Science and Technology Committee
Oral evidence: Digital Government, HC 1455
Tuesday 8 January 2019
Ordered by the House of Commons to be published on 8 January 2019.
Members present: Norman Lamb (Chair); Vicky Ford; Bill Grant; Darren Jones; Stephen Metcalfe; Carol Monaghan; Damien Moore; Graham Stringer; Martin Whitfield.
Questions 197 - 309
Witnesses
I: Simon Hansford, Co-founder and Chief Executive, UKCloud; Professor Chris Johnson, Member of the Executive Committee, UK Computing Research Committee; and Antony Walker, Deputy Chief Executive Officer, techUK.
II: Professor Helen Margetts, Programme Director for Public Policy, The Alan Turing Institute; Peter Wells, Head of Policy, Open Data Institute; and Daniel Korski, Co-founder and Chief Executive Officer, PUBLIC.
Written evidence from witnesses:
– UKCloud
– UK Computing Research Committee
– techUK
– PUBLIC
Witnesses: Simon Hansford, Professor Johnson and Antony Walker.
Q197 Chair: Welcome, all of you. Thank you very much for coming in and apologies for the late start; we had quite a heavy agenda of stuff to get through in the private session. Can we start with very quick introductions?
Antony Walker: Good morning, everybody. I am Antony Walker. I am the deputy CEO of techUK, a trade association representing over 900 companies that are based in and operate in the UK.
Professor Johnson: I am Chris Johnson, a professor and head of computing at Glasgow University. I represent the UK Computing Research Committee, which is the body that combines the research interests of all the professional bodies in computing science in the UK.
Simon Hansford: I am Simon Hansford. I am the chief executive of UKCloud, a British company that provides secure cloud-based computing exclusively for the public sector.
Q198 Chair: Great. Thank you. As a guide, don’t feel that you all have to answer every question. We have quite a lot to get through and are under time pressure. Try to keep your answers succinct, if you can.
Why is SME procurement important to the Government?
Simon Hansford: As an SME, I find that it is tremendously important. It makes a significant difference to a small company. Having the validation of a large contract—
Chair: That speaks to its importance to the company. What about the Government?
Simon Hansford: I am sorry. I misunderstood your question.
Chair: Why is it important for the Government?
Simon Hansford: A vibrant SME community not only drives innovation throughout Government but significantly reduces costs. There are a lot of data, through CCS and others, that demonstrate that to be the case.
Q199 Chair: Are there any other contributions?
Antony Walker: There is a huge opportunity for the UK in what can be done through digital transformation of public services and service delivery. SMEs that are fleet of foot are often at the forefront of new ideas and new innovation, and they have an incredibly important contribution to make to achieving that objective. Having a diverse supply base that is able to bring new ideas and new innovations to all parts of the public sector is incredibly important. Our view is that the UK needs to be able to benefit from the full ecosystem of large, medium-sized and small firms.
Q200 Chair: How can the Government improve their procurement framework to make it easier for SMEs? That begs the question of whether they need to improve their procurement framework. On the basis that perhaps they should, how can they improve their framework in order to facilitate SMEs participating in procurement?
Simon Hansford: We have seen a tremendous amount of good in Government over the last five or six years, particularly since the formation of GDS, which has driven significant transformation across Government. G-Cloud, in particular, opened the market to many thousands of additional companies, but we are certainly finding that we are stepping back and that there has been a significant reduction in spend with SMEs over the last couple of years.
Q201 Chair: It is drifting back again.
Simon Hansford: It is drifting back into the old ways, where there were a small number of suppliers. Those were not the good days, I would suggest.
To answer your question directly, the significant difference that could be made in procurement would be to have procurement as part of our industrial strategy. You will remember that it was in the Green Paper but did not make the White Paper. It needs to be brought back into the fold. Similarly, we need to bring in social value as a component of procurement.
Q202 Chair: As a purpose in itself.
Simon Hansford: The purpose is that I truly believe that young, small companies drive innovation and jobs, creating wealth and taxes that are paid back into our economy.
Professor Johnson: I would like to make a few comments on the opening remarks. First, one of the major reasons subsuming all of this is that a lot of Government procurement is dominated by oligopolies in some markets and certain areas. To put some statistics behind the previous comments, in 2014-15, SMEs accounted for 27.1% of Government spend; in 2016-17, it was down to 22.5%. We are going in the wrong direction to make the 33% target for 2022.
It is really important to probe beyond these initial, high-level comments and look at the role that SMEs play within particular Government Departments. For instance, the MOD is between 13.1% and 18%—18% in the financial year 2016 and 13% now, in the financial year 2017. Obviously, the MOD is an area where you could characterise a lot of the supply chain in the UK as oligopolistic. Areas with a positive relationship with SMEs include DCMS and the Department for International Development. It is much more nuanced. For instance, the MOD accounts for 45% of all Government expenditure, so that 13% is really significant, perhaps beyond some of the other Government Departments. If we are trying to meet the 33% target, there has to be a strategy that looks across Government Departments, rather than a gloss across all industry.
Q203 Chair: Do you think that the Government need to do more in their procurement policy to break up very large IT contracts?
Professor Johnson: I promised that I would be optimistic in front of the Committee, but when I read some of the previous evidence, I really wanted to despair. There are some fantastic examples where the research community, with large companies and SMEs, can form ecostructures. I hate that word, but you can see it, especially in the United States, in areas that do not relate to public procurement. That is a model that could be used in public procurement, especially in an area like the MOD. To my mind, innovation is really important for the future of MOD procurement.
Q204 Chair: Are you saying that we are more likely to get the innovation from the smaller players?
Professor Johnson: By creating a joint culture. Often the small players do not have the ability to meet the contractual obligations that are required to supply the MOD, so often they have to partner with larger companies. In the UK, there is not a strong history of integrating the research environments, for example, as part of that.
We have been working with some of the major US banks. They set up the idea of a campus where the SMEs challenge the ideas of the banks. They say, “After 10 years, our employees are bank employees. We don’t want them to be bank employees; we want them to be innovators.” That kind of symbiosis can be established. Obviously, there are huge economic disincentives to breaking up contracts, both from the procurement side and for the people who have to meet safety and security obligations, for example, which SMEs, particularly in the digital economy, are not well set up to meet.
Q205 Chair: Do you want to add something, Antony?
Antony Walker: I agree that it is not an either/or, in terms of large or small.
Q206 Chair: We should not be favouring smaller over larger companies.
Antony Walker: You want a rich mix. You want to recognise and understand the benefits that come from large and small working together collaboratively, taking on different roles in a supply chain and dealing with different risks in that supply chain. There is no doubt that large companies absolutely see and recognise the innovative capacity and potential that small firms bring to the ecosystem.
I do not think that it is always a binary, and that smaller, disaggregated contracts are better than larger contracts. We have to look case by case. The key thing for me in all of this is to go back to the GDS mantra, which is “User need first.” That has to be the driving purpose of all of this procurement. We must then recognise that SMEs will play a vital role in meeting and delivering that user need. We all have to strive to get to the 33% target. It is a good target and it is entirely appropriate that the UK should be driving towards that.
Q207 Chair: Do the Government have the capacity to manage an increased number of small contracts with SME players, rather than large contracts? Is that an issue?
Professor Johnson: I have done a series of small contracts for different Government Departments in consultancy areas, supporting policy. One of the biggest issues is that, inside the civil service, people are often rotated or leave post very quickly. You work hard, and often the people you meet are fantastically engaged and talented in their area. They gain a certain amount of competency and leverage, and then they move to another area.
Q208 Chair: Should that culture be challenged where procurements are involved and a contract has to be managed over a period of time?
Professor Johnson: I think so, otherwise SMEs will have the overhead each time of building up the relationships and understanding the requirements. That is less of an issue for larger companies, which can allocate a member of staff to that relationship-building exercise full time. It is certainly not the case in private industry, where it is far easier to maintain and sustain contacts than it is to understand the changes that go on inside Government Departments.
Antony Walker: There is no doubt that there is a long-term challenge to build the skills, capacity and culture within Government, and across Government, that can handle complex digital technology procurements, which are going to become ever more important in how services are delivered and how Government works. It is a long-term challenge. Real progress is being made. We are in very different place from where we were five or six years ago.
Q209 Chair: Capacity has improved.
Antony Walker: Capacity has improved. We have seen people with a lot of experience from the supply side coming into Government and working in key Government Departments. We are seeing capacity building, in training and development. We are now seeing the fast-stream process starting to engage with digital. We are seeing digital academies developing, and so on. All of that is very good, but we are not there yet, in terms of having the kind of capacity that we need now and will certainly need in the future.
Q210 Chair: Can we have a brief comment from Chris?
Professor Johnson: In theory, there is an SME champion in each Government Department. The visibility and role of those champions is highly variable. The Committee might like to talk to some of them, perhaps the champion from DCMS and the champion from the MOD. Their visibility is extremely variable.
Q211 Chair: Some are good and effective, but others are pretty invisible.
Professor Johnson: I will leave it to you to decide which you find fits.
Q212 Bill Grant: We are still on SMEs. You will be better aware than I am that the UK Government were an early player in adopting new technology. As a result, they have a number of legacy systems throughout the Government. How well are SMEs equipped to deal with the complexities of the Government’s legacy systems? How can they improve them? What is their role?
Professor Johnson: Again, I am an optimist. In the past, there was a legacy of closed systems. Procurement was extremely bespoke. Last year, I was asked by the Department for Transport to do a review of the cyber-security of UK aviation. I was very interested in a particular case where a company had taken over the contract to provide air traffic services. We are not really talking about SMEs there, but you see the disruption that arises when a new player has to operate a legacy system.
That way of breaking up an oligopoly introduces new problems. Having a new player come into an area to try to learn how to use the legacy systems without affecting the public or influencing safety is an extreme technical challenge, but it can be done. Some of the things that the Government Digital Service has done in focusing on open source and making the interfaces with the code visible to people are entirely appropriate and will support that, but it is not a free lunch. The more you do it, the more you have to consider things like intellectual property or cyber-security. When people talk about the holistic approach to SMEs in public service, those technical issues need to be considered, as well as the market force issues that we may want to promote.
