High-risk courts reform to give 25m people records access

Constantly on red alert since work began in 2012, the government’s high-risk reform of the courts has come up against mistrust.

With 43 police forces, 67 prosecuting authorities, 300 criminal aid firms, as well as courts, government departments, lawyers, judges, defendants, witnesses and victims being given access to criminal justice records, the most challenging part of the programme was learning to trust others, lead Ministry of Justice architect Adam Gwinnett told a conference in London on 8 October.

“We are talking about a constrained user base of less than 100,000 and a potential user base of more than 25m for the new services we are deploying,” Gwinnett told the Identity Summit in London.

Asked what kept him up at night, Gwinnett said: “Establishing the appropriate identity trust framework, where we can [work with] legal firms, learn to trust other government agencies we might previously have kept at arm’s length, is one interesting challenge.”

But the MOJ was also worried about simply getting good enough security to control who got access to sensitive legal records, he suggested.

The MOJ, which embarked on building its Common Platform system in November 2012 to create a single store of legal records to be used across the entire criminal justice system, had intended to use the government’s “Verify” identity system to control who got access to what. But the Cabinet Office has admitted it has had trouble collecting enough data to make the system identify people well enough to give them access to sensitive or even just personal records. With Verify set to identify people by collating commercial sources of data that described “attributes” of their lives, the Cabinet Office has claimed it expected to have even more trouble identifying those people at the fringes of society who don’t have much of a credit history or much digital social capital and might be over-represented among those who fall victim to the criminal justice system.

It was hard, said Gwinnett, “to a certain extent, just identifying authoritative attributes.”

Emergency measures

The Cabinet Office had been involved in an emergency redesign of the MOJ’s Common Platform since 2013, just as it had done more infamously for Universal Credit, the Department for Work and Pensions’ computer-driven reform of the social security system.

But the MOJ’s IT crisis persisted, despite the adoption of a raft of Cabinet Office reforms meant to fix its problems, and, again like Universal Credit, its IT system design has consequently looked as uncertain as it was when work began in 2012.

The Cabinet Office Major Projects Authority put the MOJ Common Platform programme on Amber/Red alert after a September 2013 review.

The MOJ claimed its poor rating was due to the programme being at an early stage. Its business case was still “under development”, as were “controls”, which referred to cost-saving measures the Cabinet Office was imposing on departments’ IT projects and their spending with suppliers.

“Therefore,” said the MPA review, “successful delivery of the programme is unclear.”

The alert meant there were so many “major” issues that it was doubtful whether they could even be fixed, so “urgent” action was needed, according to the MPA’s standard blurb on its traffic light ratings.

The MOJ said in May 2014 that it had done “a great deal… to expand and clarify the vision and blueprint and… business case”. The Cabinet Office’s GDS was, however, helping the MOJ reassess the programme using “agile” design methods.

But the MPA put another amber/red warning on the MOJ Common Platform in September 2014. And in May 2015 it said its business case had still not been formally signed off.

The rating reflected the programme’s “scale and complexity”, and its adoption of the Cabinet Office’s agile reforms, said the MPA report.

The MOJ developed its own identity system “with future compatibility” with the Cabinet Office scheme in 2014, according to a report in January.

The MOJ decided to control access to some legal records by merely presuming that some users in some locations, connected to some particular networks, or using some known devices, could be trusted to a certain degree.

“We’ve got a lot of enthusiasm for context and location-sensitive controls, so [we are] looking at where they can infer security, infer credentials based on point of access, based on devices,” said Gwinnett.