Tamara Finkelstein: We have put in place a great deal of things to deal with sewage in our water. One aspect of it, in terms of dealing with the water companies, has been that we are looking at the level of civil sanctions and fines. We will be consulting on that. That is one aspect, but, as part of the price review process, we will be requiring significant investment by the water companies that have made commitments around taking action on sewage flows, including all the way up to 2050. A great deal of action is in place. We have put in the Environment Act powers for Ofwat to look at dividends, so it will be consulting on that as well. There is a raft of measures in place.  

Q2

Sir Geoffrey Clifton-Brown: I accept all that and that is all really good news, but if Government are signalling that they are going to weaken the enforcement regime, all of that is to naught really. The water companies will just carry on doing what they are doing at the moment. Surely this sends a really bad signal. 

Tamara Finkelstein: I do not think that there is anything about the range of things that we have put in place that suggests that the Environment Agency, Ofwat or Defra is weakening the regime. In fact, the requirement is for £56 billion of investment. As I say, we will be consulting around fines as well. All those things are in place. 

Q3

Chair: This week, Parliament passed the retained EU law Bill, which gives you a lot of work, I think, Ms Finkelstein. Could you tell us what progress you are making on going through every law covered by that Act and how long it is going to take you to deal with them?  

Q4

Chair: Some parts of the press have reported estimates that you are having to change or review three laws a day. Is that in the right ballpark? 

Tamara Finkelstein: Do you mean in terms of what we would need to do at that point? 

Chair: Before the end of the year, yes. 

Tamara Finkelstein: We are still working through. There is a lot, but we are working through it. It will slightly depend on how many there are to revoke and to allow sunset, and how many things there are to reform, etc. 

We are still working that through.   

Q5

Chair: One of the areas of concern from a lot of people is that some of the environmental law that we adhere to through the EU is good law that is 

generally backed. Can you give any reassurance that that will not be watered down or lost as a result of this review, and that we will continue to maintain those environmental protections? 

Tamara Finkelstein: I can echo what Ministers, including the Secretary of State and actually the Prime Minister, have said: that environmental protection will remain in place at a high level. The Environment Act has indicated our world-leading approach to environmental protection, so there is not an intention to weaken environmental protection through the retained EU law Bill.  

Q6

Chair: Is there any risk of a gap between this Bill coming in, forcing the drop, and you not being ready to introduce new law? 

Tamara Finkelstein: That is the work we are doing. Where that is the case, we would need to retain. We are going through really carefully to ensure that there are not gaps. 

Q7

Chair: Some may be retained while there are further discussions that go on. 

Tamara Finkelstein: Yes, because we can then use the later sunset for that. 

Q8

Olivia Blake: I was curious about the Government’s EU law dashboard. I have noticed a couple of discrepancies in a few PQs to members as well. On the dashboard, it currently says that there are 570 pieces relating to Defra. In answer to a question from the Member for Swansea West, the Minister indicated that there are 1,100 pieces of EU retained law that need to be dealt with by Defra. They are vastly different figures. Why is the dashboard so different from the Minister’s answers? 

Q12

Nick Smith: Good morning, everybody. Ms Finkelstein, given the number on the dashboard has gone up from 500 or so to 1,000 or so, how confident are you in the 1,000 or so number? Do you think that that is going to go up dramatically again? 

Tamara Finkelstein: We have done a tremendous amount of work to get to this point and looked at them in detail with each Minister and with the Secretary of State. I have quite a lot of confidence about this programme of work. We are close to having identified everything, but not quite yet. At the point we have an opportunity to update the dashboard, we will put that latest position and we will inform as soon as possible if that changes. 

Chair: We now move into our main session, looking at how Defra is managing its ageing digital services. As I say, that is a theme that we have been looking at across a number of Departments. It is the second most expensive in Whitehall, second to the Home Office, so lots of taxpayers’ money is involved.  

Q13

Anne Marie Morris: Ms Finkelstein, before we start drilling down into the risks of the legacy system you have, it would be helpful to understand the shape of the challenge. As I understand it, we have quite a complex Defra group. We have mainstream Defra, but then we also have a tail of about 30 arm’s length bodies, varying in size, which gives you quite a challenging organisation to then look at the IT provision across the piece. I understand that some of it, the large chunks even of the arm’s length bodies, are within the overall broad programme. Then there is a tail of small ones, if I can put it like that, that are still independent. That sounds like a real challenge in terms of managing the risk of the legacy of ageing IT.  

Q19

Anne Marie Morris: Which bit of Defra keeps you awake at night because you are really concerned that there is a very significant risk in terms of your ability to provide the service to the customer, which will have a serious impact on the customer or on that particular issue, maybe animal or plant health?  

Tamara Finkelstein: We have identified the risks and we have described what we have put in place to manage those risks as best as possible, including that hyper-care on some of the riskier systems, gives me a lot of confidence. 

Q20

Anne Marie Morris: What is in this hyper-care bucket? What are you providing as a service to a customer? 

Tamara Finkelstein: I suppose that there are two things for the customer. One is that you do not want to have a system that is going to go down and that you cannot use. There is also an issue that they are not that good and easy to use. On that first, of risk of cyber-attack or going down because we are not using it properly, I have a lot more confidence that we have identified the applications where we have concerns and put the right care around it so we can manage it if it goes down and monitor it so we know whether there is a risk.  

