Home Affairs Committee oral evidence: Harnessing the potential of new forms of digital ID (Science, Innovation and Technology Committee joint session, November 2025)
The Government's One Login let its certification lapse; the infrastructure and technical abilities around digital ID are already being developed by GDS, but policy and legislation will sit with the Cabinet Office.
Science, Innovation and Technology Committee
Oral evidence:
Digital centre of Government
, HC 790
Wednesday 19 November 2025
Ordered by the House of Commons
to be published on
19 November 2025
.
Watch the meeting
Members presentDame Chi
Onwurah
(Chair); Emily Darlington; Dr Allison Gardner; Kit Malthouse; Freddie van Mierlo; Samantha Niblett; Dr Lauren Sullivan; Adam Thompson; Martin Wrigley; Daniel Zeichner.
Questions
270
-
35
0
Witnesses
I
:
Rt hon.
Ian Murray
MP, Minister for Digital Government and Data,
Department for Science, Innovation and Technology
; and Emily Middleton, Director General, Digital Centre Design, Department for Science, Innovation and Technology
.
Examination of witnesses
WitnessesIan Murray MP and Emily Middleton.
Chair:
Good afternoon. This is the final session of the Committee’s inquiry into the digital centre of Government. We are pleased to welcome Minister Ian Murray and Emily Middleton, who is director general for digital centre design at the Department for Science, Innovation and Technology. I should declare that I worked with Emily in opposition when she was seconded to the shadow science team. We have a lot to get through, and there is a lot of interest from Committee members. I will hand over to Emily Darlington
to kick us off.
Q270
Emily Darlingto
n:
It is always nice to have more than one Emily. Welcome, both of you.
First of all
, I think the Committee is quite interested in understanding what the opportunities of creating a digital ID will be for the digital centre of Government, and in understanding the relationship between the citizen and the state. Who wants to go first?
Ian Murray:
I think you can never have too many Emilys, so thanks for the question. And thank you, Chair, for the invitation to participate in your inquiry.
There are
a number of
answers to that question. The first is the policy answer, in terms of what has already been announced by the Government in terms of having one digital identification on your smartphone that can be your gateway to all Government services. Obviously, the first use case has been done—mandating it to demonstrate your right to work, which is already almost a mandation anyway, because it is illegal for employers to employ workers who have no right to work in this country.
The options and opportunities
from that are vast. In fact, they are limitless in that sense. To give you one small example of how this could work, the communication and interaction between the Government and the citizen are crucial. If you think of any Government service where you
have to
log in—I think there are 144 different services that you can log into, all separately at this moment in time—you have to prove who you are. If the Government could know who you are automatically, and if you could tell the Government who you are automa
tically, think about how that would make citizens’ lives much easier when interacting with the Government.
Tomorrow we are launching GDS
Local
, which is the Government Digital Service for local authorities, to try to make their relationship with their citizens much easier as well. If you think about the kinds of services that local government delivers, it is right at the frontline—everything from very emotive and difficult services such as social care and social work, all the way through to collecting your bins. Having that digital interaction with Government makes things hugely efficient.
It also makes data safer, because digital ID would
put data under the control of users—the citizens themselves. On top of all that, it would mean
that any time any Government service requires you to verify your identity, you would know it was verifying it, and it would only be verifying the bits that it requires. At this moment in time, for example, if you hand over a passport to show your identity, it will show your picture, your name and everything else on your passport. Your driving licence has your address on it, and it has your age, of course. None of
that would necessarily need to be given over, because you would only have to identify yourself for that single purpose on a binary basis: “Is this person who they say they are—yes or no?” If it is yes, you would be able to access the service; if it is no, you would be sent around a different loop.
I am not really answering your question directly in the sense of what the benefits are, but they are pretty much limitless. I think we pretty much have an analogue Government in a digital age, and we need to bring
people along with that.
Q271
Emily Darlington:
Thanks for that answer. That raises
a really important
question, one that we have been discussing on the Committee. The digital ID development now sits in the Cabinet Office and digital
Government
now sits with you, and it is quite clear that the way in which the digital ID is developed will dictate the interaction with digital
Government
. How are you going to contribute to the development—what kinds of tech platforms, how it is introduced and all of that—and how will that feed into the work you are doing
on digital
Government
, now that it sits in two different Departments?
Ian Murray:
It is not unusual for that to happen. The Cabinet Office is obviously the overarching Department for the whole of Government, and therefore to make this process work, all of Government
has to
work together. This
particular first
use case is coming from the Home Office, the Passport Office as part of the Home Office, and indeed the Cabinet Office, working with DSIT and GDS to deliver it. They will deliver the policy, the implementation of the policy and the legislation, but the back-end technical side of it
will be delivered by GDS.
It is not unusual for that to happen and GDS delivers a whole host of services on behalf of other Government Departments and cross-Government Departments. It is up to us to deliver that infrastructure, and a lot of it is already under significant implementation already—think about services such as One Login, the gov.uk app or the Government wallet. We have just launched the digital veteran ID, and the driving licence is on the way shortly. The infrastructure and technical abilitie
s around the process of digital ID are already being developed and have been developed by GDS, but the policy and the legislation will sit with the Cabinet Office, because it requires both CSPM on behalf of the Prime Minister to deliver it and a cross-Government approach in terms of accessing both data and policy.
Q272
Emily Darlington:
So
the tech and the interoperability will sit with GDS, and the policy and potential legislation will sit with the Cabinet Office. Am I getting that right?
Ian Murray:
That is
absolutely correct
, yes.
Q273
Emily Darlington:
That gives us a bit more
clarity than where we were before. I also want to ask a final question about the development of Government digital services, with a particular lens on violence against women and girls, because as a
Government
we have the huge ambition of halving it. Government services often put women at risk, including publishing addresses and other information. I am using violence against women and girls as a lens, but there are other clear priorities that digital
Government
can either help—it co
uld help to hide some of that information from potential abusers—or really hinder. You could also talk about it in terms of children’s social care; again, there is an exposure issue there that could put children at risk. How much are you looking at the development of Government digital services through the sorts of priorities that the Government have? What kind of safeguards are you thinking about putting in place in those areas?
Ian Murray:
If the baseline for answering that question is where we are today, digitalisation of Government makes all those kinds of policy issues easier to deliver. At this moment, we basically run on a paper system—an analogue system. If you are trying to protect people’s identity, in the context of violence against women and girls, when someone is fleeing an abusive partner, that is one of the examples that has been given to me directly about how digital ID would be a huge benefit, because you could identify who so
meone is without releasing data. You are not holding data in filing cabinets in an analogue and physical way. I very much see digital
Government
as being part of the process of anonymising data, making it more secure, and making the citizen more secure, because they would know how and when to use it. That is opposed to an analogue system. In the case of violence against women and girls, a fleeing abused partner, for example, having to navigate a council or justice system in an analogue way does not seem to
be the way in which you protect their anonymity and safety.
Emily Middleton:
There are a couple of ways that we are looking at digital ID to be privacy preserving. One is that with a digital ID system, versus paper documents like a driving licence, the user only needs to share the exact piece of information or eligibility—that fact that they are over 18, for example—and not share their full address or date of birth. It also means that for women and girls in situations like you mentioned, if they are suddenly away from home, or even if their device gets stolen, the credentials can b
e revoked. It should provide security for individuals in those situations. That is certainly something that the team going to the consultation will be looking at.
Q274
Chair:
I just want to clarify; you said a couple of times that work checks would be the first use case for digital ID. My understanding was that it would be the first mandatory use case, but not necessarily the first use case.
Ian Murray:
I suppose, for clarity, it is the first use case that was announced by the Prime Minister when he introduced the policy of digital
ID. That is to be done by 2029—by the end of this Parliament. That is the only use case at this stage that has been publicly announced.
Chair:
The only use case?
Ian Murray:
The only use case that has been publicly announced, although the Department are working on a whole host of use cases—everything from anonymity to accessing DWP.
Q275
Kit Malthouse:
Is it envisaged at this stage that there is going to be a kind of biblical census, so that everyone who is currently employed—all 24 million of us or whatever it is—will have to go through this identification process?
Ian Murray:
No. The policy is clear that it is not retrospective, and therefore only for people who are moving jobs or taking on jobs for the first time.
Kit Malthouse:
So just for new joiners.
Q276
Dr Gardner:
I will stick with the question of the mandatory nature. I acknowledge that it is already mandatory to have right-to-work checks. I am a big advocate for digital identity. I am chair of the digital identity APPG, and I have also previously audited algorithms to do work on digital identity—I
have to
have that in my entry in the register of Members’ interests. Trust is
really important
for citizens to be able to use this, and to have trust, they have to have control and choice.
Do
you
think
,
Minister
,
that, t
o have the choice
of
whether to use a digital ID or digital wallet or not—and, particularly from a national resilience point of view, to have the added security that comes from having those two options—making digital identity mandatory for work checks could be a problem if there is a failure in the
system?
