
Are you happy paying to help with problem Capita contract?

By Tony Collins

This week, as Barnet residents go to the polls, how many will be influenced by the continuing national and local media coverage of the council’s mass outsourcing deal with Capita?

Barnet’s Capita contracts are a local election issue. The council’s Conservatives and Capita say the outsourcing contracts have saved money and are performing as expected “in many areas”.

But a former local Tory councillor, Sury Khatri, who has been deselected after criticising the Capita contract, described the deal as “disastrous”. Barnet has paid Capita £327m since the deals were signed in 2013. Capita runs council services that range from cemeteries to IT.

Councillor Khatri said, “My time at the council has been overshadowed by the disastrous Capita contract that is falling apart at the seams. Four years on, issues still keep rolling out of the woodwork. This contract represents poor value for money, and the residents are being fleeced.”

Another critic of the Capita contracts is John Dix who blogs as “Mr Reasonable” and is one of several highly respected local bloggers. He has been studying the council’s accounts for some years. He runs a small business and is comfortable with accounts and balance sheets.

He writes,

“I have no problem with outsourcing so long as it is being done for the right reasons. Typically this is where it involves very specialist, non core activities where technical expertise may be difficult to secure and retain in house.

“In Barnet’s case this outsourcing programme covered so many services which were core to the running of the council and which in 2010 were rated as 4 star (good). Barnet has been an experiment in mass outsourcing and almost five years in, it appears to be a failure.

“Last night’s [19 April 2018] audit committee was a litany of service problems, system failures, lack of controls, under performance, a major fraud. Internal audit saying issues were a problem, Capita saying they weren’t.”

Shadow Chancellor John McDonnell has entered the debate. He has applauded Barnet’s Unison branch for its enduring, close scrutiny of the Capita contracts. Unison this week published a report on the deal.

Capita’s share price rises

Earlier this month the national press reported extensively on concerns that Capita would follow Carillion into liquidation.

Since the bad publicity, the company’s announcement of a pre-tax loss of £535m, up from £90m the previous year, £1.2bn of debt and a rights issue to raise £662m after fees by selling new shares at a discount, Capita’s share price has risen steadily, from a low a month ago of about 130p to about 191 yesterday.

Could it be that investors sense that Capita’s long-term future is secure: the company has a wide range of complex and impenetrable public sector contracts where history shows that public sector clients – ruling politicians and officials – will defend Capita more enthusiastically than Capita itself, whatever the facts?

A list of some of Capita’s problem contracts is below the comment.

Comment

Carillion, a facilities management and construction company, collapsed in part because the effects of its failures were usually obvious: it was desperately short of money and new roads and hospitals were left unfinished.

When IT-based outsourcing deals go wrong, the effects are usually more nuanced. Losses can be hidden in balance sheets that can be interpreted in different ways; and when clients’ employees go unpaid, or the army’s Defence Recruiting System has glitches or medical records are lost, the problems will almost always be officially described as teething even if, as in Capita’s NHS contracts, they last for years.

It is spin that rules and protects IT outsourcing contracts in the public sector. Spin hides what’s really going on. It is as integral as projected savings and key performance indicators.

When Somerset County Council signed a mass outsourcing deal with IBM, its ruling councillors boasted of huge savings. When the deal went wrong and was ended early after a legal dispute with IBM, the council announced that bringing the deal in-house would bring large savings: savings either way. Liverpool council said the same thing when it outsourced to BT – setting up a joint venture called Liverpool Direct – and brought services back in-house: savings each time.

Barnet Council is still claiming savings while the council’s auditors are struggling to find them.

Spinmeisters know there is rarely any such thing as a failed public sector IT contract: the worst failures are simply in transition from failure to success. Barnet’s council taxpayers will never know the full truth, whoever is in power.

Even when a council goes bust, the truth is disputed. Critics of spending at Northamptonshire County Council, which has gone bust, blame secretive and dysfunctional management. Officials, ruling councillors and even the National Audit Office blame underfunding.

In March The Times reported that Northamptonshire had paid almost £1m to a consultancy owned by its former chief executive. It also reported that the council’s former director of people, transformation and transactions for services was re-hired on a one-year contract that made her company £185,000 within days of being made redundant in 2016. Her firm was awarded a £650-a-day IT contract that was not advertised.

In the same month, the National Audit Office put Northamptonshire’s difficulties down to underfunding. It conceded that the “precise causes of Northamptonshire’s financial difficulties are not as yet clear”.

Perhaps it’s only investors in Capita who will really know the truth: that the full truth on complex public sector contracts in which IT is central will rarely, if ever, emerge; and although Capita has internal accountability for failures – bonuses, the share price and jobs can be affected – there is no reason for anyone in the public sector to fear failure. No jobs are ever affected. Why not sign a few more big outsourcing deals, for good or ill?

Thank you to FOI campaigners David Orr and Andrew Rowson for information that helped me write this post.

Some of Capita’s problem contracts

There is no definitive list of Capita’s problem contracts. Indeed the Institute for Government’s Associate Director Nick Davies says that poor quality of contract data means the government “doesn’t have a clear picture of who it is buying from and what it is buying”. Here, nevertheless, is a list of some of Capita’s problem contracts in the public sector:

Barnet Council

A Capita spokesperson said: “The partnership between Capita and Barnet Council is performing as expected in many areas. We continue to work closely with the council to make service enhancements as required.”

Birmingham City Council

“The new deal will deliver a mix of services currently provided under the joint venture, plus project based work aimed at providing extra savings, with forecasts of £10 million of savings in the current financial year and £43 million by 2020-21.”

West Sussex County Council

A spokesman said, “Whatever your concerns and small hiccups along the way, I believe this contract has been and will continue to be of great benefit to this county council.”

Hounslow Council

A Capita spokesperson said: “We are working closely with the London Borough of Hounslow to ensure a smooth transition of the pensions administration service to a new provider.”

Breckland Council

“They concluded that planning officers, working for outsourcing company Capita, had misinterpreted a policy, known as DC11, which dictates the amount of outdoor playing space required for a development.”

Army

Mark Francois, a Conservative former defence minister, said Capita was known “universally in the army as Crapita”. But Capita said in a statement,

“Capita is trusted by multiple private and public clients to deliver technology-led customer and business process services, as demonstrated by recent wins and contract extensions from clients including British Gas, Royal Mail, BBC, TfL Networks, M&S and VW.”

