The Commons Public Administration Committee asked
Computer Weekly for a paper on the implications of ID cards for
public services. Here is our submission.
There are undeniable benefits in ID cards for some government
departments, agencies and the wider public sector, if the scheme is
implemented successfully.
For example, the time taken for the Criminal Records Bureau to
clear an individual to work with children may be reduced from weeks
to days. It may also be possible to clear applicants for sensitive
jobs in government more quickly.
But it is easy to claim an abundance of benefits for new
IT-related schemes, and ministers, government departments and
agencies that readily publish information about how complex
IT-related schemes will transform public services are not so
inclined to publish the audited results of implementations.
Computer Weekly is therefore unwilling at this stage to join those
who speak with enthusiasm about the advantages to the
administration of government of ID cards.
We may be more confident if the government undertook to publish
the business cases for projects, Gateway reviews prepared by the
Office of Government Commerce and audit reports on the progress of
schemes to exploit the opportunities created by ID cards.
We doubt this will happen.
We would not wish to travel on an aircraft knowing that
responsibility for its maintenance lay with committees within the
airline that had no fear of repercussions should the plane crash.
We would be even more concerned if there were no regulatory scheme,
enshrined in statute, to ensure compliance with international
standards.
In the private sector, one of the incentives to exercise extreme
caution is the loss of custom should an IT-related failure affect
the company's service to the public. In the most serious cases
chief executives can lose their jobs.
In the public sector, there is no competition for business and
it is rare for the individuals, ministers or civil servants who are
in place when a scheme begins to be in the same jobs when a scheme
fails.
With IT-enabled projects and programmes, there is no regulatory
scheme, enshrined in statute, to ensure adherence to good practice.
There is arguably no reason to fear failure, and there is a paucity
of independent information on the progress of projects.
On major IT schemes there has also been a cultural resistance to
accepting objective criticism and a "can-do" approach which has
admitted no possibility of failure. This has led to an acceptance
within government of high levels of risk, perhaps beyond that which
is sensible in some cases.
Without fully understanding the risks or knowing the progress of
projects to take advantage of ID cards, Computer Weekly cannot give
its unqualified support for large new investments by government
departments and agencies to exploit ID cards.
Regular reports to parliament about high-risk IT-enabled
projects would at least enable stakeholders, taxpayers and the
media to understand how schemes were progressing, to question
assumptions and provide a scrutiny that would make it less likely
that potential show-stoppers were dismissed internally as teething
problems.
Factors critical to success are a reliance on the public service
ethos and strong project management principles. But these are not
always enough.
An excellent book about technology-related project failures -
Inviting Disaster, Lessons from the Edge of Technology by James R
Chiles - reveals what went wrong in dozens of major cases. One of
its findings is that failures are caused by the organisational
"habit of hiding embarrassing news" - a culture of "concealing all
problems that might bring on trouble for the organisation".
Computer Weekly sees this happening with worrying regularity on
major government IT projects; the playing down of potentially
disastrous risks is de rigeur on schemes that are deemed a
political necessity.
So far the ID card scheme has been characterised by a lack of
openness, honesty and transparency. Information about progress has
been published selectively or not at all, and it is not unusual for
potentially serious problems to be played down in parliamentary
questions, statements to select committees and answers to media
questions.
Computer Weekly was being told by the Passport Service and its
supplier about the success of a new system to improve the security
of passports when, in fact, the scheme was going seriously awry.
The tax credits scheme and systems to support the Criminal Records
Bureau went ahead amid an underestimation of the risks of
failure.
Some important parts of a £6.2bn project to modernise NHS IT are
failing to meet expectations. We have evidence that certain risks
were played down when the scheme was conceived in early 2002.
Recently the Home Office became the latest department to decline
Computer Weekly's application under the Freedom of Information Act
for the publication of Gateway reviews. It decided not to publish
edited versions of its three Gateway reviews on the ID cards
project. It also declined our request to publish risk registers for
the project, or edited versions of them.
Its arguments against the publication of Gateway reviews and
risk registers were generalised. Yet Computer Weekly has seen the
results of some Gateway reviews and received documents about risk
registers from other public authorities under the Freedom of
Information Act, so we find it difficult to accept all of the Home
Office's arguments.
The criticality of openness to the success of large IT-related
projects was highlighted in a 1999 independent report on the
financial management of a scheme to develop air traffic control
systems at the purpose-built centre at Swanwick in Hampshire. It
found, among other things, that the mishandling and suppression of
bad news internally had contributed to the project's problems,
delays and cost over-runs. Since then, National Air Traffic
Services has improved its reporting procedures, but in our
experience little has changed within the government in general.
