Ideal Government IT Strategy
http://comment.idealgovernment.com
Tue, 30 Mar 2010 08:47:34 +0000

Saving Money
http://comment.idealgovernment.com/saving-money/
Thu, 18 Mar 2010 17:16:35 +0000

Government spends between £16Bn and £21Bn per year on IT (c.f. Martin Read, Treasury Operational Efficiency Review), and there is constant debate about whether this is value for money. There is huge opportunity to reduce the overall cost of public service operations and delivery, and to re-design public services, through better use of information and IT. And there are also ways to reduce the direct costs of IT. Attention to other recommendations, such as those of governance, procurement and architecture, will lead to cost savings as well as better delivery.

Significant savings can be made in a number of areas. These include simple pragmatic steps such as asset-sweating, contract review and restoring market consultancy rates. Government has the ability to drive down supplier costs, particularly in the ‘buyer’s market’ of a recession. For similar reasons, salaries of senior public sector IT staff and long-term contractors should be curtailed, bringing them back into line with the private sector. The increases of CIO salaries aimed at making government roles more competitive have gone too far, and do not take into account falls in market rates during the recession, nor that the public sector is about more than paying higher rates than the private sector: the public sector ethos brings its own rewards.

More contentiously, massive overall savings can be made through moving services online. The reason this is contentious is because of those who are unable or unwilling to use online services – for example, because of geographic limitations on the availability of broadband, accessibility issues, lack of basic skills or simple choice. Public services need to work for everyone; while in the private sector a company can choose to ignore an unprofitable market segment, government cannot. However, paper-based transaction costs are enormous, because of manual costs but also the transcription and sense-checking errors.

Key principles

  1. Use IT to reduce overall public service costs: don’t treat it in isolation from the public services it supports
  2. Recognise the market power in the hands of government, and use it effectively and responsibly
  3. Automate interactions, but don’t leave people behind (enabling the majority of citizens and businesses to use improved online services will free up resources that can be used better to support those most in need and less able, or willing, to use online services)

Specific recommendations

Things to do

  1. Bring public sector IT day rates, contractor rates and salaries back into line with the private sector (consider making them c. 70-80% of the private sector equivalent)
  2. Get control of CIO/CTO (and related) roles and salaries
  3. Move services online: and use the resulting dividend to improve services for those who remain offline
  4. Make creative and intelligent use of existing IT assets, driving out cost and inefficiencies (hard cash savings)
  5. Demand reductions in existing service contracts and consultancy fees: recognise government’s market power and use it smartly

Participation, openness and trust in our government process
http://comment.idealgovernment.com/participation-openness-and-trust-in-our-government-process/
Thu, 18 Mar 2010 17:13:54 +0000

The ideal government IT strategy supports the central and active role people themselves play in becoming educated, keeping healthy, contributing to a safe society or participating in public life. Government likes to see its own role as benign and legitimate, and of course lawful.

A strategy – or lack of strategy – which sees government create an intrusive surveillance state in breach of data-protection and human-rights laws is clearly far from ideal.

The ideal government IT strategy reinforces legitimacy. It supports and delivers services clearly designed with people in mind who are largely law-abiding and constructive, and whose own needs are welcomed as legitimate. And it recognises the value of their participation.

Key principles

  1. The contemporary Internet works as well as it does because it is inherently collaborative, co-operative, distributed and participative.
  2. Online public services are inherently “two-way” by nature, and can support citizen-centred participation.
  3. Citizen-centred participation addresses people’s real needs, aspirations and well being. When government enables this it acquires legitimacy, but when it fails to rise above organisational self-interest it forfeits it.

There is a huge agenda for improvement in consultation, supported by technology. But it is a prerequisite that we actually want to do it.

Participation becomes an ongoing process. Fully open, online consultation processes and records of involvement provide recognition, reward, respect, trust and learning. This allows public services to become a learning, problem-solving and self-improving community.

Specific recommendations

Things to do

  1. Restore open.gov.uk as a site for FoI responses and “proactive FoI” (cf whitehouse.gov/open)

Specifically on consultations

  1. For any proposed “consultation platform”: specify the precise purpose, and work out how it links back into policy design
  2. Ensure cross-contextual rules on eligibility, participation etc
  3. Establish proper monitoring and statistical analysis of participation patterns
  4. Provide enough supporting material that lay people can participate
  5. Deal with the issue of moderation of comments

Stop, challenge or review

  1. stop any “consultation” processes which fail to meet existing Cabinet Office guidelines
  2. Review the evidence base for, the role of, and the level of spend and outcome on direct.gov.uk
  3. Consider whether directgov should be measured, for example, on how many of its data sets are reused externally by third parties

