

Science and Technology Committee 

Oral evidence: Digital Government, HC 1455

Monday 4 March 2019

Ordered by the House of Commons to be published on 4 March 2019.


Members present: Norman Lamb (Chair); Vicky Ford; Bill Grant; Sam Gyimah; Darren Jones; Damien Moore; Graham Stringer.

Questions 310 - 467


I: Matthew Gould, Director General for Digital and Media Policy, Department for Digital, Culture, Media and Sport; Kevin Cunnington, Director General, Government Digital Service; and Simon McKinnon, Interim Chief Digital and Information Officer, Department for Work and Pensions.

II: Margot James MP, Minister for Digital and Creative Industries, Department for Digital, Culture, Media and Sport; and Oliver Dowden MP, Minister for Implementation, Cabinet Office.


Written evidence from witnesses:

Department for Digital, Culture, Media and Sport

Cabinet Office

Examination of witnesses

Witnesses: Matthew Gould, Kevin Cunnington and Simon McKinnon.

Q310       Chair: Welcome, all of you. I will do introductions in a moment. It is important for me to say right at the start that we would like witnesses and Committee members to declare any interests that they think are relevant.

I chair an advisory board for a company called XenZone. If you have interests that you want to declare, please do so when you are introducing yourselves. May we start with you, Matthew?

Matthew Gould: I am director general at DCMS for digital and media policy, and I have no interests to declare.

Kevin Cunnington: I am head of the Government Digital Service. By way of background, I am a lifelong technologist. My bachelor’s degree was in computer science; for my master’s degree I specialised in AI. I am a recent recruit to the civil service, having spent most of my life in the private sector with PricewaterhouseCoopers, Goldman Sachs, and I was the global head of digital for Vodafone before joining GDS in 2003.

Simon McKinnon: I am the acting chief digital information officer and DG for digital in the Department for Work and Pensions.

Q311       Chair: Thank you very much. We much appreciate your time this afternoon.

To what extent is GDS still necessary if all Departments have their own digital strategy and digital teams? Kevin, do you want to start off justifying yourselves?

Kevin Cunnington: Maybe the best way to describe it is to say that, in common with other Cabinet Office functions, GDS operates to a six-point plan. I can go through those six points quite quickly: one is to set the cross-Government strategy, irrespective or, I guess, on top of what Departments do; two, to set standards and assurance; three, to provide capability across Government; four, to design services and platforms, which we do; five, to provide expert services; and, six, which hopefully we will get a chance to discuss, to provide continuous improvement across the Departments. That is the area where I think there is most work to be done going forward.

Q312       Chair: Would either you or Matthew comment on the fact that we have had quite a lot of evidence, both written and oral, to suggest that the shift of data policy to DCMS could have resulted in a diffusing of responsibility within Government and perhaps the loss of central drive, with the danger that, if you diffuse responsibility, you end up with no one being ultimately responsible for driving the strategy? How do you respond to that? Is there a risk in what has happened?

Matthew Gould: I think it is part of the stage of development we are at. There was certainly a period when it made sense to drive everything from the centre. That was useful and it did really good work.

We have since taken a different tack, which is to continue to have a very necessary core capability at the centre and do the things that Kevin and his team do. If I may answer the previous question as well to reinforce Kevin’s point, some functions are necessarily done from the centre: some of the work around the profession, standards and interoperability. However good departmental strategies are, you want them to be able to knit together, and I think that is best led from the centre.

Part of the maturing of our approach has been the build-up of what effectively in DCMS is a Department that leads on digital policy. It does that in the round and has developed quite considerable capability in doing so.

Q313       Chair: And has sufficient clout—with all due respect, some people have suggested that you do not—with other Government Departments.

Matthew Gould: I would say that we do, and that clout is growing as we deliver. If you had asked me three years ago, I would have said, “Not now, but we need to prove ourselves and develop capability in order for that to happen.” I have to say that we now have good, robust discussions across Government. Increasingly, across the range of what we do we are seen as delivering competence and having expertise. It is a sensible investment by Government to create a Department that is capable of taking all those digital policy issues in the round, including the wider data issues, so that we can lead on the data economy and some of the policy questions around data as a counterpart and partner to GDS.

Q314       Darren Jones: In managing data policy, is it an advisory function or do you have enforcement powers? If a Department was doing something that was not in line with DCMS data policy, would you have the authority to say, “You’re not allowed to do that,” or, “We’d advise you not to do that”?

Matthew Gould: We have certain statutory functions—for example, under the Digital Economy Act 2017—and we are driving fulfilment of the aspirations of that Act. We have particular functions around ethics. We have set out the data ethics framework, which has been refreshed, and that provides a set of guidance for the Department. Ultimately, it is more advisory than us presenting an absolute block, but in practice the distinction is not one that particularly troubles me. Given the role we play—for example, in acting as secretariat to the Data Advisory Board, driving the DECA projects and setting the framework and standards—in practice this has not been a troubling distinction.

Q315       Graham Stringer: In the real world I would be more impressed with your answer if you gave us examples of where there has been resistance in Departments to what DCMS wants to do and where you have had a victory, because that is how the real world works. You have just given us very bland, general answers.

Matthew Gould: I am sorry about that. Across the range of digital policy we have done a number of things. They might not point to individual battles but we have delivered quite substantive, crunchy outcomes.

Q316       Chair: Do you have battles? Have you come up against resistance from Departments?

Graham Stringer: To answer Norman’s question, certainly to my satisfaction, you will have to say, “DWP or the Treasury resisted this and we smashed them; we got them to follow these digital policies.”

Chair: Or, “We convinced them.”

Matthew Gould: Government are all about trying to find ways forward agreed between different Departments. Perhaps I may point to a few areas where I think we have taken things forward in a substantive way that has involved pulling Departments in particular directions.

Q317       Chair: To use Graham’s term, you smashed them.

Matthew Gould: I do not quite use those terms. The future telecoms infrastructure review, while a different bit of the field, for me was an example of DCMS taking an area, setting the agenda with cross-Government agreement and asserting a role for DCMS as the lead Department on digital policy in a way that has been effective and substantive.

We have another one coming up with the forthcoming White Paper on online harms, which is emphatically going to be a cross-governmental production but is led by DCMS with the Home Office. We are building a substantive set of areas where we have shown that we can make stuff happen.

Q318       Chair: To press you a little further, have you had resistance in specific cases from other Government Departments, and have you prevailed?

Matthew Gould: Specific resistance in what terms?

Q319       Chair: Seeking to make sure that there is a unified position in Government so that everybody is moving in the same direction. Have you come across resistance from some Government Departments?

Matthew Gould: On a range of our issues—the future of the telecoms sector, how you deal with online harms and the balance in creating a regulatory framework for online harms—different Departments come to the table with different views, and we have been able to forge a way forward.

Q320       Mr Gyimah: A number of the substantive policy issues you deal with are parented by other Departments, which is what you have said. It would be helpful to get a sense of the leverage that DCMS has, given that it owns the policy area, in either brokering a solution or leading it, or is it always just a function of negotiation and what comes out, in which case the question is: what is the leadership that DCMS is providing?

Kevin Cunnington: Data and API standards as defined by Matthew as part of the policy are still implemented by GDS. GDS has two main control mechanisms for assuring that they meet the standard. The first is that we have what is called the technology controls process, where I can sign off on a Department’s plan or otherwise if it is not within the specifications we adopt; secondly, we have the GDS service-assessment standard, which again gives me similar powers to say, “That’s not what we’re expecting.”

Q321       Chair: Effectively, you have a veto.

Kevin Cunnington: Yes, and the escalation is to Ministers.

Q322       Darren Jones: Can it be more than that?

Kevin Cunnington: The escalation is to Ministers, so it is a ministerial job to sort it out.

Q323       Chair: Kevin, do Government Departments use the resources of GDS effectively, or do you find that some are failing to use them?

Kevin Cunnington: I would say that in general there is a very collegiate environment across Government right now.

Q324       Chair: You do not think there is a silo effect, which we have heard from some witnesses, with Government Departments withdrawing into themselves and doing it all themselves.

Kevin Cunnington: No, I absolutely do not.

Q325       Chair: You find equal willingness across all of Government to use your services. That hesitation suggests that you do not.

Kevin Cunnington: It is the word “equal”; it is not absolutely the same everywhere.

Q326       Chair: Where are the areas of resistance?

Kevin Cunnington: I would not say there is anything specific, but there is a different sense of willingness—I do not know how best to describe it—or momentum to drive things.

Q327       Chair: Where do we need to improve the momentum? It is helpful if we know, because we will never get anywhere in improving things if we are not transparent on these things.

Kevin Cunnington: I was not trying not to answer your question; I was trying not to generalise. I genuinely feel that there is not a need for you to get involved in any one specific case. There are times when, through the process of setting the controls, we just do not agree, and that goes to Ministers for resolution, but there is no specific area I would want you to take away and focus on.

Q328       Chair: I am conscious you said there are different degrees of urgency, or words to that effect. If on reflection you might want to add something in writing to us, that would be very helpful because, if we are to be of any use in advising and holding Government to account, we have to know what is going on; so some clarity on that would be appreciated.

Kevin Cunnington: Let me express it slightly differently. I would say that the one area of continuous improvement that GDS needs to strengthen is helping the less mature Departments to come to the benchmark set by the more mature Departments.

Q329       Chair: Which are the less mature Departments?

Kevin Cunnington: The most mature are people like—

Q330       Chair: Just try to answer the question.

Kevin Cunnington: The smaller Departments in general.

Q331       Chair: How do we measure success on digitisation? How do we quantify it?

Kevin Cunnington: I would say by context. When GDS started in 2012 we really had no capability: no people and no profession. Developing digital service was not normal but abnormal. I think the most succinct way of expressing that is the recent Institute for Government report, which noted that from 2015 we had developed about 25 exemplar services. From there, it has soared to nearly 800. I think the greatest simple measure of digitisation in Government is that we have gone from 25 exemplars to nearly 800 services over the past four years.