Simon Hansford: There are numerous examples of a disaggregated supply chain, with SMEs and larger companies, taking on very large legacy contracts very successfully. It takes more effort from procurement. If anything, I feel that that is the area where we are slipping back into the old ways, because it is too hard for procurement. There are many procurement examples where, when working with an SME, procurement will not adapt to the requirements and capabilities of SMEs that sometimes have to sign up to contracts that are very onerous, such as an asbestos contract in the MOD while you are supplying cloud services. You need to sign up to the asbestos contract. It does not make sense. Potentially, you may have to give away IP when you have delivered a commodity service that is not custom to that contract.
Personally, I feel that we are at risk of having legacy IT firmly in the hands of an oligopoly of eight large companies. We are likely to transform our estate into, potentially, a duopoly of just two companies. Basically, we will set ourselves up for a problem for tomorrow. That may need to be transformed.
Antony Walker: Legacy in the public sector will always be a huge challenge. It is difficult to generalise across the broad range of contracts and services that are underpinned by those contracts. There are good examples of SMEs that can handle legacy issues and can engage and play a really important role in that supply chain, but Simon is absolutely right. The process of procurement has to be cognisant of the legacy challenges and the actual implications for the different companies that will potentially be part of that supply chain and must be flexible to that.
Q213 Bill Grant: I will continue on the same theme. The DWP and HMRC have enormous legacy systems. I note with some concern that we are not progressing in adopting this and that there has been a reduction in introducing SMEs into the system. Do you think that, as we progress, it will be possible for us to accept that we need more SMEs in the business, and that a spread of SMEs can manage or look after such enormous systems, or do we have to maintain a partnership between the new guys on the block and the traditional legacy operators? Can they work together, or can SMEs work alone?
Simon Hansford: There are numerous examples in both those organisations, where there has been a mixed economy. Some large contracts have been awarded to SMEs. Similarly, some large contracts are run by the more traditional suppliers but have a high degree of SME content. We are disaggregating the supply chain. Again, I suggest that that needs to be driven further, because it is proven to deliver value for the taxpayer and has driven innovation in services delivered to the citizen.
Antony Walker: In an ideal scenario, some of those SMEs, and their capability and capacity, will grow in scale over time, but there will always be a need for some large suppliers in the mix, particularly when delivering very large systems that are absolutely critical to the functioning of the country, where there are really big legacy challenges and, frankly, where there is a lot of political risk associated with the delivery of the service, and political changes may lead to major changes to what has to be supplied and delivered. The SMEs are not a panacea for how you drive new, innovative public services. The reality has to be that we must look at how we make full and best use of the full range of suppliers that are available to the UK.
Q214 Bill Grant: Is there a danger that engaging SMEs to build, or attach to legacy systems, newer and innovative systems will be a difficulty in the removal of the legacy systems?
Antony Walker: It is absolutely the case that we should be aware of future legacy problems. There is a lot of focus on how you ensure that, as suppliers move on or change, you think ahead about how the service can be handed over.
Simon Hansford: I do not think it is a supply issue. There are numerous examples where, quite frankly, we have put lipstick on a pig. We have transformed the front end of the service, but the back-end legacy system has been untouched because it is too hard and too complex, whether contractually or technically. We have redeveloped the front end and said, “There’s a new system.”
Q215 Chair: Would you say that there has been quite a significant failure properly to address the legacy systems?
Simon Hansford: A significant amount of our public spend is on legacy systems that will be a problem for many years to come.
Q216 Chair: Ultimately, that is wasting public money.
Simon Hansford: It is wasting public money. That is absolutely correct. But I do not think that it is a supply chain issue. It is not about the capability of the supplier; it is about the fact that the problem is too hard and too big to attack.
Antony Walker: There may be situations where addressing the legacy issues is just too difficult. What you should do is create a new system that can deal with the new but continue to run legacy in the background, and then run it down.
Q217 Chair: Provided that you do it within a reasonably tight timescale, presumably. You could just end up with double-running costs for a long time.
Antony Walker: Potentially, there are situations where those double-running costs may be the better outcome, because you may be so constrained in what you can do if you are trying to take account of the legacy that you do not get the benefit of the innovation coming through. That is something that has to be considered.
Q218 Bill Grant: Do you sense resistance to the entry of SMEs into the marketplace? Sadly, Chris noted that there has been a reduction. Does it emanate from Departments fearful of the risk of passing that responsibility to SMEs, or is there resistance from the legacy companies, which may be failing to maintain old legacy systems? Do they still want to keep out the new boy on the block?
Professor Johnson: As I said before, I think it is much more nuanced. You have to look at different areas, where the requirements for both the legacy and the new-build systems are different. For example, if you are dealing with MOD projects that are safety and security critical, the overheads implicit in the amount of verification and validation you need to do—the testing you need to do to make sure that your systems do not kill people or malfunction—are a disincentive or barrier to entry for SMEs. There are technical reasons why larger contracts will persist there.
The MOD has been relatively successful in creating other mechanisms for innovation. For example, in the United States, they have the DARPA challenge, which tries to envisage a 10-year programme of technological innovation for autonomous vehicles or military robotics. That has been part of the DARPA challenge. There are mechanisms like that that can be used as a surrogate where SMEs find it difficult to meet the other requirements, which are properly there. I always think that otherwise you are taking a punt, in effect, with your mother’s benefit money.
Antony Walker: We must not underestimate the fact that there will also be lots of greenfield opportunities for SMEs. There will be opportunities to bring into the public sector new forms of innovation where there is not a big legacy problem or a big legacy system. The GovTech Catalyst programme, for example, can be powerful in identifying some of those opportunities and finding new ways to bring in SMEs. This is not all about legacy. There are lots of other new opportunities today.
Q219 Stephen Metcalfe: Presumably, all systems eventually become legacy systems. Have any lessons been learned in the design of new systems, as they are implemented, to allow for them to become legacy systems and, therefore, to port what is being stored and run on them to new systems? Are we learning the lessons?
Professor Johnson: Yes. A standard part of procurement for the MOD is a decommissioning phase. That makes you think about those legacy issues. It is absolutely essential. As usual, it is being done across Government in a piecemeal way, but there are areas where the real cost has been learned, typically, through misadventure.
Simon Hansford: In my area, disappointingly, we are not learning. I see numerous examples where we are transforming into the next legacy, and the next lock-in, where systems have been written to a provider that has a unique feature set that, therefore, cannot be ported or hosted elsewhere.
Antony Walker: I would argue that this is one of the areas in which GDS should be a specialist. It should be able to advise across Government on how you foresee and prevent some of those challenges. It is exactly one of the things that should be a focus for GDS—understanding the future potential legacy issues and how you mitigate them.
Professor Johnson: In some of the more applied areas of H2020, the European Commission has taken the really good approach of looking at an innovation lifecycle approach. There is a series of projects at different levels of technology readiness, from basic research, to applied research and large-scale demonstrators, to practice. Right now, we are just beginning to see things like virtual towers—air traffic control towers that are in the north-west of Scotland, for example, but controlled from Edinburgh. That is a fantastic example of where you can take SMEs, largely, and help them to nurture ideas to a point where larger players are paying large amounts of money to get that technology, but it takes a strategic view of the relationship from research, through the SMEs, to deployment. I do not see that happening so much in the UK, where even the Government funding for application of technology is always dominated by the oligopolists, rather than the SMEs.
Simon Hansford: It is an area that needs a lot of education to Government to explain the issues. I saw a very good example recently, where a hosting contract was awarded to one of our competitors. I made a point and was told by procurement, “Don’t worry. In two years’ time, it will be up for recompete.” I made back the point, “But you have allowed the developer to lock into that hosting provider. You have done it uniquely. In two years’ time, whatever the hosting cost, it will be dwarfed by the re-platform cost. Actually, you have just locked yourselves in for many years to come.”
Q220 Stephen Metcalfe: Did that get a response? Did they recognise the problem?
Simon Hansford: No. They absolutely did not recognise the problem.
Stephen Metcalfe: Oh dear.
Q221 Vicky Ford: I am going to try to catch up some time. My questions are about skills. How good are the Government at finding and retaining people with the right level of technical skills to deal with issues like legacy technology? If they are not good enough, how could they improve?
Antony Walker: There are some good examples of high-profile people coming in. GDS did a good job of attracting talent. People saw that it was a body that had real influence and was driving disruptive change across the public sector and, therefore, an attractive place to come and work. Some of the track record has been good. That needs to continue.
There is also the challenge of home-grown talent, which is a longer-term process. There are some positive things happening. I have talked about the digital academy and the fact that we are seeing digital skills and understanding being recognised as a key component of what senior civil servants will need to do in the course of their careers, but there is a lot more to do. This should be an area of constant challenge. I would be very concerned if we saw the Government slipping back on that, because these are skills, knowledge and capabilities that the public sector absolutely needs to thrive in the 21st century.
Q222 Vicky Ford: They should keep their foot on the accelerator.
Professor Johnson: My experience of working with people, mainly in the DFT and BEIS, has been absolutely fantastic. They are really skilled and competent people, but they have too many things to do and they change from one thing to another and then to another, which means that often their skills do not develop in the way you would hope.
Again, I will give some figures, to provide an element of scale. Up to last year, the GDS Academy had seen 7,500 people through its courses. By any assessment, that is a really creditable performance in a very short space of time.
Q223 Chair: Those who are going through it are public servants.
Professor Johnson: Indeed.
When I was looking at the previous evidence to the Committee, I was struck by the pessimism, and the contrast with the United Nations index for e-government, which puts the UK fourth. The only countries above us are Denmark, Australia and the Republic of Korea. Estonia does not figure in the top 10, by the way. I do not know why that might be. It is really important that the Committee looks to key performance indicators and an evidence base behind the evidence. Coming here, I felt that it was important that you get evidence, not opinion.
I looked at the reasons why Denmark, Australia and the Republic of Korea were above the UK, because the UK was first in 2016. One of the things I noticed in the UN report was that Korea had hosted 4,000 representatives of overseas civil services to try to exchange ideas and to train them. I wonder how many UK civil servants have been to Korea to meet that skill issue. We often look at it as a particular UK problem and think that the skills will all be from within the UK. It would be interesting to expand that opportunity and try to draw on skills that other countries are developing in the area.
