Civil servants told to destroy reports on risky IT projects

Treasury officials are ordering the immediate destruction of "Gateway" internal reports into risky government IT schemes to prevent information on the projects being leaked.

Treasury officials are ordering the immediate destruction of "Gateway" internal reports into risky government IT schemes to prevent information on the projects being leaked.

Their action, a response to the Freedom of Information Act, comes even though the Treasury's Office of Government Commerce (OGC) has lost two appeals to keep Gateway reports secret. Managed by the OGC, Gateway reviews are independent assessments of high and medium-risk IT-based and other projects at various stages in their lifecycle: projects such as the £5.3bn ID cards scheme and the NHS’s £12.4bn National Programme for IT.

Liberal Democrat Shadow Chancellor Vincent Cable described the policy as “shockingly arrogant behaviour by those who should know they are accountable for public money”.  He said that those involved in projects, as well as parliament and taxpayers, had a right to see the Gateway review reports.

The OGC paper on the Gateway review, seen by Computer Weekly, tells its teams, “You must securely dispose of the [final Gateway] report and all supporting documents immediately after delivery of the final report - which should be no later than seven days after the review."

The OGC wants to cut the risk of leaks - only two people will have copies, the OGC and a department’s “senior responsible owner”.

Nobody else has any automatic right to see the reviews. So a department or agency’s internal audit committee, MPs, the department’s IT team, computer suppliers and potential end-users may be denied access to the final report.

The OGC is also assuring departments that confidentiality over Gateway reviews is “assured” – even though the High Court could rule that the reviews are published.

And the presentation paper tells review teams that if asked verbally for information on the Gateway reviews to include in their reply the fact that they say they are not “actively published or disclosed”.

Under the Freedom of Information Act, each request for disclosure of Gateway reviews should be considered individually. But the OGC has refused every application for disclosure of the results of Gateway reviews.

Two Parliamentary committees have asked the government to look favourably on publishing Gateway reviews after taking in evidence from Computer Weekly. This magazine’s evidence was also cited in the ruling of the Information Tribunal that early reviews on ID cards be published.

An OGC spokesman refused to say why it has ordered the secure disposal of Gateway reviews. The OGC confirmed that only two copies are kept.

Civil servants who undertake Gateway reviews told Computer Weekly they thought it unnecessary to destroy the final reports. They said the documents usually contained important recommendations which may not be carried out properly if people in the department or agency do not know what they are.

One Gateway reviewer said the order to destroy the final reports was “odd and a little sinister”.

A legacy of secrecy

More than 2,000 Gateway reviews have been carried out – but the OGC has published none of them.

The order for the destruction of final reports will fuel suspicion that they identify fundamental flaws in some major government IT-based projects.

The paper also tells civil servants they must securely dispose immediately after delivery of the final Gateway report “all supporting documents”.

The Information Commissioner ruled last year that early Gateway reviews on ID cards should be published, arguing that it should be public knowledge whether the programme was feasible and being well managed. The OGC appealed – and lost. It is now to fund a third appeal hearing, this time to the High Court.

For more on this story, see Tony Collins' IT projects blog>>

Government told to publish Gateway reviews on ID cards >>

ID cards: 'openness would damage project reviews' >>

The Office of Government Commerce >>

The Information Tribunal >> 


Comment on this article: [email protected]

Read more on IT risk management