The general election has passed by, new ministers are in place, and so the Government Digital Service (GDS) is coming back out of its shell.
As it embarks on a new parliamentary cycle, GDS is a very different beast from the last time it emerged from election purdah – which was only 2015, of course. It has a different chief and an entirely different leadership team; it’s in a new location, Aldgate in London’s East End; and its language has changed too – the emphasis shifting from digital government to government transformation.
This week saw GDS reaching outside Whitehall for the first time since the election to push the government transformation strategy, launched back in February by then Cabinet Office minister Ben Gummer to “restore faith in democracy”. The strategy survives, even if Gummer didn’t – having lost his Ipswich seat, where clearly democracy was alive and well.
At a briefing for IT suppliers in London, GDS director general Kevin Cunnington went through some of his team’s priorities. Press weren’t invited to the event, but Computer Weekly has talked to some of the suppliers that attended.
Their view? They welcomed GDS reaching out to them after an extended quiet period, and said it’s good that Cunnington and team wanted to talk to suppliers and encourage their involvement in the strategy.
But they also said they didn’t learn much that was new, and left feeling there were more questions than answers – as one guest put it, they were more interested by what wasn’t said at the meeting.
In particular, the spectre of Brexit loomed large. According to our sources, Cunnington acknowledged that everything GDS expects to work on may have to be rescoped and reprioritised as the results of Brexit planning become clearer. GDS told delegates it is working with Whitehall departments to assess their digital needs in the light of Brexit negotiations.
The brutal reality is that almost everything GDS is working on remains pending those discussions.
Cunnington acknowledged some of GDS’s other challenges too – namely, historic under-investment in data, and a shortage of as many as 4000 people with digital skills across Whitehall. One delegate said Cunnington mentioned a figure of 1600 databases across government containing personal data of citizens, all in different formats, and the challenge of making all that data accessible and usable across government.
He said the new junior minister in charge of GDS, Caroline Nokes, had emphasised the importance of improving the citizen experience of digital services and making them more inclusive. The Conservative party election manifesto commitments on digital will be a particular area of focus.
But the suppliers we talked to were concerned at the lack of any mention of previous GDS policies for working with SMEs, or of the Digital Marketplace and G-Cloud procurement frameworks. There was also no talk about disaggregating existing outsourcing deals with the big system integrators. One delegate said the “mood music” in these areas seemed to be changing.
As Computer Weekly reported, suppliers also highlighted a certain naivety in GDS’s suggestion that they adopt GDS’s government-as-a-platform (GaaP) services within their own product offerings. Most suppliers already use commercial services that perform a similar function, and GDS’s inability to provide contractual guarantees around support or service levels makes it almost impossible for suppliers to persuade their clients to use the GDS tools.
GDS said the GaaP tools are receiving investment, and it’s clear there is pressure from above to rapidly increase adoption of the services across Whitehall, to justify the cost and effort of having built systems that critics argue could easily have been purchased on the commercial market to serve a similar purpose.
The shift of emphasis to transformation is welcome – it’s what GDS is meant to be about, after all – but questions remain about relationships with departments and the willingness of the biggest departments to work with GDS. Cunnington said that departments will be “encouraged” to work with GDS, and that he would take a “collegiate” and collaborative approach, said one source.
One supplier gave a notable summary of where GDS sits – digitising government websites and services was the “low-hanging fruit”, they said; but transformation is the big stuff, and it’s not yet clear what GDS will do differently to make that change happen.
Ask business leaders to state which industry they feel is being most disrupted by the digital revolution, and they are likely to list sectors such as retail, media, music, movies, entertainment, maybe banking too.
But one area going through the most rapid change at the moment is sport. In recent months Computer Weekly has written about examples of significant digital change in football, tennis, rugby, cricket, Formula One and cycling, to name just a few.
Consider Premier League football club Tottenham Hotspur (unless you’re an Arsenal fan, in which case that’s the last thing you want). Spurs are building London’s biggest capacity club stadium, at a cost of about £800m. Right from the start, the club is designing in the latest technologies to help engage with fans and improve the matchday experience for a tech-savvy generation.
Chelsea aren’t far behind (in tech terms, at least), recently announcing plans to create a high-capacity small-cell network at their Stamford Bridge ground.
At Wimbledon this year, IBM showcased its Watson artificial intelligence system to help tennis fans experience more of the action and get better insights into the matches.