Simon Hansford: Digital skills are an issue for industry and Government. All of us suffer from lack of capability to employ the right people quickly enough. Every time I talk to someone, I say that, roughly, we have 50 to 60 open vacancies in my company alone. We are desperate to fill those. The problem for Government is exactly the same. You see the work that GDS are doing around fast track and digital skills—they are doing a tremendous job—but they are challenged in the same way as we are in finding the right people and being paid enough. In Government, digital as a profession needs to be enhanced and promoted more so that you are able to pay the right salaries and attract the right people, but it is wider than just digital Government. At roots level in education we need to invest more and make—
Q224 Chair: Is it a global problem?
Simon Hansford: Absolutely.
Q225 Chair: Are there some countries that are doing it better than us?
Simon Hansford: I am not aware of any.
Q226 Vicky Ford: I understand the digital skills shortage and the great demand in all sectors. Is there a particular issue about procurement contracts and frameworks that makes it more difficult for Government to get that talent than in, say, the private sector? You are nodding. Can you explain?
Professor Johnson: It is difficult in the sense that, often in procurement, people who have a legal or financial background struggle to understand the technical concepts. In companies you usually find there is somebody in procurement who is the technical expert, whereas in Government, to get an understanding of what you are negotiating about—for example, cyber-security—is quite hard. Often, you go back to the procurements team with a problem over a clause and they say, “We need to talk to the specialist,” and the specialist will be in 33 meetings in Brussels, or wherever. Even within my own university, setting up a contract with an area of Government has taken us four months right now, on a project that will last two years.
Q227 Vicky Ford: You would recommend that more people with technical expertise are embedded in the procurement process.
Professor Johnson: Often the contract delays occur in the interface between law, finance and the technology, and that balance is not quite right at the moment to enable SMEs to do it. For bigger companies, it is not a problem; they can carry staff forward over the time period, but if you are waiting for the next contract to employ somebody on, you cannot wait three months.
Q228 Vicky Ford: Does that mean that Government need to invest more in people with technical expertise as well as procurement expertise?
Professor Johnson: From my reading of what you have been doing, I think it is important to establish an evidence base to identify some performance indicators, in the length of contract negotiations with SMEs compared with larger companies, for instance, and to gain some evidence about the kinds of things that cause the nature of the delays in contracts in procurement.
Q229 Vicky Ford: Those would be helpful recommendations—ways in which Government could look at it.
Professor Johnson: Rather than give you my impassioned view, I would want some evidence.
Q230 Vicky Ford: But your feeling is that it takes too long for SMEs, that SMEs cannot carry the length of negotiation in the same way as a larger company might be able to.
Professor Johnson: This is my personal experience, not something that I know in general.
Q231 Vicky Ford: We should ask the Government to build the evidence so that they can work to improve that.
Professor Johnson: Yes.
Q232 Chair: Do you think it is possible to establish what the actual evidence is of how long these contracts take to negotiate?
Professor Johnson: I would have thought so. There is a point at which you become the preferred supplier, and then the time between that point and the date when the contract is enacted is obvious. It should also be documented within the procurement process.
Chair: That is interesting.
Q233 Vicky Ford: Are there any other recommendations you would like to make on how Government could improve digital skills?
Professor Johnson: There is a fantastic opportunity in that the new chief scientific adviser to DCMS, Tom Rodden, is coming from the EPSRC. I would urge the Committee to talk to him at an early date because he has an understanding of the research in higher education context and he will play a pivotal role in advising that branch of Government, which will obviously have a big role in digital skills.
Antony Walker: There are two things I would mention. One is the particular skill, expertise or experience in being able to work across different parts of Government—people who understand how Government works across all the various silos. The ability to have cross‑Government experience and capability has real benefit to the overall procurement process.
The other thing is the exchange between the private sector and the public sector. There is more that can be done to build understanding and awareness of how those two environments work, and what it is like on the supply side—and on the demand side. One of the things techUK is working on with a number of bodies within Government is how we can pilot a scheme that will support that. It is something I will be able to inform the Committee about in due course, and I think we can really help to improve that interplay.
Q234 Darren Jones: We talked about how SME spending is going down, how procurement is too long, and the lack of skills. I am still not clear on what else there is in the procurement framework that you think we need to change. What are the specific recommendations we need to make to CCS? Is it for SME liability clauses or indemnity clauses? Is it requirements and so forth? Tell us what the key blockages are.
Professor Johnson: A fantastic example there is liability. I was asked to take part in a contract recently with MOD that had unlimited liability. What SME can take that on? That is a fantastic example, but it is only one of them.
Q235 Darren Jones: Are there others?
Simon Hansford: I repeat that the single biggest thing that could help an SME is to put social value into procurement so that it levels the playing field for people who are creating jobs and wealth and paying taxes in the UK, and are competing with oligopolies or large suppliers that are paying—
Q236 Vicky Ford: What do you mean by social value? Do you mean “buy America” clauses?
Simon Hansford: On a score card that one could have in procurement, clearly today No. 1 is cost. A percentage of the score card is based on whether the jobs and wealth that you are creating and the tax that you are paying are in the UK.
Q237 Vicky Ford: A lot of thought has gone into the environmental and social benefits, and that should be part of the contract.
Simon Hansford: It should be, and that is exactly what I think you should be recommending.
Q238 Vicky Ford: It is helpful to have that as broader than just what could be seen as protectionism.
Simon Hansford: Yes. I am not looking for protectionism. It is levelling the playing field so that our local British‑led suppliers are not actually being disadvantaged.
Vicky Ford: Understood.
Q239 Bill Grant: Relative to procurement and SMEs, when a Department puts out or requires some work to be done or undertaken, it produces a specification that goes into the marketplace to be perused by the potential suppliers. Do you sense that these specifications are written with clarity and are easily understood by SMEs, or are there instances where they may be written in a manner that boxes them out and maybe favours a larger existing company?
Professor Johnson: I have one short comment. I think they go to about 23 marketplaces.
Q240 Bill Grant: Depending on the monetary value, they go to Europe and through Digital Marketplace.
Professor Johnson: There is Digital Marketplace, Public Contracts Scotland, Sell2Wales, eSourcing NI and eTendersNI. Then there is the MOD procurement system and so on. It is a real tar. The quality of each of those portals varies immensely. If you have half an hour today at some point, just flick through all the ways in which you would be required to interact electronically with Government to even obtain the tender.
Q241 Chair: Standardising far more would be—
Simon Hansford: In many cases there is no tender. Increasingly in these marketplaces, the supplier has no knowledge that something is being requested, so the onus is on the civil servant to have gone to the market and explored it, but the supply chain does not necessarily know that they are doing that.
Q242 Bill Grant: Is there one thing that Government could do to improve that—to reverse the trend Chris mentioned, whereby SMEs peaked at 27% and it is a downward trajectory? What can Government do to allow better access to clearer specifications, to UK companies particularly, but maybe not exclusively—we do not want to be too parochial—to allow them to develop and grow? How can we give the business to UK SMEs?
Simon Hansford: Publishing contracts and making the data available so that the supply chain is aware that the contracts are up for renewal or for tendering is very important. It is about having SME champions with a voice and a presence, who promote the SMEs to the organisations.
Chair: Thank you very much.
Q243 Vicky Ford: I have a final question on skills. How good is our training on cyber-skills? If it is not good enough, what should good cyber-training look like?
Professor Johnson: Speaking as a provider of cyber-skills, it is excellent.
Q244 Chair: Come on—you are going back into opinion.
Professor Johnson: You are quite right. I think that the NCSC—the National Cyber Security Centre, which is part of GCHQ—has done a fantastic job in a relatively short period of time, but the challenge and threat is developing faster than we can train people. That has an impact on Government and on the supply chain.
When I was doing the work for the Department for Transport, one of the questions we would ask, say, UK airports was how many of their suppliers had Cyber Essentials, which is a very basic form of qualification in cyber-awareness. They would say that if they put that in their contracts, in their procurement, nobody would respond. In parts of UK infrastructure, there is a desire and a willingness to improve and to recruit people, but we are still, despite major investments, behind the level of demand.
Another example would be that there is significant market churn, almost akin to the civil service, for chief information security officers. The average period in office of a CISO in certain areas of UK industry is six months. We did a survey for one of the Government Departments where we looked at how long they had been in post and then went back a year later. Most of the people we had spoken to had changed role in that period. That is indicative of a shortage of skills and of extreme competition for those skills.
Q245 Chair: They are poached elsewhere.
Professor Johnson: Yes. It was described to me by a member of the civil service as, “We have a company that does online betting next to us. Where do you think they want to be employed if you look at the salary differentials?” That is the situation we are in.
Q246 Martin Whitfield: I would like to pursue that. I was going to ask for your opinion on cyber-security, particularly the Cabinet Office’s minimum cyber-security standard. In written evidence there have been various levels of criticism of that, so this is really an opportunity, again hunting for facts, to delve into what is wrong in the specifics. To what extent does that MCSS provide a clear and useful guidance, or is it worthless?
Simon Hansford: If we had sat here 18 months or two years ago, we would have said that it is very unclear in Government who is in charge of cyber, and in every Department you see someone saying, “We run it.” Today that is very clear, in NCSC, and a tremendous amount of goodness and direction is coming from there. Nevertheless, as you said, and Chris said, the standards are very low. At least there is a minimum bar, and that is a very positive thing, but the bar is tremendously low. Whether it is cyber-security or cyber-security plus, it is a very easy thing to qualify against, yet the majority of people do not.
Q247 Martin Whitfield: I suppose the next question for you, Chris, is: how can it be improved, given that the marketplace cannot reach that pitifully low level?
Professor Johnson: I am an optimist. The NCSC has proposed and is working towards the creation of a cyber-academy that will try to create a cohesive structure for both professional and academic accreditation, but obviously the key problem is that we are always working against time. The demand is outstripping the supply.
There are also organisational and institutional problems. I was present at a meeting between some of the UK’s professional engineering societies and NCSC, and NCSC put it to them that they could not fund or be seen to authorise a scheme unless all the engineering councils agreed to the same thing, and that probably would not happen. There are organisational issues and demarcations—I will not talk about specific organisations—and the role of NCSC is to try to be above those kinds of discussions, which I think could be addressed by Government giving somebody the onus to fast-track a common accreditation scheme for qualifications.
Q248 Martin Whitfield: Is it the need for someone within Government just to be more imaginative about this? Then the difficult question is, at what level of Government does that imagination need to sit?
Professor Johnson: That is a question best asked on your side of the table. I am an academic.
Q249 Martin Whitfield: It may be answered on this side of the table, but where would you look to ask the question?