Continue, support or resume

  1. Provide seedcorn support for independent transparency services
  2. Provide pragmatic support for engagement in social networking by public servants

Resources

  1. MySociety services
  2. Dutch “Burgerlink” on e-participation
  3. Us Now (film)

Information Assurance and Cybersecurity
http://comment.idealgovernment.com/information-assurance-and-cybersecurity/
Thu, 18 Mar 2010 17:10:19 +0000

Government data needs to be kept safe and public services running, including under deliberate attack from malevolent people, organisations and states. Today, many government systems are vulnerable – to both insider and external abuse. The recent trend in the UK towards data aggregation and concentration in centralised databases has exacerbated these risks and vulnerabilities. The UK’s approach is high risk and out of line with other developed nations who hold sensitive personal information as locally as possible – rather than aggregating it all in one central location. Penetration testers refer to examples of taking just 5 minutes from outside a firewall to gain full root permission to government systems.

Threats need to be assessed properly. At present, threat modelling may take account of factors such as the time taken to get a system back online, but completely overlook what might happen if all users of a system were phished. Effective information assurance depends on analysing information assets and assessing the levels of risk and security associated with them. In the absence of an information architecture (addressed in the section on architecture), systematic information assurance remains highly complex. Once the information architecture and information assets have been properly audited and assessed, a more effective information assurance and risk management regime can be established, one which fundamentally reviews the current levels of security classification of content (including recognising that much day-to-day content may not require protective markings at all).

Common security vulnerabilities are not being routinely assessed and addressed. Government is not moving at the same pace as the Internet and the external digital world. There is some involvement here of the system integrators who are often slow to roll out new security patches and fixes. Their defence is often the sheer number and complexity of systems in place in many departments, meaning that they need to check backwards compatibility first to ensure the latest security fix does not break anything. Such complexity is the enemy of many things including good information assurance (IA) and security.

The key principles

  1. Don’t collect and aggregate personal data when there is no real need to do so: and where there is a genuine need, do not hold it any longer than absolutely necessary
  2. Recognise that the “insider” risk is often the main risk and design all systems accordingly (minimising the impact of any security/privacy breach that does occur)
  3. No computer system is 100% secure: design and operate all systems with that in mind, ensuring any system or person compromise is tightly constrained

Specific Recommendations

Things to do

  1. based on the development of an information architecture, review the current levels of security classification of public and private data held in government systems, ensuring they are appropriately marked and protected
  2. explore a new, more realistic and risk-based approach to the majority of information in the public sector (protectively marking it when not required has enormous cost implications)
  3. undertake a 90 day review of current information assurance and cybersecurity strategies (including the impact of federated identity and trust and intermediary models and open APIs)
  4. ensure privacy engineering is an integrated part of systems development, alongside security engineering, when developing or commissioning new systems or updates
  5. provide much clearer guidance to CESG about what is useful and how to raise standards in an effective way
  6. implement a campaign to promote cybersecurity awareness and digital literacy across the civil service, with a particular focus on senior levels to ensure they are better able to assess and manage decisions relating to risk in the context of technology

Stop, challenge or review

  1. Stop analysing and identifying risk without also putting forward recommendations for remediation or management of that risk
  2. Don’t over-classify routine daily administrative and operational information: it causes exponential and knock-on increases in technology and operational costs, and prevents the public sector taking advantage of the economies and efficiencies of commodity software (everything ends up heavily bespoked)

Continue, support or resume

  1. The UK has some world class security and privacy specialists: ensure academics and professional bodies’ expertise is tapped into and acted on by government prior to, during and post-implementation of public sector projects

Identity and Authentication
http://comment.idealgovernment.com/identity-and-authentication/
Thu, 18 Mar 2010 17:07:16 +0000

Successful and trustworthy online public services require appropriate levels of authentication and trust. Authentication and trust is a two-way dialogue: both parties in the online process need to authenticate each other to establish mutual trust.

Some services require no authentication or verification of identity whereas others require high levels of assurance. The state does not need to gather comprehensive personal information into its databases in order to be able to deliver better public services. Nor does it need to nationalise citizens’ personal identity: that undermines the very trust required to be successful.

Single sign-on, “joined-up” government services do not require a single identity token or single identifier. Indeed, the UK government has effective policies around the use of trusted identities from third parties (such as banks, Royal Mail and other organisations) developed in the early 2000s. President Obama’s team has recently taken up those UK policies and shown how they can deliver a vibrant, effective and citizen-centric approach to identity – one that the UK now needs to re-discover.