Ian Murray:
I suppose there are a number of elements to that, the first being that making it mandatory for new right-to-work checks is very much a similar scenario to a passport not being mandatory but being required to travel
. So the use case for that is mandatory.
I would hope
that,
because people would
see the benefits of digital ID
, they would
sign up. In countries
like Denmark, they have had
90-plus per cent of the population
signing
up on a voluntary basis
because they see
the benefits of that.
There is also a
second track to that, of course, because there will be people who are not digitally excluded
,
but for whom it is impossible to be digitally included, whether because of significant disability, mental impairment and so on. There must be another track for them to have a non-digital way of proving their identities as part of the process.
Perhaps to put your mind at rest, the consultation that will be launched to implement digital ID will look at all those questions. The reason we have essentially launched the
policy before the consultation was to try to tease out some of those issues to influence the consultation, rather than the Government launching a policy and the consultation with it. I would very
much hope, and think, that the question you asked will be a key part of the consultation.
Q277
Dr Gardner:
That is interesting to hear. I am just worried
that
we are b
acking
ourselves into a corner by making it mandatory for right-to-work checks rather than having that flexibility, because if it is as good as we say, people will voluntarily use it
,
as it will offer
them
more protection. I wonder whether we can have some flexibility on that.
Ian Murray:
I would hope
that
businesses would want to use it as well, because they
, at this moment in time,
have
this
hugely bureaucratic and burdensome data issue in checking people’s passports. It should cut error, be much more efficient and cheaper, and give confidence to businesses and
the
employee
that checks are being done properly and efficiently through a digital system
,
rather than having to use
potentially—
Q278
Dr Gardner:
There are plenty of popular use cases for driving licences with hauliers and those with health issues there.
Moving on, looking at the trust aspect, it is claimed that we are going to use a federated data system. Could you outline exactly what you mean by a federated data system—in that we are not combining departmental datasets? How will this work in practice, and what assurances can people have that there will not be cyber-security breaches? I think other people will come in on that one. Just a little nu
gget
there is:
can we be assured our data is held in this country?
Ian Murray:
The whole point of a federated data system is that Government Departments already hold the data, and they should continue to do so because they are the best custodians of the data they require for the uses they require it for.
The way the system would work—and the best way it has been described to me from a technical perspective—is this
. I
f you ask a question of digital ID, tak
ing for example, the DVLA,
in basic terms, the only thing the
DVLA
exists for is to determine whether an individual can drive or cannot.
Therefore,
the two pieces of data that are required from DVLA for any other Government Department
are:
who this person is
—
so their identity
—
and
if they can drive. All
you need is a yes to both those questions to pass that particular gateway.
The reason I give that example is that the federated data system allows you to dip in and a
sk the question of the dataset you
want to ask
, rather than having a consolidated dataset that is less secure because everything is in the same place.
In that example, it makes data more secure than it is at the moment
,
because it stays where it is, and privacy
much
more secure
,
because it allows you only to ask questions of the data for the purpose you need to ask it
;
and of course, the citizen would know that that Government Department had asked for that data.
It is very similar to a credit check
,
in the sense that if you go into your credit report, it will tell you everyone who has asked for
or looked
up
a
credit check on your report. It will be something similar to that
,
as we envisage the system to be.
Q279
Dr Gardner:
Thank you for that.
A final question
: l
inking with the trust, control and choice theme, the digital identity and attribute
s
trust framework sets standards in areas such as privacy, cyber-security and inclusivity, and it now has statutory status
under
the Data
(
Use and Access
) Act
. We have 43 accredited organisations under the trust framework, with 11,000 jobs providing digital ID and digital wallet services, and it is interesting that the Government’s One
Login let its certification lapse.
My question is:
does the Minister think we need to consider developing an ecosystem where citizens can choose to use the Government digital ID and wallet system with private providers as well, which have been accredited by the Government already? This is standard. What assessment have you made about the impact of producing a Government digital ID and wallet system on that sector?
Ian Murray:
Can I just clarify one issue? You said the Government allowed the certification to lapse, but that is not the case—
Dr Gardner:
One Login.
Ian Murray:
I think what happened was that one of the suppliers let its certification lapse because it did not realise it had to renew it. The renewal process takes some time, so the certification takes some time to come through. There was no breach in this sense; it was merely an oversight. When that process is run through for that particular subsidiary to have its certification, the whole of the system will then be re-certified. There wasn’t a lack of certification from the Government side; it was one of the supplie
rs that lost its certification.
Q280
Dr Gardner:
What about using the private providers and the impact on them, and also offering people the choice to use either those or the Government system?
Emily Middleton:
In terms of the role of the private sector digital ID market, we have already been engaging very intensively with that group through the development of the digital wallet this year. We have had some good engagement there and would expect that to continue through the consultation. We very much expect there to be a role for those providers, but exactly what that looks like is something that we will need to work through.
Q281
Chair:
Just to clarify, you said that the trust framework that Allison talked about—the certification of One Login—is not compatible with European standards, which are to a higher level of certification, which addresses issues such as deepfakes. Yesterday, the Home Affairs Committee heard from the technical experts that we should raise the standard of certification for One Login to be compatible with the European requirements; people might want to use their digital ID in Europe. Do you plan to do that?
Emily Midd
leton:
The team is really actively talking at the moment and exploring exactly what that looks like, so discussions are definitely ongoing.
Q282
Chair:
Could you write to us and let us know what your timelines are on that?
Emily Middleton:
Of course, yes.
Q283
Daniel Zeichner:
Very nice to see you, Minister. I am going to go back to the One Login issue, because I want to ask about how user friendly it is. I am going to be the grumpy person here who has spent many a weekend trying to deal with the Companies House requirement at the moment. When I got to the end of the process—having been rejected for the umpteenth time, or told that I didn’t have a sufficiently up-to-date Android operating system, or that I was not capable of clearing the cache or finally that, “If you don’t reso
lve this, you are a criminal”—I have to say that, to me, it did not feel the most user-friendly process. Do you have any statistics on how many people are having similarly difficult encounters and how many people are sailing through it, as others have told me they do?
Ian Murray:
I can certainly write to the Committee with the stats of where things are not working or where things are failing. My own Companies House identification process failed because my address does not match its numbering system, because of numbering in Edinburgh tenements, but that is easily resolved. More than 13 million now have a single One Login—that is a huge number of people. It is delivering huge savings. Having the Companies House, through the business side, being part of that identification process for
One Login is really helpful, because it is the business adoption side that we want to be able to progress quickly. I don’t have those stats to hand, but I am certainly happy to write to the Committee with them.
Q284
Daniel Zeichner:
Don’t get me wrong; I absolutely support what you are trying to do. I suppose I would just ask how many people above those 7 million have given up in frustration. A few years ago, I had a similar experience with Verify, which was an equally frustrating system for some of us. I suspect it is exactly as you say: it probably works for very straightforward cases, but for non-straightforward cases, such as MPs, who often live in more than one place, these are the problems. My worry is that we end up with a larg
e number of grumpy constituents, and we don’t want that, do we?
Ian Murray:
A larger number—I’ve got grumpy constituents already.
Daniel Zeichner:
A larger number, possibly, yes. I would be grateful if you could get that information.
Ian Murray:
If you want to drop me a note
about the exact processes that you went through and what subsequently failed, we can look at it directly.
Daniel Zeichner:
I am in regular contact with your helpful help desk.
Chair:
Thank you
, Daniel—the fewer grumpy constituents, the better.
Q285
Freddie van Mierlo:
A number of constituents have been in touch with me since the Government’s announcement. An overriding concern is cyber-security and the security of the data. Have data breaches happened in any other similar systems that you have looked at across Europe?
Ian Murray:
I will pass to Emily for some of the analysis, but the consultation to be launched about digital ID will look at, and try to assure on, all such systems. It will be the safest and most secure system that we can possibly design, and the safest and most secure system in the world that we can possibly have, because we will learn best practice from the other countries that you refer to. Having the federated system, however, the data already sits there. Therefore, the digital ID system will be simplifying all t
hat with One Login and the identity for the gov.uk app and the wallet. This is a way of simplifying all that to make it more secure.
At this moment in time, Government security is pretty good, in how all that is protected, but to think about the opposite, that would be to bring all the bits of Government data into one aggregated system and to use that. That, just by the nature of it, would make things less secure. I am confident that this system can be designed to be very secure. I am confident that it will
keep people’s data secure. I think it will be much more secure today than it was yesterday, in that sense.
Emily Middleton:
May I add to that? You might be referring to the data breach that the Estonian Government encountered. Certainly, we are studying examples around the world, and one of the benefits of going a bit later is that we are learning those lessons. The Estonian Government changed some of their cyber-security practices significantly as a result. Our teams co-operate, and we are absolutely learning those lessons. Security and privacy will be one of the things that we look at as part of the consultation. As well as e
ngaging with the public, civil society groups and the private sector as widely as we can, we will engage with experts. We also have National Cyber Security Centre expertise embedded in the way that we are working at the moment. We are taking it extremely seriously.
