HMRC … you were the future once

No-one should ever read your first draft. Neil Gaiman.

Nearly 20 years ago when I joined the Inland Revenue (years before it became HMRC), the Internet was new in government.  In the IR HQ, there was one PC that had access to the ‘net – via a dial up 28.8k modem if I recall correctly.  Maybe it was 56.6.  You don’t easily forget the noise that such a modem makes as it works its way to a connection.

Not long after, the IR’s email system was shut down for 3 days by a variant of the Melissa virus.  Sometime later, that led us to back some great work by Al Collier, at what became OGC, to deploy MessageLabs anti-virus capability across the whole of the GSI.  Email was never lost again, as far as I know, by anyone so protected.

The Revenue, as they called themselves, had a website.  But that was it.  Indeed, government had a website (, but that, too, was it.  In the weeks and months that followed, thanks to clear, forward thinking leadership and insightful direction from the Perm Sec (Sir Nick Montagu), the CIO (John Yard) and what would now be called the CDO (Barry Glassberg), Self Assessment went online (remember the £10 rebate to encourage you to file online? And the floppy disc with the “app” on it, replaced at the beginning of the next year with a web app built by Ezgov?), PAYE came next, then Corporation Tax and many other services.

We took hits – despite publishing the need for a maintenance window (to take Self Assessment down) for a few hours on a Friday evening, we made it to above the fold news the following day, when SA was down (when there were, maybe, at best, 10,000 users).  We took flak from the Welsh, Mac using vicar who couldn’t file his tax return (we didn’t do Welsh, didn’t support Macs, and vicars, it turns out, have special tax forms that were not in our initial release; this is not a fable, there really was a Welsh, Mac using vicar that wanted to file his tax return online in 2000).

We built and rebuilt and threw some things away that didn’t work.  We ran parallel projects in competition to see what would work and to try and ensure that at least one horse would cross the finish line in time.  Before there was agile, this was agile.

As we worked to put PAYE online, the foundation of it was really the GovTalk standard that the Office of the e-Envoy had already put together (I liked to describe GovTalk as the envelope that you put a letter in, along with the format for the address and the writing inside; the content was yours to figure out).  We worked with dozens of both major and minor software vendors – from Rutherford Webb to Sage through to Oracle – to agree the PAYE XML format that would flow through the Government Gateway (which was in-flight at the same time as PAYE) and into the IR’s systems.  It was detailed work, led mostly by the inimitable and irrepressible Phil Stradling, but it established two important baselines – (1) there would be a single front door into online government services, via the Gateway and (2) the format adopted for all messages through that route would be GovTalk compliant.  Phil was quietly responsible for many firsts in the world of e-government.  I suspect we’ve never thanked him sufficiently for the incredible work he did.

There’s no question that the Inland Revenue (and then HMRC), almost entirely because of John and Barry, led e-government from the front – and were,  I suspect, baffled when other departments got credit for doing a tiny fraction of what they were doing.  They took risks in a world where taking risks was frowned upon. They were the first to put real transactions online (SA, PAYE, CT etc – each of which won awards in its time). They provided the initial funding for the Government Gateway (the vision came from a mixture of IR and HMCE thinking with a very large extra dose from Mark Gladwyn at CITU).  They were the first to get meaningful take-up, from both citizens and businesses – with the Carter review, in 2007, HMRC (as they were by then) became the first department to focus on driving 100% take-up of online services (with the aim of achieving that by 2012; my guess is they hit that, or, at least, got closer than anyone else did by then)

Many years later, I find myself in front of my Mac, painfully rekeying VAT/expenses data from the carefully crafted Excel sheets that I put together a decade ago into the cloud accounting package that, to date, I have only used for sending and tracking invoices.

And, at the same time, I find myself wondering just how far we have progressed.  Or, indeed, if we have progressed at all.

As far as I can tell, the Gateway is still there (my login credentials remain the same, but there was talk that, by now, the Gateway would be replaced – indeed, the website that remained unchanged from 2004 when I left it behind until even a few months ago is now apparently hidden away replaced by a front end).

Is the Gateway a dead man walking?  Or is it dead?  I hope they gave it a good send off, it served us all well.  Too many awesome people worked on Gateway to mention here; but they know what they achieved, up against the odds.

What used to be a single front end for transactions into government now looks fragmented across dozens of sites.

And what I’m sending to HMRC, from my cloud accounting package (one login), through some bridging software (another login), through the Gateway (yet another login) …

… is a CSV file with the 9 boxes required for the VAT form.

There doesn’t seem to be a GovTalk envelope.

There’s no additional data.

But there is new overhead and new cost.

And yet no obvious benefit … HMRC are getting what they got before … and countless businesses are sending what they sent before, but with more effort.

And, obviously, no Verify … yet if every single company in the UK is going to send their tax returns this way, and as many as 9 million individuals (roughly 50% used to use accountants, perhaps it’s more now) and then 30 million individuals who might want to check their PAYE status … or a few million students who will want to check their student loan (which inevitably ties to PAYE) … this way in is going to become the default, at least for all financial transactions with government (there may be a good case for why NHS has a different way in; I don’t have a particular view).

Clearly there is more underway here and a bigger picture … but it’s not obvious to me that we have advanced at all since achieving the 100% (or near to it) objective perhaps 7 years ago.

Citizen focused?  Joined up?

I’m not sure.  Doesn’t look like it.

GDS Isn’t Working – Part 4 (Verify)

The conclusion to Part 3 (The Reboot) was:

  • Verify – It’s time to be brave and ignore sunk costs (investment to date and contractual exit costs if any) and let this one go.  It hasn’t achieved any of the plans that were set out for it and it isn’t magically going to get to 20m users in the next couple of years, least of all if HMRC are going their own way.  The real reason for letting it go, though, is that it doesn’t solve the real problem – identity is multi-faceted. I’m me, but I do my mother’s tax return, but appoint my accountant to do mine, but I work for a company and I do their payroll, and I counter-sign the VAT return that is prepared by someone else, and I act as the power of attorney for my blind father.  Taking a slice of that isn’t helping.  Having many systems that each do a piece of that is as far from handling user needs as you can get.  Driving take up by having a lower burden of proof isn’t useful either – ask the Tax Credits folks.  HMRC are, by far, the biggest user of the Gateway.  They need citizen and business (big business, sole trader, small company) capability.  Let them take the lead – they did on the Gateway and that worked out well – and put support around them to help ensure it meets the wider needs.