The International Cricket Council set out to digitise the world of cricket after selecting Intel to roll out drone technology, connected cricket bats and virtual reality at the 2017 Champions Trophy one-day international series.
The Tour de France is using data capture from cyclists in harsh mountain terrains and remote French countryside to give unprecedented new insights into the highly tactical nature of elite road racing – in effect, pioneering an internet of things network delivering real-time data from complex off-network environments.
And under new owners Liberty Media, Formula One motor racing is talking about digital innovation such as real-time virtual racing against the actual drivers during a Grand Prix. Imagine watching Lewis Hamilton on a split-screen, as he races around Monte Carlo, with you on a simulator virtually competing against him on the adjacent screen. It’s likely this will happen.
Sports fans have become used to the reams of data used by broadcasters to bring greater depth and interest to their coverage, but now that data is increasingly being used to directly engage and involve supporters with their favourite events, as they happen.
If you’re not a sports fan, though – so what? Well, there are plenty of lessons here for IT leaders in any industry. The smart thinking in sport about how to use data, mobile and internet of things to engage with and grow their audience has parallels in any consumer-facing business – and in the public sector too.
Customers and citizens may not always be your biggest fans – but technology in sport might just hold some clues about how to change that for the better.
We are deluged with regulation, legislation and opinion on data protection and privacy these days, in a digital world where personal data is proliferating almost beyond control.
Enterprises are dedicating significant resources to preparation for the EU’s General Data Protection Regulation (GDPR), due to come into force in May 2018. It’s a hot topic in corporations and government; mentioned in any discussion around the internet and smartphones. You would think it’s impossible for any executive not to consider the privacy implications of decisions they make that affect the personal data they store about customers. You’d think…
But once more, we have a justified furore around a tech company, its client, and their lackadaisical attitude towards personal information. In the latest case, the Royal Free Hospital has been found to have broken data protection laws in an agreement that allowed access to 1.6 million healthcare records for Google’s DeepMind artificial intelligence subsidiary.
The information commissioner, Elizabeth Denham, got right to the point in saying, “The price of innovation does not need to be the erosion of fundamental privacy rights”.
Nobody would disagree that better use of medical data can help bring innovative new technologies to the benefit of patient care, but organisations can’t forget that the data they’re using doesn’t belong to them – it’s ours.
Royal Free and DeepMind issued suitable mea culpas, and stood behind legalese about the deal they had reached.
But at no time, so it seems, did anyone involved simply ask themselves, “How would a patient feel if they knew we were doing this with their data?” Applying simple common sense and human empathy would surely tell companies whether what they’re doing is right – before they get the lawyers involved to tell them if it’s also legal.
Without wishing to pick on the NHS, it does have form here. The controversial and now scrapped Care.data scheme to upload patient records from GPs to be used by medical researchers and pharmaceutical companies collapsed in 2016 after an outcry about public consent.
The lack of common sense shown in Care.data put back a genuinely beneficial use of medical data for years. Few people would argue against the likely positives for developing new medicines and treatments. But the scheme was run with so little consideration for the privacy and consent of people’s most sensitive data, that a backlash was inevitable.
It’s difficult to legislate for common sense, but in the increasingly controversial area of how our personal data can be used by companies and governments, it’s an attribute that needs to be applied at the start of every conversation.
I feel a little sorry for Caroline Nokes, announced this week as the latest minister responsible for digital government – the third to take on that mantle in less than a year. She’s clearly a diligent MP, ranked by MySociety in 2014 as the best MP for responding to constituents. She’s been involved in Parliament with issues she clearly cares about.
But her appointment has received a broad and general response from digital government observers of, “Really? Who?” Her former role as chief executive of the National Pony Society has led to inevitable gags about the state of digital as being a bit pony.
Before the election, the respected Institute for Government called for a digital minister to be appointed, with the experience and gravitas needed to drive through digital transformation. Computer Weekly issued a similar call, as did others.
So when Nokes was confirmed as being responsible for the Government Digital Service (GDS), the disappointment was justified. For one thing, hers is now a junior ministerial position, effectively a demotion in authority after Cabinet Office minister Ben Gummer and his predecessors Matt Hancock and Francis Maude. There is no evidence on her CV of any experience of digital or technology.
And given her previous role as a minister in the Department for Work and Pensions (DWP), where she worked for the now Cabinet Office minister and first secretary Damian Green – and with former DWP digital chief Kevin Cunnington running GDS along with several of his key ex-DWP lieutenants in his leadership team – there’s a perception that DWP has won its long-running battle with GDS.
