ID Governance movers and shakers - When I did a programme management course as part of my time at the London Business School (back in 1972) we were told that a programme with a turnover among key staff of greater than about 12.5% p.a. (1 in 8) was in trouble because of lack of continuity.
If turnover was less than 5% p.a. (1 in 20), it was in trouble because of stagnation. What does one make of a programme where the rate of churn among key staff, particularly those nearest to the top, appears to be over 200% p.a., sometimes with average length of stay measured in weeks, not months, let alone years?
Is it finally being sorted out and on track because it is finally about to adopt good practice, having exhausted all the other options?
I would love to be able to think so.
But future success also requires sorting a number of critical dependencies which are not under DWP control: not just the HMRC Real Time Information system, which happens to be a good idea in its own right, but also Government ID policy.
ID policy is also at the heart of the fight against fraud, the quality control of immigration and the deterring of health tourism by making it very much harder for those who were not born here and had never paid tax, nor had parents or grandparents who paid tax, to claim benefits or free treatment.
But who is responsible for the ID policy that we have not got?
ID Governance Movers and Shakers
Over recent years I have tried to maintain a "map" of who is responsible for which bits of government on-line security policy. Here is the current state of the section on ID policy.
- Identity Assurance (inc electronic IDs, Internet names and addresses)
- Home Office
Law enforcement and Criminal Intelligence files of identities and aliases
National Fraud Authority and "Fighting Identity Crime Together"
UK Borders Agency: identity of those entering/leaving, acquiring residency/citizenship
Identities and aliases of those within justice systems, from prosecutions, through courts, prison and probation to criminal and civil records
Lead on EU e-ID initiatives
Export control orders and sanctions on foreign regimes. Companies House: legal identities for Companies and Directors
- Ordnance Survey and Land Registry
Legal identities for properties
- Post Office
Programme to encourage inward investment in cyber and ID also ID/VISA issues
- DCMS including via Ofcom, Phonepay Plus and Nominet
- Phone Numbers and Internet names and addresses.
- CESG, UKTI (shared with BIS)
- NINO and identity of benefits claimants
- NHS National Health Service Number and a wide variety of other reference numbers
- Treasury Banking Regulation "Know your own customer rules"
HMRC Legal identities of corporate and individual taxpayers and tax credit claimants
- Transport: DVLA, identity of drivers and vehicles.
- Cabinet Office
- UK OIX Group
"Co-ordination" of identities for citizen dealings with Government
"Co-ordination" of identities for Government employees
Electoral Register (joint with DCLG and Local Authorities)
ID tokens in use across UK as common "proofs" of identity/age
- Local Authority ID Cards (15 use the Bracknell card)
- Other ID/Authorisation Tokens and Access/Transaction Cards
- Employee, Contractor and Agent IDs: from Armed Forces, Police, Emergency Services, Council and Utilities and others with statutory rights of access etc. to Charity Collectors
- Frequent Flier cards
- Customer Cards (with or without transaction bonuses)
- Credit Cards
- Debit Cards
- On-line ID services
- Paypal, Google, Microsoft etc.
I would be most grateful for any comments on errors and omissions in the above list but it will be fairly obvious why Cabinet Office finally appears to have conceded defeat on the thankless task of trying to "co-ordinate" ID policy. I should perhaps add that I was never a fan of ID cards because I do not believe in "one size fits no-one" solutions.
I have long believed that the only realistic way forward is a policy of creeping rationalisation - driven by National Audit Office reports which condemn those departmental identity systems that are unfit for purpose, riddled with errors and wide open to abuse, and which praise those that are found to be fit for purpose - i.e. sufficiently accurate, secure and fast (response time) for the applications for which they are used.
If that leads to departments choosing to contract their ID processes to private sector suppliers governed by UK law whose call centres and files are inside the UK, then that would be totally rational. I should, however, add that I happen to also believe that it should be an offence (i.e. not just a mandatory contractual prohibition) to process personal data collected under statutory authority (e.g. criminal or health records, tax or benefits data) outside the UK without some form of explicit judicial oversight.
Next week I hope to begin the review of the Conservative Technology Forum policy study priorities for next year. We have provisionally agreed to take a look at the implications of basing ID policy on the premise that we have copyright in our own identities and identifiers and that anyone using them owes us a duty of care, even if we have agreed to waive the royalties in order to, for example, receive benefits. Those interested in helping such a study will find membership details on the website. We have also been asked to take a cool view of the reform of the programme planning and procurement in the public sector.
That will be even harder because so many of the experts who have volunteered to help have such strong views on the need to follow professional best practice without considering political realities. The "real" problem is how to apply "political engineering" (others use less polite phraseology) to avoid the rank bad practice that is so often found in the public sector when those without relevant experience are pressured into taking short cuts, while so-called IT professionals (usually with little, if any, experience of delivery as opposed to selling) promise politicians that this time it will be different.