MoD embarks on cloud-based push to digitise data protection request service
After previously finding itself on the receiving end of a reprimand from the UK data protection watchdog for taking too long to respond to subject access requests, the Ministry of Defence sets out how its turned the situation around with the help of cloud-based system eCase
“It’s a microcosm of government as a whole. There are very few other departments that have their own education services, their own health service and their own police force, for example,” the MoD’s head of information stewardship, Ian Henderson, told Computer Weekly.
“Each of the commands, which include the army, the navy and the air force, are effectively chief executives in their own right. They’re given money, they’re told what they need to deliver and they need to be compliant with the law.”
Where the latter point is concerned, it is Henderson’s job to ensure the department is complaint with any – what he terms – “information-related legislation”, which includes the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
By Henderson’s own admission, when these pieces of legislation came into force in May 2018, the MoD found itself ill-prepared for the more rigorous data protection compliance regime, particularly when it came to responding to data protection-related subject access requests (SARs) in a timely way.
So much so, the department found itself on the receiving end of a reprimand by data protection watchdog The Information Commissioner’s Office (ICO) in July 2022 after building up a significant backlog of SARs during the Covid-19 coronavirus pandemic.
The MoD provided the ICO with details in July 2020 about how it planned to clear the backlog before 2022, but its efforts fell short and by April 2022 the MoD confirmed it had around 9,000 SARs left to process.
SARs in-demand
The MoD receives an average of 45,000 SARs a year – typically from ex-service personnel and civil servants – who may request information for a wide variety of reasons.
“Sometimes, the requests are from people with grievances – such as the class actions for people who have suffered hearing loss or injuries from being in the cold [while serving in the forces] – or sometimes they are people who want a thorough account of their career history for posterity,” said Henderson.
Regardless of what they want the information for, under the terms of the Data Protection Act 2018, the MoD is required by law to answer SARs within one month unless the case is considered complex, which means the department has up to three months to respond.
“You can’t just default and classify a case as complex to [buy more time], because you have to justify to Information Commissioner why you’ve determined the case to be worthy of an extension. So, typically, each of these requests must be responded to within a month.”
As detailed in the ICO’s reprimand document, the source of the backlog was attributed to one specific business unit, the Army Personnel Centre, having “resourcing issues” and the MoD said it had funding in place from September 2022 to hire 40 additional contractors to process the outstanding SARs.
The ICO set the MoD a deadline of March 2023 to get the backlog cleared and the job was done by the end of that month. And while increasing the organisation’s headcount to assist in processing the SARs undoubtedly helped, work was already underway behind the scenes to digitally streamline and standardise the more administrative parts of the SAR response process across the whole of the MoD.
“[To submit an SAR] individuals have to fill out these horrible forms that they would have post, print or email, and MoD people would pick them up and then transcribe the information from them – hopefully correctly – into the case file,” said Henderson.
“In the middle of the process is a whole load of paper as well, because the personal records of people in the MoD are a combination of paper and digital records, but it was all having to be printed, redacted and then posted out. It was costly and very inefficient…and there was a danger of it being insecure by sending stuff to the wrong address.”
Also, each branch of the MoD seemed to have their own systems and processes for monitoring and managing their SARs-related workloads.
I couldn’t, even in my position as data protection officer, get a handle on whether we were compliant
Ian Henderson, The Ministry of Defence
“We didn’t have any commonality of toolsets across the different commands. Some people would be managing their SARs registers on Excel spreadsheets and others were using Access databases,” added Henderson.
“I couldn’t, even in my position as data protection officer, get a handle on whether we were compliant, let alone provide any confidence to our accounting officers, our permanent secretary and any other senior figures that we were compliant.
“We needed to fix that by introducing a single case management tool and a single process that everybody could follow as a single and set way of managing SARs so we have a common baseline and a common way of working.”
This led the organisation to expand its use of a cloud-based technology called eCase, which is made by a case management software company called Fivium and is specifically designed for use by public sector organisations.
“We looked at what the rest of Whitehall was doing with similar projects, and we went to the Department for Work and Pensions and looked at what they had done with eCase, which was a technology that was already being used within the MoD for managing other types of correspondence, such as freedom of information requests, ministerial correspondence and parliamentary questions,” said Henderson.
“So, the benefit of that was there was already a vehicle in place for us to quickly engage with Fivium and get the ball rolling on.”
As part of this process, Henderson said he was keen to revamp the start of the entire SAR submission process by creating an MoD-specific front-end in the form of a bespoke eCase Capture web-form that would also have capabilities that would help to cut the department’s response times.
This is because the webform would be able to automate the logging, triaging and allocation of the SARs to ensure they ended up in front of the right personnel within the MoD for much faster processing.
It was also important to Henderson that the front-end was accredited by the Government Digital Service (GDS) as being Gov.uk compliant. “This is because I wanted the individuals using it to be confident that they were dealing with the government, and not just submitting their requests to any old website,” he said.
“If you haven’t gone through the GDS accreditation, you cannot use any of the [government] logos, plus you can’t use our Mod.uk DSN address, and it was really important to me that people felt confident that they were sending and sharing their personal data electronically to a trusted source.
“We worked very closely with Fivium on that part of the project…they did the [service] designs and the technical stuff, while my team made sure we facilitated the conversations with GDS to meet their digital standards.”
The deployment began in mid-2020, during the early days of the Covid-19 coronavirus pandemic, which created an added complication in that the department was trying to bring all of its disparate organisations round to a single way of doing things while everyone was working remotely.
“We had all of these workshops to come up with a single way of working using a single tool and it was all done remotely during Covid, which meant lots of Microsoft Teams calls and virtual training sessions and such like,” said Henderson.
The staff training sessions were less about helping the MoD’s workforce get to grips with the new technology, as Henderson restated that eCase was already in use within the department, but focused more on supporting its employees with the change in business process.
Our teams felt beaten up because they were being seen to be failing, but now we’ve got a team who are seeing that actually they’re succeeding
Ian Henderson, The Ministry of Defence
“They all had their own ways of working, their own peculiarities and their own perceptions of what is the right thing to do as well,” he said.
“Whereas what we had introduced now was a common way of working with a common process to follow, while the tool itself was fairly intuitive anyway. So, it was less of a staff training burden and more of a business transformation burden.”
Once the deployment was complete and its staff were fluent in the new process for completing SARs that eCase was now underpinning, the benefits of this project soon started to become apparent, with Henderson talking up the cost savings the project has brought about as well as the improvements it has made to staff morale.
“The savings for the MoD are phenomenal,” he said. “Just using the army as an example, we worked it out that we’re saving around £20 per SAR and that’s not taking into account the people savings. It’s just the cost of printing and the cost of posting out paper.”
According to the MoD’s own estimates, the project is on course to save the department 70,000 hours of work per annum, and it expects to make cashable savings of almost £1m per year too.
In June 2023, the department achieved a 91% score for complying with the ICO’s regulations, which is also indicative of how much faster it has got at responding to SAR requests.
“The biggest thing is that we had the reprimand by the ICO and our teams felt beaten up because they were being seen to be failing, but now we’ve got a team who are seeing that actually they’re succeeding and all of the positive that goes with that,” continued Henderson.
With the system and process now fully bedded in, Henderson said he would like to explore whether there is potential for a wider, cross-government use case for the setup and it is his ambition to get the service recognised by the Central Digital & Data Office (CDDO) as one of its top 75 exemplar IT projects.
“We’re starting to initiate those conversations about whether this is a candidate for consideration, which would also introduce all sorts of other opportunities to explore and further develop the service that has already been provided,” he said.