Let’s not forget how poor relations between DWP and GDS once were. DWP actively lobbied for GDS to be broken up after its former chief Mike Bracken left. When GDS was awarded a £450m budget in the November 2015 spending review, a senior DWP civil servant told GDS leaders they had taken his money and he would get it back. More recently, civil service chiefs had to broker a ceasefire and put processes in place to help the two organisations work together more productively.
So overall, Nokes starts – from the perspective of outside observers at least – on the back foot, with much to prove. Every one of those observers would, for sure, be very happy to applaud her if she proves to be the able minister that GDS so sorely needs.
In the spirit of wishing her well, here are Computer Weekly’s suggestions for some of the priorities that she needs to address in the early days of her new job.
Is the government transformation strategy, launched in February by Gummer who hailed it as a way to “restore faith in democracy”, still going ahead in its current form? If so, Nokes needs to be clear on how it is to be funded, and to turn a worthy strategy with little detail into a more detailed implementation plan, with clear priorities, targets and milestones.
Clarify the role of GDS and its funding
The unexpected general election prevented the Public Accounts Committee from conducting an investigation into GDS after the highly critical report from the National Audit Office in March. As such, GDS has also been protected from responding to the report, which highlighted numerous problems with GDS, not least clarification of its role and direction, and the limited uptake of several of its core projects.
For the sake of GDS, and for the progress of digital government, its purpose, priorities and plans need to be refocused. Is it an advisor, a standards-setting body, a startup-style disruptor, the lead digital developer, a consultant – or all of those, or some, or none?
In particular, questions around the budget for GDS need to be addressed.
GDS promised to deliver £3.5bn savings by 2020 in return for its £450m budget. The business case was predicated on three main programmes: £1.1bn of savings would come from Common Technology Services, which has been largely mothballed. Another £1.3bn was to come from government-as-a-platform services, which have received a lukewarm reception from Whitehall departments, and notably little take-up from the biggest departments that are needed to justify the business case.
And a further £1.1bn was to come from Gov.uk Verify, the increasingly controversial identity assurance scheme that is meant to have 25 million users by 2020 – it currently has only 1.3 million.
It seems extremely unlikely GDS will deliver the savings expected – so what does that do for its budget?
The future of Gov.uk Verify
Verify has become something of a lightning rod for critics of GDS – and not without justification. As the NAO pointed out, Verify has repeatedly missed targets and deadlines. Despite this, it was the centrepiece of the transformation strategy and was even included as a manifesto promise by the Conservatives – a reflection of Gummer’s belief in Verify, since he co-wrote the manifesto, before losing his seat in the election. And yet it is still not fully trusted by departments – as the NAO said, “Of the 12 departmental services connected to Verify as of February 2017, nine also allow access by other means”.
The target of 25 million users depends almost entirely on Verify being adopted by HM Revenue & Customs (HMRC) for its tax self-assessment service, which has 7.4 million registered users. HMRC clearly does not want to use Verify – but is being told by the Cabinet Office it has to use Verify instead of its own redeveloped Government Gateway online login system.
Several senior figures in digital government privately describe Verify as “a disaster”. Outsiders with knowledge of the Verify application say the software itself is a mess – even if it works. Identity experts have called for a pause in Verify to review the direction of identity assurance – it is such a critical aspect of delivering digital government, and yet outside of the Cabinet Office there seems to be little confidence in Verify as it stands.
Nokes needs to determine – perhaps as her first priority – what’s happening with Verify, and if it continues on its current path, how it will achieve the 25 million user goal.
Relationships between GDS and departments
People close to former Cabinet Office minister Francis Maude – the man who set up GDS and gave it its initial remit and responsibility – say he is disappointed that GDS’s role as a strong centre for digital government has been eroded since his departure.
Some digital leaders in large departments are privately said to feel they don’t need GDS, and often deal with it only reluctantly. They are pleased that the spend controls, which allowed GDS an effective veto over their digital projects, are being relaxed, giving them greater autonomy.
But such views are usually accompanied by a willingness to work with GDS if the relationship is right. I’m told that departmental digital chiefs used to have a regular meeting in a Westminster pub, and spent most of their time moaning about GDS and sharing stories about the problems they’d experienced.
However, some have since said that they can see positive signs since Cunnington’s appointment last year – himself a former departmental digital leader.
