Less than a week after Cabinet Office minister Ben Gummer announced the new government transformation strategy, its central premise is already in question after HM Revenue & Customs (HMRC) rejected one of the core systems at the heart of the digital plan.
HMRC has been in a fight with the Cabinet Office for months over the use of Gov.uk Verify, the online identity assurance service being developed by the Government Digital Service (GDS) as the standard ID platform for the public sector.
Verify is central to the GDS plan – Gummer set a target of 25 million users by 2020 in the new strategy. GDS’s vision of digital government starts from the basis that every citizen who wants to transact online with public services will use Verify to prove who they say they are. GDS is so confident in the system’s eventual ubiquity that it is courting banks, e-commerce companies and local authorities to take part.
But Verify has now been rejected by the department with the biggest single base of online users. The fight is over and HMRC has declared independence.
A blog post published by HMRC programme director Mike Howes-Roberts reveals that the taxman is going its own way and will not be using Verify.
“HMRC is developing its own identity solution for individuals, businesses and agents. Other departments will use Gov.uk Verify for all individual citizen services,” he wrote.
[Update 1: 14 February 3.45pm – The above quote has mysteriously been erased from the original HMRC blog post since this article was published – the screen grab below shows the original version]
Howes-Roberts added: “We’re exploring options around other government departments also using this replacement service. This would be restricted to business and agent-facing services only as Cabinet Office requires all other departments to use Gov.uk Verify.”
The “replacement service” Howes-Roberts refers to is the successor to the Government Gateway – the identity system used by HMRC for tax self-assessment and business tax submissions, which is also at the heart of the Making Tax Digital project. Gateway was introduced in 2001 and is being phased out by March 2018 – it’s old and antiquated and needs replacing, but GDS intended that replacement to be Verify.
Gateway has survived many attempts to phase it out, but has continued to be used for so long for a very simple reason – it works.
Howes-Roberts says that Gateway supports 123 live digital services across government, 406 million identity authentications a year, and has more than 50 million active accounts.
Compare that with Verify, which after nearly five years of development has just 1.1 million users, has been used for 2.6 million authentications, and is used by only 12 online services – and five of those are HMRC services where Verify has been tested against Gateway and, it seems, has lost.
HMRC has continually sidestepped GDS over Verify. One well-placed source told me late last year that HMRC CEO and permanent secretary Jon Thompson told GDS chief Kevin Cunnington that his department had rejected Verify after another attempt to prove that Verify was the better option.
The same source also suggested that HMRC is working on its own version of Gov.uk Notify – the GDS platform for electronic status notifications – despite being told by the Cabinet Office that it should not.
Presumably, Gummer knew about HMRC’s intention when he launched the transformation strategy last week, and still believes that Verify can expand to 25 million users over the next three years – but surely that figure assumed HMRC’s users would be migrated to Verify?
The next largest government service on Verify should be Universal Credit – but that won’t be fully rolled out until 2022. Trials are underway with local authorities, but Whitehall has no power to mandate use of Verify to councils – clearly it can’t even mandate to its own departments.
And will banks and online companies really adopt Verify at scale, if even the government’s own biggest potential user has rejected it?
HMRC’s main issue with Verify has always been that it is only intended for individuals to use, whereas Gateway also offers ID assurance for businesses and intermediaries (such as accountants who file tax returns on behalf of clients). GDS has stubbornly refused to expand Verify for use by organisations as well as individuals – a decision that may prove to be a fatal flaw.
It is patently stupid – not to mention a huge waste of money – for government to maintain multiple identity systems for citizens to use when accessing public services. For the greater good, someone has to lose face and take the inevitable flak. If HMRC is developing a successor to Gateway with a user base nearly 50 times that of Verify, why not simply re-use the HMRC system across government?
It would appear that the Gateway replacement is already going to be used across Whitehall for businesses and intermediaries – but with Verify used everywhere except HMRC for individuals. Seriously, who thinks that makes sense?