Instead, GDS appear to be doubling down, based on this article in Computer Weekly:

  • GDS speakers at the event encouraged suppliers to use the GaaP tools in their own products, in the hope of widening their use. However, according to guests at the event that Computer Weekly talked to – who wished to remain anonymous due to their ongoing relationships with GDS – GDS was unable to give any guarantees around support or service levels.
  • GDS has now developed a new feature for Verify that allows “level of assurance 1” (LOA1) – a reduced level of verification that is effectively a straightforward user login and password system, which offers “minimal confidence in the asserted identity” of users for low-risk transactions. In effect, LOA1 means the government service trusts the user to verify their own identity.
  • The government has committed to having 25 million users of Verify by 2020, and offering LOA1 is seen as a key step in widening the adoption of the service to meet this target.
This is, though, to miss the point of “What is Verify for?”:

  • The goal isn’t to have 25 million users.  That’s a metric from 1999 when eyeballs were all that mattered.  25 million users that don’t access services, or that sign up for one and never use another service isn’t a measure of relevancy
  • A government authentication platform is instead for:
    • Giving its users a secure, trusted way of accessing information that government holds about them and allowing them to update it, provide new items and interact with government processes
    • Allowing users to act as themselves as well as representatives of others (corporate and personal) with the assurance that there is proper authorisation in place from all necessary parties
    • Putting sufficient protection in the way so as to ensure that my data and interactions cannot be accessed or carried out by people who aren’t me.  In other words, “I am who I say I am” and, by definition, no one else is
What then, if we took away the numbers and the arbitrary measures and said, instead, that the real purpose is to:
  • Create an environment where a first time user, someone who has had no meaningful interaction with government before, is able to transact online and need never use offline processes from that moment on
  • Sixteen year olds would begin their online interaction with government by getting their National Insurance numbers online
  • They would go on to apply for their student loan a couple of years later
  • With their first job they would receive their PAYE information and perhaps claim some benefits
  • Perhaps they would be handling PAYE, or VAT, or CT for their own employer
  • Health information and records would be available to the right people and would move them as they moved jobs and locations
  • Perhaps they would be looking at health information and records for others
  • They would see the impact of pension contributions and understand the impact of changes in taxation
  • Perhaps they would be helping other people figure out their pension contributions and entitlements
  • They might decide whether they can afford an ISA this year
  • In time some would pay their Self Assessment this way
  • Or maybe they would be completing Self Assessments for others
A 2002 Slide

Instead of spot creating some transactions that are nearby or easy, we would seek to change the entire experience that someone has who doesn’t know about government – they would never know that it had been broken for years, that paper forms were the norm for many, or that in 2010 people had to go from department to department to get what they needed.  They would take to this the way a baby learns that you swipe an iPad screen – it would never occur to them that a magazine doesn’t work the same way.

Along the way, those who were at later stages of life would be encouraged to make the move online, joining at whatever stage of the journey made sense for them.

This wouldn’t be about transformation – the bulk of the users wouldn’t know what it was like before.  This would just be “the way government is”, the way it’s supposed to be.  Yes, in the background there would have been re-engineering (not, please, transformation), but all the user would see is the way it worked, fluidly, consistently and clearly, in their language, the language of the user.

Progress would no longer be about made up numbers, but about the richness of the interaction, the degree to which we were able to steer people away from paper and offline channels, and the success with which we met user needs.  The measure would be simply that they had no need, ever, to go offline.

Verify isn’t the way into this journey.  Verify started out trying to solve a different problem.  It isn’t seen, and wasn’t conceived, as part of a cohesive whole where the real aim is to shift interaction from offline to online.  In its current form, it’s on life support, being kept alive only because there’s a reluctance to deal with the sunk costs – the undoubtedly huge effort (money and time from good people) it’s taken to get here.  But it’s a “you can’t get there from here” problem. And when that’s the case … you have to be brave and stop digging.

If my original take on “What is GDS for” was:

GDS is for facilitating the re-engineering of the way government does business – changing from the traditional, departmentally-led silos and individual forms to joined-up, proactive, thought-through interactions that range widely across government.  It is not, in my view, about controlling, stopping, writing code or religious/philosophical debates about what’s right. Its job is to remove the obstacles that stop government from championing the user cause.

Then what if GDS took the vanguard in moving government to cater for the user journey, from a user’s first interaction to its last.  A focused programme of making an online government available to everyone.  A way of assessing that “I am who I say I am” is an essential part of that – and starting with a 16 year old with minimal footprint is going to be challenging but is surely an essential part of making this work.  This would be a visionary challenge – something that could be laid out step by step, month to month, in partnership with the key departments.

It can be dull to look backwards, but sometimes we have to, so that we move forward sensibly.  The picture above shows the approach we planned at the Inland Revenue a long time ago.  We would take on three parallel streams of work – (1) move forms online, (2) join up with some other departments to create something new and (3) put together a full vertical slice that was entirely online and extend that – we were going to start with a company because our thinking was that they would move online first (this was in 2000): register the company, apply for VAT and tax status, send in returns, add employees, create pensions etc.

It feels like we’ve lost that vision and, instead, are creating ad hoc transactions based on departmental readiness, budget and willingness to play.  That’s about as far away from user needs as I can imagine being.

As a post-script, I was intrigued by this line in the Computer Weekly report:

GDS was unable to give any guarantees around support or service levels.

On the face of it, it’s true.  GDS is part of the Cabinet Office and so can’t issue contracts to third parties where it might incur penalties for non-delivery.  But if others are to invest and put their own customer relationships on the line, this is hardly a user needs led conversation.  Back in 2004 we spent some time looking at legal vehicles – trading funds, agencies, JVs, spin-offs – and there are lots of options, some that can be reached quite quickly.

My fundamental point, though, is that GDS should be facilitating the re-engineering of government, helping departments and holding them to account for their promises, not trying to replace the private sector, or step fully into the service delivery chain – least of all if the next step in the delivery promise is “you will have to take our word for it.”

GDS Isn’t Working – Part 3 (The Reboot)

What is GDS for?  It’s a question that should be asked at a fundamental level at least every year for an organisation that set out to be agile, iterative and user led.   It’s easy to be superficial when asking such a seemingly simple question.  People inside the organisation are afraid to ask it, doubtless they’re busy being busy at what they’re doing.  They’re afraid of the consequences.  They don’t want to touch the question in case it bites – the electric fence that prevents introspection and, perhaps more importantly, outrospection.

There are several reasons why this question should be asked, but one that I would take as important, right now, is because GDS don’t know themselves, as the NAO highlighted recently.

“GDS has found it difficult to redefine its role as it has grown … initially, GDS supported exemplars of digital transformation … major transformations have had only mixed success … GDS has not sustained its framework of standards and guidance … roles and responsibilities are evolving … it is not yet clear what role GDS will play [in relation to transformation]”

If there was ever a time to ask “What is GDS for?”, it’s now … to help understand these numbers:

The budget is £150m in 16/17 and 17/18 (though it falls over coming years, to £77m in 19/20) and GDS has around 850 staff today (again, falling to 780 by 19/20).

