The Identity Card Scheme offers a lesson in the infeasibility of IT systems held to political ransom. The cost of failure was too high for the Labour government. So the Home Office pressed on Quixotically with the system, despite never overcoming its critical weaknesses.
The picture that has emerged with the publication of last week’s Independent Scheme Assurance Panel report is one of a government department hashing together on the fly a system of a size, complexity and sensitivity never before attempted. It may have been too big to fail, but it was also too much to handle.
The Home Office was obliged over the years to issue empty assurances that everything was under control and that it was addressing the repeated warnings given by ISAP. Can you handle a project of this size and complexity, asked ISAP in 2007. Yeah, ‘course we can, said the Home Office – we’ve recruited some more executives.
In failing to deliver on those assurances, the department gave an indication of the amount of strain its IT experts must have been under. Working on a panacea project must be like happy-clapping at a cult.
The inconvenient imperfections of the ID plan were spelled out clearly in ISAP’s 2007 report, compiled in the year after the Home Office cut the ribbon on the system blueprint and set their IT chumlies off on their futile quest.
After three years of development, the problems still had to be addressed. And very little of the blame could be put on the poor techies building the system. The snags were political. The fault was incompetent ministerial direction.
Writing on the wall
Data security risks identified in 2007 were never brought under control. And much else ISAP and good sense required of the ID project in 2007 was never fully addressed.
Public trust essential to the scheme was never secured. Inter-departmental differences over the accountability, funding and ownership of the cross-government system architecture were never settled. A “robust and transparent” system of data governance was never established. The system requirements were never properly defined and neither were its benefits, though both were crucial, it was and is commonly said, before the system could be properly designed.
Vital skilled staff were never recruited. A system of competent organisational governance was never established. Cross-government support was ever obtained and a cross-government standard of identity data and management was never agreed.
It was being built, against ISAP’s advice and accepted wisdom, on “shifting sands”. And contracts with suppliers were let, to satisfy a political timetable, despite these crucial preliminaries not being clarified.
This must have been especially awkward for the Home Office and may explain why it disbanded ISAP in 2009. No matter that the oversight panel was set up after the Home Affairs Select Committee said in 2004 that the Gateway review process (through which the Office of Government Commerce usually seeks to prevent embarrassing IT failures) couldn’t be trusted to oversee a “project of this scale”. Don’t worry, said the Home Office, we’ll set up an independent oversight board.
Had the Home Office given ISAP more credence, a lot of time and money may have been saved. The panel’s first public warning put the writing on the wall: data loss will lead to a loss of public trust that, it implied, would be the project’s ruin. There were real risks of data loss, it said. Something had better be done about it because people won’t stand for it.
This was to be done with a PR exercise that would win public trust by showing how security concerns had been addressed. People would be told the system’s tolerance for errors. Said system would have not only to be “robust” but also “well respected”.
The problem was swept under the carpet. Civil servants were being sacked for snooping on the Customer Information System (the DWP database that was to form the biographical core of the ID system) before the scheme began. They were still being sacked after the scheme was scrapped in 2010. The DWP’s precautions were shoddy, the security leaks were proving unmanageable and the DWP refused to reveal the error tolerance of the CIS. It may not even have known.
You have to wonder how the ISAP overseers felt about it all in the end. Nokia CEO John Clarke, Cranfield Professor Brian Collins, ex-First Direct Bank CEO Alan Hughes, BAA IT director Malcolm Mitchell, and ex-HSBC Bank CIO Fergie Williams: these sort of people are not used to being fobbed off.
Being from the commercial world, they are also accustomed to developing systems that rely for their success on customer choice. Paradoxically, they advised that the ID scheme would only succeed if everyone was forced to use it. This exposed the lie in Blair’s ID sales patter, the come-on-you-know-you-want-it approach to civil security: everyone was going to get it anyway, whether they liked it or not.
“To be successful,” the ISAP said, “the scheme has to become the government’s (and the commercial sector’s) primary means of identifying individuals and controlling updates to and use of their data.”
It sounds preposterous now. Citizens no more like the Home Office watching them for their own good than foreigners like having bombs dropped on their heads for their own good.
The ID scheme gives us one other amusing paradox to ponder. From ISAP’s perspective, it demonstrated how a lack of transparency in public policy and execution led inevitably to costly failure. Yet had the government come clean about the risks, it may never have won the public’s support in the first place.
Transparency is the only hope we have of overcome the endemic problem of public databases being snooped.
What support people had given ID was befooled. The sands shifted so much under the ID scheme that it’s hard to say what it was meant to do in the first place. Someone should nose around the Home Office with that very same question in mind. When they come across its fascistic database of identity-carded foreigners they might ponder whether it would ever have been approved either had the opening sales gambit not been ID-for-all.