WRITTEN ON June 8th, 2006 BY William Heath AND STORED IN Uncategorized
The Home Office’s “gold standard” ID programme is being delayed 2-3 months and watered down, according to several sources both inside and outside government. The Home Office has issued a plausible statement:
We have had a lot of feedback from the market on the timing and method of procurement, and we feel it is right that we should publish findings from this…Now that the Bill has been passed, we are moving to the procurement phase…Until the announcement of a formal procurement via placement of a notice in the Official Journal of the European Union (OJEU) the Identity and Passport Service is interacting with the market of suppliers through “market sounding”. This is the process of assessing the reaction of the market to a proposed requirement and procurement approach, and is recognised as best practice in Government procurement. Whilst market sounding, our team will want to speak to the market regarding all aspects of the proposed scheme…We have always made clear that identity cards would be a long-term project and we have an ongoing programme of work to make sure we get it right. That is why we had detailed consultation and why we have refined the scheme over the course of the project to date…Since the outset of the project, the Home Office has held regular consultations with industry to ensure the most expert advice is being taken on board and applied. Intellect, the UK’s trade body for the IT industry, has praised the Home Office for its early and open engagement on this project. We continue to actively engage with stakeholders and relevant experts to ensure the success of the programme.
Hurrah. (But I thought Intellect had woken up to the risk and had a change of heart?)
Risk? What risk?
Suppliers could just go for it: line up and stand by to bid for one of the few major government IT procurements in the pipeline. See, speak and hear no evil, and discipline any employee who steps out of line (I never heard back from Michael Osborne at IBM – hope he’s OK). Sound out potential allies and partners. Look around the world for roughly similar projects that have worked. Define your differentiator or competitive advantage, whether it’s tried and tested in banks, casinos or mobile phone customers. Perhaps undertake some discreet lobbying, and show up at the Intellect meetings to listen rather than to open your mouth.
But corporate boards around the world have learned that UK government contracts can incur losses, both financial and reputational. Is the risk of this ID project worth taking? Well, reach out for that money on the table when you can confidently say “yes” to these questions:
- Does the end customer want this? Do people want it? Do Departments (OGDs in govspeak) and does business want it?
- Does it all work in a way that fits natural patterns of human behaviour?
- Is there a clear business case?
- Is it a credible solution to a worthwhile problem?
- Is it consistent with Departmental responsibility and Ministerial accountability via Accounting Officers (Perm Secs)?
- Is it consistent with government policy on choice and devolution?
- Will it work on-line? Is it headed where the Internet seems to be headed, according to the best contemporary thinking available?
- Is the right bit of government in charge? Will OGDs respect the lead and fall into line?
- Is the client department competently led and managed? Are its accounts clean, its staff high-calibre and in high morale?
- Was the security risk assessment done properly? Did it come out OK?
- This looks as if it will start. But are they going to finish?
There may be other things that matter also.
WIBBI the authentication and ID system at the heart of e-enabled government had a big tick in all those boxes. Then there wouldn’t be these delays and nervous signs that give the impression that things are slipping and sliding and that those in charge do not really know what they are doing. Nor this malignant fear of speaking plain truth.
2 Responses to “How will suppliers know the ID programme is in good shape?”
Do not forget the potential 10 years in prison or an unlimited fine, or both, for the wretched Section 29 Tampering with the Register etc. of the Identity Cards Act 2006.
Since these are criminal penalties, a company cannot lay off the risk financially in the small print of their contracts with the Government.
Directors of Companies, Trades Unionists, and individual staff who work on the National Identity Register infrastructure, or even on any “accredited” third party company system which is connected to it, could be prosecuted if there are any software or hardware or configuration errors, or power failures or strikes or industrial action or even a contract dispute over late payments etc. etc. which makes it
“(3) For the purposes of this section the cases in which conduct causes a modification of information recorded in the Register include-
(a) where it contributes to a modification of such information; and
(b) where it makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored by the Secretary of State, or contributes to making that more difficult or impossible.”
This offence has worldwide scope, applies to non-UK citizens as well as UK ones, and also includes “acts of omission” in the definition.
It also appears to preclude the use of any third party encryption wrappers e.g. mobile telephony, SSL/TLS session encrypted web pages or Virtual Private Network encrypted tunnels – encryption, by definition, and in practice makes things “more difficult or impossible” to read “legibly”.
Shareholders should ask serious questions about the professional competence of any company directors who expose a company to such unnecessary risks.
Section 29 was presumably originally intended to address potential Denial of Service attacks, but there is no reason why the National Identity Register should be treated differently under law than attacks on other parts of the Critical National Infrastructure or on real time control systems where lives may be lost if they fail.
The Police and Justice Bill, currently in the House of Lords, is amending the Computer Misuse Act anyway (even though in an inept and overbroad way), so there was no need for this section 29 at all.
However, since it was stuck at the end of the list of clauses to be debated, it was never once even debated by the Commons, and hardly mentioned at all by the Lords, throughout the Draft Bill and the two versions of the Identity Cards Bill.
Wouldn’t It Be Better If politicians actually read and understood the full text of the legislation they currently rubber stamp through Parliament?












Companies which develop particular technologies would probably find markets for them elsewhere, such as in the much simpler corporate ID schemes, or perhaps in banking.
However, very few if any other countries are likely to copy the UK’s crazy ID project.
Participation in the UK’s dodgy ID project is very likely to damage the reputation of any company, representing a serious commercial risk.
The NHS IT project shows the risks of dealing with this UK government: Participation even in this apparently socially acceptable project has led to poor profits, heavy penalties and very bad press.