Citizens should be able to be anonymous and/or pseudonymous where appropriate in their online interactions. For example, it would not be appropriate for whistleblowers, abused spouses and children and others to be forced to disclose their true identities. Children posting online might wish to hide, for very good reasons, the fact that they are children, their age and so on.

An effective UK identity framework needs to ensure that it provides various levels of trust, identity and authentication. And to recognise that no single entity can – or should – collate an overview of all citizens’ activities. A design that uses a single, state-issued identity to be used in a variety of transactions and which always confirms a single specific identity is both inappropriate and insecure, and potentially dangerous in many daily contexts. Technology enables better, more secure, more privacy-aware and risk-managed solutions: ones that are a better fit to citizens’ needs and the design of twenty-first century public services.

The UK, without a track record of national identity structures like those in other countries, has the opportunity to put into place a well-designed, twenty-first century identity framework that will raise the standard across both public and private sectors – and do so in a way that works for citizens, businesses and government alike.

Key principles

  1. Government is just one potential identity provider of many: it does not, and should not have, a monopoly on citizens’ identity and authentication
  2. Government’s role is to ensure an overall governance framework for UK identity, but to confine its own identity-issuance and authentication functions to those areas where it is relevant (eg passports for people wishing to travel; driving licences for those eligible to drive).
  3. Government should support and promote the use of federated identity and minimal disclosure

Specific recommendations

Things to do

  1. Establish an independent public/private identity strategy organisation (along the lines of the Monetary Policy Committee), which spans public, private, voluntary, EU & international perspectives. It will take responsibility for defining and maintaining the all-up identity framework for the UK
  2. Speak with the Obama team who have taken the original UK identity and trust model and see what lessons can be learned for re-incorporation into the UK approach
  3. 90 days after the formation of the identity organisation, publish the UK’s proposed identity strategy for comment and review
  4. After 120 days, adjust in line with feedback and establish the new governance regime
  5. Identify “quick win” projects that will enable effective online authentication for public services using a federated identity and trust model (integrated benefit claims forms, etc): establish rapid deployment teams to deliver change and implement the new model
  6. Migrate the existing Government Gateway to (1) support minimal disclosure tokens (2) support federated identity including potentially Chip & PIN style authentication (3) not act as a “man in the middle” (4) remove phishing vulnerabilities (5) provide an API/toolkit for rapid adoption by orgs wishing to use federated identity (6) support CardSpace and client-based authentication protocols
  7. Open up direct.gov to (1) enable third parties, including local govt, to host govt services (2) stop being a monolithic portal (3) provide consistent APIs and data formats
  8. Architect an internal identity/authentication layer within the public sector that utilises the same information architecture design as external services

Stop, challenge or review

  1. Remove ownership of identity strategy from IPS/Home Office (an effective and comprehensive identity strategy needs to be based on citizen, business and public service needs, not a narrow border control agenda)
  2. Establish an independent inquiry to establish why so many wrong decisions have been made about identity since around 2005, Ministers mis-informed, costs over-run and so on
  3. Review the risk and liability models associated with using an authentication credential intended for one domain in another (eg using a bank card or a Passport or a driving licence in a context other than that which it was designed for)

Continue, support or resume

  1. Resume the UK’s former identity and authentication trajectory of the early 2000s …. policies that support federated identity and trust models and the intermediary policy … and government as just one player not THE player

Public Data
http://comment.idealgovernment.com/public-data/
Thu, 18 Mar 2010 17:01:19 +0000

Data and information are widely recognised as the lifeblood of modern, digital economies. Opening up non-personal public information can help provide a vital economic stimulus, as well as helping innovation.

This is one area where the UK has made some good recent progress in the hands of Nigel Shadbolt and Sir Tim Berners-Lee. The data.gov.uk site aims to progressively make public data available, building on the earlier innovative work of the "Power of Information" report by Ed Mayo and Tom Steinberg; the Power of Information task force work by Tom Watson, Tom Loosemore, Richard Allan and others; the Guardian "Free our data" campaigners; and independent web advocates from Stefan Magdalinski through MySociety to Harry Metcalfe, State and Young Rewired State

This pioneering work now needs to become embedded into the cultural and technical daily processes of the public sector.

