Government And IT - "A Recipe For Rip-Offs": Time For A New Approach - Public Administration Committee Contents


Examination of Witnesses (Questions 223-254)

ADAM MCGREGGOR, ANDY BURTON, JIM KILLOCK

15 MARCH 2011

Q223   Chair: Welcome to our new witnesses. Perhaps you could introduce yourselves for the record.

Adam McGreggor: I am Adam McGreggor, the Chief Technologist at Rewired State. I should declare an interest here; if I don't, it could crop up that I co­signed the Constitution for NO2ID and remain the Technical Director of NO2ID.

Jim Killock: I am Jim Killock, I am the Executive Directive of the Open Rights Group. We are a citizen­based organisation that campaigns on human right issues in relation to digital technologies.

Andy Burton: My name is Andy Burton. I am here as the Chairman of the Cloud Industry Forum. We are a not­for­profit organisation made up of members representing the broader technology industry and our aim in life is to try and make it easier for consumers and technologists to meet minds.

Q224   Chair: Did you all sit through the previous session?

Andy Burton: Yes.

Chair: That is very useful. In that case I shall not repeat my own declaration of interest.

Q225   Greg Mulholland: Good morning. Can I start with you Mr Killock? I am going to ask all of you to comment but in the evidence that the Open Rights Group supplied, you said that, and I quote, "Viewing IT as a standalone area for policy is a bad idea", and we are very aware that this is one of the big challenges of how this is done. How do you think IT could and should be integrated into the policy making process?

Jim Killock: It needs to come further down the line. The evidence that I presented to this Committee is mostly based on a series of seminars we did which looked at various big IT projects that were causing a number of human rights issues from things like ID cards through to health projects. But what really struck us when we did that work and we talked to the practitioners is that IT solutions were essentially being thrown at services. Services, such as in child safety, would be told, "Here is the next thing that you must deliver and therefore everyone must have information about children to the nth degree". And these projects were essentially being imposed in a rather top­down way so they totally failed to really ask both the end users, perhaps in this case the children and parents, but also the service users, such as childcare practitioners, what they actually needed from these systems. So IT was really being regarded as a solution in itself. So the first step was to ask "Who is doing the work? What work are they doing? And what do they actually need?" So then whether IT fits into that is a completely secondary question. I don't know if that makes is a little bit clearer.

Andy Burton: There are two ends of the spectrum we need to look at with this; first of all, if IT does not serve an organisational purpose then, arguably, what is its function in life? It is there to achieve an objective and that objective is not to self­fulfil and deliver it by IT, it is to achieve an organisational objective. Listening to the earlier session, it also seemed to me that we risk lumping IT into this homogenous mass that only has one procurement model, which is outsourcing, and there is a risk that in looking at that as a deployment procurement method, you automatically lock in certain philosophies around how you build software, how you deploy software and how you manage software. We were mentioning about agile computing and things like that briefly, and it seems to me that the challenge is that is has to be serving an organisational or Governmental objective for public purpose, but the way in which it is procured needs to look at the elements where cost waste is incurred. There are issues around hardware and scalability, software—how it is built and whether it is licensed or not—and the way in which it is managed. You need to look at that whole spectrum and there is not enough rigour, I think, given to how the solution is procured because the method of procurement today typically advocates a lead organisation defining what sits underneath.

Adam McGreggor: I endorse both previous speakers' comments really, regarding a top­down position and not actually considering design for the people using the service, whether they are the end users or those actually keying in the information, who are possibly very crucial in this sort of thing but are often left out. It is all very good to implement IT systems but is there always a case? The answer is: is this a technical problem or is this a social problem? I would look at it from those sorts of direction as well and consider is as an all­round process, not just ongoing. There is always this wonderful thing of continual improvement, which is the other thing rather than just doing it. As we heard earlier our rigid framework does not allow scope to change and 77 weeks is an immensely, ludicrously long time just to deliver a project.

Q226   Greg Mulholland: And do you think that, as part of the procurement process, the Government focuses too much on the procurement of new systems and technology rather than thinking about how they will actually be used and the data that the systems will hold?

