Written evidence submitted by London School
of Economics and Political Science Identity Project|
1. The proposed National Identity Scheme would
have been one of the largest technology innovations by UK government
in recent years. It took place in the full glare of public and
parliamentary scrutiny, much of it critical of the proposals.
With IT playing a key role in the proposals it would be reasonable
to expect that Scheme to be an exemplar of effective government
IT. The Scheme would be able to draw on recommendations from academia
and industry, the oversight and guidance provided by the National
Audit Office (NAO) and the Office of Government Commerce (OGC)
and the experience of its specialist consultants.
2. As this submission shows, however, this proved
not to be the case. The case of the National Identity Scheme therefore
provides evidence for key questions in the inquiry: How well is
technology policy co-ordinated across Government? Have past lessons
from NAO and OGC reviews about unsuccessful IT programmes been
learned and applied? How appropriate is the Government's existing
approach to information security, information assurance and privacy?
3. Although it was frequently claimed that the
lessons from previous IT failures had been learned (see Paragraphs
9 to 12), between 2003 and 2009 various reports on the progress
of the Scheme repeatedly warned about the dangers of not clearly
specifying the scope and focus of the Scheme (Paragraphs 13 to
18). This suggests that this basic lesson had not been learned
or was being ignored for other reasons.
4. The Scheme was intended to be a core element
of the government's "Safeguarding identity" strategy
that would form the basis for identity assurance across government.
Online authentication (or "remote access to public services")
is clearly a key element of this strategy yet this aspect was
never (publicly) specified (Paragraphs 19 to 20). This raises
concerns about the effectiveness of cross-government delivery
of key technology projects.
5. The National Identity Register ("the
Register") was intended to hold significant amounts of personal
data that needed to be managed securely. The IPS spent over 30
months working on its plan to implement the biographical element
of the Register on the Department of Work and Pensions Customer
Information Systems before finally deciding that an alternative
solution would be more appropriate. Ignoring the cost of this
work and the likely consequent delays in provisioning a suitable
replacement system, this raises questions about existing capabilities
for assessing and managing data securely (Paragraphs 21 to 30).
THE LSE IDENTITY
6. The LSE Identity Project
ran from January 2005 until the Identity Documents Bill became
law on 21 December 2010. During this period the research team
has closely followed the development of the proposed National
Identity Scheme ("The Scheme")
and have produced a number of scholarly publications and one research
monograph based on their work.
7. Chapter 15 of the Main LSE report,
issued in June 2005, focussed on the IT environment in the UK,
noting that the UK is a world leader in government IT projects
and has "a rich
experience in outsourcing projects, development projects, and
the implementation of new systems. These projects and systems
have not always achieved their stated goals".
The chapter noted the role of OGC Gateway Reviews in government
IT projects and reviewed common project challenges. For example,
following a problematic Home Office project that was intended
to improve the handling of immigration, asylum and citizenship
cases in 1999 the National Audit Office (NAO) called on departments
to consider whether a project might be "too ambitious"
and to agree details early in the process.
8. Chapter 15 of the Main LSE report ended
The legislative uncertainty and the constantly
shifting goals give the UK one of the least admirable track records
on large-scale IT projects. The infrastructure for the identity
card, as envisioned by the Bill, is arguably one of the largest
IT projects in the world. A database that will in time contain
over 60 million records holding a vast amount of information,
with on-line access, an advanced security model, and with hundreds
of thousands of users, is not only difficult to design and implement,
but will most likely be costly (p. 224).
9. Given the high profile nature of the Scheme,
the concerns raised at the Home Affairs Select Committee's inquiry
before the Bill was introduced,
the critique provided by the LSE Identity Project and problems
with Government data handling (most notably the HMRC child benefit
data breach), it would be reasonable to expect that lessons about
successful IT projects including the need for clear scope and
a well designed architecture had been embedded in the Scheme.
Similarly, one would expect that given the sensitive nature of
the data held on the Register, information assurance concerns
would have been uppermost throughout the Scheme. Unfortunately,
as the evidence in this submission will show, this was not the
case. This raises the prospect that if government IT projects
in the full media glare continue to face these problems what can
be expected of projects that do not have such visibility and associated
10. Throughout the Parliamentary passage of the
Identity Cards Bill, Government ministers reassured Parliament
that the lessons of previous IT failures had been learned. For
example, speaking in October 2005, Baroness Scotland told the
House of Lords:
Many concerns have been expressed about the technical
viability of the prescribed scheme. We recognise that there are
challenges. Projects such as this will always face such challenges
and opinions in the field of technology will differ. However,
the body of representations within industry, existing project
experience and research by established experts in the field of
biometrics and database technology indicate that we are right
to proceed with our plans at this stage. As with all major government
projects, the technology behind the identity card scheme will
ultimately come from the industry, and key sections of the industry
are telling us that the technology can work [31 October 2005 :
11. Such statements were consistent with the
guidance provided by the initial OGC gateway reviews of the project:
The implementation risks must be minimised through
the optimum use of existing capabilities, skills and expertise
The Identity Cards programme has been assessed
by the Department against the NAO/OGC list of common causes of
failure. We have examined this assessment and support its conclusions
although recognising that some of the common causes on the NAO/OGC
list relate to activities that will be undertaken during later
stages of the programme.
