When I did my a programme management course as part of my time at the London Business School (back in 1972) we were told that a programme with a turnover among key staff of greater than about 12.5% p.a. (1 in 8) was in trouble because of lack of continuity. If turnover was less that 5% p.a. (1 in 20), it was in trouble because of stagnation. What does one make of a programme where the rate of churn among key staff, particularly those nearest to the top, appears to be over 200% p.a., sometimes with average length of stay measured in weeks, not months, let alone years?
Is it finally being sorted out and on track because it is finally about to adopt good practice, having exhausted all the other options?
I would love to be able to think so.
But future success also requires sorting a number of critical dependancies which are not under DWP control: not just the HMRC Real Time Information system, which happens to be a good idea in its own right, but also Government ID policy.
ID policy is also at the heart of the fight against fraud, the quality control control of immigration and the deterring of health tourism by making it very much harder for those who were not born here and had never paid tax, nor had parents or grandparents who paid tax, to claim benefits or free treatment.
But who is responsible for the ID policy that we have not got.
Over recent years I have tired to maintain a “map” of who is responsible for which bits of government on-line security policy. Here is the current state of the section on ID policy.
2.2.3) Identity Assurance (inc electronic IDs,Internet names and addresses)
Lawenforcement and Criminal Intelligence files of identities and aliases
NationalFraud Authority and “Fighting Identity Crime Together”
UKBorders Agency: identity of those entering/leaving, acquiringresidency/citizenship
Identitiesand aliases of those within justice systems, from prosecutions, throughcourts, prison and probation to criminal and civil records
Leadon EU e-ID initiatives
Exportcontrol orders and sanctions on foreign regimes.
Companies House: legal identities for Companies and Directors
OrdnanceSurvey and Land Registry: legal identities for properties
Royal Mail: address files
UKTI:programme to encourage inward investment in cyber and ID also ID/VISA issues
DCMS including viaOfcom, Phonepay Plus and Nominet
PhoneNumbers and Internet names and addresses.
GCHQ,CESG, UKTI (shared with BIS)
NINOand identity of benefits claimants
National Health Service Number and a wide variety of other reference numbers
Banking Regulation “Knowyour own customer rules”
HMRC: Legal identities ofcorporate and individual taxpayers and tax credit claimants
DVLA, identity ofdrivers and vehicles .
“Co-ordination”of identities for citizen dealings with Government
“Co-ordination”of identities for Government employees
ElectoralRegister (joint with DCLG and Local Authorities)
ID tokensin use across UK as common “proofs” of identity/age
KnowYour Customer list:
LocalAuthority ID Cards (15 use the Bracknell card)
Other ID/Authorisation Tokens andAccess/Transaction Cards
Employee,Contractor and Agent IDs: from Armed Forces, Police, Emergency Services,Council and Utilities and others with statutory rights of access etc. toCharity Collectors
CustomerCards (with or without transaction bonuses)
On-line ID services
Paypal, Google, Microsoft etc.
I would be most grateful for any comments on errors and ommissions in the above list but it will be fairly obvious why Cabinet Office finally appears to have conceded defeat on the thankless task of trying to “co-ordinate” ID policy. I should perhaps that I was never a fan of ID cards beause I do not believe in “one size fits no-one” solutions.
I have long beleived that the only way realistic was forward is a policy of creeping rationalisation – driven by National Audit Office reports which condemn those departmental identity systems that are unfit for purpose, riddled with errors and wide open to abuse, and whcih praise those that are found to be fit for purpose – i.e sufficient accurate, secure and fast (response time) for the applications for which they are used.
If that leads to departments choosing to contract their ID processes to private sector suppliers governed by UK law whose call centres and files are inside the UK, then that would be totally rational. I should, however add that I happen to also believe that it should be an offence (i.e. not just a mandatory contractual prohibition) to process personal data collected under statutory authority (e.g. criminal or health records, tax or benefits data) outside the UK without some form of explicit judicial oversight.
Next week I hope to begin the review of the Conservative Technology Forum policy study priorities for next year. We have provisionally agreed to take a look at the implications of basing ID policy on the premise that we have copyright in our own identities and identifiers and that anyone using them owes us a duty of care, even if we have agreed to waive the royalties in order to, for example, receive benefits. Those interested in helping such a study will find membership details on the website. We have also been asked to take a cool view at the reform of the programme planning and procurement in the public sector.
That will be even harder because so many of the experts who have volunteered to help have such strong views on the need to follow professional best practice without considering political realities. The “real” problem is how to apply “political engineering” (others use less polite phraseology) to avoid the rank bad practice that is so often found in the public sector when those without relevant experience are pressured into taking short cuts, while so-called IT professionals, (usually with little, if any, experience of delivery as opposed to selling), promise politicians that this time it will be different.