Q286
Freddie van Mierlo:
Yes, you did get the answer right—Estonia and Germany are among other countries that have had serious data breaches. From a technical perspective, will you explain how linking our existing datasets—which are separate—with a single point of entry does not create additional risk, rather than leaving them separate, where if someone got into one set, at least they would not have access to the others?
Ian Murray:
I am trying to think through a schematic diagram in my head. In essence, your question says that the 144 separate logins we have at the moment is more secure than having one.
Freddie van Mierlo:
Yes. The datasets are separate.
Ian Murray:
It would depend on the purpose for which you are using the One Login. At the moment, One Login gives you access to all the services that are there; it does not give you access to your data. When you
onboard a Government Department through that, it just means that you are logging in through One Login, rather than having to log into the DWP’s 30-odd different systems for different processes. I think you are asking two separate questions: first, does One Login make it less secure than having separate logins?
Secondly, are we joining together data? I do not think that we are joining together data in that sense, because you would still have to go through to the individual services, where the data would be held at those individual departmental levels. If someone were to steal your One Login, does that make it more or less secure?
Emily Middleton:
We expect that, with a digital identity, that would be protected, just as when you use your phone you might use a passcode, face ID or touch ID, and so on. It will not be easily stealable in that sense. The digital identity is not the same thing as joining up data. One of the reasons why it is more secure to have—in this case—one way of logging into services is that the threats that any system experiences change and evolve over time.
We constantly have to invest in capacity to make
sure that we are keeping
up with those threats and that we are continually investing in that. It is never a one-off bill; we need to continually invest in the systems to secure that. Doing that once and doing it really well helps to improve security in that sense.
Ian Murray:
In the digital ID space, if someone stole your identity, it could be switched off and replaced instantaneously. If somebody steals your identity now, you have to go to each individual place that requires your identity to change it, whether it be your bank, Government, local government or your employer. Having things digitised makes it much more flexible, which makes it more secure.
Q287
Freddie van Mierlo:
You have mentioned a few times that having something digital is safer than having something analogue. Can you explain what the evidence is for that? Why would having something stored on computers in a large dataset be safer than a file in my house?
Ian Murray:
Well, we have all lived in fear of losing our passports on holiday, haven’t we? To take the passport example, if you lose your passport, it is an incredible administrative burden to get one back. You have to apply for it, you have to prove that you have lost it and then you have to wait. You have to pay for it as well. If you were to lose your digital ID, it could just be cancelled and replaced.
Kit Malthouse:
A passport is more secure.
Ian Murray:
Having a passport in your pocket as opposed to a facially recognised digital ID? I would argue that the latter is much more secure if you are talking about hosts keeping digital identification documents compared with keeping them locked in a filing cabinet in a safe in your house. It is the usage of them, rather than where they are. You need you need identification to get on a domestic flight these days, so you have to carry your passport or driver’s licence wherever you go. That is much less secure than h
aving a proper digital ID that is protected on your telephone.
Q288
Emily Darlington:
Surely the point is that the person who has stolen your passport can then use it to access your services and pretend to be you. That is where the security comes in. A digital ID—
Ian Murray:
You switch it off.
Emily Darlington:
You switch it off, so it cannot be used by anyone to fake being you. That is one of the problems we have had consistently with national insurance numbers. There is nothing but a number and a name attached to them and people are using them.
Kit Malthouse:
Yet fraud and impersonation are rampant online.
Q289
Chair:
Equally, nobody can steal your passport from your pocket from Russia, for example, unless they send over an agent, whereas they can online. Could you have another go at explaining why digital ID is necessarily more secure?
Ian Murray:
In response to what Mr Malthouse just said about fraud and impersonation being rampant online, that is the whole point of having a digital ID. Then you are able to prove who you are online in a way that is reciprocal for the receiver. For example, if you were using your digital ID to prove your age, the system at the receiving end would be able to take your digital ID and say, “This person is who they say they are. They can pass that threshold.” The reason that digital identity theft is so rampant online i
s that we do not have a digital ID system. There is no verification process.
Dr Gardner:
I think we are overcomplicating a little bit. When I applied for a car loan, I was asked to give multiple bank statements, a copy of my driving licence, a copy of my passport and utility bills, which are a nightmare to download and get a paper version of. It got so bad that I ended up asking them if they wanted to know my bra size. That was for a car dealer. I am giving them photocopies of all my digital documents, and I am genuinely worried about identity theft. It would give me more assurance if I could
give them a one-off digital link to my wallet, where they can view the documents, but cannot print or download.
Chair:
That is a really important point, but Freddie was making the point that digital ID in itself is not necessarily secure or safe. It depends on the systems that implement it and the security around it. Witnesses, perhaps you could write to us to set out why a digital ID is necessarily safer and more secure than a physical document.
Q290
Kit Malthouse:
The crucial thing about analogue current ID is that there is some kind of connection between my documentation and my physical appearance. It is either my face, my fingerprint or something about me physically that is identifiable; with digital ID, that is not the case. I could give my wife whatever logins are required to my digital ID, and she can go off to be me, in the same way as I can give her my credit card and she can go to spend using it as she wishes. It is about the connection between my physical b
eing and my identification purposes—it is why I have a photograph—
Ian Murray:
That is why I am saying the question is actually two questionsabout having access to people’s data and what you use it for, and it being much better to have an electronic version that says yes or no, rather than screeds of photocopied documents; as opposed to it being about whether it is more secure to have a digital ID. You could not hand your wife your digital ID on your telephone because—the consultation will tease all this out—for one, it could have your photograph on it; also, she would have to be a
ble to access your telephone and she would be using it for the purposes of committing fraud, because she would not be the person she said she was. I can understand why criminality might be a slightly different thing in the question, but it is much more secure to have a digital ID than not.
Chair:
W
e need to move on, but it is worth you or Emily writing to us to set out the arguments, because of the counterarguments that could be put to some of what you have said, so perhaps you can take the time to answer. This is quite a basic question: why is digital ID necessarily more secure than physical documentation? I think there would be a lot of interest in your response on that. We will move on to Lauren’s question.
Q291
Dr Sullivan:
It is kind of linked. I am grateful that we are having this conversation ahead of the consultation, because I am hearing the arguments. You touched on digital inclusion and exclusion earlier. You mentioned some groups that are unable
to access Government things through digital ID, and some that do not want to. Will there be assurance that they can still have access to Government facilities and help? On that point and speaking about Emily’s point about violence against women and girls, in a lot of controlli
ng and abusive relationships, they could still give the facial recognition ID and potentially get into the Government systems to get the benefits paid to that partner, or whatever. I want to raise that with you while thinking about safeguards. Can you expand on those?
Ian Murray:
To take the second question first, those safeguards will all be part of the consultation, of course. Many—a multiplicity of—different questions will have to be asked about how we design a system for those particular issues. Will we be able to cover them all? They are endless, are they not? Those will be the serious issues that we have to deal with in terms of such ID—violence against women and girls, other abuses of the system, Mr Malthouse’s wife stealing his credit card, and that kind of stuff—
Kit Malth
ouse:
She does not “steal”
;
I am happy, on occasion, to give her the details.
Ian Murray:
Those kinds of issues will come through the consultation. On the first part of your question, which escapes me—
Dr Sullivan:
It is about digital inclusion and groups left behindthose who cannot access and those who do not want to access digitally.
Ian Murray:
Let us take some of the figures75% of the public have an active passport and 10% have an inactive passport that has expired, so
85% of the public already have the data a digital ID backbone would be built on. Digital inclusion is going to have to be a huge part of it, because we will have to get the people for whom we do not have that data to get them onboarded. There will have to be a front door to take through that process people who cannot use the system, whether digitally or otherwise. I have always
seen that as a very positive thing.
Governments for too long have talked about digital inclusion, but have never quite got there, although a lot of great work has been done. Therefore, both the connectivity part of it and the digital inclusion part of it can be turbocharged by this process, because it has to happen to make sure people can access those services.
As I said to your colleague, for people who just cannot, there will have to be an alternative
. It has not yet been designed but will obviously be part of the consultation process and the results of that. Is that fair?
Q292
Dr Sullivan:
Yes. I have one final small point. With the digital ID that I hope will not be mandatory, there is no way that somebody could Photoshop and go, “Yes, I am over age or under age” or anything like that? There is no simple fraud element?
Ian Murray:
Again, we have not designed the system, but if you think about things like a live concert ticket, it has an active QR code and refreshes either constantly or at various points, and you would therefore not be able to do that. The receiving system would be the same, updating all the time the data it would require.
Q293
Adam Thompson:
Good afternoon to you both; thanks for joining us. I am going to move on and talk about the digital and AI road map. I think this was originally promised for summer 2025. If today’s weather is anything to go by, it is definitely not summer any more. When will the document be published and what is the explanation for the delay?