Electronic tagging

(but it’s alright now)

A Ministry of Justice spokeswoman said: “As the National Audit Office makes clear, there were challenges in the delivery of the electronic monitoring programme between 2010 and 2015…

“As a direct result, we fundamentally changed our approach in 2015, expanding and strengthening our commercial teams and bringing responsibility for oversight of the programme in-house.

“We are now in a strong position to continue improving confidence in the new service and providing better value for money for the taxpayer.”

Disability benefits

A spokesperson for the Department for Work and Pensions said, “Assessments work for the majority of people, with 83 per cent of ESA claimants and 76 per cent of PIP claimants telling us that they’re happy with their overall experience…”

Miners

A Capita spokesperson said: “This issue has been resolved and all members affected will shortly receive letters to advise that they do not need to take any action. We sincerely apologise for any concern and inconvenience this has caused.”

NHS

Opticians

Dentists

BBC licence fee

Windrush


Ministers told of major problem on Capita NHS contract more than a year later

By Tony Collins

Today’s Financial Times and other newspapers cover a National Audit Office report into GP clinical notes and correspondence, some of it urgent, that was not directed to the patient’s GP.

The correspondence was archived by Capita under its contract to provide GP support services. But patient notes were still “live”. They included patient invitation letters, treatment/diagnosis notes, test results and documents/referrals marked ‘urgent’.

What isn’t well reported is that ministers were left in the dark about the problems for more than a year. The National Audit Office does not blame anyone – its remit does not include questioning policy decisions – but its report is impressive in its setting out of the facts.

Before NHS England outsourced GP support services to Capita in 2015, GP practices sent correspondence for patients who were not registered at their practice to local primary care services centres, which would attempt to redirect the mail.

By the time Capita took over GP support services on 1 September 2015, GPs were supposed to “return to sender” any correspondence that was sent to them incorrectly – and not send it to primary care services centres that were now run, in part, by Capita.

But some GPs continued to send incorrectly-addressed correspondence to the primary care services centres. Capita’s contract did not require it to redirect clinical correspondence.

An unknown number of GP practices continued to send mail to the centres, expecting the centre’s staff to redirect it. A further complication was that Capita had “transformation” plans to cut costs by closing the primary care services support centres.

Capita made an inventory of all records at each site and shared this with NHS England. The inventories made reference to ‘clinical notes’ but at this point no one identified these notes as live clinical correspondence. Capita stored the correspondence in its archive.

In line with its contract, Capita did not forward the mail. It was not until May 2016 – eight months after Capita took over the primary care services centres – that Capita told a member of NHS England’s primary care support team that there was a problem with an unquantified accumulation of clinical notes.

It was a further five months before Capita formally reported the incident to NHS England. At that time Capita estimated that there was an accumulation of hundreds of thousands of clinical notes. When the National Audit Office questioned Capita on the matter, it replied that, with hindsight, it believes it could have reported the backlog sooner.

In November 2016, Capita and NHS England carried out initial checks on the reported backlog of 580,000 clinical notes. It wasn’t until December 2016 that ministers were informed of problems – more than a year after Capita took over the contract.

Even in December 2016 ministers were not fully informed. Information about a backlog of live clinical notes was within a number of items in the quarterly ministerial reports. NHS England did not report the matter to the Department of Health until April 2017 – about two years after the problems began.

Even then, officials told ministers that clinical notes had been sampled and were considered “low clinical and patient risk”. But a later study by NHS England’s National Incident Team identified a backlog of 1,811 high priority patient notes such as documents deemed to be related to screening or urgent test results.

The National Audit Office says, “NHS England expects to know by March 2018 whether there has been any harm to patients as a result of the delay in redirecting correspondence. NHS England will investigate further where GPs have identified that there could be potential harm to patients. The review will be led by NHS England’s national clinical directors, with consultant level input where required.”

Last month Richard Vautrey, chairman of the British Medical Association’s General Practitioners Committee, wrote to the NHS Chief Executive Simon Stevens criticising a lack of substantial improvement on Capita’s contract to run primary care service centres.

In December, the GP Committee surveyed practices and individual GPs on the Capita contract. The results showed a little improvement across all service lines, when compared to its previous survey in October 2016, but a “significant deterioration” in some services. Vautrey’s letter said,

“While any new organisation takes time to take over services effectively, the situation has gone from bad to worse since Capita took over the PCSE [Primary Care Support England] service almost two and a half years ago …

“This situation is completely unacceptable. As a result of the lack of improvement in the service delivery of PCSE we are now left with no option but to support practices and individual doctors in taking legal routes to seek resolution. While this is taking place, we believe it is imperative that NHS England conducts a transparent and comprehensive review of all policy, procedures and processes used by PCSE across each service line.”

Comment:

It’ll be clear to some who read the NAO report that the problems with urgent patient notes going astray or being put mistakenly into storage stem from NHS England’s decision to outsource a complex range of GP support services without fully considering – or caring about – what could go wrong.

It’s not yet known if patients have come to harm. It’s clear, though, that patients have been caught in the middle of a major administrative blunder that has complex causes and for which nobody in particular can be held responsible.

That ministers learned of a major failure on a public sector outsourcing deal over a year after live patient notes began to be archived is not surprising.

About four million civil and public servants have strict rules governing confidentiality. There are no requirements for civil and public service openness except when it comes to the Freedom of Information Act which many officials can – and do – easily circumvent.

Even today, the fourth year of Capita’s contract to run GP support services, the implications for patients of what has gone wrong are not yet fully known or understood.

It’s a familiar story: a public sector blunder for which nobody will take responsibility, about which nobody in particular seems to care, and for which the preoccupation of officialdom will be to continue playing down the implications or not say anything at all.

Why would they be open when there is no effective requirement for it? It’s a truism that serious problems cannot be fixed until they are admitted. In the public sector, serious problems on large IT-related contracts are not usually fixed until the seriousness of the problems can no longer be denied.

For hundreds of years UK governments have struggled to reconcile a theoretical desire for openness with an instinctive and institutional need to hide mistakes. Nothing is likely to change now.

National Audit Office report – Investigation into clinical correspondence handling in the NHS.

Companies nervous over HMRC customs IT deadline?

By Tony Collins

This Computer Weekly article in 1994 was about the much-delayed customs system CHIEF. Will its CDS replacement that’s being built for the post-Brexit customs regime also be delayed by years?

The Financial Times reported this week that UK companies are nervous over a deadline next year for the introduction of a new customs system three months before Brexit.

HMRC’s existing customs system CHIEF (Customs Handling of Import Export Freight) copes well with about 100 million transactions a year. It’s expected that a £157m replacement system using software from IBM and European Dynamics will have to handle about 255 million transactions, with many more complexities and interdependencies than the existing system.