Q332       Chair: Simon, we have heard claims that DWP may both deliberately and inadvertently utilise a digital by default strategy that excludes vulnerable people. How can DWP and other Government Departments ensure that their commitment to digitisation does not end up compromising accessibility for vulnerable citizens because they do not have those digital skills?

Simon McKinnon: It is an inherent part of our process to think about the users of our systems, and we recognise that in all cases some of those users will have less understanding about using digital devices or accessibility problems. We create personas and case studies that we use to test whether our solutions will allow users to use our systems. If you take the example of universal credit, we encourage users to use online services, but if they cannot there are telephone numbers they can call; there are services we have set up with the citizens advice bureau for people to go and get help. They can come into jobcentres and get advice from our caseworkers.

Q333       Chair: Do you think you are watertight on that? We have heard evidence of cases where they have had to fight against officials who have wanted to exclude phone numbers from information for citizens, for example. Does that still happen?

Simon McKinnon: Not that I am aware of. I saw that in one of the previous recordings. I am not aware of any examples where we have deliberately tried to hide information from people. For economic reasons, we try to encourage people to use digital channels, but we have never, as far as I am aware, excluded users from other means of accessing our systems.

Q334       Damien Moore: Continuous improvement has been mentioned a number of times, but do you think that for that to happen you would need powers to ensure that all Departments are utilising the potential of digitisation?

Kevin Cunnington: I think that in the first instance we would need a better analysis of where we are. Intuitively, if you were to ask me, along the lines you did, what good looks like and, therefore, what less good looks like, you would probably put DWP at the front of this and say it has done a really good job at insourcing capability, breaking up contracts and moving things to the cloud. That is almost my intuition, and I would love to have that maturity index for all Departments as a set of actual facts that we measure. So far we have not done that. That is one of the big areas we need to look at.

Within that, I would also want to press Departments to get to the same level of maturity where possible. Having a fairly wide spread of Departments is difficult because, when smaller Departments are called to do things, it is just more difficult for them to do it than it would be for Simon.

The second area on which I need to focus going forward is the enabling environment. We have done a lot to digitise Government and improve local processes between us by the technology controls process, which I know came up in previous evidence, but we probably have not done enough to transform the way we fund, assess and potentially audit digital transformation going forward, so there is work there to be done to make it more modern and in line with some of the improvements we have made locally within digital itself.

Matthew Gould: Powers are obviously a key part of it, but I would not fixate on them as the answer. In my experience, you need a suite of things. One is powers; another is to give people the confidence through the ethics frameworks and things like that; another is having sufficient skills, which goes to the work Kevin leads on profession; and it is also having ways to lubricate progress—for example, through things like the GovTech Fund or the Regulators’ Pioneer Fund, both of which for relatively small sums of money have got people thinking positively and creatively about how they can use emerging technology in a really good way.

Q335       Chair: We have also had evidence that the sum of money for the GovTech scheme—I think it is £20 million—is not nearly enough.

Kevin Cunnington: I would disagree with that. The GovTech catalyst is there only to get the first set of prototypes working; it is not there to fund the subsequent development. To get those 15 prototypes working, £20 million is adequate. We are still going through the early stages of seeing which of those prototypes come to fruition and are taken further, but I would expect it to be the Departments, not the centre, that then fund it.

Q336       Damien Moore: Do you think it is a reasonable response to say that bigger and smaller Departments have to take a different approach?

Kevin Cunnington: Yes.

Q337       Damien Moore: But ultimately would you want the power to be able to step in and compel them to do something?

Kevin Cunnington: To refer to Matthew’s point, I have never felt that having a mandate, whether with Government or in my previous role in Vodafone, really works, because when people do not do that it is not because you need to order them to do it; it is often because there are good local reasons why you cannot.

Q338       Chair: But it is not always that, is it? Sometimes it is just inertia.

Kevin Cunnington: Yes, but with positive encouragement from the centre in things like the setting of standards and certainly the build-up of capability, it is probably worth mentioning that we have now created a whole profession of 17,000 people in Government. We have created 38 job roles and assigned every one of those 17,000 people to one of those roles. We have provided a much better career offer, and, aligned with that, we have trained 10,000 people in the academies in what good looks like, so I think that now it is less about inertia, because I think I have removed a lot of inertia from the system; it is just about getting people to the same standard.

Q339       Vicky Ford: Simon, I want to come back to your long list of ways in which people are accessing UC if they do not have their own digital devices. Could you possibly add local libraries to that? In my constituency people go to smaller local libraries to access their UC. The council is currently consulting on potential reforms to local libraries, and clearly it would be suboptimal if those points of contact for DWP were not available.

Simon McKinnon: Of course. My list was simply meant to be examples rather than a comprehensive one.

Q340       Vicky Ford: Will you please look seriously at that issue? I do not know whether it is only in my county, but I suspect it is in others.

Simon McKinnon: I will make sure it is picked up.

Vicky Ford: As people move towards more online reading and fewer books, libraries change, but we must remember that people are using those places to access Government digital services.

Q341       Chair: If you came back to us with a note on whether that is an option, it would be helpful, if possible.

Matthew Gould: Perhaps that could be a joint note with us, given we have the policy lead on libraries. I know that my counterpart who leads on that side of it, if she were here, would absolutely say that our vision for libraries is that they are precisely the sorts of places where people can access the internet, along with lots of other things: training, skills and so on.

Vicky Ford: You might need to have a head-to-head challenge with some of those who manage the libraries, taking Graham’s approach of going head to head with other parts of Government.

Darren Jones: The ONS produced a report today about people who do not use the internet. It states that, in 2017, 56% of the 5.3 million non-internet adult users were disabled people, and among 16 to 24-year-olds 60% were disabled, so in that note it would be quite useful to hear about how systems to help people with disabilities, who often need to access Government support, fit within the non-internet strategy.

Q342       Bill Grant: I reinforce Vicky’s point about libraries and local councils that provide support for the less able. It is a cost to them, although I think there is some financial support to councils, but library access to the DWP system is extremely important throughout the UK.

My subject is legacy systems, which are already embedded, noting that some of them may have extended contracts; some may have limited or reduced support mechanisms to keep them going. Have your Departments attempted to replace legacy systems? For those that did, did they find that transition smooth or extremely difficult?

Simon McKinnon: I will talk about our legacy systems. A large part of our core service delivery is still operating through those legacy systems, but we are incrementally moving towards digitisation of them. An example would be the state pension, which is run through a 30-year-old system, but we have built parts of it. We have Check Your State Pension. There have been 12.5 million statement views in the past year. We have something called Get Your State Pension, which lets people ask for their state pension to be started. By building those incremental replacements we will get to a point where the legacy system is no longer necessary, but those legacy systems are critical to what we deliver, and the move away from them has to be done very carefully. It will take many years, but it is our ambition to move off those systems in due course.

Q343       Chair: Do you have a timescale to complete it?

Simon McKinnon: No, we do not. I can tell you when we expect individual systems to be replaced, but we have no plan to replace all the legacy systems. We prioritise them on the basis of where we think the need is going to be most important.

Q344       Bill Grant: Are there any other comments on legacy systems beyond the DWP? Is that the only Department operating legacy systems?

Kevin Cunnington: No. Every Department operates legacies. Maybe just as an external perspective, for me legacy in Government is characterised in two ways. First, we tend not to fix it if it ain’t broke; we tend to prioritise new policy requirements; secondly, as Simon says, it is much harder to fix Government legacy because it comes with all sorts of legislative constraints than it is in the private sector.

Having said that, there is work under way being led by the Government Security Group, in conjunction with GDS and the National Cyber Security Centre, to help Departments find the investment necessary to address legacy as part of the next spending round funding. That is primarily because, although legacy stops me and Simon transforming, it costs more and is more difficult to secure. Therefore, it is a real security concern if we move away from legacy to something more modern.

Q345       Bill Grant: Noting the security concerns, you also touched on investment. Is there a risk that, if we do not bite the bullet or grasp the nettle, for want of a better cliché, further down the line there will be a bigger cost to the taxpayer? We appear to be nursing the legacy systems as we go along rather than dealing with the issue. Is there a risk that it will be dearer if we continue the process?

Kevin Cunnington: We would say there is a risk because these things are getting increasingly costly to maintain. Therefore, the sooner we can move away from legacy to something that is purpose-built with security built in, the cheaper it will be to operate.

Matthew Gould: DCMS is not itself a Department that operates huge amounts of legacy kit, but in our mission it is very clear that legacy presents an interoperability problem. If you want systems that can speak to each other easily in enforcement of cross-Government standards and, to go to Kevin’s point, cyber-security, it is all much easier if it is lifted out of legacy.

Q346       Chair: Is there a satisfactory level of ambition across Government to get rid of these legacy systems as quickly as possible?

Kevin Cunnington: That is what we are trying to achieve in the next spending round.

Q347       Chair: Therefore, this is a critical moment in the spending round.

Kevin Cunnington: Yes.

Q348       Chair: It needs to be given priority.

Kevin Cunnington: Yes.

Q349       Bill Grant: There is also the view in relation to legacy systems that Government Departments should consider developing parallel systems, or modernising the systems and running them together so that eventually the legacy systems drop off. Is there merit in that view? I think it is an opinion held by more than one source that we should develop parallel systems that engage and there is a fall-off in the legacy systems, or is it already happening?

Simon McKinnon: It is horses for courses. In some situations we will increment away from them. If I take the state pension world, by the end of this year we will be running cases in a parallel solution to the legacy systems. We will then move cases across incrementally to the new system in due course. I think that in other situations—universal credit is a classic example—we have built a brand-new solution that will remove the need for some of the legacy systems that we run.

Q350       Bill Grant: It has been suggested that the DWP, in progressing universal credit, hung on to legacy systems and maybe developed bolt-on systems rather than a replacement. Is that a factor? Do you have a different slant on that aspect? Is there resistance by DWP to modernising the legacy systems?

Simon McKinnon: Not at all. We are very keen to modernise our systems. It provides a better experience for customers; it reduces our operational costs; and it enables us to enact policy in a much easier way.

Q351       Bill Grant: DWP is working hard at digitisation and moving away from legacy.

Simon McKinnon: We would like to move away from legacy systems, but we still run 11 old mainframe systems. We are protecting them and modernising the hardware and software on which they run to give them a longer life, but in due course we would like to replace them with digital solutions because they are more effective.