Ian Murray:
Since coming into
Government
, I have realised that spring means anything between 1 January and 31 December. We had the blueprint published at the start of this year, and the road map is essentially the implementation of that blueprint. There are a number of reasons why it has not yet been published. The first one is that we have a new Secretary of State who wanted to make sure her priorities were reflected in the blueprint and the road map. Delivery has not been stopped. We are still doing an awful lot of
the road map work to implement the blueprint. That is the first part of that.
We also want to make sure we get this right. This is a huge opportunity. The blueprint was well accepted and much lauded and we want to make sure the road map to implement it is right; that is key. The new Secretary of State has been very clear to all her Ministers and colleagues, both across Cabinet and other junior Ministers across Government, that she wants to work at pace. She wants to get the adoption and implementation of th
e blueprint done as quickly as possible. The road map will come out shortly and will have the new Secretary of State’s stamp on it. Emily can
maybe talk through some of the delivery things that are still happening as this process goes on.
Emily Middleton:
Delivery has been going on at pace, as the Minister says, both in GDS and the digital centre in DSIT and across Government. The things promised in the blueprint included five kickstarters. Those were designed to get stuff done quickly, build momentum and show the direction of travel. On all five of those, we have either completed them or made significant progress. The gov.uk app was released in public beta in July. It has already had 200,000 downloads and some really helpful user feedback, which is allowin
g us to iterate it. In addition, gov.uk chat will allow people to interact with the now more than 700,000 pages of gov.uk content much more easily in a chat function. That beta has been done and will be released in the app shortly.
We also talked about an AI accelerator programme. This is important for us to make sure we have the right talent in the civil service. The programme that we initially piloted was about getting data scientists who are already in the civil service and giving them the machine learni
ng engineering skills that they need. Our first cohort of around 25 has just graduated. The second cohort is in progress, and we have been inundated with applications for the next cohort, so that is something we are keen to scale up and continue.
We have had lots of discussion already around cyber-security. More than 600 organisations across the public sector have signed up
to our cross-
Government
vulnerability scanning service, which is now live. That service is helping to identify and fix more than 100 critical vulnerabilities every single month.
The final kickstarter that we talked about in the blueprint was around service transformation and being better able to join up services, particularly for people with long-term health conditions, but also in other circumstances. We have completed a discovery phase in that work. We have published some of what we have done in a blog o
n gov.uk.
That has informed the creation of a new service transformation capability
, which
we will release more information on shortly
.
All that
is in addition to a huge amount of work on the spending review and making sure that we have the right investment in digital
,
data and technology right across Government. We work very closely with the Cabinet Office and Treasury on that
. Over the next spending review period,
£20 billion
is
going into digital
,
data
and
technology service modernisation
—
a
bout
double the
amount in the
previous spending review
.
We are working with
D
epartments to gear up for that and make sure that
good
delivery plans
are
in place
and
that the
money will be spent
w
ell.
S
ome highlights of that
will be included in the road
map
. T
hat will be a really important moment of transparency so that the public, public sector frontline workers and businesses can understand what is coming in
the
digital transformation of services and what it means for them.
It
is also a really important commitment device
and
accountability device for
D
epartments
,
to make sure that what they have designed
for
service transformation
, that
investment
,
stay
s
there and get
s
delivered.
I
am happy to go into more things, but a huge amount
is
under
way.
Q294
Adam Thompson:
Great. Thank you both very much. That was really comprehensive
,
Emily
. O
ne thing you did not mention
is
the
n
ational
d
ata
l
ibrary that
has
been promised.
Will
any plans for that
be
coming in the road
map?
Emily Middleton:
Yes, the n
ational
d
ata
l
ibrary will be included in the road
map.
That team have been doing
really extensive engagement with experts
, civil
society
and
others
, and they
have been particularly keen to learn the lessons of previous data initiatives
by
Government
,
to make sure that the
n
ational
d
ata
l
ibrary is very outcomes focused
, and that even
though it has a big ambition
, it
starts small
. More
on that will be coming soon.
Ian Murray:
I will say two brief things
on the basis of those two questions. First, I encourage the Committee, if
this
is acceptable to
GDS
,
to go and have a look at some of the pilots. I
have
used
gov.uk c
ha
t,
which is
superb because you can put in questions directly and it is pulling
answers
straight from the 700,000 pages of information from Government.
You
can put in really complicated questions
, and
the answers that it gave me were completely accurate
; they
were double
-
checked
. It
was an incredibly good service,
so hopefully that will give the public much better interaction with Government.
The n
ational
data l
ibrary is one of my big priorities. I think this is one of the most exciting thing
s
that
Government can do,
given
the datasets that we have.
The
UK has some of the richest datasets in the world, and we have to be using that
to
our advantage in terms of Government policy, but also utilisation across the economy.
Q295
Adam Thompson:
Great. Thank you both.
That is v
ery positive.
In the
blueprint
, there is a comment about how you will “
drive and measure progress against
the
outcomes described
”
.
Could you
elaborate on the metrics that you
will
use to do those measurements?
Emily Middleton:
Thanks for the question.
The
state of digital Government review
found that one of the five root causes
of the Government not making
as much progress
on digital transformation
in some areas
as in others
is the lack of
really
consistent metrics
, so this
is something that we
take
incredibly seriously.
We are looking at metrics on a couple of different levels. One level
is the
outcomes that you mentioned
:
easier lives, faster growth
,
firmer foundations, smarter organisations and higher productivity and efficiency.
In each area, we
are looking at a bundle of metrics that can help us
to
see in aggregate
—
overall
—whether
Government
are
moving in the right direction.
For
instance, on easier lives, we might look at performance data from a particular bundle of services
—things
like adoption, completion rate
and
cost per transaction
. P
roductivity and efficiency are a bit more self-
explanatory. For firmer foundations
, we
would want to look at how we are addressing the density of legacy systems across Government
. We also have GovAssure, which is our
framework for measuring progress on cyber
-
security
, so
we would look at those sorts of pieces.
That is
the outcomes level.
T
he road
map
also sets out that we will
look at specific outcomes for tracking different initiatives, products and program
me
s
. A
s you would expect
, those
link to their business cases. There will be some specific things there.
The final level that we are looking at is departmental digital performance.
It
is important to think of
the digital performance
and
health, if you like, of each organisation
. At the moment, we
are piloting digital business reviews with
D
epartments
and
DSIT; those are
chaired by our permanent secretary
, so we are
making sure that they have clout and importance within organisations.
We are also working on piloting a dashboard that will look at these different areas on a departmental level, such as digital talents and how many civil servants in the Department are digital data tech spe
cialists. We will look at legacy, cyber-security and service performance.
Those are the three different levels that we are looking at, but we are taking the time to make sure that we get it right and have the buy-in across Departments, so that we have a consistent set of metrics that we can use.
Q296
Chair:
I have a couple of quick questions about the new GDS. You talked about the road map—when we eventually see it. In terms of the new GDS, when will a permanent Government chief digital officer be appointed?
Ian Murray:
As I understand it, there will not be one.
Chair:
Why? Who took the decision that one was not necessary?
Ian Murray:
That is a great question. I think the decision was just taken that we were not planning to have a new CDO, the purposes of which were that the transformation of the Department and modernising Government did not require us to have that. The GDS and DSIT are doing the work through the permanent secretary, and the permanent secretary is taking the lead on that. We thought it was far better for the Department to take the lead than to have a CDO.
Q297
Chair:
Okay, so the permanent secretary at the Department, who I think we will see with the Secretary of State, will have the talents, attributes and experience required for a chief digital officer?
Ian Murray:
It is also a governmental processes issue. Keeping these issues at permanent secretary level is the way to get a cross-Government approach to it. That is the decision that has been made.
Q298
Chair:
I think part of the challenge, though, is the experience and knowledge. That is an issue that has come to us before. The civil service
does not necessarily have the experience, and it is so important that digital transformation is driven by those with the right level of skills. We will look at the skillset of the permanent secretary and see if we understand the decision that has been made.
On the new GDS, we have seen the remit and the key responsibilities of the new GDS, for which its budget has been prot
ected and is rising to £418 million. Those responsibilities do not include digital ID. Does GDS have any responsibility for digital ID, and will there be any additional funding to go with it?
Ian Murray:
GDS does have the delivery aspect of the mechanics of digital ID. The funding of that—we have been asked a number of times about the costs—will be determined by what the situation looks like. That can only really be measured after the consultation has closed and been analysed, and we determine which kind of system we will build. That will determine the costs. At this moment in time, it will be met from the GDS budget—the DSIT budget.
Chair:
Sorry?
Ian Murray:
At this moment in time, it would be settled by the current spending review arrangements for DSIT.