Let me ask again, what is GDS for?

When those 850 staff bounce into work every morning, what is it that they are looking forward to doing?  What user needs are they going to address?  How will they know that they have been successful?  How will the rest of us know?

Given a budget, Parkinson’s Law of Government says the department will expand to absorb that budget.

GDS has demonstrated this law in action:

  • The exemplars have finished, with varying degrees of success.  There are no further exemplars planned.  The organisation has only grown.
  • Major digital projects have stumbled badly and, in some cases, failed entirely, for instance:
    • The RPA Common Agriculture Programme, specifically re-engineered by GDS early in its life and then directly overseen by senior staff, failed to deliver.  The lessons learned in the previous RPA project, 7 years earlier, were not learned and the result was the same – a system that was late, high disallowance costs and a poor experience for the real users, the farmers.
    • Digital Borders is progressing slowly at best, even allowing for the tuned and optimistic language in the IPA report.  Seven years after the last programme was terminated in difficult circumstances, the first, less aggressive than planned, rollout of new capability is starting now
  • Nearly 5 years after DWP were ready to complete their identity procurement and around three years since its replacement, Verify, designed to save millions, was about to enter public Beta, the Government Gateway is still there, 16 years old and looking not a day older than it did in 2006 when the UI was last refreshed.  Verify has garnered around 1.4m users, a very small fraction of even Self Assessment users, let alone overall Gateway users.
    • The Government Gateway is slated for replacement soon, but Verify is clearly not going to replace it – it doesn’t handle transaction throughput and validation, it doesn’t handle nomination (e.g. please let my accountant handle my Self Assessment) and, most obviously, it doesn’t handle business identity.  Given the vision that we laid down for the Gateway and all of the work that was done to lay the foundations for a long term programme that would support all aspects of identity management, Verify is nothing short of a fiasco, as demonstrated by the increasingly vocal war about its future, with HMRC seemingly building its own identity platform.  Others far more able than me, including Jerry Fishenden and David Moss have exposed its flaws, muddled thinking and the triumph of hope over ability.
    • Even now, instead of bringing departmental transactions on board, addressing true user needs and massively improving completion rate from its current low of less than 50%, the Verify team are talking up their prospects of getting 20m users by lowering identity standards and getting the private sector on board.  They blame lack of take up to date on slow delivery of digital services by departments, according to the IPA report.
  •, whilst a triumphal demonstration of political will to drive consolidation and a far greater achievement in presenting a joined up view of government to the citizen than achieved before, is still a patchy consolidation with formats and styles changing as you move from level to level, departmental websites still having their own separate space (compromising, as soon as you arrive in a departmental domain, the sense of consolidation), PDFs abound, and, of course, it lacks major transactions (and those that are available often have a very disjointed journey – follow the route to filing a VAT return for instance).  The enormous early progress seems to have lapsed into iterative tinkering.
  • Alongside all of that we have the latest in a long series of transformation strategies. For many months the strapline on this blog read “transforming government is like trying to relocate a cemetery, you can’t expect the residents to help”.  Since then I’ve revised my view and now believe, firmly, that in any effort to achieve transformation, government will remain the catalyst, in the true chemical sense of the word.  This strategy says that by 2020 “we will”
    • design and deliver joined-up, end-to-end services
    • deliver the major transformation programmes
    • establish a whole-government approach to transformation, laying the ground for broader transformation across the public sector
  • We all want to believe those words.  We know that these have been the goals for years, decades even.  We know that little has really been achieved.  And yet here we are, after 7 years of GDS, being asked to believe that transformation can be achieved in the next 3.  There is a Jerry Maguire feeling to this, not so much “show me the money” as “show me the plan”
  • And, lastly, we have Government as a Platform.  No one was ever quite sure what it was.  It might include the Notifications and Payments service – oddly, two services that were available on the Gateway in 2002/3, but that were turned off for some reason.
So why not ask “What is GDS for?” and use the thinking generated by that question to restructure and reboot GDS.  Any reboot requires a shutdown, of course, and some elements of GDS’s current work will, as a result of the introspection, close down.

If I were asked to answer the question, I would suggest

GDS is for facilitating the re-engineering of the way government does business – changing from the traditional, departmentally-led silos and individual forms to joined-up, proactive, thought-through interactions that range widely across government.  It is not, in my view, about controlling, stopping, writing code or religious/philosophical debates about what’s right. Its job is to remove the obstacles that stop government from championing the user cause.

