Ministers involved with the ID card system were told the plan was feasible, but recently released documents reveal...
key issues that were never addressed:
- Insecure database at the heart of sensitive government computer systems
- ID system turned to DWP database as feasibility reports cast doubt
- Scale and complexity required irreversible commitment to CIS plan
- Questions over the ID system's inter-departmental funding and governance
Brent Council sacked a member of staff for looking at his girlfriend's records on a government database in autumn 2006. But this wasn't any old sacking - and it wasn't any old database. It was said to be the largest government store of personal data in Europe. And the sacking happened as ministers prepared to present the database as the face-saving answer to the controversial Identity Cards Scheme.
Their decision demonstrated just how desperate a gambit the ID card system had become for the Labour government. They put an insecure database at the heart of the most sensitive of all government computer systems and signed off its development without verifying that it was possible.
Personal data gathered for the ID cards scheme is currently being destroyed, at a cost of £400,000, and we have now learned how unfeasible the plans looked from the outset. Computer Weekly has obtained, through Freedom of Information applications, the documents by which ministers approved the plan. Some might think they raise the question of whether the decision to go ahead was negligent. Ministers were given bad advice - but were told what they needed to hear.
They had previously concluded that the ID system couldn't be developed in the three years decreed by the 2006 Identity Cards Act. Within months of the Act being pushed through Parliament, the ID scheme was under fire after a leak of Home Office e-mails exposed concerns about its feasibility.
The Home Office saved face by proposing a "pick 'n' mix" ID system. It would co-opt existing government systems where it could, saving the time and expense of building from scratch, letting off some heat over the potential cost of the programme.
The Department for Work and Pensions (DWP) Customer Information System (CIS), a store used by benefits administrators which contains the personal records of 91 million people, would form the biographical core of ID cards - half of the scheme, functionally. The other half would be a new system to store biometrics. When this idea was presented in the December 2006 Strategic Action Plan, it pulled the ID scheme from the fire. It sounded cheap and simple, but it was a gamble. The CIS plan would be contingent on "the successful completion of technical feasibility work", said the Action Plan, signed by Home Office ministers Liam Byrne and Joan Ryan, as well as James Hall, the Identity and Passport Service (IPS) chief executive.
The plan to use CIS was not really optional; it was intuitively simple and politically irreversible. The IPS Feasibility Study they commissioned confirmed three months later: there was no plan B. "The initial view was that there appeared to be no technical, operational or legal reasons as to why CIS could not be utilised," it said. "[A] feasibility study was initiated in October 2006. The ability to host the biographic element of the NIR [National Identity Register] on any other government asset was explicitly excluded from the scope of this review. The requirement to perform options analysis was also excluded."
In February 2007, Martin Bellamy, then-director of pensions information systems at the DWP, sent ministers and department executives a preliminary feasibility study on the CIS plan. He couldn't say it was feasible, but he recommended it anyway. He presented a daunting list of risks, and warned there was no going back.
"There are a number of risks and issues to overcome before we take the work forward," said Bellamy in the Restricted Policy report, Use of the Customer Information System as a shared, cross-government asset, on 16 February 2007. "The significance of the work and the level of investment required mean that a commitment now is effectively irreversible."
Never before had a project of this scale and complexity been attempted. It would require the IPS, DWP and HM Revenue & Customs (HMRC) - the biggest external user of the DWP's legacy CIS database - to co-operate intimately. They had to pull off this feat of systems and organisational engineering in just two years.
The questions of inter-departmental governance, funding and accountability were still unanswered when ministers approved the CIS plan. They were never settled. This would prove to be the scheme's undoing.
In February 2007, Bellamy told ministers the DWP's exploration of cross-departmental issues with the DWP and HMRC had "assumed the principle that the additional costs incurred by DWP in supporting the other departments will be fully reimbursed by the Home Office and HMRC. However, we are yet to obtain formal confirmation that this principle is fully supported by the other departments," he said.
The matter was so far from being settled that it would keep the CIS plan on the drawing board for another three years. In January 2010, the date by which the Identity Cards Act decreed ID cards would become compulsory for anyone applying for a passport, the IPS was forced to ditch the CIS plan - by now known as CISx. "Once you start getting lots of suppliers and departments all working together to produce one thing," an IPS source told Computer Weekly, "ownership and security are a big issue and just the economics of it". A DWP executive said no CISx development work was ever done.