Andy Burton: I would say it is both of those things. The fact that it is a silo procurement, i.e. you have Departmental projects, institutionally leads to looking for a solution for that particular purpose, almost ignorant of what else is available across the Government. The fact that there are 168 different data centres in Government today is a reflection of that.

Q227   Chair: How many?

Andy Burton: About 168 I believe.

Chair: Different data centres.

Andy Burton: Yes. The point I was making in the previous statement is that, if you look at it, there are basic savings; regardless of who you buy solutions from, at the end of the day they use computing power. If you look at it, it is a standard fact that the average computer or server is using 20% of the capability, so if you are using 20% of the capability and you have this replicated multiple times because you always build software solutions that scale to your peak demands; you are building capacity for your income tax returns on 31 January or whatever it is, but on the other 364 days of the year, it is running at a lower level.

Q228   Chair: One of the interesting things that we heard, I think it was about Amazon, was that they sell their data storage capacity for 11 months of the year because their peak time is Christmas, but Government do not do that.

Andy Burton: That is why they have moved from being a pure book retailer, which they started as, to now offering a massive cloud as their product. But I am obviously not here to representative a specific commercial agenda. The point I am trying to make is that when you look at procuring IT, the tendency is to look at the overarching solution, but Government actually needs to provide a framework for organisations to comply with. It comes back to the comments in the previous conversation about the participation of small businesses. If you actually provide a framework—going back to Open Standards, you have this initiative called G­Cloud running in Government, which I do not believe has enough teeth yet because it should be providing a blueprint to all Government Departments about how IT solutions should be procured. You should be sweating your hardware assets, you should be running less data centres, you should be consuming less power and there is no reason that someone who is delivering a software solution on top of that, and managing it or not managing it, cannot work on top of that underlying platform. At the current moment in time, you tend to look at a solution as a complete turnkey rather than saying, "Okay, it has got to fit within this model because we are going to use that capacity that we have now better." And so because you are buying everything in a vertical stack, you are not getting the benefit of the investment you have already made.

Jim Killock: The question needs to start off with: what are the Government trying to achieve? Just to take a quick case study, we have been involved in looking at the consequences of certain sorts of systems rather than at the detail of how they got procured, and we ran a campaign about electronic voting. We got involved in electronic voting as an issue because, to us, it was some significant issues about democratic accountability, because you are trying to bring together certain things which are nearly impossible to bring together-—anonymity of voting, security of voting and transparency of the process. These are very difficult things to bring together. How do you make a process both transparent and anonymous? It is actually very difficult in an electronic system, because, most of the time, you are trying to account for what happens in transactions by seeing everything that is going on, so it is very difficult to make something transparent, accountable and anonymous. But the Government started off from a position that they wanted to increase voter turnout and just assumed that the answer was going to be technology. The policy process appeared to be, "What technology might we throw at this? Electronic voting sounds good so let's put that in the mix." If you think about the question of how you increase voter turnout, that is actually something about democratic accountability first and foremost and about whether people think who they are voting for actually holds power, and whether they are going to have any influence. So trying to answer the question of voter turnout through technology might be entirely inappropriate. Then when it got down to, "How do we make any of these systems work?", the key problem in technology terms turned out to be far less about the method of voting—whether you are using an electronic machine or a paper ballot—but far more to do with voter registration, which is a very mundane problem but is causing lots and lots of issues around voter security and whether people really are voting, whether postal ballots are really secure and so on. In a way, the Government led policy from, "Here is a technical solution that sounds great that we'd really like to impose on our Departments", rather than, "What is our problem here? What are the best fits to answer that problem?" I cannot really say how Government stops using democratic, parliamentary or other political whim to drive policy but it seems to me that a number of the projects that we are talking about and criticising fall into that category. ID cards is arguably another. Would it have solved any real identity problems or was it actually far more about Governments appearing to look tough on law and order? What was really the driver behind that system?

Chair: I don't think you've got any dissenters here.

Paul Flynn: It would destroy a lot of jobs in my constituency.

