Capita admits to ILA failings but denies negligence

The chief executive of IT services firm Capita which designed, built and ran the computer systems for the Individual Learning...

The chief executive of IT services firm Capita which designed, built and ran the computer systems for the Individual Learning Account programme was hauled up before MPs on the all-party education and skills select committee. Bill Goodwin reports

Senior executives of the IT outsourcing firm Capita denied suggestions of negligence during their cross-examination by MPs on the Commons education and skills select committee last week.

The company is under the spotlight for its role in managing and running the Government's ill-fated £200m Individual Learning Account (ILA) programme, which had to be closed down when evidence emerged last year of fraud.

The dramatic collapse of the Government's flagship scheme has raised questions about the security of the computer systems used to administer it.

Computer Weekly revealed last month that there were virtually no checks on the credentials of learning providers joining the ILA programme.

Once they had access to the Web site, unscrupulous providers were able to use the site to guess unused account numbers, each worth to up to £200 in government subsidies. A black market in unused account numbers developed.

The security of the ILA computer system was undermined by a last-minute Government decision to abandon plans to accredit training providers, Paddy Doyle, Capita's group board director told MPs.

Plans to run checks on the individuals applying for courses were also dropped. Capita had already designed and built the computer systems and it was difficult to change them quickly, he said.

It proved difficult to integrate the accreditation databases into the new ILA system. The database only held details of established training providers and this conflicted with the Government's policy to encourage new training providers into the scheme.

"The emphasis of the security case was very much on who had access to the system. Once into the system it was a very open scheme," said Doyle. "There was a low level of security, I am very aware of that."

With Capita's extensive experience of security gained from running housing benefit systems, and its forthcoming contract to manage criminal records, MPs asked why it had failed to warn the Government about the potential security shortfalls.

"I don't think we foresaw there was going to be a problem," said Doyle.

Capita had assumed that any abuse of the system would be picked up in the monthly management reports it compiled for the Department for Education & Skills (DfES).

"While we would say we are very experienced and professional, this is an area where we can't know too much. Someone invented a new way of breaking into the system," he said.

The select committee examined the forms learning providers and course applicants had to complete before joining the scheme. They were only a page long and contained few checks to distinguish the genuine learning providers from the fraudulent firms, or real course applicants from fictitious ones.

Surely, one MP suggested, Capita's work on other IT projects should have given it the experience to say the forms were not good enough.

But Doyle said Capita did not have the ultimate say over the design of the forms. "Before we bid for the contract there was a specification. It was not for us to sit down solely on our own and design the forms. Our people had some say in it, but we were not given free rein," said Doyle. "We are not in a position to define Government policy.

"There was a balance: open and non-bureaucratic versus closed and bureaucratic," he said. "If you want to encourage people to apply, you don't come down and ask for birth certificates and utility bills. It discourages people from applying."

Capita's earnings, MPs heard, were related to the number of students passing through the scheme. When the ILA programme closed it had 2.6 million people - the target was originally 1.6 million applicants.

But this did not create an incentive to skimp on security, said Doyle. "The rapid build-up of numbers gave us far more problems. We had difficulty keeping our service levels because of those problems."

The committee asked if Capita would accept responsibility for making any mistake. Doyle admitted that the company should have "shouted louder" to the department about the computer system's security.

"We could have moved earlier to make this system more robust in the light of the information we received," he said.

Capita did raise concerns with DfES officials during its regular meetings with them. But, said Doyle, it might have been better to raise the issues at a higher level with the department.

In a move that could shed unprecedented light on public-private partnership deals, Capita agreed that it would make copies of its contract with the DfES and the minutes of its meetings with department officials available to MPs, provided there are no objections from Government.

Capita's role in the ILA programme
  • Ran a call centre in Coventry to process applications and advise learners

  • Processed learning provider applications from an administrative centre in Darlington

  • Developed, implemented and operated the ILA computer centre at West Malling, Kent

  • Granted access to learning providers to the ILA computer system

  • Produced management information and audit reports for the Department for Education & Skills.

Lessons learned by Capita from ILA mess
  • ILA computer and business process systems should be reviewed

  • Partnership arrangements with the Department for Education & Skills should be formalised to ensure problems are recognised and addressed

  • Learning providers should be accredited before joining the scheme

  • The existence of people applying for training should be verified

  • Guidance should be issued to the public on the quality of training they should expect

  • Regular account statements should be sent out to enable students to check that their accounts are not being misused

  • Courses should be verified and monitored.

Read more on IT risk management