Tony Collins's IT Projects Blog

Financial uncertainty arising from the credit crunch is likely to lead to many outsourcing deals being re-negotiated, reduced in scope or terminated in 2009 - and they may go into dispute, warns international law firm Pinsent Masons.
 
The firm also says that long-term transformation projects may be delayed or terminated, in part because businesses will look to short-term cost cutting rather than to longer-term benefits.

When the government awarded the contract to ETS to process and mark SATs, Whitehall's press release was, as to be expected, full of praise for the supplier and the procurement process.

But the press release showed how the government, in awarding multimillion contracts, can be not merely at arm's length but miles away.

I said on the BBC Radio 4 "Today" programme this morning (approx 8.30am) that the loss of a memory stick by PA Consulting raises questions about why a private contractor had access to government data on 84,000 criminals. Does this mean private companies will also have access, on the quiet, to patient-identiable information under the NHS's National Programme for IT? I also said that there is so little independent scrutiny of the government machine, and so much secrecy, that the only time systemic failures come to light is when there is a, well, systemic failure.  

The Royal Free Hampstead NHS Trust is preparing for a possible compensation claim after a troubled go-live under the £12.7bn National Programme for IT [NPfIT]. 

The trust's staff have been struggling to cope with bugs and downtime since the go-live of the "Millennium" system from US supplier Cerner in June.

The trust's board has been told that all problems continue to be logged so that it is ready should a claim prove possible.

Barts and The London NHS Trust says it underestimated the impact on its operations of going live with the Cerner LC0 system under the NHS's £12.7bn National Programme for IT [NPfIT].

The problems have led to operating theatres and clinics being unused at times - despite a demand for them - because of difficulties in scheduling patients for appointments.

The trust is also funding from its reserves £930,000 for extra temporary staff, in part to cope with the backlogs of work following the NPfIT go-live. It is also facing a further £1.5m shortfall in income because it may not have enough accurate information on which to bill its local primary care trust for the patients it sees and treats.

PA Consulting has said sorry over the loss of a memory stick on thousands of prisoners as the Home Office terminated its £1.5m "JTrack" contract. PA's contract started on 1 June 2007 and was not due to end until June 2010.

It's ironic that the Home Office said at the time of awarding the contract that its length would provide "stability" to the JTrack system.

PA said in a statement yesterday [11 September 2008]:

"PA has safely handled sensitive government information for over 60 years and this is the first incident of such a nature that PA has been involved in. It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide. We are engaged in dialogue with our clients and competitors to address, and find solutions to, this challenge.

Below is a transcript of my interview with Andre Snoxall, e-record programme director at Newcastle Upon Tyne Hospitals NHS Foundation Trust, which has broken away from the National Programme for IT [NPfIT]. The Trust is to implement Cerner systems from the University of Pittsburgh Medical Center. 

Snoxall spent much of the last 10 years as CIO for a number of trusts in New Zealand. He's Australian.

In the interview Snoxall talks about:

- Why in his view Cerner implementations in London and the south of England have gone wrong

- How Newcastle's plans to avoid some of these difficulties.

- Cerner's strengths and weaknesses

- The trust's biggest challenge - communications

- Why Newcastle's Cerner systems may be more advanced than those under the National Programme for IT [NPfIT]

- Newcastle's plan to minimise the use of the Cerner for reporting to the government on  patient activity

- Newcastle's plan to use its own Cerner system for seven years - by which time it hopes that local service providers under the NPfIT will have a replacement

Now the Labour Party's conference, which was held in Manchester, is finished, I've looked at the lessons and what went wrong on 13 large, government IT-based projects and programmes:

• Magistrates' courts
• Schools
• Intelligence Services
• GCHQ
• Passport Service
• National Health Service
• Rural Payments Agency
• Criminal Records Bureau
• HM Revenue and Customs
• Department for Work and Pensions
• Department of Health
• Department for Innovation Universities Skills
• Ministry of Defence

The analysis is tied in with an analysis and comment, to be published in Computer Weekly this week, on Labour's track record on managing big IT-based projects and programmes. 

Is a promise or a prediction made by a supplier's sales team ever a representation? When is a representation, if that is what it is, ever a misrepresentation? If ever there is a misrepresentation, can it be held to be fraudulent if it is made thoughtlessly rather than deceitfully? What if the customer relies more on promises than representations?

Some of these were matters raised at the nine-month hearing between BSkyB and EDS - the most expensive High Court hearing the history of the IT industry.

One argument made during the hearing was that promises, predictions and opinions are not representations. So can they be held to be misrepresentations?

Whittington Hospital NHS Trust says it has accounted for four discs that went missing, which contained the personal details of 17,990 health service staff and former employees. The incident has cost the trust (taxpayers) about £25,000.