Q352       Bill Grant: Do we still have the skills to support the legacy systems and maintain them? Are they still available?

Simon McKinnon: At the moment we do, yes.

Q353       Chair: I guess that becomes increasingly difficult, does it not, the more out of sync they are with modern requirements?

Simon McKinnon: Yes. They are harder to maintain and the skills become in shorter supply, but we are training people and building up that capability so we are protected going forward.

Q354       Darren Jones: Is there a standard definition of what a legacy system is across Departments? Has there been a cross-departmental audit of who has what legacy systems and when they need to be ended?

Kevin Cunnington: There is not really a standard definition. They tend to have about five characteristics: one is old mainframe services; another is out-of-date operating systems and the applications associated with them, but there is not a complete audit of all the legacy systems.

Q355       Vicky Ford: On skills, which is my section, we have been told by Tom Loosemore that GDS has a very high staff turnover rate. Kevin, do you think that is a fair analysis?

Kevin Cunnington: It is a fair question. When I first joined GDS two and a bit years ago the attrition rate was 21%, which is about the industry norm. At the time it was the third lowest in the Cabinet Office, so there is something to explain here. The Cabinet Office encourages people to come on rotation for a couple of years and then go back out. We tend to have a higher attrition rate than, say, Simon, who is at 8%.

Having said that, GDS has migrated 150 contractors over the past year. That adds to our migration and attrition rate. We have transferred people across to work with Matthew on data. That adds to our attrition rate. We are based in London, which is quite a competitive market, and that adds to our attrition rate. Our attrition rate today is 31%; most of the people who leave GDS go back and work in Departments, so I am entirely comfortable with that situation.

Q356       Vicky Ford: To the whole team, do you think Government Departments find it difficult to keep their digital skills in-house? If so, why?

Simon McKinnon: It is certainly difficult to recruit in this market. Traditionally, that has been largely the availability of skills in the market and the competitiveness of the packages offered. GDS has done a lot of work on improving the available packages, which is very effective for new people, but it is still a slight problem for retention and keeping all of our people on those sorts of salaries. Having said that, we are improving our ability to build capacity. Over the last year I think we recruited more than 800 people.

Matthew Gould: Our position is slightly different, inasmuch as typically we are trying to recruit people who understand digital technology, the platforms and so forth from the point of view of trying to create policy that works—for example, in relation to the White Paper on online harms, making sure that it is technologically sensible and coherent.

We do not find it straightforward; it is difficult but doable, because the challenges we offer and the problems people get to grapple with when they come to us, or indeed other bits of Government, tend to be in lots of respects bigger, more interesting, more complex and ultimately more worth while than many they would get outside. We have some work to do on the digital policy front in creating really good models for how we take technical geniuses and use them in a digital policy context. There is a body of work still to do on exactly how that works.

To make one general point that I think is quite important, I was previously ambassador in Israel, where I saw the Israeli tech ecosystem and the whole Israeli tech scene up close. One of the things that is very different between them and us is that they have a flow of people through Government agencies, academia and the economy. They cycle round and through them easily; there is relatively low friction in moving between different bits. I think that flow is helpful, so I would be wary of getting to a point where you regard people who move on as a tragedy. If you can get it right, it is a good thing.

Q357       Vicky Ford: It is a two-way flow backwards and forwards between the private and public sectors.

Matthew Gould: Exactly.

Q358       Vicky Ford: Thank you for making that point.

Is there anything specific you would like to put to us about how we could help recruitment and retention and encourage the flow?

Matthew Gould: For one thing, I would emphasise the value of the flow itself. Sometimes there is a bit of a mindset that says when somebody who is really good moves on it is a tragedy. It is not necessarily, but there are also frictions and hurdles. We do not necessarily make it easy for people to come in; sometimes we certainly do not make it easy for people to leave. Encouraging Government to look at how the system works in getting people who understand the tech sector to come in from the tech sector and go out again would be useful.

Q359       Vicky Ford: So, people rising to the challenges.

Kevin Cunnington: If you had asked me two years ago, I would have said there was an awful lot you can do to help, but, having introduced these 38 job roles for the 17,000 people in the profession, we can now measure everybody’s competency within those job roles. For the first time, this gives us the ability to use progression pay. As people move up the competency levels, we can pay them more. Two or three years ago that simply resulted in people jumping between Departments to get more money, which was not helpful; that would not progress people within Departments.

Q360       Vicky Ford: What should be GDS’s role in ensuring that the future civil service workforce is digitally skilled and that the skills are kept up to date?

Kevin Cunnington: We have talked about the job framework with 17,000 people. We talked a little about the 10,000 people we have trained under the digital academy system. For the avoidance of doubt, the digital academy system is arguably the best in the world; nobody has ever done anything on this scale before.

Those are two. The third is that we are doing a lot to encourage diversity within the workforce. Specifically, in my space in GDS we promised on international women’s day, pretty much three years ago later this week, that we would have a gender-balanced management team, and we do. We have four women and four men.

In GDS, 44% of colleagues identify as women. GDS was the first Department to mandate BAME representation on interview panels, and our inflow has grown from 18% to 30%, so we are already doing a lot in that space.

Chair: It is positive.

Q361       Vicky Ford: On equal pay as well?

Kevin Cunnington: We are still working through that, but on the 17,000 we have not figured out whether we have an issue.

Q362       Vicky Ford: That is a “no”, then; you are getting there.

Kevin Cunnington: We are definitely working on it.

Simon McKinnon: It is more than that. We also need to invest in non-digital people to build their digital skills. In our environment, we help caseworkers in jobcentres, for example, to build their capabilities as well, and they can then pass that on to the general public.

Q363       Vicky Ford: As for the 10,000 people who have been through the digital academy, that is an ongoing process.

Kevin Cunnington: Yes. We train about 3,000 people a year at peak. We have four academies in Newcastle, Manchester, Leeds and London. On Simon’s point, about four fifths of the people who have been through are not practitioners; they are people to whom we are giving awareness, so they are no longer worried about agile digital. Two thousand people have gone on to be practitioners.

Q364       Chair: What is your current workforce number in GDS?

Kevin Cunnington: In GDS it is 860.

Q365       Chair: It is growing still quite rapidly. It was 500 in 2015, I think.

Kevin Cunnington: Yes.

Q366       Mr Gyimah: One of the key things about working in a digital environment, certainly outside Government, is its fast pace—it is entrepreneurial. The management structures are very different. What do you do to create a similar culture, because that is essential to attract and retain the best people within a Government environment?

Kevin Cunnington: I would say that it is not so dissimilar, having come to it from the outside environment. We are particularly non-hierarchic about the way we do business in GDS. We go to great pains to talk not about our grade but about what we actually do.

Q367       Mr Gyimah: You do not do everything through the submissions process.

Kevin Cunnington: Submissions are generally an adjunct to the development process. In the development process we use exactly the same agile methodology that is used in the private sector: a two-week sprint; show and tell; and the intelligent challenge. I would say we operate pretty close to the pace of the private sector in our digital development.

Matthew Gould: On our side, we have had quite a lot of people come in from different bits of the private tech sector. A lot of them have said to me that they are surprised at the degree to which it is not a stifling hierarchy. They get stuff done; there is a clear mission; and they are trusted to get on with it. For example, there is an irreducible amount of submissions to be written, but I think that is just part of the democratic process.

Simon McKinnon: Part of the process of trying to make ourselves more attractive to the market has been that we have had to change our culture. We have changed our physical environment and the way we deliver projects. I cannot think of the last time we did a waterfall project in DWP. There has been a fundamental shift in the way we deliver digital projects and make them digital, which is changing our culture enormously.

Q368       Chair: What actions are your individual Government Departments taking to ensure that your data are sharable with other Departments and the public?

Matthew Gould: The team that came over from GDS was working on standards. Underlying the infrastructures in place, we are using the powers under the Digital Economy Act, so it is up to individual Departments to take forward the possibility of data sharing, but we are certainly trying our best to encourage and lubricate the process—for example, by getting our staff to go on road shows, talk to groups and make sure people are taking up those powers. We are putting in place the things that are necessary for people to have confidence in the use of those powers through things like the data ethics framework and the creation of a centre for data ethics and innovation.

Q369       Chair: What about making sure that across Government data are safe and secure? Who leads on that between DCMS and your unit, Kevin?

Kevin Cunnington: DCMS owns the data policy; I am responsible for the implementation of that policy within Government.

Q370       Chair: How satisfied are we that data are secure across Government?

Kevin Cunnington: We do an annual audit in conjunction with the security services that looks at things like vulnerability, penetration testing and data security. To date, we are happy with that.

Q371       Chair: What about the NHS? It is not a Government Department, but significant concerns were expressed following the attack that the NHS suffered that trusts are not doing enough uniformly to protect themselves. Are you satisfied about security across the public sector?

Kevin Cunnington: Security for the wider NHS in this specific instance is with the Government Security Group, not GDS.

Q372       Darren Jones: Where is that based?

Kevin Cunnington: In the Cabinet Office.

Matthew Gould: It also takes you back to the question of legacy. If I remember from my days as director of cyber-security four years ago, as we look at this it ties intimately into the question of the degree to which we are bound into legacy systems, which we discussed earlier. It is problematic in cyber-security terms.

Q373       Chair: To be clear, responsibility for security in non-governmental departments—the public sector more generally—is with the Cabinet Office, and responsibility within Government Departments is with DCMS. Is that right?

Kevin Cunnington: It is a little more complicated than that. The broadest sense of security is owned by the National Cyber Security Centre, which is responsible for the pan-UK economy and Government. The Government Security Group is specifically responsible for some of the arm’s length ones.

Q374       Chair: Do they have any power to mandate that things happen? Concern has been expressed to us that parts of the public sector are not up to a sufficient standard, yet there does not appear to be the power to force change. Is that a concern? For example, how do we make sure that it happens in the NHS rather than continued reports suggesting that there are still issues?

Kevin Cunnington: I would leave the Government Security Group to answer that for itself, if I may.

Q375       Chair: Do you know whether anyone has the power to mandate that action is taken?

