Skip to main content

Language: English / Gàidhlig

Loading…
Seòmar agus comataidhean

Public Audit Committee

Meeting date: Thursday, December 8, 2022


Contents


Major Information and Communications Technology Projects

The Convener

Agenda item 2, which is the principal item on our agenda this morning, is consideration of the Scottish Government’s latest update on major information and communications technology projects, which is something that the committee routinely receives.

I welcome to the meeting our Scottish Government witnesses: Sharon Fairweather, director of internal audit and assurance; Geoff Huggins, director of digital; and Yorath Turner, deputy director, digital people, strategy and corporate services, digital directorate. You are welcome, Yorath, and I hope that your salary reflects the length of your job title.

As there will be no opening statement, we will go straight to questions.

Willie Coffey (Kilmarnock and Irvine Valley) (SNP)

Good morning, panel.

I want to start with Geoff Huggins, if I may. In your letter to the committee, Geoff, you mention some pilot projects looking at the spend control process in two areas, namely the Scottish Government’s payment service and telephony services, and you have highlighted a number of issues that have arisen in that respect. Can you tell us a wee bit more about the outcome of that work? My attention was drawn to the part of your submission where you say:

“On the basis of the pilot work … we are developing new thinking on how to secure greater value and improved outcomes in respect of digital delivery.”

Can you give us a wee glimpse of what you mean by that? What were the actual outcomes of that process?

Geoff Huggins (Scottish Government)

About two years ago, we began to do some work on spend controls that mirrored work that was being done south of the border. Although that work could be applied to a number of areas, including recruitment, facilities and contracts, in this particular context we looked at it in relation to digital projects, and we developed models that allowed us, in effect, to assess the decision making on a particular digital project and, from that, elements of the commercial strategy, the technology choices and the understanding of things such as lifetime costs. Through procurement analysis and looking at budgets, we were able to work through a process to develop, I guess, a greater understanding of how we spend money.

As a result of that process, we developed a review model in which a team of people with expertise could engage with a programme team taking forward an ICT project, make an assessment and then offer a report and feedback. At that stage, the intention was to explore how and when to apply controls. Again, as we discussed in March, that sort of approach interacts with accountable officer responsibilities and the mechanism by which we control expenditure more generally. As with Sharon Fairweather’s area of work around assurance, what we effectively have here is a cross-cutting piece of work that looks across portfolios.

That was the thinking behind our taking that work forward. I mentioned that we would be doing this when I gave evidence in March, but over the summer, we identified two ways in which we would take the work that we had done and apply it in practice. First, we did some work on future telephony solutions for the Scottish Government in the context of hybrid working, the new opportunities that have arisen in that respect and the move away from having your own phone, with your own number, on your own desk. After all, you might not be at your desk every day; you might be somewhere else and still need to contact people. Secondly, we took a retrospective look at decision making on the payments programme.

Neither of those reviews identified any particular problems or challenges. However, a number of other challenges did come out of the work and have been set out in our letter. The first is that such reviews are quite resource intensive, which means that we could probably carry them out only for a limited number of programmes, while the second challenge that we identified was the difficulty of moving away from the individual judgment of assessors in the absence of clear frameworks. We have a number of such frameworks in place—for design and accessibility standards, for example—but we are still in the development phase in respect of frameworks for, say, commercial and data standards.

Alongside the interaction with the assurance process—and Sharon Fairweather has offered you a fairly comprehensive letter on that—that particular issue gave us pause as to whether this was the best way of getting value for money. As you will have seen in our letter, we have, at this stage, identified a different course. That is not to say that we would not return to a similar spend control-style model, but if we did so, it would be on the basis of having put in place some of those clear frameworks against which assessments can be made to enable us to operate in that way.

There are a couple of other things that I should mention. Increasingly, we are looking beyond making individual judgments of programmes to begin to apply red lines to expenditure—in other words, the things that must be done or the things that cannot be done. One example of that is the work that we are doing on cloud services. We might expect Scottish Government teams that are developing new programmes to use the Scottish Government’s contracts for clouds, instead of their going out and using separate clouds, not just because it would provide value for money but because it would allow us to share infrastructure, support and so on. In that way, the idea of a red line becomes significant, too.

Willie Coffey

You said that one of the lessons that you have learned is that such an approach could probably not be applied to all project work. I guess that you mean that getting that kind of information, which could then be applied across the board, would require too much investment, but would not applying the same rigour across the board give rise to any risks that you might be worried about?

Geoff Huggins

At the moment, we are doing a number of things. For a start, over the past three years, we have been developing and implementing the digital commercial service, which is a partnership between my directorate and Nick Ford’s procurement directorate and is intended to ensure that those engaging with digital and with purchasing and developing services have the best commercial advice in place. There is also a value-for-money element, which is picked up through the assurance process.

I have covered this in the second half of my letter, but there is a broader set of issues, too, which involves our beginning to think beyond individual programmes of work to the digital interventions that we want to make over the next three to four years. As you will see from the schedule, we are engaged in a long list of programmes of different sizes, and we think that we will probably need to become more parsimonious in the selections that we make and then manage those programmes more aggressively with the appropriate capability and resources in place to execute them properly. In other words, we are probably looking at something that lifts us from the individual “We need to do this” approach to thinking about what the overall system should look like.

Willie Coffey

Thank you for that.

It is the digital assurance framework itself that gives rise to my next question. How do we make sure that we have the right people and the right balance to review a particular piece of work? Perhaps that is a question for Sharon Fairweather. Looking at the organogram that you have submitted in your letter, Sharon, I find the set of structures with regard to officers and responsibilities fairly complex. What does it mean in practice? Moreover, given what Geoff Huggins has just said, how do you choose which skills to deploy in particular reviews that you undertake?

Sharon Fairweather (Scottish Government)

The work that we do contains several elements, the first of which is the engagement that we have with all the public bodies in order to build the record—that is, the register of the projects that are on-going out there—and to assess what level of assurance those projects will need. We have a pool of engagement managers who keep in contact and liaise with the bodies throughout the life of their projects in order to maintain that register.