If the new system fails post-Brexit and CHIEF cannot be adapted to cope, it could be disastrous for companies that import and export freight. A post-Brexit failure could also have a serious impact on the UK economy and the collection of billions of pounds in VAT, according to the National Audit Office.

The FT quoted me on Monday as calling for an independent review of the new customs system by an outside body.

I told the FT of my concern that officials will, at times, tell ministers what they want to hear. Only a fully independent review of the new customs system (as opposed to a comfortable internal review conducted by the Infrastructure and Projects Authority) would stand a chance of revealing whether the new customs system was likely to work on time and whether smaller and medium-sized companies handling freight had been adequately consulted and would be able to integrate the new system into their own technology.

The National Audit Office reported last year that HMRC has a well-established forum for engaging with some stakeholders but has

“significant gaps in its knowledge of important groups. In particular it needs to know more about the number and needs of the smaller and less established traders who might be affected by the customs changes for the first time”.

The National Audit Office said that the new system will need to cope with 180,000 new traders who will use the system for the first time after Brexit, in addition to the 141,000 traders who currently make customs declarations for trade outside the EU.

The introduction in 1994 of CHIEF was labelled a disaster at the time by some traders, in part because it was designed and developed without their close involvement. CHIEF was eventually accepted and is now much liked – though it’s 24 years old.

Involve end-users – or risk failure

Lack of involvement of prospective end-users is a common factor in government IT disasters. It happened on the Universal Credit IT programme, which turned out to be a failure in its early years, and on the £10bn National Programme for IT which was dismantled in 2010. Billions of pounds were wasted.

The FT quoted me as saying that the chances of the new customs system CDS (Customs Declaration Service) doing all the things that traders need it to do from day one are almost nil.

The FT quotes one trader as saying,

“HMRC is introducing a massive new programme at what is already a critical time. It would be a complex undertaking at the best of times but proceeding with it at this very moment feels like a high stakes gamble.”

HMRC has been preparing to replace CHIEF with CDS since 2013. Its civil servants say that the use of the SAFe agile methodology when combined with the skills and capabilities of its staff mean that programme risks and issues will be effectively managed.

But, like other government departments, HMRC does not publish its reports on the state of major IT-related projects and programmes. One risk, then, is that ministers may not know the full truth until a disaster is imminent.

In the meantime ministerial confidence is likely to remain high.

Learning from past mistakes?

HMRC has a mixed record on learning from past failures of big government IT-based projects. Taking some of the lessons from “Crash”, these are the best things about the new customs project:

  • It’s designed to be simple to use – a rarity for a government IT system. Last year HMRC reduced the number of system features it plans to implement from 968 to 519. It considered that there were many duplicated and redundant features listed in its programme backlog.
  • The SAFe agile methodology HMRC is using is supposed to help organisations implement large-scale, business-critical systems in the shortest possible time.
  • HMRC is directly managing the technical development and is carrying out this work using its own resources, independent contractors and the resources of its government technology company, RCDTS. Last year it had about 200 people working on the IT programme.

These are the potentially bad things:

  • It’s not HMRC’s fault but it doesn’t know how much work is going to be involved because talks over the post-Brexit customs regime are ongoing.
  • It’s accepted in IT project management that a big bang go-live is not a good idea. The new Customs Declaration Service is due to go live in January 2019, three months before Britain is due to leave the EU. The CHIEF system was commissioned from BT in 1989 and its scheduled go-live was delayed by two years. Could CDS be delayed by two years as well? In pre-live trials CHIEF rejected hundreds of test customs declarations for no obvious reason.
  • The new service will use, at its core, commercially available software (from IBM) to manage customs declarations and software (from European Dynamics) to calculate tariffs. The use of software packages is a good idea – but not if they need large-scale modification. Tampering with proven packages is a much riskier strategy than developing software from scratch. The new system will need to integrate with other HMRC systems and a range of third-party systems. It will need to provide information to 85 systems across 26 other government bodies.
  • If a software package works well in another country it almost certainly won’t work when deployed by the UK government. Core software in the new system uses a customs declaration management component that works well in the Netherlands but is not integrated with other systems, as it would be required to be in HMRC, and handles only 14 million declarations each year.
  • The IBM component has been tested in laboratory conditions to cope with 180 million declarations, but the UK may need to process 255 million declarations each year.
  • Testing software in laboratory conditions will give you little idea of whether it will work in the field. This was one of the costly lessons from the NHS IT programme NPfIT.
  • The National Audit Office said in a report last year that HMRC’s contingency plans were under-developed and that there were “significant gaps in staff resources”.

Comment

HMRC has an impressive new CIO, Jackie Wright, but whether she will have the freedom to work within Whitehall’s restrictive practices is uncertain. It seems that the more talented the CIO the more they’re made to feel like outsiders by senior civil servants who haven’t worked in the private sector. It’s a pity that some of the best CIOs don’t usually last long in Whitehall.

Meanwhile HMRC’s top civil servants and IT specialists seem to be confident that CDS, the new customs system, will work on time. Their confidence is not reassuring. Ministers and civil servants publicly and repeatedly expressed confidence that Universal Credit would be fully rolled out by the end of 2017. Now it’s running five years late. The NHS IT programme NPfIT was to have been rolled out by 2015. By 2010 it was dismantled as hopeless.

With some important exceptions, Whitehall’s track record on IT-related projects is poor – and that’s when what is needed is known. Brexit is still being negotiated. How can anyone build a new bridge when you’re not sure how long it’ll need to be and what the many and varied external stresses will be?

If the new or existing systems cannot cope with customs declarations after Brexit it may not be the fault of HMRC. But that’ll be little comfort for the hundreds of thousands of traders whose businesses rely, in part, on a speedy and efficient customs service.

FT article – UK companies nervous over deadline for new Customs system

Goodnewspeak and its Orwellian dark side

By Tony Collins

Orwell made no mention of goodnewspeak. But maybe today it’s an increasingly popular descendant of Newspeak – a language devised by Orwell to show how the State could use words and phrases to limit thought.

This week, as a statue of Orwell was unveiled outside the BBC, a local council in Sussex made an announcement that was a fine example of goodnewspeak.

This was Horsham District Council’s way of not saying that it was scrapping weekly rubbish collections.

This was the benign side of goodnewspeak. The dark side is a growing acceptance in Whitehall, local authorities and the wider public sector that nothing negative can be thought of let alone expressed at work.

