Contents
- Attendance
- Decision on Taking Business in Private
- Digital, Data and Information and Communication Technology Strategy (Police Scotland)
Digital, Data and Information and Communication Technology Strategy (Police Scotland)
Item 2 is an evidence session on Police Scotland’s digital, data and information and communication technology strategy. I refer members to paper 1, which is a note by the clerk, and paper 2, which is a private paper. I welcome from Police Scotland David Page, deputy chief officer; Martin Low, acting director of ICT; James Gray, chief financial officer; and Detective Chief Superintendent Gerry McLean, head of organised crime and counter-terrorism. I also welcome from the Scottish Police Authority Kenneth Hogg, interim chief officer. Thank you for your written submissions, which are, as ever, very helpful. We will go straight to questions.
Good afternoon, gentlemen. I start by asking each of you why the transformation of the legacy forces’ information technology platforms is still to a large extent outstanding.
Pre-2013, investment in the legacy forces’ ICT started to drop off, which is usual when organisations are merging. Before police reform there was no investment other than care and maintenance. When the reform began in 2013, two things were required: a clear strategic ICT plan for delivery and the investment to support that.
Obviously, work was carried out under the i6 project, which we have previously discussed with the committee. That was meant to address some of the technology issues that required to be dealt with. Unfortunately, that programme failed, but it was looking at only part of the required technology investment. There is a separate component, outside the technology, which is the funding. What we needed—which is what we have now—was a clear vision, strategy and set of plans for the technology requirements to integrate 10 organisations into one, which was the original police reform requirement.
Over and above that, with the publication of the policing 2026 strategy we needed to enable the digital transformation. There were a couple of components to that. One was to make sure that we had the financial competence and the governance and controls in place to understand what investment was required so that we could plan and control the use of that money appropriately. Separately, we had to do the work.
Unfortunately, we did not have enough capability and capacity in our existing teams to do that work. For the most part, the teams were fully stretched just with keeping the lights on. It was not until the back end of last year and early this year that we were able to use some of the reform funding to bring additional resource in to do the detailed planning, which has now been done.
Over the past year or so we have also put significantly improved controls in place around finance, which means that we now have an ICT strategy that is underpinned by proper financial planning and links in to the rest of our change programme. It has been quite a tortuous journey, but the past 18 months has seen a significant uplift in our capability, our people, our capacity and the investments that we have been directing specifically into doing that work.
It is a matter of concern that you realised only 18 months ago that you did not have the in-house capacity.
Would anyone else like to tackle the question? It is a pretty fundamental one.
I agree with some of the DCO’s points. There have not been the right levels of investment. The technology estate and footprint are complex and disparate. Pulling together an integrated vision for digital, data and ICT is a complex piece of work. The organisation needed to set the framework with the strategic plan in the policing 2026 strategy and the three-year implementation plan. As David Page said, we are getting to the point at which we understand the level of investment that is required to address the gap.
When I was brought into the organisation about 20 months ago, I was asked to evaluate why we had not made as much progress as we needed to on ICT and broader corporate services transformation. I was also asked to evaluate how we could address the multiple section 22 reports that we had received on financial control. Therefore, I initiated a series of health checks of the finance function and, later on, the ICT function and others to identify the gap between where we were and where we should be, why we were not doing what we should have been doing and what was needed to close the gap.
We had a lot of Audit Scotland reports on the finance function. The initial gap analysis, which considered what we needed in order to do the finance job properly versus what we had, resulted in a significant investment in additional capability in the ICT function to ensure that we could manage the money properly and put proper controls in place.
Subsequently, we did an ICT health check in the summer last year. That gave me information to understand the gap in capacity and capability that we needed to fill. Understanding that allowed me to bring in professional services to help to fill that gap and develop a strategy, which has also led to the requirement for future investment that we are considering at the moment to deliver the transformation.
That has been the journey over the past 18 months: do the health check, understand the gap in finance, plug the gap and do the same on the technology front.
Finance and funding seem to be key components. Would you like to comment, Mr Gray?
I agree with the comments that have been made but, fundamentally, if we do not have a strategy, we will not be in a position to set out our funding needs and make the case to compete against other parts of the public sector for the scarce resource of capital funding. We have not been in the position to make that case. That is not particularly news, in that, for a number of years, Audit Scotland has highlighted as one of the significant gaps the lack of an ICT strategy for Police Scotland and the SPA.
I was not part of Police Scotland in the early years so I cannot comment in any detail, but it looks to me as though the issue has been tackled incrementally by looking for bits of money to do bits of improvement instead of taking a step back and considering the overall requirements and what is needed to transform the old eight legacy forces into an integrated, national police ICT infrastructure and capability. That work is now under way and that is the reason why we are starting to get an understanding of the quantum of the investment that is required to take us from the legacy arrangements to something that a national police service requires.
What is the SPA perspective, Mr Hogg?
From the SPA perspective, the need to progress work on ICT has been evident since the creation of Police Scotland. The committee has discussed in the past the work that was undertaken in the i6 programme. What is different now is that, for the past year, we have had a strategic plan for policing—the policing 2026 strategy.
The work that is being taken forward now has two main functions. One is to create a fit-for-purpose ICT system that moves us on from the eight legacy forces’ systems. The second is to use that ICT platform as an enabler of wider change across Police Scotland.
The work that is being taken forward now, which has been shared with the committee at the stage of a strategic outline business case, is not a stand-alone ICT project. It is an integrated digital data and ICT project and it is positioned firmly in the context of that wider 10-year strategic policing plan.
It is good that we are looking forward, but I asked you to identify, from the SPA’s point of view, what you think had gone wrong in the past few years. For example, was it the case that the i6 project just swallowed up too many resources? Were there too many eggs in one basket? Did the SPA come to a conclusion on why we are in this position? I know what you have been doing in the past year or so, but did the SPA reach a conclusion?
