PROFESSOR PATRICK DUNLEAVY, MR TONY COLLINS AND MR RICHARD TYNDALL

24 NOVEMBER 2005

  Q1 Chairman: Could I welcome our witnesses this morning. We are delighted to have Richard Tyndall, a consultant with large public sector experience who particularly knows about smart cards; Professor Patrick Dunleavy from the LSE, the former Public Policy Group there, who knows everything about how government works and who has done work on ID cards but also other things relating to government information and so on, and Tony Collins who is executive editor of Computer Weekly and a leading commentator on government IT in particular. Thank you very much for coming. We thought it would be useful to have a session trying to tease out some of the implications for public services of going down the ID card route. You all have particular experience to that. Do any or all of you want to say anything by way of introduction? Patrick, do you want to say anything? Thank you for your memo, by the way.

  Professor Dunleavy: I thought it would be helpful to talk about the circumstances in which the ID cards would be picked up by other departments. It has become a little bit clearer in the last few days, including in a letter that Mr Burnham sent to Professor Angel from LSE yesterday, that the current ID Card Bill is strictly just a Home Office costed project and there is no obligation on any other department as yet to pick up the use of the card.

  Q2 Chairman: I want to ask you about your paper in a moment, but this is one of the factors that you say is going to influence the uptake of ID cards across the Government, the extent to which there is buy-in from departments and agencies. You are making the point now that it is a Home Office enterprise and we do not know about the extent of buy-in. You have given us some indications of the kinds of factors that would influence that. Do you want to say something about that?

  Professor Dunleavy: There is one footnote also. The current government statements give indications of benefit. So far as we can determine, those benefits are cross-governmental benefits and yet the costs are only provided on a single departmental basis, so there is a certain sort of disjuncture between those two. If you look at the history of identity and authentication measures within central government, things are often a lot more complex on the inside than they appear on the outside. So that people think it would be very straightforward for authentication measures to be picked up and in fact they have not been. And with some existing authentication measures, like the government Gateway reviews, departments and agencies have been very reluctant to buy-in. In the UK, we do not have any national body that can do, if you like, national infrastructure projects. We just have schemes like the current one, which could be a national infrastructure project but is being designed and promoted by one department. Then we will wait for implementation to begin in 2008. At a certain point (we currently think 2014) there will be a majority of people within the ID card net. At that point, the government of the day, whoever it may be, is likely to come and ask that the card be made compulsory. If Parliament approves that at that time, then somewhere between 2014 and 2018 other departments are likely to pick up on the scheme.

  Q3 Chairman: On the work you did for the NAO back in 2002, where you went through all the forms which government departments use, you said there is a "complex set of identifiers in use by different departments and agencies for tracking their relations with citizens". When I read that summary of your work, there is a tendency to think "This is a mess". You say this is a reflection of an Anglo-American tradition that does not like the state to unify: we like to disaggregate it all over the place in the interests of freedom. There is an argument which says that, from the point of view of the citizen, never mind the state, it would be quite useful to bring all this together.

  Professor Dunleavy: Absolutely. There are many advantages in having unique identifiers for citizens and businesses, especially if that was accomplished as part of our coordinated national information infrastructure, designed and conducted with appropriate buy-in from other agencies.

  Q4 Chairman: So your observations are not to do with the desirability of this. You are conceding that in that sense it would be administratively desirable. The issues are to do with whether it is operationally doable.

  Professor Dunleavy: Yes, and associated things like how many people will use it and how much it will all cost.

  Q5 Chairman: If I may bring the others in on that. Given your various perspectives, is it operationally doable?

  Mr Tyndall: I experience this in the field of local government, where the problems that have just been described to you are duplicated many times over the various different county, district and metropolitan borough councils. Individual service providers are already managing citizens' identities in an electronic way without any major revolt or reaction from citizens, who are quite happy to have library cards and various other tokens issued to them. The sheer economic logic of maintaining these as discreet systems within one organisation dictates that eventually the problem will be solved by doing it all up together because it will be cheaper, easier, better, more efficient. We are not there yet because there are considerable difficulties and rocks in that road, but our experience in the field of local government is that, without waiting to be told and without waiting for legislation compelling them, the more progressive and forward looking councils are doing it anyway because it makes good business sense.

  Q6 Chairman: I would like to know from you whether you think ID cards represent the sort of consummation of that process (that is, the logical end point of that process) or whether it cuts across all this sensible stuff that is going on already.

  Mr Tyndall: My evidence to you is that it is not about the card; it is about the business process that underpins the delivery of services to citizens. At various points, people decide that a card is a very convenient method of delivering services, but actually the information management problems are not about the card, they are about compiling a unique index of citizens where you can know with certainty that the Richard Tyndall in this list is a genuine person and he is entitled to be there and he has these attributes, and he is not duplicated anywhere else and he is not a figment of some fraudster's devious scheme.