The key principles

  1. Public sector intellectual property and public data should be freely made available by default in both human readable and machine readable formats
  2. Transparency should be a default principle: and needs to be applied to contracts, budgets, audits, standards, code and formats, meeting minutes, e

Other points/clarifications

There are eight data principles, set out at the 2007 meeting of open government advocates in Sebastopol, California. These form a useful starting basis for the UK and set out that government data shall be considered open if it is made public in a way that complies with the principles below:

  1. Complete – All public data is made available. Public data is data that is not subject to valid privacy, security or privilege limitations.
  2. Primary – Data is as collected at the source, with the highest possible level of granularity, not in aggregate or modified forms.
  3. Timely – Data is made available as quickly as necessary to preserve the value of the data.
  4. Accessible – Data is available to the widest range of users for the widest range of purposes.
  5. Machine processable – Data is reasonably structured to allow automated processing.
  6. Non-discriminatory – Data is available to anyone, with no requirement of registration.
  7. Non-proprietary – Data is available in a format over which no entity has exclusive control.
  8. License-free – Data is not subject to any copyright, patent, trademark or trade secret regulation. Reasonable privacy, security and privilege restrictions may be allowed.

Specific recommendations

Things to do

  1. Develop an open.gov.uk portal as the entry point to all open information and data and make data.gov.uk a subset within that. The open portal should, as with the US, include a dashboard setting out clearly how each department and agency is doing in meeting its obligations
  2. Ensure public data, through aggregation and other means, cannot be used to identify specific individuals or communities
  3. The most important and useful data sets need to be identified and prioritised (“we don’t want obscure trivia, we want the most essential data to be included first”)
  4. Departments need to add useful data consistently, frequently and regularly into the pool. A named role in each department must take responsibility for a monthly update (actual new data sets or a specific timescale of what will be available and when) and this should be openly published in both summary form (on a dashboard) and with underlying detail of progress or obstacles. Departments need to be held accountable for making available their most useful public data assets
  5. A Parliamentary select committee should review, on an annual basis, progress by department
  6. All new procurements going forward must specify, by default, that all public data will automatically become part of data.gov.uk
  7. The complex licensing regime at http://www.opsi.gov.uk/click-use/index.htm must be reviewed and a timescale committed to where UK uses of data becomes freely available as part of data.gov.uk using open licensing. Where ‘trading funds’ have been established, those organisations should be compensated where necessary by a cut in IT budget of the owning department and the money given over to cover any trading fund deficit arising in order to enable the public data to be made freely available through direct.gov.uk
  8. Independent technology experts must ensure that data formats and APIs for accessing and using data are as simple, open and easily usable as possible
  9. Identify “quick wins” where public data exists internally in re-usable formats, such as databases and spreadsheets, but where the published versions exist only as PDFs: ensure those information owners republish in the more usable formats as well as the current fixed publishing formats

Stop, challenge or review

  1. Review the Freedom of Information Act and see if it needs modifying in order to ensure a presumption of “open data by default” and make any changes necessary to make that presumption a reality
  2. Stop onerous opsi licensing requirements or “trading funds” preventing useful public data sets from being made freely available: replace with open licensing
  3. Challenge the culture of keeping public information and data closed, or unavailable “due to the costs” involved in answering each PQ

Continue, support or resume

  1. Continue the good work of data.gov.uk, but give it real momentum and relevance by actioning the “things to do”
  2. Encourage all local authorities to pursue the same open data agenda, and make this part of the audit regime under the Audit Commission

Personal Data
http://comment.idealgovernment.com/personal-data/
Thu, 18 Mar 2010 16:06:44 +0000

Personal data at first glance looks like an asset. But it can be a dangerous liability – both to governmental organisations and to the individual subjects of the data. Once collected, personal data is difficult and expensive to maintain and update, store and keep securely. Yet a failure to do so brings significant risks.

Recognising this reality, government should collect and keep as little personal data as is necessary to deliver services. To turn that principle into practical benefit, government needs to recognise that there are often different ways of achieving the same public policy outcomes without the costs and risks of collecting and keeping personal data. Government needs far less personal data than is generally assumed: the culture and mindset of personal data collection needs to change.

To enable improved public service planning, government needs to analyse and understand the information assets that it needs – and those it currently holds. This analysis will be provided by the information architecture recommended in Architecture. Once that is delivered, government will be able to identify what assets it needs to retain or acquire itself, which it no longer needs and who else it can co-operate with to enable a more citizen-centric approach to personal data. One that places the citizen at the centre of controlling their personal information.

Key principles

  1. Minimise personal data collection and storage
  2. Find alternative ways of providing services that require less central collection and storage of personal data

Other points/clarifications

Where subjects themselves have the opportunity to see, comment on and even control their personal information, some of the difficulties reduce or even disappear. There is no reason that delivery of a service requires an independent record for an individual controlled and kept within the walls of a government department. Technology can enable transactions with surprisingly small amounts of information to be passed. For example, individuals can prove their eligibility to access a service (over 65, unemployed, employed) without needing to identify who they are. Where service design takes into account the principle of data minimisation from the start, the personal data liability – and often a great deal of cost – can be dramatically reduced.

