visibility of its liabilities. He says, “There is a massive skills gap, particularly in managing out-sourced projects. (The government’s own project management system) Prince 2 is very bureaucratic and does not allocate responsibility to individuals. It is easy to lose that focused accountability among the committees that Prince 2 encourages. Delivering on this strategy will be like driving a bus without the steering column being connected to the wheels.”

Dennis Keeling, chief executive of the Business Application Software Developers’ Association (BASDA), is more sanguine. His members, mostly developers of accounting software, “have been e-filing (documents such as tax returns and year-end payroll reports) using the Government Gateway for six years. I don’t know of a single incident where security was compromised,” he says.

Keeling notes that there are stringent rules against data sharing. “For instance, there are times when we or the government can receive information but not send it on. Sometimes we cannot even say whether or not the data exists.”

He notes that the government has been “very guarded” about its intentions on identity and data sharing. Until his members have seen the government’s proposals, he is unwilling to comment. “However, I am satisfied that we have access to the highest levels should we need to discuss any related issue,” he says.

One of them might be the suitability of the National Insurance number as an individual’s primary identifier and index marker. Many governments and institutions have used a number, such as the US’s Social Security number or a credit card number, as the primary means of authenticating the individual to the institution.

It is no longer enough. Boston-based market researcher Aberdeen Group reports that the cumulative losses from identity theft, now suffered by tens of millions of individuals and businesses worldwide, rose 1000-fold from an estimated $221 billion in 2003 to $2 trillion in 2005. A US Federal Trade Commission study found that two-thirds of ID theft cases stemmed from stolen credit card numbers, and a Washington state survey found that one in nine families have been victims of ID theft. Some of them no doubt were affected by the theft of a laptop from a US Veterans’ Affairs staffer. It had the Social Security numbers and birthdates of 26.5 million ex-soldiers and their dependents.

As identity theft has risen, single factor authentication, such as a social security or ID number, has proven too vulnerable. Once stolen or otherwise abused, it is a skeleton key to that person’s entire documented existence.

Given initial problems with the credit card firms’ chip and PIN system, it seems inevitable that reliable authentication will have to integrate at least three factors. These could be a chip, a PIN and one or two biometric measures, and the data will be encrypted on-card and in transit. Moreover, readers will also have to test for the subject’s vitality. When the South African pensions department introduced a fingerprint reader to authenticate payments, at least one family used their deceased pensioner’s severed, pickled digit to continue to draw his pension.

As many commentators have said, multifactor authentication will be expensive. But people may resist this less than expected. In the US, several retailers and banks now authenticate grocery payments by reading shoppers’ fingerprints. More and more passports carry biometric data. And as more people suffer the consequences of having their identity stolen, pressure for more secure forms of identity is likely to rise.

Lies, damned lies, and accounts
There is at least one document that estimates the government’s spending on IT at £14 billion a year. But who knows what this bald figure really means?

In fact, the government may have performed some sleight of hand with the sums. The regulatory impact assessment of Transformational Government says “The public sector spends some £14 billion per annum on major IT systems.”

But the authors say their assessment specifically excludes “the impact of major change programmes already underway in the public sector, such as Connecting for Health; reform of the Criminal Justice System; the Harnessing Technology strategy in Education; the Local e-Gov programme; modernisation of the Defence Information Infrastructure and the Digital Strategy programme. Responsibility for RIAs for these programmes lies with the sponsoring department.”

It is thus unclear whether the £14 billion they refer to includes these other liabilities. It is also unclear whether it includes financial liabilities that may have arisen under the government’s Public Private Partnerships and Private Finance Initiatives. The reason for adopting these programmes was to move the liabilities “off-balance sheet”, in other words, to hide them from the public.

At the February meeting of the Public Accounts Commission, MP Austin Mitchell said to the Auditor General, Sir John Bourn, “You’ve brought to our attention the fact that 97% of health and local government projects are off-balance sheet.”

A Treasury spokesman said “We don’t recognise that figure,” and claimed the government’s total off-balance sheet liability is closer to 53% of the contracted value of the projects. The spokesman declined to say what the total is, but a Treasury document called the PFI Signed Projects List records about 750 projects from 1989 with a total value of £48.4 billion.

At least four of these are specifically IT projects. One is the Crown Prosecution Service’s 10-year contract for Compass, a national case management system; no capital value is given. HM Revenue and Customs ordered managed infrastructure services worth £14.3 million in 1999. When the contract was revised in 2003, the bill leaped to £156.0 million. In 2000 the Home Office spent £24.7 million on IT 2000 (Sirius). The accompanying note reads, “Home Office e-Business and IT project. OFF balance sheet. Believed to be 3rd party financed but no 3rd party rights within contract, as defined for PFI.”