Within that the main jobs are:
  • Standards and guidelines for IT across government.  This could get dangerously out of hand but, as the NAO note, GDS has, to date, not kept its standards up to date.  Some key areas:
    • Data formats – messaging standards to allow full interoperability between government services and out to third parties through APIs.  In 2000, we called this govtalk and it worked well
    • Architecture – eventually, government IT will want to converge on a common architecture.  We are likely decades away from that on the basis it’s hardly started and replacing some of the existing systems will take more money than is available, let alone increased capacity across the user and technology community at a time when they have plenty going on.  New projects, though, should be set on a path to convergence wherever possible – that doesn’t mean getting religious about open source, but it does mean being clear about what products work and what doesn’t, how interactions should be managed and how we streamline the IT estate, improve resilience and reliability and reduce overall cost.  This team will show what the art of the possible is with small proofs of concept that can be developed by departments
    • Common component planning – all the way back in 2003 I published a first take on what that could look like.  It’s not the answer, but it’s a start.  I’m a strong believer in the underlying principles of Government as a Platform – there are some components that government doesn’t need more than one of and some that it needs just a few of.  They need to be in place before anyone can intercept with them – promising to deliver and then having a queue of projects held up by their non-availability won’t work.  And they don’t have to be delivered centrally, but they do have to take into account wider requirements than just those of whoever built them
  • publishing team – joined up content will best come from the centre.  This team will control what to publish and how to publish and how to ensure consistency across  They will rationalise the content that is there, doing what Martha originally set out – kill or cure – to make sure that the user is getting what they need
  • Agile and user needs – perhaps the single largest achievement of GDS so far,  far beyond consolidating websites for me, is getting government to recognise that there are many ways to deliver IT and that taking a user-led approach is an essential part of any of them.  I’m not wedded to agile or any other methodology, but there’s a strong argument for a central team who can coach departments through this and checkpoint with them to see how they are doing, refresh knowledge and transfer skills so that everyone isn’t learning the same lessons over and over again
  • Spending controls – a team of elite people who know how to get inside the biggest projects, not waste time on the small ones, and understand what’s being built and why and who can help design the solution at a lower cost than proposed, who can help create the hooks for current and/or future common components and who can help negotiate better deals.  These folks should be the best that can be found – a SWAT team sent to work on mission critical projects.  Their job will be to help drive delivery, not slow it down through interminable bureaucracy and arguments about the philosophy of open source.
  • Transactions team – people who go beyond the pure publishing role into understanding how to hook users into a transaction and drive completion through smart design, innate user understanding and the ability to partner with departments, not preach to them from some remote ivory tower.  These folks won’t make promises they can’t keep, they will work closely with departments to move transactions that are offline today to the online world, designing them to foster high take up rates and better service for users.  This team is the future of government – they will be a mix of people who can help rethink policy and legislation, service designers, UI folks who know how to put something slick together and technologists who can understand how to manage load and resilience and integrate with third parties inside and outside of government.
  • Project managers – a mixed team who know how to deliver small and large projects, who are comfortable managing all aspects of delivery, can work with users as well as departments and suppliers and who understand the tension that is always there between waiting and shipping.
Lastly, two areas that I think are contentious; there may be others:
  • development – Personally, I’m in favour of using companies to do build work.  They can maintain a bench and keep their teams up to date with evolving technologies.  They can locate wherever it makes sense and call on disparate teams, around the globe if necessary.  They can call on experience from other clients and use relationships with partners and the big vendors to do the heavy lifting.    The in-house project managers will keep the suppliers in check and will manage scope, cost and time to bring projects home.  This is contentious I know – there’s an increasing appetite for government to bring development in-house; some departments, such as HMRC, have had to locate far from the usual places to ensure that they can recruit and retain staff and I think, if you’re going to do it, that’s more sensible than trying to recruit in Holborn or Shoreditch. But, me, I would give it to an up and coming UK company that was passionate about growth, entirely aligned with the user led approach and looking to make a splash.  I’d then work closely with them to make an effective transition, assuming that the code stands up to such a transition.
  • Verify – It’s time to be brave and ignore sunk costs (investment to date and contractual exit costs if any) and let this one go.  It hasn’t achieved any of the plans that were set out for it and it isn’t magically going to get to 20m users in the next couple of years, least of all if HMRC are going their own way.  The real reason for letting it go, though, is that it doesn’t solve the real problem – identity is multi-faceted. I’m me, but I do my mother’s tax return, but appoint my accountant to do mine, but I work for a company and I do their payroll, and I counter-sign the VAT return that is prepared by someone else, and I act as the power of attorney for my blind father.  Taking a slice of that isn’t helping.  Having many systems that each do a piece of that is as far from handling user needs as you can get.  Driving take up by having a lower burden of proof isn’t useful either – ask the Tax Credits folks.  HMRC are, by far, the biggest user of the Gateway.  They need citizen and business (big business, sole trader, small company) capability.  Let them take the lead – they did on the Gateway and that worked out well – and put support around them to help ensure it meets the wider needs.
How many people does that make? I’m very interested in views, disagreements, counter-points and omissions.

GDS Isn’t Working (Part 2 – The Content Mystery)

In Martha Lane Fox’s 2010 report, that, in effect, led to the creation of GDS and that set out its mission, there were a series of recommendations.  These seem like a reasonable place to start in assessing GDS’ delivery track record.  The recommendations were:

1. Directgov should be the default platform for information and transactional services, enabling all government transactions to be carried out via digital channels by 2015 … must focus on creating high-quality user-friendly transactions … scaling back on non-core activities.

2. Realign all Government Delivery under a single web domain name … accelerate the move to shared web services.

3. Learn from what has been proven to work well elsewhere on the web … focus on user-driven and transparent … implement a kill or cure policy to reduce poorly performing content.

4. Mandate the creation of APIs to allow 3rd parties to present content and transactions.  Shift from “public services all in one place” to government services “wherever you are”

5. Establish digital SWAT teams … work on flagship channel shift transactions

Not surprisingly, I agreed entirely with this list at the time – nearly a decade beforehand I’d produced the picture below to represent the e-Delivery team’s (eDt) e-government vision – eDt was a part of the Office of the e-Envoy when the late Andrew Pinder was in charge.  I think it captures Martha’s recommendations in a page:

In slide format, the picture evolved to this:

Now, nearly 7 years after Martha’s report, we have a new flagship website (whilst Martha’s report was strong on making use of the brand name, given the investment in it over the previous 6 or so years, a decision was made to use a different brand – you’ll see that we had suggested that as a possible name in the 2001 picture above; it’s in the very top left).

Here are 3 pictures showing the journey we have made over the last 13 years:

1)’s home page in May 2004

2) The same site, in January 2007

3) in June 2017

Thirteen years of user needs, iteration, at least three different content management tools and, branding and size of search bar aside, do you notice any major difference?  Nope, me either.

Interestingly and both encouragingly (because admitting the problem is the first step to solving it) and depressingly (because it’s not like there haven’t been plenty of opportunities before)  GDS, after I’d written this post but before I’d published it, have noticed the problem too and seem, at last, to be taking recommendation 3, “kill or cure”, to heart.

When we envisaged the second iteration of (the first was run under a contract let to BT and was run by CITU, before OeE was really in existence, though it did go live on OeE’s watch), we saw it as a way to join up important content across government, creating a veneer that would buy time for the real engineering join up to take place behind the scenes – something that would result in joined up transactions and a truly citizen-centered approach to government.

Life events – important interactions with government – were synthesized from across all departments and brought together, by skilled content writers, in a way that meant the user didn’t need to traverse multiple government websites – the aim was to give them everything in one place.  We (OeE as a whole) continued that approach through successive iterations of UKonline and on into its successor, (which started life as the Online Government Store, or OGS – a shopfront where all of government content could be accessed).

Thirteen years after the launch of, it looks like there have been successive iterations of that approach along with a wholesale migration of much of government’s content to a single platform.  But there hasn’t been any of the real heavy lifting done to join up the content and the transactions.  This is shown by the very existence of all of those other government websites, albeit as sub-domains on the same platform as  That wasn’t the vision that we were after and, based on the recent GDS blog post, it seems not to be the one that GDS are after either.   But we had around 7 years before GDS and we’ve had nearly 7 years since.  So clearly something isn’t working.

    My guess is that the lessons that we learned from 2002-2010 have been learned again from 2010-2017.  Sure, some new lessons will have been learned, but they will be largely the same – many of the new lessons will have been technology and methodology related, I suspect. Despite everything, it all looks the same and, when poking behind the front page, all that’s revealed is more design changes – bigger fonts, simpler questions and cleaner lines.