This suppression of negative thoughts means that the rollout of Universal Credit can be said officially to be going well and can be speeded up despite the clamour from outsiders, including a former Prime Minister (John Major), for a rethink to consider the problems and delays.

[Labour MP Frank Field said last month that the DWP was withholding bad news on Universal Credit.]

It means that the Department for Business, Energy and Industrial Strategy can continue to praise all aspects of its smart meters rollout while its officials keep silent on the fact that the obsolescent smart meters now being installed do not work properly when the householder switches supplier.

It means that council employees can think only good about their major IT suppliers – and trust them with the council’s finances as at Barnet council.

[Nobody at Barnet council has pointed out the potential for a conflict of interest in having outsourcing supplier Capita reporting on the council’s finances while having a financial interest in those finances. It took a local blogger Mr Reasonable to make the point.]

Goodnewspeak can also mean that public servants do their best, within the law, to avoid outside scrutiny that could otherwise lead to criticism, as at Lambeth council.

Last month Private Eye reported the results of a “People’s Audit” in which local residents asked questions and scrutinised the authority’s accounts. The audit found that:

– The number of managers earning between £50,000 and £150,000 has increased by 88, at a cost of more than £5.5m a year.
– Spending on Lambeth’s new town hall has gone from a projected £50m to £140m.
– The council “invested” a total of £57,000 on its public libraries last year – closing three of them – while spending £13m on corporate office accommodation.
– £10.3m was spent making people redundant.

These disclosures (and there are many more of them) raise the question of what Lambeth is doing to dispel the impression that it manages public money badly and that its decisions could be routine in the world of local authorities.

Lambeth council’s reaction to the audit was to denounce it and issue its own goodnewspeak statement; and it is considering a proposal to lobby the government to allow councils to ban such People’s Audits in future.

Lambeth’s website, incidentally, is entitled “Love Lambeth”. Which, perhaps, shows that its leaders have, at least, a deep sense of irony.

Whitehall

The following lists of announcements on the websites of the Department for Work and Pensions and the Department of Transport are examples of how goodnewspeak manifests itself in Whitehall:

And the Department of Transport’s website:

Ministry of Truth

Orwell wrote in Nineteen Eighty-Four of the Ministry of Truth whose expertise was lying, the Ministry of Peace which organised wars and the Ministry of Plenty which rationed food.

Some of the Party’s slogans were:

War is peace.
Freedom is slavery.
Ignorance is strength.

And Orwell, whose wife worked at the Ministry of Information at Senate House, London (Orwell’s model for the Ministry of Truth) said,

“If you want to keep a secret, you must also hide it from yourself.”

Comment

Of course goodnewspeak doesn’t exist as a policy anywhere. But its practice is all-pervasive in the public sector. And it seems to change the way people think when they’re at work.

It blocks out any view other than the official line.

In Nineteen Eighty-Four, Orwell created “Newspeak” as a language of the Party to coerce the public to shape their thoughts around the State’s beliefs. Its much-reduced vocabulary stopped people conceiving of any other point of view.

Not using Newspeak was a thoughtcrime. The Party advocated Duckspeak – to speak without thinking – literally quack like a duck.

Has this already happened in a minor way at Barnet? A council document on the benefits of its outsourcing policies was peppered with abstractions that could have been constructed by software-driven random-phrase generators:

“Ahead of the game”
“Top to bottom organisational restructure”
“Flexibility to meet future challenges whilst ensuring we provide excellent services to residents today.”
“Root of our success”
“New solutions to complex problems”
“Pioneering partnerships”
“Investing for the future”
“Protect what makes Barnet such a great place to live”
“Increasing resident satisfaction”
“Paying dividends”
“Prepared for the future”
“Great strides”
“A radical, ‘whole place’ approach to designing and providing services”
“We have not been backwards in coming forwards”
“Pursuing alternatives to the norm”
“Vision into reality”
“Frame our future strategic direction”
“Future Shape”
“Drivers for change”
“Genuine innovation in Local Government”
“Bold in its decision making”
“Forward looking change strategy”
“A new relationship with citizens”
“A one public sector approach”
“A relentless drive for efficiency”
“Focus on stimulating the market”
“‘Best in class’ range of tradable services to win and deliver work for other authorities.”
“‘Form follows function’.”
“Clear roles and responsibilities”
“An internal escalation model”
“Renewed focus on improving engagement”
“Increasing transparency, and developing trust”
“Connect with people and build relationships of trust”
“A steep demand line to climb”

Dark side

One worrying consequence is that Whitehall civil servants and public servants and ruling councillors at, say, Barnet and Somerset councils (and even at Cornwall), made the assumption that their IT suppliers shared the public sector’s goodnewspeak philosophy.

But suppliers are commercially savvy. They don’t exist purely to serve the public. They have to make a profit or they risk insolvency.

For years, goodnewspeak at Somerset County Council led to officers and councillors regularly praising the successes of a joint venture with IBM while covering up the problems and losses, in part by routine refusals of FOI requests.

Goodnewspeak at Liverpool Council meant that its officials had nothing but praise for BT when they ended a joint venture in 2015. They said that ending the joint venture would save £30m. But the joint venture itself was supposed to have saved tens of millions.

Somerset County Council made a similar good news announcement when it terminated its joint venture Southwest One with IBM.

Such announcements are consistent with Newspeak’s “Doublethink” – the act of simultaneously accepting two mutually contradictory beliefs as correct.

DWP

Outsiders can find goodnewspeak shocking. The Daily Mirror reported on how the DWP celebrated the rollout of Universal Credit at Hove, Sussex, with a cake. Were managers mindful of the fact that some failed UC claimants have been driven to the brink of suicide?

Disillusioned

Francis Maude, when minister for the Cabinet Office, was almost universally disliked in the civil service. He was an outsider who did not accept the Whitehall culture.  Even though he believed the UK had the best civil service in the world, he did not always show it.

He tried to reduce Whitehall spending on IT projects and programmes that could not be justified. He spoke of an IT supplier oligopoly.

Now he has left government, most of his civil service reforms (apart from the Government Digital Service) have settled back to how they were before he arrived in 2010.

In a speech last month, Maude spoke of a “distressing” disillusionment with the civil service culture. He said:

“Based on my experience as a Minister in the eighties and early nineties my expectations (of the civil service) were high. And the disillusionment was steep and distressing.

“It remains my view that we have some of the  very best civil servants in the world … But the Civil Service as an institution is deeply flawed, and in urgent need of radical reform.