Kevin Cunnington: I do not think they have the power to mandate it.

Matthew Gould: But particularly in relation to the NHS the rules are rather different from Government; it is about the relationship between hospital trusts and other providers: NHS England, DH and NHS Digital. The equation is slightly different there, although I am straying into territory that is not mine.

Q376       Darren Jones: But is this not the point about data policy being in DCMS? Surely, you are responsible for NHS data if you have a cross-governmental function for data policy.

Matthew Gould: We are at one level, but that is a separate question from saying that specific responsibility for security standards best sits in a single place. I would be wary of thinking the answer necessarily is to centralise everything and have the maximum number of powers in a single place.

Q377       Chair: But we do need to make sure that the whole of the public sector is properly protected, do we not, against cyber-attack?

Matthew Gould: Yes, and that is emphatically the role of the National Cyber Security Centre, which was set up precisely so it could provide advice cross-sectorally.

Q378       Chair: But it is advice, not the power to mandate.

Matthew Gould: But that goes to individual regulators for sectors or Departments for different bits of the public sector to translate that advice and those standards into appropriate guidance/instruction for the sector. It depends on the sector; it is horses for courses.

Q379       Darren Jones: You must be the accountable Department for the security of data. I get that systems, hardware and security questions lie elsewhere, but if one of my constituents suffered a data loss because of a hardware issue—say, an outdated operating system—you are still the person responsible for their data.

Matthew Gould: No. I think we are responsible for data policy.

Q380       Darren Jones: What is the difference between data policy and data security?

Matthew Gould: This goes to questions of operations—in particular, responsibility for a hospital trust losing data, for example. That would appropriately go up that line of command; it would not be for DCMS to take responsibility for all data.

Q381       Darren Jones: You are in charge of cross-departmental data policy, which includes the health service, so it must come to you eventually.

Matthew Gould: In terms of what the standards should be, yes; in terms of being accountable for particular data losses, no.

Q382       Chair: How do we ensure that Departments use data transparently and effectively? Is that your responsibility, Kevin?

Kevin Cunnington: No; again, it is Matthew who is concerned with data policy. The answer is the Digital Economy Act.

Matthew Gould: It is the powers under the Digital Economy Act that allow data to be shared, and continuing adherence to our open government standards.

Q383       Chair: Are you satisfied with the progress being made on the sharing of data across Government?

Matthew Gould: The relevant bit of the Digital Economy Act came into force only in the summer. Since then under each of the different categories we have seen a number of different trials and projects take off on, for example, permission granted under fraud. We can give you the full set of where it is already happening, but at this point, eight or nine months in, it is not bad progress.

Q384       Bill Grant: Noting the good and I am sure continuing progress in digital Government and taking the aspects of access to data, sharing data and security above all, where do we lie in dealing and working with devolved Administrations? My question is based on the fear that they may go in a different direction and perhaps at a different pace, or is there some overarching framework that embraces the United Kingdom and the digital progression of Government services?

Kevin Cunnington: From a digital perspective, we work closely with all the devolved countries. We have had side memoranda of understanding around the sorts of support GDS will provide specifically to them.

Q385       Chair: Thank you all very much indeed. We appreciate your time.

Kevin Cunnington: I would make the offer that, if you want to see agile in practice in GDS, do come and pay us a visit and we will show you round.

Chair: Thank you very much; that is a good offer.

Examination of witnesses

Witnesses: Margot James and Oliver Dowden.

Q386       Chair: Welcome, both of you. Thank you very much indeed for your attendance this afternoon. Perhaps I may start the questions by asking whether, between the two of you, you could clarify the respective roles of DCMS, GDS and the Cabinet Office.

Margot James: Good afternoon, everybody. Thank you for inviting us. We are here together because our two Departments work closely together.

Q387       Chair: Can you clarify the actual roles?

Margot James: I will speak for my Department and then I will hand over to my colleague to speak for GDS and the Cabinet Office, which are his responsibilities. We work closely together. My Department’s role is setting policy overall and providing strategic leadership for data and other aspects of technology across Government and its relations with the private sector. We are responsible overall via other agencies for security across Government as well.

Q388       Chair: The policy on security.

Margot James: The policy on security, yes.

Oliver Dowden: I am a Minister in the Cabinet Office. The Cabinet Office has direct oversight of the Government Digital Service, which is one of the functions that sits as part of the Cabinet Office functional agenda reporting to John Manzoni, the chief executive of the civil service, and then on to Ministers.

The way I see the divide is that DCMS is responsible for the tech sector and all the issues associated with that. We are responsible for Government delivery and the issues around that. The two areas where there is a bit of joint coverage are in relation to data. Data policy is owned by GDS, but clearly Government has a lot of data within it so inevitably it is tied up with GDS. Overall policy for cyber-security lies with the Chancellor of the Duchy of Lancaster, who sits on the National Security Council. But the reality is that on lots of these issues the Minister and I work very closely together, and GDS works very closely with DCMS.

Q389       Chair: May I put to both of you some of the criticisms we have received in both written and oral evidence? For example, Deloitte says that “countries with fewer levels of government and more centralised structures are better able to drive change across government silos.” We have moved away from centralised operation with the Cabinet Office and GDS towards what one might say is a more diffuse responsibility between DCMS and Cabinet Office and GDS. How do you respond to the criticism from Deloitte and from Peter Fleming of the LGA, who talked about a loss of momentum and an uncoordinated approach? The fear is that, if no specific body is ultimately responsible for driving the change and everyone is responsible, we end up with no one being responsible. Is there a risk of that with the new set-up?

Oliver Dowden: I think it is worth taking a slight step back. You, Mr Chairman, may remember from your time in the coalition Government that the reform, which was the creation of this functional agenda, started in 2010 and was led by Francis Maude, then Minister for the Cabinet Office. Essentially, we tried to break down the baronetcies of each Department, which had its own property, its own commercial responsibilities and its own digital, and create cross-Government functions.

At the beginning, in creating these cross-Government functions it required quite a lot of top-down drive to make it happen. For example, Francis had a very big drive on breaking up some of the large legacy contracts with major IT providers, which sat around for 10 years and did not represent good value for money and so on. In doing that, he set out a series of standards and a controls process whereby ultimately there was sign-off on new projects through GDS and up to Ministers in the Cabinet Office.

As GDS has developed over time and standards have matured, we have developed a more pipeline approach whereby it is only if we feel that Government or specific projects are off track that they get escalated to Ministers. GDS over time has in turn been able—because processes are getting better across Government—to focus more on cross-departmental things, such as general standards, training and so on.

Q390       Chair: I understand the philosophy. We still have the criticism that there has been a loss of momentum, and the need identified at the start, with Francis Maude driving an approach across Government, is still there: the silos still exist and we have a lot of work to do in getting better cross-Government momentum.

Oliver Dowden: Yes and no. Inevitably, there is a balance between the extent to which you have top-down drive and bottom-up facilitation. Inevitably, one has to move it over time, but, as we have become more assured that the controls process is working and most Departments are doing the right thing, we can leave them to get on with doing the right thing, unless we feel they are not doing the right thing, in which case we intervene through the controls process, and we can use GDS to focus on things like training and standards.

One other thing I want to pick up from your initial comment is that there are two areas where the Government do not have the kind of control that jumps out. The first is the NHS, where, thanks to the nature of the set-up of the NHS, there is not that direct control, but that is being addressed by the Health Secretary in creating NHSX, which again is in collaboration with GDS; and, in respect of local government, the local government Minister, Rishi Sunak, has a local government digital declaration, which again is being supported by GDS—but we do not have direct levers over those. In respect of that, it is more about encouragement than direct control, but I am convinced we have the direct controls and use them as necessary.

Q391       Chair: Given the absolute need for high standards on protection against cyber-attack, is there a case for considering a power to mandate that organisations take the necessary action? We know that the NHS, for example, is still way off meeting sufficient standards of protection.

Oliver Dowden: In respect of cyber-security, the flow of work comes from the National Security Council and, in turn, the national cyber-security strategy. Through the National Cyber Security Centre, we have lots of work that sits across all of Government, including local government. Indeed, over time we want to make this available to the commercial sector, as well as, for example, looking at reducing phishing attacks. We have taken down lots of malicious websites; we have halved the number of phishing attacks, so that cross-Government work is available to everyone.

In addition, there are standards that are mandated through GDS for all Government IT systems, and there is a controls process that ultimately goes up to the Cabinet Office. Recently, in respect of procurement we have set up a new playbook and we have requirements for cyber-security there. Therefore, we are tackling it from lots of different angles.

Q392       Chair: You do not think the allegation that Government Departments are becoming more siloed is a fair charge to make.

Oliver Dowden: No, I do not. What we have tried to do over time, as we have gained confidence that GDS standards are being embedded in Departments, is take a step back, but we still have the ability through the controls process to escalate issues. Officials escalate issues to me if they feel that the standards are not being adhered to.

Q393       Chair: We have heard that the current procurement framework unhelpfully excludes start-ups and is seen as over-restrictive and risk-averse. How do you respond to that concern?

Oliver Dowden: I do have a concern about the accessibility of Government procurement to start-ups and SMEs, and the Chancellor of the Duchy of Lancaster and I have sought to address it.

Q394       Chair: Are you looking at whether the framework needs adjusting?

Oliver Dowden: There is a number of things. First, we have set a very challenging target for the whole of Government, which is that 33% of all procurement goes to SMEs. As part of that process, we have reduced complex pre-qualification questionnaires; we have required contracts and subcontracting opportunities to be advertised on Contracts Finder. We have also piloted a number of initiatives, such as the GovTech Catalyst, and as part of the emergent tech strategy that we are launching in the spring we are looking at further developments—for example, the extent to which we can scale up the catalyst function.

We are also creating a new framework called SPARC. The idea is that it will make it easier for SMEs to come on and off the framework as they scale up projects.

We also have the Digital Marketplace, which we launched only a few years ago. Already several billion pounds-worth of spending goes through that, and SME participation is much higher. That is for things like cloud services.

Q395       Chair: Is the trend still an increase in SME participation and winning of contracts, or are you seeing a drop off?

