Many people don’t want the government knowing all their business. Yet others reckon we should strive for knowledge efficiencies across the public sector. Rob Hosking talks to government chief information officer (yes, there is such a thing) Colin MacDonald.
Maurice Williamson is mostly famous, these days, as an international gay icon. That speech during the Parliamentary debate on the Marriage Equality Bill last year went more viral than a mashup of Swine Flu and SARS and got him invited onto global gay icon Ellen DeGeneres’ chat show in Los Angeles.
But long before this, nearly 20 years ago, Williamson was a different sort of international icon.
He made it into Wired magazine, the bible of the global information technology community, as the world’s first ever IT Minister.
In a lengthy and admiring feature back in 1995, Wired described him as an Eric Clapton look-alike and marvelled at the politician who could cut code and expound with enthusiasm and verve on the “third industrial revolution” and its opportunities for business, society – and government.
It was, in fact, some of these enthusiasms that used to get Williamson into the odd spot of bother.
It was around the time of that spread in Wired that Williamson mused to an IT conference about the possibilities of national ID cards for New Zealand. It would make delivery of government services much easier, he said, amongst other administrative efficiencies.
The comments caused an uproar, not only in public but around the Cabinet table. Then-prime minister Jim Bolger was not impressed. Particularly sensitive about the ‘Big Brother’ implications of new technologies and privacy issues, he firmly squelched Williamson’s enthusiasm from the top floor of the Beehive.
Privacy central
This is not just an amusing political anecdote. As the government gears up for a fresh wave of investment in new technologies and the news is dominated by privacy breaches dotted around the public sector – from WINZ kiosks to Inland Revenue information and the leakage of a list of sensitive claimants for accident compensation – the same issues are being debated again.
It is worth remembering New Zealand only has a Privacy Act, which marks its 20th year since becoming law this year, because of concerns about the ‘Big Brother’ implications of government IT work. Data-matching to catch benefit and tax fraud was initiated in the early 1990s and was only politically saleable with the implementation of privacy legislation, and the fact that the Privacy Act also covers the private sector was something of a collateral effect.
But privacy is central to how the government moves from here – something acknowledged by the government’s chief information officer, Colin MacDonald.
“There are quite strong restrictions between information being passed from one government agency to another,” MacDonald says. “We’ve crafted a way of working with that to put the power in the hands of the citizen to say ‘Here are the agencies I’m happy to have my information shared between’.”
Formerly known as iGovt, a registered user could retain a single identity across multiple government IT properties. In July this year it was rebranded as RealMe, which the government says is more than just a login service; users can verify their account by providing identity information and having their photo taken and in turn be able to prove their identity online to government agencies, banks and insurance companies.
MacDonald says the shift to including businesses is key to the name change away from ‘govt’. “It’s now become a commercial offering that several banks are looking at and TSB has confirmed they’ll be using it as their way of authenticated their customers. And the whole thing that sits behind RealMe is that it provides a very high level of certainty that you are who you say you are in the online world.”
But it is more complex than just authentication. Dealing with the dynamism of the online environment and people’s expectations and preferences makes the whole privacy and security issue an extremely tricky one.
“Your appetite and my appetite for what information is shared is going to be quite different,” MacDonald argues. “I’ve been quite surprised on a couple of occasions, just in casual conversation with friends, where people have expressed a very strong desire not to have the government in their lives at all. And these are people who are upstanding, upright citizens, directors of large companies, that sort of thing.
“But tolerance and appetite is different and our privacy legislation is set in a way that puts the control in the hands of the individuals but actually there’s a presumption of privacy. I’m not suggesting there shouldn’t be, but that’s the way it operates. And that does get in the way of information flow but we need to think much harder about how we solve that, and I do think there’s a place, I do think there’s an answer to that, through putting the control in the hands of the citizen to say ‘I’m really happy for … government to flow information between these agencies’ at an individual level.”
The position of government chief information officer (GCIO) is a new one. Created just three years ago, it resides in the position of the Secretary of Internal Affairs.
MacDonald himself is from the IT sector; he worked for banks in New Zealand before joining Inland Revenue in 2002 and before that worked in banks and other businesses in the United Kingdom.
The job of GCIO is subject to some confusion. There is a perception, and not just among the wider public, that the role puts him in charge of all government information and communications technology.
To be fair, going by question time, some members of Parliament are also under this impression. “And no, I’m not,” MacDonald tells Idealog.
“What I don’t do is I don’t run the government’s technology. Chief executives in government departments remain accountable for running their own operations and for ensuring that their operations are working well, that they’re serving their customers, and that they’re being done in a safe and secure and privacy-protected way. What I’m accountable for is giving ministers assurance that that is being done.”