Professor Johnson: I would get Tom Rodden, the chief scientific adviser about to come into DCMS, and ask him that question, because he has more experience of Government structures as to where that should be. It is an incredibly important question because—again, I will not mention names—I spoke to a friend at NCSC and said, “This is a fantastic thing. I am really enthusiastic about this initiative,” and he asked, “Do you think either of us will be alive by the time it is successful?” That is indicative of exactly the point you are making.
Q250 Martin Whitfield: Yes, absolutely. Are you convinced that there is now enough clarity across Government about who has control over what from the point of view of cyber-security?
Antony Walker: When we talk to our members, and we have a very broad range of cyber-security specialists and companies in our membership, there is a sense that there is still lack of clarity. In particular, there is some uncertainty about the relative roles of NCSC, DCMS and GDS in these areas. There is a growing view that, for clarity, there should be very clear senior ministerial responsibility at the top, and a growing sense that a Minister for cyber-security would be helpful in that regard.
On cyber in general, we should not underplay the UK’s capabilities. The UK has some incredible capabilities in cyber. The challenge is making sure that you are reaching all the parts of Government and all the services that need to be protected. It is not just that you have the right baseline standards, but that you are starting to change the culture—the way those organisations think about, respond to and engage on cyber-issues on a daily basis. The minimum standard is a route to that, because it is focused on outcomes‑based solutions rather than mandated requirements, but we cannot be complacent about the speed and pace at which we need to go in order to make it a reality. We are a little bit more glass half full, but it is only half full.
Professor Johnson: To add some colour to what Antony has just said, we asked a bunch of UK companies who they would report a cyber-incident to—it was for DFT—and we had everything from MI5 through to the Met police; some people mentioned NCSC, and that was a significant but still small minority knowing the correct procedures. Part of the confusion that exists in industry is in where what are called the lead Government Departments sit compared with NCSC. That relationship is not even clear within Government right now.
The best example is the NIS directive implementation as proposed within the DCMS, where the lead Government Departments are responsible for appointing the competent authorities that oversee the implementation of the cyber-security requirements in their industries. For example, BEIS has a different approach from DFT, so the Civil Aviation Authority has totally different implementation mechanisms for NIS compared with the Health and Safety Executive and energy distribution.
On Friday, I have a meeting with the Government Departments involved in this area, funded by GCHQ, to start measuring the differences across the supply chain. For example, does a company that supplies to the energy distribution market and to UK aviation adopt different standards of cyber-security in those different markets because of differences in the way that lead Government Departments have implemented the directive? There is a need for somebody—maybe a cyber-security Minister—to see that this devolved approach to cyber—
Q251 Chair: To get consistency.
Professor Johnson: That is 100% right. That is exactly the word I should have used and cut 30 words; I am sorry.
Chair: It is a pleasure to be of help.
Q252 Martin Whitfield: Obviously, with that consistency there would come savings and greater security.
Professor Johnson: I would hope so, yes.
Q253 Martin Whitfield: And the transparency needed at that level for everyone to join in.
Professor Johnson: Especially for suppliers. The same company supplying to the aviation industry has to apply a different set of regulations and requirements, and that is a big disincentive for SMEs.
Q254 Martin Whitfield: And that is a side cost. There is no cyber-security reason for it.
Professor Johnson: No, none at all.
Q255 Martin Whitfield: It is merely a contractual decision by one Department isolated from another.
Professor Johnson: I think what has happened is that NCSC does not have enough staff or technical competency in all the areas that are covered by the NIS directive, which is all of UK infrastructure, to take that on. The lead Government Departments have that competency, but they have had to grow their cyber-teams exponentially to meet the requirement.
Coming back to the question that Vicky asked about skills, they are struggling to—
Q256 Martin Whitfield: To recruit and retain.
Professor Johnson: They then pass responsibility on to the HSE or the CAA, which are the competent authorities, and now they have a huge problem, which is trying to get staff who understand the energy industry and cyber. In four to five years’ time, the UK will be in a fantastic place, but over the next four or five years we will have inconsistent approaches to our critical infrastructures across the digital economy in terms of cyber-security.
Q257 Martin Whitfield: Will we still be in that good place in five to seven years’ time if there are no changes in the process?
Professor Johnson: We could make it better. I like the idea of a Minister for cyber-security. A question was asked about what level of Government it should be. That is the key question, and I am not competent to answer it, but it is clear right now—
Q258 Martin Whitfield: We need someone everyone can look towards to stand up to take responsibility, and similarly, at one level, to advocate, and we need to ensure that we are getting that across the board.
Professor Johnson: Yes. It is effectively often a political decision because you are dealing with relationships between Government Departments. It is the cyber-security aspect of aviation or the cyber-security aspect of energy distribution. I am sorry to prolong the Committee, but it is an incredibly important topic.
Q259 Martin Whitfield: It is very useful, because it needs to be high enough so that Departments, including the Treasury, listen to the requirements and the demands.
Professor Johnson: That is Baroness Lane‑Fox’s criticism of DCMS, which I think is appropriate.
Q260 Martin Whitfield: My final question, because I know time is slightly against us, is: how confident are you about the future, and the security and comprehensive cyber-security strategy that we have? How much confidence do you have in it or what changes would you like to see that you have not had a chance to mention yet? Optimistically.
Professor Johnson: I am very confident. We have some fantastic people in place, and the NCSC is a committed, competent authority, but with huge demands. Some of the things you have been talking about in the Committee are excellent ideas and would address some of my concerns.
One element of the national cyber-security strategy appears in an appendix and should be promoted far higher. There is a section that calls for the creation of metrics to provide evidence for some of the assertions that are made about cyber-security in the UK. My own passion is to try to provide those metrics. That is something that the UK research community should be doing for Government. On the Chair’s point about consistency, the only way we can assess that is through trying to identify those sorts of issues—those metrics.
Antony Walker: I hate to mention the “B” word, but Brexit is unavoidable context for all of this. We have seen in some of the data coming through that the reality is that there has been a tremendous opportunity cost in terms of progress that has not been made, or maintained at the same rate, when we look at Government and public service transformation in general, and in our ability to address big, fast‑evolving issues such as cyber and cyber-security at a time when the Government are so distracted and Government resources are focused on dealing with the consequences of Brexit. Those are real concerns voiced on a daily basis in the businesses we work with. To your point on confidence, that is an underlying factor that has a big impact on confidence and our ability to address all those really big, significant issues that are absolutely live.
Q261 Martin Whitfield: Am I right to think that in the current environment the opportunity is there, and it would be criminal to miss this chance? Would that be fair?
Antony Walker: Absolutely, yes.
Professor Johnson: Yes.
Q262 Chair: I have a quick, final question for Chris. Redscan did a report in December about cyber-security in the NHS and basically seemed to be saying, some time on from the WannaCry issues, that there are still very significant cyber-security issues across the NHS. Is that your view? Do you think it is something we should be focusing on, given the potential damage that can be caused through another attack?
Professor Johnson: I said I am an optimist. It is a much wider issue. If I could briefly explain to the Committee, to try to convey the technical issues, in order to prove that a system is safe for a patient you have to test and test. In many systems, it could take eight weeks and above to do the testing. My intrusion detection system on a laptop updates itself every 24 hours to the latest threat. By definition, if I allow that kind of update to go into a scanning tool, it might introduce bugs that then cause harm to the patient.
Many of the systems that were affected by WannaCry were affected because they were running software that had passed validation and verification tests and they were obsolete for that reason—not all of them. There are many systems for which you can blame organisational failure, contractual issues and so on, but there are also technical barriers. Cyber-security in the NHS is a complex issue.
Another very quick example is where a company—say an SME—is providing an interface to a medical database, and the database changes and introduces a security protection mechanism, so the NHS has to ask the SME to update its system to the new database. The SME will go back to the NHS and say, “Sure, but you need to pay me £100,000,” and the NHS will say, “Do we spend that £100,000 on the security update, or on looking after patients?” There are technical issues. It is very easy to sit back and say that the NHS has a shocking record on cyber-security and is incredibly vulnerable.
Q263 Chair: I recognise those technical issues, but does that mean that there is still considerable risk in the NHS through potential cyber-attack?
Professor Johnson: Certainly.
Simon Hansford: You would be misguided to think it is purely the NHS. It is true throughout the whole of the public sector, and to highlight them as a specific case study is—
Q264 Chair: It needs to be given higher priority, with possibly the idea of a cyber-security Minister as one option to lead a new charge.
Professor Johnson: I am a specialist in cyber-security, and my own university, or my own department right now, is suffering a cyber-attack, so I have acute personal pain from this issue. I definitely cannot pretend to be the apogee of the subject.
Chair: Okay. Thank you all very much indeed. We really appreciate your time. Thank you.
Examination of witnesses
Witnesses: Professor Margetts, Peter Wells and Daniel Korski.
Q265 Chair: Welcome all of you. Thank you for your patience. Can we have very quick introductions?
Daniel Korski: Good morning. I am Daniel Korski, the CEO and co‑founder of PUBLIC. We are a venture firm that invests in tech start‑ups that want to transform public services.
Professor Margetts: I am Helen Margetts. I am a professor of society and the internet at the University of Oxford. Until recently I was the director of the Oxford Internet Institute. My core, and oldest, research specialism is digital Government. It is something I wrote my PhD about in the 1990s when it was quite a sad and lonely thing to do. Now I am at the Alan Turing Institute directing a programme on data science and AI for public policy, hoping to help policymakers make the best of the latest generation of technologies.
Peter Wells: I am Peter Wells, head of public policy at the Open Data Institute. We are a not for profit based in the UK working globally to help people—communities, organisations and Governments—use data to make better decisions while protecting them from harmful impacts.
Q266 Chair: Thank you. I make a plea again for succinct answers. Don’t feel obliged to answer every question if you feel it has already been answered.
Could I start by asking whether you are satisfied with the progress that the Government have made with regard to innovation of their technology and IT?
Professor Margetts: It is certainly true, as you have heard at other sessions and this one, that a lot of progress was made, particularly from 2010 and the advent of the Government Digital Service, but one issue now is that, just as the latest generation of data‑intensive technologies have come along, the kind of barriers that your Committee has heard about have become almost more important, because they are blocking the possibility for innovation, different ways of doing things and making Government more citizen‑focused, particularly in terms of digital infrastructure, which is, after all, how you yield data with which you might do exciting things.