There is no fundamental reason why storage of personal information for public services needs to be inside the public sector. Government databases are already stored by third parties in most cases on behalf of the government rather than the individual. With the right frameworks, third party services can store information on behalf of individuals for their interaction with public services. Citizens should be able to move their data around, choosing their provider according to need.

There will be situations where government needs total control over information, where responsibility and access is shared or unequal, or where even the existence of the information is confidential. However, there should be a basic assumption of mutual aligned interest in the quality and safety of information for the individual and the state, unless proven otherwise.

Specific recommendations

  1. Map and understand personal information use across government and for each service
  2. Make data minimisation a default design criterion
  3. Make use of third party services where appropriate, giving individuals the choice of what to use

Things to do

  1. Publish a high level personal data map for government
  2. Develop and publish an information strategy for each department or service
  3. Plan the shutdown of unnecessary/legacy databases

Stop, challenge or review

  1. Challenge assumptions on data collection, storage and use

Design
http://comment.idealgovernment.com/design/
Thu, 18 Mar 2010 16:03:54 +0000

The UK’s abundant design skills could transform the quality and effect of government IT. None of our computerised public services was ever formally designed, from intention to outcome. Every one of them should have been.

When the Victorians created the infrastructure we still use today, they made it not only highly functional and effective, but beautiful as well. We should do the same with our public services and the way they use IT.

The question of design goes deeper than technology systems or user interfaces. Unless the public service itself is designed and constantly reinvented and improved to meet real public service needs the technology applied may be pointless or counterproductive. It’s not the role of this strategy to force design considerations into legislative processes or public-sector management. But an ideal government IT strategy requires that any technology sits in a wider context of well-designed activities and business processes. Otherwise the IT is unlikely to add value.

Front-line and user experience provides the authentic evidence for this.

Key principles

  1. In addition to delivering public services, the task we face is to rethink and redesign them.
  2. When we co-design and co-create public services from start to end with staff and “customers” (ie those the service is intended to help) we start to address the deeper underlying problems
  3. We need transdisciplinary design. Real world problems are complex. Different disciplines see and understand different things. Good designers understand this.

Whether it’s identity, health, education, child protection or transport projects there are legal, social, and moral ramifications way beyond the specification, scope and cost of the IT system. Most of what we analyse as major IT project failures were in reality social or political failures. We were trying to do the wrong thing. The systems were never designed to “work” in the sense of to solve the real problem in the right way. They ignored common sense or human nature.

Specific recommendations

Things to do:

  1. Make junior Ministers in Departments responsible for “customer experience” and outcomes
  2. Require evidence of user-oriented design for all business change projects
  3. Add a “design” dimension to the Gateway Review process to evaluate this
  4. Invite the Design Council to lead, in articulating the role of design in technology-based public services
  5. Ask the Design Council to propose standards for public-sector service design
  6. Support independent feedback about public services. All you need to do is listen.
  7. Make SROs and other senior staff use the systems they are responsible for in a live environment

Stop, challenge or review

  1. Stop any major project that fails a design audit (ie is not formally designed to solve the stated problem)
  2. Stop replication of (and consequent threat to) independent feedback channels such as patientopinion and mypolice: don’t “nationalise”/replicate/institutionalise/compete with these initiatives – welcome and endorse them

Continue, support or resume

  1. Support and encourage responsible independent feedback channels such as patientopinion, mypolice, mypublicservices, mysociety (they are the embodiment of the intermediary strategy and ground-up public services)
  2. Support the small element of service design work in some parts of health and education

Resources

  • Central St Martins College of Art & Design
  • Design Council
  • Dutch “Citizen Link” programme
  • Engine Service Design
  • inwithfor.org
  • mypolice.org
  • MyPublicServices
  • Patient Opinion
  • participle.net (esp its “Beveridge 4.0” report)
  • service-design-network.org
  • thinkpublic
  • The Public Office (Kable)

Procurement
http://comment.idealgovernment.com/procurement/
Thu, 18 Mar 2010 15:59:12 +0000

Current procurement for public sector IT needs to be better and more cost-effective. Massive monolithic procurements that only a few can afford to bid for have been repeatedly discredited. The intentions of engaging small and medium-sized enterprises, encouraging innovation and splitting up procurement into bite-sized chunks have not yet matured in practice.