Q229   Greg Mulholland: I wanted to ask a question on the IT card scheme so that leads very nicely on from there, but I thank you for declaring an interest and congratulations to NO2ID for their excellent and successful campaign which I am involved in and delighted about. Do you think that, concerning the whole ID card scheme, whatever people thought about whether it was a good idea or not, there were other issues that we can learn from? One of the interesting things about the ID card scheme was that it was a policy idea and an IT solution all wrapped up together. Do you think that one of the reasons that it was clearly going to be unsuccessful in policy terms is because those policy objectives kept changing throughout the course of the development of the programme in itself, but also because it became IT driven rather than policy driven?

Adam McGreggor: I will kick that off. On the policy objectives changing, if we go back to when I first got involved in identity cards—which was when they were still Entitlement Cards back in 2000-ish or so, and even before then going back to the previous Conservative Administration when the idea was being mooted even then—it is actually quite interesting to look at the identity cards and how, as a piece of machinery of Government, they actually came into fruition. There are some people who have even traced Permanent Secretaries and Deputy Secretaries around departments to see how departments followed when the servants moved as well, so there is that objective. It was kind of destined to fail from the start, with ever-changing policy objectives and as the solution, for the Government, for everything from terrorism to benefit fraud through to everything else. It didn't actually address the underlying problems in any way. There was still this problem: if we are going to tackle benefit fraud then why don't we look at the number of National Insurance numbers in circulation compared with those actually being used? Similarly, if we take immigration then why don't we look at it from the other side of things, at those actually leaving as well as those inbound? So there are those aspects. The policy change did not help at all. A golden rule is that if you are going to be delivering a service then it is useful for the goalposts not to continually be moved. So there is certainly that aspect of it. I suspect that I am probably going to turn into a previous witness here with the idea that I don't think it was IT driven; it was driven by IT procurers, those consulting and those involved in the procurement process, rather than the whole industry. They had an interest, to make lots of money for their shareholders, and they had the perfect opportunity with a nice little system that would be used in every single Government building, by, near enough as damn it, by every Government official: "We might as well build a system that will have universal rollout if it succeeds." As your previous witnesses last week have shown, if we actually designed the system based on the card—the Ministerial whim was making the card and then the database behind that—then we have that sort of issue here: are we actually delivering for a consumer who is going to use it? No. Does it actually deliver any benefits to the consumer—the citizen? No. Does it make life easier for Government? Possibly.

Q230   Greg Mulholland: Any comments?

Jim Killock: I would just add that it is not the only example of these sorts of projects. With ContactPoint, the Government had a concern about child security, so they invented a database system to solve the problem rather than talking to the professional childcare people and asking whether it really answers the problem without distracting them from their job because they are busy filling in databases that are largely full of useless material on people who are not actually at risk of child abuse. Those are the sorts of problems that you end up with, but I would just mention that there are a couple that are still carrying on, still in this vein. Summary Care Records are arguably in a similar vein, and the intercept modernisation programme is potentially a similar sort of massive IT project looking for a problem—it relates to needle in a haystack­type cases of terrorism. That involves collecting all the online traffic data of every UK citizen in order to solve a needle-in-a-haystack problem. So these drivers and the things pushing these policies forward still seem to be there. Intercept modernisation could be an incredibly intrusive and anti-human rights, anti-human privacy, measure—the sort of thing that both the Conservatives and the Liberal Democrats were very keen not to repeat. The fact that that is still somewhere in the Government agenda—or perhaps I should say the Department's agenda—says to me that the civil servants have not necessarily changed their view of how they want to solve the problem.

Q231   Chair: But can I just press you on this for a second? If you have everybody's emails, there are search engines that can search that pretty efficiently, aren't there?

Jim Killock: The idea of the programme is to store the traffic data, who talks to whom online—so it is the e-mail headers that are wanting to be kept—or who talks to whom on Facebook or who talks to whom in chat rooms. The problem is, of course, just collecting that data on the basis of no business case but purely on the basis that somebody somewhere—

Q232   Chair: You might want to search it one day.

