Select Committee on Social Security Minutes of Evidence


Examination of Witnesses (Questions 60 - 79)

WEDNESDAY 21 APRIL 1999

MR GEORGE MCCORKELL, MR PETE SHARKEY and MR BRIAN BARNES

Chairman

  60.  Can I just follow up one question from that, before I turn to Joan. What is the obstacle? We saw DSS Direct, it is quite an impressive system, and, if I understood it, it is one of these systems which is not as complicated as you might imagine, so it could be rolled out. What is the obstacle, what is the problem about that, why is not that system being used much more extensively?
  (Mr McCorkell)  Again, I will hopefully ask Peter to explain this, and I would like to start by saying that we are now working both with the Benefits Agency, who are potentially the main customers, and War Pensions Agency, and through our people who have the connections to local authorities on Housing Benefit, to work up plans for seeing where and when we can roll these out, as part of an intercept strategy; so that work is taking place and is ongoing. The only big technical issue behind it, again, comes back to the network that needs replacing, but, as I did say, we have plans to get on with that replacing of that network; that, in the main, affects the local office end of the network, where we have this specifically designed, 1980s Government data network, which has limitations. It does not mean we cannot do anything, but it will have limitations, there will be limitations on what we can do in those offices until we replace the network. There are other areas where, although we will be replacing the network in these areas, we can enhance the network, so connections to the main centres, like Lytham and Newcastle, we can do things to that network, in order to make better use of these facilities. So there is still an opportunity there to do significant things in the coming years. The other thing, of course, that we have to do, in terms of talking to our customers and people in Benefits Agency, is we do have to fit it into their work programme. So, although these things bring them advantage, it is a change, and if they have a series of other changes, either driven by operations or policy, or by Year 2000 and the need to keep work programmes clear of big change during the Year 2000, then this has to go with the other priorities. Now what we hope is that given it does bring significant benefit to them, and we believe it brings benefit, then we will be able to get a slot within those priorities, and I believe we will, in certain places.

Mrs Humble

  61.  First of all, Chairman, can I make two declarations? One, I know very little about computers and information technology, and I am always impressed by people who, quite clearly, do know what they are talking about; and, secondly, my constituency borders on Norcross, and so many of my constituents are these people with expertise who work for ITSA, so I am impressed when I meet them, as well.
  (Mr McCorkell)  You might be my MP.

  62.  I noticed, when I was reading through this memorandum, which was hard going, when I got to the section on existing systems, it was the briefest one, so may I ask you just one or two questions, some of which may seem very simplistic, but, nevertheless. How many personal computers are there in the DSS, do you keep these statistics, and who owns them; you were talking about different Agencies, who actually owns all of this stuff, and how many of them are there?
  (Mr McCorkell)  The personal computers are owned by the Department; in fact, I think, everything we buy is actually owned by the Secretary of State, because we sign all contracts on his behalf. They are individually owned by the various Agencies, who would define their requirement and put up a case for a procurement, and we would purchase them on their behalf. We can let you have the exact number, but I believe there are about 70,000 personal computers.[4]

  63.  I know, from bitter experience, in my own constituency office, that PCs are often the target of thieves; can you let me know what security measures you have in place to make sure that computers and chips are not stolen, and do you have any records about how many are stolen from ITSA itself and from the DSS generally?
  (Mr McCorkell)  We certainly will have records on how many have been stolen, and I can let you have those.

Chairman

  64.  It will be useful to have a note.
  (Mr McCorkell)  I do not have them with me, so I can let you have a note on that.1 But, yes, it is a very significant issue, and all of our PCs are numbered and logged and monitored; all of our IT equipment is numbered, logged and monitored, security audits are done very regularly. And, I think, if you get the opportunity to come and see us in Peel Park, you may well bump into some of our security features, because you have quite a good chance, as you drive out in your car, of being stopped at the gate and having your car searched, and you have no right to refuse. And if you have a PC, that is your own PC, in the car, you will have to convince that man that it is your own, because if it is a departmental PC you will have to carry with you authority to have it in your possession, and you will find that on our sites we do take security very seriously.