OGC Gateway Reviews and the identification of a Senior Responsible Owner (SRO) have been useful initial measures – and in some cases have offered improvements. But proper scrutiny and early decisions to cancel/modify a project can all too easily be circumvented. Also, procurement does not always interact well with the political process: when legislation over-specifies a solution or makes last-minute changes, it can have significant cost and delivery implications on a project.

There needs to be a better categorisation of procurement and different strategies for handling them. Commodities (such as operating systems, email, office application software or some network hardware) can be procured in a very different way to heavily bespoke requirements relating to one-off legislation. And common infrastructure (such as secure networking) may benefit from national-scale procurement activity, whilst local government web sites may not.

Pricing may be the critical factor in an individual procurement, or it may be risk, innovation or capability. Procurement rules (such as time trading, turnover levels) and other barriers to entry may be appropriate for some large-scale, bespoke and high risk projects, but not for others. There are many tools and strategies that can be used, but they must be applied intelligently based on the characteristics of what is needed.

Government should also make use of what is available commercially in the market where there is a sufficient match. The rapid evolution of generic software is such that bespoke government procurements can easily be outpaced by the market. Where partial solutions exist in the form of open source products – or where there may be an unmet market demand for software – government can consider funding open source development and other types of community contribution to meet its needs. But government needs to recognise its own significant distorting impact on the wider IT market, and use its own buying power to help invigorate local markets rather than stifle them.

Government should use, participate in and adopt open standards. This will break up systems into components and interfaces, and systems can be evolved/upgraded rather than made obsolete. Well-defined interfaces can enable bite-sized procurement, competition and engagement from SMEs. Open standards can also be developed outside the procurement process and contractual situations, leading to well-specified and lower risk procurement of components.

Key Principles

  1. Effective competition is needed in the public sector IT marketplace
  2. Complex and commodity procurements should be handled separately, with appropriate procurement approaches
  3. Commission bespoke work only when necessary, with a presumption of adopting and driving market solutions over proprietary and custom
  4. Break procurements into components that solve specific problems

Other points/clarifications

Government should look to the principles of open source as a way of achieving value for money – and as a participant both giving and benefiting from community projects. But there may be areas where the economics or simple availability suggests proprietary solutions. However, government needs to be fully aware of the potential impacts of any market interventions it makes. Where there are thriving businesses developing products and services, to fund an open source alternative or release a government-owned competitor can be counterproductive. Government should undertake market impact assessments before choosing to fund projects for general release (closed or open source), taking responsibility for its own buying/funding decisions.

Specific recommendations

Things to do:

  1. Develop and use a categorisation of IT procurement types, with approaches for each. Break commodity, low risk purchases away from one-off, high risk procurements: do not continue to bundle them together or place with a single supplier just “because it is easier” (use large, high reliability suppliers where appropriate; use agile, specialist providers for suitable tasks. Stop bundling the two together and manage them separately)
  2. Ensure the strict separation of procurement, review and audit, providing as much publicly-available data and scrutiny as possible.
  3. Ensure appropriately skilled technical staff are involved in procurement processes and provide independent technical assessments
  4. For existing contracts:
    1. Set up a transparency portal with details of all existing contracts and all spend over £25K
    2. Identify % market share of all major IT suppliers to the public sector
    3. Identify risk/exposure of “too big to fail” IT suppliers in the public sector
    4. Identify whether companies pay corporate tax in the UK – and, where they do not, publish the amount lost annually to the UK taxpayer/exchequer
    5. Request existing suppliers to agree to the open publication of contractual information on the transparency portal and, where they do not agree to do so, make clear on the portal (a) they have declined (b) total value of taxpayers’ business with that organisation
    6. Review existing contracts against actual requirements, costs, benefits, get-out-clauses
    7. Work with existing suppliers to drive at least 20% cost out of existing services within 24 months
    8. Make Permanent Secretaries, CIOs and the IT department account properly for all expenditure rather than, as at present, not knowing what is being spent. This should be done within 1 year; the current lack of proper accounting systems is unacceptable
    9. Assess the extent to which TUPE is, as some suppliers claim, preventing them delivering innovation, better services at lower cost
    10. Request feedback on which products and technologies currently in place under existing contracts are proprietary and/or otherwise not-interoperable
  5. For new contracts:
    1. freeze all new procurement while other aspects of eg governance, information architecture and technical architecture are fixed, along with clear strategies around eg identity, privacy and security. Exceptions may be made, but must be thoroughly reviewed.
    2. assess the extent to which agile procurement methods are permitted under EU legislation and promote their rapid adoption in the UK in place of the current model
    3. move to small procurement chunks rather than multi-year, complex requirements
    4. drop OGC requirement for at least 3 years trading figures on smaller procurements and bring in a more realistic risk-assessment model (rather than current risk avoidance) and “keep ajar” framework procurements for new entrants
    5. stage contracts, with competitive tendering at each stage
    6. ensure all projects have a senior, accountable business sponsor not just a technical owner
    7. establish clear accountability for failed procurements/projects/programmes (make it possible to remove staff – and suppliers – who have not performed well as easily as can be done in the private sector)