There is the digital infrastructure, the legacy systems that underpin that digital infrastructure, and the question of the data landscape, which is pretty confusing and siloed in the same way that Government are siloed. Then there is the question of steering that. The governance of data and digital technology from the centre seems to have taken a step backwards in terms of coherence.
Q267 Chair: Do you feel there is a sense of drift—that it has lost some of its focus and momentum?
Professor Margetts: Yes. On the one hand, there is more interest and excitement about the possibilities of digital Government, and the possibilities of what technology might do for policy and public good. You are having this hearing. I would not have been invited to something like this in the 1990s. There would not have been something like this in the 1990s. There is a lot of interest.
Q268 Chair: Your time has finally come.
Professor Margetts: Exactly. Finally, people are interested. There is a lot of interest in data science and artificial intelligence.
Q269 Chair: You seem to be suggesting that that interest is not matched necessarily by progress within Government.
Professor Margetts: In a way, they are their own worst enemy. Because there is so much interest, there are a lot of different bits of Government that are keen to own or control part of it, so the landscape has become more complex. You have DCMS, the Office for AI and the Centre for Data Ethics and Innovation. All these are good things. It is good to have these things. You still have GDS and you have various other bodies and a lot more interest in the Departments. The digital Government landscape—
Q270 Chair: Do you sense that it needs more central drive?
Professor Margetts: Yes. I think you need a stronger centre.
Daniel Korski: To my mind, there is no doubt, as the Committee has heard, that the UK has been at the forefront of digital transformation for years and we have been the envy of lots of other countries. While there are small countries such as Denmark and Estonia that have moved faster, are more agile and have to deal with smaller problems and smaller populations, the fact is that, compared with France and Germany and other mid‑sized countries, we stole a march on everybody.
What is interesting now, picking up on Professor Margetts’s position, is that it is not just in central Government that digital transformation is taking place. We now have devolved mayors who are running with this effort, which is exciting. At the same time, it is true that the accelerator is not being pushed down quite as hard as it used to be. Partly, it is a function of some of the great transformation that is taking place. Technology is speeding up. What was at the forefront five years ago is no longer at the forefront, and what looked like a forward‑looking set of policies five years ago now looks a bit more dated, so you have to run faster in Government in order to catch up with some of the transformation that is happening.
The previous session discussed Brexit. There is no doubt that there is a little bit of a focus away from a whole range of issues, including the issues of digital Government. So, yes, on the one hand there is a proliferation of initiatives and real excitement, including outside central Government, with devolved Government and the devolved mayors, but at the same time there is less focus compared with what it was like a few years ago.
Q271 Chair: What do we need to do to improve the rate at which these technologies are adopted and to improve the opportunities exploited from them?
Daniel Korski: To my mind, Government have to be much more willing to try out, pilot and experiment with new technologies. It is still far too difficult for an innovative company that has come up with a fantastic new way of delivering a service to have that kind of conversation with Government, to get through the procurement system, and to overcome some of the real challenges, whether they are to do with liability, IP, or financial reliability. Unless we can overcome some of those things, it will be very hard to showcase what new technology can do. Right now, even though the skill base has increased dramatically, the reality is also that a lot of people who are responsible for setting the policy and buying the service do not quite understand what technology can do.
Q272 Chair: Thank you. Peter.
Peter Wells: Public sector workers and civil servants need space to try new technology. Some of the best examples are places such as the Office for National Statistics, the National Archives and MHCLG, where people are being given the space to try things to build some wonderful new services.
It is not just the space and the time that is needed; it is also infrastructure. In Leeds, for example, one of our franchises, or nodes, built an app to help people find the date their bins are collected—very simple, very pragmatic and useful for citizens who want to know what time their bins are collected, especially around Christmas and new year. Scaling that across multiple local authorities needs the same standards for data; it needs open standards and it needs data to be available and accessible to a common format, so there is infrastructural work that needs to happen to create the space and the ability for innovation to happen to scale, both nationally and internationally.
Q273 Chair: What specific recommendations would you make in terms of the adoption of specific technologies for Government?
Daniel Korski: For what it is worth, it is very important not to be too technology led. The GDS mantra of putting the user first is incredibly important and we should look at a range of technologies that can deliver, to roll out the kind of service that the Government want, at the right price point with the right security.
I find myself sceptical about the idea that we should be championing blockchain per se. We should be championing a solution that delivers what we want, and it may be that we need to experiment with some blockchain solutions to see whether it does or not, but you have to be a bit careful in how you approach it.
Professor Margetts: It is not a matter of all civil servants being able to code; it is a matter of building understanding of what is possible and what the barriers are. There was a very explicit decision from the 1990s until about 2010 to outsource all tech knowledge and understanding, so it is hardly surprising that we are where we are, but it is very difficult to get the benefits of working with an SME if you do not have some kind of understanding of what might be possible and what the barriers are in the current situation. There are cultural barriers that have come from generations of systems integrators being embedded in Government in really huge contracts. We need to tackle that. GDS started to tackle it, but we need explicitly to take it on.
One way of doing that is Government recognising what they have. It is enormously difficult, as some of your other witnesses have discussed, for Government to recruit the greatest talent in data science. One problem is that as soon as you call somebody a data scientist, their salary multiplies by about five and they get headhunted every day, but the Government have the statistical service, and data science is really statistics.
There are banks of Government analysts who are well qualified to understand what the possibilities and the barriers are, so Government need to make the most of what they have and not give all their data away. The Government have huge banks of data, which they have an appalling record on using for making administrative operations better and for generating policy, innovation and ideas. It is a question, in part, of making the most of what they have. The third thing would be the question of leadership from the centre, and fostering a digital data tech profession in Government that can help with these things.
As the academic on the panel, I guess I am allowed to make this point, which we might say more about later: Government have a problem with working with the research community. If you take, for example, the GovTech Catalyst, which I know some people have been talking about, you have to be a private company to bid to do work there, whereas the research community have some good ideas and some expertise about what to do. It is not just with reference to the GovTech Catalyst fund.
I will give you an example. DCMS opened up a tender at the end of November for a project, a cross‑Government adoption of AI. Obviously at the public policy programme at the Alan Turing Institute for data science and AI, we were quite excited about that, and thought we would tender for it. When we looked through the specification, it insisted that you held seven workshops in January and February 2019 and then reported on the results of those workshops in March. That is not a way to produce rigorous, research‑based evidence on how to move forward. There needs to be some recognition of that. It is something we might hope for, as some people have mentioned, with the new chief scientific adviser of DCMS, but it is definitely something right across Government that I think could be addressed.
Q274 Darren Jones: First, on the data question, we have talked about standards between local and national Government and in local government. We have talked about silos, with DFT doing one thing and DFE doing another. We have talked about legacy systems. Is there anything you would like to add to the conversations today around the use of Government data? Are there other specific recommendations that will make it easier for these technologies to deliver the outcomes?
Daniel Korski: There are some things I do not think we have spoken about. In a number of cases, largely as a result of legacy contracts, a lot of data is held by large private companies, and it is very hard for the public authorities to get access to that data. Sometimes they have to pay beyond the existing contractual arrangement to get access to data. We have a strange situation where access to data about citizens that you would think that a public authority on behalf of a citizen could get access to is, in many cases, not quite possible, or at least it is not possible—
Q275 Darren Jones: Is that because that company owns the data?
Daniel Korski: It is because of various contractual arrangements that differ across the country. They were instituted a long time ago when people did not perhaps think about the value of data, so that is an area worth looking at.
We have touched a little on the fact that there is a statistical cadre within Government that can be, as it were, transformed into data scientists, and it is great that the Government are starting a review, I think in GDS and ONS, to look at data science capability, but we have certainly found, when we have supported companies that have gone in to deliver contracts, that they have struggled to have a dialogue with the supposed data science experts in Government. There is a need, we think, to upgrade data science capability across Government.
Q276 Darren Jones: That is data skills and legacy contracts. Is there anything else specifically on data?
Professor Margetts: Yes. I am sure you have heard enough about Estonia by now, given the name of the inquiry, but one thing that is very good about Estonia is their system of data registries and secure data interchange between registries, and the transparency in how Government data is used. That is good. It was something that GDS was trying to push forward until reasonably recently.
If you talked to Estonia’s previous CIO and people who drove that initiative, they would say that one of the key problems the UK has is the lack of unique digital identifiers. Estonian citizens are born with one number; that number stays with them until they die, and it is used right across all systems. We do not have one; we have six, or maybe it is seven now. I don’t know because we keep having new ones. Less is more in the case of digital identifiers, and reviving the idea of data registries and a digital identifier is something to think about.
Q277 Chair: Thank you. Peter.
Peter Wells: I would express caution about a unique identifier for citizens. As a person online, I could have many identities, and that is quite nice as long as appropriate authorities, such as the police or somebody else, can work out who I really am. Being able to show different aspects of my personality is quite useful and relevant in public services. The DWP does not necessarily need to know about my interactions around my council tax, for example.
The registers bit is very important. There is work going on at both GDS and the Parliamentary Digital Service around registers—I am quite taken by the handwritten asset registers on all the chairs around the rooms as well. Both those bits of work have slowed down recently. I think that is a prioritisation thing, but they are vital bits of infrastructure, and openly available lists of local authorities, lists of schools and lists of addresses can be used by public services and the private sector to build services.
A lot of the stuff I have heard today has been about how digital Government can build public services. We are missing the bit about Government’s other role, which is to regulate the market. How do we set the tone on data? How do we give citizens more control over data about them, and show businesses how that can be done? How do we use Government’s data to create new markets? How do Government use data as a policy tool? We could look at the gender pay gap data. The Government have said, “Let’s get businesses to publish data about the gender pay gap to help people make decisions when looking for a job or campaigning for a pay rise.”
Using data is a great intervention, and the Government can do more with those things. The UK is pretty good around the world, but we are in danger of being overtaken by France and other bits of the EU and by Australia. Using more data as a policy tool over the next decade or two will be quite important.
Q278 Chair: Helen, you seemed to want to make a comment on Peter’s multiple identities.
Professor Margetts: It is still possible to have a unique identifier and multiple identities; I do not think the two are incompatible.