Oliver Dowden: It goes up and down from year to year. The total volume continues to increase. As a proportion it goes up and down, but on the latest figures I think that 39p of every pound spent on the Digital Marketplace goes to SMEs. That has gone down from last year as a proportion, but it is significantly up in terms of absolute numbers. I would expect that to fluctuate again, but overall it seems a good way of increasing participation.

Q396       Graham Stringer: If I may take you back to earlier questions, we had a Sir Humphrey performance from officials who refused, point blank, to tell us which Departments were progressing as quickly as they might in the digital world. Can we get a more objective and accurate response from Ministers?

Chair: We have pinned it down to some of the smaller Departments, which perhaps have the least momentum for change. Could you be clearer in identifying where you see potential problems that need to be addressed in progress being made on digitising Government?

Oliver Dowden: Yes. I think that in general we have succeeded almost completely on digitisation in its simplest term, which is a digital interface. The challenge is how we ensure end-to-end digitisation; that is to say, that all the processes behind are done digitally and, in its simplest, it is not somebody taking something that is produced digitally, printing it out, processing it and then sending someone an email at the end. We have identified the largest-scale projects that we are continuing to push through a process of end-to-end digitisation. We have functions for driving that—for example, the digital implementation taskforce, a cross-Government taskforce chaired by the Secretary of State for DCMS.

As to the nature of the projects and what differentiates them and the Departments with a lot of legacy systems, first, if you have developed early legacy systems there is a process of getting through that. Secondly, maybe there is an issue in relation to small Departments. Clearly, all Governments have to prioritise. We have prioritised on the largest-scale projects and over time we will deal with the smaller ones.

Q397       Chair: Which Departments are causing you the most frustration?

Graham Stringer: Which are the laggard Departments?

Oliver Dowden: We tend to view it not by Department but by project and transformation.

Q398       Chair: Which are the projects that are causing the greatest frustration?

Oliver Dowden: There were well-documented issues in the past related to universal credit, but we have made good progress in that respect. In the approach we are taking we do not have a score sheet that says this Department is good and that Department is bad. It tends not to be that but which transformation is—

Q399       Chair: Presumably, you have a RAG rating, do you not, so you are monitoring progress.

Oliver Dowden: Yes.

Q400       Chair: Which are showing up as red?

Oliver Dowden: I do not think we disclose RAG ratings. I do not want to get into the detail of RAG ratings. I do not think they are public domain documents, and, if I start revealing one red RAG rating, I will end up doing the—

Q401       Chair: In helping us to do our job of scrutiny, if on reflection after this session you are able to help us on where you have found particular challenges, that would be very helpful.

Oliver Dowden: I am very happy to write.

Q402       Graham Stringer: Or on a departmental basis.

Going back to the very first answers on why DCMS has a role at the centre of it, Government is already very complicated. I cannot think of another organisation that has three organisations—No. 10, Cabinet Office and the Treasury—as the centre of Government. Why do we need a fourth centre for digital in DCMS, which is a small and weak Department?

Chair: Do not take that as personally insulting.

Graham Stringer: No. It is about resources, not your competence, Minister.

Margot James: My Department has always had responsibility for certain aspects of digital policy, notably data protection, data ethics, the value of the digital economy and facilitating the growth of the digital and technology industries. Given the opportunities in some of these areas, it was decided that there was a need for a single strategic lead. Given our responsibility for the areas I have just mentioned, it was decided sometime before I arrived in the Department—over a year ago—that that would be DCMS. We work closely with the Cabinet Office on some of these areas. In some of the things the Minister has just been describing we have a role, but more towards the private sector. I suppose there is a natural demarcation, in that the Cabinet Office and GDS have more responsibility for the uptake of digital across Government.

Q403       Chair: We have heard evidence that you are responsible for digital policy across Government, not just the private sector.

Margot James: Digital policy overall, but execution is more in the private sector, and we work through the Cabinet Office and GDS to make sure that policy is implemented across Government.

Q404       Graham Stringer: That describes the current situation. I accept that is a description, but it does not say why—you have certain service functions and relationships with both the public and private sectors—we should also have a role at the centre, which I would have thought was better carried out wholly by the Cabinet Office, as it is already at the centre.

Margot James: We work very closely together and it is a huge area of policy in setting the policy and executing it. Mr Dowden has already described the genesis of Government digital services, and we now work together to make sure that both private and public sectors benefit from the swiftest uptake of digital across the piece.

Oliver Dowden: Frankly, it may be argued both ways. You could make the argument that the Cabinet Office should have all of anything to do with Government, although admittedly I am not quite sure where you would draw the line. A frequent issue with the Cabinet Office is that everything finds its way back to it because it is a central coordinating and facilitating Department.

Equally, you can make the argument that because DCMS has responsibility for digital and data policy in the wider economy it does not make sense to create an artificial boundary with the Government side. That was the decision made by the Prime Minister in the machinery of government, but the reality is that both of us rely on underlying common expertise—principally, the Government Digital Service, which is constantly working with DCMS and Cabinet Office Ministers.

Q405       Chair: The concern is about the sense of loss of momentum that has been expressed by some of the witnesses who have given evidence to this inquiry.

I go back to the role of SMEs, start-ups and so forth. We have heard evidence to suggest that collaborations between SMEs and larger companies can be effective in ensuring there is a role for SMEs in innovation in the delivery of services. Are you viewing that as an approach with some merit?

Oliver Dowden: Yes, definitely. I regularly meet strategic suppliers. We have an SME council, which meets four times a year, in which we discuss exactly these things. Some of the things we have done to try to facilitate that are, for example, requiring major strategic suppliers to advertise their subcontracting opportunities so SMEs know about them in the first place. If you look at the large strategic suppliers—I am not endorsing one over the other; it is just one I happened to see recently—Microsoft is very keen on this and is creating platforms on which SMEs can operate, because it sees the value of bringing in the flexibility of SMEs. I genuinely have an approach of continuous improvement, looking at ways we can help facilitate that. I outlined some of the measures we have already taken, and there will be further measures in the emerging technology strategy.

Q406       Darren Jones: My questions are about innovation in the delivery of Government services. I want to talk a bit about procurement, SMEs, data policy and legacy systems.

Before I do that, I want to push a little further the question, to which we have not really had an answer from both panels today, about the digitisation capacity within Departments. The European Commission does a benchmark measurement exercise of e-government services across the European Union. The most recent one, last year, gave the UK a score of 59%. I do not quite know what that means, but that was our overall score. Germany and Spain were 76%; Italy 64%; and France 63%. We are lagging behind European competitors in the delivery of e-government services.

My sense is not that this panel and the last one did not want to answer Graham’s or Norman’s question but that perhaps they did not know. Has any assessment been made by the Cabinet Office of the pipeline of digitisation that you want to see across Departments so you can then say to them, “We would really like you to deliver this service so we can meet our e-government objectives. Why are you not delivering that?” Is there a pipeline that is available to be seen?

Oliver Dowden: Yes. As I said, we have a cross-Government taskforce. It is fairly common. When there are cross-Government issues we have a cross-Government taskforce. There is a digital implementation taskforce, which is presented with evidence as to the scale of transformation, and we challenge Departments on the progress they are making. We have identified about 86 key strategic projects where it is most important to get that end-to-end digitisation, and there are a further 800 or so projects that are being digitised. That is the sort of cross-Government driver for it.

Q407       Chair: Do they set targets for the completion dates of all those projects so we can measure progress against some of them?

Oliver Dowden: Two things sit alongside that. In the case of very large strategic transformations, not necessarily just digital, two that spring to mind are the Court Service system and UC system. Those sit on the IPA frameworks. That used to be the Major Projects Authority, which evaluates progress on big pieces of Government transformation, not just digital. We get advice from that. At the ITF there is challenge provided by the implementation unit, which is the secretariat for that, in respect of each of those projects. Every project within its own Department has a timescale that it has to abide by, and we, through central mechanisms such as the implementation unit and IPA, are able to access that.

Q408       Chair: Does that taskforce RAG-rate all those projects?

Oliver Dowden: The IPA RAG-rates the major strategic projects.

Q409       Darren Jones: What we are not getting a feel for are the prioritisations for digitisation and how it is going and, in prioritising those, where we are perhaps not getting enough momentum in other areas. I entirely understand why the roll-out of universal credit or online taxation systems would be prioritised. Does it mean that, for example, areas around smart cities, smart motorways or agriculture policy are not happening at the same speed because of priorities? Is there a document the Select Committee can look at that gives us that overview?

Oliver Dowden: I am not sure I buy that the Government sit there and have relative priorities. What happens is that each Department has its own projects. There is not a trade-off between a project that is being run by, for example, MHCLG and one being run by DFID.

Darren Jones: But Treasury

Oliver Dowden: Yes. The process for a new project is that there is a bid by the Department. That goes through a controls process in terms of both the technological specification and approval through GDS. There is also a Treasury approval process. That is then signed off. It is up to the Departments to deliver on those according to the timetables and budgets that they have been given.

Through the IPA, we set overall standards and tracking for major cross-Government transformations, and specifically in respect of digital transformation we keep an eye on it through the digital ITF, and the implementation unit provides a secretariat for that.

Q410       Darren Jones: Minister, you have just given me seven acronyms. All I am asking for are the priorities for digitisation. My questions are today about innovation. If I am a scale-up, start-up or SME and I want to help Government deliver, where do I look to know that the current Government are prioritising certain areas that I might be able to bid into? Where do I look to understand Government strategy in prioritising digitisation?

Oliver Dowden: As to the things that have been focused on through the Government Digital Service—I will try to spell out the acronyms rather than slip into them, because it drives me mad to receive submissions filled with them—the first is Government as a platform; that is to say, services that can be used across all Government services. It is migrating all Government services on to GOV.UK, a single website. It has a single payments system, GOV.UK Pay, and a single notification system, GOV.UK Notify. It is also focusing on driving up training and standards.

In respect of where the opportunities arise, for each of those transformation projects there is a separate contract that will be advertised on the Government’s Contracts Finder website. If you want to participate, you can see where the individual contracts arise.