Q299
Chair:
It will be within the current spending review. Looking at the responsibilities now, which include gov.uk, One Login and so on, we are adding the whole of delivery of digital ID, but we are not adding any funding. I say this with a week to go to the Budget—we are adding digital ID but no funding.
Emily Middleton:
May I clarify that point? DSIT will have responsibility for the technical design and build of the system. In terms of the funding, that will be met within the cross-Government spending review settlement. It will not necessarily just be DSIT, because it is a cross-Government priority.
Q300
Chair:
I think what you are saying is that you may get money from other Departments.
Ian Murray:
Yes, because money from other Departments will have to come in for the use cases, in terms of each of these other Government Departments. If you think about the efficiencies that are on the back of this, it is not just down to cost; the use cases also provide huge efficiencies, which feed into Government spending as well. That is why there is no direct—
Q301
Freddie van Mierlo:
Are the only use cases for work at this stage? Are you saying that the only money that will come in to fund this will be from the Department for Work and Pensions?
Ian Murray:
No, because the first use case of this will be in the Home Office.
Q302
Freddie van Mierlo:
Is that the only contribution?
Ian Murray:
No. It is the spending review settlement across Government.
Q303
Kit Malthouse:
But you have had that.
Ian Murray:
Yes, and it will be paid for throughout that spending review settlement, which the Government have already settled on.
Q304
Kit Malthouse:
So it is going to come from within existing funds.
Ian Murray:
Yes.
Chair:
Across Government.
Q305
Kit Malthouse:
That means things will be cut elsewhere.
Ian Murray:
Not necessarily, and that is the point I am trying to make. The costs of the entire system will depend on what the system looks like and what the capability of the system is outwith the consultation, as well as digital inclusion and all the bits that are attached to Digital ID. They will also depend on the use cases from other Government Departments, including both the cost of running the system and the savings that are subsequently made from having a much more efficient system. All those elements have to
come in on the spreadsheet, which will give you a figure at the bottom, and that figure at the bottom will be paid for by a combination of the spending review settlement at DSIT and the spending review settlements across Government in other Government Departments.
Q306
Chair:
I think what we understand from that—you have explained the process a couple of times—is that, as we all know, costs are up front when it comes to designing, delivering and implementing a system, whereas the savings come over time. How will the costs be paid for up front, when the savings are in the future?
Ian Murray:
The spending review is a three-year spending review on a two-year rolling basis. There is that three-year window, which is where we are at the moment, and the use cases, the system and how it is designed will transpire over the next period of time when the consultation is concluded. You are asking me to determine how long a piece of string is, when we do not even know what the string looks like as yet.
Q307
Chair:
I do not think we are. We are just looking for a line item that says whatever the costs are, and that they are going to come from somewhere. What I think we are hearing is that it is going to come from other Departments, but we are not clear how, and it will transpire over time. Any clarity on that would be welcome. Government money is tight and we want to make sure that it is there.
Q308
Kit Malthouse:
To expand on your point, Chair, we may be in a position where the Home Secretary says, “Right, you are asking for £500 million for this thing that may yield savings. Do you know what? That is £500 million I’d have to take from policing or border security, so I don’t want your service. Thanks very much, but go and look elsewhere.” The delivery of it will effectively be down to negotiation with Departments.
Ian Murray:
That is not the policy of Government.
Q309
Kit Malthouse:
No, but that is how Government works, right?
Ian Murray:
This is a prime ministerial priority. On the digital ID side of it, GDS will build the system under the monitoring and policy development of the Cabinet Office.
Q310
Kit Malthouse:
So the Prime Minister will say, “You will cut UK policing by 500 million quid to fund this”?
Ian Murray:
That is not the case, and it is a rather blunt way of looking at the way in which this will be funded.
Kit Malthouse:
But that is how it works, Ian. I have sat on your side of the table—that is how it works.
Chair:
We still have a concern.
Q311
Martin Wrigley:
I am slightly confused about how you are delivering any savings with the right-to-work check, which is currently done entirely by employers and entirely remotely—they look at bits of paper, take a copy of people’s passports and save them. Nobody is going out to check it, and nobody is doing any of that stuff at the moment. There are no savings of any size, so this is just a cost—there are no savings in this first use case.
Ian Murray:
There are, because the whole point of having the system of a mandatory right-to-work check is that the Home Office is able to target where it uses its enforcement, and it can be much more effective and efficient in how it uses that enforcement. It gets a map of the whole system.
Q312
Martin Wrigley:
Those are not savings in that process.
Ian Murray:
Of course they are. Making Government more efficient saves an awful lot of resources. If you look at the blueprint, and the figures that are used in that blueprint, there are potentially £45 billion-worth of efficiency savings from embedding technology—AI and other uses—into Government process. Therefore, there are significant savings to be made across Government. In the way in which the first use cases will come forward, including not just digital ID but the implementation of AI, you can see how the effic
iency savings can feed through straight into frontline public services—think about it in the NHS, for example. The whole issue of digitising Government is about making Government much more efficient, which makes it cheaper, and you can then reinvest that money into public services.
Q313
Chair:
Ian, we are going on to many different services; it is now encompassing the entire cost of digital transformation. Can we stay on this policy?
Ian Murray:
It is part of the same thing, Chair.
Q314
Chair:
I understand that, but
we have a digital ID policy
that
has been announced.
There is
going to be a consultation.
There is
going to be implementation
,
and that implementation will involve costs. GDS had budgets allocated for One Login and other aspects of digital
transformation. For digital ID specifically, you expect
those
implementation costs to come from current spending review funding across Government
, not future spending reviews. Is that what you are saying to the Committee?
Ian Murray:
The policy runs over three spending reviews because it takes us up to 2029. The current spending review is the one that
has
been published by
the
Government
, but
if you think about the policy in terms of the first use case
,
to have digital ID up and running by 2029 is actually three spending reviews.
Q315
Chair:
Yes, b
ut when will you start spending money on digital ID?
Ian Murray:
To a certain extent
,
we are already
,
because GDS
is
building stuff that is directly applicable to digital ID already for other
use cases.
Q316
Chair:
D
o you expect funding for digital ID to come out of
the
spending review
that
we are currently
in?
Ian Murray:
To 2027? Yes.
Q317
Chair:
Okay. I think we should be clear that funding
will
need to come out of current spending.
Ian Murray:
There are three pockets of funding. There is the
build, there
i
s the onboarding
and there
are
the ongoing costs. Of those three pockets, the first pocket
is the
one that
,
in terms of build, is the most imminent. Onboarding is the next part
, and
then the maintenance of it on
an
ongoing basis is the third part. All of
those
will have different timescales and timelines attached.
Q318
Chair:
Okay.
I am keen for us to
move
on. I think Kit
is
suggesting that you could write to us
to tell
us what you know right now about the process. I know that the consultation is happening in January.
Ian Murray:
We do not have numbers.
Q319
Chair:
No
numbers
—
just tell us what you know about the process and how it aligns with spending review
s
.
Q320
Kit Malthouse:
You said you are building it already.
Ian Murray:
No, I said that there are elements of it that are being built already.
Q321
Kit Malthouse:
That must be costing.
Ian Murray:
You have One Login
,
for example. We have the Government wallet. We have the ongoing onboarding of the digital veterans ID card
.
Q322
Kit Malthouse:
Sorry,
Chair
;
I do not mean to interrupt
.
This is a policy that
has
been announced, so there must be a sense of what it is going to cost
in the three stages that you pointed out, or
are you saying
that
the Prime Minister announced something that was completely uncosted?
Ian Murray:
No, because the first element of that in terms of the build will depend on what you are building
;
the second element in terms of
onboarding will be depend
e
nt on who
,
why and how you are onboarding people
; and the
ongoing maintenance will depend on how the system operates. All those three buckets of costs will be determined
by
what kind of system it is you want to build and deliver
, and
then on top of all that, there
i
s a wraparound
, isn’t there?
Q323
Kit Malthouse:
I understand what you are saying. Effectively
,
what you are saying is
that
the Prime Minister has announced a policy with an unknown cost envelope that could be into the tens of billions
—
we don
’
t really know
—
but it is an aspiration that we want to get there. I guess the question is
:
is there a cost that might be too much
, so it
might be abandoned?
Ian Murray:
I could play devil
’
s advocate and say there might be a massive saving
, which would be advantageous.
Q324
Kit Malthouse:
That was
n’t
my question. I guess my question was twofold. Has the Prime Minister announced an open
-
ended budget for this, or is there at least a kind of stop
-
loss limitation cost above which you will not go?
Ian Murray:
That is only one element of the entire funding package of this, because the whole point of doing it is to make Government and the relationship with citizens much easier, much more efficient
and work better
.
Q325
Kit Malthouse:
We understand all that.
You have
said that
all
already.
I am sorry to press the point, but we are
asking
now
about
whether this is a proper plan with a budget and a sense of how much it is going to cost in its various stages, which you have outlined to us a number of times now. What you seem unwilling to tell us is whether there is, and there does not seem to be.