Daniel Korski: There are two other areas. Because the Government have a lot of data, there is an assumption that the answer lies in finding a smart way to access it, but we find that, increasingly, private and semi-private organisations have lots of data about us. A good example is a platform like JustGiving; it has a good idea of the breakdown of certain social services because, guess what, there is a correlation between what people give and an area where they do not feel there are services, but it is very difficult for a company like that to go to Government and say, “We’ve got this data, and we are of course GDPR compliant. What’s the way we interchange the data with you so that it can help public policy making?” An interesting growth area is figuring out how you help to take private sector-held data in an entirely compliant way but make it useful to public policy making. I do not think anybody has figured that out yet.
The other area I want to touch on is regulation. We saw just last week a massive hack in Germany that exposed the entire political class in a way that it had never experienced before. It raises a number of questions about how we regulate private sector use of data. As we know, most companies share our data with hundreds of other companies, and we need the regulator, the ICO, to be sufficiently robust, staffed and funded to guard against those kinds of incidents. We are at risk of moving a little bit away from the questions about digital Government, but, to my mind, they are very connected, and I encourage the Committee to look a bit at the capacity of the ICO to police that growing area.
Q279 Darren Jones: My second question is about the relationship between the public and private sectors. We have GDS; we have been talking about agile teams within Government Departments; we have the GovTech Catalyst; and your organisations at PUBLIC, Daniel, want to assist Government in being able to deliver solutions. Do we have the balance right between the private sector and public sector, and what criticisms, or positives, do you want to add about how that is working at the moment?
Daniel Korski: The Government could use small and agile technology companies much more than they do. The GovTech Catalyst fund is a great programme, but it is £20 million out of an overall Government digital spend of billions and billions. While it does exactly what it says on the tin—it is catalytic and shows the way ahead—it is by no means the path of genuine transformation. We would like to see many more Departments taking much more seriously the opportunities that come from working with smaller companies, breaking up contracts and forcing legacy providers to open their systems to smaller companies. To me, that feels like a great growth area, and one where we can do a lot more.
Q280 Darren Jones: But having the right skills within the Department to complement the relationship.
Daniel Korski: To my mind, the country needs something like a national school of government and technology. We have seen lots of great training programmes for civil servants, but it does not feel like the institutional set‑up is adequate to the enormity of the task ahead of us. If we were to go back in time to when large institutions were created, whether here, in Europe or across the Atlantic, and put ourselves in the position of those who created the Open University and so on, and ask them what they would do, they would probably rethink what kind of institutions we needed. To my mind, we need a large national school of government and technology.
Q281 Chair: Do you all agree that we need to scale up in that way the level of training, education and skills?
Professor Margetts: Yes, because it would signify a sort of prioritisation for this. Government now is digital Government; they are not doing a lot else. It would signify that kind of emphasis and it is important. There have been good initiatives. I used to do master classes for senior civil servants in the GDS Academy. We should definitely be raising the profile of that.
Q282 Darren Jones: And on the public/private point?
Professor Margetts: As one of the witnesses in the previous session said, the focus should be on a much more mixed market. It has been oligopolistic for so long and dominated by huge global systems integrators. You need more small companies; you need people in Government to have the expertise to be able to work with small companies, and sometimes that means insourcing and re-governmentalising things because of the unique situation of this country.
We went overboard with outsourcing, to the extent that now the UK is a complete outlier. I wrote a book with Patrick Dunleavy that compared seven countries. The UK is a complete outlier in the way it went into outsourcing in certain technology. You have already heard that DVLA has insourced a lot of what it was doing. If you have that, you are in a position to compete against companies that do not have Government’s best interests at heart. I emphasise using the research community as well. I would put us in the mix.
Q283 Darren Jones: Universities often create spin-out companies to commercialise their academic IP. Would you see that as a way of engaging with the GovTech Catalyst, or do you think there needs to be a genuine research collaboration under the catalyst fund?
Professor Margetts: That is very difficult for public good-type research where you are working out how to make Government better. It is a possibility for some things, but it would be good if it was possible for researchers in universities and research institutes to compete with the private sector on a level footing.
Q284 Darren Jones: Last but not least, Peter, what do you say about the public/private point and the skills questions from the Chair?
Peter Wells: On public/private, I completely agree with Helen. Working out the line between the public and private sector in the information age is going to take a while, a decade or two. What are some of the things that should be public services that are in the private sector? What are some of the things that are in the public sector that should move into the private sector? That answer will change over a period of time.
To give a practical example, a private company is producing a list of candidates for election because Government are not doing it. It is called the Democracy Club. They are great people, but they have to find the funds to create a national list of candidates for election, because at the moment that is in PDFs or on hundreds of local authority websites. That is a public function being performed by the private sector because the public sector has not stepped up. There will be some to-ing and fro-ing, but at the moment I absolutely agree with Helen.
On skills, yes to more training, but we have to recognise that we are not training people in the right things right now because we do not know how to use technology well; we are still working it out. Lots of that learning comes from doing. We probably need more secondment programmes, with civil servants working in places like the Alan Turing Institute, through its fellowships and programmes. We offer secondments to people with businesses or people in less digitally-savvy Departments, for whatever digital means, working on projects to build new services or procure contracts so that they get experience from working on real projects and services in a reasonably safe environment.
Q285 Vicky Ford: How do you respond to the view that the Government should prioritise dealing with legacy systems and the issues those create before they try to innovate digital systems? Should they deal with the legacy first?
Daniel Korski: It is not an either/or. To take legacy first, legacy was once a great idea; in other words, it was a fantastic innovative project when it was put in place. At the time, it was the right thing to do in many cases. The issue now is that we have to deal with some of these legacy systems; we have to make sure that those that exist are interoperable, so that newer third-party innovators can easily integrate. We see the particular challenge of that in the NHS where a large number of legacy providers are reluctant to open up their system so that we can see the sort of innovation that takes place in many other countries. To me, it is not an either/or; we have to be able to do both.
The reality is that a lot of the companies we back do not aspire to replace massive legacy systems; they do not think that is their role. They are happy to see larger companies take on some of the challenges. What they want is an ability to deliver their service in a way that integrates with that legacy. I think the Government tend to say, “Is it stop or is it flow?” It is both. You have to focus on both.
Q286 Vicky Ford: Interoperability is the key.
Daniel Korski: For us, absolutely. Smaller companies that want to get in and show what they can do need interoperability.
Professor Margetts: I totally agree that it is not one or the other; you have to do both at once. I do not think all legacy systems were once a great innovative idea. They were things sold to Government by systems integrators because they could; they knew that Government did not know what they were buying. They were massive bespoke systems based on out-of-date tech. Some of them have been totally superseded.
One of the previous witnesses made the very good point that sometimes you just need to start again. That has happened in BEIS. I suppose that to some extent it is what is happening in DWP. You get something built up at the same time. After all, as the previous head of GDS used to say, the Government are really not much bigger than a medium-sized dating site or a bank. It is not rocket science.
Peter Wells: I disagree with the view that the Government is only as complicated as a dating site.
As well as legacy systems, we should look at legacy culture and legacy business models. There was a reason why people bought legacy systems; they were falling for the sales pitches. It was easier to do that, so we need to tackle those cultural issues. We need to look at legacy business models in some parts of the public sector. We have been told that some of the trading firms survive by selling data at a time when the private sector often has better data suited to more needs and at a much lower price. Institutions like the Ordnance Survey will face incredible challenges unless we help them to adapt to newer business models suited to the 21st century. As well as legacy systems, there are other legacy issues to tackle; we cannot just focus on the technology.
Q287 Vicky Ford: Is there anything more you want to add on enabling innovative technologies to help overcome the legacy system issues, and actions that should be taken?
Peter Wells: It would be interoperability. For me, it is freeing up the data infrastructure across legacy systems so that we can put in more components to start to replace them.
Professor Margetts: It is quite difficult to generalise. We always try to generalise about legacy systems, but by their very nature it is almost impossible, because each Department has its own issues based on a unique contract, usually of massive length. It is difficult to generalise, but what should be done is to have a sort of prioritisation in helping Departments, from the centre as well as at departmental level, to overcome the challenges of legacy systems. I did not mean to trivialise it; obviously, it is more challenging than running a dating site, partly because you would not start from here and they are starting from there. It is a question of helping Departments to deal with the unique circumstances of their own legacy operators.
Daniel Korski: One thing that strikes me is that very rarely do Departments and agencies ask themselves: what does this market look like? In some cases, we are not dealing with just a duopoly. In the NHS, we are often dealing with regional monopolies. The reason why nobody is breaking free of, say, a patient record management monopoly is that, if you are the one GP practice that breaks away from it, you look around and realise everybody else is not breaking free, so why should you? How do you integrate the data of your patients?
What often happens then is that everybody stays the same and you have not just duopolies but local monopolies. Few Departments go through the exercise of asking themselves, “What does this market look like, and what are we doing either to create more competition or to solidify this?” That leads to the solidification of legacy systems that nobody can break free of.
Q288 Stephen Metcalfe: I want to look at how well the Government are deploying AI in all its various forms across Government, either to develop policy or create value for money. How good is it, and can you give me any examples of good and perhaps bad deployment?
Professor Margetts: There is a way to go. Part of that is because of all the excitement over AI, blockchain and anything that sounds exciting, and the branding or marketing problem for machine learning. After all, some people say that AI is basically either machine learning or PowerPoint. That is an exaggeration, but it is not as exciting as the words “artificial intelligence” imply, so much more can be done in using machine learning across Government. There is a lot of interest in it. We are getting a huge amount of interest in it right across local and central Government.
It is important to stress that local government is where it is happening in a lot of cases—for example, the use of machine learning to predict demand for public services such as schools; childcare; child welfare; and that kind of thing. It is being used. There are two barriers. One is the question of expertise. Will local government be sold things that are called AI, blockchain or something like that when there will not be the expertise to understand it? It is important to back up the interest with understanding. That can be done. For example, we are running workshops at the Turing to try to tackle that.
The other thing is the ethical questions. We find that at least half the questions we get from policymakers are about the ethical challenges. To take child welfare as an example, if a company goes to a local authority and produces algorithms to predict aggregate demand for child welfare for that local authority, the next question it will be asked is, “Yes, but which children?” That is a difficult ethical question. We need to get the ethical framework in place to be able to answer those questions.
Q289 Stephen Metcalfe: Is that ethical question more difficult than asking a human, “Which children?” Aren’t the same potential biases in play?