  Q7 Chairman: This is simply a technical consideration as to whether we can do it in that form.

  Mr Tyndall: Technically there are challenges. Within the Freedom of Information and Data Protection Acts there are legal frameworks and legal challenges. It is not that it cannot be done; it is just that, as you do it, you have to conform to the law of the land, which sometimes makes life a little more difficult.

  Q8 Chairman: What interests us greatly is whether we can see real benefits in this direction of travel for citizens, as opposed to what you might call the security of the state or the administration of state services. You give some very nice examples in your paper. I particularly like the Oyster card example—and I do not know if it is true, but I suppose it is if you tell us it is—where someone with an Oyster card is sent—a text message, was it?

  Mr Tyndall: Well, an e-mail in this case.

  Q9 Chairman: —at work?

  Mr Tyndall: Yes.

  Q10 Chairman: Alerting them to the fact that there were delays on the line they use to go home.

  Mr Tyndall: Yes. That is an answer to the question: Now that we have this technology, what can we do to delight or amaze our citizens who use our services that we could not do before we had this technology? One of the big challenges for the providers of public services is displaying this imagination, of occupying that space that nobody has been in before because the technology has simply not been available.

  Q11 Chairman: Should citizens get excited about the prospect of having a unique identifier that is going to bring all these benefits to them?

  Mr Tyndall: They should not be excited by that, because that is a very dull subject.

  Q12 Chairman: I was trying to make it sound exciting.

  Mr Tyndall: No, they should be excited by the way in which the services can meet their needs better.

  Q13 Chairman: Tony, would you like to add your bit to this, particularly on the operational side? Is it doable?

  Mr Collins: I think that varies from agency to agency, local authority to local authority. Each will have to come up with a business case to show the benefits. At the moment, there are quite a few departments that are grappling with capacity issues of their own in terms of their systems. I think there is no doubt that they would buy into the idea of ID cards, because there are lots of different identifiers at the moment and it is very difficult for departments to get a single view of the customer, so the idea of a unique identifier is an attractive one. But some of the departments, like HMRC and DWP, have very complex systems which date back at least 20 years, some of their core systems. Altering those to take account of the single identifier that is not the national insurance number—which in itself has issues—will be difficult. For example, HMRC has already put off some of its major projects because it has capacity problems internally and has to deal with things like tax credits. DWP is going through an IT-related modernisation process and that obviously does not take into account the ID card number. I think there are operational issues, but I think desirability would not be questioned by what is known as the CIO Council (a council of Chief Information Officers in Government). That could be a body that would be able to look at this across government and local authorities, the police and the NHS.

  Q14 Chairman: Given all that we know about the track record of government in relation to IT projects and everything else, and given the fact that this is the most cutting edge kind of project, is it doable?

  Mr Collins: I am not an expert on ID cards and I am not a "techy" either, but I have covered government projects, for central government particularly, for 15 years, and I have seen a lot of projects go wrong. Computer Weekly sees common factors emerging in some of these projects. One of the things we see is an early exuberance, created by the potential benefits of schemes which rarely materialise in practice. We have seen that with the NHS, for example: there is a very large IT-related scheme where the benefits everybody buys into, but with the practicalities, the implementation, there are problems with end-user support—because people can see that contracts were awarded fairly quickly and then the details worked out afterwards. Having gone through a lot of the Government's information on ID cards, we can see that there is a tendency to issue selective information, which is a bit of a hallmark of some of the other projects that we have seen go wrong. I asked the Home Office yesterday for some of the documents listed in the KPMG report which summarised the Government's position to date on ID cards. I asked them for the outline business case; a business case for something called "authentication by interviewing"; and then there was a related business case for biometric residence permits for non-UK citizens. I asked for an ID cards programme from Blueprint; Gateway reviews; and the risk register, and I was told that none of these documents can be published. That concerns me somewhat because they have quoted from the KPMG report as saying that the "costs basis is robust" whereas I have noticed that the KPMG report says that the "methodology for appraising the costs is robust" but based on information that was already superseded by the time they did their report. With IT projects generally, it is very difficult to establish, even after they have gone wrong, what the cause is. The Work and Pensions Committee looked at the Child Support Agency and still could not establish at the end of its investigation what had caused the problems there. I think there needs to be openness and transparency at an early stage, in order for potentially serious problems not to be treated as teething. From looking at the documents, there seems to be an attitude of awarding contracts first and sorting detail out afterwards—as in the NHS project, which has not gone very well so far. I think that is a danger.

  Q15 Chairman: Does this make you sceptical, pessimistic about the ultimate outcome?