“And it is civil servants themselves, especially the younger ones, who are most frustrated by the Service and its culture and practices.”

World’s best civil service

He added that, as the new minister responsible for the civil service, every draft speech or article presented to him started: ‘The British Civil Service is the best in the world.’

But complaints by ministers in all parties about the lack of institutional capability, inefficiency and failed implementation were legion, he said.

“When we queried the evidential basis for this assertion, it turned out that the only relevant assessment was a World Bank ranking for ‘government effectiveness’, in which the UK ranked number 16.”

Speaking the unsaid

Perhaps more than any former minister, Maude has expertly summarised the civil service culture but in a way that suggests it’s unredeemable.

“I and others have observed that all too often the first reaction of the Civil Service when something wrong is discovered is either to cover it up or to find a scapegoat, often someone who is not a career civil servant and who is considered dispensable.

“There seems to be an absolute determination to avoid any evidence that the permanent Civil Service is capable of failure.

“Another indicator is that if a Minister decides that a Civil Service leader is not equipped for his or her task, this has to be dressed up as “a breakdown in the relationship”, with the unspoken suggestion that this is at least as much the fault of the Minister as of the civil servant.

“It can never be admitted that the mandarin was inadequate in any way.

“When I suggested that there might be room for improvement, the distinguished former Civil Service Head, Lord Butler, accused me of a failure of leadership. Actually the leadership failure is to pretend that all is well when no one, even civil servants themselves, really believes that.”

The good news

All is not lost – thanks to a vibrant and investigative local press in some areas and resident auditors such as Mr Reasonable, Mrs Angry, David Orr, Andrew Rowson and the people’s auditors in Lambeth.

Along with the National Audit Office and some MPs, these resident auditors are the only effective check on goodnewspeak. They are a reminder to complacent officialdom that it cannot always hide behind its barrier of unaccountability.

Long may these dogged protectors of the public interest continue to highlight financial mismanagement, excess and self-indulgent, wasteful decisions.

Earlier this year Nineteen Eighty-Four hit the No 1 spot in Amazon’s book sales chart.

Perhaps copies were being scooped up by shortlisted candidates for top public sector jobs as vital homework before falling in with the culture at their interviews.

**

Outside the BBC, Orwell’s new statue is inscribed with a quotation from a proposed preface to Animal Farm that was never used:

“If liberty means anything at all, it means the right to tell people what they do not want to hear.”

Thank you to David Orr, one of the dogged local resident auditors referred to above, for drawing my attention to some of the articles mentioned in this post.

DWP good news announcements

Newspeak

Whitewashing history in education

 

Capita under fire again over GP support contract – but NHS England praises “improvements”

By Tony Collins

Hundreds of trainee GPs have not received their salaries from Capita, which is under contract to pay them, reports The Guardian.

Some of the trainees have applied for emergency funds from The Cameron Fund, a charity for the prevention of hardship among GPs and their dependents.

Capita administers training grants for GPs under its wide-ranging £1bn contract with NHS England to provide primary care services.

In November 2016 the then Health minister Nicola Blackwood described failings on Capita’s GP support contract as “entirely unacceptable”. 

She said Capita had inadequately prepared for delivering a “complex transition”.

In response, Capita said it was adding the full-time equivalent of 500 extra staff on the contract.

But in February 2017, after continuing complaints,  the Health Secretary Jeremy Hunt said he would be prepared to end Capita’s contract if necessary.

Since then, though, NHS England has praised “improvements” in the contract, according to Pulse.

Yesterday The Guardian reported extracts from a letter the British Medical Association sent to NHS England on 30 October 2017.

It said some GP practices were “having to pay trainees out of already overstretched practice budgets, or trainees are going months without being paid if the practice cannot cover the shortfall”.

Capita confirmed it had outstanding payments to some trainee GPs but was unable to say how many it is responsible for paying, or how many it has not paid.

It said that it had not received all the information it needed to pay salaries from the relevant employers. A Capita spokesperson told The Guardian that the problems were an inevitable part of “a major transformation project to modernise a localised and unstandardised service”.

It added: “We have made significant investment to deliver improvements and these have been recognised by NHS England and demonstrated through improved service performance and improved customer satisfaction.”

The Cameron Fund’s treasurer Dr David Wrigley described the outsourcing of GP support services as a “botched privatisation”.

“NHS England has commissioned out what was a very efficient service run within the NHS, and now Capita runs this contract in what I’d call another botched privatisation.”

One trainee GP went unpaid for two consecutive months. At the end of October she posted on a private message board for GPs: “Anyone know of how I access hardship funds (quickly) to feed children/pay nursery/mortgage (quickly)?”

Her surgery gave her a loan last month to tide her over but did not have enough surplus funds to do the same thing again.

She said that in the last 24 hours partners have stepped forward and have all taken a pay cut to provide a loan “to get me through the month as they were worried about my family”.

An NHS England spokesperson said it was “holding Capita’s feet to the fire on needed improvements”.

It added: “In the meantime, the lead employer for Health Education England or the GP practice are responsible for paying their GP trainee salaries and are subsequently reimbursed for this. Backlogs are being prioritised by Capita.”

The BMA’s letter to the NHS chief executive Simon Stevens criticises Capita.

“We are disappointed at the lack of progress that has been made … These issues have been ongoing since NHS England commissioned Capita … and it is unacceptable that more progress has not been made to getting these resolved …”

Wrigley wants the House of Commons’ public accounts committee to investigate the contract.

“NHS England have known about this for a while and the BMA has been putting constant pressure on, and it’s all promises that it’ll get better but it doesn’t.”

New systems for cervical screening and GP payments and pensions that are also contracted out to Capita are due to go live next July. The BMA has told NHS England that it has “no confidence” in Capita’s ability to deliver the services.

Comment

It’s possible to have some sympathy for Capita which has the daunting task of trying to standardize a wide range of systems for supporting disparate GP support services.

But, as Campaign4Change has reported many times on Barnet Council’s Capita outsourcing contract, it can be difficult if not impossible to make huge savings in the cost of running services (£40m in the case of the GP support contract), deliver an IT-based transformation based on new investment and provide a healthy profit for the supplier’s shareholders while at the same time making internal efficiency savings.

Capita’s share price is relatively low and under continuing pressure but is holding up reasonably well given the company’s varied problems.

Still, we wonder whether the company can afford to put large sums into sorting out problems on the GP support contract, at Barnet Council and on other well-publicised contracts?

The MoD has ended a Capita contract early, the company faces litigation from the Co-op and its staff are staging nine days of strikes over pensions.

