Government And IT - "A Recipe For Rip-Offs": Time For A New Approach - Public Administration Committee Contents


Written evidence submitted by London School of Economics and Political Science Identity Project

EXECUTIVE SUMMARY

1.  The proposed National Identity Scheme would have been one of the largest technology innovations by UK government in recent years. It took place in the full glare of public and parliamentary scrutiny, much of it critical of the proposals. With IT playing a key role in the proposals it would be reasonable to expect that Scheme to be an exemplar of effective government IT. The Scheme would be able to draw on recommendations from academia and industry, the oversight and guidance provided by the National Audit Office (NAO) and the Office of Government Commerce (OGC) and the experience of its specialist consultants.

2.  As this submission shows, however, this proved not to be the case. The case of the National Identity Scheme therefore provides evidence for key questions in the inquiry: How well is technology policy co-ordinated across Government? Have past lessons from NAO and OGC reviews about unsuccessful IT programmes been learned and applied? How appropriate is the Government's existing approach to information security, information assurance and privacy?

3.  Although it was frequently claimed that the lessons from previous IT failures had been learned (see Paragraphs 9 to 12), between 2003 and 2009 various reports on the progress of the Scheme repeatedly warned about the dangers of not clearly specifying the scope and focus of the Scheme (Paragraphs 13 to 18). This suggests that this basic lesson had not been learned or was being ignored for other reasons.

4.  The Scheme was intended to be a core element of the government's "Safeguarding identity" strategy that would form the basis for identity assurance across government. Online authentication (or "remote access to public services") is clearly a key element of this strategy yet this aspect was never (publicly) specified (Paragraphs 19 to 20). This raises concerns about the effectiveness of cross-government delivery of key technology projects.

5.  The National Identity Register ("the Register") was intended to hold significant amounts of personal data that needed to be managed securely. The IPS spent over 30 months working on its plan to implement the biographical element of the Register on the Department of Work and Pensions Customer Information Systems before finally deciding that an alternative solution would be more appropriate. Ignoring the cost of this work and the likely consequent delays in provisioning a suitable replacement system, this raises questions about existing capabilities for assessing and managing data securely (Paragraphs 21 to 30).

THE LSE IDENTITY PROJECT

6.  The LSE Identity Project[11] ran from January 2005 until the Identity Documents Bill became law on 21 December 2010. During this period the research team has closely followed the development of the proposed National Identity Scheme ("The Scheme")[12] and have produced a number of scholarly publications and one research monograph based on their work.[13]

7.  Chapter 15 of the Main LSE report,[14] issued in June 2005, focussed on the IT environment in the UK, noting that the UK is a world leader in government IT projects and has "a rich experience in outsourcing projects, development projects, and the implementation of new systems. These projects and systems have not always achieved their stated goals".[15] The chapter noted the role of OGC Gateway Reviews in government IT projects and reviewed common project challenges. For example, following a problematic Home Office project that was intended to improve the handling of immigration, asylum and citizenship cases in 1999 the National Audit Office (NAO) called on departments to consider whether a project might be "too ambitious" and to agree details early in the process.[16]

8.  Chapter 15 of the Main LSE report ended by stating:

The legislative uncertainty and the constantly shifting goals give the UK one of the least admirable track records on large-scale IT projects. The infrastructure for the identity card, as envisioned by the Bill, is arguably one of the largest IT projects in the world. A database that will in time contain over 60 million records holding a vast amount of information, with on-line access, an advanced security model, and with hundreds of thousands of users, is not only difficult to design and implement, but will most likely be costly (p. 224).

LESSONS HAVE BEEN LEARNED

9.  Given the high profile nature of the Scheme, the concerns raised at the Home Affairs Select Committee's inquiry before the Bill was introduced,[17] the critique provided by the LSE Identity Project and problems with Government data handling (most notably the HMRC child benefit data breach), it would be reasonable to expect that lessons about successful IT projects including the need for clear scope and a well designed architecture had been embedded in the Scheme. Similarly, one would expect that given the sensitive nature of the data held on the Register, information assurance concerns would have been uppermost throughout the Scheme. Unfortunately, as the evidence in this submission will show, this was not the case. This raises the prospect that if government IT projects in the full media glare continue to face these problems what can be expected of projects that do not have such visibility and associated scrutiny.