But that, in turn, means he needs to understand what government agencies are doing and how they’re doing it with their technology.
New game
And things have shifted in the past 12 months in particular.
“When I started in the role there was still a degree to which we were striking a balance between how much central leadership ministers want and that’s increased considerably with the issues we’ve seen. So I guess I’ve been progressively been drawn more and more into that more assurance-type role in the past few months.”
MacDonald believes the private sector has made more progress than the public sector in recent years.
“I think an issue that the public sector has to catch up on is recognising that technology is no longer an add-on. It’s no longer something that is there as a technical discipline – it’s actually integral to your business in the same way that understanding how to lead people and manage finance is integral to your business.
“The private sector’s recognised, on the whole, that technology is integral. I think the big challenge for the public sector that’s been recognised by both ministers and the leadership of the public sector, is that in the future there’ll be no chief executive appointed who doesn’t understand the territory where technology sits.”
That doesn’t mean government chief executives will all have to be code cutters but they will have to have a far greater understanding of ICT.
“I’m not an accountant but I wouldn’t have my job if I couldn’t understand the numbers and how to work the numbers. And in exactly the same way, future chief executives in the public sector will have to understand technology at that same kind of level.”
He does have a few wider powers in that area than he did at the time of his appointment in mid-2012 – largely because of the ICT privacy and security issues that have emerged, rather messily and embarrassingly, since then.
“Ministers have now asked for assurance that ICT is being well run across the public service, which is a new aspect of the job. But what I see the role in that respect as being, more than anything, is actually to help and support agencies, because in the end what we want is government technology being run as well as it possibly can be and simply having me sitting at the side lines and passing judgment isn’t actually going to help.
“What I think helps is getting on the playing field whilst still remaining objective. Getting on the playing field and helping agencies to share best practice, helping agencies to make sure that they’re deploying the right techniques, the right methods – that they’re using the right private sector providers, with the right qualities.”
One highly topical outcome of this is the announcement this month of an ‘open panel’ of security providers. Numbering 21 at present, the group is effectively a group of ICT providers who meet the necessary standard to deliver secure ICT services for government agencies. They will have gone through an “appropriate market process”, MacDonald says, and will have established themselves as able to meet particular standards. It will work as a seal of approval and agencies will draw from that panel. It won’t, however, constitute a procurement process.
“They just have to select from an open panel that’s already been openly procured and properly procured. Secondly they’ve got a level of comfort that the players on those panels have passed, you know, if you like, passed the test. So that’s an example of how we’ll be drawing from the private sector.”
This is just the first of such a panel of approved providers; others are on the way, with quality assurance next on the list. It does a number of things, according to MacDonald. Firstly it ups the overall quality but it stops the GCIO from becoming the provider of those services. “That’s not how I see the role.”
It also lets the private sector be correctly deployed to support agencies to get it right and to keep a kind of continuous improvement dynamic operating.
“The concept of an open panel means new people who can prove that they can meet the standards can join and anyone who doesn’t meet the standards gets taken off.”
It also tackles some nervousness on the provider side.
“One of the things that the industry have said to us is that quite often the way government goes about these things is that the providers have to kind of make a big bet. So we go to market once and that’s it, then it’s all over Rover.
“Sometimes that will have to be the case given the nature of what you’re doing, but there are lots of circumstances where you can take an open panel approach, which is much more about establishing a set of standards that the providers have to meet, and continue to meet. And so you don’t get one shot at it.
“And new players coming into the market, if they’ve got the quality and can prove it, can get onto the panel and the work is available. I think that’s much better for the market.
“It doesn’t work in every case, but in the case of professional-type services, it does tend to work pretty well.”
That has a couple of further benefits: as well as making the providers a bit less concerned about what are some very large projects, it also helps deal with a certain degree of endemic risk-aversion in the public sector.
Public failure
One long-standing ICT professional, now a very senior public service manger, has observed that in the private sector, those who run failed ICT projects can – unless they are in publicly listed companies – usually quietly bury their failures, whereas in the government sector they are open for all to see. Add to that a certain cultural caution in the public sector, and it can lead to excessive risk aversion.
On top of that is the legacy of some high-profile failed IT projects from the 1990s, with the massive Police INCIS computer system being the big one. More recently there was the Novopay teacher pay fiasco, something which could have led to a certain nervous paralysis.
But that is just unavoidable, MacDonald says bluntly.
“One of the realities of the technology world is that change introduces risk. There’s just no two ways about it. If you’ve got an environment that’s providing a service, be it a website or be it some kind of – supporting an ATM or wherever – if you introduce change into that you up the risk and that’s just a fact. That is an immutable truth.”
And that’s greater now, in a way, he says, because demand and expectations have become so fluid, regardless of whether a service is provided by a government agency or a private sector firm.
