Select Committee on Public Accounts Minutes of Evidence


APPENDIX 3

Supplementary memorandum submitted by Capita Group Plc

INTRODUCTION

  1.  Capita welcomes the opportunity to submit this memorandum of supplementary evidence. This complements the oral evidence given by Capita's Executive Chairman and Director of Policy and Public Affairs at the Committee's meeting on 4 November 2002.

  2.  Capita regrets that such an innovative and creative scheme has had to be stopped with the resultant losses for learning providers, lost training opportunities for learners and such high levels of fraud and inappropriate use of public money.

  3.  Capita wishes to contribute to all inquiries into the scheme and identification of the lessons arising from it, as well as with the current criminal and other investigations which are being undertaken.

  4.  Capita believes the shortcomings of the ILA scheme hold lessons for all future public private partnership schemes.

CAPITA'S ROLE AND RESPONSIBILITIES

  5.  Capita administered specific elements of the ILA scheme, in accordance with the specification and business rules set by the DfES.

  6.  Capita's role in the administration of the system and elements of the scheme in England was to:

    —  process account holder applications and issue membership forms via a call centre

    —  process learning provider registration applications at an administration centre

    —  produce a "claim for incentive payments" file for each learning provider for approval by the DfES

    —  issue forms for membership cards and account holder "welcome packs" via a subcontractor called Standard Group which operated under Capita's direction

    —  develop, implement and operate the computer system in accordance with the DfES requirements to support these processes via Capita Group's Data Centre

    —  allow access to the computer systems by approved learning providers approved in accordance with the Department's Business Rules Handbook so that they could register account holder applications for learning and confirm commencement and hence a claim for the appropriate level of incentive payment

    —  produce management information and audit reports to the DfES to agreed formats and agreed schedules

    —  undertake the responsibilities of Data Processor as defined in the Data Protection Act.

  7.  Capita was not responsible:

    (i)  for the decisions not to:

      verify or accredit learning providers

      verify that account holders have received learning for which provider payments have been claimed and/or made

      evaluate the quality of the learning,

    (ii)  under the contract for:

      making the payments to the learning providers—this was undertaken by the DfES;

      pursuing fraud enquiries directly—though Capita passed on any suspicion evidence of abuse or fraud to the DfES.

  8.  The DfES retained responsibility for:

    —  determining policy and the composition of the project board (the Department chose not to include Capita in the project board, thereby seriously diminishing the opportunity for their private partner to influence the decisions made);

    —  setting the business rules and processes including quality assurance of the learning and learning providers;

    —  ensuring the verification or accreditation of learning providers (although the Department chose to drop this activity in order to attract larger numbers of new learning providers and so grow the market);

    —  making and authorising payments to learning providers;

    —  monitoring the performance and effectiveness of the scheme (Capita provided management information to the DfES to support this);

    —  client monitoring and management of the contract with Capita; and

    —  undertaking the responsibilities of Data Controller as defined in the Data Protection Act.

  9.  Although this was meant to be public private partnership the DfES chose, as the National Audit Office report found, to treat Capita as a contractor and excluded Capita from the project board. This meant that the DfES was unable to benefit from Capita's operational expertise and experience as would be standard in good partnership arrangements. Capita sought membership of the project board on several occasions, but was denied this. (C&AG's Report para 2.23.)

  10.  An official who was not a member of the project board, and who reported to a member of the board, managed the contract relationship between Capita and the Department. Escalation of concerns was difficult because of these arrangements.

  11.  In Capita's view, this lack of partnership was a fundamental cause of the problems that arose. It prevented risk transfer to Capita and prevented Capita from having the opportunity to escalate swiftly concerns, which it identified as the scheme was implemented and after it became operational.

  12.  Capita accepts that it should have circumvented the contract management arrangements and relationships put in place by the Department, and that it should have made attempts to raise its increasing concerns about the integrity and progress of the ILA scheme with senior DfES officials and Ministers.

  13.  Capita is so concerned about the impact of a lack of effective partnership between client and provider that it would have to seriously consider whether it would be appropriate to bid for any future central Government contract unless the partnership arrangements are changed, demonstrating commitment and capacity within the procuring department.

MAJOR ISSUES

Policy and Business Processes

  14.  It should be noted that although the original target was to have been 1 million learning account holders by March 2001, by the time the scheme was suspended in November 2001 there were in excess of 2.5 million account holders—the vast majority of which were legitimate. The scheme also led to the development of the learning provider supply market and to market diversity. This was an indication of the value of the scheme and the importance that people were attaching to learning and training.

  15.  Capita was selected as the service provider for elements of the ILA scheme as a result of a competitive procurement process. Although the set up period was challengingly short, Capita was able to ensure that the scheme was operational in accordance with the Department's timetable. Capita had existing infrastructure and expertise in successfully setting up major schemes such as this one to tight timetables. For example, Capita established the Theory Driving test within six months.

  16.  Immediately prior to and in the early weeks of the operation of the scheme, the DfES made some changes to the original business rules for which the ICT system had been designed to support. These included the dropping of requirements for validation of learning providers, and authenticating the addresses of account applicants. These changes weakened the integrity of the overall ILA scheme.