Gummer talked last week about the importance of “culture change” and “collaboration” in delivering digital transformation across government – and he acknowledged that GDS and departments need to work better together. “When money is tight people have to look for new ways to do things, so it encourages reform. It encourages a degree of collaboration which is new,” he said.
If money is tight, it’s plainly nonsensical to develop two systems for the same purpose. If Gummer has failed to get the biggest potential Verify customer on board, what does that say for future attempts to promote collaboration and shared platforms? If culture change is needed, perhaps the culture in the Cabinet Office must do so first.
GDS needs to swallow hard and change course over Verify, no matter how much it feels let down by HMRC’s intransigence. The new transformation strategy promotes the idea of shared platforms, developed for use across government, and it encourages departments to share platforms wherever possible. GDS doesn’t have to build everything itself – and it doesn’t want to.
If HMRC is developing a new pan-government shared identity platform, it should become the standard. Let’s even call it Verify – that way you don’t have to reprint the new transformation strategy.
Update 2: 15 February 11.30am: After the HMRC blog post was amended, HMRC provided the following statement to Computer Weekly: “HMRC is committed to Verify as the single identification service for individuals and is fully focused on delivering this. The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives.”
It’s worth noting that this line is almost the exact opposite of what was originally written in the blog post.
The long wait for the new government digital strategy may have caused frustration in some places, but clearly within the Cabinet Office the extensive delays have brought expectations to a peak of frenzy.
The plan – now renamed the government transformation strategy – is billed as “the most ambitious programme of change of any government anywhere in the world” by minister Ben Gummer.
It will be carried out “at pace and scale”, said Government Digital Service (GDS) chief Kevin Cunnington, and will “deliver meaningful change to the people who need it most, faster and more efficiently”.
Moreover, the strategy will “restore faith in our democracy” and fix “the interface between government and the people [which] has become increasingly fraught”, according to Gummer.
Wow. Who needs elections?
In a masterpiece of mixed metaphor, Gummer further went on to label Cunnington, the man charged with leading this once-in-a-lifetime democratic transformation, as the “Che Guevara of digital”.
This is all lovely rhetoric for journalists to chew on, but to paraphrase one of Cunnington’s predecessors, the strategy will be judged on delivery. Let’s not forget that GDS told us in 2013 that it had “400 days to change government”. This is not the first time we’ve been here.
There is little in the objectives of the strategy to criticise – as a statement of where digital government is in the UK, and where it now needs to go, it makes perfect sense.
The plan identifies five core areas: a back-office technology overhaul; developing digital skills; better IT for civil servants; better use of data; and creating shared platforms.
None of these are new, none of them are easy. All of them have – in some shape or form – been tried before, and have yet to be delivered. So perhaps the key question for this strategy is not what it aims to do, but what it will do differently to make it happen.
The plan is peppered with statements like “culture change” and “collaboration”. Gummer admitted publicly for the first time that troubled relations between GDS and departments – especially the Department for Work and Pensions – have been a hindrance in the past that has to be rectified. To his credit, admitting past problems is the first step to overcoming them, and he’s working on that.
Within each of those five core areas you can write a long list of challenges to overcome, raising questions about the feasibility of delivering the transformation strategy by 2020, its stated aim.
But the one hurdle that more than any other stands in the way of success is the same issue that has frustrated GDS leaders for years – the inertia and cultural resistance to change of the siloed and institutionalised civil service structure.
Gummer understands the problem and hopes that the need to save money and deliver on departmental plans will mean his strategy receives a positive welcome across Whitehall. We have to hope he is right, this time. One of his recent predecessors, Francis Maude, forced departments to work with GDS by bashing heads together – Gummer seems more collaborative – but once Maude left, the civil service reverted to type.
The ambition in the strategy is to be welcomed, but perhaps its biggest flaw is that it is not ambitious enough, nor transformational enough.
Former digital economy minister Ed Vaizey said what many people are thinking, in an interview with the Institute for Government published the day before the strategy was launched.
“I would completely re-engineer government. I would abolish government departments, I would have government by task,” he said.