10.  Throughout the Parliamentary passage of the Identity Cards Bill, Government ministers reassured Parliament that the lessons of previous IT failures had been learned. For example, speaking in October 2005, Baroness Scotland told the House of Lords:

Many concerns have been expressed about the technical viability of the prescribed scheme. We recognise that there are challenges. Projects such as this will always face such challenges and opinions in the field of technology will differ. However, the body of representations within industry, existing project experience and research by established experts in the field of biometrics and database technology indicate that we are right to proceed with our plans at this stage. As with all major government projects, the technology behind the identity card scheme will ultimately come from the industry, and key sections of the industry are telling us that the technology can work [31 October 2005 : Column 111].

11.  Such statements were consistent with the guidance provided by the initial OGC gateway reviews of the project:

The implementation risks must be minimised through the optimum use of existing capabilities, skills and expertise[18]

and

The Identity Cards programme has been assessed by the Department against the NAO/OGC list of common causes of failure. We have examined this assessment and support its conclusions although recognising that some of the common causes on the NAO/OGC list relate to activities that will be undertaken during later stages of the programme.[19]

12.  The Strategic Action Plan issued in December 2006 made similar claims, noting that the government was taking "an incremental and pragmatic approach. We will keep risks and costs down, by using existing Government investment and delivering incrementally, based on extensive piloting and trialling".[20]

SCOPE AND FOCUS

13.  The OGC reviews highlighted the need for the Scheme to have clear scope and focus:

The scope and objectives of an Entitlement Card scheme must be precisely defined at a very early stage and all opportunities and desires to change or grow these requirements must be resisted.[21]

14.  In 2006 The House of Commons Science and Technology Select Committee undertook an inquiry into the Governments use of scientific advice and used the Identity Cards Scheme as one of its case studies.[22] In their final report, the Committee noted that the emphasis "placed on different aspirations has varied throughout the life of the scheme and this changing focus has resulted in a lack of clarity regarding the likely technology requirements"[23] and that it is "unsatisfactory that the boundaries of the scheme still seem not to have been set. We have the impression that the Government still does not know precisely what it wants from the identity card scheme"[24]. As a result the Commitee urged "the Home Office to finalise the scope of the scheme and the technical standards needed for interoperability as soon as possible"[25] and hoped that "the situation will stabilise now that the Bill has received Royal Assent".[26]

15.  The Independent Scheme Assurance Panel (ISAP) was formed so that the Scheme would "have an experienced group of outsiders to take a dispassionate view of the work of the Scheme's delivery Programme".[27]

16.  In its Annual Report 2007, ISAP noted:

The Programme's priorities now need to be finalised and approvals gained if the project is to deliver in its published timeframe. Specifically:

—  The flexibility demanded of the Programme is useful but does not excuse the Programme from the need to adequately detail the requirements for ICT systems, processes and operations.

—  The Panel advised that delivery priorities would be clearer if backed up by a simple statement of the rationale for each of the Scheme's key design decisions.[28]

17.  However, in their 2009 Annual Report, ISAP was still reporting concerns about the lack of clarity (under the heading "Resist changes in requirements, give priority to benefits or simplification"):

There have been a significant number of requests for change (RfCs) in system requirements since supply contracts were awarded. Changing requirements increases risk, cost, timescale, or usually all three. It is essential that the RfCs be rigorously challenged to protect and ensure delivery of the core requirements.

The evaluation criteria for additional functions or changes should give priority to: benefit realisation; complexity reduction; and cost reduction. Emphasis should be given to simplicity and ease of execution. The Programme should pre-empt the complexity of multi—use that is to follow by keeping the core function as simple and straightforward as possible.[29]

18.  Similar concerns have been raised throughout the life of the programme in terms of the technical architecture for the Scheme. For example, the 2003 OGC review noted that poor system architecture "could severely reduce benefits from the scheme and increase cost"[30] with the 2004 OGC review stating that it will "be essential to identify the preferred solutions to each of the main technical issues by the start of the procurement phase".[31] The Science and Technology Select Committee recommended that "the Home Office issues a clear timetable for the publication of the technical specifications and defines procurement processes and stages".[32] ISAP in 2007 noted that the challenge "of integrating systems and operations requires an architectural and organisational response. The Panel suggest the Programme should verify that it has the capability to manage integration and that the complexity of integrating increasingly interdependent systems across Government is considered. This needs to cover integration during the development phase and ongoing operational integration".[33] In 2008 ISAP noted "Seamless integration will be an implementation challenge and definition of certain consistent standards will help. Resources and attention are needed on this".[34] They also reported that "Descriptions in the architecture document have been 'frozen' to ensure consistency in the procurement dialogue".[35] In their 2009 report, however, noted that "different suppliers use different development methodologies ('waterfall' and 'iterative' for example). At whole-programme level there will be incremental releases as components are delivered, tested and reviewed in turn. The different approaches increase complexity and hence challenge the ability of the Programme to deliver the whole. Management of releases or iterations will be a heavy burden with these mixed methodologies".[36]

