Examination of Witnesses (Questions 60
- 79)
WEDNESDAY 21 APRIL 1999
MR GEORGE
MCCORKELL,
MR PETE
SHARKEY and MR
BRIAN BARNES
Chairman
60. Can I just follow up one question from
that, before I turn to Joan. What is the obstacle? We saw DSS
Direct, it is quite an impressive system, and, if I understood
it, it is one of these systems which is not as complicated as
you might imagine, so it could be rolled out. What is the obstacle,
what is the problem about that, why is not that system being used
much more extensively?
(Mr McCorkell) Again, I will hopefully ask Peter
to explain this, and I would like to start by saying that we are
now working both with the Benefits Agency, who are potentially
the main customers, and War Pensions Agency, and through our people
who have the connections to local authorities on Housing Benefit,
to work up plans for seeing where and when we can roll these out,
as part of an intercept strategy; so that work is taking place
and is ongoing. The only big technical issue behind it, again,
comes back to the network that needs replacing, but, as I did
say, we have plans to get on with that replacing of that network;
that, in the main, affects the local office end of the network,
where we have this specifically designed, 1980s Government data
network, which has limitations. It does not mean we cannot do
anything, but it will have limitations, there will be limitations
on what we can do in those offices until we replace the network.
There are other areas where, although we will be replacing the
network in these areas, we can enhance the network, so connections
to the main centres, like Lytham and Newcastle, we can do things
to that network, in order to make better use of these facilities.
So there is still an opportunity there to do significant things
in the coming years. The other thing, of course, that we have
to do, in terms of talking to our customers and people in Benefits
Agency, is we do have to fit it into their work programme. So,
although these things bring them advantage, it is a change, and
if they have a series of other changes, either driven by operations
or policy, or by Year 2000 and the need to keep work programmes
clear of big change during the Year 2000, then this has to go
with the other priorities. Now what we hope is that given it does
bring significant benefit to them, and we believe it brings benefit,
then we will be able to get a slot within those priorities, and
I believe we will, in certain places.
Mrs Humble
61. First of all, Chairman, can I make two
declarations? One, I know very little about computers and information
technology, and I am always impressed by people who, quite clearly,
do know what they are talking about; and, secondly, my constituency
borders on Norcross, and so many of my constituents are these
people with expertise who work for ITSA, so I am impressed when
I meet them, as well.
(Mr McCorkell) You might be my MP.
62. I noticed, when I was reading through
this memorandum, which was hard going, when I got to the section
on existing systems, it was the briefest one, so may I ask you
just one or two questions, some of which may seem very simplistic,
but, nevertheless. How many personal computers are there in the
DSS, do you keep these statistics, and who owns them; you were
talking about different Agencies, who actually owns all of this
stuff, and how many of them are there?
(Mr McCorkell) The personal computers are owned
by the Department; in fact, I think, everything we buy is actually
owned by the Secretary of State, because we sign all contracts
on his behalf. They are individually owned by the various Agencies,
who would define their requirement and put up a case for a procurement,
and we would purchase them on their behalf. We can let you have
the exact number, but I believe there are about 70,000 personal
computers.[4]
63. I know, from bitter experience, in my
own constituency office, that PCs are often the target of thieves;
can you let me know what security measures you have in place to
make sure that computers and chips are not stolen, and do you
have any records about how many are stolen from ITSA itself and
from the DSS generally?
(Mr McCorkell) We certainly will have records
on how many have been stolen, and I can let you have those.
Chairman
64. It will be useful to have a note.
(Mr McCorkell) I do not have them with me, so
I can let you have a note on that.1 But, yes, it is a very significant
issue, and all of our PCs are numbered and logged and monitored;
all of our IT equipment is numbered, logged and monitored, security
audits are done very regularly. And, I think, if you get the opportunity
to come and see us in Peel Park, you may well bump into some of
our security features, because you have quite a good chance, as
you drive out in your car, of being stopped at the gate and having
your car searched, and you have no right to refuse. And if you
have a PC, that is your own PC, in the car, you will have to convince
that man that it is your own, because if it is a departmental
PC you will have to carry with you authority to have it in your
possession, and you will find that on our sites we do take security
very seriously.