Q21

Anne Marie Morris: That is efficient and great, but what we are concerned about is where we are now. Mr McKee, what do you see as the most vulnerable system within this Defra group that keeps you awake at night? What are the key consequences? Is it cyber-attack? Is it that the forms are not generated? Is it that the consequence will be some environmental damage? Can you give me a flavour?  

Malcolm McKee: Yes, I can. Good morning. It is first worth reflecting that Defra group was brought together from a number of different IT organisations. The NAO was kind enough to recognise that we are one of the very few Departments that are addressing that scale of thing.  

It would be unwise to talk about specific vulnerabilities in applications in this public forum. However, we can refer off to the top riskiest systems work that the CDDO did. Chris has already talked about Sam, which was at No. 21 on that list. The rest are scattered between about No. 46 and No. 101. 

The primary risk is cyber-attack, and it is something we have to work up to. Where an application is old or out of support, there are more known vulnerabilities and fewer patches available for that application. The older it gets, the truer that is. Primarily, there is a risk of cyber-attack. For all of Government and industry, the question tends to be when, not if. Hence, we build defences around that where we, by automated systems but also by people, detect intrusion. We respond to that intrusion and then have business continuity and disaster recovery plans, so that we can recover from that. Those are the additional measures that we have put around those. 

Q22

Anne Marie Morris: That is very helpful. That is entirely understood. Let me move to data. 

Data is, of course, critical to any business. If data is locked into a system that is not supported, you have a challenge then using it. What exactly are you going to do to deal with the fact that data is spread across so many disparate systems, so that it works better and you can use that data, rather than having to ask the consumer to put it in yet again? 

group, citizens and businesses. That handles literally billions of calls for data every year. It is through bringing those common platforms together and then bringing the disparate parts of Defra group together that we start knitting that together. It is not easy, and it requires continued investment over a number of years.  

Q23

Anne Marie Morris: Is there a strategy to deal with all these issues? From what you are telling me now, it is not just IT. It is legal. It is cultural. You have different systems. You then have the technical IT bit. Is there a strategy with a plan behind it as to how you are going to deliver this?  

Malcolm McKee: It absolutely is all those things. At the moment, there is a bit of work ongoing to form that strategy. It is done jointly between us, the digital organisation, Defra group transformation, which is looking at taking us forward, and the Office of the Chief Scientist. 

Chris Howes: We have formed something called the data exploitation board, which includes members from exco. It is a group that I sit on. As its name suggests, it has entirely that focus: to build a strategy, to ensure that we have stronger data sharing across Defra group, and to ensure that we have the skills in the organisation to use things such as the central data platform. 

The interesting thing in terms of the data analytics platform is that we have taken a strategic decision not to try to bring everything into one big data lake, but to put in a system that interrogates the systems where they sit. It is a much more cost-effective and lower-risk way of doing things, but it is much more effective in the long run.  

Q24

Nick Smith: I want to pick up a couple of strands from this most recent discussion. I like this phrase “hyper-care”. It shows that you are understanding the difficulties you face. There are a few things I was unsure about, though. There is this bottom 30% that would include the hyper-care work you are doing. Although you tried to give us some reassurance that things are going to be fine around floods and bovine TB, are those topic areas in that 30% section that you talked about? 

Chris Howes: There are two ways that we have worked with CDDO in terms of prioritising our approaches and investment. First, it is around public impact. Which are the most critical services to the public? Which are the high-volume services? I am sure that Paul will talk more about this, but there is an approach looking at the top 75 public-facing applications. 

We have 12 in Defra that sit in that top 75. 

Q25

Nick Smith: Sorry to interrupt, but are the networks around bovine TB and floods part of that 30% bucket that you talked about as being unsupported?  

Chris Howes: They are not any more, because Sam was but it has now been upgraded, so that is now not in that high-risk area. Our flood systems are more modern. Over the last year or so, we have made massive investments in our flood warning system so that it is up to date.  

If you looked at those 12 high-volume public-facing services, nine of those are fully in support, so a high proportion are fully in support. Two are a bit of a mixture of modern and legacy and one is what we would describe as full legacy. As I say, all three of those are in hyper-care and we have plans to remediate. In fact, the one that is full legacy will be remediated this year.   

Q26

Nick Smith: Which is the one that you said is in hyper-care? 

Chris Howes: Sorry, it is probably not wise in any public forum to say which systems are most at risk from external attack. The other way that we looked at things is to ask, “Which are our most risky systems?” Again, we have worked with CDDO and it has created a view of the 100 highestrisk systems across Government. As we have said, about 13 of our systems are in there. The majority of those are actually internally facing systems. They are not public-facing services. By using those two risk views, so what the basic risk is because of the age of the systems and what things are most relied on by the public, we can target our investment. That is exactly what we have done.  

Q27

Nick Smith: Of the work that is in hyper-care, which sections are costing you an arm and a leg and need attention sooner rather than later so that you can keep the bills lower?  