In 1983 the House of Commons Public Accounts Committee warned
that departments need to pay closer attention to learning lessons
from IT-related disasters. Twenty-one years later, in 2004, a
report, Improving IT Procurement issued by the National Audit
Office, said the same thing.
In the US, after a succession of large IT-related failures, the
Clinton administration introduced legislation specific to the
federal government that requires Congress to be kept informed about
large IT-related projects that deviate significantly from their
original plans. The UK parliament is not so well informed about
projects that deviate from the initial objectives.
The NAO investigates only a few mission-critical IT-related
projects and programmes each year and its value-for-money
investigations, although thorough, are usually carried out on a
one-off basis.
So there is no defined means for parliament to know whether most
mission-critical projects are progressing well or not.
Transparency, honesty and accountability are not panaceas: they
will not bring success, but they make it more likely. In part they
would lead to a more realistic approach to serious risks. Projects
that should not go ahead may be stopped earlier, before they become
overt failures.
Without more transparency, honesty and accountability - and the
full support of a system's end-users - it is unlikely that
governments will significantly improve their chances of success on
complex and large IT projects.
The paucity of objective information on IT-related projects was
highlighted by the House of Commons Work and Pensions Committee in
a report about the Child Support Agency published in January. The
committee concluded, "It is not possible for the committee to make
judgements on why the IT contract with the contractor EDS went so
badly wrong.
"We have not had access to any of the policy or strategic
planning leading to the agreement being signed." Much of the
evidence it did receive was, it said, "conflicting".
We are not project managers, nor experts on the implementation
of IT schemes. We study projects and report on the common factors
that contributed to their success or failure. The most successful
projects tend to be smaller-scale ones with clearly defined
benefits and the strong support of end-users. The implementation of
a case management system by the Crown Prosecution Service is an
example of the smaller-scale success.
The ID cards scheme is a large and complex project, and support
for it among end-users in government is not yet known. In the
public sector, imposing new technology on end-users rarely
succeeds.
ID cards offer a theoretically desirable, secure and reliable
means to identify citizens, and are a possible aid to
simplification of government IT systems. They could allow
government systems to be built around a single identifier, instead
of the various numbers used the moment: passport numbers, driving
licence numbers, national insurance numbers and NHS numbers.
But government computer systems are, in general, too complex to
allow any radical simplification or modification without
significant costs and risks to the service they give the
public.
An NAO report - Dealing with the Complexity of the Benefits
System - published last month provides good arguments for a
simplification of systems, but it warns that the risk and cost of
making changes can outweigh the potential benefits.
Computer Weekly is not in a position to give advice on whether
government IT systems should be adapted and/or simplified to make
use of ID cards, assuming the ID cards scheme itself is successful.
We would, however, recommend that the committee request an
independent report, commissioned after competitive tender, on the
implications for government departments and the wider public sector
of ID cards. Otherwise there is a danger of decisions being made on
the basis of speculation, or filleted information issued by the
Home Office.
We would also urge the government and the committee to publish
all information about the progress made with the ID card scheme and
any work done by public sector bodies to make use of IDcards. We
accept the need for some commercial confidentiality but the Work
and Pensions Committee last year, after a thorough investigation of
IT projects undertaken by government, found that some departments
and agencies were using the cloak of commercial confidentiality to
hide problems.
There is even some evidence of secrecy for secrecy's sake. In
May, at the government IT summit attended by the deputy information
commissioner Francis Aldhouse and other notables, a civil servant
went unchallenged when he told the invited audience that he and his
colleagues derived pleasure from withholding information from MPs.
The disclosure came during a panel discussion about ID cards and
identity management. The civil servant made it clear that MPs and
others will not find it easy to discover how government IT projects
are progressing.
"You may think that posing the question is the easy part. It is
not," he said.
"Before the Freedom of Information Act most information was got
out of government departments through parliamentary questions. As a
civil servant of many years our greatest joy in a day was getting a
PQ [parliamentary question] and answering exactly as it was asked,
which is a way of answering the question without giving any
information."
This brought a ripple of knowing murmurs in the audience. He
continued, "Collectively we have centuries of experience of doing
thisÉ I actually do know this has gone on in my organisation: when
we are looking at Freedom of Information enquiries we are looking
at the way the enquirer is asking a question and we are seeking a
way to answer that question exactly as asked and thereby withhold
information."
Computer Weekly would like to believe that the ID cards scheme
will be a success and that it will benefit departments and agencies
and ultimately the public. But taking into account the history of
large and complex schemes, and the poor quality of information
provided to parliament on the progress of schemes, we are not yet
in a position to enthuse about its advantages and
opportunities.