Ian Murray:
T
he budget for this, as has already been outlined, will come from
DSIT’s
current spending review budget and
the
overall Government spending review budget.
Kit Malthouse:
Yes, but what is it? How much is it?
Q326
Emily Darlington:
What is your
current
GDS
budget that you are using to create digital services
?
In the spending review
, you got
a GDS budget
. It would be useful for the Committee to understand how much you have for the
Government Digital Service
. I think what you are saying to us is that the predevelopment that is happening within this spending review phase is coming from the
Government Digital Service
budget that has already been agreed.
Kit Malthouse:
But, Emily, this is a new requirement on GDS. GDS’s budget will have been agreed in the funding round on certain assumptions about what it was going to deliver.
Emily Darlington:
Mr Murray said that w
e are already spending
because we are already spending on Government
Digital Service
. Digital ID is the way you access
Government Digital Service
, but the
digital services
spend
was already part of the spending review and is already an agreed budget, I would assume. That is what I am asking for confirmation on.
Ian Murray:
The GDS budget from the spending review is £1.2 billion over the spending review period.
Q327
Kit Malthouse:
That is £1.2 billion before the commitment to digital ID. The spending review envelope was agreed before the announcement of the digital ID.
Ian Murray:
In chronological order, that is indeed correct.
Chair:
It might be helpful if we ask the Minister to write to us. I think what
the Committee
is getting at is that there is an incremental requirement—does the Minister understand what that is, and where is the funding for it coming from? Would it help if we ask the Minister to write to us on that? I am not sure we are going to get to it now.
Q328
Kit Malthouse:
Completely. If our first use case is the Home Office, it would be helpful to have the numbers that
you
have shared with the Home Office, Mr Murray. Presumably, it has also been told, “This is going to cost x to build. You’ll save all this money over the next 20 years, chaps, but, actually, we need half a billion quid from you to build this first use case”—or however much it might be. Or, it is all, “Look, we’ve got this rather jolly idea. We’d like to have a go. Is that okay? No numbers, no pack drill—we'l
l tap it all out”? We are trying to gauge where you are between those two extremes.
Ian Murray:
But those two hypothetical extremes are over three spending reviews.
Q329
Kit Malthouse:
You cannot have announced this thing without having any idea of what it will cost.
Ian Murray:
It depends on the system that you design, and it depends on the savings that are attached to that system. There are massive savings to be—
Q330
Kit Malthouse:
I’m sorry to go round again, Chair, but to finish on this, Mr Murray, you sound like the kind of builder we all dread coming to our house, who says, “Well, you know, I’m not quite sure. You want a new kitchen, and it could be x—tell you what, we’ll build it and then tell you how much it’s going to cost.”
Ian Murray:
If I can take your analogy to the other side, you are the worst possible customer. You are asking me to price up a job, but you are not telling me what you want.
Q331
Kit Malthouse:
Right. So you do not actually know what you want as a Government. You have announced the policy, but you do not actually know what it is going to be or how much it is going to cost. You just have a vague aspiration that this is what you want?
Ian Murray:
There are huge efficiency savings for Government to come out of this process.
Kit Malthouse:
How do you know, if you do not know what you want? If you do not know what the product is, how do you know? Is it an article of faith?
Chair:
I think we need to move on. We have spent quite a lot of time on this.
Kit Malthouse:
Sorry to press the point, but it all seems rather vague, Chair. I was expecting, “Here’s the detail; here’s what we’re going to do; here’s the cost; here’s where we’re going—we’re off!”
Q332
Chair:
To be fair, we cannot have the full cost before we have the consultation. However, Kit’s point is that you have said that there is a specific use case and a timeline for it. There is incremental burden on GDS. Can we have an understanding of how you have analysed and assessed that? Can you write to us on that?
Ian Murray:
Yes. It will be delivered by the current spending review governmental budget and the DSIT budget.
Chair:
Excellent. We will see what your estimate of that might be. Freddie, I will ask you to come in really quickly, and then we will go to Samantha.
Q333
Freddie van Mierlo:
Did you look at how much it cost Estonia, or other countries that have implemented similar systems, to implement a system? Did you take that into account when you made this announcement?
Ian Murray:
Yes, but the process is going through now. As I explained earlier, there are two options for Government policy. You can announce a policy with a consultation, or you can announce a policy with a run-up to a consultation to develop what that consultation has to be. We have taken the latter approach. Therefore, all that work is
happening as we speak.
I know
that
this seems a bit like chicken and egg
,
or egg and chicken, but you do not know what a system
will
look like until you have done
a
consultation.
I think that is a really good thing for the Government to do—to determine some of these issues around violence against women and girls, which is the example we have had twice already this afternoon; to look at digital inclusion and what that means for people who either can’t or will never be able to; and to look at how that affects the economy in terms of how i
t is benefiting businesses and the economy more generally, and how it benefits efficiency in Government and local government. You look at all of that in the round.
If I was to sit here and answer Mr Malthouse’s question directly with a figure, it wouldn’t be accurate, and it wouldn’t be right to do so. I think you have to look at these things properly. I am sorry that Mr Malthouse doesn’t believe that Government should work that way, but that is the way we believe it should work.
Q334
Chair:
Minister, we have a duty to ensure that public money is spent well and that the GDS, as part of our scrutiny, has the money that it needs to
implement these important policies. We are trying to get to what your understanding of it is, so that we can scrutinise that in terms of following through on this very important policy.
Ian Murray:
DSIT as a Department did very well in the spending review, for the purposes of modernising Government.
Chair:
I am sure there isn’t money to flash around, Minister. Can I ask Samantha to move us on?
Q335
Samantha Niblett:
It is interesting to hear you say that DSIT did really well in the spending review, because that leads me nicely on to a couple of things I want to talk about in respect of procurement and vendor lock-in. By way of background and context, I used to work in the tech industry. I have tried to sell to public sector as well as private sector organisations, and I know for a fact how Microsoft have ripped off the NHS, and I say that—
[
Interruption.
]
Well, they have.
Chair:
Is this privileged?
Samantha Niblett:
It is a slightly loaded question, but we are all really keen to understand your perspective. I will focus on Microsoft for a second. We know there has been an MOU with Microsoft for £9 billion, which is an intention of spend over several years. According to the Cabinet Office, the Government spent a cumulative total of £1.9 billion on Microsoft software licences during the first five months of the strategic partnership arrangement. Does that suggest a potential yearly spend of £4.6 billion, bearing in mind
that the MOU was for £9 billion, which was supposed to cover several years?
This speaks to procurement and the buying power of Microsoft to lock in public sector customers—although not just public sector customers. They are enticed with cheap deals and then locked into a contract and charged exponential amounts. I will give an example: I have heard that DEFRA recently signed a contract renewal for Windows 10, which is now out of date, and that has resulted in DEFRA having to pay more for security checks be
cause they are using a very old version of Windows. I wonder how much scrutiny and attention is given to what seems like a good contract in the first instance, locked in with a single provider, that then ends up essentially ripping off the taxpayer.
Ian Murray:
It is a good question, and that is probably the genesis of why GDS and DSIT as a Department are trying to co-ordinate across Government. There are three elements to that. There is the strategy and policy part, in terms of what we want Government Departments to do not only to digitise their services but to make sure that their digital departments are getting the best out of technologies. The strategy and policy side of it has to be uniform across the Government. That is the road map that we will be publishi
ng soon.
Then there is the sort of central buying element of it. There is a multitude of contracts across Government for all types of different kinds of digital services. We want to try to make sure that that is consistent across
Government and that we get the best bang for our buck in terms of economies of scale by buying it together—cloud services being a big example of that.
The third thing, I suppose, with all the issues here, is to try to get Government digital officers and departmental digital officers to think about how they procure some of those big pieces of infrastructure together. We are trying to play a co-ordinating role in that, with best practice. It is about understanding what is in Departments and what they need, an
d making sure that they understand what they need to procure.
There is then a mechanism that overlays all of that, whereby DSIT look directly at particular contracts that are coming forward and give that assurance process. I am not quite sure of the level. There is no contract that comes forward above—is it £5 million?
Emily Middleton:
For spend, yes. That is what we would look at.
Can I add two things in answer to your question?
We are trying to balance two things here
. One is that there is serious fragmentation in the £21 billion that the public sector spends every year on technology. Cloud is a good example of that: central Government spend about £1 billion a year on cloud through a whole host of different contracts. We know we are not getting the value for money that we should be. One of the things we have committed to, through the digital commercial centre of excellence—that is a structural change that brings together tech expe
rtise in GDS with commercial expertise in the Government Commercial Function—is looking at how we can better buy once for commodity services and products. That is one of the things we are trying to do. At the same time—I think this is what your question is getting at—we know that there is a lack of competition
in some categories
.