Chris Howes: The systems that are more expensive than they ought to be, in terms of what is spent, are typically those that are hosted in legacy data centres. One of the main things that the legacy applications programme is doing, which will be largely complete in terms of this phase by the end of this financial year, certainly by April of next financial year, is moving those applications out of legacy data centres into more modern data centres or into the cloud.  

As part of doing that, we are doing upgrades as well to make sure that they have the basic level of support. We talked about the legacy application programme delivering benefit of over £112 million. The highest proportion of that is the reduction in data centre hosting costs. 

Q28

Nick Smith: Ms Finkelstein, given you have to deal with—it says here—14 million transactions each year involving paper forms, when do you expect to get this number down? 

Q29

Nick Smith: Why not? 

Tamara Finkelstein: That is the work we are doing now. That is part of our transformation. We knew that we needed to stabilise our systems, enhance them and transform. You have to manage those risks first, take the opportunities. We had to do our EU exit new systems, but we took the opportunities to develop common platforms that have been really important to further stabilising. We have not yet made the plan as to how we further transform to digitise those systems. We are doing that as part of our transformation programme. 

Q30

Nick Smith: How many additional people do you employ because you operate all these legacy systems? 

Tamara Finkelstein: That is difficult to know, as to whether this is about additional people or not. A lot of the problem of what you are describing around the paper forms is what we are requiring the people who have to engage with us to do, rather than what we need to do. There was a sense of this in the NAO Report: “Does that mean we have people in our contact centres who are doing a lot of explaining of how you do stuff with our forms?” Undoubtedly, there will be some of that, but they are also answering other questions that people have. I do not know how much it would reduce our contact centres. 

Q31

Chair: It is a burden on the user. 

Tamara Finkelstein: Most of it is the burden on the user. I am not saying that there would not be some greater efficiencies. We have been investing in small bits of automation and that definitely has given us efficiencies. We have quite an efficiency challenge, so this will be part of addressing that, no question. 

Q32

Nick Smith: Given your wide-ranging responsibilities, how do your systems knit together? We have had some of that from Mr McKee, but what would be your judgment on that? 

Q33

Nick Smith: Hopefully there will be a new protocol around trade for the Republic and the north of Ireland in the coming months. I know that that will be uncertain for you, as you go towards that. How quickly do you think you will get to a place—fingers crossed that an agreement is made—where you will have Defra systems that allow frictionless trade there? That would be really important.  

Tamara Finkelstein: We have been investing in our digital assistance scheme and developing with the current arrangements that we have in place, as to digitising that and making that smoother, so we have already made huge progress on that and will continue to do that under whatever arrangements are in place. We have already invested in that system. 

Q34

Nick Smith: It is tricky. We understand that, but what is your assessment of when the IT will be ready, should there be a protocol agreement this spring? 

Tamara Finkelstein: It depends on quite what arrangements continue to be in place. We have already digitised a lot of the arrangements about how goods are moved through the digital assistance scheme. 

Q35

Nick Smith: That is good. Do you have any more on that? Which digitalisation have you done? 

Q36

Chair: I know that you have talked about the top 75 and we have touched a bit on cyber. I will bring Mr Willmott in here briefly as well. Cyber-attacks are top of the risk register. Obviously, you cannot talk about individual systems. We understand that. What plans do you have to support cyberdefence? Then I would like Mr Willmott to give us an assessment of how he feels this fits in with the Whitehall programme. 

Chris Howes: Mr McKee talked about our basic approach, which is to protect, stop things coming in in the first place, detect and then respond. We have spoken a little bit about the protection in terms of hyper-care. An important part of our process is that we have really strong monitoring capability. It is better in our more modern systems. We have our own monitoring capability. 

Q37

Chair: We get a general idea that you have monitoring capability. Can you walk us through an example of how you monitor? 

Chris Howes: All the traffic within our systems is being monitored 24/7, 365 days a year, by a team that is looking for abnormalities, for example in terms of high data loss. As another example, if I took my iPad or laptop overseas, to Germany or wherever, our systems would detect that that is an unusual thing to be happening. Unless I had got permission to do that in the first place, my system will be locked down. It is looking for that level of intrusion or my access will be locked down. 

If we find an issue, and we have found issues in the past, or unusual behaviour in terms of our technology systems, we are in a position to respond. We do that in two ways. One is that we have our internal security team and IT team. We also have an external cyber-incident response partner contracted to support us, again 24 hours a day. That will step in to support should we need specialist support in terms of responding to those particular incidents. 

The other thing that we have done is training, so working in terms of business continuity response. We ran an exercise with exco, going through a business continuity exercise based on a cyberattack that was actually developed by our external partner. We keep the awareness and a level of capability to respond in the event of an attack. 

Q38

Chair: Have you had any attempts? There must be cyber-attacks, or attempted attacks, happening all the time. 

Q39

Chair: That could be taking a laptop abroad or losing something. Have you had any malware or other attacks?  

Chris Howes: Yes, we have, historically, so back in 2019. This is from memory, so I think it was 2019. I will correct that if that is wrong. We had a ransomware attack on one of our off-network activities. It was actually a piece of grey IT. More recently, our systems have detected unusual behaviour in one of our development environments. That development environment was shut down immediately because we detected an attempt to intrude. 

Q40

Chair: We know that they will try, so it would be unusual if you did not have any. 