Jim Killock: Yes, that is not how our human rights privacy is meant to work. We are meant to have a right to privacy until we are suspected and the use of traffic data in law—like your phone records; who you might have been talking to on your phone—depends on the businesses having a case for keeping that data; that is why they keep it. They do not keep it in case the Government wishes to survey all individuals; they keep it because they have a business reason. The Government is able to take that data because they have suspicion of an individual and they wish to get hold of that for investigation purposes. It does not therefore follow that, if the Government wishes to survey people, it can just simply have a blanket surveillance of everybody in whatever case. So that is how the balance in privacy is meant to work, but that does not seem to be any part of this debate internally, within the Home Office, about why the intercept modernisation programme should be advanced.

Q233   Paul Flynn: One of the things I see in your biography, Mr McGreggor, is that you were responsible for FaxYourMP, which nobody does any more. What more successful things have you been involved in recently and why did you want people to fax their MP?

Adam McGreggor: We built FaxYourMP almost by accident. It was one of those things that came out of a now defunct organisation group that, in some ways, led to the co­foundation of the Open Rights Group: the Regulation of Investigatory Powers Bill. We had lots of people, lots of our friends, saying to us, "We have to do something about this. How do we contact our MP? How do we write a response? How do we actually get involved in responding to a Government consultation?" Many people did not have any idea and a few of us were working in this building at the time, and those of us who founded FaxYourMP were all pretty activist and politically aware. So we thought, "Actually, how can we get hold of these MPs?" If we go back to 1997, if you remember, every MP had their pager. We initially thought of PageYourMP, with these wonderful 130 characters or something like that which people could use to say, "This Bill is bad, do not vote for it". So we ended building this campaign website and collated 5,000 opinions on why the Regulation of Investigatory Powers Bill was bad, the reasons why, and we collated those into a response. Part of that was because people wanted to get in touch with the MP and say, "Vote for this please", or "Please read this", or "Support this EDM" and things like that. We got hold of the information, contact numbers and fax numbers in those days because email was still in its infancy in Parliament, and we built a website.

Q234   Paul Flynn: 38 Degrees are operating this very successfully now; it is Write To Them in the present form. Do you think that is has a long­term effect or are MPs going to be able to sort out who is lobbying them? If they are the same people lobbying them on half a dozen issues, it would not be seen as vox pop by MPs; it would be seen to be people who are strongly motivated in certain directions.

Adam McGreggor: That is the case with surgeries though, as those who have a need contact their Members. We have merely made a little annoying tool which is slightly better than Parliament's own offering; we at FaxYourMP and now Write To Them have set it up that only your constituents can contact you. If you visit the Parliament site 14 years on, anyone can contact their MP, according to the 300-year-old tradition. I think I remember there was something from Bagehot about that.

Chair: How is this relevant to our inquiry?

Paul Flynn: It is interesting though isn't it?

Adam McGreggor: I was wondering that, Mr.Chairman

Q235   Paul Flynn: We are told we have just entered this post­bureaucratic age, which is an idea that I am sure thrills you as much as it thrills us. Do you see the concept of IT helping to lubricate our advance into this brave new world?

Adam McGreggor: Yes and no. IT can facilitate and IT can enable. What it cannot do is get people talking face­to­face and having dialogue. It can certainly allow people to arrange to meet up in a pub—while in the old days we would have used telephones or had regular meetings with people—to talk amongst our peers. It goes back to the public discourses and the foundation of coffee shops. Technology can help to some extent but it is not the solution to everything and that applies to social, political and economic technology.

Q236   Paul Flynn: I believe that part of the hope is that instead of a top­down approach from Government, there will be a parallel contact between citizens and that will take the place somehow of this authority down to the peasants. Is this a daft idea? Is it a great concept? Have we suddenly become post­bureaucratic or not?

Adam McGreggor: To me, post­bureaucratic will not happen unless bureaucracy disappears. There is this wonderful oxymoron of post­bureaucratic, yet there is still bureaucracy.

Q237   Paul Flynn: Can we use IT as a magic wand to make it disappear?

Adam McGreggor: We could, but I don't know whether it would have the same effect. It is a question of whether you go for your armchair expert or armchair auditor versus someone who has had 40 years in the field and is a proper expert. It is a provenance issue as well; the provenance of to whom you are listening, and whether the person you are talking to is in a position to give you sound advice. It is a trust issue as well.