    A little learning is a dangerous thing;
    drink deep, or taste not the Pierian spring:
    there shallow draughts intoxicate the brain,
    and drinking largely sobers us again

    The creation of has been a massive job – huge amounts of content have been moved, sorted, consolidated, re-written and, doubtless, re-written again.  It all feels like marginal change though – more of the same.  Heavy lifting, yes, but more of the same, incremental changes, with some big parts still to move, such as much of HMRC and still no real home or consistency for business-related content.

    The real mystery, though, is where are the transactions?  The new ones I mean, not the ones that were online a decade ago.

    Looking back at Martha’s recommendations:

    (1) Single platform and transactions – is at least partly done, but transactions have advanced little in a decade.

    (2) Single domain – looks initially to be a success (and one that I do not underestimate the huge effort it’s taken and that it continues to take), but there isn’t much else in the way of shared web services (I’ll be coming on to Verify and other common platform technologies soon).

    (3) User driven and transparent / Kill or cure – I’m going to score as strong effort, but not nearly enough of an advance on what was done before.  We have a huge amount of content piled on a single technology platform.  Disentangling it and ensuring that there’s only one place to find the most relevant content on any given topic is not well advanced.  If you’re a business, things are even more confusing. And if you’re a sole trader, for instance, who hops between individual and business content, you’re likely more confused than ever.

    (4) APIs – beyond what was done years ago, I don’t see much new.  I would love to be pointed at examples where I’m wrong here as I think this is a crucial part of the future mission and it would be good to see successes that I’ve missed.

    (5) Flagship transactions – I’m not seeing them. The tax disc is a great example of a transaction that was started years ago and that has been successively iterated, and I don’t want to undersell the monumental shift that getting rid of the disc itself was, but it’s an outlier.  Where are the others, the ones that weren’t there before 2010?

    The critical recommendations in Martha’s report – the ones about flagship channel shift transactions, creating APIs (other than in HMRC, most of which was completed in 2000-2004) and “government services wherever you are” are still adrift. 
    Martha’s goal of “enabling all government transactions to be carried out via digital channels by 2015” seems as far away as it was when, in 2001, the then Prime Minister, Tony Blair, exhorted us to put joined up, citizen-focused services online by the end of 2005.

    The real mystery is why we are tinkering with content instead of confronting the really hard stuff, the transactions.  As I said in 2012:

    GDS’ most public delivery is “just another website” – those who know (and care) about these things think that it might be one of the sexiest and best websites ever developed, certainly in the government world.  But it isn’t Facebook, it isn’t iTunes, it isn’t Pirate Bay.  It’s a government website; perhaps “the” government website. Once you’ve packaged a lot of content, made wonderful navigation, transformed search, you end up with the place where government spends the real money – transactions (and I don’t just mean in IT terms).

    And now we have a Transformation Strategy that promises it will all be done by 2020.  I’m not seeing it.  Not if we follow the current approach.  That sounds snarky and perhaps it is, but it’s really the fundamental point of the centre’s digital efforts – joining up what hasn’t been joined up before.  Content, as has been well proven for the last 15 years, is the easy bit.

    Transactions are definitely the difficult bit, and they’re difficult in two ways – (1) the creation of an end to end service that goes all the way from citizen possibly through intermediary (everything from PAYE provider to accountant to Citizen’s Advice Bureau to me doing my mother’s tax return) and (2) the rethinking of traditional policy in a way that supports government’s desired outcome, meets user needs and is also deliverable.  From 2001, we started putting transactions online and, for the most part, we put online what was offline.  At the time, a good start, but not one that fits with current thinking and capabilities.

    The Emperor And His Clothes Revisited – GDS Isn’t Working (Part 1)

    In October 2012, I questioned whether the Emperor had any clothes on; somewhere in that piece I said:

    The question is really how to turn what GDS do into the way everyone else does it.  In parallel with GDS’ agile implementations, departments are out procuring their next “generation” of IT services – and when you consider that most are still running desktop operating systems released in 2000 and that many are working with big suppliers wrapped up in old contracts supporting applications that often saw the light of day in the 80s or, at best, the 90s, “generation” takes on a new meaning.  To those people, agile, iterative, user experience focused services are things they see when they go home and check Facebook, use Twitter or Dropbox or have their files automagically backed up into the cloud.  Splitting procurements into towers, bringing in new kinds of integrators, promising not to reward “bad” suppliers and landing new frameworks by the dozen is also different of course, but not enough to bridge the gap between legacy and no legacy.

    and then

    The question is whether the GDS model is the one that achieves scale transformation right across government, or whether it is another iteration in a series of waves of change that, in the end, only create local change, rather than truly structural change.

    My sense, now, is that it’s the latter – another iteration, but one that hasn’t created as much change as the inputs would suggest and that, today, is creating far less change than it did early on in its life when charismatic leadership, a brilliant team, an almost messianic zeal and bulletproof political support were in place.

    GDS has done some brilliant and world-leading stuff but has also failed to deliver on its mission.   Simply, GDS isn’t working.  We need to think again about what it’s going to take to deliver the vision; something that has been largely consistent for much of the last two decades but still seems far away.  This is tricky: we don’t want to lose the good stuff and we clearly want to get the huge pile of missing stuff done.  The current approach is a dead end so we need to do something different; with the appointment of a new minister, now could be the time for the change.

    Every few years for at least the last two decades, HM Government has revised its approach to the co-ordination of all things IT. Throughout that time there’s always been a central function to e.g. set standards (govtalk for example), engage with industry to get the most done at the best price, co-ordinate services, do some direct delivery (,, etc) and also teach government what to do and how to do it – the art of the possible.

    It started with the Central Computer and Telecommunications Agency (CCTA), followed by Central Information Technology Unit (CITU), then the Office of the e-Envoy (OeE), the e-Government Unit (eGU), the Office of the Government CIO (OCIO) and, most recently, the Government Digital Service (GDS). Some of these – CCTA and CITU for instance – overlapped but had slightly different roles.

    After each revision, there was a change of leader, a change of approach and a change of focus – some were for the better, some not so much. Nearly 7 years after the Martha Lane Fox report that brought GDS into being, it’s time for another one of those revisions.

    We should, of course, celebrate the successes of GDS, because there have been some big results, learn the lessons (of GDS and all of its predecessors) and shutter the failures. So let’s first laud the successes. GDS have, in my view, been responsible for four big changes at the heart of government.

    1) User focus and an agile approach. GDS has shown government that there is another way to deliver projects (not just web projects, but all projects), through focusing on user needs, building initial capability and then iterating to bring on successive functionality. Whilst this wasn’t new and still isn’t yet fully adopted, there isn’t anyone in government who doesn’t know about, and have a view on, the topic; and every department and agency across the board is at least experimenting with the approach and many have taken it completely to heart. The two dozen exemplars showed departments that the new approach was possible and how they might go about it, infecting a new generation of civil servants, and some of the old guard, with an incredible enthusiasm. Assess user needs, build some and ship, assess results, build a bit more and ship again (repeat until false) is understood as a viable approach by far more of government than it was even 5 years ago, let alone 15.