Q336
Samantha Niblett:
Both a lack of competition and a lack of opportunity for smaller players to get a bite of the cherry. The use of Microsoft is another example: for some contracts, you can only upgrade for more Microsoft tools, rather than adding in other tools. This was brought to our attention during our innovation session, and it is a key focus of mine. If we go for economies of scale and engage with big tech organisations that are not based here, then we get our economies of scale, but is it taking with one hand and giv
ing with another?
We could support smaller players, particularly on cloud. I had a recent meeting with some smaller cloud players that are fighting against the big three. I know there is a live CMA case about giving two of the three—not Google, but AWS and Microsoft—strategic market status. We have these big players, which are not based here or paying corporation tax here, versus the smaller players, which we could not exactly take a bit of a gamble on but support, because we are committed to growing our st
art-up and scale-up community. They are based here, will be paying their tax here and will generate jobs here. When the Government are negotiating contracts, do they take into account supporting smaller businesses that are born and bred here?
Emily Middleton:
That is absolutely something we are looking at, in a couple of ways. One is that we have started work on a digital sourcing strategy that will let us look much more systematically at different categories and where we might need to take a more strategic approach across Government. We also want, in time, the digital commercial centre of excellence to be able to engage in more strategic supplier management and foster collaboration, including with UK SMEs and other providers, and to make the best use of the ne
w Procurement Act. That is absolutely something we are looking at.
Samantha Niblett:
Excellent. That is good to hear.
Ian Murray:
The other element of all this, which is slightly attached, is insourcing and trying to get Government Departments to do this stuff on their own by upskilling their digital staff, rather than having to outsource it, whether to cloud services or otherwise. Obviously those kinds of services have to be provided for Government Departments on an individual basis for policy implementation, but we are trying to make sure we can insource lots of stuff in the digital space as well.
Q337
Samantha Niblett:
That is interesting to hear. I had a constituent in earlier for an award, so I apologise if you covered this already—tell me to shut up if you have—but this also focuses on our sovereignty. Obviously security is a major issue. We constantly live in fear of cables at sea being chopped, and we had outages recently, including Cloudflare yesterday. When we are looking to partner with big tech that is not based here, how much of what we are doing is about creating our own sovereignty—an on-prem version of cloud
—so that we are masters of our own destiny, rather than having to rely on big tech that stores our data in data centres in other countries?
Ian Murray:
The point is well made. Sovereignty is a huge issue that we always discuss. Security, safety and resilience are all parts of that, and the digital spending controls that DSIT puts in on behalf of Government, which examines individual contracts on that basis, very much examines these issues as well. Ministers sign those off.
Q338
Emily Darlington:
Can I push you a bit on the sovereignty issue?
We have heard the economic case, and clearly we have a nascent AI data industry here that could benefit from Government contracts, but let us talk about the security reasons for why sovereignty is important. Why are we relying on AWS data centres more than we rely on the Crown services data centres that we actually have a stake in?
Emily Middleton:
There are two different things there. We absolutely value our partners, such as Crown Hosting, which I think you are referring to. There are also other providers that provide on-prem hosting. Cloud is different, and one of the reasons we have a cloud-first policy in the UK Government—
Q339
Emily Darlington:
I am not talking about cloud; I am talking about data centres. The Government—the Cabinet Office, I believe—are part owners of Crown, and it was set up to provide sovereign data centres, yet very
few Government Departments are actually using our own ones. To move that on a bit, why are we relying on companies like Palantir in the NHS, rather than UK companies? We are the second-most cyber-targeted country in the world, so building our UK industry and capability is great for our economy, but also important
for public confidence and our security. How much weight are you putting on sovereignty in any use of cloud, data centres and tech, particularly if we are trying to build people’s confidence in Government digital services and digital ID?
Ian Murray:
It goes to a wider Government strategic policy answer in terms of the supply chain and strategic capability. I do not think it will have escaped the Committee how much resource and focus the Government have put into building our own sovereign capability here in terms of data centres, AI growth zones—
Q340
Chair:
Sorry, but what is the sovereign capability in terms of data centres?
Ian Murray:
Well, it directly answers the question that Emily was asking in terms of using what we have here rather than outsourcing it to non-sovereign capabilities—so building those supply chains. It goes back to the question Samantha asked about vendor lock-in and using some of these international cloud players, for example, and being locked into that vendor because the contract says Microsoft, so you are stuck with Microsoft all the way through. It is about building those capabilities and supply chains here, and t
hat is all part of what we are trying to do to make sure that the ecosystem here works for the UK.
Q341
Emily Darlington:
This is one point where we as a Committee really want to push you because, frankly, we hear over and over again that UK companies cannot get those contracts. If we look at the recent deal that was done with the US when President Trump came to visit, we might ask how much of that—on data centres, other services and, in particular, their desire to co-opt some of our world-leading quantum—is really on the side of sovereignty and security? How much of the GDS work is looking at how we build that secure UK sove
reign tech to make sure that we are secure and not reliant on these big guys who are coming over? They make great photo ops and great deals, but the reality is, as we have seen on many occasions in this Committee, that sovereign capability is important. I am trying to understand where the GDS strategy is in terms of making sure that we are procuring and working with sovereign technology here in the UK to develop Government services and digital ID.
Ian Murray:
There are several elements to that. I suppose the first thing is that GDS as an organisation is about building capabilities for Government—I know there are various other elements, but it is about building capabilities for Government in-house, here, on behalf of Government. GDS Local is a great way of rolling that out across local government. These are sovereign built, because they are built here. That is the first part of sort of GDS’s strategy: to build these things ourselves as a Government.
The second t
hing is to make sure that the roll-out across Government in terms of procurement is done on the basis of assurance, and on the basis of security and safety, and that all that goes through that secure and assurance process—anything over £5 million comes to Ministers for sign-off. Then it is about ensuring consistency across Government. All that sits alongside the UK’s supercomputing capabilities, in which we invested £750 million at the last spending review, and the strategy of making sure that the AI growth
zones and the technology developments in this country are sovereign capability.
Q342
Chair:
You have said “sovereign” a number of times. Is sovereign capability something that is built here, using British infrastructure—British-owned data centres, British-owned networking—or is it something that is built here using infrastructure owned by others in the UK?
Ian Murray:
When I asked the question about sovereignty in the tech area, the first part that came back to me was: “It depends how you define what sovereignty is.”
Chair:
Yes, and that’s why I am asking you.
Ian Murray:
What I am trying to explain is that the way in which the Government as a whole, but also GDS and DSIT as a Department, are taking this forward is by investing in those things in this country that are physically here—for example, the supercomputer, in terms of that investment, is here. We want those supply chains to be here. We are innovating and trying to bring stuff through GDS as a Government, so we are building it here. We are building it by ourselves and using that capability, with all those qualificat
ions that Samantha laid out—yes, there is more to be done on procurement and making sure that smaller companies are not locked out of the process, which we have seen for many decades, if not generations, in the defence industry, for example, through the MOD. So there is a wider Government policy and strategy here, as well as, alongside what GDS and DSIT are—
Chair:
I think we are going to have to move on, because I need to come to others on the Committee, but you concede that there is a lot—
Ian Murray:
I am very interested if the Committee want to give us some of those examples that you have come across.
Chair:
There is obviously a lot of interest in this subject, so we will identify some of the examples. We will also write to ask you for a better definition of “sovereignty” in this context and in the supply chain, but I need to move on now—Martin has been very patient.
Q343
Martin Wrigley:
I have been listening carefully, and I have a lot of sympathy for you, because I have been doing the digital transformation job in multinational companies, councils, Government agencies and a wide variety of different places over a good many number of years. I am even old enough to remember doing a Y2K audit for all the legacy systems—you would not believe what we found.
How are you dealing with the legacy systems? What we are hearing is that everything is at an “interesting stage”, shall we say, where the
re is variety all over the place and no co-ordinated contracts. The first thing you co-ordinate is your cloud providers and your contract terms with Microsoft. That’s step one, but we are not even there. You are going to have to work with a whole load of legacy systems. If you are sticking to the idea, quite rightly, of data remaining in the systems where it lives, and you are connecting into legacy systems, you will be doing a whole range of things that you have not even talked about.
Having transformed
Informix
systems into N-tier distributed systems, I can tell you that it is not easy, nor is it quick or cheap. We had an organisation tell us that it regarded anything that was not a non-public cloud asset as a legacy system. Would you agree with that as a definition?
Ian Murray:
No, and, to preface my answer, I remember working on Y2K at a major financial company
on
Hogmanay
in 1999, expecting planes to fall out of the sky, and everything was fine. That was a whole—
Martin Wrigley:
May I say that it was fine because of the amount of work that went in to make it fine? It was not fine because the problem did not exist. I will defend the work that went into Y2K till my dying breath. A heck of a lot of work went into finding those problems and fixing them, so that the planes did not fall out of the sky. People who ridicule that by saying, “We were expecting planes to fall out of the sky,” I will shout down at every opportunity.