Stop, challenge or review:

  1. Stop bespoke bundling of different requirements into a single procurement as the status quo, and aggressively explore market alternatives
  2. Stop pointless red tape that impedes rather than encourages effective competition and an efficient, open marketplace
Architecture
http://comment.idealgovernment.com/architecture/
Thu, 18 Mar 2010 15:54:31 +0000

A successful architecture meets clear business and policy objectives. It provides an all-up design that covers functions, processes, people, organisational structures, organisational information and computer systems (hardware, software and communications technologies), mapping their relationships to public service outcomes.

No such architecture exists in Whitehall.

The important relationship between public policy and technology is not effectively led or managed. There is no owner for this important work. It should normally be the responsibility of a Chief Information Officer – but in Whitehall, the “CIO” function is IT-led, not public services and public policy led. The result is that public sector IT is adrift from the needs of the UK’s public services.

A new, senior role is required to take ownership of this important function. This role will need to work with business and policy owners to identify the holistic architecture required to support and operate cost-effective, high quality twenty-first century public services. Once this has been done, they should help oversee the development of the supporting technical architecture, developed by the existing technical community.

Key principles

  1. Define what public services need to achieve and the all-up architecture required to support those outcomes. From this, the technology strategy and architecture should be designed. An IT strategy can only be defined and delivered when developed in the context of overall policy and business outcomes. This should remain a live, iterative process. It is not a one-off exercise.
  2. Implement an IT architecture that is modular and which encourages re-use and off-the-shelf components: it should enable innovative small and medium IT businesses to engage with public sector projects. It should avoid vendor lock-in and dependency. It should break commodity away from bespoke systems and handle them in very different ways.
  3. Implement a policy of openness: in lay terms this means open standards. More specifically this means W3C web and Internet standards as the basis of all public sector architecture, with openly published APIs, XML schemas and open source/reference and example code
  4. Adopt an open platform: this lets others provide services within the discipline of intermediary and channel strategies and a trust framework.

Other points/clarifications

Government does not need to own or hold everything itself to achieve the outcome of integrated services. Indeed, known difficulties with personal data make this approach a liability. Alternative models are likely to offer a better return on investment, variety and service. So government needs a smart approach to architecture to let it exploit a wide array of investment across the public, private and voluntary sectors, as well as the “personal sector” (ie individuals’ own capability for self-service and participation in public services).

It should stop the expensive and inefficient approach of specifying everything as bespoke and specific to the public sector, with all the complexity, costs and nugatory expenditure that involves.

Government’s job is to ensure high quality, cost-efficient public services. This has to be reflected in its IT: with a tight focus on public services, not technically-driven web sites or portals. The development of a successful IT infrastructure should be rooted within fundamental public service questions, such as:

  1. What are we trying to achieve with our public services?
  2. What capabilities are required to support those public services?
  3. What architecture will be required to support those capabilities?
  4. What assets does the public sector already possess?
  5. Which assets does it need to remove, retain or enhance in order to achieve the required levels of capability?
  6. Which assets can government utilise without building them itself?
  7. What technical architecture can best support the overall architecture?

Specific recommendations

Things to do

  1. The new, senior technology policy role (recommended under “Governance”) should co-ordinate the development of an all-up architecture for public services, working closely with Ministers, Permanent Secretaries and their teams and reflecting the needs of frontline public services
  2. The new leadership role should oversee the technical community in the development of an IT architecture (based on the all-up architecture)
  3. Task the existing heads of IT in government departments and agencies (the current CIO/CTOs) with commencing a migration away from out-dated and expensive monolithic and proprietary mainframe systems. Identify any impediments to doing so to the new leadership role (such as complexity of existing legislation), who will then work with policymakers/legislators to simplify.
  4. Task the new leadership role for technology policy with co-ordinating a review of existing software and hardware and services to identify vendor lock-in and other technical blockers that could prevent a migration to a more open, modular and agile architecture – and then request Ministerial action to remove those blockers
  5. Develop a sustainable business / market proposition around third parties (eg if they provide a really intuitive way of someone interacting with government, that saves government money, what does the commercial reward model look like that will enable the intermediary strategy to thrive?)