Who’s to blame?

If anyone is to blame in this NHS saga it is NHS England for not fully understanding the scale and complexity of the challenges when it outsourced to Capita.

The first rule of outsourcing is: Don’t outsource a problem.

Doctors warned NHS England against signing the contract. Under financial pressure to do so – it needed the promised savings  – NHS England’s public servants signed the deal.

Those public servants will not be held accountable for their decision. In which case, what’s to stop public and civil servants making the wrong decisions time and again?

Two further questions:

Is NHS England too close to Capita to see the faults?

Do public servants have a vested interest in not criticising their outsourcing suppliers, in case opprobrium falls on both parties? 

Thank you to Zara Pradyer for drawing my attention to the Guardian article.

Hundreds of trainee GPs facing hardship as outsourcing firm Capita fails to pay – The Guardian.

 

Did Gauke and Couling break free today of DWP “good news” stance on Universal Credit rollout?

By Tony Collins

Two leaders of the Universal Credit rollout, David Gauke and Neil Couling, faced MPs’ questioning this morning on problems with the rollout of Universal Credit.

They were asked, among other things, about excessive delays in payments and payments made on the basis of incorrect data.

Gauke and Couling appeared before the work and pensions committee. There is also a Commons debate today on the Universal Credit rollout.

Gauke, the work and pensions secretary, and civil servant Neil Couling, Director General of Universal Credit, are known to resent criticism of the Universal Credit programme or its rollout.

Couling tweeted last week, in response to academic Jonathan Portes:

But MPs on the work and pensions committee, particularly its chairman Frank Field,  are sensitive to the DWP’s “good news” culture.

Field is reported to have said he suspected that ministers had only pressed ahead with the accelerated rollout of universal credit this month because civil servants at the Department for Work and Pensions had withheld the true scale of the problems.

Field said:

“Given everything we have heard, I was surprised that David Gauke opted to proceed with the accelerated rollout.

“I strongly suspect his decision, together with the failure to tell us anything, reflects a culture at the DWP of those most invested in universal credit not telling anyone, including their ministers, bad news.”

In its 2013 report “Universal Credit Early Progress”, the National Audit Office said,

“Both the Major Projects Authority [now the Infrastructure and Projects Authority] and a supplier-led review in mid-2012 identified problems with staff culture; including a ‘fortress mentality’ within the programme.

“The latter also reported there was a culture of ‘good news’ reporting that limited open discussion of risks and stifled challenge.”

BBC Radio 4’s Today programme heard this morning (18 October 2017) that a Universal Credit claimant who’d been the victim of “mistake after mistake” on his claim had threatened to take his own life and police had been called.

Update:

Gauke and Couling told the work and pensions committee this morning that the rollout may be paused in January 2018 as part of the department’s test and learn philosophy. They called it a “fire-break”. Couling said the rollout was paused in February 2016 for two months and “nobody noticed”.

He added that he was prepared to advise his minister, the Treasury and the prime minister to pause the rollout whenever the “evidence merits”.

Gauke said the advantages of the Universal Credit system were such a “prize” that there was a cost to slowing down the rollout. “It can transform lives and my determination is to deliver this successfully,” said Gauke.

Gauke and Couling told MPs that the rollout was working successfully. Neither expressed any criticisms of the programme or the rollout; and neither accepted the many criticisms of the programme made by the committee’s MPs. At one point, Couling helpfully suggested to the committee some of the questions they “should” have been asking.

Where there were problems it was outside the DWP’s control – because of information supplied, or not supplied, by claimants or employers. The real-time information supplied to DWP by HM Revenue and Customs was only as good as the information provided to HMRC by employers.

Comment:

There’s universal support for the idea of Universal Credit. But there is almost universal criticism of the way it is being rolled out. Critics of the rollout also find it difficult to understand the DWP’s continuing refusal to accept that there are any serious problems.

For decades the DWP and its predecessor the Department of Social Security have been culturally unable to accept criticism of any of their big IT-based projects and programmes, even after a project was aborted.

One DWP director last year used the word “paranoid” when referring to her colleagues and their concerns about leaks of any bad news on the Universal Credit programme.

The DWP routinely declines FOI requests to publish its performance reviews on the Universal Credit programme. This lack of official information on the DWP’s performance leaves officials and ministers free to say that criticism of the programme is subjective or anecdotal.

Stephen Crabb was one of the few politicians who have ever made a difference to the DWP’s closed culture of secrecy and defensiveness. He ordered that internal reports on the risks and progress of the Universal Credit programme be released, against the advice of his civil servants. But Crabb didn’t stay long.

And the “good news” culture has returned, as unremitting as ever. Will any minister or civil servant be able to change the DWP’s “good news” culture?

Probably not.

The DWP’s permanent secretary Robert Devereux is retiring in January 2018, which will open the door to a successor who could try and change the department’s defensive culture.

It’s more likely, however, that Devereux’s replacement will be chosen on the basis that he or she will be a “safe pair of hands” which, in civil service terms, means a staunch defender of the department, its performance, all it is doing and the civil service in general.

However many independent voices call for a brake on the Universal Credit rollout, it seems inevitable that the DWP’s mandarins (and their pliant ministers) will carry on doing whatever they can justify to themselves.

The DWP hasn’t let humility or democratic openness get in the way before. Why would it give in to them now?

 

Whitehall renews facade of openness on major IT projects

By Tony Collins

Headlines yesterday on the state of major government IT projects were mixed.

Government Computing said,

“IPA: Whitehall major projects show ‘slow and steady’ delivery improvement”

Computer Weekly said,

“Government IT projects improving – but several still in doubt”

The Register said,

“One-quarter of UK.gov IT projects at high risk of failure – Digital borders, digital tax and raft of MoJ projects singled out”

The headlines were prompted by the Infrastructure and Projects Authority’s annual report which was published yesterday.

The report listed the RAG – red/amber/green – status of each of 143 major projects in the government’s  £455bn major projects portfolio. Thirty-nine of these are ICT projects, worth a total of £18.6bn.

Publication of the projects’ red/amber/green status – called the “Delivery Confidence Assessment” – seemed a sign that the government was being open over the state of its major IT and other projects.

A reversal of decades of secrecy over the progress or otherwise of major IT projects and programmes?

In a foreword to the Infrastructure and Project Authority’s report, two ministers referred twice to the government’s commitment to openness and accountability.

MP Caroline Nokes, Cabinet Office minister, and MP Andrew Jones, a Treasury minister, said in their joint foreword,

“The government is also committed to transparency, and to being responsive and accountable to the public we serve.