    2) Website consolidation. What was just an idea on some slides nearly 15 years ago, as seen in the picture below, is now close to reality. The vast bulk of government information sits on, a site that didn’t exist in 2010. receives some 12-14 million visitors in a typical week. We’ve gone from a couple of thousand websites to a handful (not quite to one, but near enough to make little difference).  Bringing together the content and giving the citizen the impression that government is all joined up is a necessary precursor to achieving lift off with transactions.

    3) Spend Controls. Before the Coalition Government came in, departments spent money however they wanted to, despite the best efforts of various bodies to impose at least some controls. There’s now a governance process in place that reviews projects at various stages and, whilst the saves are likely not as big as has been claimed, the additional review focuses departmental minds and encourages them to look at all options.  Controlling and, more specifically, directing spend is the mainstay of changing how government does IT and will support further re-use of platforms and technologies.

    4) Openness, transparency and championing issues. Government blogs were few and far between before 2010; official ones didn’t really exist. GDS staff (and, as a result, departmental people too) blog incessantly, to talk about what they are doing, to share best practice, to lay down gauntlets (e.g. championing the issue of necessary diversity on panels through the “GDS Parity Pledge”) and to help recruit new people from inside and outside of government to the cause.  Working in the open is a great way to show the outside, as well as the inside, world that things really have changed.

    Each of those is a significant achievement – and each has been sustained, to at least some degree, throughout the time GDS has been active which deserves additional celebration. Having an idea is the easy bit, it’s getting it done that’s the hard bit – the latter is where most people turn around and give up. Each of these achievements does, however, come with a succession of buts which I will explore in later posts.

    In the world of agile, failure is inevitable.  The point, though, is to fail fast and at a lower cost, correct the errors and get it right the next time.  Getting the next phase of the online agenda right requires some significant rethinking, an analysis of the failures and the setting of a new direction.

    This is not to say that what GDS has done to date isn’t good – the successes outlined above should rightly be lauded.  It is, though, to say that it was not and is not enough to create the necessary change.  Transformation is an overused word and one that is rarely delivered on, least of all in an agile, iterative world; but a step change in the way citizens interact with government is still possible.

    So, to create that necessary level of change, we need to put in place a different approach, one that ratchets up the pace of delivery with departments, one that integrates tightly with the outside world and one that doesn’t repeat the past but that embraces the future.
    I plan to publish a succession of posts looking at this with the aims of constructively challenging what’s been done so far and providing a framework for setting things up successfully for that next phase.

    10 Years After 10 Years After

    Strictly speaking, this is a little more than 10 years after the 10 year mark.  In late 2005,  Public Sector Forums asked me to do a review of the first 10 years of e-government; in May 2006, I published that same review on this blog.  It’s now time, I think, to look at what has happened in the 10 years (or more) since that piece, reviewing, particularly, digital government as opposed to e-government.

    Here’s a quick recap of the original “10 years of e-government” piece, pulling out the key points from each of the posts that made up the full piece:

    Part 1 – Let’s get it all online

    At the Labour Party conference in 1997, the Prime Minister had announced his plans for ‘simple government’ with a short paragraph in his first conference speech since taking charge of the country: 
    “We will publish a White Paper in the new year for what we call Simple Government, to cut the bureaucracy of Government and improve its service. We are setting a target that within five years, one quarter of dealings with Government can be done by a member of the public electronically through their television, telephone or computer.”
    Some time later he went further:
    “I am determined that Government should play its part, so I am bringing forward our target for getting all Government services online, from 2008 to 2005”

    It’s easy to pick holes with a strategy (or perhaps the absence of one) that’s resulted in more than 4,000 individual websites, dozens of inconsistent and incompatible services and a level of take-up that, for the most popular services, is perhaps 25% at best.
    After all, in a world where most people have 10-12 sites they visit regularly, it’s unlikely even one of those would be a government site – most interactions with government are, at best, annual and so there’s little incentive to store a list of government sites you might visit. As the count of government websites rose inexorably – from 1,600 in mid-2002 to 2,500 a year later and nearly 4,000 by mid-2005 – citizen interest in all but a few moved in the opposite direction.
    Over 80% of the cost of any given website was spent on technology – content management tools, web server software, servers themselves – as technology buyers and their business unit partners became easy pickings for salesmen with 2 car families to support. Too often, design meant flashy graphics, complicated pages, too much information on a page and confusing navigation. 
    Accessibility meant, simply, the site wasn’t.
    In short, services were supply-led by the government, not demand-led by the consumer. But where was the demand? Was the demand even there? Should it be up to the citizen to scream for the services they want and, if they did, would they – as Henry Ford claimed before producing the Model T – just want ‘faster horses’, or more of the same they’d always had performed a little quicker? 
    We have government for government, not government for the citizen. With so many services available, you’d perhaps think that usage should be higher. Early on, the argument was often made (I believe I made it too) that it wasn’t worth going online just to do one service – the overhead was too high – and that we needed to have a full range of services on offer – ones that could be used weekly and monthly as well as annually. That way, people would get used to dealing online with government and we’d have a shot at passing the ‘neighbour test’ (i.e. no service will get truly high usage until people are willing to tell their neighbour that they used, say, ‘that new tax credits service online’ and got their money in 4 days flat, encouraging their friends to do likewise).
    A new plan
     • Rationalise massively the number of government websites. In a 2002 April Fool email sent widely around government, I announced the e-Envoy’s department had seized control of government’s domain name registry and routed all website URLs to and was in the process of moving all content to that same site. Many people reading the mail a few days later applauded the initiative. Something similar is needed. The only reason to have a website is if someone else isn’t already doing it. Even if someone isn’t, there’s rarely a need for a new site and a new brand for every new idea.
    • Engage forcefully with the private sector. The banks, building societies, pension and insurance companies need to tie their services into those offered by government. Want a pension forecast? Why go to government – what you really want to know is how much will you need to live on when you’re 65 (67?) and how you’ll put that much money away in time. Government can’t and won’t tell you that. Similarly, authentication services need to be provided that can be used across both public and private sectors – speeding the registration process in either direction. With Tesco more trusted than government, why shouldn’t it work this way? The Government Gateway, with over 7 million registered users, has much to offer the private sector – and they, in turn, could accelerate the usage of hardware tokens for authentication (to rid us of the problems of phishing) and so on.
    • Open up every service. The folks at mySociety, Public Whip and have shown what can be done by a small, dedicated (in the sense of passionate) team. No-one should ever need to visit the absurdly difficult to use Hansard site when it’s much easier through the services these folks have created. Incentives for small third parties to offer services should be created.
    • Build services based on what people need to do. We know every year there are some 38 million tax discs issued for cars and that nearly everyone shows up at a post office with a tax disc, insurance form and MOT. For years, people in government have been talking about insurance companies issuing discs – but it still hasn’t happened. Bring together disparate services that have the same basic data requirements – tax credits and child benefit, housing benefit and council tax benefit etc.
    • Increase the use of intermediaries. For the 45% of people who aren’t using the Internet and aren’t likely to any time soon, web-enabled services are so much hocus pocus. There needs to be a drive to take services to where people use them. Andrew Pinder, the former e-Envoy, used to talk about kiosks in pubs. He may have been speaking half in jest, but he probably wasn’t wrong. If that’s where people in a small village in Shropshire are to be found (and with Post Offices diminishing, it’s probably the only place to get access to the locals), that’s where the services need to be available. Government needs to be in the wholesale market if it’s to be efficient – there are far smarter, more fleet of foot retail providers that can deliver the individual transactions.
    • Clean up the data. One of the reasons why government is probably afraid to join up services is that they know the data held on any given citizen is wildly out of date or just plain wrong. Joining up services would expose this. When I first took the business plan for the Government Gateway to a minister outside the Cabinet Office, this problem was quickly identified and seen as a huge impediment to progress.