Mrs Humble

  65.  There has been publicity recently about people working in a variety of different settings with computers that are linked up to the Internet, and they spend their time surfing the Internet. I do not know what this means, I admit this, but, nevertheless, I am assured that some people do. I am sure that none of my constituents who work for ITSA would ever do such a thing, but, partly seriously though, how many of these computers are actually linked up to the Internet, and what sort of measures do you have in place to make sure that people do not use them for purposes other than the work that they should be doing?
  (Mr McCorkell)  Again, I may well ask Peter to come in with some detail.

  66.  I am not politically asking you very, very difficult questions that you cannot answer, honestly. I am asking what I felt were simple questions, because I do not understand any of the rest.
  (Mr McCorkell)  I am quite happy to pass over many of the questions to my colleagues, but I would never claim to know everything. But, obviously, as a Chief Executive, I do have responsibility for the proper use of Government equipment and Government facilities, and, therefore, it is important that I know, when we provide facilities which are there in order to do our business, that they are not misused in any way. And we have processes in place, I personally do not know how many of our people in ITSA or the other Agencies have direct access to the Internet through our facilities, but I know some have, but that access is monitored, and it is a disciplinary offence to use that access for other than your business, just as it is a disciplinary offence to use the telephone for your personal business, and that is monitored as well. So we do monitor that.

Kali Mountford

  67.  Just on that issue, not just on the Net, because not all of the computers will be connected to the Net, but almost all of them are capable of e-mail, and I certainly know of people who have long e-mail conversations, which must be taking them away from the core business; but it is very difficult to monitor e-mail conversations because people are apparently working when you walk past them. Has this been a problem?
  (Mr McCorkell)  I am not aware of any problem in people using our internal e-mail in doing general conversation and chit-chat and gossip. I would not claim that it has not happened, but I am not aware that it has happened in any way to the detriment of our business. I believe I would know if it had happened, because, again, our e-mail system is one that we are responsible for managing, and therefore we have to manage the service on that system, and therefore we do monitor its usage and we monitor the volumes going through it and where the traffic is going, and we would be looking for interesting conversations, shall we say.

Mrs Humble

  68.  Again, forgive my ignorance about computers, but as I have visited DSS offices I have seen a variety of different computers, some that do very, very simple tasks, that, increasingly, people are having on their desks relatively powerful PCs, and you were talking earlier about all these new networking systems that you are putting in. Are you then looking at just what sort of capability people need with their personal computers, are you making sure that they have in front of them that which they need, that they are not getting something that is too powerful for the job that they actually need to do, but sufficiently powerful or sophisticated to do the sort of networking that you were talking about?
  (Mr McCorkell)  Yes; if you take the future IS/IT strategy and the design of that IS/IT strategy, it is designed to allow flexibility at the front end, so that we can specifically target the facilities that people need, because, given the range now, (a) the size of the Department and the range of information technology that people need, you are quite right, not everybody needs all of it. And part of the jargon we use is a thing called BPSS, Business Processing Support System, and, while we will have one database, we will have many Business Processing Support Systems, precisely for the reason that we need to be able to target, to particular sections, the precise use and the precise facilities that they require.

  69.  We were having a debate earlier about how much information is currently held, or will be held in the future, can be held in computers, and I understand that there was a Public Service Agreement for 25 per cent of all business transactions in the DSS to be carried out electronically by the year 2002. Can you give me an idea of just how many business transactions you actually carry out, no doubt in millions, and what proportion that you think actually can be carried out electronically?
  (Mr McCorkell)  We believe that the Government's commitment for 2008, where it is possible to do all our business transactions electronically, is something that we can achieve; that does not necessarily mean you have to do them, because we believe there may well be some people who will not wish to do them electronically, and therefore we will have the facilities to cater for that. But we do believe that we can meet that commitment, in terms of if it is possible to do all of them electronically. Clearly, we already do quite a high proportion of transactions with the public electronically, it depends to what extent you define electronically, because if electronically is `phones, you can do transactions with us on the `phone.