For example, they like Cunnington’s digital academy as a means to help train civil servants – although this is another area that needs clarity. Cunnington said in October last year that he wanted to open four new locations for the training centre, yet still there are only the two he brought with him from DWP. One insider described the London academy as little more than a meeting room above Fulham Broadway underground station. Investment in rolling out the academy programme would help cement relations with departments.
Much of this issue circles back to the wider need to clarify GDS’s role – but for the wider development of digital government to make progress, that relationship between the centre and the departments needs to be agreed and made to work.
Brexit and digital government
Brexit per se is clearly outside Nokes’ remit – although her boss, Damian Green, is closely involved. But Brexit will have a huge impact on plans for digital government – just think of all the IT systems that will need to be adapted or redeveloped to meet the new realities of life outside the EU. From customs and immigration systems, to farm subsidies, to the proposed new identity cards for EU citizens residing in the UK post-Brexit – there are many, perhaps hundreds of digital systems likely to be affected.
What takes priority? The realities of Brexit, or the goals of digital government transformation? Is there a better way to bring the two together to use Brexit as an opportunity to genuinely transform the state of government IT?
These, like so many others, are critical questions to address. We wish minister Nokes well – she has much to keep her busy.
In one throwaway line, largely ignored among the wider Brexit comments in his Mansion House speech today (20 June 2017), chancellor of the exchequer Philip Hammond exposed the true scale of the challenge for government IT over the next few years.
This is what he said:
“How do we achieve this ‘Brexit for Britain’? Firstly, by securing a comprehensive agreement for trade in goods and services. Secondly, by negotiating mutually beneficial transitional arrangements to avoid unnecessary disruption and dangerous cliff edges. Thirdly, by agreeing frictionless customs arrangements to facilitate trade across our borders – and crucially – to keep the land border on the island of Ireland open and free-flowing.
“To do this in the context of our wider objectives will be challenging. It will almost certainly involve the deployment of new technology.”
That last sentence is the killer. Note that “almost certainly” is a euphemism – it’s absolutely certain that Brexit will require new government IT systems in many areas, and significant changes to existing systems in others.
Hammond talked about customs – let’s look at that as an obvious example.
All movement of goods in and out of the UK is handled by an HM Revenue & Customs system called Chief – an acronym for “customs handling of import & export freight”. Chief collects some £34bn of tax revenue every year – it is a critical national system.
But it’s also 25 years old and can only handle around 60 million customs declarations per year. It was originally developed to run under the VME operating system on ICL mainframes – younger readers may need to Google “VME” and “ICL”.
As it stands, Chief is not fit for purpose in a Brexit world, and HMRC is already working to replace it. However, in March this year, the Treasury select committee said that confidence in the replacement system had “collapsed”.
According to then committee chairman Andrew Tyrie, the new system needs “to handle a possible five-fold increase in declarations that could occur when the UK leaves the EU. The consequences of this project failing, or even being delayed, could be serious. Much trade could be lost.”
Let’s look at immigration, another topic discussed by Hammond in his speech.
The current UK border systems centre on two main applications – Warnings Index, which is over 20 years old; and Semaphore, developed as a pilot project in 2004 but still used today.
A 2013 report by the independent chief inspector of borders and immigration found that Semaphore and Warnings Index were known to contain “critical system vulnerabilities”. A National Audit Office report in December 2015 found that Warnings Index “suffers from an average of two high-priority incidents a week”, including a component of the system not being available, or “30% or more of border control points being unavailable”.
A plan to replace both systems, the e-Borders programme, started in 2003 with the aim of improving the use of data to track people moving in and out of the UK’s borders. The programme was eventually scrapped in 2014 at a cost of £830m, four years after the then home secretary, Theresa May, cancelled a £750m contract for the IT project. The contractor, Raytheon, subsequently sued the UK government and won £224m in damages.
The programme has since morphed through at least one, possibly two further iterations. A smaller system for exit checks at borders went live in April 2015, but is not used everywhere. Exit checks will be critical to post-Brexit borders, because without them the government will not know who has left the country or when.
Indeed, the previous lack of exit checks has been cited as a factor that prevented the UK government from introducing EU laws that could have been used to limit freedom of movement without needing to leave the EU.
The Home Office is working on the eventual replacements for Warnings Index and Semaphore, which are clearly not fit for a new immigration regime outside the EU.
So there are two critical areas of Brexit – customs and immigration – already reliant on ageing IT, with ongoing and long-lasting problems in replacing them. And we don’t yet even know what our new customs and immigration rules will be.
