GCloud doing sensible things, but needs tweaking

A recent Cabinet Office presentation of the GCloud to SOCITM London had some good news, and some things to do better.

Good:  There are lots more suppliers and the offerings are much simpler, and less costly to purchase.  They are preparing the terms and conditions for the next round and consulting on changes that make sense.  Suppliers in the audience pressed there need for longer contracts; even two years is not enough for the more complex requirements of information sharing in local government.

Must do better:  The presentation did not mention standards.  The messages from LeGSB are not getting through. Virtually the whole audience thought there was room for suppliers to say which interoperability standards they would use. It is the only way to develop multi-agency services from bottom-up.

Will we see the resurgence of the e-GIF and LGIP (Local Government Integration Practice)?

Will we advance as far as India?

Will Liam Maxwell’s targets for Open Standards be met?

Secure money saver

How many confidential or official documents must be sent by the post? Bank statements, payslips, licence renewals, invoices,… Why can’t they be sent electronically? The over-riding reason is to guarantee a real address.

The “Private and Confidential” sticker is irrelevant once it has been delivered to the household, but the sender has done as much as they can – or have they? Shouldn’t the recipient have the choice of asking for such documents being sent to a secure, encrypted, email inbox?

The benefits to the recipient are:

• Password, or token, protection to keep mails private and confidential.
• Correspondence filed electronically
• Readable from any location
• Fewer paper cuts

The benefits to the sender, often public sector organisations, are far greater:

• Reduced postal charges; 12 payslips a year must cost at least £2. That’s £2000 if you have a thousand pension payments to make.
• Guaranteed delivery; there’s an audit trail to see if a document has been delivered and opened.
• Interception free delivery and fewer non-delivery complaints to manage.
• Ability to implement closed invoicing and payment processes with minimal intervention from administrators.

So here is a business proposition for the Local Authorities  (LAs) or the Post Office. Offer citizens a free, secure, encrypted, email inbox on a GCloud service. Offer any public or private sector organisation a secure, encrypted, traceable, email service at a sustainable annual fee. Some citizens may also wish to subscribe to a secure Web-based outbox for replying to secure inbox messages, or even to initiate communications.

The key to success is to link a secure email address with a property and a person.   Local Authorities have knowledge of the Unique Property Reference Number (UPRN) and at least one person responsible for paying Council Tax. They could minimise the risk of fraud by sanity checking the number of secure email accounts at each property.  LAs must lead on this innovation. There’s lots of work to do on the detail, but the good thing is that there’s an Agile solution because the basic facilities are available out of the box. Quarkside is trialling them now.

At some time in the future, this service could stimulate interest from the Electoral Registration Transformation Programme (ERTP, IVR and EIR are among the abbreviations). You read it here first.

Register for Secure Emails

One of the benefits of networking events is that you come across interesting new products. Here is one spotted by Andrew Henderson.

It’s a secure email service, Regify.

• It looks good for encrypted messages and traceable delivery.
• It  avoids the need for complex VPN, GovConnect or key infrastructure.
• The web mail service seems fast enough.
• Outlook users can have an add-in
• Each recipient has to have an account, which is free and simple to enrol.
• There’s a monthly charge for sending emails – but you can sign up for a free month to start you off.

Quarkside thinks that this would be an excellent Cloud based service for Local Authorities. They could send secure emails to enrolled citizens, suppliers, partners and service providers with a traceable guarantee of receipt. Some citizens might appreciate this as a free secure inbox service to them. Some citizens and suppliers might even be prepared to pay a subscription to send secure emails to Councils.

Security and accountability are high in the governance agenda and it could become part of the infrastructure for voter registration, Universal Credit and service requests. Is anybody  else prepared to give it a try?

McCluggage GCloud Revival

Bill McCluggage, deputy Government CIO, confirmed that the GCloud is not dead at the Cloud Conference on June 21st. But it does still need definition. The problem is converting policy into practice.