With what have been identified as major projects, the review team is led by a review team leader who is accredited by the United Kingdom Infrastructure and Projects Authority and who will be skilled at and experienced in undertaking such reviews. We aim to put together review teams that will be able to follow a project through its life and do all the different assurance work at the different stages, and those teams might be supplemented by individuals with the right skill sets from the Scottish Government, if appropriate. As I have said, that approach covers major projects.

As for the digital assessment against digital service standards, we recently changed our approach to staffing in that respect. Previously, we called on individuals with the relevant skill sets in the digital, data and technology profession across the Scottish Government and pulled them in—out of their day jobs, if you like—to carry out individual reviews. However, that was not proving to be particularly effective in managing the resource, so we now second individuals into our directorate for a period to work exclusively on digital service standard reviews. We have set a two-year timescale for those secondments; the approach allows us to bring really relevant skills into our directorate in order to undertake the reviews and to give the individuals who undertake the reviews a different set of skills before they go back out into the organisation. As we have set out in our letter, we use three strands of skill sets for digital standards.

Willie Coffey

My next question is on an issue that comes up regularly at committee. It appears that, when you commission of any new piece of IT software, if you get the specification, the design, the embracing of quality standards and all of that stuff right at the outset, there is a fair chance that you will get everything right. Where does that sort of thing sit within the framework, Sharon? Where is that assurance work done?

Sharon Fairweather

In the very first stage—the initial stage—of the technology assurance framework, we look at the setting up of the project, the reasons for taking it forward, the objectives and outcomes to be achieved, whether the right level of planning and resource is in place and whether there is the right skill set to deliver it. At the very first gate, if you like, of our major project reviews—and before we even go into the procurement phase—we look to ensure that the projects are set up in the best way possible to ensure their success at an early stage.

Willie Coffey

Does that cover the software development skills and ability of the team in question, their quality management experience of the tools to be used and so on—that is, the whole technical side—and an appraisal of whether the team is capable of delivering to requirements?

Sharon Fairweather

Yes. We look at all of that and whether they have the right resource in place in order to deliver the project to completion. That is often where we have the biggest concerns with regard to resourcing: the availability of budget and the availability of the right staff to deliver a project.

Willie Coffey

The submission says that the digital assurance office was established in 2019, but I also note that that was the last year in which a project was stopped for any reason. Has your experience since then benefited you by allowing you to identify as early as possible whether a project should or should not go forward? Are you saying that, since the DAO developed this process, every piece of work that has been undertaken has successfully gone through the various stages to completion?

Sharon Fairweather

As you have said, we have not had to stop a project since 2019. You will see from the statistics that we have provided on the outcome of reviews that about only a third of major digital project reviews go to the next stage without requiring some form of remedial action, which might include, say, pausing the project at that stage to put corrective measures in place. If, for example, we do not think that the project has the right level of resourcing, we will say, “Right, you can’t go on to the next stage until you’ve addressed these things.” We will ask for action plans against recommendations, and we will follow up those action plans before we allow things to proceed to the next stage. We think that that helps projects progress to successful completion, because we are trying to catch as much as possible as early as possible, at a point when the team has time to rectify things and before the problems build up later in the process.

Willie Coffey

We have not asked for this, convener, but is it possible to see an example of a staged assessment so that we can follow the process right from the beginning, when the technical appraisal of a piece of work is carried out, through the review that is undertaken to the project then being signed off? Could we see what happens at each stage?

Sharon Fairweather

So you would like us to set out all the different elements that we look at for each individual stage.

Aye.

Sharon Fairweather

We can certainly provide that. That is not a problem.

I am not asking for anything specific. I am just wondering whether it would be possible to see that sort of thing, if one wanted to have a look at the process.

Sharon Fairweather

Yes, we can certainly provide that.

Willie Coffey

That would be good.

Another common theme that arises at the committee is the identification of things that can be learned and the sharing of good practice. How do we capture all of that—the lessons learned and the sharing of good practice—to ensure that the best possible solutions are being deployed?

09:15  

Sharon Fairweather

There are several things that we are doing in that respect. We work very closely with Geoff Huggins’s team and the programme and project management centre of expertise, and our team tries to gather good practice. As you will have seen from the letter, we have recently recruited a continuous improvement individual to focus on that.

We are also trying to link on-going projects with other successful ones. When we know that somebody is undertaking a project or programme that we have seen done relatively successfully somewhere else, we will try to link the organisations involved so that people can learn good practice from each other.

I would highlight in this respect the social security programmes, which have been well managed and well done, and we are drawing lessons from those and disseminating that information to others. We try to tie together all the individual elements and get messages out about good practice. We also report to the Scottish Government DG assurance meetings and the Scottish Government audit and assurance committee, where we try, as much as we can, to disseminate good practice and indicate where to go for lessons learned. That said, there is more that we need to do—there is no doubt about that.

Willie Coffey

Ultimately, though, it is the DAO that assesses the effectiveness of the process. Is it measured by results—that is, projects getting through to completion without being stopped or projects not going over budget or overrunning schedules? Is that how you measure the effectiveness of your processes?

Sharon Fairweather

Yes, that would be fair comment. After all, a lack of failure is, for us, a sign of success. We get feedback from the clients to whom we provide a service, and, as I have said, our major reviewers are independently accredited by the UK authority.

Many thanks for that response. That was a positive note to end on.

I invite Craig Hoy to ask some questions.

Craig Hoy (South Scotland) (Con)

Good morning. I have a few questions about the Scottish digital academy. I want to explore the impact of the academy and the courses that you have put in place. The First Minister’s digital fellowship and digital champions programmes have been launched and undertaken. What impact are they having on the ground?

Geoff Huggins

Yorath, do you want to take that?

Yorath Turner (Scottish Government)

Yes, I am happy to take that question. We launched the academy in 2018 and started with around six courses that focused on agile delivery. Since then, we have increased that and we now offer 41 courses on a variety of topics, including agile leadership, the cloud and skills issues, but we also focus on the wider skill set that people need in order to engage with digital transformation. The academy is not just for people in digital roles; it helps people with their understanding of how to engage with digital projects.