Chair:
And you will have support on this Committee.
Ian Murray:
Being part of a Y2K team in the financial services sector, I know how much
work went into it.
The reason I said that is that the definition of legacy systems is not what you are saying, or what some have suggested it is. Just because it is not on a public cloud does not make it a legacy system. What we are trying to do across Government is to understand where each Government Department is, in terms of what a legacy system is, how we identify those, and whether we actually have all the data, given where th
e legacy systems are and what they are.
I suppose that there are certain characteristics that make a system legacy. Is the software still supported? If not, that would make it a legacy system. Are there expired vendor contracts that can no longer be implemented? Is there nobody who has the knowledge or skills to be able to operate the system? I have seen that in the private sector, as you probably have too, given your experience. Does it do what it is supposed to be doing, and can it do something in the fu
ture? I suspect that there are lots of those systems across Government, tucked in cupboards somewhere or under stairwells, and those kinds of issues.
Then of course, you go into the hardware issues. Is there hardware? Is it able to be replaced? Can it be redesigned? There is a whole security issue that goes alongside that and a huge list of different classifications that would make a system legacy. We do not quite know yet 100% of all the
systems that we have across Government, but I think we are pretty much there with about 75% of it. Is that fair, Emily?
Emily Middleton:
One of the things that we really want to do a push on over the next year is understanding and having a better and more accurate picture of where our legacy systems are. In the past, we have only asked Departments to report to GDS their red-rated systems, which are the highest risk. We need to get a more comprehensive picture of that legacy, but we are also looking at how we can better automate those data feeds. Rather than manually asking Departments to report now and again, at the moment we are running so
me tests, so that we can get a better and more moving picture.
That will allow us to look at the next phase of our strategy for supporting Departments to remediate some of those systems. That is in addition to some funding in the £20 billion I mentioned that has been earmarked within different departmental settlements for remediating some of the most serious systems. That is what we are looking at, as well as some of the newer product work that we are doing.
Q344
Martin Wrigley:
How are you developing your plans to use the legacy systems as you go forward? What you are trying to do with digital ID is to integrate with some of those legacy systems. When I interact with the DVLA and renew my car tax, that ain’t a nice new system behind those screens; that is a clunky old system back there and someone has put a nice scraped front-end on to it. A whole load of people have made them look good. What are your plans for doing that and how are you going to approach it?
Ian Murray:
The
starting point was the
state of digital Government
review, in terms of trying to identify where the legacy systems are. As Emily has set out, the starting point is to understand where they are, what state they are in, what would be required to get them to a state of use, and whether or not there are other processes that can be used to take those legacy systems out of the system. There is a whole range of different things that can happen, depending on the identification of them. However, the first start
ing point, from a DSIT and a GDS perspective, was to find out what the legacy systems are and what they are doing.
You mentioned the DVLA. The digitisation of the driver’s licence is part of that process because the DVLA get 45,000 pieces of correspondence a day, so if we can embed new technology into the DVLA and give them different systems that are able to deal with that, we can perhaps then look at how their whole service provision is delivered, rather than looking at whether the legacy system can handl
e that.
Q345
Martin Wrigley:
Again, having tried to do this for my council two years ago, I know that that is where you get the savings, with digital-first provision of services to users of those services. However, I don’t think we are anywhere near that.
Earlier today, you somewhat took me aback, because you started talking about GDS
Local
for local authorities. Given that we are just throwing
them all up into the air, so that pretty much every single two-tier area will now have to reinvent all of its processes, systems and everything else, and you are now throwing GDS
Local
into that as well, you will have an awful lot of work to do there over the next few years. Some of this stuff is going to be really lengthy.
When can you give us a more informed idea of legacy—or are you planning to? Your digital ID super-layer on top is now giving
another definition of legacy, of systems that are incompatible with answering that yes/no question.
Emily Middleton:
One of things about legacy remediation in Government that we have learned and reflected on over the past years is that tackling it separately—just having a project to remediate systems—sometimes does not get the momentum and precision that we need. The DVLA is a great example of what is more helpful, with some of our work there with the digital driving licence. While looking at how some of the key driver services onboard to the app, we are working with the DVLA on how to remediate its legacy. We found that
to be a helpful way of looking at it. In fact, I am spending a day in Swansea next week to talk through some of those issues.
Q346
Martin Wrigley:
As you find the issues, where are they being budgeted for?
Emily Middleton:
As I mentioned, there is already funding for legacy remediation as part of the overall investment in digital, data and technology in the next spending review. On GDS’s role and how we might go further, we are doing some pilots at the moment with DEFRA to look at how we can use AI to speed up recoding and legacy remediation. Those early tests have been promising, so at the same time we are looking at how to innovate and do legacy remediation as fast and as efficiently as possible.
Q347
Chair:
We are coming to the end, but I have a couple of questions that follow on from Martin’s. The information security review, which was revealed as part of the correspondence between this Committee and the Cabinet Office over the summer, related to the Afghan data breaches, brought to light a number of issues in existing digital infrastructure. It revealed very poor standards of data management across Government and that many Departments were not even following Microsoft 365’s guidance for UK Government—which
led to the question, “What are they following?”. It revealed that there was not an understanding or an audit of the level of legacy systems. Minister, are you concerned about the poor standards of data management that have been revealed? Are they integrated into your plans for digital transformation and for digital ID?
Ian Murray:
Serious incidents that happen recalibrate how we see security and safety across systems, across Government. The Committee has obviously examined these things in detail, but we have established the cross-Government vulnerability scanning service, which looks at how Government systems in the round are secure and safe. That is all part of the process of trying to make sure that each individual Government
Department has resilience in place. To answer your question, yes, it was a concern. The data breaches are
something that obviously the whole of Government take incredibly seriously, including the individual Departments.
What we need to do as a Department is to make sure that we deal with such breaches on the basis of best practice, on the basis of maximum security and safety, and on the basis of what we have just discussed—whether it is a legacy system issue, making sure that across Government we have consistent approaches, or making sure that, as the digital service in Government, we give that advice to Depart
ments through their chief digital officers on how the issues should be resolved. Frameworks are in place and, in the main, while you are right to express your concerns, I think that Government data is pretty secure—although that does not mean to say that there are not weaknesses.
Q348
Chair:
The information and security review carried out in 2023, but not
published until this summer following the Committee’s intervention, raised specific issues around data security. The update that the Cabinet Office and DSIT jointly sent to me highlighted that many of those issues were still there. Best practice was certainly not implemented across Government. How are you going to ensure that best practice is implemented? When will you be able to come back to the Committee and say you are confident that there
is best practice? Do you accept that best practice is a requirement for digital ID, and will you publish
the commitment that you are making
to
the ICO on raising data standards so that we can look at that as well
?
Emily Middleton:
My colleague, the Government chief technology officer, and I have worked closely with the Government chief security officer, who I know wrote to you on some of these measures. We have put together a package of measures that we think addresses some of the concerns. To give you a flavour of some of those—
Q349
Chair:
Yes, you have written to me, and I am familiar with those measures. My question is when they are going to be implemented and how we will monitor progress.
Emily Middleton:
We have already made progress on some of those. One of the measures we looked at was centralising governance and having really clear accountability for cross-Government risk and compliance. That is with the Government chief data officer. As of last week, she is now in post. That will help us and her office to measure progress.
You mentioned the joint commitment with the ICO. We are on track to have that drawn up by the end of 2025—by the end of this calendar year. One thing we are really keen to do as par
t of that is create a proactive mechanism to make sure we really draw on their expertise. They are also going to be invited to the civil service operations board and the Government security board to make sure that we work more closely together going forward.
We are also looking at, in the first half of next year, a campaign for civil servants on best practices with information management and security. That will look at both what they need to do and the human cost of any breaches. Planning for that is alread
y under way. There is also work that we need to do to hold suppliers to account. We are already, for instance, working with Microsoft to make sure we are able to hold them accountable where necessary to fix security breaches and consistently use data loss prevention tools and other techniques. Work on this is under way and we are taking it very seriously.
Q350
Chair:
You have been very helpful. We have grilled you for over an hour and a half now and we really appreciate your focus on our questions and your responses. I would like to see that cultural campaign, because I believe that changing the culture of the civil service to make data management a priority is really important. You have had the attention of the whole Committee for the last hour and a half. Minister, is there something that you want to add?
Ian Murray:
This is probably the most serious issue that we deal with as a Department, so I am very keen to push forward a standardised breach response. The one thread that runs through all the data breaches in Government is that they are not dealt with in a consistent way, in a transparent way, or across Government in the way in which the members of this Committee and Members of the House more generally would like them to be. So that standardised breach response is something I am keen to push forward with the ICO and
the GCDO as quickly as possible.
Chair:
On behalf of the Committee, let me say thank you. We hope to see you again to hear about progress as you work through this important part of the Government’s agenda on digital transformation and digital ID. Thank you very much for the time you have spent with us today.