Mrs Humble
65. There has been publicity recently about
people working in a variety of different settings with computers
that are linked up to the Internet, and they spend their time
surfing the Internet. I do not know what this means, I admit this,
but, nevertheless, I am assured that some people do. I am sure
that none of my constituents who work for ITSA would ever do such
a thing, but, partly seriously though, how many of these computers
are actually linked up to the Internet, and what sort of measures
do you have in place to make sure that people do not use them
for purposes other than the work that they should be doing?
(Mr McCorkell) Again, I may well ask Peter to
come in with some detail.
66. I am not politically asking you very,
very difficult questions that you cannot answer, honestly. I am
asking what I felt were simple questions, because I do not understand
any of the rest.
(Mr McCorkell) I am quite happy to pass over many
of the questions to my colleagues, but I would never claim to
know everything. But, obviously, as a Chief Executive, I do have
responsibility for the proper use of Government equipment and
Government facilities, and, therefore, it is important that I
know, when we provide facilities which are there in order to do
our business, that they are not misused in any way. And we have
processes in place, I personally do not know how many of our people
in ITSA or the other Agencies have direct access to the Internet
through our facilities, but I know some have, but that access
is monitored, and it is a disciplinary offence to use that access
for other than your business, just as it is a disciplinary offence
to use the telephone for your personal business, and that is monitored
as well. So we do monitor that.
Kali Mountford
67. Just on that issue, not just on the
Net, because not all of the computers will be connected to the
Net, but almost all of them are capable of e-mail, and I certainly
know of people who have long e-mail conversations, which must
be taking them away from the core business; but it is very difficult
to monitor e-mail conversations because people are apparently
working when you walk past them. Has this been a problem?
(Mr McCorkell) I am not aware of any problem in
people using our internal e-mail in doing general conversation
and chit-chat and gossip. I would not claim that it has not happened,
but I am not aware that it has happened in any way to the detriment
of our business. I believe I would know if it had happened, because,
again, our e-mail system is one that we are responsible for managing,
and therefore we have to manage the service on that system, and
therefore we do monitor its usage and we monitor the volumes going
through it and where the traffic is going, and we would be looking
for interesting conversations, shall we say.
Mrs Humble
68. Again, forgive my ignorance about computers,
but as I have visited DSS offices I have seen a variety of different
computers, some that do very, very simple tasks, that, increasingly,
people are having on their desks relatively powerful PCs, and
you were talking earlier about all these new networking systems
that you are putting in. Are you then looking at just what sort
of capability people need with their personal computers, are you
making sure that they have in front of them that which they need,
that they are not getting something that is too powerful for the
job that they actually need to do, but sufficiently powerful or
sophisticated to do the sort of networking that you were talking
about?
(Mr McCorkell) Yes; if you take the future IS/IT
strategy and the design of that IS/IT strategy, it is designed
to allow flexibility at the front end, so that we can specifically
target the facilities that people need, because, given the range
now, (a) the size of the Department and the range of information
technology that people need, you are quite right, not everybody
needs all of it. And part of the jargon we use is a thing called
BPSS, Business Processing Support System, and, while we will have
one database, we will have many Business Processing Support Systems,
precisely for the reason that we need to be able to target, to
particular sections, the precise use and the precise facilities
that they require.
69. We were having a debate earlier about
how much information is currently held, or will be held in the
future, can be held in computers, and I understand that there
was a Public Service Agreement for 25 per cent of all business
transactions in the DSS to be carried out electronically by the
year 2002. Can you give me an idea of just how many business transactions
you actually carry out, no doubt in millions, and what proportion
that you think actually can be carried out electronically?
(Mr McCorkell) We believe that the Government's
commitment for 2008, where it is possible to do all our business
transactions electronically, is something that we can achieve;
that does not necessarily mean you have to do them, because we
believe there may well be some people who will not wish to do
them electronically, and therefore we will have the facilities
to cater for that. But we do believe that we can meet that commitment,
in terms of if it is possible to do all of them electronically.