Professor Margetts: Yes, and the same applies when bias comes into machine-learning technologies used for policing, sentencing or any of those things. Humans suffer from exactly the same challenges, but it is not as explicit. Obviously, a lot of judicial decisions are biased, but they are not so explicit and we know less about them. Now we can measure them much more carefully, which is a good thing. I do not want to make it sound a bad thing, but you are absolutely right. All those things are in human systems too. That is why they are in machine-learning systems; they are based on data from decisions made by humans.
Q290 Stephen Metcalfe: I suppose the danger is that we perhaps overstate that and it is a barrier to deploying what could be a really useful tool across Government.
Professor Margetts: It definitely is. You have the same problem I mentioned earlier. We have a lot of interest in the ethics of AI and a lot of new bodies to tackle that—for example, the Ada Lovelace Institute, which I will be on the board of, the Centre for Data Ethics and Innovation, the Information Commissioner’s Office and the Partnership on AI in the private sector. We have a lot of interest in the ethics of AI. Again, we need a bit of coherence in that landscape so that it does not stop us doing things but enables them.
Daniel Korski: There are some great examples despite the fact that we are in the early foothills of this. DWP has done a lot of interesting work on detecting fraud and error; HMRC has managed to transform totally 57 back-office processes; and in East Sussex we have seen an example of using various forms of machine learning to predict traffic patterns. We see a number of different things, but we are very much in the foothills of the exercise.
A third element is that we need great data. The reality is that we are not going to be able to run machines to predict anything unless we have great data, which means we must have access to it; it has to be available in a certain format that can be used. In many cases, it is not quite there yet.
Looking ahead a bit, where could some of the exciting opportunities lie? They are definitely around customs, trade and shipping. What can we predict by way of goods certification, or even fraud, which is an exciting and interesting area? Professor Margetts talked a bit about sentencing. There is definitely a lot of support that you can provide earlier in the judicial process where people basically need to look through case law, particularly if they are seeking legal aid. There are a number of exciting areas.
I would like to see the Government being more experimental and providing a bit more catalytic money. The GovTech Catalyst fund has begun doing that in some great areas, including using AI to detect Daesh imagery that promotes a jihadi message. That small but great example, which could be expanded, was originally backed by the GovTech Catalyst fund. Exciting things are happening, but we are at a very early stage. We need not just the right kind of people but data in formats that can be used.
Q291 Chair: Is enough being done to get the data sorted out, to clean data and put it into a usable form?
Daniel Korski: No. There are certain organisations that are absolutely clear about what is required and are moving ahead at pace, and there are other organisations that are not prioritising that. The Budget announced a review of data science capability across Government. I would love to see a similar central Government push to say, “Where are you on cleaning up core datasets?”
Q292 Chair: Healthcare is a key example, isn’t it? There is a vast amount of work to be done in cleaning up data.
Daniel Korski: Absolutely, but even if you take an area like health and think about social care, which is the responsibility of both the NHS and local government, you often run the risk of different datasets being required, but only one or two have been cleaned up because the organisational responsibilities lie across different Departments and organisations. I would love to see more top-down direction or audit of core datasets and the kind of journey that is needed to get them to the right place.
Q293 Chair: Do you want to add anything, Peter?
Peter Wells: On AI, I worry that there is a bit of naivety about some of the adoption. People are not thinking about what happens next. To take the example of Daesh imagery, if I was a techie working for Daesh—to be clear, I am not—I would be using AI to change my imagery and adapt to the AI that was trying to attack me. It would just be computer programs battling against each other, and hackers changing the data day in, day out.
It is very difficult to define quality of data. Quality is in the eye of the beholder; it depends on what you want to use it for. You almost have to clean it up by using the data and lifting it up to that standard through use. You want to build data infrastructure through delivering real practical services by solving problems, always thinking of what other unintended uses you might be making it available for. How can you clean it up for others, but always with solving the problem in mind? Otherwise, the big SIs will be back saying, “I’m going to clean up all that data for you. Here’s my multi-billion-pound programme.”
Q294 Chair: Helen.
Professor Margetts: I could give you a list of examples. Perhaps I will send them to the Committee because there is not enough time to go into them now.
Chair: Do that.
Professor Margetts: There is just one point. This not a luxury. The Government now perform a lot of tasks that will be completely dependent on an understanding of these technologies and their use. To take regulation, think of the Financial Conduct Authority or the Information Commissioner’s Office. How do you regulate the financial sector? How do you regulate elections? Any regulatory task now relies on understanding a very complex data and technological environment. It is not just a luxury or a nice to have; it is essential that we meet those challenges.
Q295 Stephen Metcalfe: Bearing in mind that as a Committee we produce a report and make recommendations to Government, what recommendations would you make to Government to ensure that they are making the most of their technology and that there is a skill base and understanding across Government?
Daniel Korski: The Government say they are going to undertake a spending review, and that is often a good time to have a slightly more zero-based approach to programmes and services. I submit to you that you should be recommending to the Government that they look in a very zero-based way across the range of institutions where machine learning can totally transform things. You could have extraordinary savings, particularly in DWP, HMRC and MOJ, where a number of incredibly manpower-intensive processes still remain far beyond what is necessary.
Another area is customer service. That is where the rubber hits the road and citizens get in touch with Government. Across the private sector, there are now commoditised solutions that make it much easier and more efficient to engage with customers, whether it is somebody calling with a toothache or somebody calling about their council tax bill. To me, it is extraordinary how limited a transformation of Government customer service we have seen, given some of those very commoditised technologies in the private sector. Those are some of the real opportunities.
Professor Margetts: Clarify responsibility for this at the centre and work with sectors to capitalise on the opportunities and meet the challenges. One example is the massive billion-pound programme to digitise the courts. That could allow massive potential for all the things we have been talking about in terms of predictive capacity and simulation. All sorts of good things could come from that, but it will not happen automatically as a by-product of digitising the courts. We have digitised lots of things in the past and it has not yielded those things, so it needs to be prioritised from the centre, with an eye to building those things.
Peter Wells: Given the potential of the coming spending review, the wheels are already moving and I am sure there will be lots of innovative ideas and new programmes as a result. The Committee could recommend something the Government have not been focusing on much, which is transparency and accountability around some of the new services. How do we create transparency and accountability in the outcomes of those services so that we can have the ethical or political debate about who we try to prioritise to benefit from some services and who loses out in some areas? Creating better debate about public services in the future will be useful.
Q296 Stephen Metcalfe: We talked earlier about having a Minister for cyber-security. Do we need a Minister for AI, or does that sound a bit gimmicky?
Peter Wells: It risks putting emphasis on a particular technology over other technologies. There was an AI winter. Was it 25 years? AI could go back to that period. Rather than focusing on a particular technology, let’s focus on transformation.
Professor Margetts: I think you are going to speak to the Minister for Implementation, who is pretty interested in these things and in improving them, so that is one possibility. We already have an office for AI. We might be at the Gartner hype cycle peak—it might be better not to call it that.
Daniel Korski: I agree. We have a Minister who calls himself the Minister for GovTech, even if his official title is Minister for Implementation, and he has been very forward-leaning on a lot of these issues. I would like to see a situation where in every Department there is a Minister and a senior official who think it is their job to drive innovation and rethink how the Department works. That may be using machine learning or doing something slightly different, but there should be one individual who constantly drives that agenda at both official and ministerial level.
Q297 Chair: Are there any areas of good practice that others could learn from? Are there any Departments where you think they are really getting their act together?
Daniel Korski: It is a good question. In my experience, real progress happens when there is an alignment between a Minister who gets it and is interested and a senior official. We must not forget that. The top 200 senior officials—permanent secretaries and DGs—are absolutely critical. They tend not to go on these courses; they tend not to have time and they tend to prioritise.
Q298 Chair: Are there any places where there is the alignment you have identified?
Daniel Korski: It is a good question.
Q299 Chair: Come back to us if you wish.
Daniel Korski: Under the new Health Secretary there is an opportunity. There seems to be an alignment between the Health Secretary’s interest in technology and the arrival of a chief digital officer, Juliet Bauer, from the private sector. Together, they seem to be driving the agenda quite well.
Professor Margetts: At one point, GDS had responsibility for senior digital hires in the Government. I do not know where that is now.
Q300 Chair: Reboot it in some way.
Professor Margetts: Yes, because in that way you get a kind of network. You can reinforce the silo effect if you focus on it just at departmental level. I could give you examples of Departments that will not share their cloud-based platform with one of their constituent agencies. You need something to bang heads together.
Chair: Understood.
Q301 Damien Moore: I declare an interest as the chair of the all-party group on blockchain, but I got these questions by accident rather than design. To what extent can technologies like blockchain and biometrics be used to enhance digital Government services in the UK?
Daniel Korski: For my money, it is hugely important that Government always ask the question: is this technology delivering services that we want delivered, at a price point and security that is optimal? Until now, I do not think we have found the sweet spot for blockchain across the public sector. That is not to say that we should not try or that it will not emerge, but I have yet to see a use case that is sufficiently cost-efficient and gives the same level of clarity as a secure database, for example. My view is that we should definitely be exploring, piloting and trying it, but also sanguine about the opportunities.
To me, biometrics is a slightly different kettle of fish because it feels logical to assume that in the future, whether you walk through an airport, are approaching the Palace of Westminster, or are at a football game or whatever, some level of biometric identification will take place. The question that arises is: under what parameters? Where do the data get stored? Who can get access to it? What is the recourse for the person whose biometric identifier has been delivered, in case they want to complain? Is the entire framework of identity fit for purpose?
To give one quick example, if you book into a hotel somewhere, you hand over your passport. The hotel takes a copy and retains a range of biometric data about you that you may not want to give: your height, eye colour and so on. Suddenly, we might be in a situation where we need to change the nature of the biometric data you are giving for the purposes you are giving it, because all the hotel needs to know is where you are a citizen. They do not need to know how tall you are, the colour of your eyes or where you were born. Blockchain and biometry are different. For sure, we are going to see a diffusion of uses of biometry across the public sector, which then begs a number of interesting regulatory and ethical questions.
Professor Margetts: We need to make sure that technologies are the solution to a problem we actually have. If you are a policymaker in a country with very high levels of corruption and you are trying to establish property rights, blockchain could be a dream come true, but I very much agree with Daniel that those kinds of use cases in the UK would be more difficult to find.
Biometrics is different because that has been shown to be a solution to problems we have, but it can generate new policy questions and a need for data governance that we did not have before. We always have to be alive to that.