The proposed governance regime, where there is some measure of mandation, is primarily concentrated on six large ministries: Home Office, DWP, HMRC, MoJ, DoH and MoD. They will be expected to consolidate data centres and purchase from an App Store. The omission of Education, BIS, FCO and DCLG raised a few eyebrows in the audience.

When questioned about the absence of 450 local authorities in the governance regime, he said the job was big enough with six agencies without contemplating adding the diversity of local government. He did, however, refer to “Planting the Flag” without directly refering to SOCITM. So he does endorse the strategy (referring only to Joss), but not as part of his public presentation.

Identity Icebergs to sink Universal Credits

Does the Cabinet Office talk to the Cabinet Office – or any other Department for that matter?  Last week’s Local Government Delivery Council also had two related presentations; “Identity Assurance for Public Services” by the Cabinet Office and  “Employee Authentication Services (EAS)” by DfE and DWP.

Put these into the context of “HMG CTO Council – Government Employees Strategy for management of Identities – Version 1.1 – 1 February 2011. ” This noble document has some excellent content as far as it goes – but look at the juicy bits it deems out of scope.

• “Access control of data within a single system or organisation
• Entitlements of a validated identity within a single system
• Authorisation services and other capabilities enabled by identity management
• Citizen and Individual authentication even for access to government services or visitors to government sites
• Identity Management of systems, devices and other entities
• Audit and accounting requirements other than by reference to their need.”

Most, if not all of these are required by real live systems, especially in Local Government.  They are probably the hard bit where most guidance is needed.  Federated identity management protocols do understand how to include these options.  For example the use of Shibboleth 2 in the education sector can easily differentiate between children and teachers in Web based application systems.

EAS has been around for years in DWP.  It has been recently used for the “Tell Us Once” (TUO) project, authenticating for multiple agencies handling common citizen data.  They have discovered the need for, and have implemented, some employee attributes that allow differential access to application systems. This is out of the scope of the strategy above, but they found they had to do it.  Every Local Authority (LA), and there are hundreds of them, needs guidance on this because most do not have the internal skills and knowledge to interoperate with external identity providers (like EAS, but there are lots more). A common standard for federating identity, supported with standard software, is the only sensible way to proceed.

Finally, there was a bomb shell from the Cabinet Office.  As part of the stakeholder engagement process, they presented  “a federated approach through which a person is able to assert a trustworthy identity“.  Here are some of the enlightening aspects of a working federated system:

• delivered for DWP Universal Credits in April 2012
• provided ‘by the market’, presumably meaning non-funded
• dependent on external verification of identity by third parties (such as banks) selected by the citizen
• LAs will provide an Identity Hub which collects personal data and matches with the external credentials (this is a minefield, not just icebergs)
• links with biographic, health, wealth and education data by attributes
• links with DVLA
• links with an ‘official’ address file
• not dependent on a centralised identity register
• Oh, and by the way, it will run on the GCloud. Trebles all round.

The aspirations are wonderful, straight out of the junior management consultant’s handbook, but three simple questions illustrate the risks involved:

1. Does the Identity Management industry, working with hundreds of LAs, have the capacity to deliver in such a time scale?
2. Does the Cabinet Office (or anybody else?) have a Technical Architecture that is fit for purpose and compliant with the CTO Council strategy?
3. Identity management ignorance crippled the development of ContactPoint – why is it so much easier and simpler for Universal Credits?

No jobs for the boys

There are some senior people in the local government and voluntary sector seriously considering the need for directly employed information technologists.  With shared services, GCloud and public sector networks being regarded as infrastructure commodities, are they right?

Expect a different landscape in 5 years time as chief executives prioritise their need for better public-facing service managers, not technology managers.  They are only interested in service outcomes, not the technology that might help to achieve them.  Patterns of redundancy are unsavoury, but predictable.