More than 4,500 people have come through the academy over that period, and we have really shifted how we deliver. Before the pandemic, we operated fully in person, but we have shifted to online and hybrid delivery in order to enable people everywhere—from people in Shetland Islands Council to people in the Borders—to access our services. We have also changed some of our funding models so that we can bring in more people without having to put up a barrier for them.

That has resulted in better engagement with digital transformation in organisations. There has been a real drive to speed up that process and to enable organisations to recognise that they need the skills to deliver at the same time. We started by looking at giving individuals the skills to deliver the transformation, and it quickly became apparent that the wider organisations needed to understand how to set themselves up to deliver an agile methodology. We then started working with procurement teams, human resources teams and finance teams to make sure that they had the right audit and artefacts so that we knew that there was good governance in place.

We started the fellowship programme in 2018-19. That is a way of seconding industry experts into the Scottish Government for up to 23 months and, occasionally, for slightly longer, if there is a need for that. It has worked particularly well. We have had 10 fellows—we are bringing in an 11th—from various organisations, such as Sopra Steria, Deloitte Digital and Leidos UK. They are in roles that lead transformation. We have had fellows in the digital directorate, and we are now helping Social Security Scotland to bring in a fellow. That allows us to share the expertise. All our fellows come in and give sessions to civil servants, fixed term and permanent, in which they share their abilities and what they have learned. Most recently, we have run sessions with Alistair Hann, who has joined us and who previously worked at Skyscanner and NHS National Services Scotland. He talked about how they built engineering teams and how that works. We have been able to share that and to look at what is right for the Scottish Government in that respect.

We still have a long way to go, because we are still suffering skills shortages, as is everybody, but we are investing in our own people by bringing them in and trying to find new pathways so that they can join programmes.

What has the total cost of the academy been to date?

Yorath Turner

Off the top of my head, I do not know, but I can certainly provide that information. We run an annual budget for the academy of around £600,000 for delivery costs, and there are staff costs on top of that. We estimate that, up to around 2019-20, we had saved the public sector around £2.5 million for courses that might have been procured on the open market, which are much more expensive to run.

That pre-empts my next question. How do you determine which courses to offer in-house and which ones to bring in external suppliers for? What drives the choice of course subject matter?

Yorath Turner

We do user research with our user base on what skills they need now and what skills they will need in 12 or 18 months. We work with delivery bodies, agencies and core Scottish Government and ask, “Where are your shortages? What do you need help with?”.

We also have contacts in our procurement directorate, to find out whether people are asking for procurements from the major learning providers and whether we can meet that need instead. We then build our curriculum. There is enough flex, because we work with a model in which some in-house staff are experts in certain areas, which means that we can create and deliver our own courses, but we also work with partner organisations that deliver for us through flexible contracts that allow us to scale one course over another if there is a need or demand for it.

Craig Hoy

Have you done any benchmarking to assess the level of investment that you are putting in relative to Governments such as the Singapore Government, which have adopted a digital-delivery-first principle? Are we lagging behind those Governments that are taking an ambitious approach in this area?

Yorath Turner

I have not done formal benchmarking, but we have relationships with a Canadian digital academy that is working with a public sector that is roughly equivalent in size to ours. Our academy is much smaller, and we are probably not as far along on our journey. We certainly want to look at formal benchmarking. The UK Government recently closed its digital academy and subsumed it into the Government skills and curriculum unit, which is a much larger space that looks at professional learning generally. We need to make sure that we are not duplicating resources that are available elsewhere.

Craig Hoy

That was going to be my next question. Identifying it as a digital academy puts it into a silo. Is there a broader suite of training and skills provision in the Scottish Government or the Scottish public sector with which you could come together to create a more holistic approach?

Yorath Turner

Absolutely. We work with our people directorate colleagues, especially on the leadership skills that are needed in that space. We are meeting them to align our leadership curriculums to make sure that there is no duplication and that, most importantly, there is a clear user pathway and user journey so that users access the service only once and are not confused about where to go.

It is slightly difficult, because all my courses need to be accessible to the entire public sector in Scotland, so I cannot put them on a closed learning platform. They have to be searchable on Google so that people can find them, whereas, traditionally, most in-house learning offer is on a closed learning platform that people cannot find from outside.

Craig Hoy

On driving take-up, will you give us an indication of the methodology—you have identified one part of it—and the marketing that you are engaged in to make sure that you get buy-in and take-up from the broader range of Government organisations in Scotland?

Yorath Turner

Yes. We offer a coaching service as part of the academy. We work with senior leadership teams in various organisations across the public sector to help them to understand what their problems are and whether we can help or whether they need other help. That is where we see a change and a shift—they become almost evangelical about it and say, “You need to get on that programme, and we need to get our teams on it,” because the feedback is really good.

We also make sure that we attend events such as Civil Service Live so that people know who we are and can talk about us. We attend conferences to share our learning. This year, we launched a new website so that people can access and book courses and find out what we do. We also share success stories or case studies about work that we have done with Police Scotland, Dundee and Angus College and the National Library of Scotland, their end-to-end journey and how we have helped them.

If you push up against any resistance, whether institutional or from individuals, what form, typically, does that resistance take?

Yorath Turner

Often, it is about cost and time. We have to recharge for some of our services to recoup costs, otherwise we would have to pull back on other services. There is also the time that it takes to take people through training. They will not be fully up to speed after half an hour; it is a continual learning journey. Proving that that investment pays off is quite difficult, because it is not immediate. It is not a case of people spending half an hour or two days somewhere and, at the end of the process, the organisation achieving a saving of £X.

We are trying to work through what those metrics look like so that we have a better case for saying that the benefits are absolutely proven. We know that they are proven, and people in the community and the learning profession know the value of the training, but it is difficult to sell that through more tangible metrics.