Chris Howes: Absolutely, yes. 

Q41

Chair: Mr Willmott, in terms of Whitehall as a whole, how is Defra doing compared with other Departments? It has a very complex set of systems to sort out. 

Paul Willmott: Good morning, everybody. This Committee actually set the ball rolling just over two years ago, requesting that CDDO work across Government to assess the legacy estate. It is not just for cyber-risk but for operational risk, cost, efficiency and so on. We have accepted that set of recommendations. You know, because we have written to you last month. We are making progress to work with Departments to understand where the risks are, but also to help Departments mitigate those risks. 

So far, we have agreed a framework with Departments, which will be used going forward and refreshed annually. We have mapped six Departments and 105 systems—the most risky systems, we believe—from those six Departments, into that framework. There are 40 in the red zone, so 40 that need to be mitigated and action needs to happen. There is only one in Defra, which is the aforementioned Sam, which has already been mitigated.  

Chair: Sam is getting a lot of airtime today. 

Paul Willmott: We have then worked through the top 20 to confirm that mitigation funding and plans are in place. We are in progress of working through the remaining 85 by the end of this calendar year. We are also widening the scope in this calendar year to all other ministerial Departments. At that point, we will have a good sense of where the risks are in Government and how well they are mitigated.  

Q42

Chair: There was not a central understanding of these risks before.  

Q43

Chair: Has that helped with bidding money for the Treasury? Do you have some input when Ms Finkelstein is putting in her bid to the Treasury for money for this? Does it also ask for your opinion? 

Paul Willmott: Yes, it does. I think for the first time in SR21 we provided technical input to each of the major funding bids for legacy and other digital investment projects. 

Q44

Chair: This is a big change from when the rural payments debacle happened, when the digital team was seen as different. As someone said in this Committee, they talked differently and they wore different clothes. You are obviously talking the same language a bit more now. Where does Defra fit into the scheme of risk? We highlighted that the cost is second only to the Home Office. In terms of the challenges and the risks, how is Defra doing?  

Paul Willmott: I think that the Defra systems figure lower down the table was given earlier. There are many of those systems in the table but, as mentioned, I think that that is a factor of the history of Defra. If you look at the top of the table, there are other Departments that you see there, including DWP, courts, Home Office and HMRC. 

Q45

Chair: Yes, our regular visitors. We will obviously continue. You may well be a witness more often, because we are looking quite a lot at this digital legacy. 

On the funding issue, is the 10% to 15% saving that you mentioned earlier, Mr Howes, of the whole Department’s budget? 

Chris Howes: No, that is my budget, before I start offering up anybody else’s budget. 

Q46

Chair: Ms Finkelstein was about to rub her hands with glee, so just to be clear. What is that in money terms? Remind me. 

While we have had significant investment, there is still much more for us to do in terms of improving the customer journey, as well as improving our internal efficiencies and how we deliver our services. 

Q49

Sir Geoffrey Clifton-Brown: Mr Wilmott, I anticipated that answer from Mr Howes. You have some fairly exacting targets that you have set through the Central Digital and Data Office. How do you expect poor old Defra to meet those targets if you do not give it enough money? 

Paul Wilmott: Those targets come with some support from the Central Digital and Data Office, and also through our working with Treasury. We are working with Departments on what we call sprints to determine the size of the prize, and hence the business case, from the digitalisation of services. We are working through the top 75 that we aspire to be great. We have conducted nine service sprints so far and there are eight further in progress. 

So far, only 10% of the ones we have looked at qualify as great. This is not a super starting point, but it also means that there is a big opportunity because, when you digitise services, my experience—I have been involved in this sort of work for 30 years or so—is that there is a very significant upside in terms of efficiency and payback. From this work, we are anticipating that we are going to be able to surface some quite strong business cases for digitalisation, which will go into subsequent discussions with Departments and Treasury. 

Q50

Sir Geoffrey Clifton-Brown: That does not quite give me the answer that I wanted, or the answer to the question, really. Your mission 6 on the CDDO says, “All Departments will, as a minimum, meet the definition of ‘good’ for product-centric organisational structures and agile ways of working when self-assessed against the new digital, data and technology function standard” that you have set. How are they going to do this on the present budget? 

Paul Wilmott: First of all, that road map was signed off by Departments. There is no central pot of funding in Cabinet Office to deliver on those commitments, but each Department did sign up to that road map and the commitments therein. 

Q51

Sir Geoffrey Clifton-Brown: Ms Finkelstein, you have heard Mr Wilmott say that you signed up to it, but, presumably, you signed up to it on the basis that you were going to get the resources to be able to deliver it. Given that you needed £700 million plus to deal with the legacy, without all the new systems, how are you going to do this? You only got 56% of what you asked for. 

Tamara Finkelstein: There are bidding processes. You never get quite as much money as you would like to get. Having the money to stabilise things that are in our legacy portfolio and to do really good systems in some of our major programmes is incredibly helpful. Again, I will give the example that, hopefully, will resonate with you on countryside stewardship, which is an existing system, but, through the future farming programme, we are able to improve and digitalise that service and make it a really good service. 