If you really want to transform government through digital means, Vaizey is right – you do away with existing structures and hierarchies and start from the question of what is best for the citizen.
GDS – and the strategy itself – stress the importance of “user need”. But user need is still defined by the requirements of the civil service first, not of citizens. When developing a new digital service – choose one, whether carer’s allowance or Universal Credit or digital tax or any other – “user need” starts from the perspective of the department that owns the service and how its delivery is structured internally.
If you really start from user/citizen need, you don’t have fixed departmental structures. You start from how a citizen wants to interact with public services – and add the fact that for most citizens, that includes local government.
In reality, the transformation called for by the new strategy is a transformation in the way Whitehall departments work together – with the important digital stardust sprinkled on top – and little more. It relies on departments being nicer to each other (and to GDS) than they have at times in the past. It needs the Treasury to allow departmental budgets to be shared, and permanent secretaries to be incentivised to look beyond their role as accounting officer, and to be jointly responsible for delivery of services that are integrated between departments, not siloed within them.
That’s not a fundamental top-to-bottom, root-and-branch transformation of the way government engages with citizens, by any measure. It’s more of a “come along now, chaps, let’s all play nicely” strategy. But perhaps for Whitehall, that really would be a transformation.
If GDPR compliance is not near the top of IT leaders’ priorities for 2017, you have a problem.
GDPR – the European Union’s General Data Protection Regulation – was always going to be a major challenge, given that it widens the scope of issues that organisations need to consider when planning their data strategy.
GDPR introduces mandatory data breach notification for the first time; it brings higher penalties for non-conformance; strengthens citizens’ rights and the rules around obtaining consent to gather and exploit personal data; and it stresses the importance of self-assessment in managing data.
The law comes into force on 25 May 2018 – now less than 14 months away. If you’re in the UK and were hoping that Brexit means you don’t need to worry – think again.
For a start, the UK will still be in the EU by the deadline, so it will be law in the UK too. GDPR is not only for organisations located within the EU area – it covers the use of personal data about EU citizens by anyone, anywhere in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you risk being prevented from trading with the EU.
Moreover, despite all the uncertainty about Brexit, the UK government has quietly confirmed that it intends to introduce new data protection legislation that exactly mirrors GDPR, even after we leave the EU.
The move, announced by digital economy minister Matt Hancock this week, will go some way to alleviating concerns about cross-border data flows post-Brexit. Public debate about the future relationship between the EU and UK concentrates on exports, customs, immigration and trade – glossing over the fact that perhaps the most important exchange that will need to continue is data.
Data, essentially, is what the City moves – not bank notes. Online shopping – it’s all reliant on data, especially when you consider that buying from Amazon, to quote just one example, means trading with a company in Luxembourg. Every UK tech startup or internet business that gathers identifiable data about its visitors needs access to data that flows freely across international borders.
Trade in data is central to the future of the recently announced UK industrial strategy that highlights the importance of science, technology and innovation to economic growth outside of the EU.
For IT leaders, GDPR compliance is going to be essential, but a burden. There’s a lot of work to be done. If you haven’t started already – get moving.
The mere existence of an industrial strategy for the UK – especially one that prioritises science, technology and innovation – is a hugely positive step for everyone in IT. But it’s nowhere near enough – yet – to put in place the foundations to ensure the UK tech sector thrives through Brexit and beyond.
IT is, by its very nature, an international industry. As trade body TechUK pointed out, the UK IT sector is heavily dependent on EU relationships, and anything that makes such partnerships more complicated is going to hold back future development. An industrial strategy for tech must be open, global and collaborative. If Brexit negotiations lead to obstacles in the UK’s trade relations then IT will suffer more than most.
The UK tech community is also more dependent than most on immigration – nearly one in five UK IT workers come from overseas. We already have serious skills shortages that threaten to hold back startups and the digital transformation of companies and government – we cannot lose that imported talent. If anything, we need to be open to more skills to help us grow – unless and until we are able to produce enough home-grown talent, which we are some way from doing.