The Convener

I would like to pick up that theme of cross-departmental or collaborative working. Geoff Huggins, back in March you mentioned the digital commercial service—I think that you referred to it again this morning—which sits within your directorate but operates as a joint function with procurement. Could you develop that a little bit and tell us how that has changed the way that procurement or contract management arrangements work?

Geoff Huggins

The decision to create the unit was based on the fact that there was a clear need to offer expertise, not least because, quite often when we begin a technology project, we take it from the perspective of policy and intent. That is in terms of the particular skills that we are looking to bring into that—knowledge of contracting, contract management and value over time—but also understanding the costs that may not be apparent at the outset of a process, because of issues such as vendor lock-in, access to data and the commercial value of different aspects of the contract.

Our experience has been that it is a very welcome service in that it brings a degree of expertise and assurance. It also brings a particular expertise into the area for those who might not be commercially minded. On quality digital provision across Government, we are looking to broaden that provision out beyond the commercial area to have clear data frameworks and architecture frameworks in place. We already have the design framework, but we want to be a bit more explicit about our capability framework—in addition to the work that Sharon Fairweather’s team already does in making an assessment of teams—to understand that there needs to be an appropriate set of arrangements in place across each of those five domains and a clear understanding of what is required. All those things have to happen effectively, alongside good programme management, if you are to get the good outcome that you want.

We have taken the idea from the digital commercial service and begun to extend it across those other domains in such a way as to tie together what we are doing at a Government level, as opposed to allowing it to develop independently in different parts of the organisation.

The Convener

One thing that the Auditor General has spoken about is the ambition for there to be more innovation in the public sector. He even used the expression “risk taking”. Do you think that you are doing things that are innovative and which involve taking some—calculated, I presume—risk?

Geoff Huggins

There are different ways and different areas in which we take different approaches. Fundamentally, I am keen to do some really dull things that are about effective programme delivery that delivers good services for people. Most of the technology that people use on a day-to-day basis is relatively straightforward: we do things such as make a payment, apply for something, look for a licence, update a record or make an appointment.

None of the technologies out there is innovative; the challenge is to make them work really well for citizens, so that we do not notice that they are happening and they become part of how we go about our lives. That requires a lot of hard work on design, data management and architecture—I am talking about things such as the work that we are doing on citizen ID and cloud. Most of the stuff that we are doing is, I am sorry to say, really quite dull. Ultimately, our objective is that you will not notice most of the things that we do because they have become expected parts of your life.

At the same time, a lovely group of people over at CivTech are doing innovation for things out there that you might not have contemplated or thought about that have the potential to build businesses in Scotland. Over the next period, they will be running two challenge cycles a year. The challenge cycles in CivTech 8 are focused around a range of environmental challenges in which we are, in effect, asking people to think beyond the normal. You may have seen some of the coverage on the BBC about using sensors and technology to track beaver burrows. I confess that I did not imagine that that would be a business at some point in the future, but it appears that there is a technology there that has the potential to grow the economy and solve real problems, and it is very much in that innovation space.

The activity at CivTech allows us to do that innovation in a controlled space, while doing the really important and very dull work that we do in digital at the same time.

09:30  

You mentioned citizen ID. Can you tell us what that is?

Geoff Huggins

Citizen ID is basically a piece of work that the Scottish Government has been working on since about 2017 to effectively give an individual who wants it an identity that they control, including the use of any information related to it, so that, when they come to log on and apply for a benefit, they can demonstrate who they are. A key example of that over the past two or three years has been the Covid passport—the status app—which enabled you to demonstrate your vaccination status. It also had to know that you were you, so that you were not just running around with a piece of paper that said “Joe Bloggs”. It gives the ability to verify that a person is the person they claim to be and to use that in the digital landscape. It is a bit like your bank login. The proposition is that it enables you, having created your identity and having used it for one purpose with Government, to then use it as you choose and under your control for other purposes.

It is quite interesting, and I thought of mentioning it in reply to the earlier question because it is a piece of work that Sharon Fairweather’s team reviewed in the summer of 2021. It was one of the reviews that came out as fairly red, and we had a long think about whether to continue with the programme. Over the past 14 months, we have taken it from being fairly red to being amber/green. The work will go live in February next year with Disclosure Scotland and will be a mechanism that it will use as part of its process of issuing disclosure certificates. The intention is that someone who has created an ID for that purpose might want to use it for another purpose. It is intended to get away from the fact that, for every service that you access from Government, you have a different login and password that you have to remember. It will enable you to move seamlessly between services.

If I take myself as an example, I have a Covid passport, vaccination certificates and so on. Do I have a citizen’s ID?

Geoff Huggins

No, not at the moment. Effectively, you have those different things. Down the line, if you want to have something that you could use for more than one thing, you will have that choice.

Do you not think that primary legislation would be required to do that?

Geoff Huggins

It is entirely within the control of the citizen, so the answer is no. The UK Government is also doing work in this area, under the one login scheme, and is considering whether legislation is needed for some aspects of the scheme; we will continue to follow that. However, with regard to where we are with the process and the decisions that we have made so far, we do not require primary legislation.

Craig Hoy

I have a brief question. The last time that you were before the committee, you referred to the cost of the infrastructure and the architecture for the Covid passport scheme. There was a fee per person who registered that was paid to a third-party agency or something for the verification. Do you know whether the total published costs included that nominal subscription fee per registrant?

Geoff Huggins

I will be honest and say that I have not seen the final costs, but one component of the costs—and this is one of the components that we want to not have to pay for again and again—is the process where they used a particular product to verify that the person was that person, using biometrics. I cannot recall what the cost of that item of that was, but it was more than a pound. Imagine that, every time you created a new login for a new service, you had to pay that pound. The idea is that, once you have done that, you have done it.

The Convener

I have a question about an individual project that came out in the July summary: the Highlands and Islands Airports Ltd air traffic management strategy programme and the remote tower solution. The narrative in the report states that the project has been paused. My understanding is that it has been abandoned. What is the status of that project? What has happened to the £45 million of public money that was allocated to it?

Sharon Fairweather

I do not have the answer to your second question; we can certainly come back to you on that.

