Opinion: openness, accountability and awareness of risk are vital for ID card scheme to succeed

The Commons Public Administration Committee asked Computer Weekly for a paper on the implications of ID cards for public services. Here is our submission.

The Commons Public Administration Committee asked Computer Weekly for a paper on the implications of ID cards for public services. Here is our submission.

There are undeniable benefits in ID cards for some government departments, agencies and the wider public sector, if the scheme is implemented successfully. 

For example, the time taken for the Criminal Records Bureau to clear an individual to work with children may be reduced from weeks to days. It may also be possible to clear applicants for sensitive jobs in government more quickly. 

But it is easy to claim an abundance of benefits for new IT-related schemes, and ministers, government departments and agencies that readily publish information about how complex IT-related schemes will transform public services are not so inclined to publish the audited results of implementations. Computer Weekly is therefore unwilling at this stage to join those who speak with enthusiasm about the advantages to the administration of government of ID cards.

We may be more confident if the government undertook to publish the business cases for projects, Gateway reviews prepared by the Office of Government Commerce and audit reports on the progress of schemes to exploit the opportunities created by ID cards.

We doubt this will happen.

We would not wish to travel on an aircraft knowing that responsibility for its maintenance lay with committees within the airline that had no fear of repercussions should the plane crash. We would be even more concerned if there were no regulatory scheme, enshrined in statute, to ensure compliance with international standards.

In the private sector, one of the incentives to exercise extreme caution is the loss of custom should an IT-related failure affect the company's service to the public. In the most serious cases chief executives can lose their jobs.

In the public sector, there is no competition for business and it is rare for the individuals, ministers or civil servants who are in place when a scheme begins to be in the same jobs when a scheme fails. 

With IT-enabled projects and programmes, there is no regulatory scheme, enshrined in statute, to ensure adherence to good practice. There is arguably no reason to fear failure, and there is a paucity of independent information on the progress of projects.

On major IT schemes there has also been a cultural resistance to accepting objective criticism and a "can-do" approach which has admitted no possibility of failure. This has led to an acceptance within government of high levels of risk, perhaps beyond that which is sensible in some cases.

Without fully understanding the risks or knowing the progress of projects to take advantage of ID cards, Computer Weekly cannot give its unqualified support for large new investments by government departments and agencies to exploit ID cards.

Regular reports to parliament about high-risk IT-enabled projects would at least enable stakeholders, taxpayers and the media to understand how schemes were progressing, to question assumptions and provide a scrutiny that would make it less likely that potential show-stoppers were dismissed internally as teething problems.

Factors critical to success are a reliance on the public service ethos and strong project management principles. But these are not always enough.

An excellent book about technology-related project failures - Inviting Disaster, Lessons from the Edge of Technology by James R Chiles - reveals what went wrong in dozens of major cases. One of its findings is that failures are caused by the organisational "habit of hiding embarrassing news" - a culture of "concealing all problems that might bring on trouble for the organisation".

Computer Weekly sees this happening with worrying regularity on major government IT projects; the playing down of potentially disastrous risks is de rigeur on schemes that are deemed a political necessity.

So far the ID card scheme has been characterised by a lack of openness, honesty and transparency. Information about progress has been published selectively or not at all, and it is not unusual for potentially serious problems to be played down in parliamentary questions, statements to select committees and answers to media questions.

Computer Weekly was being told by the Passport Service and its supplier about the success of a new system to improve the security of passports when, in fact, the scheme was going seriously awry. The tax credits scheme and systems to support the Criminal Records Bureau went ahead amid an underestimation of the risks of failure.

Some important parts of a £6.2bn project to modernise NHS IT are failing to meet expectations. We have evidence that certain risks were played down when the scheme was conceived in early 2002.

Recently the Home Office became the latest department to decline Computer Weekly's application under the Freedom of Information Act for the publication of Gateway reviews. It decided not to publish edited versions of its three Gateway reviews on the ID cards project. It also declined our request to publish risk registers for the project, or edited versions of them. 

Its arguments against the publication of Gateway reviews and risk registers were generalised. Yet Computer Weekly has seen the results of some Gateway reviews and received documents about risk registers from other public authorities under the Freedom of Information Act, so we find it difficult to accept all of the Home Office's arguments.

The criticality of openness to the success of large IT-related projects was highlighted in a 1999 independent report on the financial management of a scheme to develop air traffic control systems at the purpose-built centre at Swanwick in Hampshire. It found, among other things, that the mishandling and suppression of bad news internally had contributed to the project's problems, delays and cost over-runs. Since then, National Air Traffic Services has improved its reporting procedures, but in our experience little has changed within the government in general.