Peter Wells: We think we have come across one or possibly two good use cases for blockchain in the UK. The National Archives has had the challenge of taking digital content for a few decades. It will start releasing more and more of that digital content over the coming years. People want to know whether that digital content has been changed. Sometimes files are removed from folders. There are good reasons for that sometimes; sometimes there are bad reasons, but it is about knowing it has been changed. There is a method with blockchain whereby you can provide a bit more confidence in the information provided by the National Archives.
Secondly, there is the collaborative aspect of blockchain, looking at a network of national archives collaborating to maintain data, so they are all working together across the globe on how to help to increase confidence in each other’s national archives. The National Archives use a project called ARCHANGEL, which has some interesting characteristics. It is hard to cut through the hype on blockchain. I do not think blockchain is useless, but finding out whether it is more useful than what other technologies are bringing is quite hard to do.
Biometrics has very different characteristics. I get concerned about the twin pull of biometrics. An increasing number of people who use smartphones happily use their face to unlock their smartphone, but there is increasing public disquiet over things like the police use of facial recognition. Is that giving a useful guess rate in spotting possible criminals and is there value for money through that? I fear we might have a backlash against some of the possible useful things that biometrics provide unless we get some of that under control and work out how we build a safe market for biometric services.
Daniel Korski: We have not given many good examples of the use of blockchain. Across international development, led by DFID, there are a number of examples. I have seen some interesting examples led by the Swedish land registry. There are a number of interesting examples worth looking at.
On biometrics, the issue is giving citizens a sense that it makes their life easier. If you can arrive at Heathrow and quickly go through without a queue, largely because you have allowed your face to be used, you will see a value in a way that you may not see if you hear that the police are using different systems of crowd control.
Q302 Damien Moore: We talked about Government doing more to improve datasets. Would you say that technologies such as identifiers are the best way to do that, or is there an alternative?
Professor Margetts: In delivering digital Government services, we ought to be thinking about digital identifiers, but we have to recognise the kind of cultural shift that has to take place with respect to data, in that for the first time we can use data in the wild, as it were, where it is not in a dataset but in its natural state. It is much more possible than it used to be to use that kind of data. There are lots of challenges but there are two key challenges.
One is that the Government have no history of using just data that are out there, or even data from their own administrative operations, for making operations better or for making policy. We need to overcome that cultural shift because it is crucial.
Another thing to note is how much data Government, or indeed the research community, do not have access to. We talk a lot about social media data, for example, and all the ghastly things that Facebook is assumed to be doing, but we do not actually have any of that data. We do not have any ability to mandate digital platforms to give data that might be used for the public good. That is something regulators and other policymakers need to think about. There is so much data we are not using because we do not have it.
Q303 Martin Whitfield: I want to look at the ethics of all of this in a very short time. We have discussed the ethics of datasets. I would like to say that we understand that and have evidence that we can understand on that, but what about the ethics of the innovative technologies rather than the actual datasets? What are the big ethical problems that will come along? What questions should we be asking now?
Daniel Korski: Gosh, it is a big question.
Martin Whitfield: I am sorry.
Daniel Korski: There are issues about the extent to which we want datasets to be brought together to give us some insight into the behaviour of people or potentially even a prediction of their behaviour. Once you have insight and prediction, you often have a requirement or demand for a policy or operational decision. If you happen to know that at certain times of the month certain kinds of families with certain kinds of characteristics tend to experience more spousal abuse than others, what do you do with that data? I do not want to overdo the analogy, but what are the ethics of a car? The ethics of a car are entirely different depending on how you use it. If you drive it towards lots of civilians, it is entirely different from driving it to transport your family.
Q304 Martin Whitfield: Rather than datasets, if we take the car analogy, there are ethical questions about it. If we take a gun, the ethical questions are different and sometimes perhaps it is easier to take a side. If we could think about the innovative technologies that are being proposed and dreamt up, rather than the dataset ethics, is there a chance to look at whether or not the technologies themselves will raise ethical problems that we should address? That is what I am interested in.
Professor Margetts: It comes back to my answer to an earlier question. One is the question about the use of it. What you do with the information? If you know that statistically a child is almost definitely going to drop out of school, what should you do with that child’s education? Should you put more or less resources into it? Should you pretend you do not know? Those ethical questions are challenging, and they are to do with the use of the data, not the actual data. It is just a question of the accuracy of probability.
Q305 Martin Whitfield: Again, it is the historic problem of all ethical questions. It is not the technology; it is what you choose to do with it and who you choose to share it with.
Professor Margetts: The other question, which is quite profound—not good for 30 seconds—is about bias. As I expect you know, all machine learning is based on training data, basically; it has to learn from data somehow, and that data can be biased. Often, we find that we are revealing biases in our system of government, and our public administration and judicial systems, that we have always known were there but did not confront in any sense. In a way, that is super positive because it is difficult to tweak a judge, but there might be things you could do with machine-learning technology. In a way, it opens up new opportunities, and we are much more aware of bias than we used to be.
At the same time, it is very challenging. For example, Amazon had a new hiring algorithm that was not going to be gender biased. They have just withdrawn it because, guess what, it was worse than people because there was no data. Some people believe that there is no data in some policing jurisdictions in the US that can produce an unbiased technology. That is a very profound ethical question. Can you use technology that you know will be biased?
Q306 Martin Whitfield: The ethical problems are not just for digital Government; they are at a more fundamental level. The questions are at a more fundamental level, and that is what we need to address.
Professor Margetts: It is forcing us to recognise things about our system of government and ask ourselves what level of bias we are willing to put up with. We might find that we are not willing to put up with a level of bias that we formerly accepted relatively uncritically. We are much more uncomfortable with digital systems.
We expect much higher levels of safety for driverless cars than we do for human drivers. We are killing each other all the time and that is okay. That analogy will pop up. With both things, you will get a lot of the ethical issues that you get in health. How do you decide which person should have a life-saving drug or should be kept on a life support system and so on? We are very used to those ethical questions in health, but we will see them popping up right across Government.
Daniel Korski: To me, the two things are consent and recourse. Who is consenting to what, and what recourse do you have to a human being making a decision that perhaps evaluates what has been decided by an algorithm? We have two great examples where we have taken incredibly complex ethical issues, including in the House of Commons and House of Lords. Stem cell research is hugely contentious, but it has been handled in an incredibly calm and thoughtful way over a significant period. We also had the introduction of NICE and the way we price drugs, which I know the Chair knows a lot about. There are models for how we deal with incredibly complex ethical issues that involve Government decision making and the parameters within which we are willing to allow private sector players to operate, and we might be able to learn something from those two cases.
Q307 Chair: You mentioned consent. In written evidence to us, DefendDigitalMe criticised the lack of consent in the current model of data usage by Government. They say: “Government ignores the lack of public agreement process for secondary re-use of administrative data at its peril and with associated institutional and reputational risk.” Is that a concern that you share, or not?
Daniel Korski: Although the GDPR is built on existing legislation, it has set a new bar for data standards and the kind of consent data subjects provide.
Q308 Chair: Is it not different for a Government?
Daniel Korski: We are all on a journey to ensure compliance. I am absolutely certain that Government are in many cases still not compliant with that regime. That is one issue. The second issue is the extent to which datasets can be maintained as anonymous or pseudonymous by Government when they look to derive certain policy insights. I suspect that the evidence you quoted touches on that question. There will be a live debate about the extent to which one can safeguard data subjects’ rights while still deriving policy outcomes, but at least we now have an incredibly robust legal framework and, in the ICO, a recourse mechanism for people who are concerned.
Peter Wells: To go back to the ethical point, we need to be careful not to fall into a trap. I see a bit of a trap at the moment in the technology world of thinking ethical debate solves lots of things. Often, we need action. A lot of things are tangled up in ethical debates, whereas there are some quite obvious actions that need to be taken to stop or start things. I very much agree with Helen. A lot of these things show existing societal biases and questions, and often it is not just ethical debate but political debate about what type of future we want to build using the technology.
A third very quick point is: whose ethics? In a digital Government context, people are using tools built by others. Those tools contain decisions made by the people who built them. Facebook is built by people on the west coast of America, and America has a different belief in what free speech is compared with, say, the UK or Germany, which has said it will ban comments about Nazis because of what we all know happened. Whose ethics are they, and where are those decisions being made? Trying to get the decisions a bit more public, and understanding, when we are procuring things, what comes with the technology we are procuring would be interesting.
Q309 Martin Whitfield: Do you think there are different levels of transparency that we should demand that might not be demanded elsewhere with regard to our technologies?
Peter Wells: The UK Government have a data ethics decision-making framework. You could demand that the outputs from that framework are published alongside services and projects, apart from certain circumstances where they have to be kept incredibly confidential, which might be to do with the police or parts of the intelligence services. We should publish those results as openly as possible so that we can see what debate was had.
We use a data ethics canvassing tool with our clients. We have clients in the private sector, public sector and third sector publishing their results and their internal ethical debates over these issues, so surely we should demand that Government be held to a higher standard when they hold more power over us because of the nature of the state.
Professor Margetts: I am not sure we know so much about what people do and do not consent to. There is some evidence to suggest that people assume that their Government interaction data is being used much more than it is. That is certainly true of health research. People think their data is being used more than it actually is. We need to know more about consent, and we should move towards that situation on data ethics. I absolutely agree with you. There are success stories. NICE might be one of them; the Nuffield Council for Bioethics is another; the Human Fertilisation and Embryology Authority is another.
There are issues that people feel are being dealt with in a good way. Perhaps we need to know more about that, but there is research that suggests it. We want to move towards that situation with data ethics. I do not think we are there now, but in large part that is because of what every other organisation, not just Government, is doing with our data.
Daniel Korski: I am hopeful for an even more ambitious future. Today, if you or your family suffer from a certain disease that only an experimental drug can deal with, most people raise hell in order to get access to that drug. I hope for a future where people will say, “Are you telling me that because you did not use data smartly, you were not able to predict that I or my family member was at risk?” When we reach that point, people will see the value of data in their lives, albeit in ways where they feel they have given consent and they have recourse to complaint procedures or the safeguarding of their rights.
Professor Margetts: Absolutely. The ethics of not using data factor that in.
Chair: Brilliant. It has been quite a marathon, but we are there. Thank you all very much indeed. We really appreciate the time you have spent with us.