My understanding is that the programme is being rethought. You will get your next six-monthly update before Christmas, so you will have a further update on that in the next couple of weeks, which will give a clear picture of where the programme is. My understanding is that the whole programme is being rethought.

Okay, but will that still be listed in the update?

Sharon Fairweather

Yes, you will have a follow-up. The update that you will get in the next couple of weeks will have a follow-up to that and will state the current position.

Okay, I will look keenly at the language that is used in that regard.

Colin Beattie (Midlothian North and Musselburgh) (SNP)

Historically, there has always been a shortage of skills and bodies in the digital area. I assume that that continues. How do you recruit people for those posts, and how do you specifically ensure that the mix of skills and resources that you need are in that recruitment process?

Geoff Huggins

I will offer something at a higher level and then bring in Yorath Turner to speak more specifically on the recruitment process.

One of the challenges that we have identified is the quantum of resource against the number of projects. There are two ways to solve that: more resource, or fewer projects. One of the things that we need to look at carefully is whether we are trying to do too many things and whether we should scale back the activity to the capability that we are likely to have and the resources that are available. That is partly because—this is my experience—when we overextend ourselves, we reach into the contractor market and the managed service contract market, which begins to raise the cost of delivering a programme and reduces our control. At a macro level, one of the challenges that I am seeing for 2023 is to begin to think about the size of a programme and whether we can ensure that it is not bigger than our capability to deliver. Those things, potentially, can get out of whack. That is partly in the context of lots of individual decisions being made as to what to commence, which then takes us into the situation where, for example, I am competing with Sharon Fairweather and health for the same resources. One of the things that I alluded to in my letter is that we need a corporate understanding of what we, collectively, are trying to do and to size it within the capability.

Yorath Turner has already referred to some of the work that we are doing in respect of the digital fellows that we have brought in, in terms of having a really good understanding of what team composition—the individuals and the structures—should look like. Quite often, I would think more at the team level than at the individual level as to how many teams I have in place to do digital activity rather than just how many architects or programmers I have. Ultimately, the unit here is not the person; it is the team.

Yorath Turner can say a bit more about the work that we are doing on recruitment.

Are you still paying off-scale to recruit people into the digital area?

Geoff Huggins

What do you mean by “off-scale”?

Several years ago, you were paying people coming into technology according to a civil service scale, but then, because of the shortages, you took posts off the scale and started to pay according to market.

Geoff Huggins

We offer an allowance for digital, data and technology—DDaT—professionals, which, at the moment, I think, is—

Yorath Turner

For our B and C bands, it is £5,000, on top of standard salary scales.

Geoff Huggins

We work with standard salary scales, but with an allowance that reflects the market dynamics.

Are you satisfied that that brings the salaries to a level where they are competitive?

Geoff Huggins

I am satisfied about that because we have worked through this very carefully. One of the big questions for me is, where are the challenges in recruitment? Is the challenge that we are not paying enough, or is it that we are not offering a good enough job? I think that what we have been working through has identified that we pay well enough, so we need to work on the quality of work, which we have been doing, and the recruitment process. Yorath Turner is the expert on that.

Yorath Turner

I did a full benchmarking exercise on this in March and April of this year. There is a business case for the allowance that we offer, and it gets renewed. That exercise was undertaken using Aon’s Radford global compensation database for the market rates for all our roles. The adoption of the digital data and technology framework has allowed us to do that. We have standardised the roles that we have in teams. It showed that, although there are outliers, we are generally not too bad in that around 60 per cent of our roles pay between the 25th and the 75th percentiles of the market rate. Where we really see differences is in our most senior posts, which is not unexpected, and our more technical spaces such as cybersecurity and architecture development operations. As a result of that benchmarking, we increased the allowance from £4,000 to £5,000 to bring that into line with where they were.

Our turnover rates are much lower than industry comparatively. Once people come and join us, they tend to stay. In industry, the turnover rate is around 18 per cent, and ours is around 8 per cent. We find that, although there is internal churn, the work that people get to do when they are with us is what is most rewarding. We have developed a business case to implement a specialist recruitment service to bring in digital people, recognising that this market is very competitive and that most people in this space have multiple job offers and cannot wait for our usual timescales. We need specialist people who know the market and where to talk to people, to sell our employer value proposition and to explain why it is so good to come and work for the Scottish Government: “Even if you do not stay for 20 or 30 years and you are only with us for two or three years, that is absolutely fine, and we would really love you to come”. We are embedding that. We worked over the summer to define that service model, using people who have digital market expertise and know how to do the candidate management of people, which needs much more active engagement and shortening of timescales. The people are not waiting around, and we need to make sure that we are changing our systems to account for that.

Given the competitive market, you would not think that £1,000 extra would swing it one way or the other for a senior IT person.

Yorath Turner

You would not necessarily think that. We have also changed some other things. It used to be paid after a nine-month qualifying period. We have now changed that so that it is paid after three months but retroactively paid to their start date. It is not all about the salary level. To be perfectly honest, we will never compete with some of the biggest payers, and I do not think that, as a Government, we really should be trying to. We try to sell, first, the work that people can do and, secondly, the additional benefits that they get from working in the public sector: the additional flexibility about when and where they work, the additional holiday allowances, the pension contributions and other benefits.

Colin Beattie

Having been in the private sector previously, one of the things that I am aware of is that employers encouraged employees in this area to move on after a period in the job. That was to allow them to go out and get more skills, more experience and broader exposure, and, then, they could come back in a few years’ time with much higher skills. What you do not want is somebody who will settle down for 20 or 30 years and just be in that groove and tick the box. Is that a consideration that you have taken?

Yorath Turner

Yes, absolutely. We have implemented our career pathways using the DDaT framework so that people can see the skills that they need to develop. We support them through the Scottish Digital Academy and others to develop those skills and move around internally, be that in the digital directorate, the agriculture and rural economy directorate or the social security directorate. Where we can, we support outward secondments as well as inward secondments so that people can go out to industry.