Think of agriculture – the Department for Environment, Food and Rural Affairs (Defra), through its Rural Payments Agency (RPA), has seen two of the biggest IT disasters in its attempts to keep up with changes to EU agricultural subsidy schemes. Outside the EU, the UK government will need a whole new system to replace those subsidy payments to farmers.
That’s one major system at each of three departments – HMRC, Home Office and Defra. However, according to the Treasury committee, HMRC is also reviewing 24 other systems that may require changes to be ready for day one of Brexit.
Has anyone counted the number of existing government IT systems likely to be affected by Brexit? Has anyone made an assessment of the amount of work and resource required to adapt or redevelop new systems for Brexit? I don’t know the answer to those questions, but I’m willing to guess it’s a no.
Meanwhile, the government has committed to an ambitious transformation strategy, aiming to deliver vital reforms such as better use of data, identity assurance, an overhaul of back-end systems, development of more digital skills and creation of other cross-government digital platforms.
Whitehall departments are already straining to recruit enough IT and digital expertise to meet these existing plans – let alone what else might be needed to deliver the unquantified scope of Brexit-related technology.
Something has to give
If you take a positive view, Brexit is an opportunity to redevelop Whitehall IT systems and create a digital government infrastructure fit for the 21st century. Realistically, political pragmatism means that’s unlikely to happen – resources will be focused piecemeal where they are needed most, even if there is a clear opportunity to impose digital standards across any such new projects.
Something will have to give. We’ve already learned that plans to scrap costly and inefficient outsourcing contracts are being put back or shelved because of resource limitations. The civil service surely will not have the capacity to deliver new Brexit technology at the same time as existing plans for the digital transformation of government.
The time and resources needed to develop Brexit-compliant systems have to be a factor in any transitional deal that may be agreed to avoid the damaging “cliff edge” of leaving the EU, a risk highlighted by Hammond.
The next five years were already a critical time for the progress of digital government. As Hammond has unwittingly revealed, the pressure is going to be even greater thanks to Brexit.
While British Airways counts the cost of its May bank holiday system outage – £80m and growing so far – much of the datacentre industry has listened to the supposed cause of “human error” and thought, “Are you sure?”
Willie Walsh, CEO of BA parent IAG, said the problem was caused by an engineer disconnecting the power supply to one of its datacentres, before reinstating the power incorrectly, leading to a power surge that damaged equipment.
Most experts that Computer Weekly talked to felt this scenario was – or should be – near impossible in a modern, well-designed datacentre. Either there is more to the issue than has yet been revealed, or it reflects badly on the datacentre design or set-up at BA.
It smacks of an over-reliance on legacy systems – BA is believed to still have software written decades ago for ageing mainframes. Modernity costs money – sometimes it’s seen to be better to maintain the creaking status quo, at least until it becomes too expensive not to.
The UK’s big retail banks are notoriously reliant on extraordinarily complex legacy systems that would cost billions to replace or modernise. So far, only Royal Bank of Scotland has suffered the sort of catastrophic outage on a similar scale to BA – but you can bet that CIOs at the other high-street banks knew it could have been them.
Not all legacy systems are bad, of course. But maintaining legacy that is clearly a long-term hindrance to any organisation is a management decision, not a technical one. It cannot be long before large, well-established companies start to lose market share and fail to compete sufficiently because of their legacy systems – which will then become the root cause of the collapse of a business, not just the cause of an IT outage.
CEOs and CIOs at the sort of large organisations likely to be at risk rarely stay in the job more than three to five years these days – not long enough to have the courage or mandate to take on such an enormous task as overhauling all that legacy complexity. In some cases, it’s simply too big a problem for anyone to take on.
But many of the industries least affected by digital disruption so far are also those with the biggest legacy investments – banking, manufacturing, insurance, for example. When digital revolutionises those sectors – and it will – the legacy laggards will be in serious trouble.
Companies die – that’s inevitable. The FTSE100 in 1990 looks very different to today. But increasingly the factor that determines success or failure will be the managed withdrawal of the sort of legacy systems that remain all too common.
Amid all the chaos, recriminations and excitement on the morning after the General Election, the future of digital government is far from the minds of anyone other than those of us with a personal interest. But it’s worth remarking on one of the high-profile Conservative losses – Cabinet Office minister Ben Gummer lost his Ipswich seat.