19.  An illustration of this lack of clarity with regards the capabilities to be offered by the Scheme can be seen with regard to the potential functionality to allow for remote authentication. The Regulatory Impact Assessment for the first version of the Identity Cards Bill talked of the "cost of providing an on-line verification service which can validate ID cards and other identity enquiries for user organisations. Continuing discussions with user organisations and work on reducing the delivery risks have led to a design decision that on-line checks provide an optimum combination of simplicity, reliability and auditability. However this does mean that the central IT infrastructure will require more capacity and will need to be more resilient than the current passport IT infrastructure or that envisaged in the 2004 UKPS corporate plan".[37] Similarly, the Science and Technology Select Committee recommended that "In order to clarify when and how the card might be used, we recommend that the Home Office releases more information regarding what personal data will be revealed in different scenarios, including in an online context. Until this information is released, it is difficult to ascertain the true scope of the scheme and to fully understand how technology will be used within the scheme".[38]

20.  This concern about online functionality was repeated by ISAP in its 2008 report "A usage proposition that appeals to citizens and organisations needing to verify identity should be laid out in detail, both to inform functional requirements and to drive benefits realisation. The possible 'e' functions to be included are an example. The specification of identity verification services is a particular need".[39] This concern was reiterated in its 2009 report: "The functionality for verification against NIR records in remote or non-face-to-face situations is a known need that is not yet specified. Definition of verification service requirements needs a high priority to inform systems design now".[40]

SECURITY, ASSURANCE AND THE NATIONAL IDENTITY REGISTER

21.  The assurance of the data held on the National Identity Register was always a key element underlying public confidence in the Scheme. This became even more significant following the HMRC Child Benefit Data Breach but was also flagged by ISAP. For example, in 2008 it noted: "The governance, safe storage, controls, means of and limits on the use, of Scheme data must be clear, and this clarity must be effectively communicated. The specification of data standards and these protections in practice should be further developed".[41] The 2009 ISAP report underlines the reasons for this: "Trust in the NIS is fundamental to its attractiveness. Fear of misuse of information about an individual or concerns about personal liberty threaten this. Trust requires: the record to be true; the data to be under control at all times; and the citizen to have power over its use and protections against its misuse with mechanisms for correction of errors".[42] "The NIS must have robust data governance and operational management controls from the outset that must be institutionalised and policed to the satisfaction of the Identity Commissioner in order to provide the first two of these trust requirements. All users and all data access arrangements must adhere to these governance controls".[43]

22.  In this context, the decision to use and then not use the Department of Work and Pensions Customer Information System (CIS) as the National Identity Register is particularly perplexing.

23.  The initial proposals had always been for the Register to be hosted in a brand new, purpose built data centre. As Nigel Seed informed the Science and Technology Select Committee:

Security is not going to be an add-on, it is being done now. We have not even gone out with our requirements. The security team is embedded within my procurement team; they are fully engaged. They are on my back all the time, as they should be. The people who are going to do the accreditation are having meetings with our people all the times, looking at our requirements as they develop and then inputting to those requirements. The security of the data centre itself is down to even very basic things like making sure it is not on or near a floodplain. We are looking at all that sort of stuff, right the way from very basic level access and flooding and losing it that way right the way through to hacking.[44]

24.  However, when John Reid became Home Secretary in May 2006 and declared the Department "not fit for purpose", various programmes within the Home Office were reviewed including the Identity Cards Scheme. This resulted in a new, Strategic Action Plan, released in December 2006 on the last day before the Christmas Parliamentary Recess. This proposed a redesign of the Scheme, for example by dropping the mandatory use of iris biometrics and reusing three existing government databases rather than designing a new National Identity Register from scratch: "for NIR biographical information, we plan to use DWP's Customer Information System (CIS) technology, subject to the successful completion of technical feasibility work".[45]

25.  ISAP in its 2007 report expressed concern that reuse of the CIS "may bring integration complexity".[46] As the plans to use the CIS developed, in 2008 ISAP noted "The immediate issue is one of costs and priorities—there must be a means of determining priorities if there is competition between DWP and IPS for development resources. In the longer term CIS could become a bottleneck for the introduction of new services. To minimise this risk the core scope and content of CIS should be strictly confined to the attributes of common interest to all users and the development schedule covered by strict service level agreements. The Scheme should review the relative cost and complexity of these re-use or re-build options".[47]

