2) Decouple all civil servant bonus payments from introducing a specific system and link instead to measurable improvement in customer feedback.

3) For every project over £25 have a mandatory monthly teleconference / online presentation status update where any member of the public can attend (listen only). All sessions to be recorded (sound and slides) and provided in an archive for future “lessons learned” sessions.

Similarly, I’d say principle 1 should read: ‘Government is just one potential *credential* provider of many: it does not, and should not have, a monopoly on citizens’ identity and authentication.’

Principle 2 is more problematic. Government’s role may be to ensure/enforce proper governance of any identity assurance framework(s) operating in the UK – though its record to date makes it a pretty poor candidate. It may even have a place in establishing standards – if it can get over its obsession with its own administrative convenience. But ‘an overall governance framework’ could easily be misinterpreted to mean ‘one ring to rule them all’…

Governments don’t issue identities. So, ‘credential-issuing and authentication functions’ or ‘identity assurance’ would be far preferable to ‘identity-issuance and authentication functions’.

Principle 3: why not ‘adopt’, rather than ‘support and promote’? A bit of ‘leadership by example’ might help rehabilitate trust…

1) Anonymity is not just ‘fine’, it could be (the/a) key to getting the public sector to realise it doesn’t need to collect (so much) data. Aim for the ‘high hanging fruit’, so your driving problem is sufficiently challenging to make people/organisations reconceive the whole way they do things – rather than just pare back bits of existing systems, or bolt other bits on – and embrace the fact that it’ll shake out some of the stickiest problems first. Success (i.e. anonymous delivery) then illustrates a deep principle, and successes along the way (e.g. permanently excising a field of data) build momentum rather than serve as end points in themselves. Agree with Iain that data minimisation, though sensible and necessary, is not as good as *proper* privacy by design. Indeed, as espoused by Home Office, I’ve heard dm used as a ‘justification’ for the National Identity Register!

2) If it’s truly a principle, you need something stronger than ‘may’. Sorry. Also think double use of ‘proof’ is problematic, though I can’t quite put my finger on why (tautologous? limits the case too much?). How about ‘Declaration/establishment of entitlement should *never* require proof of identity’? People should always be able to find out what they qualify for (and if they qualify for that, what else they might also qualify for) without having to identify themselves. Only at ‘transaction’ time should credentials/actual personal data come into play. If government wants to act like a shop (and I don’t agree that it should) it has to allow people to wander around and try things on for size/colour/whatever before going to the ’till’…

3) Please seperate ownership from management and control. Though tremendously problematic, in all sorts of ways, ‘ownership’ of personal data should be inviolable. An analogy: though their lives/bodies are almost completely managed and heavily controlled, no-one would argue (I hope) that prisoners are *owned* by the state that has detained them. Law enforcement agencies may be ‘priviledged’ (preferably by court-issued warrants – strict constraints and proper independent oversight) to act in certain ways that override the control or consent of the individual, but they don’t ‘own’ the suspect or even stuff/items gathered in evidence – and should NEVER be encouraged to think that they do. Or you get more obscenities like the million innocent people’s data on NDNAD. Just because, in the course of discharging its duties, an agency paid to process some data shouldn’t mean it gets to own it.

Personal Data
Principles of Personal Data:
Clear benefit statement – 2 way
Benefits realisation for the customer:
Tell us once
Know what your entitled to
Stop Queuing
Prevent fraudulent use
Lowered service cost and reduced tax
Subject Access Request
Rapid Response Holistic view
Minimal disclosure
Transparency
People’s records should be accessible
Provide audit trail
Accepted and endorsed across government
Selective implementation
Explicit permission – citizen in control

Things to do (new)
Open up to receiving data streams from the individual – Rx rather than Tx
Monitor/control access to data streams

Things to stop doing
Stop breaking the law
Don’t build centralised databases

Things to continue doing
Get better on information assurance

– constrained by existin contracts
– constrained by procuremnt regulations

* know what it is you want to buy
– ID the svce categories you want to buy in new world
* ensure you move away from bespoke reqts; ID what is genuinely unique.

Create envt where pub sector collaborates on proct is a world away – mechanisms for comms etc just not in place

Loops back into enabling business change – the bigger part of savings.

Standardised reqts conflict with “we work this way”: existing business processes inhibit change. So we need holistic view of entire piece. Where is the IT reinforcing inefficiencies.

IT suppliers not entirely happy with gov approach to proct. re the 4 principles:

i effective competition: YES
ii separation of complex v commodity. DOnt wrap up desktop with user-facing: agree in principle. But recognise it cd drive up cost of bespoke work (if commodity partis removed)
? is public sector ready to support multi vendor environment? Skills, manpower issue.
Bespoke only when necessary: doesnt require move away from proprietary; just means define tech arch standard and we have interopability so nothing is closed off.
4: breaking it up. We thought this was admirable, but is the problem statement fact or open to argument? Also: it points to importance of collaboration and partnership. Dont send suppliers into bunkers to solve problems.

Terms/key recs:
1. identify genuilnely unique reqts. Standardise and share the rest.
2. improve capability and skills for whole programme; proj, contr mgt as well as procurement. There are many causes of failure.
3. Big gap: how is risk priced into existing contracts? (ind cd help with this). Do they understad tradeoffs with cost savings etc.
4. Find ways to ease proct process. eg rolling centralised accreditation or pre PQQ stage, so it doesnt have to be done case by case. “This supplier is capable of supplyig these services, up to these sorts of standards or levels of risk” – gold/silver . Doesnt rul eout SMEs. Might drive cost of sale down, and length of procureent,

Things to stop:
overly flexible OGC frameworls focussed on PRICE of IT svces as opposed to the change it delivers. Driving magin out is not in long term interests of entire market.

Avoid ignoring businesss process change: focus on the larger prize.

Avoid process as blocker to change.

We DO sense change in envt in trying to have debate on difficult and entrenched issues. Persist with this

* not all depts are equal. DWP non-issuing cash vs people not getting their tax discs

Things to stop:

Hard to work out. But perhaps there’s less oingon in govt than it supports through CPNI.