We are finding ways in which we can do double duty with the money that we have, so you have to do something new, but you can improve an existing service along the way and, similarly, with some of the legacy, taking the opportunity to improve a system as we go. 

As an executive committee, we have also identified the areas where, if we had the money, we would like to prioritise transformation and digitising a service. What we have agreed is that, where we can find a slice of money— perhaps we do something better and quicker on one of our major programmes—we will manage that money centrally, very actively, to say, “Let us use that to do some of this work”. We are trying to make best use of the money that we have. 

Alongside that, we are going to be building that case for the next spending review. What Mr Wilmott talked about, the work they are doing on how you identify the benefits and have frameworks to do that, is going to be really helpful with that, which Mr Smith was raising before as to how you build the case in terms of savings that you can make. That work will really help us in the next spending review. 

Q52

Sir Geoffrey Clifton-Brown: I have no doubt that you will be spending the money wisely, otherwise this Committee will be asking you some fairly probing questions. Mr Howes, according to the Report, you used to have a thing called the digital, data and technology group, which was set up in  2014. I assume that that has now been subsumed in either the data exploitation board or the digital prioritisation board. 

Chris Howes: I think that the 2014 reference is to the setting up of the digital, data and technology function. The group approach was delivered in stages, if you like, in terms of Natural England and the core Department joining first, and then, because there was a fair amount— 

Q53

Sir Geoffrey Clifton-Brown: We do not need a long-winded answer. Presumably, that 2014 board has now been disbanded—yes or no? 

Chris Howes: Yes. It has been superseded. 

Q54

Sir Geoffrey Clifton-Brown: Thank you. So you now have the digital prioritisation board and the digital exploitation board. Can you explain what they both do? 

Chris Howes: The data exploitation board, as its name suggests, is aiming to make the most of the data that exists across Defra group and to remove any barriers to that working effectively, whether those barriers are down to capabilities or down to the quality of data, or whether it is down to a technology requirement. It is very focused on data and how we get that data to move freely between different parts of Defra, and, where it is appropriate, then make it available to external users. 

The portfolio board looks at the entirety of Defra’s digital, data and technology spend within the six organisations or the six parts of Defra group. It ensures that any expenditure on digital, data and technology is done not just looking at the individual, specific, local need, but done in the context of the broader Defra group, so that we do not reinvent wheels, that we build on platforms, that we share existing components and that we use common architectural standards for how things are built and how the public can use them. It also makes sure that any externally facing digital services comply with CDDO requirements. 

Q55

Sir Geoffrey Clifton-Brown: Can I just be clear from all of you that the digital, data and technology group set up in 2014 has been abolished? That is right, is it, Mr McKee? 

Malcolm McKee: Can I just fill in on that? Digital, data and technology— DDAT—is the Cabinet Office name for the IT function. DDTS—digital, data and technology services—is the Defra name for our IT function. The process that you are talking about from 2017 was the forming together of the separate IT functions of the disparate parts of Defra group into one single IT function that still exists today. It is not a governance decision-making body. It is us. We are the IT function. 

Q56

Sir Geoffrey Clifton-Brown: That is really helpful. We have already talked about the CDDO’s six prioritisations. Is there a clear road map as to 

how you are going to meet all six of those? This is central Government’s aims of how we should be transforming each Department’s digital offering.

Is there a clear roadmap for how Defra is going to meet that? 

The first of our services that was assessed through the process fared pretty well, and there is very little room for improvement, according to the review that was carried out by CDDO. Although we have around a dozen services that are in that top 75, we are pretty confident about a high proportion of those, because they are relatively modern services. We will focus our efforts in terms of additional investment on those that are a little bit older, as I was talking about before. 

Q57

Sir Geoffrey Clifton-Brown: That is mission 1. You are confident that, by 2025, which is only two years away, those that are in the Government’s top number of services will move to a great standard. You have a plan to achieve that. 

Chris Howes: We are confident that, for those services in the top 75, we will meet that standard. 

Q58

Sir Geoffrey Clifton-Brown: Perhaps sticking with you, although any other members of the team are welcome to answer, in terms of paragraph 15, you cannot do all this without people. You ran a recruitment campaign for 244 digital, data and technology roles, but you could not fill 76 of those, or 31%. Trying to recruit sufficient IT people with sufficient skills is, I accept, a common problem across Government. What are you doing to further fill those roles? 

Chris Howes: The challenges in terms of digital capability are shared not just in Government but across business more generally. It is not specific to the UK either. We are using the DDAT pay framework, so that, essentially, supplements can be paid, based on capabilities for specific digital roles. 

Q59

Sir Geoffrey Clifton-Brown: Are you using that? 

Chris Howes: Yes, we are one of the users of that process. It is evolving, and we will be picking up the next iteration in terms of widening its scope and also the new revalorisation of those pay scales within it. We are working very hard to bring in more junior staff. We have set up our own academy. We are using apprenticeships to bring new staff in. Our approach is bearing fruit. We have dramatically reduced our reliance on contingent labour, for example, which is now down to around 22% of our resources.

A year ago, that was at over 30%, so we are making good progress there. 

Chris Howes: It absolutely does, and that is the trade-off. We would prefer to be resourcing more of that activity through our own resources and are committed to doing so. 