26.  In its 2008 Delivery Plan (itself a significant variation of the previous Strategic Action Plan), the IPS reaffirmed the ongoing work to use the CIS, noting that "The Department for Work and Pensions (DWP), is also treated as a delivery partner because their Customer Information System (CIS) forms part of the technical solution for the NIR"[48] and the ISAP 2009 report strongly supported "the decision that the NIS should use the DWP's CIS biographic database".[49] This is despite the fact that, in 2008, the NAO reported that "The Customer Information System has not yet received full data security accreditation under the new Cabinet Office rules for personal data".[50]

27.  On 18 March 2010, the Identity and Passport Service announced that it had selected a "revised option for delivering the biographic store which will form a key asset in the National Identity Register".[51] The decision was to "enhance the database that is already being implemented as part of the replacement for the UK Border Agency's Identity and Asylum Fingerprint System, rather than utilising the Department of Work and Pensions' Customer Information System".[52]

28.  Whilst such a significant technological shift might be justified in terms of it providing the most effective response to the previously expressed concerns about information assurance, documents obtained under the Freedom of Information Act by the journalist Mark Ballard[53] indicate more fundamental problems in the decision making process about the use of the CIS. The documents note that as of 6 December 2006 the ongoing feasibility study "had not discovered any issues that would prevent this use of CIS".[54] Indeed, the summary (dated 16 February 2007) notes that "The work completed to date by our teams has proved valuable in demonstrating that there are no apparent showstoppers, but there is clearly a way to go before all parties have a full understanding and everything is in place to facilitate success".[55]

29.  In terms of a timeline, the review initiated by John Reid sometime after May 2006 proposed the use of CIS. By 6 December 2006 there was sufficient confidence in the use of the CIS that it could be explicitly cited as the likely route for the biographical element of the Register in the Strategic Action Plan issued on 19 December 2006. On 16 February 2007 there were not believed to be any "showstopper" problems with using the CIS, and the 2008 Delivery Plan and 2009 ISAP annual report both suggest that the use of CIS was still the preferred technological solution. The s37 cost report issued on 26 October 2009 also gives no indication of any change in projected costs that would arise from a proposed major change in the technological infrastructure of the Register. Therefore, the decision to not use the CIS had to be taken sometime between 26 October 2009 and 18 March 2010. Thus between February 2007 and October 2009 (at least) the use of the CIS was the preferred technological option for the biographical element of the Register. It is unclear how much money was spent on the development work associated with the plans to use the CIS during this period.

30.  In addition, it has been disclosed that some of the front office systems for enrolling individuals onto the Register "have on occasion incorrectly retained data" despite being designed "for data to be retained centrally with no information retained locally".[56]

A NOTE ON SOURCES USED

31.  Many details about the National Identity Scheme have not been made available publicly. For example, the OGC reports cited in this report, were only released after a lengthy legal challenge to the original FOIA request in March 2009.[57] This submission therefore draws on publicly available sources. Most of these documents would have been written with an expectation that they would be released to the public. They are therefore likely to err on the side of understating potential problems. However, given the important role of parliamentary oversight of government IT projects, they are also likely to be the main documents that any decision making by parliamentarians would be based upon.