12. The Strategic Action Plan issued in December
2006 made similar claims, noting that the government was taking
and pragmatic approach. We will keep risks and costs down, by
using existing Government investment and delivering incrementally,
based on extensive piloting and trialling".
13. The OGC reviews highlighted the need for
the Scheme to have clear scope and focus:
The scope and objectives of an Entitlement Card
scheme must be precisely defined at a very early stage and all
opportunities and desires to change or grow these requirements
must be resisted.
14. In 2006 The House of Commons Science and
Technology Select Committee undertook an inquiry into the Governments
use of scientific advice and used the Identity Cards Scheme as
one of its case studies.
In their final report, the Committee noted that the emphasis "placed
on different aspirations has varied throughout the life of the
scheme and this changing focus has resulted in a lack of clarity
regarding the likely technology requirements"
and that it is "unsatisfactory
that the boundaries of the scheme still seem not to have been
set. We have the impression that the Government still does not
know precisely what it wants from the identity card scheme".
As a result the Commitee urged "the
Home Office to finalise the scope of the scheme and the technical
standards needed for interoperability as soon as possible"
and hoped that "the
situation will stabilise now that the Bill has received Royal
15. The Independent Scheme Assurance Panel (ISAP)
was formed so that the Scheme would "have
an experienced group of outsiders to take a dispassionate view
of the work of the Scheme's delivery Programme".
16. In its Annual Report 2007, ISAP noted:
The Programme's priorities now need to be finalised
and approvals gained if the project is to deliver in its published
flexibility demanded of the Programme is useful but does not excuse
the Programme from the need to adequately detail the requirements
for ICT systems, processes and operations.
Panel advised that delivery priorities would be clearer if backed
up by a simple statement of the rationale for each of the Scheme's
key design decisions.
17. However, in their 2009 Annual Report, ISAP
was still reporting concerns about the lack of clarity (under
the heading "Resist changes in requirements, give priority
to benefits or simplification"):
There have been a significant number of requests
for change (RfCs) in system requirements since supply contracts
were awarded. Changing requirements increases risk, cost, timescale,
or usually all three. It is essential that the RfCs be rigorously
challenged to protect and ensure delivery of the core requirements.
The evaluation criteria for additional functions
or changes should give priority to: benefit realisation; complexity
reduction; and cost reduction. Emphasis should be given to simplicity
and ease of execution. The Programme should pre-empt the complexity
of multiuse that is to follow by keeping the core function
as simple and straightforward as possible.
18. Similar concerns have been raised throughout
the life of the programme in terms of the technical architecture
for the Scheme. For example, the 2003 OGC review noted that poor
system architecture "could
severely reduce benefits from the scheme and increase cost"
with the 2004 OGC review stating that it will "be
essential to identify the preferred solutions to each of the main
technical issues by the start of the procurement phase".
The Science and Technology Select Committee recommended that "the
Home Office issues a clear timetable for the publication of the
technical specifications and defines procurement processes and
ISAP in 2007 noted that the challenge "of
integrating systems and operations requires an architectural and
organisational response. The Panel suggest the Programme should
verify that it has the capability to manage integration and that
the complexity of integrating increasingly interdependent systems
across Government is considered. This needs to cover integration
during the development phase and ongoing operational integration".
In 2008 ISAP noted "Seamless
integration will be an implementation challenge and definition
of certain consistent standards will help. Resources and attention
are needed on this".
They also reported that "Descriptions
in the architecture document have been 'frozen' to ensure consistency
in the procurement dialogue".
In their 2009 report, however, noted that "different
suppliers use different development methodologies ('waterfall'
and 'iterative' for example). At whole-programme level there will
be incremental releases as components are delivered, tested and
reviewed in turn. The different approaches increase complexity
and hence challenge the ability of the Programme to deliver the
whole. Management of releases or iterations will be a heavy burden
with these mixed methodologies".
19. An illustration of this lack of clarity with
regards the capabilities to be offered by the Scheme can be seen
with regard to the potential functionality to allow for remote
authentication. The Regulatory Impact Assessment for the first
version of the Identity Cards Bill talked of the "cost
of providing an on-line verification service which can validate
ID cards and other identity enquiries for user organisations.