Clearly, we already do quite a high proportion of transactions
with the public electronically, it depends to what extent you
define electronically, because if electronically is `phones, you
can do transactions with us on the `phone.
70. But it is also things like paying people
directly into bank accounts, which you started doing a few years
ago with Child Benefit?
(Mr McCorkell) You are absolutely right, that
in terms of payment then, people whom we pay through ACT into
bank accounts, that is a pure electronic payment and that is done
electronically, and I believe it is something like 30 per cent
of our customers now opt to have payment into bank accounts.
71. But since the DSS is such a major player
in the game, do you have a rough idea about how many transactions
we are talking about? Clearly, if you cannot tell us now, if you
could drop me a note on it, as to millions?
(Mr McCorkell) I would certainly be very happy
to drop you a note, rather than guess some figures and get them
wrong, I will drop you a note on our current transaction levels,
what we currently do electronically, and our estimate of those
that are capable of being done electronically in the future.[5]
72. Can you explain to me a little about
to what extent you think it will be possible for people to make
claims electronically, and how you could have fraud-proof systems
in place; because, on the one hand, you have been developing systems
where you are dealing with the public and paying the public electronically,
having been given proof of identify, in the benefit claims, and
things, but what chance is there for people to use electronic
methods to talk to you, and you be assured who they are?
(Mr McCorkell) Again, I will ask Peter to come
in and explain in more detail. We certainly believe that, in technical
terms, it is perfectly possible, via the Internet, for us to take
electronic claims, so you can sit at home, or in a library, and
get on the Internet and fill out an electronic claim form; that
is something that is perfectly possible in the future. I believe,
and Peter may be able to explain, that there are currently some
restrictions on that, and they are around security and authenticity
and what can and cannot be secure over the Internet, and there
is work going on to change legislation and to change rules and
design secure systems to make that happen. But that is certainly
one of the things that we believe we have to position ourselves
to be able to do in the future, when these particular restrictions
are removed, and we are working on doing that.
(Mr Sharkey) Yes; some good news really, I suppose,
for the future. One, it is technically possible now, and we could
just whack a load of claim forms out on the Net, in an unco-ordinated
fashion. The secret is, what is the business process when they
come back, what do we do when somebody has filled this in, and
which clerk picks it up, how is it then entered into the system.
Because I do not think, at the moment, we go as far as having
an Internet claim form that then whacks straight through with
cheques done into, say, the JSA system; that is not here yet,
and it will be some years away. But, in terms of people having
the ability, and, as George said, it is not just in the home but
in Citizens' Advice Bureaux, or with their bank manager, or pensions
clubs, or whatever service delivery outlet you can think of, to
have the ability to make a claim. The interesting thing is, it
is one thing to have a set of claim forms, one for IS, one for
JSA, one for pensions, that is our view of the world; what the
person wants is "Excuse me, I've just lost my job, my circumstances
are ... and what routes can I go down?", or "I've just
become a single parent", or "I've just become a pensioner".
So, instead of focusing on a set of benefits chimneys, as George
was saying, with Modern Service I, we need to focus on the holistic
view, if you want, for the person and their circumstances. So
it is maybe not a matter of just having one claim form, it is
a matter of more doing what we did with the lone parent prototype,
which is to take some circumstantial evidence and then break that
down into a set of claims that we understand, because that is
the way we work; and we could do that now, quite quickly, the
technology is there. What is not there, at the moment, and it
is part of the evolving E-Commerce Bill that will come through,
and the whole business of electronic signatures, is the verification
of who is at the other end, importantly, certainly, when they
are sending us data, but even more importantly when we are sending
it back out. Because, if you could imagine the day, as they do
now with Internet banking, when somebody could say, instead of
ringing up an enquiry centre, "I'll just tap in and see when
my next pension payment is due and how much it is for"; now
given that you have got electronic signatures and you know who
is at the other end then you can send that out over the Internet,
and say "Your next payment is next week, it will be due in
your bank account, as agreed, and it's £56.93." So we
are not a million miles off this, certainly technologically, in
terms of sending and gathering, we can do that, and we can deploy
that fairly quickly, and probably will do, as part of Modern Service
I, or Modern Service I slightly later, and maybe even earlier
in pilot. It is the security bit that I think needs thinking through,
and you would not, certainly, as a Select Committee in Parliament,
want us to take risks with either the fraudulent aspect of claiming
in, or the data protection elements of putting out; but very near
to it.