But it’s not just Europe that is a potential concern. In the US, one of President Donald Trump’s early edicts has been to weaken protections for data held in the US about foreign citizens. This has been a thorny issue for some time – in the past year we’ve seen the longstanding Safe Harbour arrangements, allowing US companies to transfer EU citizens’ personal data, collapse over fears about US intelligence agencies’ bulk data collection activities.
The replacement vehicle – Privacy Shield – could become equally unworkable if Europe maintains the same level of concern about what Trump’s US does with its data.
A successful industrial strategy depends not only on free trade in goods and services, but in data too. Cutting the US or the EU off from the free flow of data would be disastrous – and not just for the tech sector.
The strategy rightly acknowledges the need for better education and skills in science, technology, engineering and maths (Stem) subjects. The proposal for £170m towards new Institutes of Technology promises to create a new generation of Stem-educated workers – but not for years yet. In the short term, government needs to incentivise employers to provide more training in the digital skills we need today. The much-delayed digital economy strategy needs to offer concrete proposals to support the industrial strategy’s aim for more retraining and access to lifelong learning.
A successful industrial strategy depends on people, not politics.
We should take some encouragement that this week’s gathering of the powerful, the rich and the even richer in Davos chose technology risks as one of its key agenda items for discussion.
The World Economic Forum (WEF) has acknowledged that emerging trends such as artificial intelligence (AI), 3D printing, the internet of things and others present potentially huge societal challenges – not to mention established and well-publicised risks such as cyber security.
But it would be even more encouraging if the powerful, the rich and the even richer showed any inclination to actually do something about it.
The red flags waved at WEF will be familiar to any close observers of the digital revolution.
AI and automation are likely to destroy many existing white-collar jobs – threatening to decimate the middle class the way that working classes were affected by the decline in coal, steel or manufacturing in western countries.
Secure, full-time jobs are already being replaced by self-employment and “flexible” work patterns in so-called “gig economy” companies that are led by technology, such as Uber or Deliveroo – both already the subject of legal cases around workers’ rights.
Who stands to benefit most from these trends – from replacing staff with machines, and reducing the rights of those workers they still need? Could it be the powerful, the rich and the even richer?
Where are the incentives for business leaders to look after the employees displaced by automation, or to train them in the new skills needed for a digital world?
Who has the influence to regulate gig economy firms to protect the employment rights of the workers upon which they depend?
And where are the movements showing how technology can address the popular discontent over the downsides of globalisation, such as growing social inequality?
None of these are insurmountable problems. They are not complicated to solve – but they are hard, and require focus and effort. But the Catch-22 is that the people most inclined to solve the problems don’t have the power to effect change, while the people with the power to effect change are not inclined to solve the problems.
It is, therefore, a positive step that WEF leaders are acknowledging the issues – look at us, we care, honest we do. But there is a long way to go before they start to do something about it.
Wearables, smart homes, smart buildings, smart cities and autonomous vehicles are among the technological breakthroughs that are starting to gain traction.
The Consumer Electronics Show (CES) in Las Vegas gives a glimpse of what the tech pioneers think will be hot in coming years, and the era of internet-connected things is starting to capture people’s imagination.
Internet-connected “things” are not considered computers, according to Forrester principal analyst Jeff Pollard, who, in this week’s issue, assesses the challenges the industry faces. You can’t expect a homeowner to patch his or her internet-connected fridge, heating system or baby monitor, even though – as was demonstrated last year – such things can be exploited to launch massive distributed denial of service (DDoS) attacks, taking down some of the internet’s biggest players.
Worryingly, many of the companies at CES only expect their products to last a couple of years. Two years’ support, while generous in IT terms, is meaningless if the device is embedded in someone’s home or integrated into thousands of street lights in a smart city.
People balk at the idea of paying upfront for extended warranties to cover new products such as refrigerators or washing machines for five years.
Smart TVs just a few years old no longer get firmware updates because their operating system is unsupported. That is not very smart, especially if that device could be exploited in a DDoS attack.