    More to come.

    The Billion Pound G-Cloud

    Sometime in the next few weeks, spend through the G-Cloud framework will cross £1 billion.  Yep, a cool billion.  A billion here and a billion there and pretty soon you’re talking real money.

    Does that mean G-Cloud has been successful?  Has it achieved what it was set up for? Has it broken the mould?  I guess we could say this is a story in four lots.

    Well, that depends:

    1) The Trend

    Let’s start with this chart showing the monthly spend since inception.

    It shows 400 fold growth since day one, but spend looks pretty flat over the last year or so, despite that peak 3 months ago. Given that this framework had a standing start, for both customers and suppliers, it looks pretty good.  It took time for potential customers (and suppliers) to get their heads round it.  Some still haven’t. And perhaps that’s why things seem to have stalled?

    Total spend to date is a little over £903m.  At roughly £40m a month (based on the November figures), £1bn should be reached before the end of February, maybe sooner. And then the bollard budget might swing into action and we’ll see a year end boost (contrary to the principles of pay as you go cloud services though that would be).

    Government no longer publishes total IT spend figures but, in the past, it’s been estimated to be somewhere between £10bn and £16bn per year.  G-Cloud’s annual spend, then, is a tiny part of that overall spend.  G-Cloud fans have, though, suggested that £1 spent on G-Cloud is equivalent to £10 or even £50 spent the old way – that may be the case for hosting costs, it certainly isn’t the case for Lot 4 costs (though I am quite sure there has been some reduction in rates simply from the real innovation that G-Cloud brought – transparency on prices).

    2) The Overall Composition

    Up until 18 months ago, I used to publish regular analysis showing where G-Cloud spend was going.  The headline observation then was that some 80% was being spent in Lot 4 – Specialist Cloud Services, or perhaps Specialist Consultancy Services.  To date, of our £903m, some £715m, or 79%, has been spent through Lot 4 (the red bars on the chart above).  That’s a lot of cloud consultancy.

    (post updated 19th Jan 2016 with the above graph to show more clearly the percentage that is spent on Lot 4).

    With all that spent on cloud consultancy, surely we would see an increase in spend in the other lots?  Lot 4 was created to give customers a vehicle to buy expertise that would explain to them how to migrate from their stale, high capital, high cost legacy services to sleek, shiny, pay as you go cloud services.

    Well, maybe.  Spend on IaaS (the blue bars), or Lot 1, is hovering around £4m-£5m a month, though has increased substantially from the early days.  Let’s call it £60m/year at the current run rate (we’re at £47m now) – if it hits that number it will be double the spend last year, good growth for sure, and that IaaS spend has helped create some new businesses from scratch.  But they probably aren’t coining it just yet.

    Perhaps the Crown Hosting Service has, ummm, stolen the crown and taken all of the easy business.  Government apparently spends £1.6bn per year on hosting, with £700m of that on facilities and infrastructure, and the CHS was predicted to save some £530m of that once it was running (that looks to be a save through the end of 2017/18 rather than an annual save).  But CHS is not designed for cloud hosting, it’s designed for legacy systems – call it the Marie Celeste, or the Ship of the Doomed.  You send your legacy apps there and never have to move them again – though, ideally, you migrate them to cloud at some point. We had a similar idea to CHS back in 2002, called True North; it ended badly.

    A more positive way to look at this is that Government’s hosting costs would have increased if G-Cloud wasn’t there – so the £47m spent this year would actually have been £470m or £2.5bn if the money had been spent the old way.  There is no way of knowing of course – it could be that much of this money is being spent on servers that are idling because people spin them up but don’t spin them down, it could be that more projects are underway at the same time than previously possible because the cost of hosting is so much lower.

    But really, G-Cloud is all about Lot 4.  A persistent and consistent 80% of the monthly spend is going on people, not on servers, software or platforms.  PaaS may well be People As A Service as far as Lot 4 is concerned.

    3) Lot 4 Specifically

    Let’s narrow Lot 4 down to this year only, so that we are not looking at old data.  We have £356m of spend to look at, 80% of which is made by central government.  There’s a roughly 50/50 split between small and large companies – though I suspect one or two previously small companies have now become very much larger since G-Cloud arrived (though on these revenues, they have not yet become “large”).

    If we knew which projects that spend had been committed to – we would soon know what kind of cloud work government was doing if we could see that,

    Sadly, £160m is recorded as against “Project Null”.  Let’s hope it’s successful, there’s a lot of cash riding on it not becoming void too.

    Here are the Top 10 Lot 4 spenders (for this calendar year to date only):

     And the Top 10 suppliers:

    Cloud companies?  Well, possibly.  Or perhaps, more likely, companies with available (and, obviously, agile) resource for development projects that might, or might not, be deployed to the cloud.  It’s also possible that all of these companies are breaking down the legacy systems into components that can be deployed into the cloud starting as soon as this new financial year; we will soon see if that’s the case.

    To help understand what is most likely, here’s another way of looking at the same data.  This plots the length of an engagement (along the X-axis) against the total spend (Y-axis) and shows a dot with the customer and supplier name.

    A cloud-related contract under G-Cloud might be expected to be short and sharp – a few months, perhaps, to understand the need, develop the strategy and then ready it for implementation.  With G-Cloud contracts lasting a maximum of two years, you might expect to see no relationship last longer than twenty four months.