“Accordingly, we have collected and published this data consistently over the past five years, enabling us to track the progress of projects on the GMPP [Government Major Projects Portfolio] over time.

“We will continue to be responsive and accountable to the public.”

But the report says nothing about the current state of major IT projects. The delivery confidence assessments are dated September 2016. They are 10 months out of date.

This is because senior civil servants – some of whom may be the “dinosaurs” that former minister Francis Maude referred to last month – have refused to allow politicians to publish the red/amber/green status of major projects (including the Universal Credit programme and the smart meters rollout) unless the information, when published, is at least six months old.

[Perhaps one reason is to give departmental and agency press officers an opportunity to respond to journalists’ questions by saying that the red, red/amber or amber status of a particular major project is out of date.]

Amber – but why?

An amber rating means that “successful delivery appears feasible but significant issues already exist” though any problems “appear resolvable”.

In September 2016 the Universal Credit programme was at amber but we don’t know why. Neither the IPA nor the Department for Work and Pensions mention any of the “issues”.

The £11bn smart meters rollout is also at amber and again we don’t know why. Neither the IPA nor the Department for Business, Energy and Industrial Strategy mention any of the “issues”. Permanent secretaries are allowed to keep under wraps the IPA’s reasons for the red/amber/green assessments.

Even FOI requests for basic project information have been refused.  Computer Weekly said,

“Costs for the Verify programme were also withheld from the IPA report, again citing exemptions under FOI.”

Comment

The senior civil servants who, in practice, set the rules for what the Infrastructure and Projects Authority can and cannot publish on major government projects and programmes are likely to be the “dinosaurs” that former Cabinet Office minister Francis Maude referred to last month.

Maude said that Whitehall reforms require that new ministers “face down the obstruction and prevarication from the self-interested dinosaur tendency in the mandarinate.”

Clearly that hasn’t happened yet.

The real information about Universal Credit’s progress and problems will come not from the Infrastructure and Projects Authority – or the Department for Work and Pensions – but from local authorities, housing associations, landlord organisations, charities and consumer groups such as the Citizens Advice Bureau (which has called for Universal Credit to be halted), the local press, the National Audit Office and Parliamentary committees such as the Public Accounts Committee and Work and Pensions Committee.

On the smart meter rollout, the real information will come not from the Infrastructure and Projects Authority – or the Department for Business, Energy and Industrial Strategy – but from business journalist Paul Lewis, consumer advocate Martin Lewis, business organisations such as the Institute of Directors, experts such as Nick Hunn, the Energy and Climate Change Committee and even energy companies such as EDF.

Much of this “real” information will almost certainly be denied by Whitehall press officers. They’ll be briefed by senior officials to give business journalists only selected “good news” facts on a project’s progress and costs.

All of this means that the Infrastructure and Projects Authority may have good advice for departments and agencies on how to avoid project failures – and its tact and deference will be welcomed by permanent secretaries – but it’s likely the IPA will be all but useless in providing early warnings to Parliament and the public of incipient project disasters.

Ministers and some senior civil servants talk regularly about the government’s commitment to openness and accountability. When will it start applying to major government IT projects?

 

UK.gov watchdog didn’t red flag any IT projects. And that alone should be a red flag to everyone

 

 

 

 

Aftermath of the cyber attack – will ministers learn the wrong lessons?

By Tony Collins

At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib-dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

Similarly the government-commissioned Wachter review “Making IT Work: Harnessing the Power of Health Information Technology to Improve Care in England” made no mention of Windows XP or any operating system – perhaps because ministers were much more likely to welcome a review of NHS IT that focused on innovation and new technologies.

Cancer treatments postponed

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his blood stream –  when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 May 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter –  asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security.  He is a member of the GCHQ board and its senior information risk owner.  He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be a “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials  emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack.  He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

 “NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most of the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

  • Do not properly segment their networks
  • Allow workstations to openly and freely connect to each other in a trusted zone.
  • Do not have a proper patch / update management regime
  • Do not firewall legacy systems
  • Don’t have basic ACLs [access control lists]

Three lessons?

  • Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.
  • Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs –  and the upgrading of medical devices that rely on old operating systems.
  •  Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Patches are available for: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as WannaCrypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship, nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career ramifications, if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Kieran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

Microsoft stockpiled patches – The Register

UK government, NHS and Windows XP support – what really happened – Computer Weekly

NHS letter on patches to counter cyber attack

Multiple sites hit by ransomware attack – Digital Health (31 comments)

Lessons from the WannaCrypt – Wannacry – cyber attack according to Microsoft

 

Some officials “smuggle their often half-baked proposals past ministers” says Cabinet Office adviser who quits

By Tony Collins

Jerry Fishenden has resigned from the Cabinet Office‘s Privacy and Consumer Advisory Group after nearly six years. First he was its chairman and more recently co-chairman.

The Privacy and Consumer Advisory Group comprises privacy and security experts who give the government independent analysis and guidance on personal data and privacy initiatives by departments, agencies and other public sector bodies. This includes GOV.UK Verify.

The group’s advice has had the citizens’ interests in mind. But the group might have been seen by some Whitehall officials as having an open and frank “outsiders” culture.

Francis Maude, then Cabinet Office minister, helped to set up the group but he left in 2015 and none of his replacements has had a comparable willingness to challenge the civil service culture.

Maude welcomed the help of outsiders in trying to change the civil service.  He tried to bring down the costs of Government IT and sought to stop unnecessary or failing projects and programmes. He also wanted to end the “oligopoly” of a handful of large IT suppliers. But Maude’s initiatives have had little continuing support among some Whitehall officials.

Fishenden said in a blog post this week that Maude had wanted the Privacy and Consumer Advisory Group to be a “critical friend” – a canary that could detect and help fix policy and technology issues before they were too far down the policy / Bill process.

“The idea was to try to avoid a repeat of previous fiascos, such as the Identity Card Act, where Whitehall generalists found themselves notably out of their depth on complex technical issues and left Ministers to pick up the pieces.”

He added that “since Francis Maude’s departure, there has been only one meeting” with subsequent Cabinet Office ministers.

“Without such backing, those officials who find the group’s expert reviews and analyses “challenging” have found it easier to ignore, attempting instead to smuggle their often half-baked proposals past Ministers without the benefit of the group’s independent assistance…

“Let’s just hope that after the election the value of the group will be rediscovered and government will breathe life back into the canary. Doing so would help realise Francis Maude’s original purpose – and bring significant benefits to us all, whether inside or outside of government.”

