Significant savings can be made in a number of areas. These include simple pragmatic steps such as asset-sweating, contract review and restoring market consultancy rates. Government has the ability to drive down supplier costs, particularly in the ‘buyer’s market’ of a recession. For similar reasons, salaries of senior public sector IT staff and long-term contractors should be curtailed, bringing them back into line with the private sector. The increases of CIO salaries aimed at making government roles more competitive have gone too far, and do not take into account falls in market rates during the recession, nor that the public sector is about more than paying higher rates than the private sector: the public sector ethos brings its own rewards.
More contentiously, massive overall savings can be made through moving services online. This is contentious because of those who are unable or unwilling to use online services – for example, because of geographic limitations on the availability of broadband, accessibility issues, lack of basic skills or simple choice. Public services need to work for everyone; while in the private sector a company can choose to ignore an unprofitable market segment, government cannot. However, paper-based transaction costs are enormous, not only because of manual costs but also because of transcription and sense-checking errors.
A strategy – or lack of strategy – which sees government create an intrusive surveillance state in breach of data-protection and human-rights laws is clearly far from ideal.
The ideal government IT strategy reinforces legitimacy. It supports and delivers services clearly designed with people in mind who are largely law-abiding and constructive, and whose own needs are welcomed as legitimate. And it recognises the value of their participation.
There is a huge agenda for improvement in consultation, supported by technology. But it’s a prerequisite that we actually want to do it.
Participation becomes an ongoing process. Fully open, online consultation processes and records of involvement provide recognition, reward, respect, trust and learning. This allows public services to become a learning, problem-solving and self-improving community.
Threats need to be assessed properly. At present, threat modelling may take account of factors such as the time taken to get a system back online, but completely overlook what might happen if all users of a system were phished. Effective information assurance depends on analysing information assets and assessing the levels of risk and security associated with them. In the absence of an information architecture (addressed in the section on architecture), systematic information assurance remains highly complex. Once the information architecture and information assets have been properly audited and assessed, a more effective information assurance and risk management regime can be established, one which fundamentally reviews the current levels of security classification of content (including recognising that much day-to-day content may not require protective markings at all).
Common security vulnerabilities are not being routinely assessed and addressed. Government is not moving at the same pace as the Internet and the external digital world. There is some involvement here of the system integrators who are often slow to roll out new security patches and fixes. Their defence is often the sheer number and complexity of systems in place in many departments, meaning that they need to check backwards compatibility first to ensure the latest security fix does not break anything. Such complexity is the enemy of many things including good information assurance (IA) and security.
Some services require no authentication or verification of identity whereas others require high levels of assurance. The state does not need to gather comprehensive personal information into its databases in order to be able to deliver better public services. Nor does it need to nationalise citizens’ personal identity: that undermines the very trust required to be successful.
Single sign-on, “joined-up” government services do not require a single identity token or single identifier. Indeed, the UK government has effective policies around the use of trusted identities from third parties (such as banks, Royal Mail and other organisations) developed in the early 2000s. President Obama’s team has recently taken up those UK policies and shown how they can deliver a vibrant, effective and citizen-centric approach to identity – one that the UK now needs to re-discover.
Citizens should be able to be anonymous and/or pseudonymous where appropriate in their online interactions. For example, it would not be appropriate for whistleblowers, abused spouses and children and others to be forced to disclose their true identities. Children posting online might wish to hide, for very good reasons, the fact that they are children, their age and so on.
An effective UK identity framework needs to ensure that it provides various levels of trust, identity and authentication. It also needs to recognise that no single entity can – or should – collate an overview of all citizens’ activities. A design that uses a single, state-issued identity to be used in a variety of transactions and which always confirms a single specific identity is both inappropriate and insecure, and potentially dangerous in many daily contexts. Technology enables better, more secure, more privacy-aware and risk-managed solutions: ones that are a better fit to citizens’ needs and the design of twenty-first century public services.
The UK, without a track record of national identity structures like those in other countries, has the opportunity to put into place a well-designed, twenty-first century identity framework that will raise the standard across both public and private sectors – and do so in a way that works for citizens, businesses and government alike.
This is one area where the UK has made some good recent progress in the hands of Nigel Shadbolt and Sir Tim Berners-Lee. The data.gov.uk site aims to progressively make public data available, building on the earlier innovative work of the "Power of Information" report by Ed Mayo and Tom Steinberg; the Power of Information task force work by Tom Watson, Tom Loosemore, Richard Allan and others; the Guardian "Free our data" campaigners; and independent web advocates from Stefan Magdalinski through MySociety to Harry Metcalfe, State and Young Rewired State.
This pioneering work now needs to become embedded into the cultural and technical daily processes of the public sector.
There are eight data principles, set out in the 2007 meeting of open government advocates in Sebastopol, California. These form a useful starting basis for the UK and set out that government data shall be considered open if it is made public in a way that complies with the principles below:
Recognising this reality, government should collect and keep as little personal data as is necessary to deliver services. To turn that principle into practical benefit, government needs to recognise that there are often different ways of achieving the same public policy outcomes without the costs and risks of collecting and keeping personal data. Government needs far less personal data than is generally assumed: the culture and mindset of personal data collection needs to change.
To enable improved public service planning, government needs to analyse and understand the information assets that it needs – and those it currently holds. This analysis will be provided by the information architecture recommended in Architecture. Once that is delivered, government will be able to identify what assets it needs to retain or acquire itself, which it no longer needs and who else it can co-operate with to enable a more citizen-centric approach to personal data. One that places the citizen at the centre of controlling their personal information.