No matter how the next government shakes up, this means we will have our third minister in charge of digital government in barely a year, after Gummer succeeded Matt Hancock in Theresa May’s prime ministerial coronation reshuffle in 2016.
It’s no coincidence that the progress of digital transformation across Whitehall has stuttered and stalled in the last couple of years, following five years of consistent leadership from the previous Cabinet Office minister, Francis Maude.
Staff at the Government Digital Service (GDS) will no doubt be nervous, after a year when they have already seen their entire leadership team replaced. Gummer was a big supporter of GDS. Will whoever replaces him feel the same way?
After all, any new minister will look at GDS’s books and wonder what is happening to the £3.5bn savings promised when the team was given its £450m budget in the November 2015 spending review. A big chunk of the business case – £1.1bn – was predicated on the Common Technology Services programme, which has been largely mothballed. Another £1.3bn was to come from government-as-a-platform services, which have received a largely lukewarm reception from Whitehall departments, and notably little take-up from the big departments that are needed to justify the business case.
In particular, Gummer was a big supporter of Gov.uk Verify, the GDS-developed identity assurance system – earmarked to provide a further £1.1bn of savings. He even made delivering Verify one of the Tories’ manifesto commitments, repeating the hugely ambitious target of 25 million users by 2020 that was first introduced in the government transformation strategy in February.
It’s difficult to find anyone in GDS willing – or allowed – to talk publicly about Verify, but they are still recruiting people into the team, which suggests confidence in its future. It’s very easy, however, to find people outside GDS willing to label Verify as a disaster. Even before the election there was speculation that Verify could be merged with the Government Gateway programme at HM Revenue & Customs – a move that Gummer arguably might have resisted. It’s too soon, of course, to say that his departure would make it more likely.
Judging by early indications, one thing the election result tells us is that young people have engaged with politics in huge numbers. When he launched the transformation strategy, Gummer said he believed that digital could “restore faith in democracy”. Certainly that younger generation will be expecting their government to engage with them using the digital means they consider routine in the rest of their lives.
It is, of course, far more important to get a functioning government in place, one that can address the many economic and global challenges the country faces. But however that comes to pass, any new administration needs to understand that significant and urgent decisions are needed on the future progress of digital government.
You would expect, of course, that a publication such as Computer Weekly would call on whoever wins the 2017 general election to put the digital economy on its list of immediate priorities.
While the Conservatives, Labour and Liberal Democrats all made important digital promises in their manifestos (the SNP made barely any mention other than a paragraph about broadband roll-out) there will never be an election more timely and vital for the UK’s place in the digital revolution.
As the most international of industries, technology must be at the heart of the UK’s post-Brexit economy if we are to retain any leading role on a world stage. We have an opportunity to plan for the digital economy of the 2020s, not simply to continue among the mass of followers reacting to digital change and not leading it.
That means an education, skills and training programme to prepare the workforce at all ages and career stages for the increasingly central role technology will play in the way we live and work in 10 years’ time. Alongside that, there need to be employment laws that reflect the changing nature of work while protecting the rights of workers who seek a living through firms that operate in ways that were impossible to conceive in the industrial age.
It means putting in place a security and regulatory environment that allows innovation to flourish and attracts inward investment through a safe but open tech environment that allows startups and small businesses to compete and thrive alongside their more established rivals, while respecting an individual’s control and privacy over their own data.
It requires as a minimum a broadband and mobile network infrastructure that is regarded among the world’s best – not simply one that compares favourably to European laggards.
And it needs a government that engages with citizens and delivers public services using modern, digital methods that enhance the ability to adapt policy and services in a faster changing world than current public sector IT could ever cope with.
Not much, then.
The next 10 years are when the leaders in the digital revolution will be established – it is still early days, and there will be much greater technology-led social change in the next 20 years than in the last 20.
No government has yet put digital at the heart of its administration. Policy is split between different departments, ministerial responsibility is shared, with co-ordination seeming patchy and inconsistent.
Whoever wins the election, it’s now time to appoint a digital minister, with a seat at Cabinet, and the accountability and authority to put the UK at the forefront of the global digital revolution.
It’s easy to read too much into any party election manifesto, but the Conservatives’ plans – should they win the election, as the polls suggest they will – offer plenty of scope for speculation around the next steps for digital government.
Cabinet Office minister Ben Gummer was closely involved in writing the Tory manifesto, and his hand is certainly apparent in the recognition of digital being highlighted as one of the “five great challenges” faced by the UK over the next five years. Gummer is, after all, a man who sees digital transformation as a means to “restore faith in democracy”.