Manufacturers want people to buy the latest product, but, as with a smart TV, the one being replaced still works. It may well be used as a second television or handed down to a family member, who will happily plug it into the internet, so it can carry on being exploited.
The use of the internet of things (IoT) to improve society is limited only by our imagination, but at the World Economic Forum in Davos this week, experts will portray IoT nightmare scenarios to business leaders and politicians.
If the Ukrainian power grid can be crippled by an internet attack, what else is possible? Whether or not it is proved to be true, the claim that a US presidential election can be influenced by hackers illustrates the possible risks an internet-connected society will need to consider.
A new year brings new challenges, but the CIO faces the same issue every year – to drive the business’s technology agenda while doing more with less overall budget.
Computer Weekly’s annual IT Priorities survey found that while budgets for staff and on-premise servers are falling, IT decision makers are planning to spend more on cloud services.
That should not come as a surprise given that cloud services are well and truly coming of age. In September 2016, the Ministry of Defence became the first tenant in Microsoft’s UK-based Azure datacentre, and in December, AWS’s UK datacentre came online.
But 32% of the CIOs who took part in the IT Priorities survey said hybrid cloud would be their top area of investment this year. In one way, this makes perfect sense: hybrid gives IT departments the flexibility to choose which workloads to deploy in the public cloud and which to keep on-premise.
The challenge for CIOs is that, given a choice, business stakeholders may not feel the urge to move anything to the cloud, especially given current economic uncertainty. In the survey, 28% of respondents said they would implement virtual private networks in 2017.
But in this age of user empowerment, flexible working, cross-organisational collaboration and IT consumerisation, the idea that IT still sees a need for a hard network perimeter, with highly controlled access, seems at odds with modern working practices.
Similarly, you could argue that a hybrid cloud, where most workloads remain on-premise, does not reflect modern IT. It is a similar story with legacy applications.
The IT Priorities survey found that 15% of IT decision makers expect to increase their maintenance budget in 2017. There is nothing wrong with spending more on something that continues to add business value, but how many CIOs are faced with demands for higher and higher maintenance bills from their legacy software providers?
Given that a small but significant proportion of IT decision makers are thinking about investing in cutting-edge initiatives such as the internet of things and machine learning, which are normally way beyond the remit of corporate IT, perhaps 2017 should be the year the CIO breaks free of the chains imposed by traditional IT.
Computer Weekly’s UKtech50 list of the most influential people in UK IT provides a fascinating insight into the big issues affecting the tech community, as we watch how the leaders who make the list change year by year.
Twenty of last year’s top 50 dropped out of the list in 2016 – the fact that 40% of influencers changed in just 12 months reflects the pace of digital transformation, as organisations bring in new IT leaders with fresh ideas, and as startups play a growing role in the UK economy.
Twenty of this year’s top 50 also work in the public sector, where – despite many false starts – momentum around digital transformation is gathering pace and political profile.
And the list features 16 women – approximately a third of the top 50 – the highest representation ever and a very welcome sign that female leaders are breaking the glass ceiling, establishing themselves as role models for what we all must hope will become a new generation of young women entering the IT profession.
These trends offer optimism for the UK tech community in 2017. With all the uncertainty around Brexit, it’s been a tough year for a lot of people in UK IT.
The UK has long been one of the strongest IT markets outside North America – over the past year giants such as Google, Apple, Amazon, Microsoft and Facebook have all announced significant investments in their UK businesses. This is helping to counter any negativity around Brexit, as tech firms recognise that whatever the UK’s future relationship with the EU, it remains a country where businesses and government bodies invest heavily in IT.
Into 2017 and beyond, we will see a growing shift to the cloud among UK organisations – all the big cloud providers are setting up UK datacentres now to target that demand. The government is starting to put investment and support into rolling out full-fibre broadband which will only stimulate the UK’s digital economy further. Overall, while there remains a lot of economic uncertainty, IT professionals are leading the transformation of their businesses to better cope with the future.
Corporate IT infrastructure will go through a generational shift over the next five to 10 years, and that’s a huge opportunity for IT managers and their technology suppliers. We wish all the very best to the UK’s influential IT leaders – those on the UKtech50 this year, and those who may join it in the future.