Where subjects themselves have the opportunity to see, comment on and even control their personal information, some of the difficulties reduce or even disappear. There is no reason that delivery of a service requires an independent record for an individual controlled and kept within the walls of a government department. Technology can enable transactions with surprisingly small amounts of information to be passed. For example, individuals can prove their eligibility to access a service (over 65, unemployed, employed) without needing to identify who they are. Where service design takes into account the principle of data minimisation from the start, the personal data liability – and often a great deal of cost – can be dramatically reduced.
There is no fundamental reason why storage of personal information for public services needs to be inside the public sector. Government databases are already stored by third parties in most cases on behalf of the government rather than the individual. With the right frameworks, third party services can store information on behalf of individuals for their interaction with public services. Citizens should be able to move their data around, choosing their provider according to need.
There will be situations where government needs total control over information, where responsibility and access is shared or unequal, or where even the existence of the information is confidential. However, there should be a basic assumption of mutual aligned interest in the quality and safety of information for the individual and the state, unless proven otherwise.
When the Victorians created the infrastructure we still use today, they made it not only highly functional and effective, but beautiful as well. We should do the same with our public services and the way they use IT.
The question of design goes deeper than technology systems or user interfaces. Unless the public service itself is designed and constantly reinvented and improved to meet real public service needs the technology applied may be pointless or counterproductive. It’s not the role of this strategy to force design considerations into legislative processes or public-sector management. But an ideal government IT strategy requires that any technology sits in a wider context of well-designed activities and business processes. Otherwise the IT is unlikely to add value.
Front-line and user experience provides the authentic evidence for this.
Whether it’s identity, health, education, child protection or transport projects there are legal, social, and moral ramifications way beyond the specification, scope and cost of the IT system. Most of what we analyse as major IT project failures were in reality social or political failures. We were trying to do the wrong thing. The systems were never designed to “work” in the sense of to solve the real problem in the right way. They ignored common sense or human nature.
OGC Gateway Reviews and the identification of a Senior Responsible Owner (SRO) have been useful initial measures – and in some cases have offered improvements. But proper scrutiny and early decisions to cancel/modify a project can all too easily be circumvented. Also, procurement does not always interact well with the political process: when legislation over-specifies a solution or makes last-minute changes, it can have significant cost and delivery implications on a project.
There needs to be a better categorisation of procurements and different strategies for handling them. Commodities (such as operating systems, email, office application software or some network hardware) can be procured in a very different way to heavily bespoke requirements relating to one-off legislation. And common infrastructure (such as secure networking) may benefit from national-scale procurement activity, whilst local government web sites may not.
Pricing may be the critical factor in an individual procurement, or it may be risk, innovation or capability. Procurement rules (such as time trading, turnover levels) and other barriers to entry may be appropriate for some large-scale, bespoke and high-risk projects, but not for others. There are many tools and strategies that can be used, but they must be applied intelligently based on the characteristics of what is needed.
Government should also make use of what is available commercially in the market where there is a sufficient match. The rapid evolution of generic software is such that bespoke government procurements can easily be outpaced by the market. Where partial solutions exist in the form of open source products – or where there may be an unmet market demand for software – government can consider funding open source development and other types of community contribution to meet its needs. But government needs to recognise its own significant distorting impact on the wider IT market, and use its own buying power to help invigorate local markets rather than stifle them.
Government should use, participate in and adopt open standards. This will break up systems into components and interfaces, and systems can be evolved/upgraded rather than made obsolete. Well-defined interfaces can enable bite-sized procurement, competition and engagement from SMEs. Open standards can also be developed outside the procurement process and contractual situations, leading to well-specified and lower risk procurement of components.
Government should look to the principles of open source as a way of achieving value for money – and as a participant both giving and benefiting from community projects. But there may be areas where the economics or simple availability suggests proprietary solutions. However, government needs to be fully aware of the potential impacts of any market interventions it makes. Where there are thriving businesses developing products and services, to fund an open source alternative or release a government-owned competitor can be counterproductive. Government should undertake market impact assessments before choosing to fund projects for general release (closed or open source), taking responsibility for its own buying/funding decisions.
No such architecture exists in Whitehall.
The important relationship between public policy and technology is not effectively led or managed. There is no owner for this important work. It should normally be the responsibility of a Chief Information Officer – but in Whitehall, the “CIO” function is IT-led, not public services and public policy led. The result is that public sector IT is adrift from the needs of the UK’s public services.
A new, senior role is required to take ownership of this important function. This role will need to work with business and policy owners to identify the holistic architecture required to support and operate cost-effective, high quality twenty-first century public services. Once this has been done, they should help oversee the development of the supporting technical architecture, developed by the existing technical community.
Key principles
Government does not need to own or hold everything itself to achieve the outcome of integrated services. Indeed, known difficulties with personal data make this approach a liability. Alternative models are likely to offer a better return on investment, variety and service. So government needs a smart approach to architecture to let it exploit a wide array of investment across the public, private and voluntary sectors, as well as the “personal sector” (i.e. individuals’ own capability for self-service and participation in public services).
It should stop the expensive and inefficient approach of specifying everything as bespoke and specific to the public sector, with all the complexity, costs and nugatory expenditure that involves.
Government’s job is to ensure high quality, cost-efficient public services. This has to be reflected in its IT: with a tight focus on public services, not technically-driven web sites or portals. The development of a successful IT infrastructure should be rooted within fundamental public service questions, such as:
These are fundamental failures of effective governance. They need to be fixed: public sector strategy needs to incorporate IT at the most senior levels of policymaking and civil service business planning if it is going to deliver on its potential.
There needs to be clear alignment of IT objectives and programmes to policy objectives and strategies: business and IT strategy need to be co-designed and co-led. Performance and success metrics will be based on achieving overall business objectives, not technical outcomes.
A new technology policy leadership role needs to be created to fill the current vacuum between policy and technology. This new function will need to be part of the Cabinet Secretary’s leadership team, with shared governance with business policy and process management.