  70.  But it is also things like paying people directly into bank accounts, which you started doing a few years ago with Child Benefit?
  (Mr McCorkell)  You are absolutely right, that in terms of payment then, people whom we pay through ACT into bank accounts, that is a pure electronic payment and that is done electronically, and I believe it is something like 30 per cent of our customers now opt to have payment into bank accounts.

  71.  But since the DSS is such a major player in the game, do you have a rough idea about how many transactions we are talking about? Clearly, if you cannot tell us now, if you could drop me a note on it, as to millions?
  (Mr McCorkell)  I would certainly be very happy to drop you a note, rather than guess some figures and get them wrong, I will drop you a note on our current transaction levels, what we currently do electronically, and our estimate of those that are capable of being done electronically in the future.[5]

  72.  Can you explain to me a little about to what extent you think it will be possible for people to make claims electronically, and how you could have fraud-proof systems in place; because, on the one hand, you have been developing systems where you are dealing with the public and paying the public electronically, having been given proof of identify, in the benefit claims, and things, but what chance is there for people to use electronic methods to talk to you, and you be assured who they are?
  (Mr McCorkell)  Again, I will ask Peter to come in and explain in more detail. We certainly believe that, in technical terms, it is perfectly possible, via the Internet, for us to take electronic claims, so you can sit at home, or in a library, and get on the Internet and fill out an electronic claim form; that is something that is perfectly possible in the future. I believe, and Peter may be able to explain, that there are currently some restrictions on that, and they are around security and authenticity and what can and cannot be secure over the Internet, and there is work going on to change legislation and to change rules and design secure systems to make that happen. But that is certainly one of the things that we believe we have to position ourselves to be able to do in the future, when these particular restrictions are removed, and we are working on doing that.
  (Mr Sharkey)  Yes; some good news really, I suppose, for the future. One, it is technically possible now, and we could just whack a load of claim forms out on the Net, in an unco-ordinated fashion. The secret is, what is the business process when they come back, what do we do when somebody has filled this in, and which clerk picks it up, how is it then entered into the system. Because I do not think, at the moment, we go as far as having an Internet claim form that then whacks straight through with cheques done into, say, the JSA system; that is not here yet, and it will be some years away. But, in terms of people having the ability, and, as George said, it is not just in the home but in Citizens' Advice Bureaux, or with their bank manager, or pensions clubs, or whatever service delivery outlet you can think of, to have the ability to make a claim. The interesting thing is, it is one thing to have a set of claim forms, one for IS, one for JSA, one for pensions, that is our view of the world; what the person wants is "Excuse me, I've just lost my job, my circumstances are ... and what routes can I go down?", or "I've just become a single parent", or "I've just become a pensioner". So, instead of focusing on a set of benefits chimneys, as George was saying, with Modern Service I, we need to focus on the holistic view, if you want, for the person and their circumstances. So it is maybe not a matter of just having one claim form, it is a matter of more doing what we did with the lone parent prototype, which is to take some circumstantial evidence and then break that down into a set of claims that we understand, because that is the way we work; and we could do that now, quite quickly, the technology is there. What is not there, at the moment, and it is part of the evolving E-Commerce Bill that will come through, and the whole business of electronic signatures, is the verification of who is at the other end, importantly, certainly, when they are sending us data, but even more importantly when we are sending it back out. Because, if you could imagine the day, as they do now with Internet banking, when somebody could say, instead of ringing up an enquiry centre, "I'll just tap in and see when my next pension payment is due and how much it is for"; now given that you have got electronic signatures and you know who is at the other end then you can send that out over the Internet, and say "Your next payment is next week, it will be due in your bank account, as agreed, and it's £56.93." So we are not a million miles off this, certainly technologically, in terms of sending and gathering, we can do that, and we can deploy that fairly quickly, and probably will do, as part of Modern Service I, or Modern Service I slightly later, and maybe even earlier in pilot. It is the security bit that I think needs thinking through, and you would not, certainly, as a Select Committee in Parliament, want us to take risks with either the fraudulent aspect of claiming in, or the data protection elements of putting out; but very near to it.

