Verify business case ‘undermined’ by its performance, as GDS ‘struggle to adapt’ to changing role
NAO says GDS has a ‘long way to go’ in a report that lays bare the problems faced by the government's flagship identity assurance programme Verify
GDS is moving to new headquarters near Algdate this year - Photo credit: Derwent London
The UK’s spending watchdog has said that the Government Digital Service’s remit and accountabilities are unclear, and warned the business case for its flagship Verify programme is undermined by its performance.
In its report, Digital Transformation in Government, published today (30 March), the National Audit Office said that although GDS had “successfully reshaped” the government’s approach to technology, the service itself had “found it difficult to redefine its role” as it evolved over time.
The NAO praised GDS’s early role in driving change across government, saying that “strong controls over spending and service design” had helped it to save around £1.3bn in the five years to April 2016.
However, it noted that the role of the centre of government in any transformation programme “constantly evolves in response to new demands” and suggested that GDS had not yet got to grips with changes to its approach.
This has seen GDS’ role shift away from an adversarial relationship with departments, towards a “less arrogant” approach - but the NAO said that it found “widespread views across government that GDS had struggled to adapt to its changing role”.
This includes a quick increase in staff numbers - this reached 653 in March 2016 and is set to top 900 by the end of this month - and in budget, after receiving a £455m boost in the 2015 Autumn Statement. This has taken it to £150m this year, although it expects to underspend by £45m due to lower than predicted take-up of centrally provided services.
The NAO said that, although the renewed approach set out in last month’s Government Transformation Strategy aimed to address many of the concerns around the GDS’s future, “there continues to be a risk that GDS is trying to cover too broad a remit with unclear accountabilities”.
GDS has ‘lost long-term focus’ on Verify
The report emphasised that GDS needs to prove its abilities through its own programmes, saying that major transformation programmes have met with “only mixed success”: just 12 of the 22 digital exemplars have been identified as having a positive net present value.
In addition, the NAO said that GDS had “struggled to demonstrate the value of its own flagship initiatives, such as Verify”, saying it had “lost focus on the longer term strategic case” for the identity assurance programme.
The NAO warned that if the government is to achieve its target of 25 million users by 2020 - the figure currently stands at 1.3 million - it would need to increase numbers much more quickly than it currently is doing.
Commentators have previously said that the identity assurance programme was initially saddled with over-ambitious timetables, but the NAO’s report sets out the degree of changes that have been made to its targets over time.
“In 2014, GDS expected over 100 departmental services to be using Verify by 2016. In October 2016, GDS predicted that 43 services would be using Verify by April 2018,” the report stated.
“In February 2017, 12 services were using Verify. None of the nine services that were in the pipeline for connecting to Verify during the remainder of 2016 was ready to do so by that date.”
In addition, the NAO said that the service’s business case is “undermined” by the fact that nine of the 12 services also allow access by other means, as well as causing confusion for users.
Poor take-up means Verify will have to be centrally funded for longer and provides less incentives for the identity providers to lower their prices, the NAO said.
Meanwhile, departments are bearing the indirect costs of people struggling to use the system (on top of the £1.20 they pay per identity confirmation), which reduces their incentive to adopt Verify.
Without the buy-in of big departments, the NAO warned that there might not positive net benefit for the service: a October 2016 analysis showed that without HMRC users there would be a £78m reduction in benefits over four years, leading to a net cost of £40m.
“Verify presents a strategic opportunity to improve the way that personal data is used across government enabling better use of data, based on a single secure view of identity. But this strategic case has not been sufficiently developed, tested and communicated,” the report said.
In recommendations for Verify, the NAO implied that GDS might want to revisit the idea of developing Government Gateway, which already hosts 138 live services, as an alternative, saying that GDS has not “reassesed the cost and security implications of an improved Gateway service”.
Uncertainty over spend controls
Further criticisms in the report include that some guidance is poorly maintained, with missing information and broken links, and that standards were “broad principles” that left too much scope for interpretation.
The NAO said that when this “uncertainty about guidance” was combined with the strict spending controls, departments found it difficult to understand assurance requirements and “hard to anticipate how GDS will interpret their performance against standards”.
And, although the NAO did commend central spend controls - which allow GDS to review and possibly reject proposals for projects or programmes above a set limit - it raised some concerns with the process.
These included that the process is burdensome for departments and that some applications are making it to full business case stage before GDS reviews them: this happened for 40% of the 2016-17 applications.
Moreover, the NAO found an imbalance between the time spent managing spend control cases and the amount of savings this work delivered: 47% of the spend controls team’s time was spent on requests of up to £1m, which produced only 1% of the financial savings in 2015-16.
It noted that GDS was trialling a different approach to spend control that looks at departments’ 18-month roadmap and decides which projects need either small or large-scale intervention. The plan, first revealed by GDS leader Kevin Cunnington in an interview PublicTechnology, is due to come into widespread use next month.
‘More clarity needed’
The NAO’s overall conclusion was that there is “a key role for [GDS] as a central function responsible for promoting new approaches and developing expertise”, but that there is “a long way to go”.
Setting out four main recommendations for the service, the NAO said that GDS needs to focus on improving the clarity of its roles and the messages it sends out.
It called on GDS needed to develop a more systematic, central analysis of what needs to be done, in particular on the government’s use and management of data, and to carry out more planning for the new transformation strategy, with clear costs, timescales and monitoring arrangements.
There should also be work done to improve the clarity, relevance and consistency of guidance and technical standards - in particular on migrating and maintaining systems - and ensure that there is a consistent approach to measure and control spending and performance.
GDS “needs to be clear about its role and strike a balance between robust assurance and a more consultative approach”, the NAO said.
Paul Maltby claims councils must first renew ageing infrastructure before realising the benefits of machine learning and automation
Move follows the earlier transfer of data policymakers
Department reportedly provides list of 39 technology and other reform programmes that are being paused or delayed
The relaunched annual GDS event shone a light on the government’s key digital-transformation strategies and initiatives for the coming months and years. PublicTechnology went along to...
Calm has turned a section of the 57,509-word EU document into a sleep-inducing audio book
BT's Konstantinos Karagiannis explains ethical hacking and why it's important to exploit vulnerabilities
The Federation for Small Businesses has urged regulators be patient as firms try to comply with the General Data Protection Regulation
BT answers some common questions on the new data privacy laws that come into force on Friday