Q60

Chair: Are you constrained by salary levels? If you want to do it through your own resources, are you finding that you are competing in the relatively small pool of technical experts? 

Chris Howes: Yes, but the DDAT pay framework is aimed to bridge some of that gap. It is recognised that that is a really good step, but it has not entirely taken that problem away in terms of the breadth of roles covered by the DDAT pay framework, which needs to increase. It is also always going to be difficult to compete with the private sector. 

Chair: There are other benefits to working in the public sector. 

Chris Howes: Indeed. 

Q61

Sir Geoffrey Clifton-Brown: I am wondering whether you could do more in terms of recruitment of these necessary IT skills by trying to make the job more attractive with hybrid working, or going to target specific university departments to spread your message to potential recruits. There are lots of things that could be being done—stands at IT fairs and so forth. Are you doing any of that? 

Chris Howes: Yes, indeed, we are, in terms of general approaches and specific approaches from an equality, diversity and inclusion perspective, so targeting underrepresented groups for us as well. One of the things that Government offer, and that Defra in particular offers, is a really strong mission. We find that quite a high proportion of people who join Defra, even in the technology teams, are really committed to the cause in terms of protection and enhancing the environment. 

We are very actively using, for example, areas like LinkedIn to promote not just the job vacancies but what it is that it will be delivering, because I genuinely believe that the things we are delivering in Defra are really quite innovative and groundbreaking, and genuinely protect the environment for this and future generations. There is a strong offer there. 

Q62

Sir Geoffrey Clifton-Brown: Finally, here is a completely different question. I sit on the Finance Committee of this House, and I was staggered

to find out what the Microsoft licence costs just this House. It has managed to do some quite nifty renegotiations of that cost by streamlining some of those licence requirements and lumping them into a smaller number. I know what the figure for this House is and I am not going to put it in the public domain, because it is confidential, but I should imagine that your figure is several times more than that, so it is a lot of money. What are you doing to renegotiate that? 

It is not just about the money. We also make sure that we bring in the added value from organisations like Microsoft in terms of the things that it can bring in addition to the licence cost. As you say, we are quite a significant customer of Microsoft, in terms of both individual licences and, of course, a lot of the cloud that we use. Azure is a Microsoft product that we pay for.  

Q63

Sir Geoffrey Clifton-Brown: I would imagine that you could reduce that licence requirement. Part of the cost must be that you have so many different systems, particularly legacy systems, and what the House of Commons managed was, by upgrading some systems, to lump them all into one. Presumably, that is an added incentive for you to start to really make quick progress on these legacy systems. 

Chris Howes: That is absolutely true. The other important aspect is that, very often, when we are carrying out major programmes like the legacy application programmes, we find redundant systems or take the opportunity to make systems redundant. During that process alone in terms of the legacy application programme, we have decommissioned over 30 IT systems, because more modern alternatives are available. That is really quite significant, in terms of both internal efficiency and cost savings.

Q64

Sir Geoffrey Clifton-Brown: I have a final question, and the Report makes mention of this. You mentioned migration to cloud systems, which are great, because they are more flexible, but there is a problem here, because you are migrating from capital systems to revenue systems. How are you managing that within your Government ask? 

Chris Howes: That is, again, very much of a known issue in terms of both the move to cloud and a change of approach to how IT systems are maintained and operated. We are trying to move to a process that is much more based on iterative improvements—smaller and lower cost but more frequent—to our IT systems. That also means that quite a lot of that investment is more RDEL-focused than CDEL-focused.  

Q65

Nick Smith: Mr Wilmott, I think Mr Howes said the percentage of external staff in his Department had gone down from approximately 30% to something like 22%. That sounds great, with good progress and nearly a third off—thumbs up—but it is still at 22%. How does that departmental figure compare to other Departments in your remit? Are they top of the league, middling, or bottom of the league? 

Paul Wilmott: They are almost spot-on middle. The number across Government is 20.5%, and that is out of 30,100, from memory, which was in the last workforce report in October. What do we think about that number? We think it should come down. Some contingent labour is good for flexibility, but, as has been pointed out by colleagues, contingent labour can be up to twice as expensive for some roles, so we are trying to address that opportunity. 

Again, from our recent workforce reporting, we have around 14% vacancies at the moment in the digital and data community, which is not what we aspire to at all. We have committed to less than 10% and we hope it could be even lower, but, as you have already pointed out, it is a challenging market for talent. 

Q66

Nick Smith: What percentage is “good” and what is your strategy for getting everybody up to “good”? 

Paul Wilmott: This might sound like I am ducking the question, but “good” depends on the Department and its needs. There may be certain parts of Government where the need for technology resources goes up and down. There are other parts of Government, and particularly the bigger Departments, where it is a lot more stable. The more stable the need, the less contingent labour. We have said 10% because that is an achievable target Government-wide. 

What are we doing about it? Mr Howes has already referred to some of the efforts that we are making around hiring, but the pay framework, which has been adopted by 28 Departments already, is a material improvement. Some Departments—for example MOJ—have managed to reduce

contingent labour by around 50% as a result of that pay framework alone. 

We are doing more. We are also changing the way that career progression works and the criteria for career progression, to make digital careers more attractive, and we are increasing the amount training that we are giving. 