Continuing discussions with user organisations and work on reducing
the delivery risks have led to a design decision that on-line
checks provide an optimum combination of simplicity, reliability
and auditability. However this does mean that the central IT infrastructure
will require more capacity and will need to be more resilient
than the current passport IT infrastructure or that envisaged
in the 2004 UKPS corporate plan".
Similarly, the Science and Technology Select Committee recommended
that "In order to
clarify when and how the card might be used, we recommend that
the Home Office releases more information regarding what personal
data will be revealed in different scenarios, including in an
online context. Until this information is released, it is difficult
to ascertain the true scope of the scheme and to fully understand
how technology will be used within the scheme".
20. This concern about online functionality was
repeated by ISAP in its 2008 report "A
usage proposition that appeals to citizens and organisations needing
to verify identity should be laid out in detail, both to inform
functional requirements and to drive benefits realisation. The
possible 'e' functions to be included are an example. The specification
of identity verification services is a particular need".
This concern was reiterated in its 2009 report: "The
functionality for verification against NIR records in remote or
non-face-to-face situations is a known need that is not yet specified.
Definition of verification service requirements needs a high priority
to inform systems design now".
21. The assurance of the data held on the National
Identity Register was always a key element underlying public confidence
in the Scheme. This became even more significant following the
HMRC Child Benefit Data Breach but was also flagged by ISAP. For
example, in 2008 it noted: "The
governance, safe storage, controls, means of and limits on the
use, of Scheme data must be clear, and this clarity must be effectively
communicated. The specification of data standards and these protections
in practice should be further developed".
The 2009 ISAP report underlines the reasons for this: "Trust
in the NIS is fundamental to its attractiveness. Fear of misuse
of information about an individual or concerns about personal
liberty threaten this. Trust requires: the record to be true;
the data to be under control at all times; and the citizen to
have power over its use and protections against its misuse with
mechanisms for correction of errors".
"The NIS must have
robust data governance and operational management controls from
the outset that must be institutionalised and policed to the satisfaction
of the Identity Commissioner in order to provide the first two
of these trust requirements. All users and all data access arrangements
must adhere to these governance controls".
22. In this context, the decision to use and
then not use the Department of Work and Pensions Customer Information
System (CIS) as the National Identity Register is particularly
23. The initial proposals had always been for
the Register to be hosted in a brand new, purpose built data centre.
As Nigel Seed informed the Science and Technology Select Committee:
Security is not going to be an add-on, it is being
done now. We have not even gone out with our requirements. The
security team is embedded within my procurement team; they are
fully engaged. They are on my back all the time, as they should
be. The people who are going to do the accreditation are having
meetings with our people all the times, looking at our requirements
as they develop and then inputting to those requirements. The
security of the data centre itself is down to even very basic
things like making sure it is not on or near a floodplain. We
are looking at all that sort of stuff, right the way from very
basic level access and flooding and losing it that way right the
way through to hacking.
24. However, when John Reid became Home Secretary
in May 2006 and declared the Department "not fit for purpose",
various programmes within the Home Office were reviewed including
the Identity Cards Scheme. This resulted in a new, Strategic Action
Plan, released in December 2006 on the last day before the Christmas
Parliamentary Recess. This proposed a redesign of the Scheme,
for example by dropping the mandatory use of iris biometrics and
reusing three existing government databases rather than designing
a new National Identity Register from scratch: "for
NIR biographical information, we plan to use DWP's Customer Information
System (CIS) technology, subject to the successful completion
of technical feasibility work".
25. ISAP in its 2007 report expressed concern
that reuse of the CIS "may
bring integration complexity".
As the plans to use the CIS developed, in 2008 ISAP noted "The
immediate issue is one of costs and prioritiesthere must
be a means of determining priorities if there is competition between
DWP and IPS for development resources. In the longer term CIS
could become a bottleneck for the introduction of new services.
To minimise this risk the core scope and content of CIS should
be strictly confined to the attributes of common interest to all
users and the development schedule covered by strict service level
agreements. The Scheme should review the relative cost and complexity
of these re-use or re-build options".
26. In its 2008 Delivery Plan (itself a significant
variation of the previous Strategic Action Plan), the IPS reaffirmed
the ongoing work to use the CIS, noting that "The Department
for Work and Pensions (DWP), is also treated as a delivery partner
because their Customer Information System (CIS) forms part of
the technical solution for the NIR"
and the ISAP 2009 report strongly supported "the decision
that the NIS should use the DWP's CIS biographic database".
This is despite the fact that, in 2008, the NAO reported that
"The Customer Information System has not yet received
full data security accreditation under the new Cabinet Office
rules for personal data".
27. On 18 March 2010, the Identity and Passport
Service announced that it had selected a "revised option
for delivering the biographic store which will form a key asset
in the National Identity Register".