February 2011

DOCUMENTS CITED IN THE SUBMISSION
CW 2011Computer Weekly http://www.computerweekly.com/blogs/public-sector/2011/02/01/Use%20of%20the%20Customer%20Information%20System
%20as%20a%20shared%2C%20cross-Government%20asset%20-%
20DWP%20Restricted%20Policy%20-%2016%20February%202007.pdf
CWIC 2010CWIC-NIR Destruction and Equipment Decommissioning http://www.parliament.uk/deposits/depositedpapers/2010/DEP2010-1918.zip
DP 2008Delivery Plan 2008 http://collections.europarchive.org/tna/20100429164701/
http://ips.gov.uk/cps/files/ips/live/assets/documents/national-identity-scheme-delivery-2008.pdf
HAC 2004Identity Cards: Fourth report of session 2003-04 http://www.publications.parliament.uk/pa/cm200304/cmselect/cmhaff/130/130.pdf
IPS 2010 Identity and Passport Service Announcement http://collections.europarchive.org/tna/20100429164701/http://ips.gov.uk/cps/rde/xchg/ips_live/hs.xsl/1618.htm?advanced=&searchoperator=
&searchmodifier=&verb=&search_date_from=&search_date_to=&stage=&search_event_subject=&search_
category=&search_query=&search_scope=&search_group=&varChunk=
ISAP 2007Independent Scheme Assurance Panel Annual Report 2007
ISAP 2008Independent Scheme Assurance Panel Annual Report 2008 http://collections.europarchive.org/tna/20100429164701/http://ips.gov.uk/cps/files/ips/live/assets/documents/ISAP_2008_Report_v1.pdf
ISAP 2009Independent Scheme Assurance Panel Annual Report 2009 http://ips.gov.uk/cps/files/ips/live/assets/documents/ISAP_Report_2009_Final.pdf
NAO 2008Department for Work and Pensions: Information Technology Programmes http://www.nao.org.uk/publications/0708/dwp_it_programmes.aspx
OGC 2003Identity Cards OGC Gateway review: 0—Strategic Assessment http://www.ogc.gov.uk/documents/Home_Office_ID_Cards_Programe_Gate_0_Report_June_2003.pdf
OGC 2004Identity Cards OGC Gateway review: 0—Strategic Assessment http://www.ogc.gov.uk/documents/Home_Office_ID_Cards_Programme_Gate_0_Report_January_2004.pdf
SAP 2006Strategic Action Plan for the National Identity Scheme: Safe guarding your identity http://collections.europarchive.org/tna/20100429164701/http://ips.gov.uk/cps/files/ips/live/assets/documents/Strategic-Action-Plan.pdf
ST 2006Science and Technology Select Committee: Identity Card Technologies: Scientific advice, risk and evidence http://www.publications.parliament.uk/pa/cm200506/cmselect/cmsctech/1032/1032.pdf



11   The LSE Identity Project archive is available at http://identityproject.lse.ac.uk/default.htm. The LSE's work on identity policies more broadly can be found at http://identitypolicy.lse.ac.uk/ Back

12   By May 2009, the National Identity Scheme was being rebadged as the National Identity Service. It will be referred to as the Scheme throughout this submission. Back

13   For example, Whitley E A and Hosein G (2010). Global challenges for identity policies. Palgrave Macmillan, Basingstoke and Whitley EA and Hosein G (2010) Global Identity Policies and Technology: Do we Understand the Question? Global Policy 1(2), 209-215. Back

14   LSE Identity Project (2005) Main Report (27 June) Archived at http://identityproject.lse.ac.uk/identityreport.pdf Back

15   Page 201 Back

16   "The Home Office: The Immigration and Nationality Directorate's Casework Programme", National Audit Office Press Notice, HC277, 24 March 1999 Back

17   HAC 2004. For full details of frequently cited sources, see reference list at end of document. Back

18   OGC 2003 Page 4 of PDF Back

19   OGC 2004 Page 6. Back

20   SAP 2006 Page 2 Back

21   OGC 2003 Page 4 of PDF Back

22   ST 2006 Back

23   ST 2006 §37 Back

24   ST 2006 §39 Back

25   ST 2006 §42 Back

26   ST 2006 §37 Back

27   ISAP 2007 Page 2 of PDF Back

28   ISAP 2007 §3.4 Back

29   ISAP 2009 §5.5, 5.6 Back

30   OGC 2003 Page 11 of PDF Back

31   OGC 2004 Page 5 Back

32   ST 2006 §46 Back

33   ISAP 2007 §3.2 Back

34   ISAP 2008 §2.2 Back

35   ISAP 2008 §2.4 Back

36   ISAP 2009 §5.8 Back

37   RIA 2004 §18 (iii) Back

38   ST 2006 §47 Back

39   ISAP 2008 §2.2 (1) Back

40   ISAP 2009 §2.6 Back

41   ISAP 2008 §2.2 (3) Back

42   ISAP 2009 §2.7 Back

43   ISAP 2009 §2.8 Back

44   Q344 Back

45   SAP §15 Back

46   ISAP 2007 §3 Back

47   ISAP 2008 §2.5 Back

48   DP 2008 §53 Back

49   ISAP 2009 §3.9 Back

50   NAO 2008 §4.13 Back

51   IPS 2010 Back

52   IPS 2010 Back

53   http://www.computerweekly.com/blogs/public-sector/2011/02/use-of-the-customer-informatio.html Back

54   CW 2011 Back

55   CW 2011 Back

56   CWIC 2010 Back

57   http://www.ogc.gov.uk/freedom_of_information_disclosures_gateway_reviews_of_home_office_id_cards_programme__updated_19th_march_2009.asp Back


 
previous page contents next page


© Parliamentary copyright 2011
Prepared 28 July 2011