Is it finally being sorted out and on track because it is finally about to adopt good practice, having exhausted all the other options?
I would love to be able to think so.
But future success also requires sorting a number of critical dependancies which are not under DWP control: not just the HMRC Real Time Information system, which happens to be a good idea in its own right, but also Government ID policy.
ID policy is also at the heart of the fight against fraud, the quality control control of immigration and the deterring of health tourism by making it very much harder for those who were not born here and had never paid tax, nor had parents or grandparents who paid tax, to claim benefits or free treatment.
But who is responsible for the ID policy that we have not got.
Over recent years I have tired to maintain a "map" of who is responsible for which bits of government on-line security policy. Here is the current state of the section on ID policy.
2.2.3) Identity Assurance (inc electronic IDs, Internet names and addresses)
Home Office
Law enforcement and Criminal Intelligence files of identities and aliases
National Fraud Authority and "Fighting Identity Crime Together"
UK Borders Agency: identity of those entering/leaving, acquiring residency/citizenship
Justice
Identities
and aliases of those within justice systems, from prosecutions, through
courts, prison and probation to criminal and civil records
BIS
Lead on EU e-ID initiatives
Export
control orders and sanctions on foreign regimes.
Companies House: legal identities for Companies and Directors
Ordnance Survey and Land Registry: legal identities for properties
Royal Mail: address files
UKTI: programme to encourage inward investment in cyber and ID also ID/VISA issues
DCMS including via Ofcom, Phonepay Plus and Nominet
Phone Numbers and Internet names and addresses.
FCO
GCHQ,
CESG, UKTI (shared with BIS)
DWP
NINO and identity of benefits claimants
NHS
National Health Service Number and a wide variety of other reference numbers
Treasury:
Banking Regulation "Know your own customer rules"
HMRC: Legal identities of corporate and individual taxpayers and tax credit claimants
Transport :
DVLA, identity of
drivers and vehicles .
Cabinet Office
UK OIX Group
"Co-ordination" of identities for citizen dealings with Government
"Co-ordination" of identities for Government employees
Electoral Register (joint with DCLG and Local Authorities)
ID tokens
in use across UK as common "proofs" of identity/age
Passport
Local Authority ID Cards (15 use the Bracknell card)
Other ID/Authorisation Tokens and Access/Transaction Cards
Employee, Contractor and Agent IDs: from Armed Forces, Police, Emergency Services, Council and Utilities and others with statutory rights of access etc. to Charity Collectors
Frequent Flier cards:
Customer Cards (with or without transaction bonuses)
Credit Cards
Debit
Cards
On-line ID services
Paypal, Google, Microsoft etc.
I would be most grateful for any comments on errors and ommissions in the above list but it will be fairly obvious why Cabinet Office finally appears to have conceded defeat on the thankless task of trying to "co-ordinate" ID policy. I should perhaps that I was never a fan of ID cards beause I do not believe in "one size fits no-one" solutions.
I have long beleived that the only way realistic was forward is a policy of creeping rationalisation - driven by National Audit Office reports which condemn those departmental identity systems that are unfit for purpose, riddled with errors and wide open to abuse, and whcih praise those that are found to be fit for purpose - i.e sufficient accurate, secure and fast (response time) for the applications for which they are used.
If that leads to departments choosing to contract their ID processes to private sector suppliers governed by UK law whose call centres and files are inside the UK, then that would be totally rational. I should, however add that I happen to also believe that it should be an offence (i.e. not just a mandatory contractual prohibition) to process personal data collected under statutory authority (e.g. criminal or health records, tax or benefits data) outside the UK without some form of explicit judicial oversight.
Next week I hope to begin the review of the Conservative Technology Forum policy study priorities for next year. We have provisionally agreed to take a look at the implications of basing ID policy on the premise that we have copyright in our own identities and identifiers and that anyone using them owes us a duty of care, even if we have agreed to waive the royalties in order to, for example, receive benefits. Those interested in helping such a study will find membership details on the website. We have also been asked to take a cool view at the reform of the programme planning and procurement in the public sector.
That will be even harder because so many of the experts who have volunteered to help have such strong views on the need to follow professional best practice without considering political realities. The "real" problem is how to apply "political engineering" (others use less polite phraseology) to avoid the rank bad practice that is so often found in the public sector when those without relevant experience are pressured into taking short cuts, while so-called IT professionals, (usually with little, if any, experience of delivery as opposed to selling), promise politicians that this time it will be different.
Subscribe to blog feed
Leave a comment