Perhaps the Comprehensive Spending Review due in 2007 will be more enlightening.

 

Bang for the buck

The government is hoping for a 10:1 return on its investment in 22 so-called National Projects that make up the Local e-Gov programme.

For a budgeted capital spend of around £120 million it hopes to improve productivity and efficiency by at least £1.1 billion, says a spokesman for the Department of Communities and Local Government.

“Every prospective project prepared a business case prior to budgetary approval,” he says. He declines to provide details of costs and benefits, but says they were nevertheless collected.

“Whilst we have not attempted to summarize across the projects in terms of cost savings, time saved, etc, the outputs and work from the National Project programme were aligned with the delivery of 73 Priority Service Outcomes for local e-government by March 2006. (See http://www.localegov.gov.uk/images/IEG6%20Final%20Proforma_425.doc)

“Overall, the work of the DCLG’s Local e-Government Programme is forecast by local authorities to deliver £1.1 billion efficiency gains by 2007/08.


“Through the migration process for National Project programme work, 26 local authorities have now taken ownership of key products in order to sustain the modernisation and improvement process into the future.”


The projects are:
National Projects
Customer Relationship Management (CRM)
Digital TV (DigiTV)
e-Benefits
e-Citizen (Take-up & Marketing)
e-Fire
e-Pay
e-Procurement (NePP)
e-Trading Standards National (e-TSN)
Environment and Community Online Residents’ e-Services (ENCORE)
Framework for Information Sharing in a Multi-Agency Environment (FAME)
Knowledge Management
Local Authority Websites (LAWs)
Local e-Democracy
Local e-Government Standards Body (e-Standards)
School Admissions: eAdmissions and Pan London School Admissions
Planning and Regulatory Services Online (PARSOL)
Project Nomad (Mobile Technology)
Reducing Youth Offending Generic National Solution (RYOGENS)
Smartcards
Valuebill (Council Tax/Business Rate Valuation)
Workflow
Working with Business

 

Alphabet soup
Below are some of the bodies that have a hand in planning and executing the government’s forthcoming IT strategy.

The players
Sir David Varney, CEO, HM Revenue & Customs
Ian Watmore, PM’s Delivery Unit

The cooks
Prime Minister’s Delivery Unit
Cabinet Office
Office of the Deputy Prime Minister (now Department of Communities and Local Government)
Devolved Administrations (Wales, Scotland, Northern Ireland)
Chief Information Officer Council
HM Treasury
HM Revenue & Customs
Whitehall Shared Services Forum
Central Sponsor for Information Assurance

Documentary drivers
Capability Reviews
Comprehensive Spending Review 2007
Kelly Report

Executors
Service Transformation Board
Cabinet sub-committee on Electronic Service Delivery, PSX(E)
Committee on data sharing, Misc 31
Customer Group Director (Older People - CE of the Pensions Service)
Customer Group Director (Farmers - Director, Sustainable Farming Strategy)
Common Infrastructure Board
Information Assurance Policy Programme Board
Foreign and Commonwealth Office
National Hi-Tech Crime Unit (now Serious Organised Crime Agency)
National Identity Register
Department for Education and Skills
e-skills UK
IT Academy
Accreditors’ Forum (for infosecurity)
SFIA Foundation
National School of Government
Programme Delivery Director (Heavy-Hitter)

Governance
Service Transformation Board
Pan-Government Shared Services Board
CIO Council

Advisors
Chief Technology Officers’ Council
Common Infrastructure Board

Input providers
Department of Constitutional Affairs
National Archives
Government Social Research Unit
Departmental Communications and Marketing Units
Service Design Authority
Government Communications Group
Office of Government Commerce

Results delivery channels

Directgov
BusinessLink
Government Gateway
Government Connect
Government Secure Intranet
Knowledge Network
Geographic Information Panel
Intellect
Government IT Profession
Strategic Supplier Board
Corporate Development Group (Cabinet Office)
Improvement and Development Agency

Affected sectors

Education, Health, Home Office/Criminal Justice, Local Government
Department of Work & Pensions
Defence
HM Revenue & Customs
Multiple agencies (e.g. Dept of the Environment, Farming and Rural Affairs, Transport)
Rest of central government organisations
National Audit Office
Audit Commission

Key programmes

Skills Framework for the Information Age
National Programme for IT (now Connecting for Health)
National programmes for e-Gov
Professional Skills for Government
Common Assessment Framework (suppliers)
Common Assessment Framework (government)

Source: Transformational Government implementation plan 2006

 