In 1983 the House of Commons Public Accounts Committee warned that departments need to pay closer attention to learning lessons from IT-related disasters. Twenty-one years later, in 2004, a report, Improving IT Procurement issued by the National Audit Office, said the same thing.

In the US, after a succession of large IT-related failures, the Clinton administration introduced legislation specific to the federal government that requires Congress to be kept informed about large IT-related projects that deviate significantly from their original plans. The UK parliament is not so well informed about projects that deviate from the initial objectives.

The NAO investigates only a few mission-critical IT-related projects and programmes each year and its value-for-money investigations, although thorough, are usually carried out on a one-off basis.

So there is no defined means for parliament to know whether most mission-critical projects are progressing well or not.

Transparency, honesty and accountability are not panaceas: they will not bring success, but they make it more likely. In part they would lead to a more realistic approach to serious risks. Projects that should not go ahead may be stopped earlier, before they become overt failures.

Without more transparency, honesty and accountability - and the full support of a system's end-users - it is unlikely that governments will significantly improve their chances of success on complex and large IT projects.

The paucity of objective information on IT-related projects was highlighted by the House of Commons Work and Pensions Committee in a report about the Child Support Agency published in January. The committee concluded, "It is not possible for the committee to make judgements on why the IT contract with the contractor EDS went so badly wrong.

"We have not had access to any of the policy or strategic planning leading to the agreement being signed." Much of the evidence it did receive was, it said, "conflicting".

We are not project managers, nor experts on the implementation of IT schemes. We study projects and report on the common factors that contributed to their success or failure. The most successful projects tend to be smaller-scale ones with clearly defined benefits and the strong support of end-users. The implementation of a case management system by the Crown Prosecution Service is an example of the smaller-scale success. 

The ID cards scheme is a large and complex project, and support for it among end-users in government is not yet known. In the public sector, imposing new technology on end-users rarely succeeds.

ID cards offer a theoretically desirable, secure and reliable means to identify citizens, and are a possible aid to simplification of government IT systems. They could allow government systems to be built around a single identifier, instead of the various numbers used the moment: passport numbers, driving licence numbers, national insurance numbers and NHS numbers. 

But government computer systems are, in general, too complex to allow any radical simplification or modification without significant costs and risks to the service they give the public.

An NAO report - Dealing with the Complexity of the Benefits System - published last month provides good arguments for a simplification of systems, but it warns that the risk and cost of making changes can outweigh the potential benefits.

Computer Weekly is not in a position to give advice on whether government IT systems should be adapted and/or simplified to make use of ID cards, assuming the ID cards scheme itself is successful. We would, however, recommend that the committee request an independent report, commissioned after competitive tender, on the implications for government departments and the wider public sector of ID cards. Otherwise there is a danger of decisions being made on the basis of speculation, or filleted information issued by the Home Office.

We would also urge the government and the committee to publish all information about the progress made with the ID card scheme and any work done by public sector bodies to make use of IDcards. We accept the need for some commercial confidentiality but the Work and Pensions Committee last year, after a thorough investigation of IT projects undertaken by government, found that some departments and agencies were using the cloak of commercial confidentiality to hide problems.

There is even some evidence of secrecy for secrecy's sake. In May, at the government IT summit attended by the deputy information commissioner Francis Aldhouse and other notables, a civil servant went unchallenged when he told the invited audience that he and his colleagues derived pleasure from withholding information from MPs. The disclosure came during a panel discussion about ID cards and identity management. The civil servant made it clear that MPs and others will not find it easy to discover how government IT projects are progressing.

"You may think that posing the question is the easy part. It is not," he said.

"Before the Freedom of Information Act most information was got out of government departments through parliamentary questions. As a civil servant of many years our greatest joy in a day was getting a PQ [parliamentary question] and answering exactly as it was asked, which is a way of answering the question without giving any information."

This brought a ripple of knowing murmurs in the audience. He continued, "Collectively we have centuries of experience of doing thisÉ I actually do know this has gone on in my organisation: when we are looking at Freedom of Information enquiries we are looking at the way the enquirer is asking a question and we are seeking a way to answer that question exactly as asked and thereby withhold information."

Computer Weekly would like to believe that the ID cards scheme will be a success and that it will benefit departments and agencies and ultimately the public. But taking into account the history of large and complex schemes, and the poor quality of information provided to parliament on the progress of schemes, we are not yet in a position to enthuse about its advantages and opportunities.

Read more on IT project management