Monday 8 February 2016

Trust in the Civil Service 1

As Cabinet Secretary and Head of the Civil Service, Sir Jeremy Heywood is one of the most powerful people in the country and three days ago on 5 February 2016 he tackled the question of Trust in the Civil Service:

© Ipsos MORI
According to an Ipsos MORI poll, civil servants are more trusted than journalists and politicians (and estate agents and bankers) and less trusted than policemen, prelates, scientists, teachers and doctors. If you believe Ipsos MORI, or any other pollsters, trust in civil servants has been increasing since 1983 but 45% of people still don't believe a word Sir Jeremy says.
Contents:
On the hook

Cosmetic change
Agile farmers
NPfIT & UC
HMRC
Exemplary
GOV.UK Verify (RIP)
digidentity & the Post Office
GBGroup & the Royal Mail
Privacy
Security
Sir Jeremy's wager

YouGov v. Ipsos MORI

Quis assessiet ipsos assessores?
Or as a real classicist would ask
Quis iudicet ipsos iudicos?
On the hook
There's a long way to go, 45% of the way, before the "integrity, honesty, impartiality and objectivity" of the civil service are reflected in undiluted public trust. How to get there?

Sir Jeremy suggests that among other things openness, efficiency and innovation may help:
We have also become more innovative. Digital has been at the forefront of this, allowing us to provide services that are more efficient, but also shaped around the needs of users. The New Zealand Government has used GOV.UK source code for their own online presence and the Obama Administration has created a US digital service borrowing from our own Government Digital Service (GDS).
He keeps coming back to "digital". On 11 January 2016 he wrote, in Civil Service priorities - what we’ve achieved, and what’s ahead:
World leaders
Our digital capability has continued to go from strength to strength, and Britain is now undoubtedly one of the world leaders in digital government. We have adopted new ideas and a new agile way of working to try to make everything we do more efficient and better for users. The award-winning GOV.UK has received 2 billion visits and reduced running costs by over half. Departments such as HMRC and DWP are becoming truly digital organisations, transformed from where they were only a few years ago. And at the Spending Review, an additional £1.8 billion investment in digital transformation, as well as £450 million specifically for GDS, was announced.
Not just in his blog posts, but in his tweets as well, Sir Jeremy can't keep away from the importance of the digital transformation of government by GDS.

In his review of 2015, there was no room to mention the successes scored by the Ministry of Defence, for example, or the Department of Health or the Department for Work and Pensions or the Department for Education or Her Majesty's Revenue and Customs but there was room for three tweets about GDS:


He's on the hook. He's committed. They've got each other over a barrel. He has deliberately linked his fate and GDS's. Was that wise?

Cosmetic change
Sir Jeremy describes the "award-winning GOV.UK" as a "huge success story". That's not how Tom Loosemore, the ex-deputy director of GDS, sees it:


Agile farmers
Under the heading World leaders, Sir Jeremy endorses agile software engineering as a way to try to "make everything we do more efficient and better for users". He's on thin ice.

The Department for the Environment, Food and Rural Affairs used agile to develop their new Basic Payment Scheme (BPS) for farmers. Mike Bracken, the ex-executive director of GDS said:
I go weekly now. I go to the meeting of the Common Agricultural Policy Reform Group. It's the RPA. It's the Rural Payments Agency.

Why I'm so excited about that is because they've embraced agile completely. They're going with an agile build out of a whole new programme. That's going to affect everyone in this country, and how they deal with land management, all the farmers, all the people who deal with crops, all the data. It's going to create, I think, a data industry around some of that data.

It's going to help us deal with Europe in a different way, and quite rightly we're building it as a platform. It's going to be another example of government as a platform.

I'm on the Board, and I'm trying to help them every week, and GDS will be working very closely with them to deliver that.
BPS failed nonetheless:
A multi-million pound government IT system to process EU subsidy payments for farmers has been largely abandoned following "performance problems".

The system will be re-launched next week with farmers asked to submit Basic Payment Scheme claims on paper forms.

Farmers say they have struggled with the £154m website for months ...
NPfIT & UC
"Departments such as HMRC and DWP are becoming truly digital organisations, transformed from where they were only a few years ago", according to Sir Jeremy.

Is it an accident that he failed to mention the Department of Health and their National Programme for Information Technology (NPfIT)? That really was a world-leading transformation project and when it failed we taxpayers sat quietly by, warming our hands at the bonfire of £11 billion+ wasted.