  17.  The lack of verification of account holders' addresses make it easier for illegitimate multiple applications. Capita brought these to DfES attention seven days after the start of the scheme in September 2001, but was told by the Department that it was a low priority.

  18.  The Department, in response to requests from learning providers, introduced "blank" application forms. Originally learners had been expected to apply for membership by contacting the ILA centre and then receiving a partly completed form. Capita was concerned that the use of these "blank" forms could lead to abuse of the ILA scheme. Capita raised these concerns throughout the contract, and especially in April and June 2001 when the level of activity increased significantly.

  19.  Capita kept logs of all activity on the system, but did not have the controls to prevent or detect unusual behaviour as it occurred, as the NAO Report rightly finds. It goes on to state that Capita had requested the Department to consider such a control as a matter of priority, but that the DfES decided against pursuing it at that time (C&AG's Report para 2.49)

  20.  Capita regularly provided the Department with a range of management information on service provision, as required and specified by the DfES. According to the NAO Report, the Department did not have the capacity to study and act upon this information. (NAO Report card 3)

THE IT SYSTEM AND SCHEME SECURITY

  21.  The failings in the integrity of the ILA scheme resulted from the policy and business rules on which the overall ILA scheme was based, and not from any inherent insecurity in the IT system.

  22.  The computer and associated IT systems that Capita implemented were discussed and agreed with the Department and its advisors. They were designed to enable access for a closed community of learning providers for legitimate purposes, using an individual User ID and a password, in accordance with the Department's policy.

  23.  The IT system met contemporary industry standards—ISO/IEC 17799:2000.

  24.  Capita expected existing databases would be used to accredit learning providers and the learning courses they offered. The DfES chose not to do this. The Department subsequently proposed that learning providers would be a closed community of learning providers. Without prior accreditation, all learning providers were therefore placed in a position of trust in relation to the quality and appropriateness of learning they offered, and the way in which they could claim incentive payments for providing learning. Capita raised this with the DfES as a concern.

  25.  The ILA Account Holder number was designed as a membership number, based on a sequential number plus a check digit, in accordance with the ILA policy and business rules and not as a security measure.

  26.  The issuing of account statements to account holders would have provided an additional security check for the scheme. Originally these were meant to be issued annually, but the Department delayed their use in July 2001. Capita also suggested that statements be issued on a more regular basis as a means of ensuring that account holders would be able to confirm that they had received training for which payments were being made. An additional security check was that payment would be authorised by and transferred from the DfES following its approval of the claims for each learning provider.

  27.  On 24 October 2001, the Secretary of State for Education and Skills, Estelle Morris MP, announced the suspension of the ILA scheme in England due to the requirement to assess value for money and concerns about the promotion and sales practices of some learning providers, and not due to concerns about the IT system.

  28.  On 23 November, the DfES informed Capita that there was an allegation that account holders' information was being put up for sale, and that a Capita employee might be implicated. Capita immediately complied with the DfES' instruction to close the system in order to protect the public interest and to allow for the necessary investigations, which initially focussed on this incident.

  29.  There is no evidence that any Capita employee was involved in any inappropriate access to the system or in supplying any account holder information improperly or illegally to a third party. (NAO para 3.8)

  30.  There is no evidence of any security breach of, or "hacking" into, the system by a third party who did not have legitimate access to the system.

  31.  The actions to extract large numbers of names took place during November 2001 just prior to the scheme closedown. Providers had already been notified that the scheme would be shut down, resulting in a high access rate to the system to record and confirm mainly legitimate activity.

  32.  It would appear that in one weekend in November 2001, account holder details were obtained by an elaborate and inappropriate use of the system by at least three accredited learning providers, acting in collusion.

  33.  Learning providers had access to account holders' names and addresses for the legitimate purpose of verifying that they had credit in their ILA and that they were registered learners in accordance with the business rules.

CONCLUSION

  34.  Capita recognised the value and importance of the programme and was pleased to have the opportunity to support the Government's policy of Individual Learning Accounts through the development, implementation and operation of the IT system and the administration of the defined business processes.

  35.  Capita's investigations have produced no evidence of any improper or illegal activity by any Capita employee, or any unauthorised access to the scheme. Capita continues to co-operate with all the investigations and inquiries on the ILA scheme. Capita made a range of evidence and information available to the NAO.

  36.  Capita would be pleased to supply any further information that the Committee may require.

  37.  Capita believes there are clear lessons from what has occurred:

    (i)  Any public private partnership must be a true partnership: private partners must be members of the project board, which should comprise senior personnel from the procurer and the provider partners. They must also have access above board level to ensure the scheme benefits from their advice and expertise, and that any arising issues can be swiftly escalated, if necessary to senior officials and ministers, and so resolved.

    (ii)  Whenever policy or business rules are changed, there should be consultation with the service delivery partner, and the full implications of these changes on the security of the project and the IT system should be identified and taken into account.


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2003
Prepared 4 April 2003