The decision was to "enhance
the database that is already being implemented as part of the
replacement for the UK Border Agency's Identity and Asylum Fingerprint
System, rather than utilising the Department of Work and Pensions'
Customer Information System".
28. Whilst such a significant technological shift
might be justified in terms of it providing the most effective
response to the previously expressed concerns about information
assurance, documents obtained under the Freedom of Information
Act by the journalist Mark Ballard
indicate more fundamental problems in the decision making process
about the use of the CIS. The documents note that as of 6 December
2006 the ongoing feasibility study "had
not discovered any issues that would prevent this use of CIS".
Indeed, the summary (dated 16 February 2007) notes that "The
work completed to date by our teams has proved valuable in demonstrating
that there are no apparent showstoppers, but there is clearly
a way to go before all parties have a full understanding and everything
is in place to facilitate success".
29. In terms of a timeline, the review initiated
by John Reid sometime after May 2006 proposed the use of CIS.
By 6 December 2006 there was sufficient confidence in the use
of the CIS that it could be explicitly cited as the likely route
for the biographical element of the Register in the Strategic
Action Plan issued on 19 December 2006. On 16 February 2007 there
were not believed to be any "showstopper" problems with
using the CIS, and the 2008 Delivery Plan and 2009 ISAP annual
report both suggest that the use of CIS was still the preferred
technological solution. The s37 cost report issued on 26 October
2009 also gives no indication of any change in projected costs
that would arise from a proposed major change in the technological
infrastructure of the Register. Therefore, the decision to not
use the CIS had to be taken sometime between 26 October 2009 and
18 March 2010. Thus between February 2007 and October 2009 (at
least) the use of the CIS was the preferred technological option
for the biographical element of the Register. It is unclear how
much money was spent on the development work associated with the
plans to use the CIS during this period.
30. In addition, it has been disclosed that some
of the front office systems for enrolling individuals onto the
Register "have on occasion incorrectly retained data"
despite being designed "for data to be retained centrally
with no information retained locally".
A NOTE ON
31. Many details about the National Identity
Scheme have not been made available publicly. For example, the
OGC reports cited in this report, were only released after a lengthy
legal challenge to the original FOIA request in March 2009.
This submission therefore draws on publicly available sources.
Most of these documents would have been written with an expectation
that they would be released to the public. They are therefore
likely to err on the side of understating potential problems.
However, given the important role of parliamentary oversight of
government IT projects, they are also likely to be the main documents
that any decision making by parliamentarians would be based upon.
The LSE Identity Project archive is available at http://identityproject.lse.ac.uk/default.htm.
The LSE's work on identity policies more broadly can be found
at http://identitypolicy.lse.ac.uk/ Back
By May 2009, the National Identity Scheme was being rebadged as
the National Identity Service. It will be referred to as the Scheme
throughout this submission. Back
For example, Whitley E A and Hosein G (2010). Global challenges
for identity policies. Palgrave Macmillan, Basingstoke and Whitley
EA and Hosein G (2010) Global Identity Policies and Technology:
Do we Understand the Question? Global Policy 1(2), 209-215. Back
LSE Identity Project (2005) Main Report (27 June) Archived at
Page 201 Back
"The Home Office: The Immigration and Nationality Directorate's
Casework Programme", National Audit Office Press Notice,
HC277, 24 March 1999 Back
HAC 2004. For full details of frequently cited sources, see reference
list at end of document. Back
OGC 2003 Page 4 of PDF Back
OGC 2004 Page 6. Back
SAP 2006 Page 2 Back
OGC 2003 Page 4 of PDF Back
ST 2006 Back
ST 2006 §37 Back
ST 2006 §39 Back
ST 2006 §42 Back
ST 2006 §37 Back
ISAP 2007 Page 2 of PDF Back
ISAP 2007 §3.4 Back
ISAP 2009 §5.5, 5.6 Back
OGC 2003 Page 11 of PDF Back
OGC 2004 Page 5 Back
ST 2006 §46 Back
ISAP 2007 §3.2 Back
ISAP 2008 §2.2 Back
ISAP 2008 §2.4 Back
ISAP 2009 §5.8 Back
RIA 2004 §18 (iii) Back
ST 2006 §47 Back
ISAP 2008 §2.2 (1) Back
ISAP 2009 §2.6 Back
ISAP 2008 §2.2 (3) Back
ISAP 2009 §2.7 Back
ISAP 2009 §2.8 Back
SAP §15 Back
ISAP 2007 §3 Back
ISAP 2008 §2.5 Back
DP 2008 §53 Back
ISAP 2009 §3.9 Back
NAO 2008 §4.13 Back
IPS 2010 Back
IPS 2010 Back
CW 2011 Back
CW 2011 Back
CWIC 2010 Back