NPfIT was pre-GDS and pre-agile but we taxpayers are getting ready for another world-leading celebration when we can warm our hands at the Department for Works and Pensions's Universal Credit bonfire. DWP show no signs whatever of becoming a "truly digital organisation".

HMRC
Which makes it so odd that Sir Jeremy places DWP in the same basket as HMRC ...

... because Her Majesty's Revenue and Customs already are on the way to becoming a truly digital organisation.

Pre-GDS and pre-agile, HMRC have had millions of individuals and companies submitting digital returns for 15 years or more using the Government Gateway. HMRC have managed to get all companies submitting their accounts in iXBRL (inline extensible business reporting language, since you ask). And HMRC have managed to deploy RTI, Real Time Information.

Meanwhile GDS couldn't even computerise BPS's 100,000 farmers.

Exemplary
BPS was just one of the 25 public services GDS chose to develop as exemplars. How about the others?

According to Mike Beaven, just before he became the ex-director of transformation at GDS, eight of these exemplar services went live on time. Or 17 of them, if you count services that are still in beta testing as live. Or 20, according to the Conservative Party Manifesto 2015 (p.49) ... It's not easy counting things. As Mr Beaven explained, just before leaving: "The [transformation] programme has ended ... We’re only just beginning" (please see final paragraph).

How did Sir Jeremy choose to make himself dependent on GDS, rather than HMRC? How are GDS supposed to increase trust in the civil service?

GOV.UK Verify (RIP)
It's not just that GDS can't count. They can't even get their lipstick on straight.

HMRC: "It’s not our IT system; it’s the Cabinet Office’s"
Look at GOV.UK Verify (RIP), the national identity management scheme that GDS are trying to foist on the public. So-called "identity providers" will provide us all with an on-line identity and that's what we'll use to transact with government. That's the idea, at least.

First GDS told us that all "identity providers" (also known as "certified companies") must be certified trustworthy before they can work for GOV.UK Verify (RIP), please see Delivering Identity Assurance: You must be certified. Now we're told Some ID providers may not be accredited by GOV.UK Verify [RIP] go live.

If you try to register with GOV.UK Verify (RIP), after a few clicks, you will see this screen:


"There's no charge for this service"? Why do GDS need £450 million then?

"A certified company will verify your identity. They've all met security standards set by government"? No.

Experian and digidentity have been certified. So have Verizon, although they're not deemed trustworthy enough in Germany, where they're banned from any government contract..

But the Post Office haven't been certified. Their application for certification was registered in February 2014 and lapsed a year later in February 2015. Here we are in February 2016 and GDS are still suggesting that the Post Office have been certified.

That is no way to inspire trust.

digidentity & the Post Office
NHS: "People said I don't trust my bank, I don't trust the Post Office, I trust the NHS"
You may choose to be registered by the Post Office. GDS offer you that option. But behind the scenes what actually happens without telling you is that you are registered by digidentity:


Again, no way to inspire trust.

GBGroup & the Royal Mail
DWP: "building a separate ID tool as Verify can’t cut it, whisper sources"
GDS have five other "identity providers" up their sleeve – Barclays, GBGroup, Morpho, Royal Mail and PayPal. GBGroup have a lowly certification, the other four have none.

The GBGroup service that's been certified is called "ID3global" but the service they're offering the public is called "CitizenSafe". Are they the same?

GBGroup are pleased to announce that "the CitizenSafe engine will be embedded into the Royal Mail’s identity assurance process, also accessible as an alternative via GOV.UK Verify [RIP]". Register with the Royal Mail, and you get GBGroup?

No. You get Avoco Secure:
Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily. The UK’s Identity Assurance market is taking shape thanks in part to the Government’s Digital Services Identity Assurance Programme. The goal is to enable trust in the Digital economy and this key win of two e-verification contracts places Avoco and their partners, in a strong position to capitalize on this fast developing market.
Who?

Never mind, it doesn't matter, the point is once again that this is no way to inspire trust.

Privacy
The adult entertainment industry and the Digital Policy Alliance: "looking for more innovative means to verify customers, where possible allowing for the potential for anonymised checks that could remove any possible abuse of confidential and personal details"
"GOV.UK Verify [RIP] is being built by Government Digital Service (GDS), working with government departments, private sector and the Privacy and Consumer Advisory Group", GDS tell us in Introducing GOV.UK Verify [RIP].