Stop, challenge or review

  1. Stop assuming central government has to design and procure everything itself – the reality is it is remote from frontline needs of public service workers and citizens and businesses alike
  2. Stop the idea you can start with technical ideas and fads and fashions, and buy or build them, and then work out where they fit
  3. Stop the centralised imposition of a single identity system, update previous government policy around federated identity and trust models, and develop a new identity information and technical architecture

Continue, support or resume

  1. Review the previous approach to technical architecture and open standards (such as eGIF), identify where it was working and where it was failing, and then relaunch as a new collaborative approach co-owned and co-led between the public, private and voluntary sectors
Governance
http://comment.idealgovernment.com/governance/
Thu, 18 Mar 2010 15:49:39 +0000

Information Technology has become a strategic asset, capable of helping re-design and improve the UK’s public services. But it is often viewed solely as an administrative or operational tool within the public sector. Government IT strategies exist in isolation from those focused on improving public services rather than being an integral and essential component. Current levels of expenditure on public sector IT are not delivering the returns, in terms of public service improvement, that should be expected.

These are fundamental failures of effective governance. They need to be fixed: public sector strategy needs to incorporate IT at the most senior levels of policymaking and civil service business planning if it is going to deliver on its potential.

Key Principles

  1. Implement pre-legislative technology scrutiny and impact assessments: to ensure technology informs the design and potential outcome of proposed legislation, as well as providing insight into its practical feasibility and costs
  2. Ensure departmental board-level capability in technology policy: to ensure IT and technology policy informs public service business planning and policymaking at the most senior levels of the civil service
  3. Provide frameworks that enable self-organisation (not central command and control): to support locally-responsive, cost-effective and high quality public services operating within a common technical and policy framework

Other points/clarifications

There needs to be clear alignment of IT objectives and programmes to policy objectives and strategies: business and IT strategy need to be co-designed and co-led. Performance and success metrics will be based on achieving overall business objectives, not technical outcomes.

A new technology policy leadership role needs to be created to fill the current vacuum between policy and technology. This new function will need to be part of the Cabinet Secretary’s leadership team, with shared governance with business policy and process management.

Recommendations

Things to do

  1. Designate a Cabinet-level Minister with responsibility and accountability for all-up technology policy and IT (across Whitehall, Ofcom, the BBC etc)
  2. Establish an independent technology policy advisory board. This will review and advise the Minister/Cabinet and senior civil service on draft policy and legislative proposals. This will ensure all technological potential and implications are understood and addressed prior to passing legislation
  3. Create a new senior, Whitehall-wide technology policy leadership role and appoint to that role. This will be a true CIO leadership function. This new business-focused CIO role will report both to the Cabinet Secretary (and be a member of his management board) and to the Cabinet-level Minister responsible for technology policy
  4. Rename existing CIOs “Head of IT” to make clearer their function and role, and to avoid confusion with the new, strategic CIO roles.
  5. Create a new, business-led departmental CIO function. Make appointments to that role to the boards of all government departments to ensure that Permanent Secretaries and their teams have competent and informed technology policy advice integrated within their management teams. This will be a strategic business-based CIO role.
  6. Incorporate technology policy into the compulsory curriculum of all senior civil servants to improve their understanding of IT’s potential (both benefits and risks). The civil service needs an infusion of technical talent.

Stop, challenge or review

  1. Require Permanent Secretaries to baseline and provide full details of their current technology policy and IT governance mechanisms (including roles, levels of seniority, internal/external staff and contractors, etc)
  2. Stop the development and publication of IT strategies that are not an integral part of the wider public service strategy. All IT strategies need to be rooted in how they enable better delivery of public service outcomes and be able to demonstrate how they deliver value for money.
  3. Stop all new major IT projects or programmes until they have been subjected to expert, independent review by the new governance team and board
  4. Review all active major public service programmes with a significant IT component and subject them to an expert, independent review
  5. Review the existing pay, grading and employment status of all senior IT roles and functions across Whitehall and ensure they are in line with standard public sector pay and reward packages
  6. Stop any proposed business plans or public service proposals from departments that have not been developed in conjunction with an understanding of technology policy and IT (ie from Permanent Secretaries and boards who have no current capability in this area)

Continue, support or resume

  1. Task the new technology policy leadership role with co-ordinating the revision and development of key IT frameworks in areas such as the use of trusted intermediaries, trust models and identity, open standards, privacy, security and authentication frameworks. Ensure that once the policies are updated and re-issued that they are actively delivered with named, accountable senior civil servants responsible for their implementation.