One area where I think we need to provide a bit more clarity is our approach to emerging technology. In that respect, this is why we are creating an emerging technology strategy.

Q411       Darren Jones: I do not mean to cut in, but where is the strategy document? Where do I go to look for it?

Oliver Dowden: The Government transformation strategy was published in 2017.

Q412       Darren Jones: That tells us the strategic objectives for the delivery of digital Government services.

Oliver Dowden: Yes. That is the latest iteration.

Q413       Mr Gyimah: This is such a fast-moving area. It would be good to get a sense of where either Minister thinks—specifically Minister Dowden—we are compared with our competitors around the world in terms of the services we are offering through GDS. How would you categorise that?

Oliver Dowden: There are surveys that consistently put UK digital transformation and the Government Digital Service in the top five. As the Minister responsible for GDS, I see the number of delegations coming from around the world to look at what we are doing. For example, the Canadians have just set up a digital service based very much on what we are doing. Lots of American jurisdictions are looking at what we are doing; the Australians are looking at what we are doing, but it is a very crowded marketplace and people are moving quickly.

Q414       Chair: Where are you looking, Oliver?

Oliver Dowden: The one that everyone cites is Estonia, but Estonia is very different because it started government from scratch in the post-communist era. I think the Singaporeans are doing lots of very interesting stuff. Interestingly, the Danes are doing more stuff in this space. In November there was a massive GovTech summit in Paris. One of the main events was hosted by President Macron. It was also attended by Justin Trudeau, Prime Minister of Canada. You certainly have to run to stand still in this environment. There is lots of potential for collaboration, but, if you view it in relative terms, consistently we are in the top five.

Q415       Darren Jones: We have had feedback about legacy systems where we are either building innovations on top of those systems or new systems. There was concern expressed in previous sessions that where you build fancy front-ends on top of a legacy system and that legacy system breaks the whole thing does not work.

In the previous session we heard that there had not been a cross-governmental audit based on a standard definition of what a legacy system is and, therefore, a strategy to make sure we are at appropriate points moving on to new systems, or making investment bids to the Treasury to make sure we are not just patching up legacy systems. Is that something that you think we need to do?

Oliver Dowden: As I said in some of my previous comments, the simple bit has largely been done, which, as you say, is the digital interface. The challenge is end-to-end digitisation. As we have flow, as it were, with new systems, we will make sure that those have full, end-to-end digitisation.

Government, in common with almost every organisation, including the most cutting-edge ones like Google and Facebook, struggle to a certain extent with legacy systems. As budgets permit, we will seek to remove those legacy systems and replace them with more up-to-date systems, but in the meantime, as we continue with legacy systems, we need to make sure that they are resilient and we deal with cyber-security issues and so on. But clearly over time we will want to make sure we are—

Q416       Darren Jones: Is there a role for your Department to audit across Government Departments which legacy systems are in which Departments and therefore make the investment case?

Oliver Dowden: That is done through the Government Digital Service.

Q417       Darren Jones: But it said that it did not have an audit of legacy systems.

Oliver Dowden: What would happen is that if an individual Government Department wants to get rid of a legacy system it has to make a Treasury bid, and that will have to be supported by the Government Digital Service as part of the controls process for it.

Q418       Darren Jones: To be specific, the reason for this is that we want to make recommendations in our inquiry report. We were told that there was not a cross-departmental audit of legacy systems, so we do not know the degree of the problem, or how long it is going to take us to deal with legacy systems. My question, which I will ask for the third and final time, is: do you think the Cabinet Office should do that audit?

Oliver Dowden: We could do it. For example, if in the upcoming spending review the Treasury decided that it wanted to prioritise reforming legacy systems, as part of the normal function of Cabinet Office and GDS we could give advice and work with the Treasury to identify where we could best allocate those funds.

I am sorry to keep coming back to this point, but it is important that principal responsibility for individual systems sits with individual Government Departments. The role of GDS, Cabinet Office and to an extent DCMS is about providing the drive and direction, but the principal responsibility will always remain with the individual Departments.

Q419       Chair: We heard from the first panel today that the spending review is going to be quite important in tackling the persistent problem of legacy systems. Do you agree with that view? Are you pressing hard within Government to ensure that the spending review prioritises the eradication of legacy systems across Government within as tight a timescale as possible?

Oliver Dowden: I am not a Treasury Minister and am not in any way seeking to speak to the Treasury on issues of the spending review. At official and ministerial level, we are actively engaging with the Treasury to understand how, by furthering transformation through greater automation and use of emergent technology, we can help to deliver better outcomes for citizens and drive efficiencies.

The prism through which we are doing that is to try to understand how we get the best value. Part of that is likely to be through changing to legacy systems, but, equally, it is possible, within existing legacy systems, to drive efficiency. All of it is a cost-benefit analysis to find out what value you get from additional funding. Those will form part of spending review bids, which will then be considered by the Treasury from the spending review perspective but also by the Cabinet Office through the controls mechanisms, both commercial and through the Government Digital Service, to ask whether it is worth while to do those things.

Q420       Darren Jones: Three points were raised from start-ups that we met, which were bidding for the GovTech Catalyst funding. I am interested to know whether the innovation strategy that is due is going to consider these points. First, the Government required start-ups to sign up to large indemnities for potential damages or losses, which many of them could not meet. Secondly, start-ups that may have been funded but were in the pre-profit phase were excluded from bidding because they were not profitable, although that would be normal for a company in that phase.

Thirdly, with the way in which the cycle was being run—I think through the G-Cloud framework, but correct me if I am wrong—you had big companies such as Capgemini getting a slot and then having to sell the delivery of the innovation to the start-up and taking 10% off the revenue that the start-up got to get into the framework in the first place, because start-ups could not get into it.

Those were the three real difficulties for the start-ups to be able to help to deliver innovation for us. Will they be considered in the innovation strategy?

Oliver Dowden: The short answer is that a relatively small pot of money was allocated by the Treasury, of £20 million. We have found it to be a very valuable use of money, particularly in encouraging SMEs. Clearly, there are lessons to be learned, and that pot of money has now been used up. If and when—I hope very much when—we agree resources for the next round, we will take on board all those lessons that you have raised.

The question of not being profitable is one of the perennial procurement challenges that we face, because there is a balance to be struck between ensuring deliverability and accepting the reality of where start-ups are. It is precisely formed in that way to start small and scale up, so we can address some of those challenges.

Q421       Darren Jones: When does the innovation strategy report?

Oliver Dowden: This spring.

Q422       Darren Jones: I will take that on a non-climate change-based analysis of when spring is.

Oliver Dowden: Take it on a Whitehall basis.

Q423       Darren Jones: My last question is probably more for you, Margot. You will know that a lot of companies wanting to innovate, whether it is around artificial intelligence, algorithms or whatever it is, want access to data, which is often on a cross-departmental basis as opposed to a silo basis. What work has your Department been doing on making that work within the appropriate rules, ethics and consent of citizens to be able to deliver that use of data?

Margot James: At the moment, we are working on, and are very near to completion of, our national data strategy. There has been a move over the last few years towards open data, which is going to form an important part of the strategy. Quite a lot of data has already been opened up, and companies can take advantage of that, where it exists. For example, the National Environment Agency has opened up a lot of data. Some SMEs have advanced data capabilities in that area and have developed products utilising that data that they can commercialise. Open data is important, and we are part way there—it is an important part of it.

Furthermore, each of the public services is making whatever data they have available, but there are quite a lot of steps to go through before we can see a sea change in realising the opportunities that this data presents. It is important, of course, that we apply ethical standards and ensure compliance with various frameworks and laws, such as those on data protection, but that we do that in a way that is enabling rather than restricting. As soon as the national data strategy is complete, we will share it with your Committee.

Q424       Darren Jones: Do you have an expected date or season for that report?

Chair: Spring again?

Margot James: It may well be summer. Some good work was done on it last year. Regrettably, we had to release a number of officials to the Brexit requirement, but I am hopeful that the resource will be back to full complement very shortly and we will be able to complete the strategy sooner rather than later.

Q425       Mr Gyimah: Margot, my first question is for you. It would be helpful for us to get an understanding of DCMS’s priorities on data policies.

Margot James: To set that in our wider digital priorities, we want to enable the right ecosystem for growing digital and technology, not just across Government but throughout society. Data is a hugely important part of that. Within that, our priorities are the use of data to revolutionise the delivery of public services, and it is fundamental to the digital transformation of the economy. So it is a hugely important part of our overall digital strategy.

Within data, our priorities are to ensure that data is used in an ethical framework, as I said in answer to Darren’s question, and used once, ethically driven to the huge benefit of wider society. There are mounting examples of it being used really effectively, but other aspects of our digital policy need to be motoring before it really can realise its potential, chief among them being connectivity. For a lot of the data revolution really to deliver its potential, we need dramatically to improve our connectivity; particularly, we need to ensure that we are global leaders in the deployment of 5G technology.

Q426       Mr Gyimah: Thank you for that. In our written evidence, we have heard that the Government should be doing more to utilise data to ensure value, effectiveness and usability. It would be helpful to know whether your priorities are going to ensure that those factors are improved as well.

Margot James: A lot of that will depend on the quality of the data that has been generated over years. Many areas of public service have already vast pools of data. For example, the NHS is the biggest of them all. We want to make sure that the data inputs are high quality and deployed in an ethical manner, with a clear goal of transforming outcomes for users, patients and the people who work in the NHS for the better.

There are a lot of things to get right in that. I think that the Chairman mentioned NHSX, which will capitalise on the work already done by the digital transformation wing of NHS England and under the auspices of the NHS data guardian. There are already a lot of examples, which you may have heard about, on a relatively small scale to start with—but they are delivering.

Data plays a huge part in the industrial strategy through the grand challenges and the sector deal with artificial intelligence. It has almost £1 billion of private and public funding towards enabling artificial intelligence to help to realise the data revolution. The grand challenges are using data to improve the detection, diagnosis and treatment outcomes of people with various long-term medical conditions. We work with the business department on rolling out the data and AI aspects of the industrial strategy.

Q427       Vicky Ford: You mentioned the roll-out of 5G. While we have been here, there has been quite a lot of press coverage of potential caps on single companies providing more of the infrastructure. Do you want to give a comment on where the thinking is about 5G providers?