It will be interesting to see how the timing of the election affects the Government Digital Service (GDS), which sits at a crossroads in its evolution, after being heavily criticised in March by the National Audit Office and told by the watchdog that it needs to redefine its role.
Nine months into his reign, GDS chief Kevin Cunnington has completely overhauled his leadership team. Insiders suggest the changes at the top have not fully filtered down to the troops, but the start of a new parliamentary cycle offers an opportunity to drive forward afresh.
Cunnington is redefining the scope of GDS’s responsibilities – in particular, much of the legacy of former CTO Liam Maxwell is slowly being dismantled.
The role of CTO itself appears to have been abandoned, with no apparent prospect of a replacement for Maxwell’s successor, Andy Beale, who left GDS earlier this year.
The Common Technology Services (CTS) team – set up to roll out better technology for civil servants and to advise departments on ending their large outsourcing deals – has been mothballed, according to several sources, now that its director, Iain Patterson, has left. CTS is continuing certain existing projects, but not taking on any new work, say sources, who claim that Cunnington never saw CTS as part of GDS’s future.
It’s worth noting that as part of the £450m budget GDS was given in the 2015 spending review, the CTS programme was projected to deliver £1.1bn of the forecast £3.5bn savings to be achieved in return.
Computer Weekly asked the Cabinet Office to confirm the status of CTS, but they were unable to comment due to the “purdah” rules that prevent Whitehall discussing future government plans during an election period.
Meanwhile, Maxwell’s other big initiative, spend controls – responsible for a significant portion of the savings GDS claims to have made from government IT costs – has been watered down, handing greater control back to the departments the policy was intended to rein in.
The Tory manifesto gives only a few clues as to where GDS – and wider digital government plans – go next. Much is simply repeating the past.
“We will create a new presumption of digital government services by default”, it says – replacing the old and presumably identical presumption that’s been in place for the last five or six years.
“We will publish operational performance data of all public-facing services,” says the document – presumably that’s the Gov.uk Performance Dashboard that’s been around for some time.
There are references to open data, publishing more information online, and rationalising the use of personal data – which presumably tee up the imminent appointment of a chief data officer (CDO), for which recruitment has been underway for a few months.
Notably, sources suggest the new CDO will also be positioned outside of GDS.
A few eyebrows were raised to see a specific commitment in the manifesto to Gov.uk Verify, the sometimes controversial online identity assurance scheme. Plenty of outside observers have questioned progress on Verify, some calling for a formal review, but minister Gummer clearly remains a strong supporter.
Perhaps the most interesting manifesto line, in the context of digital government, is the most vague: “We will incubate more digital services within government and introduce digital transformation fellowships, so that hundreds of leaders from the world of tech can come into government to help deliver better public services.”
The use of “incubate” is interesting – past manifestos might have used the word “develop”. Does this suggest a desire to push more development out to suppliers?
What exactly is a “digital transformation fellowship”? Given that so many IT contractors have stepped back from government IT work after the April reforms of IR35 tax laws, is this simply a way to bring them back? Is it some new status of employment that allows Whitehall to pay private sector market rates for IT professionals to get over the limits imposed by civil service pay structures?
Cunnington has been leading a review of digital jobs, skills and pay structures, so perhaps this is one of the fruits of that work.
We can conclude with some confidence that work on Verify and other common platforms will press ahead after the election, but we will have to wait to see whether there are further changes in the structure and delivery of digital government.
In all the debate about the NHS ransomware attack, much has been made of a government decision in 2015 to end a contract with Microsoft to provide support for the ageing Windows XP operating system that was widely in use across the NHS at the time.
Continued use of XP has been highlighted as one of the factors that enabled the ransomware attack – although the bigger issue is the lack of discipline in patching newer versions of Windows, which allowed the attack to target PCs that lacked a fix for a known bug, even though that fix has been available for two months.
The XP support deal has even become a political issue, with Labour criticising the Conservatives for “cancelling” support for XP. The truth is very different, and sheds light on the deep organisational and structural issues within NHS IT that made a cyber attack on this scale inevitable. It also raises questions about how the prevailing political ideology directing the NHS contributed to the situation.
Computer Weekly has talked to several people directly involved with the decision not to renew the original 2014 support deal with Microsoft – they have asked to remain anonymous – but they provide insights into why the NHS was uniquely vulnerable to this attack.