Bellamy spelled out much else that was wrong with the plan in 2007. It was such a tall order that the DWP wanted to be delegated authority on expenditure. He told ministers that the DWP didn't have the resources to do the job. Neither did it have the management skills to adopt the pioneering role of "IT services company" to other government departments. Hardware infrastructure and datacentre capacity, which were known to be in short supply after a 2005 KPMG report, had not been identified. Procurement was uncertain. The DWP was under "intense pressure" from existing IT commitments, and it had a "headcount challenge".
"CIS is a seriously challenging project and will need considerably greater resources than we currently have," Bellamy said. DWP's existing work schedule was already five months in arrears and worsening, he said. The National Audit Office later reported that Release 2c of the legacy CIS (delivered the month following Bellamy's report) was 12 months late. By the time the legacy CIS was completed, it was 13 months late and more than twice over budget.
The CIS ID scheme plan - rebranded CISx, for CIS-cross-government - had very little going for it. The only certainties were that the IPS had asked the DWP to do it, the ID Cards Act set the timescale, and the plan sounded plausible as long as you didn't look at it too closely. So was it feasible? Bellamy said that despite the risks there were "no showstoppers". The project was merely unable to proceed until the resources, inter-departmental costs and accountabilities issues had been resolved. But it was recommended anyway.
The IPS was meanwhile producing the official Feasibility Study. Then-ministers James Plaskitt (DWP), Dawn Primarolo (HMRC), Liam Byrne and Joan Ryan (Home Office) were due to receive it on 21 February 2007. The IPS repeated the "no showstoppers" claim. Its analysis considered the DWP's capability to do its work. It raised many of the same risks, but removed Bellamy's proviso that they should be addressed before work could proceed. Ministers gave CISx the go-ahead in March.
The IPS had said of CISx, "It is a close fit, requires no complex change and will cost significantly less than building a solution from scratch". The watchdog, the Independent Scheme Assurance Panel (ISAP), thought differently. It concluded CISx would be more complex, while resources were scarce. It sought assurances from the IPS that CISx was, in effect, feasible and was assured that steps were in hand to ensure it was.
Eighteen months later the National Audit Office reported that questions of inter-departmental funding, accountability and governance had still not been settled. Governance was another of ISAP's perennial concerns. Yet the IPS Feasibility Study told ministers in 2007, "A workable governance model has been defined in consultation with key stakeholders from DWP, Home Office, HMRC and the centre of government." It sounded promising. But it was just two weeks after Bellamy said governance was a problem but not a show stopper. What the IPS presented as a "definition" of inter-departmental harmony was still short of agreement.
There was one other thing that the Bellamy and IPS studies glossed over. The security risks, and their potential to undermine public trust, had by 2010 become the greatest showstopper of them all. Hundreds of civil servants have been disciplined for CIS snooping since that first sacking at Brent, so there was little chance the IPS could have preserved the integrity of CIS as a component of the ID scheme. The IPS said in 2007 security wasn't a problem. Did they brush the security breaches under the carpet, or really not see the problem? The IPS needed CISx to be feasible for the ID Scheme timescales to be met. It looked less like a question of feasibility than a fait accompli.
Timeline of events
2003 - DWP initiates development of its Customer Information System (CIS)
Autumn 2006 - Brent council worker sacked after looking up girlfriend on CIS
December 2006 - ID scheme Strategic Action Plan names CIS as biographical store
Early 2007 - DWP feasibility study recommends CISx plan with joint IPS ownership
March 2007 - Ministers approve CISx re-use plan for National Identity Scheme (NIS)
Early 2007 - ISAP warns of complexities of using CISx for IPS
Summer 2007 - IPS claims CIS re-use risks addressed
1 April 2008 - IPS NIS Delivery Plan assures that CIS reuse would be cheaper and less risky
25 April 2008 - Ministry of Justice (MoJ) asks DWP how to deal with CIS security breaches committed by its staff
6 May 2008 - ISAP repeats its 2007 criticisms of CIS re-use plan
6 May 2008 - IPS publishes 2007 assurance: remedies in ID procurement and governance
October 2008 - Basic CIS completed 13 months late and more than twice over budget
November 2008 - NAO repeats ISAP concerns about costs & risks of DWP/IPS co-operation
November 2008 - First ID cards issued for foreign workers
24 February 2009 - Computer Weekly reveals widespread council breaches of CIS security
11 May 2009 - ISAP repeats 2007 warnings and calls for review of CIS re-use policy
7 October 2009 - IPS admits it is reconsidering using CIS for ID scheme
30 November 2009 - First ID cards rolled out to UK nationals using a demo ID system
December 2009 - IPS decides to ditch CIS
28 January 2010 - DWP security team contact MoJ with latest list of suspected CIS breaches