Margot James: I cannot really comment any further than has already been provided in the public domain, with particular reference to Huawei. What I would say is that there are very few providers—probably three, effectively. The Government have a decision to make, and we are being advised by the National Cyber Security Centre, which has worked with Huawei over a number of years, to monitor the security and quality of their systems. There will be a report and an announcement once all levels of Government have given it appropriate consideration.

Chair: Are you suggesting, Vicky, that an announcement has been made?

Vicky Ford: No, there are just rumours flying around in the press at the moment about a potential 50% cap, and I wanted to give Margot the opportunity to talk about that.

Q428       Chair: Are you aware of that?

Margot James: I was not actually aware of the rumour about a specific cap. There is a review going on in Government at the moment, and it is known that there is a review going on, to which I just alluded, with the National Cyber Security Centre, around the supply infrastructure for the roll-out not just of 5G but of all our critical national telecoms infrastructure.

Q429       Chair: Do you have any idea when we will get a reply to our letter to DCMS from many weeks ago on Huawei? We wrote to the DCMS, Defence and the Foreign Office, and we have been waiting now many weeks. We understand that there is going to be a co-ordinated reply from Government, and we also understand that there may be disagreements within Government. But the fact is that we are still waiting. Do you have any idea when we will have a reply?

Margot James: I cannot be precise. It is being worked on; the review is in draft format and is being considered by various arms of Government at the moment. I hope that you have had an acknowledgment of your letter and an indication that a reply will be forthcoming.

Q430       Chair: I think that we have had an indication that a reply will be forthcoming, but no indication as to when. It would be helpful if, internally—ah, a note is coming to you. If you could tell us what it says, that would be very helpful.

Margot James: Well, we apologise for the delay in responding to your letter, and a response will be provided shortly.

Chair: Shortly is as flexible a concept as the seasons of the year, but, anyway, thank you. Back to you, Sam.

Margot James: It is a tricky issue.

Q431       Mr Gyimah: Thank you, Margot. I hope that you can deal with this question. To go back to your earlier answer on AI, the data revolution and what the Government are doing, which I certainly welcome, you will know that one of the biggest issues surrounding data is the lack of public trust and understanding about what citizen data is being used for. How will DCMS consult the Centre for Data Ethics and Innovation on how best to improve public trust and design a data policy to ensure that it is transparent and responsible?

Margot James: That is a very important area. The Centre for Data Ethics and Innovation is up and running now. One of the most important aspects of its remit is to engage the public in the debate on data ethics and to produce work and research that, hopefully, will reassure the public that data is being used appropriately, transparently and in compliance with the law, particularly the data protection legislation.

We have established some data ethics principles—the data ethics framework principles. We expect all Government Departments and public services to honour and respect them. They are all about complying with the legislation, being aware of the various codes of practice—like the data ethics framework itself—ensuring that the use of data is proportionate to the user need, ensuring that there are robust practices and being aware that the insights gained from data and its uses will be only as good as the data inputs.

The ethical challenge is to make sure that various biases and potential discrimination between customer groups, user groups and members of the public are properly controlled and ironed out at source. You mentioned transparency, which is very important. Organisations have to be accountable for their use of data. We want to create an environment of responsibility around the use of data.

Q432       Mr Gyimah: Is there an actual link-up with the Centre for Data Ethics when it comes to looking at the issue of responsibility of the specialist users?

Margot James: Yes. The Centre for Data Ethics will be advising Government on all aspects of data policy and the use of data. It will also undertake specific assignments. The first ones it has been tasked with researching and inquiring into are the use of profiling and the use of microtargeting. It will be exploring those. It will be working with the Information Commissioner’s Office, which is also looking quite closely at those areas in certain aspects of Government’s work. The centre will be a very important adviser to Government in this area.

Q433       Mr Gyimah: Does DCMS intend to take any action to run outreach to measure public trust and to understand citizens’ concerns about how data are being used? You have explained what is happening in Whitehall, in quite a technocratic way, but how do you know that the public are moving and that trust among the public as far as data is concerned is improving?

Margot James: I am sorry that I appear to be technocratic.

Q434       Mr Gyimah: No. I think that you gave the right answer.

Margot James: DCMS runs various programmes of research. In consultation with the centre, we will audit public trust in data. There is not a specific proposal at the moment, but it is part of our ongoing remit to assess public opinion and trust when it comes to data.

Q435       Chair: Have you looked at the Estonian model? They have legislated to create a Personal Data Protection Act, which gives citizens control over their data. It is all based on a consent model. Are you looking favourably at that for this country? The question of consent is still a bit vague in our official approach.

Margot James: It should not be. It is now embedded in law. I respect thoroughly what Estonia has done in a number of areas, but we have the same protections written into our data protection legislation, which became law in May of last year.

Q436       Chair: Are you suggesting that, in effect, the GDPR does the same job as the Personal Data Protection Act in Estonia, in giving the citizen control?

Margot James: Yes. I do not know the Personal Data Protection Act in Estonia in detail, so I would caveat my response, but I believe that the incorporation of the GDPR—and, indeed, the Data Protection Act, which goes beyond the GDPR—puts citizens in control of their own data. It gives them a panoply of rights over their data. For example, it gives them rights when decisions are being made about them through the use of AI. It gives them the right to know that, to challenge it and to request and obtain human oversight, if required. It is consent driven, as is Estonia’s Act. Whereas, prior to the passage of that legislation, consent was in danger of becoming a tick-box exercise—a lot of it was opt-out, really—with the new legislation consent has to be active and freely given.

Q437       Chair: In terms of Government use of your data.

Margot James: In terms of both Government and private sector use of your data. There are exemptions. We took advantage of some of the exemptions that are permitted under GDPR, primarily with regard to law enforcement and, to a much lesser extent, in respect of immigration policy.

Q438       Mr Gyimah: My final question is for Oliver Dowden. Data is obviously an integral part of digitisation. Are you at all concerned about decentralisation of data policy?

Oliver Dowden: No. The way in which it works is that DCMS has overall responsibility for data ethics and the data frameworks, but, clearly, through GDS, we have a responsibility for the data that the Government hold. To be honest with you, the biggest challenge is just getting data to a state where it can actually be used for manipulation and so on. That, in turn, goes to questions that we had earlier from Darren Jones and others around digital transformation. Clearly, you tend to get better data from newer systems than from older systems.

Q439       Vicky Ford: I have four quick questions about cyber-skills. First, who is responsible for cyber-skills development across Government?

Oliver Dowden: The Government Digital Service.

Q440       Vicky Ford: Secondly, we have heard witnesses from several organisations, such as techUK and the UK Computing Research Committee, say that there is a global shortage of people with cyber-skills. What action is being taken to ensure that the Government are equipped with digitally skilled civil servants?

Oliver Dowden: Clearly, there is a shortage. It is one of the most in-demand areas. One thing that the Government can do is try to upskill their existing workforce—for example, through the digital academy—but it now goes wider than that. We need to make sure that all civil servants, particularly the people in a leadership role, understand the potential of cyber and digital transformation. Increasingly, that is what the Government Digital Service is focusing on.

Margot James: There is a wider skills shortage. There is a skills gap across technology in the digital area. That is particularly acute in cyber-security. In addition to what Oliver has just mentioned about skilling up Government professionals, we are doing quite a lot of work overall to improve the attractiveness of cyber-security as a sector. A lot of that is all about professionalising it and enabling cyber-security to be a profession in its own right.

We are also investing hugely in skills. We are working very much with the private sector. Our contribution is the cyber-security high-impact skills fund, which is working both in schools and universities and in various other hard-to-reach groups. We take a holistic approach to the skills gap. We will not be able to fill this gap, like every other aspect of the digital skills gap, just from the population who are currently in full-time education. For example, we have an arrangement with the National Autistic Society to roll out cyber-skills training to people on the neurodiverse spectrum. We are also implementing packages of skills training in cyber-security to parents who are coming back into the workplace. We are doing a lot of outreach in this area, as well as putting more resources into formal education—both schools and further and higher education.

Q441       Vicky Ford: This question is for the Cabinet Office. How much do you expect the GDS workforce to expand over the coming years?

Oliver Dowden: Clearly, discussions with the Treasury are commencing/ongoing as we look to the spending review settlement for the next period. We certainly need those skills and are investing a lot in them. Training issues are now probably one of the principal focuses of GDS.

Q442       Vicky Ford: Some witnesses have told us that the civil service does not pay people enough for cyber-skill roles. Do you agree? If there is a salary issue, how can we better incentivise digitally skilled employees to work for and stay in the civil service?

Oliver Dowden: Clearly, across the whole civil service there are challenges in relation to pay. We are never going to be at the top end of pay, but we offer a wide range of other things—for example, our working patterns and the skills that come from being involved in wider public policy. Through the creation of a function in relation to digital skills, we are looking across Government, rather than for each Department, and setting separate pay scales for people with digital skills, through the digital profession. That is enabling us to set pay in a way that is appropriate for those areas where there are skill shortages.

Q443       Bill Grant: Cyber-security has been mentioned a few times. What is the role of your Departments in ensuring that Government cyber-security is there? Is that role fully understood by your Departments?

Margot James: We have the cyber-security strategy and a cyber-security council. We work very closely with the National Cyber Security Centre, which has training delivery standards—minimum standards, if you like—that are deployed across Government to ensure that cyber-security is as it should be across Government. All systems are tested routinely. Departments are responsible for their own security, but they have to account for implementation.

Q444       Bill Grant: I note that cyber-security seems to be embedded in the Departments, but where does ultimate responsibility for cyber-security lie? It must have a policy. Where does that policy emanate from?

Oliver Dowden: Clearly, cyber-security overall sits ultimately with the National Security Council, which is chaired by the Prime Minister. There are then the National Cyber Security Centre and the national cyber-security strategy, which brings together the Cabinet Office and GCHQ, which sits under the Foreign Office. That is led by the Chancellor of the Duchy of Lancaster.

Q445       Bill Grant: They set policy, and that policy is enacted across the Departments.