  73.  I was interested in your reference to the holistic approach, because, of course, that is exactly what we are currently debating in the Welfare Reform Bill and looking at the Single Work-focused Gateway, and, Chair, it will no doubt be interesting to see how some of the pilots develop on that, because some of the pilots are going to be call centres, and how that then links in with the sort of information technology in these developments that you have been talking about?
  (Mr McCorkell)  Again, you are absolutely right, because the nature of the way the business is done with the Department is changing, and hopefully we have a design of a future IT system that can meet that, but what we need to do is to be very closely connected with these pilots so that we do capture this information and capture the requirements from that. And we are indeed quite heavily involved in the Single Work Focus Gateway, in not only assisting them with the pilots but in using that to feed back information into our future requirements and design on, well, in reality, how is this actually going to work, and what sort of front end does a clerk need to deal direct, face to face with a client, or does a call centre clerk need, to somebody over the `phone, or potentially somebody saying "I want to do this on the Internet". So we are very much working with the Single Work Focus Gateway, to make sure that we capture that information.

Chairman:  Just for the last ten minutes, or so, can we turn to questions like business continuity and maybe the European Monetary Union, and, indeed, dare I say it, Scottish Parliamentary changes that might come, if they decide to increase the tax rates north of the border, once they are under way. Chris Pond has got some questions in that area, to start off with.

Mr Pond:  My first question, Chair, is rhetorical, I am not expecting an answer; but why do you not have a word with the Serjeant at Arms in this place and make sure that each of us, as Members of Parliament, does not end up with four different machines, which are normally incompatible with any other Members' of Parliament equipment, and very often incompatible with each other, but it does seem to me that there is still a lot of work to be done in this place. I wanted to ask a few questions about what I now know, using the streetwise language, from Pete Sharkey, is called the Year 2K issue, and some of the costs and the progress that has been made, in trying to meet that challenge. Now I was not a member of this Committee in February 1997, nor indeed a Member of Parliament, but we have a terribly good secretariat who tell me that, at that time, ITSA submitted a memorandum to that Social Security Select Committee, talking about expected total costs of £30 million for dealing with the Year 2K problem. But, in your memorandum, which you have given us for today's session, in paragraph 6.6, you say: "The total costs in the corporate business case approved by HM Treasury and reviewed quarterly have remained stable over the life of the project and are currently estimated at £45.7m." Is this an inflation in the costs, or are they incompatible figures?

Chairman:  Wage increases, perhaps?

Mr Pond

  74.  Yes, wage increases to retain staff; where do those different figures come from?
  (Mr McCorkell)  Again, I would be happy to give you a note on the detail of why there are changes[6], but I could give you an indication of the likely reasons, apart from inflation or wage increases. At the time you would have been given that figure, it would have been an estimate based on an outline work programme. The position that we are in now is that we are well through that programme, and just as well we are well through it, because we are coming up to the crunch date. And, therefore, we have now identified exactly what needs to be done and we have done almost all of it. So what you are getting now is a much firmer figure, based on actual experience and actual work. We have reached a stage where all our internal systems have been tested and proved to be Year 2000 compliant, we are in the process of completing our interface testing with external systems, because we have to test not just ourselves but the external interfaces, and we are heavily focusing now on, what we term, in the Department, this is not just an ITSA responsibility, business continuity planning. Because all the evidence we have suggests that, no matter how good you are at this, something can go wrong somewhere that can be outside your responsibility, and, therefore, we still have to deliver benefits to people, no matter if it is the electricity goes down we still have to deliver benefits to people. So we are currently working right across the Department and we are involved in supporting this in rehearing business continuity plans, and basically people sit down and they take scenarios like "Well, what if the post offices all close, or what if the electricity switches off?", or things like that, and work through are our plans robust enough to deal with all of those sorts of contingencies. We have had, quite deliberately, a number of external reviews of our programme, and all have reported on us positively. The key thing now, for us, is not to be complacent, because I will not be around to do another one of these, I am going to get this one right, and what you need to do, in Year 2000 compliant, is, first of all, get it compliant, test it to make sure it is compliant, and then make sure it stays compliant. So we will continue to work on Year 2000 compliance throughout the rest of the year and into next and subsequent years, because some of the events do not actually happen until well after Year 2000.