We are also looking at how we use the reinstatement rules so that people can go to the private sector and then come back to Government within the limits that are set out by the commission. That allows them to build those skills and supports them in doing so. We are really changing our thinking and saying that we are building the skills in the sector and the market and, even if those people leave us, those skills will be retained in the sector. Scotland needs that. According to Accenture, 22,000 digital jobs were advertised in Edinburgh and Glasgow last year. We will never meet that on our own. We need to work together as an industry to help meet that need.

09:45  

Geoff Huggins

It is quite an interesting challenge for recruitment. Historically, the model of the civil service is that a lot of candidates apply for a small number of jobs, and we need to apply some very fair and transparent processes. In this area, many people in the digital world never apply for a job. They get approached on LinkedIn or get tapped by a friend in a different company. I have seen applications in other areas where they do not fill any of the competencies because they are in a very fluid market.

In the context of the Government or the national health service, we have done research to understand why some people join, as it seems like an odd thing to do if you are a technologist. The two main motivators are that the work is of value and they take a lot of personal value from it; and the second is that they get to work with people whom they want to work with. That means that the environment that they are working in needs to be effective and productive in that process.

The two-to-four-year element also requires us to get to a situation where we do not presume that we have recruited somebody and have now got them. Over the next three to four years, we will be engaged in a lot more continuous improvement as people effectively rotate through our system and back out into the private sector, as you described, which is really desirable, but it requires our approach to how we manage that flow to be quite different from what it would be traditionally for civil servants.

Can I ask for an interpretation of your letter? You state that there will be “targeted support” and

“Greater control over digital capability”.

Is that simply about sharing resources and people?

Geoff Huggins

It is a bit more than that. It comes back to the point that I made about whether we are trying to do too many things some of the time. Having talked to the minister, Ivan McKee, and JP Marks, the permanent secretary, I know that they clearly think that we should be managing our capability across the organisation in a different way than we currently do. The conversations that we have been having, which we will have next week again at the digital board, are about beginning to think effectively about how we do that in career development and in allocating people to priority areas of work. We are not quite there yet, but it might be a bit more than just having a nice chat, if that answers your question.

Colin Beattie

I will move on to a slightly different issue. You touched on the need to prioritise projects. How do you decide which projects to prioritise? What criteria are used? It is not just about whether you have the right skills available for a project; projects in themselves have a priority and need to be staffed in order to deliver for the public good. How do you do the prioritisation process?

Geoff Huggins

We have identified that that is another of the items that we will talk about on Monday at the digital board and that will be part of the work programme for 2023. This is not the settled position because we will continue to work with colleagues to get to a settled position on it, but, in my mind, there are three or four elements to it. First, there is a non-digital element, so we need to understand the business need of the organisation to achieve public good. It needs to have priority in the Government’s programme.

The second aspect to prioritisation is the degree to which making the change or taking the programme forward contributes more broadly than the programme itself. We must think about the capability to create new data sets or new processes that might be used by more than one organisation and to create infrastructure that is used by a number of organisations. Having something that adds to the overall system as opposed to simply solving an individual problem is key. An issue that the committee will be familiar with is our ability to bring data together from multiple systems. We have a challenge in that there might be data over here in one bit of the system and over there in another bit of the system but we need both those bits of data to make a decision. That is a common problem that we have across the Government, whether in health or justice. Therefore, I would also give prioritisation to finding solutions to common problems.

You have an enormous number of projects. The resources that are needed to prioritise them must be considerable.

Geoff Huggins

Yes. Again, part of the challenge is that we do not get to start with a green field and a blank piece of paper. We have a stock of projects, with those that you have in front of you as the list. How we consider what will be added to that list next year, the year after and the year after that is about focusing on fit and value but also about being clear that we need to cut our cloth to ensure that we have the capability to deliver those projects efficiently.

You assess the pipeline rather than the existing projects and the impact that they will make.

Geoff Huggins

We need to do both. We cannot do one or the other, but, between the two, the processes that we apply might be different. The other aspect is that it is not purely my job, as director of digital, to make the assessment. These are not only digital but business decisions. Part of our objective is to blend the business decision with the digital decision. Ultimately, as citizens, we live our lives across multiple parts of government, so the system needs to be orientated in that way, to understand it from the citizen point of view.

Who makes the business decision?

Geoff Huggins

I would push that fairly far up the organisation. There is a question about whether it should sit with the executive team as part of its—

Who is making the decision now?

Geoff Huggins

Decisions at the moment—we discussed this in March—are, largely, made within individual portfolios and directorates under the accountability arrangements under which we allocate resources to DGs and then down to directors. They sit within ministerial portfolios. We are suggesting that we need to step beyond that to understand the system of impact and to begin to think about it at system level.

Is there a timeframe?

Geoff Huggins

As I mentioned in my letter, we intend to meet at Monday’s digital board with the objective of putting in place a work programme for 2023. What we are considering is not a small change. It is a change to how people operate, what they do and what their accountabilities are. We have agreed that we will set out the initial work plan for 2023. That will begin to get into the areas of prioritisation, portfolio management and the frameworks that we apply to support change processes and, effectively, to create this as a programme rather than just a policy or a strategy, with a senior responsible owner appointed to take it forward. As we work through this, as I have indicated to the committee’s clerk, I would be happy to come and talk to the committee again.

Colin Beattie

The committee would be interested in how it progresses, because the process still seems a bit fragmented down to departmental level. I will conclude by asking one simple and easy question about the R100 programme. What do the savings from that mean for delivery?

Geoff Huggins

What we have done with R100, for a couple of reasons, is, in effect, to reprofile the delivery of the programme. We will probably cover more than we had originally intended to, but the period over which the programme will be delivered will be different. It comes back to legacy issues of supply chain and Covid in previous years, but the intention is that we continue to deliver R100 as previously set out. As part of the reprofiling, we expect to be able to offer broadband to an additional 2,600 rural properties, mostly in the Highlands and Islands. As we have already said in the public domain, the programme itself is not in any way reduced; it will just be extended over a slightly longer period.

Okay. I will leave it at that. Thank you.