Comment

One of the Privacy and Consumer Group’s strengths has been its independent view of Government IT-related initiatives  – which is probably the main reason it has been marginalised.

Fishenden’s departure is further confirmation that since Maude’s departure, the Cabinet Office – apart from the Government Digital Service – has settled back into the decades-old Whitehall culture of tinkering with the system while opposing radical change.

While Whitehall’s culture remains unreformable, central government will continue to lose the best IT people from the private sector. Some of these include the former Government Digital Service executive director Mike Bracken, Stephen Foreshew-Cain, who took over from Bracken, Janet Hughes, programme director of Verify,  Andy Beale, GDS’s chief technology officer, Paul Maltby, GDS’s director of data and former Whitehall chief information officers Joe Harley, Steve Lamey, Andy Nelson and Mark Dearnley.

The unfortunate thing is that a few powerful career civil servants, including some permanent secretaries, will be delighted to lose such outsiders.

Jerry Fishenden is simply the latest casualty of a civil service tradition that puts the needs of the department before those of the citizen.

It’s a culture that hasn’t changed for decades.

The canary that ceased to be – Jerry Fishenden’s blog on his departure

Privacy and Consumer Advisory Group

Does Universal Credit make a mockery of Whitehall business cases?

By Tony Collins

Does Universal Credit make a mockery of this Treasury guidance on business cases?

It’s supposed to be mandatory for Whitehall departments to produce business cases. They show that big projects are “unequivocally” affordable and will work as planned.

But Computer Weekly said yesterday that the Department for Work and Pensions has not yet submitted a full business case for Universal Credit although the programme has been running for six years.

The result is that the Universal Credit IT programme may be the first big government computer project to have reached the original completion date before a full business case has been finalised.

Its absence suggests that the Department for Work and Pensions has not yet been able to produce a convincing case to the Treasury that the IT programme will either work or be affordable when it is due to roll out to millions of claimants.

The absence also raises a question of why the Department for Work and Pensions was able to award contracts and proceed with implementation without having to be accountable to Parliament for milestones, objectives, projected costs and benefits – all things that would have been recorded in the full business case.

If the DWP can proceed for years with project implementation without a full business case, does this mean that other Whitehall departments need have no final structured plan to justify spending of billions on projects?

Will Universal Credit work?

By early March 2017, fewer than 500,000 people were on Universal Credit. On completion, the system will be expected to cope with seven million claimants.

Although the rollout of the so-called “digital” system – which can handle all types of claim online – is going well (subject to long delays in payments in some areas and extreme hardship for some), there are uncertainties about whether it will cope with millions of claimants.

Universal Credit campaigner John Slater has been unable to obtain any confirmation from the DWP on whether it is planning to complete the rollout by 2022 – five years later than originally scheduled.

Business cases present arguments that justify the spending of public money. They also provide a “clear audit trail for purposes of public accountability,” says Cabinet Office guidance on business cases.

But hundreds of millions has already been spent on Universal Credit IT, according to the National Audit Office.

Business cases are mandatory … sort of

The Treasury says that production of business cases is a

“mandatory part of planning a public sector spending proposal …”

Yesterday, however, Computer Weekly reported that,

“Amazingly, given the programme has been going since 2011, the full business case for Universal Credit has still not been submitted or signed off by the Treasury – that’s due to take place in September this year.”

The Treasury says that preparation of the Full Business Case is “completed following procurement of the scheme – but prior to contract signature – in most public sector organisations.”

But by March 2013, the Department for Work and Pensions had already spent about £303m on Universal Credit IT, mostly with Accenture (£125m), IBM (£75m), HP (£49m) and BT (£16m), according to the National Audit Office.

Why a business case is important

The Treasury sums up the importance of business cases in its guidance to departments,

“… it is vital that capital spending decisions are taken on the basis of highly competent professionally developed spending proposals.”

The business case provides a

“structured process for appraising, developing and planning to deliver best public value.”

The full business case, in particular, sets out the

  • contractual arrangements
  • funding and affordability
  • detailed management arrangements
  • plans for successful delivery and post evaluation.

In the absence of a full business case the DWP was able to start the Universal Credit IT programme with little structured control on costs. The National Audit Office found in 2013 that there was

  • Poorly managed and documented financial governance
  • Limited evidence that supplier invoices were properly checked before payments were made.
  • Inadequate challenge of purchase decisions
  • Insufficient information on value for money of contracts before ministers approved them
  • Insufficient challenge of suppliers’ cost changes
  • Over-reliance on performance information from suppliers that the Department for Work and Pensions didn’t validate.
  • No enforcement by the DWP of key parts of the supplier contracts

Comment

Officials at the Department for Work and Pensions have gone to the bank for money for a new business venture – the building of Universal Credit IT – and said in effect,

“We’ll let you have an outline business case that may change a few times and in a few years, perhaps on completion of the programme or thereabouts, we’ll provide a full business case. But we’d like the money now please.”

In response the bank – HM Treasury – has replied in effect,

“You’re supposed to supply a full business plan before we decide on whether to give you the money but we know how important Universal Credit is.

“We’ll tell you what: we’ll let you have a few tens of millions here and there and see how you get on.

“For the time being, without a full business case, you’re restricted to an IT spend of around £300m.

“In terms of the eligibility criteria for the money, you can let us know what this should be when you’re a few years down the road.

“We accept that you’ll be in a much better position to know why you should be given the money once you’ve spent it.”

Does “mandatory” mean anything when there is no sanction against non-compliance?

And when the DWP is able to embark on a multi-billion pound programme without submitting a full business case until after the original completion date (2017), what’s the point of a business case?

The fact that the DWP is six years into implementation of Universal Credit without a full business case suggests that departments make up the rules as they go along.

What if the Treasury rejects the Universal Credit business case when it’s eventually submitted?

Will the DWP wait another few years to submit a case, when an entirely new set of officials will be in place? By then, perhaps, the Universal Credit rollout will have finished (or been aborted) and nobody at that stage could be effectively held to account if the scheme didn’t work or money had been wasted.

If Whitehall routinely waits until an IT-based programme is finished before presenting a full business case for Treasury approval, there’s nothing the Treasury can do if it wants and needs the programme.

Sir Humphrey is all-powerful.  Why should officials worry about presenting full business cases on programmes they know there’s a political imperative to deliver?

Can DWP meet its revised 2022 target for completion of Universal Credit? – Computer Weekly

Treasury guidance on business cases

 

 