Jim Killock: Thinking about how we might become rather more of a big society or rather more post­bureaucratic, there are three things that were touched upon in the last session which are very important here; there is a question of Open Standards. Obviously the Government does not want to lock itself into very tight, closed and impossible to get out of relationships with software vendors. Open Standards allow free competition on that sort of basis and that goes through the whole of the software world; we understand this but it is still not being done. We are all still locked into Microsoft formats for documents, and it is understood that that is a bad thing and it is understood that those companies are probably creaming off extremely large profits for very little work but we are not really pushing that hard and fast enough. There is a second question around Open Source. Government spends a lot of money on IT; when it spends that money, there is intellectual property being created and that will potentially be reused and resold back to the same Government, different departments or other governments elsewhere. By insisting that IP rights are made open, Open Source offers the potential for governments to retain control of those IP rights and not to simply be charged licence fees for things that they have essentially already paid for many times over. So Open Source can obviously enhance competition between different vendors using the same software; it can get you better returns on your investment. The third question is around open data which Adam just touched on. Open data obviously allows people to construct markets and analysis on that data but it also allows people to criticise Government and look inside what Government is doing, and that is incredibly important. The question about analysis is also very important; if we are going to make best use of open data over time then people need to have the skills to analyse that information and there needs to be a dialogue about it, but we should not just assume that, just because open data might lead to people coming to the wrong conclusions from that data, therefore they should not be given that information. That is an erroneous and rather short­term approach.

Andy Burton: We can only achieve this post­bureaucratic ideal, for want of a better phrase, if we don't view IT as an outsourcing solution. The fundamental thing that I keep hearing again and again is that we are looking at IT as something that is designed and built deliberately for a Government department and managed by a third party. You have got to look at the component parts. The technological world has changed so dramatically that we are still trying to build things based upon archaic understanding of what technology is capable of. Therefore the procurement process of making the IT uphold the bureaucracy is the wrong way round. There is not enough new thinking; there are some great initiatives like G­Cloud out there and there is some very low­hanging fruit, to use a horrible phrase, from which the Government can save considerable sums of money and reports have been written by organisations like the Open Computing Alliance saying that there is about £44 billion over a 10 year period, as a conservative estimate as to what can be saved, versus the £95 million that we are talking about at the moment in time.

Q238   Chair: But what you are saying is that the post­bureaucratic age is an essential component of harnessing modern technology. You have got to do agile development to do Open Standards and Open Source software. There has got to be a letting go.

Andy Burton: It is not about ceding control, it is about providing guidance to the market. It is actually the other way round, I would counsel. It is having the courage of conviction to say, "This is what we need as a nation, this is what we need as a set of public services". Just jumping back to the whole identity issue, that argument got lost with the manifestation of how to authenticate a person to their online identity. The notion of having an online identity is not a bad notion, and being able to reuse it multiple times rather than having to do it in every single system is a very sensible philosophy. The problem is that there is a lack of tangible evidence as to what the Government plan is. I would use G­Cloud as your best example and the Cabinet Office is on to a great thing there. It is a very sensible model which allows for that open standard to be deployed; it enables you to rationalise data centres; it enables you to break the provision of IT down into hardware and software and when you do that, you start enabling the SME, the entrepreneurial organisations. As Mr Rice said in the previous session, there are plenty of organisations out there that have the intellectual capability. The issue is, if they can only procure in the solution that is going to cost hundreds of millions of pounds to deliver, they just do not have the ability to come forward and even to be part of that consortium.

Q239   Paul Flynn: What happens when the creation of the post­bureaucratic age comes into conflict with the Government cuts? The mythology is that you cut non­frontline services, and IT is seen as something behind frontline services, and when cuts take place, it is 30% here and 30% there. Does it make sense to cut IT by the same amount because it is not seen somewhere and it is not on the frontline?

Andy Burton: What is the point of having hundreds of thousands of servers running at the 20% capacity? There is no benefit to the taxpayer, there is no benefit to the Government, all it means is that the way in which it is being procured—although at the time of procurement it may have been legitimate—at the point we are now, is no longer relevant. So would we rather save hundreds of millions or even billions of pounds in the way in which we procure our IT, rather than keep the method going? And by the way, we can then re­invest that, because IT services in this nation today do not do us justice, so even if you do not want to take that estimate of £4 billion a year saving and making it as a saving, you can reinvest it in the agility.