    But there are some big contracts here that appear to have been running for far longer than twenty four months.  And, whilst it’s very clear that G-Cloud has enabled far greater access to SME capability than any previous framework, there are some old familiar names here.

    4) Conclusions

    G-Cloud without Lot 4 would look far less impressive, even if the spend it is replacing was 10x higher.  It’s clear that we need:

    – Transparency. What is the Lot 4 spend going to?

    – Telegraphing of need.  What will government entities come to market for over the next 6-12 months?

    – Targets.  The old target was that 50% of new IT spend would be on cloud.  Little has been said about that in a long time.  Little has, in fact, been said about plans.  What are the new targets?

    Most of those points are not new – I’ve said them before, for instance in a previous post about G-Cloud as a Hobby and also here about how to take G-Cloud Further Forward.

    In short, Lot 4 needs to be looked at hard – and government needs to get serious about the opportunity that this framework (which broke new ground at inception but has been allowed to fester somewhat) presents for restructuring how IT is delivered.

    I’m indebted, as ever, to Dan Harrison for taking the raw G-Cloud data and producing these far simpler to follow graphs and tables.  I maintain that GDS should long ago have hired him to do their data analysis.  I’m all for open data, but without presentation, the consequences of the data go unremarked.

    Digital Government 2002 – Doing Something Magical

    Now here’s a blast from the past!  Here’s a “talking head” video recorded, I think, in early 2002 all about e-government (I am, of course, the talking head).  Some months later, much to my surprise, the video popped up at a conference I was attending – I remember looking up to see my head on a dozen 6′ tall screens around the auditorium.

    It’s easily dated by me talking about increasing use of PDAs (you’ll even see me using one) and the rollout of 3G, not to mention the logo flashing up in the opening frames and e-government, as opposed to Digital By Default.

    But the underpinning points of making the move from government to online government, e-government or a Digital by Default approach are much the same now as then:

    “The citizen gets the services they need, when they need them, where they need them, how they need them … without having to worry about … the barriers and burdens of dealing with government”

    “You’ve changed government so fundamentally … people are spending less time interacting and are getting real benefit”

    Lessons learned: get a haircut before being taped, learn your lines, even when in America don’t wear a t-shirt under your shirt (my excuse is that it was winter).

    Am I Being Official? Or Just Too Sensitive? Changes in Protective Marking.

    From April 2nd – no fools these folks – government’s approach to security classifications will change.  For what seems like decades, the cognoscenti have bandied around acronyms like IL2 and IL3, with real insiders going as far as to talk about IL2-2-4 and IL3-3-4. There are at least seven levels of classification (IL0 through IL6 and some might argue that there are even eight levels, with “nuclear” trumping all else; there could be more if you accept that each of the three numbers in something like IL2-2-4 could, in theory, be changed separately). No more.  We venture into the next financial year with a streamlined, simplified structure of only three classifications. THREE!  

    Or do we?

    The aim was to make things easier – strip away the bureaucracy and process that had grown up around protective marking, stop people over-classifying data and so making it harder to share (both inside and outside of government), and introduce a set of controls that, as well as technical security controls, actually ask something of the user – that is, that ask them to take care of data entrusted to them.

    In the new approach, some 96% of data falls into a new category, called “OFFICIAL” – I’m not shouting, they are. A further 2% would be labelled as “SECRET” and the remainder “TOP SECRET”.  Those familiar with the old approach will quickly see that OFFICIAL seems to encompass everything from IL0 to IL4 – from open Internet to Confidential (I’m not going to keep shouting, promise), though CESG and the Government Security Secretariat have naturally resisted mapping old to new.

    That really is a quite stunning change.  Or it could be.

    Such a radical change isn’t easy to pull off – the fact that there has been at least two years of work behind the scenes to get it this far suggests that.  Inevitably, there have been some fudges along the way.  Official isn’t really a single broad classification.  It also includes “Official Sensitive” which is data that only those who “need to know” should be able to access.   There are no additional technical controls placed on that data – that is, you don’t have to put it behind yet another firewall – there are only procedural controls (which might range – I’m guessing – from checking distribution lists to filters on outgoing email perhaps).

    There is, though, another classification in Official which doesn’t yet, to my knowledge, have a name.   Some data that used to be Confidential will probably fall into this section.  So perhaps we can call it Official Confidential? Ok, just kidding.

    So what was going to be a streamlining to three simple tiers, where almost everyone you’ve ever met in government would spend most of their working lives creating and reading only Official data, is now looking like five tiers.  Still an improvement, but not quite as sweeping as hoped for.

    The more interesting challenges are probably yet to come – and will be seen in the wild only after April.  They include:

    – Can Central Government now buy an off-the-shelf device (phone, laptop, tablet etc) and turn on all of the “security widgets” that are in the baseline operating system and meet the requirements of Official?

    – Can Central Government adopt a cloud service more easily? The Cloud Security Principles would suggest not.

    – If you need to be cleared to “SC” to access a departmental e-mail system which operated at Restricted (IL3) in the past and if “SC” allows you occasional access to Secret information, what is the new clearance level?

    – If emails that were marked Restricted could never be forwarded outside of the government’s own network (the GSI), what odds would you place on very large amounts of data being classified as “Official Sensitive” and a procedural restriction being applied that prevents that data traversing the Internet?

    – If, as anecdotal evidence suggests, an IL3 solution costs roughly 25% more than an IL2 solution, will IT costs automatically fall or will inertia mean costs stay the same as solutions continue to be specified exactly as before?

    – Will the use of networks within government quickly fall to the lowest common denominator – the Internet with some add-ons – on the basis that there needs to be some security but not as much as had been required before?

    – If the entry to an accreditation process was a comprehensive and well thought through “RMADS” (Risk Management and Accreditation Document Set) which was largely the domain of experts who handed their secrets down through mysterious writings and hidden symbols

    It seems most likely that the changes to protective marking will result in little change over the next year, or even two years.  Changes to existing contracts will take too long to process for too little return. New contracts will be framed in the new terms but the biggest contracts, with the potential for the largest effects, are still some way from expiry.  And the Cloud Security Principles will need much rework to encourage departments to take advantage of what is already routine for corporations. 

    If the market is going to rise to the challenge of meeting demand – if we are to see commodity products made available at low cost that still meet government requirements – then the requirements need to be spelled out.  The new markings launch in just over two months.  What is the market supposed to provide come 2nd April?

    None of this is aimed at taking away what has been achieved with the thinking and the policy work to date – it’s aimed at calling out just how hard it is going to be to change an approach that is as much part of daily life in HM Government as waking up, getting dressed and coming to work.