Examination of Witnesses (Questions 340-359)
MS KATHERINE COURTNEY, DR HENRY BLOOMFIELD, MR NIGEL SEED AND MR MAREK REJMAN-GREENE
22 MARCH 2006
Q340 Mr Devine: I want to talk a
bit about security and timescales and such like. In February this
year a Dutch company claimed to have skimmed information off ID
cards. I do not know if you are aware of that. Are reliability
and security your highest priorities regarding the National Identity
Register? What other factors are influencing your decisions about
the Register? Is there any scenario in which security levels would
be sacrificed either for political reasons or for timescale reasons?
Ms Courtney: I believe that the
Dutch company, as reported in the media, was talking about an
early prototype passport that had been used and not an ID card.
Q341 Mr Devine: It still got access.
Dr Bloomfield: The people who
claim to have cracked this prototype Dutch passport did it under
laboratory conditions. You need to sit next to a passport with
a reader for some considerable time to read it and get into it,
which may not happen in ordinary conditions. The other point is
that they had already quite a lot of information about the data
on the passport which allowed them a foothold to get in through
the cryptography and they were also provided with a number of
consecutively numbered passports, which further weakens the cryptography.
There is a fairly odd set of circumstances that they had in their
favour in order to get through this cryptography. Having said
that, being able to attack a card or a passport will get you,
in the case of our identity card proposals, access to data which
is not at all valuable. All the data, apart from the encoded biometrics,
would also be printed on the face of the card and you would not
actually get very much out of it. Attacking the database is a
very, very different challenge.
Ms Courtney: It is important to
point out that the accreditation process focuses on the security
and integrity and also on the availability of the system. We need
to make sure that all of our plans are accreditable not just against
hacking and other security risks but that what we are designing
here is a system that does not fall over, that does not have a
single point of failure and it does not have a single point of
decision-making and that there are clear audit logs of how the
system is being used so that we can apply appropriate safeguards
and supervision.
Q342 Mr Devine: And all this can
be done security wise within a timescale of two and a half years,
can it?
Ms Courtney: I am confused about
the timescale of two and a half years
Mr Devine: We are looking at 2009.
Q343 Bob Spink: That is the date
of implementation.
Ms Courtney: I believe we have
said that our timetable is indicative and that on current plans
we are looking at 2008-09, but I have also mentioned that we are
implementing a number of intermediate things that are happening
this year, next year, in 2008, et cetera.
Q344 Mr Devine: You can write to
us about that.
Ms Courtney: The actual date for
"turning on" the National Identity Register is very
dependent on the suppliers' proposals as they come back to us
through the procurement process. If you would like me to say something
more about the security approach, perhaps I can ask Nigel to expand
on the security requirements.
Mr Seed: Security is not going
to be an add-on, it is being done now. We have not even gone out
with our requirements. The security team is embedded within my
procurement team; they are fully engaged. They are on my back
all the time, as they should be. The people who are going to do
the accreditation are having meetings with our people all the
time, looking at our requirements as they develop and then inputting
to those requirements. The security of the data centre itself
is down to even very basic things like making sure it is not on
or near a floodplain. We are looking at all that sort of stuff,
right the way from very basic level access and flooding and losing
it that way right the way through to hacking.
Ms Courtney: It is the security
around the people, the processes and the systems, not just the
technology.
Q345 Mr Devine: There is a claim
that basically if you have one database you are creating a "honeypot"
for criminals to hack into. How would you respond to that suggestion?
Ms Courtney: First of all, I think
that is an assumption that there is one database. We have not
predetermined the architecture of this system. Our security requirements
include issues around making it difficult for people to hack in
and access the system. We will have security accreditors throughout
the lifetime of this scheme, not just in our planning phase. I
think we are doing everything we can to ensure that the security
considerations are taken very seriously indeed.
Q346 Mr Devine: You are not going
to have one database, is that what you are saying?
Ms Courtney: People like to talk
about the National Identity Register as a database. The National
Identity Register will be a technical system that may involve
a series of data storage solutions. I think it is important that
people do not prejudge how the architecture of the system will
be designed.
Q347 Chairman: I am now very confused
as to what you are saying here. You will have a series of databases.
Where is the evidence coming from as to whether you are going
for one single database or a series of databases?
Ms Courtney: You are going to
ask me questions about the technical design and I am not a technologist.
Q348 Chairman: Can any of your colleagues
answer?
Ms Courtney: Our reference solution
assumes one thing and then we are working with the market on options
Q349 Chairman: In terms of phase
one procurement, will the market also decide how many databases
you have?