A purely commercial agreement
The £5.5m XP support contract with Microsoft, signed in 2014, was trumpeted by the Crown Commercial Service (CCS) and the Government Digital Service (GDS) as a helping hand for public sector organisations that had yet to migrate off XP – the end of support had been flagged for years, and Microsoft had long encouraged users to upgrade to newer versions of Windows.
However, the contract was purely commercial – a volume pricing agreement. It added no new capabilities for XP support to that which individual government bodies already had. CCS simply negotiated a pricing deal – a volume discount – to take advantage of the large number of XP support contracts already in existence, and thereby to reduce the overall cost to the government IT estate.
GDS used this opportunity to put pressure on laggards to upgrade XP, saying effectively they had one year left to do so. GDS, however, had no mandate or ability to force any organisations to upgrade.
A year later, CCS proposed a renewal of the deal, but this was turned down by a group called the Technology Leaders Network (TLN), which was set up by GDS for tech chiefs across Whitehall to collaborate and, where appropriate, make collective decisions on IT policy.
What’s important is this: the TLN did not cancel support for Windows XP. They decided to end the volume pricing deal, leaving any organisation still using XP to continue with XP support if they chose to do so. This was clearly communicated to affected departments.
The tech leaders felt the volume pricing deal was acting as a “comfort blanket” for laggards who would prefer – for their own local reasons – not to have to worry about upgrading from XP. There was never a central decision to end support for XP – any such decisions were left entirely to local decision-makers.
Relations between GDS and Microsoft at the time were also not good. Microsoft was reeling from GDS decisions around open standards that threatened the supplier’s dominance of government IT. GDS, in turn, felt Microsoft was behaving badly, unnecessarily playing hardball in its commercial relationship.
The extended support deal already had fees set to double every six months after April 2014 until April 2016, when those charges would have been renegotiated.
The contract agreed by CCS in 2014 was purely about saving money – not about extending support for XP beyond what was already in place. Its cancellation was not about ending support for XP, but purely about putting responsibility for the decision to pay for XP support back on those people who still used the system.
Every one of the tech chiefs agreed to the decision to end the contract. Each took responsibility for ensuring any XP users in their departments were fully aware of the implications.
Furthermore, GCHQ had advised the TLN that the XP support deal was practically worthless in terms of protecting XP users from IT security vulnerabilities. While the contract covered the availability of critical patches for XP, GCHQ said there were so many vulnerabilities in the ageing software that even those critical patches would never be enough to protect users.
GCHQ was well aware that XP was, and would remain, an insecure and vulnerable system whether there was a support deal in place or not.
IT governance in the NHS
Crucially, however, while the Department of Health (DoH) was represented in the TLN, the NHS was not. GDS had no governance role over IT in the NHS. The DoH tech chief told the meeting he could not take a decision on behalf of the NHS – although clearly he could communicate the decision.
The NHS, meanwhile, was still grappling with the reforms introduced by the 2012 Health and Social Care Act, which controversially separated decision-making powers in the NHS, and removed legal responsibility for healthcare from the secretary of state for the first time. NHS organisations were effectively federated, with greater local control over budgets and decision-making, delivering services “commissioned” by GP-led Clinical Commissioning Groups.
As a result, there was no longer any central organisation with responsibility for IT in NHS trusts. The Health and Social Care Information Centre (HSCIC) – now NHS Digital – is responsible for certain central issues, such as data standards, managing the run-down of contracts from the failed National Programme for IT, and driving digital transformation. HSCIC had no responsibility to set technical standards for IT across the NHS, in the way that GDS was able to do across Whitehall.
GDS was worried enough about this situation that it met with then DoH minister George Freeman, to emphasise the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.
One source claimed that secretary of state for health Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in such a heavily federated NHS organisation, but it was never a priority at that level. “Hunt never grasped the problem,” said the source.
As a result, accountability for IT standards – including security – varies widely in the NHS. Not all trusts have a single person with responsibility for IT on their board. There is no way to know whether trusts include information security on their risk registers unless they choose to publish them.
As Computer Weekly has reported elsewhere, there were further warnings about the security risks to the NHS, including from national data guardian Fiona Caldicott, and from CareCERT, the NHS Digital organisation that now co-ordinates IT security activity across the health service.
But ultimately, decisions and priorities are set locally by managers in each NHS organisation. As we now know, there were plenty who failed to recognise the cyber security risks they faced, and only now has the inevitable end result been made painfully apparent.