PCAG have produced nine Identity Assurance Principles and GDS are committed to abiding by all of them – "GOV.UK Verify [RIP] protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group", please see GOV.UK Verify hub [RIP] - privacy aspects.

GOV.UK Verify (RIP) clearly doesn't abide by principle #7: "I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements". And if you care to check, you'll find that it doesn't abide by the other eight either, please see The non-existent personal-data control-shift (Updated 14.11.14).

Security
Scotland not using GOV.UK Verify (RIP), the Scottish government has its own scheme, myaccount
And then there's the small matter of the security of GOV.UK Verify (RIP). If you've got the heart, you can read about it here, RIP IDA – who knows what they're talking about?, but ...

Sir Jeremy's wager
... the list goes on and that's quite enough to give you some idea just how sticky a wicket Sir Jeremy has chosen to bat on. He says:
To be trusted I believe we must demonstrate to the public who pay our salaries that we are open and accountable, that we are effective and efficient, and that we deliver excellent public services to citizens across the UK.
If that's what he believes, and if he wants the civil service to be more trusted, how on earth in all of his £743 billion empire (p.6) did he light on GDS as his champion?

... would you generally trust them to tell the truth, or not?

----------

Updated 11:20

The Institute for Government have published Trust in time: Trust in civil servants has increased, according to which some pollsters broadly agree with Ipsos MORI's 55% or so figures but YouGov found that trust in senior civil servants in November 2014 stood at only 19%.

The Institute doesn't tackle the question how GDS can provide a platform for trust in the civil service.


Updated 19.2.16

We are indebted to Kainos Software for bringing to everyone's attention an article published 10 days ago by Mark Say, the editor of UKAuthority.com, Verify [RIP] team expects 15 services for go live.

Straight bat throughout, the article does nothing but list the claims made for GOV.UK Verify (RIP). It is what negotiators call a "schedule of representations", a list of claims made by the salesmen during the sales process.

The supplier – in this case the Government Digital Service (GDS) – can be held to that list when it comes to signing the contract, at which point the representations become warranties, with contractual penalties for subsequent non-performance. Or, if the sales director feels that his or her team has perhaps been a little over-enthusiastic, items on the list can be dropped in exchange for a reduction in the consideration.

Kainos are well-placed to spot one area of contention. Mark Say includes the Rural Payments Agency's Basic Payment Scheme in the list of 15 public services that GDS say will be using GOV.UK Verify (RIP) by April 2016.

"Common Agricultural Policy (CAP) digital mapping solution, co-developed by Kainos, wins praise from Defra", as we were all saying back in April 2014. Then it all went pear-shaped, the computer system was withdrawn and now farmers apply on paper for their basic payments. Perhaps GDS would like to reduce "15" in their claim to "14"?

According to Mark Say's article:
Before it goes live, Verify [RIP] will have to pass the service standard assessment in the Government Service Design Manual, but the forecast of the number of services to go live suggests the team is confident of it passing. [Janet] Hughes says the service has already met many of the 18 points of the digital by default service standard.
GOV.UK Verify (RIP) will be uniquely assisted in its assessment. Janet Hughes is not only the Identity Assurance Programme Director. She is also the "Lead assessor for Digital by Default Service Standard Assessments".

"Four companies are already certified", according to the article, repeating what GDS say, "Digidentity, Experian, Post Offfice and Verizon". The Post Office, of course, isn't certified, please see above. Perhaps GDS would like to reduce "four" in their claim to "three"?

The certification in question is for trustworthiness. And it's not just the Post Office which isn't certified trustworthy. The Royal Mail isn't certified either. Neither is Barclays or Morpho. And PayPal hasn't even applied for certification.

"Hughes also reiterates an earlier forecast that the demographic coverage of Verify – the percentage of people expected to use it being able to do so – should hit 90% by April".

This forecast is based on the output from a mathematical model developed by GDS which heroically predicts that the percentage of 16 to 24 year-olds covered by GOV.UK Verify (RIP) will rise from about 40% late last year to about 80% more or less now. Has that happened? Perhaps GDS would like to reduce "80" in their claim?

Over-enthusiastic sales pitches can only dent trust in the civil service. There's a lot for Mark Say to investigate if he cares to. Even if he chooses not to, just recording GDS's schedule of representations is a valuable public service. He is to be thanked. As are Kainos.

No comments:

Post a Comment