73. I was interested in your reference to
the holistic approach, because, of course, that is exactly what
we are currently debating in the Welfare Reform Bill and looking
at the Single Work-focused Gateway, and, Chair, it will no doubt
be interesting to see how some of the pilots develop on that,
because some of the pilots are going to be call centres, and how
that then links in with the sort of information technology in
these developments that you have been talking about?
(Mr McCorkell) Again, you are absolutely right,
because the nature of the way the business is done with the Department
is changing, and hopefully we have a design of a future IT system
that can meet that, but what we need to do is to be very closely
connected with these pilots so that we do capture this information
and capture the requirements from that. And we are indeed quite
heavily involved in the Single Work Focus Gateway, in not only
assisting them with the pilots but in using that to feed back
information into our future requirements and design on, well,
in reality, how is this actually going to work, and what sort
of front end does a clerk need to deal direct, face to face with
a client, or does a call centre clerk need, to somebody over the
`phone, or potentially somebody saying "I want to do this
on the Internet". So we are very much working with the Single
Work Focus Gateway, to make sure that we capture that information.
Chairman: Just for
the last ten minutes, or so, can we turn to questions like business
continuity and maybe the European Monetary Union, and, indeed,
dare I say it, Scottish Parliamentary changes that might come,
if they decide to increase the tax rates north of the border,
once they are under way. Chris Pond has got some questions in
that area, to start off with.
Mr Pond: My first
question, Chair, is rhetorical, I am not expecting an answer;
but why do you not have a word with the Serjeant at Arms in this
place and make sure that each of us, as Members of Parliament,
does not end up with four different machines, which are normally
incompatible with any other Members' of Parliament equipment,
and very often incompatible with each other, but it does seem
to me that there is still a lot of work to be done in this place.
I wanted to ask a few questions about what I now know, using the
streetwise language, from Pete Sharkey, is called the Year 2K
issue, and some of the costs and the progress that has been made,
in trying to meet that challenge. Now I was not a member of this
Committee in February 1997, nor indeed a Member of Parliament,
but we have a terribly good secretariat who tell me that, at that
time, ITSA submitted a memorandum to that Social Security Select
Committee, talking about expected total costs of £30 million
for dealing with the Year 2K problem. But, in your memorandum,
which you have given us for today's session, in paragraph 6.6,
you say: "The total costs in the corporate business case
approved by HM Treasury and reviewed quarterly have remained stable
over the life of the project and are currently estimated at £45.7m."
Is this an inflation in the costs, or are they incompatible figures?
Chairman: Wage increases,
perhaps?
Mr Pond
74. Yes, wage increases to retain staff;
where do those different figures come from?
(Mr McCorkell) Again, I would be happy to give
you a note on the detail of why there are changes[6],
but I could give you an indication of the likely reasons, apart
from inflation or wage increases. At the time you would have been
given that figure, it would have been an estimate based on an
outline work programme. The position that we are in now is that
we are well through that programme, and just as well we are well
through it, because we are coming up to the crunch date. And,
therefore, we have now identified exactly what needs to be done
and we have done almost all of it. So what you are getting now
is a much firmer figure, based on actual experience and actual
work. We have reached a stage where all our internal systems have
been tested and proved to be Year 2000 compliant, we are in the
process of completing our interface testing with external systems,
because we have to test not just ourselves but the external interfaces,
and we are heavily focusing now on, what we term, in the Department,
this is not just an ITSA responsibility, business continuity planning.