Oliver Dowden: Yes. As Minister James said, the primary responsibility for each Department’s cyber-security lies with that Department. The Government Digital Service sets the overall standards, frameworks and training. It is then supported by the National Cyber Security Centre on common tools that can be used across the whole of Government. In addition to that, there is the Government security group, which tests and challenges cyber-security.

Q446       Chair: Are you satisfied that sufficient progress is being made on cyber-security across Government?

Oliver Dowden: Yes. I think that we have made tremendous strides since we announced the national cyber-security strategy, with £1.9 billion-worth of funds, and set up the dedicated National Cyber Security Centre. It has been given real drive. I know that the Chancellor of the Duchy of Lancaster, who leads my Department, spends an awful lot of time personally engaged in this and that the National Security Council considers it on a regular basis.

Q447       Bill Grant: I note that there has been some considerable success with digital Government. That success will continue, but the risks and vulnerability may expand in parallel with it, as digital goes forward—

Oliver Dowden: Definitely. I am sorry—I did not mean to interrupt you.

Q448       Bill Grant: As a result of that, do you see a need for a Minister dedicated to cyber-security, or does it reside comfortably and effectively within one of your Departments?

Oliver Dowden: Essentially, it is being led by the Chancellor of the Duchy of Lancaster. In turn, he has relationships through to DCMS, the Ministry of Defence, the Foreign Office and all the other bits of Government that take an interest in it. However, the Minister with lead responsibility is the Chancellor of the Duchy of Lancaster.

Q449       Bill Grant: That already exists.

Oliver Dowden: Yes.

Q450       Bill Grant: So we do not need to—

Oliver Dowden: No. The Chancellor of the Duchy of Lancaster leads on it.

Margot James: He does. As Oliver said, he spends quite a lot of time on this personally. For example—this is not so much about Government, although it is very important—this month I am working with the Chancellor of the Duchy of Lancaster on an initiative to drive improved prioritisation of and commitment of resource to cyber-security on the part of our larger companies. There is a whole programme. We are chairing roundtables. Both of us have written to the chairs of the FTSE 350 urging them to take up the recommendations that we have developed. Effectively, we have a Minister for cyber-security. That is David Lidington, as Oliver said.

Q451       Bill Grant: So, as digital Government goes forward, it does so with the embedded cyber-security at the top of the agenda. That is well protected.

Margot James: I am sorry, but I do not quite understand your question.

Q452       Bill Grant: As it goes forward, the security is a key part of digital Government.

Oliver Dowden: Yes.

Margot James: Definitely. It is a high priority.

Oliver Dowden: Every new Government project is signed off through a controls process by the Government Digital Service. It will ask those questions about cyber-security. Indeed, in all procurements, we now require cyber-security to be considered as part of the new playbook for Government procurements, which I launched at the beginning of last week.

Q453       Chair: You will be aware of the Redscan investigation that was published in December, which followed the WannaCry attack on the NHS. It revealed quite a disturbing picture across the NHS some time after the WannaCry attack. The report reached the conclusion that NHS trusts lack sufficient in-house cyber-security expertise, that there is a wide imbalance in employee cyber-security training and spending between trusts, and that many trusts are likely to be failing to meet training targets on information governance.

There is a sense that the NHS as an institution is still a long way short of where it needs to be to protect against cyber-attack. Given the significance of the NHS, doesn’t that really concern you? Do we need more prescription and to have some body, whether it is a Minister or an organisation, that can mandate that things happen across institutions like the NHS, to ensure that highly sensitive systems are robust enough to defend against an attack?

Margot James: Your characterisation of the NHS is possibly a little out of date.

Q454       Chair: This was a report published in December 2018.

Margot James: It was a report at the end of last year. The NHS has moved on quite considerably since the WannaCry attack, but it is a huge organisation and was under quite substantial financial pressures until very recently. Sometimes, unfortunately, that militates against the investments required to upgrade its security systems. We have seen the advent of NHSX and a clear determination on the part of the new Health Secretary to bring all the advantages of digitisation to the health service. That has to be done in conjunction with improving the security standards of the operating systems.

Q455       Chair: I come back to my question. You do not think that we need to have the power to mandate that things happen. I am talking not just about the NHS, but about other public sector bodies, where there may be vulnerabilities that could be very serious in the event of an attack.

Margot James: As I said in response to Bill Grant’s question, there are some basic cyber-security requirements, under the cyber essentials programme that the National Cyber Security Centre has developed, that apply across Government.

Q456       Chair: And public sector bodies.

Margot James: I will have to double-check that.

Q457       Chair: Do write in.

Margot James: I will. I will double-check that. It is certainly the case across Government. Do you want to say anything on that, Oliver?

Oliver Dowden: The principles are set out by the National Cyber Security Centre and the national cyber-security strategy. They are to defend, to deter and so on. We are trying not only to apply those requirements across Government, but to make, first, critical national infrastructure and then the wider economy aware of them. Since the WannaCry incident, the NHS has invested considerably in Windows 10 to up its security.

Chair: We will take a quick question from Graham.

Q458       Graham Stringer: I have three questions. Minister, in your response to Norman’s question, it sounded as though you were not responsible for security in the NHS. Perhaps you would like to correct that. In the final analysis, it is the national health service, funded and paid for by the taxpayer, and you are the Government responsible for it. You said, “They have had financial shortages,” and, “They have not done as well.” Surely it is the Government—you—who are responsible.

Margot James: Yes, I accept that. That is absolutely right.

Q459       Graham Stringer: But what have you done about it?

Margot James: We have worked with the National Cyber Security Centre. With our input, it has developed a transforming Government security programme. That has mandated what we call the cyber-essentials, which are minimum standards of security for all Government Departments—and, I think, agencies, but I will write to the Chair to confirm that. Obviously, the Government are responsible for the NHS, but we expect the cyber-essentials to be rolled out and adhered to across Government. Departments and bodies are held to account for their adherence to those principles.

Although I accept that, obviously, the Government are accountable for the NHS and how it manages its finances, I mentioned earlier that Departments are responsible themselves for the security of their digital assets and their overall services.

Oliver Dowden: I can add to that. The point in respect of the NHS is that, clearly, in terms of how it is set up, it has a higher degree of autonomy, particularly post the NHS reforms.

Margot James: Indeed.

Oliver Dowden: The Secretary of State for Health has set up NHSX precisely to try to bridge that gap—to bring together the expertise of people like GDS and the existing expertise in the NHS. One of the things that NHSX will be driving is cyber-policy. That is setting a national strategy and mandating cyber-security standards, so that the NHS and social care systems have security designed into them. That is the principle driving that mandate.

Chair: We need to finish in a couple of minutes. Do members have some quick final questions?

Q460       Graham Stringer: May I follow that with a quick answer? I take it that you are not trying to abdicate responsibility in this area by structural analysis of what the relationship between the centre and the Departments is. It brings us back to the very first questions. It must be the responsibility of the centre to check what is happening in the different Departments. We have failed to get any answers as to which Departments, on those checks, were not doing as well as they might have been.

Oliver Dowden: To clarify that point, I am just recognising the reality of how, constitutionally, the NHS is set up, in that it does not lie within the power of the Secretary of State—

Q461       Chair: I suppose that it begs the question of whether there needs to be a power to do that.

Oliver Dowden: That is exactly why, through NHSX, they are mandating these standards. It is being addressed by that. As I said, the overall policy for cyber-security is driven ultimately by the National Security Council, through the National Cyber Security Centre and the Chancellor of the Duchy of Lancaster, who has ministerial responsibility. He is driving it out across Government. The method for delivery in the NHS is NHSX.

Q462       Graham Stringer: This is my final question. One of the great mysteries of the UK economy is why, when oodles of money have been put into IT, right across the economy, there is no improvement in productivity. We do not see any benefit in productivity from the money—whether it is from the private sector or from the public sector—that has been put into computers and new technology. Do you have any measure across Government of whether the productivity of central Government has increased because of all the money that has been put into computers, software and personnel—and if not, why not?

Margot James: If that is a question requiring a short answer, I will struggle.

Q463       Graham Stringer: It is a short answer. Is there or isn’t there such a measure?

Margot James: The digital economy adds over £100 billion of GVA to the UK overall. It is estimated that, if our digital skills were right up at the top of world comparisons, we would improve UK productivity by 5%, which would be quite a chunk. Across the private and public sectors, we have one of the strongest tech and digital sectors in the world, but there are quite a few challenges that are getting in the way of realising the productivity benefits that we should be realising, considering how successful our technology and digital sector is.

Chair: If you want to add a further note to us that analyses the relationship Graham has asked about, that will be very helpful.

Q464       Graham Stringer: Productivity is a simple concept—you take output and divide it by the number of people. If you have put the money in, you would expect to see improved public sector productivity.

Margot James: That assumes that the money has been spent in the optimum way, that everybody involved is trained and able to implement and make the best of the new systems, and that no one is trying to go around the systems. There are so many variables. What you say is simple. Yes, productivity is the amount coming out, divided per capita. As you probably know, Britain’s productivity lags behind that of many other European countries.

Q465       Graham Stringer: It is static.

Margot James: I quite agree.

Q466       Graham Stringer: I am asking a simple question. Do you measure that in the public sector? Has there been any benefit from the digital process?

Chair: Is there a simple answer? Is it measured or not?

Oliver Dowden: One can sometimes mix up productivity and efficiency, although I am not saying that you are doing that. Efficiencies—how much we have saved by doing this—are a slightly easier thing to measure. We have done quite a lot of work on that. For example, the work that the Government Digital Service and the Government commercial service have done together delivered savings of £3.5 billion between April 2012 and March 2015. We are definitely delivering greater efficiency in the delivery of public services. The Treasury is responsible for calculating the wider impact on productivity. From all the evidence I have seen, I am convinced that we are getting more efficient public services because of these transformations.

Q467       Chair: But we do not think that there is a measure within Government of productivity gains from investment in digitisation.

Oliver Dowden: We measure the efficiency, but not the productivity. I am not aware of such a measure. I will write to you if I become aware of one, but I am pretty sure that there is not.

Chair: Thank you very much. We really appreciate your time. It has been a very useful session.