The Convener

For clarification, I would like to take you back to a couple of points that you made in your answers to Colin Beattie. First, will a project such as the proposed Highlands and Islands’ air traffic management system change or will the series of Police Scotland IT initiatives, which are listed in the programme—I think that there are four of those—get ministerial sign-off?

Geoff Huggins

Those are programmes of work that will sit within their own accountability structures. Police Scotland will have its own accountability structure for the allocation that it receives. It then operates under the delegated assurances and authorities that it has. I do not know whether any individual projects have been in front of ministers, but those organisations have the power to take projects forward.

The Convener

Is there not any kind of threshold that requires ministerial approval? In the context of the ferries, we have discussed the role that ministers have clearly played in signing off the award of contracts, preferred bidder status and so on, so I am trying to understand whether there is an equivalence in the ICT area. Is ministerial sign-off part and parcel of the routine way in which such projects are given the green light?

Geoff Huggins

External non-departmental public bodies generally have the authority to take forward work within their delegated authority, their budgets and the framework under which they are expected to operate. So, no, I do not think that they go to ministers. I am happy to write to you if I am wrong, but that is how I understand it.

The Convener

Okay. If, on reflection, you think that there is nuance to that answer, please come back to us, Mr Huggins.

You mentioned the digital board, and I think that you said that it is due to meet soon. Is that not the board that is minister-led, and is the Convention of Scottish Local Authorities not also involved in that?

Geoff Huggins

That board is chaired by Lindsay Montgomery, who is external. The minister attended the previous meeting on 29 September, and he and I gave a presentation on how we see the future developing. There is a question about whether, in 2023, when the board will probably become the digital programme board as opposed to the digital board, the minister will wish to chair it himself. I will have that conversation with him some time in the next week or so, but he is fully up to speed and informed about what is going on at the board. I spoke to him last Friday to talk through the approach that we will take next Monday.

The Convener

When you gave evidence in March, I think that you said that there is, understandably, a group composed of officials that has oversight of those things. I think that you said that there is a minister-led body, as well, in which COSLA is involved.

Geoff Huggins

There is the joint board that oversees the digital strategy, which is a shared strategy between the Scottish Government and COSLA, and that met most recently about two weeks ago. That also exists. Its focus—

Who chairs that, Mr Huggins?

Geoff Huggins

That rotates between the minister and the council spokesman for digital issues. It has identified four priorities: digital inclusion; connectivity; common componentry; and the work of the academy. It is very much focused on those areas of activity. Effectively, it is a political clearing-house to not only assure the on-going delivery of the strategy but, potentially, address any challenges or difficulties that we have between different parts of the system. The digital board is a Scottish Government entity that is intended to get us organised to be effective in delivering digital. In attendance, it has representatives from the Digital Office for Scottish Local Government, the agencies group and the NDPBs group. One of the discussions going into 2023 is on how far and to what degree the board’s reach will be in the next stage of work. I guess that that comes back to your previous question about Police Scotland and NDPBs.

Yes. Presumably those bodies have terms of reference. Would it be possible to share those with us?

Geoff Huggins

I am happy to share the current terms of reference for the digital board, but I suspect that we will have new terms of reference in February that will reflect the changes that we are making. I can share whichever you wish.

We will be happy to see the ancient and the modern, and we can then compare the two. Thank you.

Sharon Dowey (South Scotland) (Con)

Good morning. I want to ask you about Social Security Scotland. So far, it seems to have been classed as a good-news story as far as systems are concerned. However, on day 1 of the launch of the new Scottish child payment, the system crashed. Can you tell us a bit more about what happened and about any learning that you have taken from that?

10:00  

Geoff Huggins

I am happy to do that.

I had a good conversation with a number of colleagues at Social Security Scotland in order to understand that properly. The first thing that I should say is that the system did not crash. The new child payment launched at 8 o’clock on 14 November. At around 10 o’clock, 150,000 SMS notifications were issued to people, which included a web link that allowed them to go on to the site and begin to make an application. A lot of people clicked on that link at the same time. The system understood that as a denial-of-service attack, because it was not expecting quite so many clicks, and the protective measures that we have in place for the system effectively kicked in. The system closed down, believing that it was subject to some form of cyberattack, whereas many of those 150,000 people had done exactly what we wanted them to do, which was to go on to the site.

The site was down for about an hour and 45 minutes. During that time, telephone applications were still operating and were still being taken forward. Corrective action had been taken by 11.45, and the system went back online.

Looking forward, the agency has a variety of ways in which it might approach that in future. It might stagger the process of issuing SMS notifications, or it might calibrate the domain name system—DNS—protection at the point at which it is likely to be receiving a wave of applications of that kind. It will learn from the process and make sensible decisions, and we expect not to have that problem again.

It is clear that the system is capable of scaling for the demand, and it was robust in every other way. That is an example of where we have applied a protection to a system against a particular threat, but it has given us a different problem. That is just part of the agile learning process in which we need to be involved.

The agency had 89,000 applications in the first two days of the process. That is not a small number. In that context, that is an interesting piece of work, and members might wish to hear more from Social Security Scotland on it.

We are also looking at how the agency is able to automate additional elements of the application process in such a way as to process quickly and at a lower cost per transaction. Those are the sorts of things that we expect digital to do. The first payments were made in the week commencing 21 November.

The story is probably not as it was reported. It is interesting because, as members might expect, people who run small and medium-sized enterprises and private sector companies regularly email me to ask me for meetings to help me to solve my problems. Although I appreciate their generosity in that case, a number of the emails that I got seemed to suggest that people thought that they knew what had happened and that they were now going to solve the problem for the future. In fact, the story is probably a lot more straightforward. We can have confidence in the people at Social Security Scotland getting that right in future.

Sharon Dowey

You said that the system did not crash, but the person in the street who did not get access would have thought that it had. Did you not expect to get everybody applying for that payment at the same time? It was widely advertised in advance, and we were all told to advertise it on social media. You would have been expecting to have 150,000 applications. Should you not therefore have done things in a different way?