Because all the evidence we have suggests that, no matter how
good you are at this, something can go wrong somewhere that can
be outside your responsibility, and, therefore, we still have
to deliver benefits to people, no matter if it is the electricity
goes down we still have to deliver benefits to people. So we are
currently working right across the Department and we are involved
in supporting this in rehearing business continuity plans, and
basically people sit down and they take scenarios like "Well,
what if the post offices all close, or what if the electricity
switches off?", or things like that, and work through are
our plans robust enough to deal with all of those sorts of contingencies.
We have had, quite deliberately, a number of external reviews
of our programme, and all have reported on us positively. The
key thing now, for us, is not to be complacent, because I will
not be around to do another one of these, I am going to get this
one right, and what you need to do, in Year 2000 compliant, is,
first of all, get it compliant, test it to make sure it is compliant,
and then make sure it stays compliant. So we will continue to
work on Year 2000 compliance throughout the rest of the year and
into next and subsequent years, because some of the events do
not actually happen until well after Year 2000.
75. So, if things do all go badly wrong
after midnight on December 31, it is not going to be your fault?
(Mr McCorkell) If things go badly wrong, we will
(a) have put the Department in a position where the things go
wrong because the Department has not been Year 2000 compliant
will be very, very minimal, and (b) we will put the Department
in the position where, if things go wrong elsewhere that are our
people's fault, we will be able to manage through that.
76. And, as well as managing through that,
do you have means of perhaps seeking redress, financial redress,
from those who have not sorted out the Year 2k problem, and who
therefore have caused additional costs to the DSS?
(Mr McCorkell) I believe, where it is people who
are suppliers who have direct contracts then most of those contracts
will have conditions in them that say "You have to be Year
2000 compliant, and we are entitled to compensation if you are
not and you cause us problems." But the effect on us could
come from something that has no direct contact with us; we do
not have a contract for bus services, but if bus services did
not work our customers could have a problem, and we may have to
have expense to do something about that and deal with that contingency.
We have no direct contract with the bus companies, but we have
to have a contingency plan to deal with that sort of thing.
77. But, thinking of things like that, who
is responsible for the non-IT problems that might arise, things
like lifts and fire alarms and bells, and all these things that
have got chips embedded in them but are not actually IT systems
as such; is that your responsibility also?
(Mr McCorkell) In terms of anything that has probably
a chip is a good way then I am directly responsible for the compliance
and ensuring the compliance, and the Year 2000 Programme that
I am responsible for covers all of those issues. In terms of the
business continuity planning, obviously, the individual Agencies,
who are the ones who will have to pick that up, are directly responsible
for their own business continuity planning; but, clearly, we work
very closely together on all of this, and I support them in it.
78. It is a big responsibility, is it not,
because there are chips with everything nowadays? And, thinking
about the responsibility going in the other direction, the costs
that might be imposed on the private sector, for instance, of
things not going right, and we have heard you say that if it goes
wrong you have done everything to make sure it has not, but let
us suppose it does, the risks involved, in terms of private sector
payroll banking and other commercial activities which might be
affected, as a result of the fact that the DSS systems break down,
is that part of the contingency planning as well, and thinking
about what might be the implications, perhaps financially, for
the public sector, if that happened?
(Mr McCorkell) We are certainly looking at in
detail scenarios for breakdown where we supply information outside
as well, and what the effect of that would be. I suppose, yes,
if our internal payroll system went wrong and did not correctly
interface with the banking system and caused overpayments within
the banking system, because we had given everybody too much money
and the banks could not get it back, then I am sure the banks
would be coming to talk to us about our responsibility.
79. Finally, you are kindly going to send
us a note about this £45.7 million versus the £30 million,
but any idea of the final cost to the DSS of making sure that
everything is sorted out and compliant and all the work that you
have done, are you getting any figures on that, what you think
the final cost is going to be?
(Mr McCorkell) I believe that cost quoted is our
current estimate of the final cost, and as we are now coming to
the end of the programme then it should be a much better estimate.
Mr Pond: Thank you
very much.
4 See Ev. p. 28. Back
5
See Ev. pp. 28-29. Back
6
See Ev. p. 29. Back
|