Mr Seed: To an extent, yes. We
are doing an output-based requirement, so we are saying this is
what the system must do. How they do it is not defined. If industry
comes back and says one single monolithic database is the best
way and it meets all the requirements then there may be one database.
Equally, they could come back and say the security is increased
by having partial data here and partial data elsewhere. We have
not defined it.
Q350 Chairman: Will industry not
come back with a solution that is best for them?
Mr Seed: Possibly.
Q351 Chairman: I would if I was a
commercial company.
Mr Seed: Of course you would.
You have got to remember that this is an open competition. If
somebody comes through with a cheaper solution, that is not necessarily
what we are going to select. We are going to look for the best
technical solution and the best value for money.
Dr Bloomfield: It is worth adding
that it will also have to be a solution which meets the requirements
of our security accreditors.
Q352 Mr Devine: Let us say Jim Devine's
computer company gets the contract. I can set up a company in
Scotland and send information to Scotland, Wales and London. I
could outsource this contract to 100 different companies. Is that
right?
Ms Courtney: We will obviously
have a due diligence process
Q353 Mr Devine: Is that right?
Ms Courtney: Not necessarily.
We will have a say in this procurement process, as any government
client does, about how the consortium is formed and who is providing
the solutions. While we do not have an intention to dictate how
the market responds to the requirements, we have made it clear
that we have to take a decision based on the proposals they put
to us. If they propose a solution that includes using companies
in a subcontractor relationship such as you describe that we cannot
have confidence in, we will not be signing a contract with them.
Bob Spink: Could I ask you to confirm
again, please, because I am incredulous about this, that all of
this will be up and running in two and a half years? Can you confirm
that none of this will be outsourced offshore UK?
Q354 Chairman: Can you answer the
second part because I think you have answered the first part to
be fair?
Ms Courtney: We have offered to
write back with the procurement principles that apply to that.
Q355 Margaret Moran: Is it not inevitable
that the market solution will be a single database simply because
of the complexity of joining up a myriad of departmental databases
which do not match? How are you going to be able to evaluate what
comes forward to you in that respect as against the option of
multiple databases which may not come forward at all from industry?
Ms Courtney: I do not believe
there is a foregone conclusion about that. In our market soundings
we have had suppliers who have been working for some time on their
own reference solutions for this and they have a number of different
approaches, all of which may be equally valid and which should
be evaluated in the open competition.
Q356 Mr Devine: You mentioned earlier
on that technology is changing. It has been suggested by colleagues
in America that these cards are going to be out-of-date very quickly.
I think KPMG's assertion is that the durability of the cards would
be 10 years. Have you made any assessment of that?
Ms Courtney: We did do that because
that is one of the assumptions driving some of the costs in our
business case model. We went out and did a survey of card manufacturers
to look specifically at card lifecycles and durability and based
on the evidence that they gave back to us we are confident in
the 10 year assumption.
Dr Bloomfield: And also from looking
at other schemes. Hong Kong, for example, has a polycarbonate
smartcard which is valid for 10 years.
Q357 Chairman: Nigel, if you have
multi-databases as part of your phase one procurement, and that
is an option which is open to the tenderers of the process, who
controls the data? Would it be the companies who win the contract
or does the Government retain control of that data?
Mr Seed: It is a bit of both.
The company will be running the database per se, but the data
itself will be monitored by civil servants sitting alongside the
contractor. We are intending to have a partnership agreement.
There is no intention to hand this contract over and then walk
away and leave it with a commercial outfit. There will be full-time
civil servants in the data centre monitoring the data and the
usage of the data.
Q358 Chairman: But a private company
will be able to have access to all that data if they win the contract,
will they not?
Mr Seed: By definition, in order
to maintain the database, yes, they would have to be able to see
the data on it.
Q359 Dr Iddon: As you know, this
is a very excitable political issue and all the Members around
this table get lots of correspondence on it. Apart from the libertarian
arguments which we engage with, the second argument is about the
costs and that is where I want to go now. Obviously the London
School of Economics is in opposition to the Government on costs
and they have quoted figures of £10.6 billion to £19.2
billion, which are the 10 year costs and which include running
costs. We can argue about those figures and they have been argued
about and the Government has contradicted them. The hon Member
for Leigh has quoted a figure of £584 million per year as
the total cost but he will not reveal the estimates within that
particular figure. Obviously those figures are way apart, there
is no similarity between them. I just want to examine that big
difference. How can you be certain about the costs when you have
not even set a detailed specification yet?
Ms Courtney: We have had to produce
a reference solution for ourselves in order to evaluate what the
likely costs would be. We have done that work based on the feasibility
analysis that we have done. The figure of £584 million