Q240   Chair: But the astonishing thing that one of our previous witnesses has just said is "If you want value, just turn off the tap". Do you agree with that?

Andy Burton: There is no point turning off the tap unless you are prepared for the drought, that be the way that I would put it, because you have got to say where it is that you are going. Just turning it off will mean that you are going to end up with chaos because you have nothing to replace it with at this moment in time. Getting to the blueprint is not that far away and the G­Cloud initiative is a very credible step in that direction.

Chair: We will come to that in a second.

Q241   Paul Flynn: There was great distress in the past about the loss of private information. There were tens of millions of people involved in the huge loss of Health Service data. I can't remember any single case where data was found and anyone was harmed by it—perhaps you know of some—but I am sure that the procedures have been improved in some way. What was the justification for the hysteria about lost memory sticks that took place when in fact very little, if any, damage was done by those losses?

Jim Killock: I don't know if no damage was done. Have you got concrete examples?

Adam McGreggor: Of disks being found again? No.

Q242   Paul Flynn: I don't think they found any of them did they? Being lost is one thing.

Adam McGreggor: I don't know of any cases but it is still a case of: where is this data and what is going to happen? A vaguely comparable thing is the Metropolitan Police sitting on the News of the World phone-hacking data. There is a wealth of data sitting somewhere and the content of it is a hissing time bomb waiting for the release moment if it is in various hands. If it has just fallen down the drain then it is a case of what the damage actually is, where has it ended up and, even before that, why it was being transported. Why was it being transported and transferred in such a way?

Jim Killock: Some of that included bank details didn't it? I would imagine that anyone with bank details can engage in minor fraud of setting up direct debits and so on.

Q243   Paul Flynn: But did it happen? Was the nervous breakdown by the Daily Mail justified on this subject?

Jim Killock: It was; whether or not concrete examples in specific cases occur or not, the point is that if large amounts of data is getting out there, then it is a problem. It is certainly the case that, in certain instances, there has been a great deal of embarrassment, people will have been quite scared and if your bank details are among 10 million or 15 million other people's bank details that you know have got out there, you know that is going to cause worry to every single one of those citizens because they do not know if there is going to be a consequence or not. So worrying whether there is always going to be genuine large scale harm to individuals is not necessarily the point, but if Government systems are not up to the job, and they are creating risk and worry for people, then that is a very serious concern.

Chair: We must press ahead in the next 10 minutes. I would just observe that it is like explosions at a nuclear power station; nobody gets hurt but everyone is very worried about it.

Paul Flynn: I don't think that's true.

Chair: Well, nobody gets killed by the radiation.

Paul Flynn: There were 10,000 at Chernobyl.

Chair: Well obviously I was making a parallel. Mr Heyes?

Q244   David Heyes: It is pretty clear from what each of you have said so far that you do not think that Government understands the potential of IT to change the way it runs and delivers services and so far, the focus has been on automating existing processes. I would like to tease a bit more out of you and ask each of you to give some examples of how the Government could use IT to deliver services differently. You talked about low­hanging fruit, so give us some examples.

Andy Burton: At the most basic level, and forgetting even the applications that are being used, when you look at how IT is being delivered, you have effectively got hardware, software applications— whether Open Source or commercially licensed—and you have people managing it. Purely at the level of the way in which hardware is bought, consumed and used within Government, by default, it is running at 20% of its efficiency because of the silos, the way that the original technology was built, the fact that systems are designed to work at peak capacity although they do not typically work at peak capacity and the fact that every Department has its own IT approach. By consolidating that infrastructural service, you can release considerable capacity growth and you can realise considerable savings because you move away from the capital­based investment plan into an operational, pay­as­you­go delivery plan—as the previous gentleman said—and you are only paying for what you need when you need it rather than building something that is for the 31 January tax deadline. It is that kind of philosophy. Without even worrying about what the applications are, there is a huge saving there.