  Mr Collins: I think if they exercise extreme caution, I could be optimistic about the outcome.

  Q16 Chairman: That is a highly political formulation!

  Mr Collins: You have to take extreme caution. For example, you have things like sensitivity analysis and optimism bias in praising ID cards and other projects, and if there is a realistic attitude towards those that would allow you to stop a project if, for example, the anticipated savings do not justify the costs, or the benefits do not justify the risks and the costs. I do not get the impression that that can be carried out realistically, because there is no means for stopping the project should they decide that the benefits cease to outweigh the risks. "The scheme has to go ahead" is the impression—as it was with some of these other projects that went rather badly wrong—and if they come across potential show-stoppers, that is not going to stop the programme.

  Q17 Chairman: That is a good point.

  Professor Dunleavy: Over the summer, there has been a considerable change in the scheme. The KPMG report which came out on 7 November gives you assurances about the new form of the scheme. So far as I can tell the new form of the scheme is that there is a biometric validation of somebody at the point where they are issued with a card. And after that it is basically just a chip-and-pin card and there are very, very rare further occurrences where there are biometric checks. That is very, very different from the sort of thing that was being discussed before. And the current scheme is very different from the sort of thing that was being discussed under the heading of "entitlement card". So I think there has been a lot of movement. The KPMG report does not provide any assurances on the benefits. They only looked at sections of the business case—they said that the contingency amount, for example, does not follow the Treasury green book on operating costs, so there are a lot of quite detailed things—and they did not get to look at the final costs of the scheme in a coherent way. They got to look at some earlier costs and then they looked at revisions and thought about whether they would be helpful. It is a very good report, the KPMG report, and very vital, and it (of course) post-dates the costs consideration.

  Chairman: Yes. My colleagues will want to explore this further with you.

  Q18 Julia Goldsworthy: Do you think we need the publication of these documents, whether they are Gateway reviews or any of these background documents, to keep up with how the situation is changing and to be able to assess accurately whether this is early exuberance, and to get down to the realism of what they are proposing and whether they can deliver it?

  Professor Dunleavy: I am not sure which of the documents Tony asked for is publishable under Treasury rules. When you are doing a procurement you have to be rather careful about putting a cost figure into the public domain. If it is too low, contractors may bid in at some too low figure and you get a scheme that does not work. On the other hand, if your cost figure is overly high, then you may be paying more. I think there is a constraint on how much the Home Office can publish. The problem has been that the Home Office has published several different versions of what the ID card was supposed to do. We still have this problem that the benefits are `whole-of-government' benefits, and we have no data at all on any other government departments' costs. The final difference between this scheme and other kinds of smart card schemes is really the huge scale of the scheme. There will probably be at least 60 million people in the scheme. I was just looking at the legislation—the note, I think, in the Lords' briefing—and it now seems that dead people will be on it, as well as people who have left the country. So I am not sure how many people will actually be on the scheme and the Government has not told us.

  Q19 Chairman: Kelvin points out that there are a lot of dead people!—which is true.

  Professor Dunleavy: KPMG also looked at: How long will the card last? The Government says it is going to last for a certain amount of time, 10 years—which is a very long time. Your normal bank card does not last for that long. If you had to renew the card earlier than that and it cost some very small amount of money, let's say £4, to replace the card, and then if you had to post that card to people in a secure way—which I think you probably would have to do—and that cost £4. Well £8 times 60 million is £480 million. It is very, very important that these key cost assumptions and information about them should be in the public domain and should be considered by Parliament and should be realistic. So far as I can see, until very recently the Home Office was, for example, assuming that the identity card would be lost and become faulty and become damaged about as often as passports would—which is a very different creature from an ID card. They have now moved to putting in figures for them becoming lost/damaged (or whatever) about as frequently as driving licences, which is a much better way of doing it. But they only made that move, I think, in August.

  Mr Collins: I have no quarrel at all with the evidence you have just heard of what the costs on the left-hand side of the page are. Our experience, looking at this problem in local government, is that there are also savings on the right-hand side of the page to balance off. The audit of cards and electronic identities that was done in one country and district area demonstrates that there are already lots of costs in the system. There are costs for mailing out new cards to people who lose their library card and there is somebody in the next door office mailing out a new bus-pass and there is somebody in the next office doing school or building identity and so on and so on. At the smaller scale of an individual local authority, the way into justifying the expense on the left-hand side of the page is about saying, "Can we realise real savings on the right-hand side of the page by switching off some of these other systems if we can unify?". That, for all sorts of organisational behavioural reasons, can be difficult to achieve, but you have to understand that if it is just seen as a new scheme and everything else carries on without change then the numbers are never going to add up to the sort of figure that will convince people that it is worth doing.