Chair: We have been talking about skilling up the civil service for at least a decade on this Committee. 

Q67

Anne Marie Morris: Mr Wilmott, the Government are doing a lot, both back office and front office, and I wonder whether there is a challenge about whether the two should carry on being separate or whether they should be joined. The current back-office project—the five clusters—has been a challenge in its own right in trying to pull all Departments together and put them into these clusters, and then work out a way forward. Backoffice systems and front office systems are connected. It seems to me,

Paul Wilmott: I have not looked in great detail at the five clusters, but let me tell you what I have experienced in other large-scale settings in the commercial sector— 

Q68

Chair: Just to be clear, it is about 30 years’ experience that you have, mostly in the private sector. 

Paul Wilmott: Yes, I have seen this debate play out in different contexts, so here are some thoughts. First, there are clearly economies of scale from reducing the number of systems and consolidating across organisational units and Departments, as we have seen in Defra via the five clusters or other things that we have done, like One Login. There remains opportunity there within Government. 

Secondly, as part of our chief technology officer forum—we have around 30 of the CTOs, such as Malcolm, around the table there—we are looking at opportunities for that sharing and consolidation. The current pilot project that we are looking at is grants, because distribution of grants is something that many Departments do, but on multiple systems at the moment. We see an opportunity here and are pursuing it through that forum and that initiative. 

In terms of the connection between front and back, the way that that is usually handled is by having a very clear boundary or interface between the two, and being extremely specific about what lives in the back and is shared, and what is not. That clarity and alignment between the technical systems design and the organisational model is critical. 

Q69

Anne Marie Morris: That is very helpful and very clear. Let me then ask you this. In terms of procurement, which is clearly an enabler for all of this, is there an overarching, Government-wide strategy to make sure that we do not find all sorts of different negotiations going on in different places? 

Paul Wilmott: We are working with Government commercial services on that. I would say that there is more to do there. Mr Clifton-Brown mentioned earlier some of the savings that have already been seen around Microsoft. We know that commercial is achieving, on average, an 18% save when it pushes together vendor contracts—that is the published number— and so we do see the opportunity. What is important, though, is not just negotiating jointly as one Government, but also setting up those contracts so that there are common technical standards. You can buy the same thing and implement it many different times, but that just creates more complexity. 

Q70

Anne Marie Morris: That is very helpful, but, if I can sum up, it sounds to me like it is opportunity rather than strategy. You are not quite at that  stage yet. 

Paul Wilmott: That is fair. We do not have a published strategy at this point. 

Q71

Anne Marie Morris: Would that be an ambition? 

Paul Wilmott: Yes. 

Anne Marie Morris: The right answer, thank you. 

Q72

Chair: I wanted, if I could, to turn to you again, Mr Wilmott. You have had an interesting career in change and digital. You have been in the Whitehall arena since February 2021. How do both Whitehall’s and Defra’s approach to digital change compare with the best of the private sector? 

Paul Wilmott: That is a wide-ranging question. 

Chair: What is your scorecard for Whitehall? You are one step removed. Although you are a Whitehall insider to some degree, you are not a lifer. 

Paul Wilmott: On arriving in Whitehall, the ambition was well below what I would have liked or expected. That was worrying to me as a citizen as much as anything else, because there is a huge opportunity here for not just better use of public money, but a far better experience for citizens. People do not want to fill in paper forms and wait 12 weeks for a benefit or whatever, so I can see that there is a huge opportunity. 

I do think that we have made good progress, and I have been delighted with the level of collaboration from all Departments as we put together the transforming for digital change road map. As you have heard, it is a stretching set of commitments, but Departments have leaned into that and continue to do so. Defra has been very much at the centre of that programme, so I am considerably more optimistic now as we go forward.  

There is more to do. We have talked about talent. The other thing that we have talked about is upskilling civil servants outside of the digital arena to make sure that the awareness of the opportunity is clear and that the right prioritisation is happening. 

Q73

Chair: The other thing is something that we touched on earlier, when Sir Geoffrey raised this issue about the licences with Microsoft, and Mr Howes gave quite a good, detailed answer on that. Is it something that you are looking at as chair of the digital group across Government in terms of having negotiations with the big suppliers? Whitehall is a big customer of some of these big companies. The taxpayer is bankrolling them with quite a lot of money. Are you using that purchasing power to try to grind down on costs? 

Paul Wilmott: That accountability lies with Government commercial services. We are feeding into that. 

Paul Wilmott: No, I would not like to go out with a number at the moment. 

Q74

Chair: We always like a number; we always try. 

I just wanted to go to you again, Ms Finkelstein. We talked a lot about the costs and savings, and we have talked about savings within Mr Howes’s own budget, which is not insignificant. Schools and hospitals could be built with that, if you replicate that across Whitehall, and every pound saved, of course, is a pound spent on something that is a Government priority, whichever Government are in power. Have you done any work to map the cost savings to the user? If you have people spending hours filling out paper forms, and farmers struggling with IT because they do not have broadband, you have to look at all of that impact on them. Are you doing any exercise to see what you can save the wider economy? 