Twice in the past week, the UK government has passed legislation despite overwhelming concerns from the technology community.
The Digital Economy Bill – a mostly sensible attempt to update laws around the digital economy – was waved through the House of Commons in the face of warnings from privacy experts about the data sharing aspects of the bill. The House of Lords now faces the challenge of tackling those concerns.
In both cases, the new legislation is an attempt to apply 20th century, industrial-era constraints to the emerging digital world. There is a very real risk that both – or either – could instead hinder the progress of the UK’s tech sector by anchoring it in politics that cannot keep up with digital change.
Privacy experts described the data sharing proposals as applying concepts developed for paper documents to digital information – as if data that needs to be shared has to be “photocopied”, creating a new version for whoever needs it. There was no understanding of simple concepts such as distributed databases or application programming interfaces (APIs), which would avoid duplication, enhance privacy, and improve security.
The new surveillance laws include clauses that could allow the government to force communications companies to break encryption or allow backdoor access to their products. All it will take is one example of a UK tech company being forced to fulfil such a provision, and nobody will ever trust a product developed by a UK supplier again. Some US companies have already suffered from similar issues with US laws.
Separately, health secretary Jeremy Hunt was pilloried by the tech community this week after suggesting that technology companies should take responsibility for preventing children accessing online porn, or being victims of cyber-bullying. While well intentioned – nobody would disagree that social media firms, for example, have a role to play here – Hunt’s comments displayed a fundamental misunderstanding of how technology works, and perhaps more importantly, how people actually use that technology.
Increasingly our politicians are running to keep up with technology – and failing. Sadly, this is nothing new. The tech community has long complained about the lack of digital literacy among MPs. Nothing has changed, and most of those MPs have little incentive to do so.
It will take a generational shift in MPs, as they are replaced by younger, tech-savvy politicians, for the situation to improve. In the meantime, perhaps the tech community ought to take a different approach – instead of simply shouting from the sidelines (although don’t stop doing that), wouldn’t it be good to see IT experts getting actively involved in politics as well, maybe even becoming MPs themselves to take the lead?
Chancellor of the Exchequer Philip Hammond’s Autumn Statement showed a welcome and necessary understanding of the need to look at the long-term future of the UK’s digital economy.
The £1bn investment in fibre to the premise (FTTP) broadband and 5G mobile infrastructure – along with £2bn for research and development and £400m to help tech startups go beyond the startup phase – represents the first time the Conservative-led governments of the past six years have looked beyond short-term, vote-winning policies when it comes to the technology sector.
As former digital minister Ed Vaizey will be quick to point out, the government has spent money on the digital economy before – helping to fund fibre to the cabinet (FTTC) broadband and giving marketing support to Tech City, for example. But those initiatives were essentially short-term, filling a gap that the market was failing to fulfil.
Computer Weekly and others have long called for a minimum 10-year perspective on the UK’s digital infrastructure. Telecoms watchdog Ofcom set that process in motion when its communications market review declared that supporting a full-fibre broadband network was its key regulatory priority for the next decade. The latest government policy supports that intent. Full marks are deserved for making full fibre the focus.
Fibre broadband to the home is perhaps the single most important digital investment the UK can make over the next 10 years.
But understandably, there are still many people who will say, we don’t even have decent broadband or mobile signals at home now – can’t we sort that out first?
They are right, of course. The last thing we want is a two-tier digital Britain. But now is the time to invest properly in FTTP. As the adoption of broadband over the past 15 years has shown, if you build it, they will come. You might not need gigabit speeds for the next two or three years, but you can be sure you will before much longer.
The details of how the new broadband cash will be spent are still unclear, but the government has signalled that priority will go to smaller providers – the so-called altnets – who tend to operate in the areas that BT has decided are not “economically viable”.
The best solution, therefore, if the government also wants to court vote-winning popularity, would be to target that investment at a rural leapfrog strategy – give full fibre first to the people without any fibre today.