  75.  So, if things do all go badly wrong after midnight on December 31, it is not going to be your fault?
  (Mr McCorkell)  If things go badly wrong, we will (a) have put the Department in a position where the things go wrong because the Department has not been Year 2000 compliant will be very, very minimal, and (b) we will put the Department in the position where, if things go wrong elsewhere that are our people's fault, we will be able to manage through that.

  76.  And, as well as managing through that, do you have means of perhaps seeking redress, financial redress, from those who have not sorted out the Year 2k problem, and who therefore have caused additional costs to the DSS?
  (Mr McCorkell)  I believe, where it is people who are suppliers who have direct contracts then most of those contracts will have conditions in them that say "You have to be Year 2000 compliant, and we are entitled to compensation if you are not and you cause us problems." But the effect on us could come from something that has no direct contact with us; we do not have a contract for bus services, but if bus services did not work our customers could have a problem, and we may have to have expense to do something about that and deal with that contingency. We have no direct contract with the bus companies, but we have to have a contingency plan to deal with that sort of thing.

  77.  But, thinking of things like that, who is responsible for the non-IT problems that might arise, things like lifts and fire alarms and bells, and all these things that have got chips embedded in them but are not actually IT systems as such; is that your responsibility also?
  (Mr McCorkell)  In terms of anything that has probably a chip is a good way then I am directly responsible for the compliance and ensuring the compliance, and the Year 2000 Programme that I am responsible for covers all of those issues. In terms of the business continuity planning, obviously, the individual Agencies, who are the ones who will have to pick that up, are directly responsible for their own business continuity planning; but, clearly, we work very closely together on all of this, and I support them in it.

  78.  It is a big responsibility, is it not, because there are chips with everything nowadays? And, thinking about the responsibility going in the other direction, the costs that might be imposed on the private sector, for instance, of things not going right, and we have heard you say that if it goes wrong you have done everything to make sure it has not, but let us suppose it does, the risks involved, in terms of private sector payroll banking and other commercial activities which might be affected, as a result of the fact that the DSS systems break down, is that part of the contingency planning as well, and thinking about what might be the implications, perhaps financially, for the public sector, if that happened?
  (Mr McCorkell)  We are certainly looking at in detail scenarios for breakdown where we supply information outside as well, and what the effect of that would be. I suppose, yes, if our internal payroll system went wrong and did not correctly interface with the banking system and caused overpayments within the banking system, because we had given everybody too much money and the banks could not get it back, then I am sure the banks would be coming to talk to us about our responsibility.

  79.  Finally, you are kindly going to send us a note about this £45.7 million versus the £30 million, but any idea of the final cost to the DSS of making sure that everything is sorted out and compliant and all the work that you have done, are you getting any figures on that, what you think the final cost is going to be?
  (Mr McCorkell)  I believe that cost quoted is our current estimate of the final cost, and as we are now coming to the end of the programme then it should be a much better estimate.

Mr Pond:  Thank you very much.


4   See Ev. p. 28. Back

5   See Ev. pp. 28-29. Back

6   See Ev. p. 29. Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries

© Parliamentary copyright 1999
Prepared 19 May 1999