Tamara Finkelstein: As we put together business cases for particular changes, we will look at that and build those in. We have found it quite hard to measure, but, as I said, the framework that CDDO is putting in place for us to make those assessments is really helping us to do that. We were looking at our fishing licence application and asking, “How much does it cost us to do? What are the costs of somebody engaging with it?” We are starting to have some of the mechanisms by which we can assess that, so that will inform an important part of us building those business cases and assessing priorities. 

Q75

Q76

Chair: It is challenging to assess, because it is quite qualitative work that you are doing. 

Tamara Finkelstein: It is, but, as I say, we are getting some really good help as to how you go about identifying the ways to assess that. 

Tamara Finkelstein: I wish I had never raised fishing. 

Q78

Sir Geoffrey Clifton-Brown: I would like, please, to revisit three questions that I have already asked, because the answers that I was given seem to be contrary to what is very clearly stated in the Report. Let us go over them, please. Paragraph 2.20 at page 27, halfway through, very clearly says, “Defra has not established an overall group-wide standard for technology and architecture”. Do you agree with that? If it is true, when will you have a standard? 

Malcolm McKee: Defra has established many standards. It has not established all standards; there are some gaps, and there is work in place to fill those gaps through the technical architects and enterprise architects who work for me. A lot of standards are established—standards for data, standards for cloud hosting and standards for devices. There are many common platforms, some of which I mentioned earlier. 

The work we did as part of exiting the European Union was really helpful in establishing some of the new platforms, which are now the standard platforms that we use for new digital developments. That is what gives us some of the confidence, when we were talking about Northern Ireland earlier, that we can react really quickly, because we have standard business components that we can slot together with capability. 

Like all of these things, there is an element of painting the Forth Bridge, in that, as technology moves on, new standards are required, and so we are filling those gaps. We anticipate having those gaps filled within this year. 

Q79

Sir Geoffrey Clifton-Brown: If we have you back in a year’s time, we will be able to be fairly sure that they have been filled. 

Malcolm McKee: Yes. 

Q80

Sir Geoffrey Clifton-Brown: That is great. Can I take you over the page, to page 29 and paragraph 2.25? It goes back to what I was asking earlier about a business transformation of Defra. Just to be quite clear what we are talking about, I am going to quote from that paragraph. “Without 

sufficient clarity on a vision for what the transformed Defra will look like, it is difficult for Defra’s digital specialists to prepare. Decisions are having to

We have to bite this off chunk by chunk, so that is the first of six sprints in which we are looking at common capability across Defra. Together, that will illustrate the vision that takes us to a transformed Defra. 

Q81

Sir Geoffrey Clifton-Brown: That was a long answer to a relatively simple question. Will you give us an assurance that you will not be building new systems now that will have to be rebuilt and waste money when this new Defra business model is developed? 

Malcolm McKee: I can absolutely assure you that we do not invest in nugatory spend. That goes back to my previous answer, which is that the things we are investing in are the common components that we can arrange to support future development. 

Q82

Sir Geoffrey Clifton-Brown: Further down in that paragraph it says, “However, there is further work to do to align the different perspectives of policy, future business needs and digital, data and technology so there is a clear and consistent vision and ‘blueprint’ for Defra’s transformation and to create a digital and data-driven organisation”. Ms Finkelstein, I am going to let you answer this. 

Tamara Finkelstein: I probably ought to. 

Sir Geoffrey Clifton-Brown: We will watch this space with interest and see how the emerging plan works out. 

Q83

Chair: In danger of going down a tributary on fishing, we have Mr Smith in the room, who is a big figure in Tredegar fishing club. You could probably incentivise fishing clubs, with a small amount of money, to encourage their members to go digital. Have you thought about the cost benefit of doing that? A few hundred pounds for fishing groups to encourage their members to go digital might be the incentive that they need. Would that even be something that you would think about? 

Chris Howes: Our plan, this year, is to work with those who buy the licences to understand what the barriers to take-up are. Again, going back to the user experience, we need to work out why it is and what the concerns are. It may not be in the technology. It may be in, for example, how we do enforcement and those sorts of things that is causing those concerns. 

Q84

Chair: So you are looking at the business process for that. 

Chris Howes: Absolutely, but we are also putting the users at the heart of that. We have not pushed it hard. It is part of a gradual migration, but the plan this year is to encourage the uptake, working with, as you say, fishing groups to see the best way to do that. 

where we were having some of these same discussions. We are in danger of going down just the fishing lane here. 

Q85

Nick Smith: Swimming with the tide, how many licences are there? 

Chair: Do you have a number? Ballpark, if not the figure—is it hundreds of thousands, or millions? There are a lot of fishermen and fisherwomen. 

Chris Howes: It is not in the millions. I will come back. 

Q86

Chair: Finally, Ms Finkelstein, this is a huge and challenging project. You are not the only Department having to deal with this, but what keeps you awake at night in relation to digital? What is your biggest worry? 

Tamara Finkelstein: The two risks at the top of my corporate risk register are around cyber and around the business resilience of these systems. It is right at the top on that side. The other thing that is not quite keeping me awake at night is that we want to transform our organisation and are putting in place the road map that we have talked about, but we have not done it yet, as to how we are going to drive a really digital data-enabled organisation. That is very important to me, so there is a lot of work to do in this area.