Jim Killock: We don't study these things from the point of view of trying to deliver actual systems; we are just observing what goes on. So from our perspective, what we see is that there is a huge disjunct between the intentions of Government, what people within those Departments or projects need, and what then gets delivered or what these projects aim to deliver. We also see the lack of expertise in Government. There were very good comments made in the last session about the need for that sort of expertise. We also experience that it helps understanding when technologists are able to get in and talk to Government officials directly. The big things for us are probably around releasing data and actually allowing Government data and Government information to empower citizens. That is our particular concern, and we think that Government currently has the right approach about that and it should go as far as it possibly can on that. However, in terms of the experience we have had of looking at the systems over the last five years, we would say that the Government has got to be very, very clear about why it is doing things with IT and know that it has the right idea at its core, that it has chosen an objective that is actually needed rather than essentially driving IT from a political priority that it has set.

Q245   David Heyes: Mr McGreggor, you have done some specific work on this, haven't you? I understand your hack days are designed with this in mind. Tell us about it.

Adam McGreggor: We have heard in passing from Martin Rice about hack days. I hate to correct a witness but actually these two day events were run by Rewired State not The Guardian. A hack day[2] is something that probably needs explanation here. Essentially, within a given period of time, either 24 hours, 48 hours or something similar, a specific problem is given, with some specific data, and by the end of that, depending on the number of participants in the hack, you will see a number of prototypes knocked up. So for example, you heard talk of the Jobcentre ProPlus earlier, which involves Jobcentres looking up and finding jobs close to you. These services are built up by keen developers on the basis of a real need. There is actually a case for this, people are actually going to use this; so it is built up from the view of demand rather than on the basis of what Government wants, or what Government thinks it needs.

So that sort of approach to it results in a very rapid process: prototype through to a fully­working application in a very short burst of time. So that is one of those things, but in order for those to function, as Jim mentioned, data release is needed. It is all very good to release past data, but live data will give developers a much better, much faster and a much more realistic approach, particularly if there is something that you can tap in. So for example, building a simple service for something like "When is my bin going to be collected?" would rely on the Council providing up-to-date information because bin contracts change occasionally, so there is the issue on that. Going agile, which we have heard about already, can certainly help; you could not build a site or a hack day using a traditional, project management, project procurement tendering process at all; it just would not work. The idea for the hack day is that these things come up very quickly, they are built and that is it. There is handover and so on to take it beyond there; so in our case, the intellectual property rights remain with the developers themselves, with the source code generally being available so that people can add in and build additional functionality. People can also peer review the code so as to have some confidence in it to say whether it actually does what it says it does. People will scrutinise other people's code, be competitive about it and come back with suggestions. That is improving in terms of waste by hitting at the very root of it, and the code that drives the site can be collaboratively worked on.

To go back to the question, it is maybe a bit harsh to say that the Government do not wholly understand the potential. Some Departments have got it right and some Departments are keen. Certainly with our professional hats on, we are realising that Government departments want to run hack days; Government departments want to go agile; Government departments are thinking about how they can do stuff and how they can do it quickly. They go along with this idea of, "What can you do with our data? We do not have any ideas, we have this wealth of data, build us something, show us something fun, something that ordinary citizens can actually make sense of. Show us what we can do."

Jim Killock: It strikes me that, at the moment, a lot of the data sets that are being licensed or paid for fall into two categories; one is basic infrastructure. When we are talking about information, things like maps and postcodes are really critical infrastructure, so if they are being charged for, that is causing either social or economic barriers to people really using data properly. The Government should identity those parts of data which really are infrastructure and critically important to make sure that they are free and open to use. Secondly, some of the data that is being charged for, people have a tendency to license, which I feel is almost competing against the core purposes of those departments, businesses or Government functions. Take transport as an example; fair enough it has been privatised but the core business of train and bus companies is to get people on trains and buses, but it is nevertheless quite difficult to get the data off them to advertise their services. So in a way, they are trying to charge or license the data of their train and bus services, and that attempts to charge for the data and provides a revenue stream that actually competes against their core business of getting people on transport. Around a number of places where people are trying to sell or license data restrictively, that is quite a common feature. People assume that they can charge for data and go about finding new revenue streams when that is not really the point.