Geoff Huggins

Social Security Scotland received 89,000 applications over the first two days, many of which were by telephone, because not everybody will use a web link. The learning point relates to the process by which access to the web link is given. There is the frictionless government aspect. If you make something easy, people will use it. Imagine what you would have needed to do to apply for a benefit in the past, with the documentation and things like that. People will take up such an offer. Had Social Security Scotland not put out the web link, it would not have had the same volume at the same time. It is not just that a lot of people applied in the first couple of days; rather, a lot of people clicked on the link at 10 o’clock. That is the learning point. With SMS, delivery could be staggered so that web links go out in batches at five-minute intervals. That might be Social Security Scotland’s solution, or it might just recalibrate the DNS protection.

Do you know what the uptake has been from people who are eligible?

Geoff Huggins

I do not have that figure. I know that there were 89,000 applications in the first two days and that payments were made before the end of November, in the week commencing 21 November, but I do not have the figure that you ask about. I am sorry.

Sharon Dowey

You touched on data collection in responding to Colin Beattie’s questions. Obviously, there is a cost of living crisis, and we continually hear about people not claiming benefits that they are entitled to. Where are we with data collection for the new social security system to make sure that people who are entitled to benefits can get them automatically rather than having to click on links or SMS messages on the day that the new benefits go live?

Geoff Huggins

That is one of the areas in which Social Security Scotland has a particular duty to maximise benefit take-up and make it straightforward. However, there are challenges in that area because of issues to do with the general data protection regulation, privacy and choice. That is why telling somebody, “This might be something you are eligible for” works quite well as a methodology, rather than saying, “Here is a benefit that you are entitled to”, because people have to make the decision to apply. The latter is also more likely to be subject to things such as fraud.

The agency is continuing to work through different ways in which it can better target people and make them aware, and to say, “If you have this, you might get that.” It is an iterative process. The other side of the issue is doing that in a way that people feel comfortable with, because people may react differently to receiving information about eligibility. Therefore, design elements are involved, as well.

Do some people get an automatic entitlement to the Scottish child payment, or does everybody have to apply?

Geoff Huggins

People have to apply.

So none of it is automatic.

Geoff Huggins

The application process is for those who are eligible. That is, of course, based on access to another benefit. After the application has been made, the process is very straightforward, but people have to say, “I want that benefit”, because, at some point, they have to sign to indicate that they consider themselves to be eligible.

Sharon Dowey

On the reverse side, you mentioned fraud, for example. Is there something in place in the new system to make sure that benefits stop when people are not eligible to receive them—if, for example, they go into full-time employment or their children reach a certain age?

Geoff Huggins

Social Security Scotland will have a range of measures in place to ensure that it is continuing to assess eligibility and to prevent fraud. I would probably be stepping outside my expertise if I tried to talk about its programme, which is mature and is being run effectively.

May I finish on—I am sorry; I am not going to finish. I am going to allow Willie Coffey to come back in. I will then turn to my last question. Over to you, Willie.

Willie Coffey

Thank you very much, convener.

On the issue that Sharon Dowey has just raised, it seems from the explanation that no load testing of the system was carried out in advance. It is clear that that would and should have identified that the system would think that there was a cyberattack. Why was that not done in advance?

Geoff Huggins

I know the chief digital officer at Social Security Scotland, and they will have undertaken load testing. The challenge is undertaking load testing on a live system. There is the issue of mental constructs: we will forever look at the issue in a different way, having had the experience, and we will think differently about DNS protection and understand where it fits into the process. The load testing on the system showed that it was able to process applications at the rate that they were coming in. The challenge was that, by simply using the DNS, we effectively stopped the applications coming in. The learning is that what happened was unfortunate, but it means that it is less likely that we and others will make that mistake in the future.

The load testing did not pick up that the system might think that there was a cyberattack, but when the system went live in real time, it did.

Geoff Huggins

I guess that that is because the load testing will have been based on the applications that had made it to the system. Effectively, the throttle was applied before those applications made it to the system, in that, basically, it was about the number of connections going in. I am confident that the system was fully geared up to manage that number of processes.

Okay. Thanks for that.

The Convener

For my final question, I again turn to the summary of projects that you issued to us back in July. Forgive me, but one project in that caught my eye: the replacement and enhancement of the CalMac Ferries booking system. I think that that was started in 2016, but the date set on the note for completion and, I presume, for going live was November 2022. We are now in December. Can you assure us that that system is now live?

Geoff Huggins

I would be very grateful if Sharon Fairweather picked up that question.

Sharon Fairweather

The system is not yet live. CalMac Ferries is planning for that to go live in the spring. There is currently staff training—the company is training up about 700 staff on the new system. We do not have an exact go-live date yet. The company has another pre-go-live gate review coming up post-Christmas.

Why does the note tell us that the expected start date is November 2022, not spring 2023?

Sharon Fairweather

The note that you have was for the July update, not the December update, if you know what I mean.

You have not issued that to us yet.

Sharon Fairweather

No. That is due in the next couple of weeks.

The Convener

Okay. I am just trying to understand. The project started in 2016. I presume that there must have been an understanding that staff training would be required before the system went live. Was that not planned in advance of the system going live?

Sharon Fairweather

Yes, it was, but it is not the staff training that has slowed things down. CalMac Ferries did all the assurance processes that it was due to do, and it did user acceptance testing over the summer, which raised a number of issues that it wanted to resolve before the system went live. It has now resolved the user testing issues that came up. You would not do staff training until you had the final product that you were going to roll out. The company needed to iron out those other issues first.

Why has it taken six years in the first place? Is that not unusually long?

Sharon Fairweather

I do not have enough detail on the project to be able to answer that question. We can certainly get more information for you.

Okay. I am also bound to ask whether that is on budget.

Sharon Fairweather

Yes, it is still within budget.

The Convener

Okay. Thanks for that answer and your other answers.

I thank Sharon Fairweather, Geoff Huggins and Yorath Turner for their contributions. That ends the public part of this morning’s session. We will now go into private session.

10:12 Meeting continued in private until 11:39.