Websites are now dynamic beasts and not only what they provide, but also the timing and the way it is provided, is in constant movement and negotiation.
“So now we’re talking about environments that are going to be changed more often and inherently you therefore up the risk profile because you’re changing it. So you can’t use the same techniques to manage risk that you would’ve used in a more stable environment, you need to use some different techniques.”
Sandboxing is one, he says, and that’s changed hugely from the secret squirrel way things used to be run.
“Typically the way – and this is public or private sector would’ve done it in the old days – is we’d keep it inside the shop, we would test it – test it, test it, test it – yes it’s working, and then we’d let the users loose on it. Now we actually have to let the users loose on it earlier because they’re the ones that tend to find the holes and find the bugs, because they use it in unpredictable ways. And that’s the wonderful thing about the users of systems, is that they don’t always act and react the way the developers think they will.”
At this level it is very much about recognising the level of risk involved and managing it – rather than avoiding that risk – something MacDonald maintains is impossible anyway.
“Technology change is inherently risky, so it’s not about avoiding risk, it’s about assessing and mitigating and managing risk.
“In the public sector we are investing in spending public money. And it’s one thing that mistakes are made, but I think what the public needs to know is that lessons are being learned and that their money is being spent well.
“But we can’t make change, we can’t move forward, without taking a degree of managed risk. And I think at some level people understand that. What I don’t think the public like to see is anything that looks as if lessons haven’t been learned.”
ICT to lead new wave of state sector reform
It can be easy to get carried away by both the technology and the policy jargon when discussing the widespread opportunities opening up for the public sector by the next wave of technology.
Revenue Minister Todd McClay, whose department holds a crucial position in this area, explains the issues in a very street-level way.
Speaking to a meeting of mostly technology wonks and policy pooh-bahs in Wellington in September, McClay eschewed the temptation to frame the issues in either IT or in bureaucratic terms.
Instead, he talked of helping a constituent in his Rotorua electorate deal with the ins and outs of government departments. The constituent, a solo parent, had given the necessary information to the local branch of the Inland Revenue and was having difficulties.
She also had to deal with Work and Income NZ, of course, as a beneficiary, and had gotten into something of a tangle doing so over what was in fact a very straightforward situation.
Having provided all the necessary information to Inland Revenue, she then had to trundle around Rotorua’s Tutanekai Street to Work and Income and go through the whole matter again.
“And it was the same information,” McClay says. “As far as she was concerned she had given all the necessary information to the government and all she wanted to do was get on with her life and look after her kids and so forth. It was frustrating for her, and she did not understand why it was making her life more difficult. And frankly, there is no good reason for that.”
There are even more complex issues, involving what should be a relatively straightforward set of information, when the person is a migrant.
“They have to provide a huge amount of information, and all the information that is required to come to New Zealand to get a work permit is there. There must be ways of sharing that.”
At a higher level, Finance Minister, Deputy Prime Minister, and the man who is becoming known informally as also the de facto Minister of State Services, Bill English, says New Zealand has some way to go.
“What we’re finding with that is that generally New Zealand is a bit behind the curve,” English says. “There are parts of our public sector that are by international standards quite innovative and well done, and then other parts that are lagging behind.”
The past 20-odd years have seen Inland Revenue move from being the tax-gathering agency to also the delivery arm for child support, student loans, KiwiSaver, Working for Families and host of other, lower-profile welfare support systems.
“It’s the government’s main transaction engine and there’s potential. The challenge there is understanding the universe of possibilities, so not being confined by the way we’ve traditionally done things. And then being able to, you know, pick a path that’s manageable.”
The IRD’s ICT systems date back 20 years and are now said to be unable to cope with the demands being made on them. The necessary upgrade is put at $1 billion over the next decade. It’s the sort of figure to make a finance minister blanch, but that figure isn’t a budget allocation, just a rough estimate.
But beyond that, the government is looking at the opportunities for ICT to boost not only its own revenue but also overall economic productivity. Here, English is dropping hints rather than specifics.
But conceptually, he says, a lot of government agencies have large investments in ICT and in the intellectual property around that.
“It’s been quite a difficult issue to wrestle with. You’ve just got to look at the challenges we’ve had commercialising science, and that’s over the past 15 years, and this is harder.”
What the government is looking at – and there could be an announcement before Christmas, or, more likely, early in the New Year – is ways to leverage taxpayers’ investment in ICT into a better return.
What the government is looking at, he says, is a set-up that will preserve the public sector ethos at the same time as allow for what is essentially the commercialisation of the IP.
“It’s a tricky boundary – it’s not going to be acceptable to the public to have the Ministry of Education neglecting New Zealand children while it’s off hawking product around the world.”