Q246   Chair: We must bring our session to a close but can I just briefly ask Mr Burton about how Government can make use of the Cloud? How could the Government make much better use of the Cloud than it does?

Andy Burton: I do not really believe that it is making use of the Cloud at the moment, or certainly not as a conscious strategy. The G­Cloud is the formation of that and that initiative can provide a framework to the wider marketplace, bearing in mind that about 26% of IT spend in the UK is made by public sector; it is a major fault in the way that IT is shaped in the nation.

Q247   Chair: Does the Government need to own its Cloud?

Andy Burton: No, it does not need to own it at all.

Q248   Chair: So G­Cloud is not necessarily Government-owned infrastructure?

Andy Burton: No, in its simplest form, G­Cloud should be providing the standard by which solutions should be built and it should determine what data is held and protected on sovereign soil.

Q249   Chair: And it should be happy if its infrastructure, G­Cloud, is used by other users for storing information, and for commercial use? It doesn't need its own exclusive cloud?

Andy Burton: It does not need its own exclusive cloud. I would counsel that there are probably some areas from a political and conceptual point of view—

Q250   Chair: We won't put GCHQ on the Cloud.

Andy Burton: Exactly. So there are issues around data privacy, data security, and data sovereignty. They are the three key issues that the general public and businesses are concerned about.

Q251   Chair: And what do you perceive the barriers to Cloud to be?

Andy Burton: If I go back to the tenor of this meeting, a current barrier to Cloud is that procurement is not geared up, at this moment in time, to even define how those organisations move from classic outsourcing—build a data centre, build a unique application, manage it 24/7—to building something and saying, "It had got to conform to this standard; it has got to be able to work within this security framework and it has got to enable small businesses, from a software provision point of view, to be able to interface with local community group", or whatever the case may be. The lack of framework is the biggest disabler today, and that lack of framework does not advise and guide your procurement process.

Q252   Chair: And presumably the existing framework is reinforced by the existing contractual commitments.

Andy Burton: Correct, and something has got to give. That is why I fundamentally believe that the initiative of G­Cloud is very powerful; it just has not yet manifested itself in a way that is design first and therefore procurement. The critical three things that I am hearing are: on agile computing, I think we all agree that this prototyping and design is an important issue to involve in before you get into contracting; the use of Cloud computing to get a least cost operation; and the definition of Open Standards.

Q253   Chair: And very lastly, how do you address those three qualities—privacy, security and sovereignty—in the Cloud?

Andy Burton: Bearing in mind the example that I gave earlier, a lot of those issues about data leakage were not actually around the central systems. They were about data being left in briefcases or couriers not delivering it, and things like that. It was when data was in portable media that it was being lost. I would counsel that most data centre organisations, at least the credible ones, will have very stringent security operations in place. There is a lot of fear, uncertainty and doubt about security in technology, and a lot of the scenarios we have seen have fed a public concern that it cannot be done. I would counsel that it can be done, but the issue is that you need to be clear about what you require of it, and those standards need to be enforced with any providers you use.

Q254   Chair: But we need to be far more concerned about people with memory sticks and losing their laptops.

Andy Burton: Than using Cloud computing. Correct.

Adam McGreggor: One of the things which should be consistent with a G­Cloud is that data should be easy to get out as well. At the moment the trouble is if a Government Department wants some data out of their own systems, sometimes they could end up paying a contractor their hourly rate[3] to get the same data out, which is a problem when it comes to Freedom of Information requests and the limit on the expenditure available. So if Government owns the data, it can get it rather than paying a contractor to release its own data to it, which would then open up transparency even more.

Chair: This has been a very helpful session. Are there any other burning comments? Excellent. Well I am most grateful for your help with this. It is difficult for us lay people to understand some of this. I think your session has been extremely helpful in that respect, so thank you very much indeed.


2   Note by witness : "Tell Us Once" (mentioned in Q188) was the product of a Rewired State Hack Day. Back

3   Note from witness: evidence from Freedom of Information Act requests suggest that third parties may be over-quoting for these requests.  Back


 
previous page contents


© Parliamentary copyright 2011
Prepared 28 July 2011