Information governance will still be needed.  The Chief Executives do not wish to go to jail because of poor processes and leaky infrastructure. Information assets will be the crown jewels, not the equipment.  They will need people who understand the requirements, can purchase from a wide range of suppliers and can co-operate with more local partners.

Pasc 8: Standards, standards, standards

The eighth of the Public Administration Select Committee (PASC) 12 questions, asks:

8. What infrastructure, data or other assets does government need to own, or to control directly, in order to make effective use of IT?

Ownership of processors, data stores and communication networks is not a major issue. They are commodity products and most are not core government assets. They should be procured and operated at the lowest cost to the public purse. If a Government Cloud is trusted, secure and economical, then it should be used.

Control of data is a core custodianship function and must not be relinquished. Data is best regarded as a triumvirate of Operational, Reference and Derived data. Public services may use any or all of these.

• Operational data is front-line, perhaps with high transaction volumes, eg school attendance or DVLA registration. Nobody would contemplate providing this type of service without IT.
• Reference data, commonly shared between many systems, is of variable quality, such as addresses. The reason is often that different operational systems have different versions and incompatible formats. Interoperability between systems is impossible without adoption of data standards. The public sector, as a whole, does not have a functioning standards body, or the power to enforce them.
• Derived data is combined or abstracted from several sources. It is the basis of planning and performance measurement systems. It may reside in data warehouses or complex spreadsheets. Systems may collect data from operational, reference or other derived data sets.

What make it more complex is that the quality not only depends on knowledge of standards, but also the context and timeliness of the source data. Martha Lane Fox seems to understand the need for standards. That’s what Government leadership should control.

By standards, don’t assume the detailed documentation published by BSI or ISO.  Standards can also be the accepted frameworks and governance structures that form best practice.  But somebody independent should assess that they are being followed and avoiding prima donna assertions.  Above all it needs IT functional leadership.

Mobile Apps for the immobile

The latest threat to make application for all services on-line, as reported in the  Guardian may have cost benefits – but it is plainly unsuitable for elderly and other digitally excluded staff.

“The plans are likely to infuriate millions of people. Around 27% of households still have no internet connection at home and six million people aged over 65 have never used the web.”

Post Office facilities are still more common than local council offices, but they are reducing in number and many are inaccessible by being located in basement of retail stores.   Schools might be another suitable location.  But for the truly immobile, something different must be done.  The on-line system must be taken to the citizen.  This will create its own set of problems for reducing numbers of service staff, so Quarkside says:

• Develop web based (=Cloud based) applications
• Make sure they are suitable for chronically slow G2 or G3 telecommunications
• Also, make them work on small screen smartphones – for those who have them in preference to home based devices.

The policy is easy.  Doing it needs leadership.

GB SIF supplier shines in US Cloud

The US of A now offers hosted systems interoperability services via SIF.  It is interesting that a British based group is leading the way, Pearson.  They acquired one of the leading suppliers of the interoperability hub (in this world of acronymic jargon it is also called a Zone Integration Server, or a ZIS). Pearson must think that there is an economically attractive future for SIF, even though it is based on open standards. Brands like Prentice Hall, Longman, Addison Wesley, the Financial Times Group and the Penguin Group do not grow without a high level of corporate commitment.

Pearson also must believe in the GCloud strategy of the UK coalition government.  In the US they offer a choice from two hosted service options to districts (closest to UK local authorities, but not exactly equivalent).  This allow districts and schools to customize their SIF requirements while Pearson hosts it.  Isn’t this what we are trying to achieve to minimise costs? Whilst I can’t speak for SOCITM, this approach is in line with their published policy.

One of the benefits of hosted solutions is that trials and pilots can be used to help in assessing requirements with a minimum commitment of future funds.  The time can be used to build up a benefits case and demonstrate the areas of saving achievable. Even in the long term, hosted solutions are likely to prove to be most economical, with many schools, local authorities, other agencies and DfE sharing the cost of a SIF infrastructure.

Such innovative suppliers should get moral support from DfE, not risk having their business throttled.