Police had been alerted, and the trust held 24 separate briefings for staff over four days, including one on Saturday, 20 September 2008, on the possibilities of identity theft. David Sloman, Chief Executive, wrote "individually" to the 17,900 staff at their home addresses to advise them of the missing data. The trust wrote to them again to let them know the discs had been accounted for. The trust also reported a Serious Untoward Incident. An enquiry had been set up and the Information Commissioner's Office was alerted. Staff were advised to keep a regular check on their bank accounts and statements.

Searches were carried out in all areas of Whittington hospital's salaries and wages office and the post room. The trust is based near the Archway tube station in London. There was also a search of the European headquarters in Warwick of McKesson, the intended recipients of the discs. McKesson runs the MAPS Manpower and Payroll system for the trusts. The Royal Mail was alerted.

A Ministry of Defence official says it is investigating with its contractor EDS whether a 1TB portable hard drive, which went missing from EDS's secure offices at Hook, Surrey, had an unencrypted download of the MoD's "TAFMIS" training and recruitment database.

When I put it to an MoD official that such are the security and audit mechanisms that nobody seems to know whether a large government database has been downloaded onto a portable hard drive which later went missing, the MoD official replied:

"We are vulnerable to that criticism, it would be fair to say."

The Mod is custodian for tens of millions of data records, according to an inquiry into a separate MoD data loss earlier this year.

In a statement on the latest incident, the MoD said it's possible that some of those serving in the armed forces "may have been compromised."

The MoD statement said:

"There is no indication that the data, if indeed it has fallen into unauthorised hands, has been exploited maliciously in any way; but it is possible that personal information on anyone serving or who has served in recent years in the Armed Forces may have been compromised."

In interviews on Friday [10 October 2008] the BBC asked me whether the possible loss of sensitive, unencrypted data on armed forces personnel, as a result of a missing portable hard drive, was the fault of the MoD's main IT contractor EDS.  I said not necessarily - it's unclear whether the MoD should be, or needs to be, passing sensitive government information into pass into the hands of private contractors.

It's remarkable that the MoD doesn't stipulate encryption for portable data stored in secure offices.

It's also remarkable that departments - not just the MoD - seem not to put any limit on how much government information - citizen information - they allow to be transferred to outsourced private companies. One question MPs should ask ministers is: how much control does the government have over the outsourced information held on millions of us? The government's honest answer should be: "We have no idea."

So much for internal audit. So much for the Data Protection Act.

Links:

Our interview with MoD over EDS missing hard drive - IT Projects Blog, 13 October 2008

EDS again? - Stuart King's blog

EDS loses personal details of 5,000 prison staff - Computer Weekly

Private data on armed forces goes missing - Silobreaker  

Sir Robert Fry, head of EDS Defence, has said that a portable hard drive which went missing had not needed to be encrypted under Ministry of Defence procedures because it was held in secure premises.   

Some in the IT industry may be surprised that portable MoD data does not require encryption if it is held in secure premises.

Fry said he was unable to rule out the malicious use of any data on the missing drive. But he said that "if it was intended for any malicious purpose, we would have had some indication that that was the case before now".

He was being questioned on BBC Radio 5's "Drive" programme, which included an interview with Computer Weekly. The presenter Anita Anand asked Fry: how secure was the hard drive?

He replied: 

"The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defence work, when it sits inside a secure site."

The loss of the drive was discovered last Wednesday and reported by EDS on the same day. But it's not known when the drive disappeared. The Ministry of Defence said in a statement that the hard drive may yet turn up at another secure site. It conceded that the personal information of members of the armed forces might have been "compromised" by the loss of data on the drive.

The 1TB portable hard drive went missing from a secure EDS site at Hook in Surrey. 

MPs have criticised the loss of the hard drive, saying that a culture change is needed to prevent personal data going missing.

Health officials in London are working with BT, Cerner and IT specialists to rescue plans for integrated e-health records in the capital amid signs that the government's one-size-fits-all approach is disintegrating, Computer Weekly has learned.

The original plan which was announced in 2002, in a document "Delivering 21st Century IT Support for the NHS", was for the National Programme for IT [NPfIT] in the NHS to deliver "ruthless standardisation". In London a single database to support electronic health records for eight million people was to be rolled out to all trusts and other NHS sites.

That plan turned out to be too ambitious - and was watered down when officials and the NPfIT local service provider in the capital, BT, decided to install in NHS trusts different releases of the US-based Cerner "Millennium" system to support e-records.

Now that plan, too, has run into trouble. BT, NHS IT specialists and Cerner have ended up customising LC1, the standardised smartcard-based Cerner system, for one London trust, the Royal Free, after it ran into serious problems.