The i6 programme and its ultimate failure were reviewed extensively, including by Audit Scotland. One of the questions that the SPA has been asking, on which it has now received assurances from Police Scotland, is whether lessons have been learned from the failure of i6. I think that colleagues could point to specific examples of where things are now being done differently as a result of those lessons.
To answer your direct question, there was a focus on ICT over the past five years and that focus was primarily around i6. That programme did not deliver, and now we are seeking to move on from that with a strategy that both improves the eight legacy forces’ infrastructure and places it in a broader strategic context.
Others will dig down as to why i6 did not move forward and on the lessons learned.
I would like to ask about the fundamental purposes of the strategy. I have read the document that was submitted to the SPA board at its most recent meeting. Although it contains a lot of detail about the technology that needs to be built in terms of infrastructure versus other elements of IT, as well as a lot of detail about plans and strategy, I still want to know what it seeks to deliver in terms of core police function and practice.
It is not about technology for technology’s sake; it is about harnessing the benefits of technology to deliver support, operational efficiencies and improvements in policing. If I may, convener, I would like to take the sub-committee through some of the core elements of the operational impact, which I hope will answer the question.
The strategy is designed to allow us to meet some of the challenges that we face around data by reducing our data silos, improving data quality, harnessing data and using and exploiting that data to support better decision making. The data input element has been widely trailed because it addresses the issue of officers having to input the same sets of data into multiple systems. The strategy seeks to address that so that we can get to a point where there is a single data input and a single federated search capability. The core operational systems element, which is effectively the part that i6 did not deliver, is still fundamental, so delivering a single national integrated solution that caters for crime case inquiries and the basic elements that officers use is key.
The strategy talks about the need to support much greater officer mobility to avoid the need for officers to return to base at the end of their shift to do multiple keying into multiple systems. That does not help with data quality, because it will not necessarily achieve a good outcome. Mobility is pretty key. We have not significantly exploited the area of analytics and business intelligence, although there is a lot of scope to do that.
In the strategy, there is quite a lot of mention of what would need to happen to facilitate greater public contact. There are different mechanisms whereby members of the public could contact and deal with the police in relation to online crime reporting and the tracking of crime. A lot of those mechanisms, which are used fairly obviously in other parts of the public sector, are not available at the moment.
13:15Having the core platforms that we need to support partnership working is also important. I will give a specific example that relates to the criminal justice community and digital evidence sharing. We need to fix our core operational policing systems so that we can contribute to the wider digital evidence-sharing agenda. That is important given that not all but quite a lot of the data and processes originate from and reside with the police.
We are trying to address those issues through the strategy from an operational perspective.
I understand much of what you are saying. However, dare I suggest that most police officers probably do not talk about federated data searches? They probably talk about looking up records and searching for vehicle licence numbers, for example. We all understand that having multiple systems wastes officers’ time. Have those frustrations and inefficiencies been captured? Are measures in place to ensure that any new system addresses the frustrations that exist currently?
We are looking at some of those issues and the potential benefits through the strategic outline business case. I agree that “federated searches” is not necessarily a term that an officer would use. As well as mobility, the strategy is about making the job of inputting and searching for data easier. It is about making those basic tasks easier, which will enable officers to do their job more effectively. That is the central tenet of the strategy.
The figure of £206 million is very large. To put it into context, I understand that the Scottish Government has spent about £400 million on ICT projects over the past four years. Therefore, that figure is about 50 per cent of Government spend on ICT. How have you arrived at that figure? How does it break down? As has been pointed out, it is not one shiny metal box that is being purchased; multiple systems are being worked on. I presume that there is a breakdown of that figure, but I have not seen it in any of the documentation.
This is still a strategic outline business case, so the numbers are very broad and approximate at the moment. They are in ranges, and the £206 million figure is at the top of the range. The figure is broken down into a number of components such as infrastructure. An example of that spending is the creation of the national network; other components include solution delivery, programme management, information and data, commercial and procurement and business change management. I can send that information to members if that would be useful.
The figure was calculated using a combination of a bottom-up approach—when EY was involved, it worked with colleagues in Police Scotland to identify what was in place, what the gaps were and where we need to get to—and by looking at other police services that EY has worked with that have done similar exercises. The strategy is not about doing anything that is particularly new; it is about bringing Police Scotland into line with what other police services across the United Kingdom have been doing.
We have looked at what the cost has been for other, comparable forces, which has not been easy given how Police Scotland compares in size with the Metropolitan Police and the next largest force. All of that was taken into account. On the basis of experience elsewhere and Police Scotland’s particular challenges, we came up with what the range of costs might be. At the moment, the cost is still at a very high level, but more detailed work is under way and, over the next three months, we will try to firm up the figures. We have highlighted the £206 million figure so that there is an awareness of it and a discussion can begin. Detailed work now needs to be done to put more evidence behind the numbers.
The high value of that figure compared to the cost of the recent NHS 24 IT project, which rose from £100 million to about £150 million, and the cost of the agricultural payments system, which is about £170 million, means that this is one of the largest ICT projects to be under way within the Scottish Government. Are any particular considerations required, given its size and the expense?
We need to look at what we have currently planned for IT spend. We have a three-year financial plan. Years 2 and 3 are indicative because we do not know what the funding settlement will be, but we already have a significant amount of capital expenditure scheduled. Whether we will be able to spend that capital will come out in the spending review.
In the first five years of Police Scotland, about £90 million has been spent on ICT. In the current year and the following two years, we have £94 million scheduled to be spent on ICT and a lot of that will be part of the overall £206 million, because the things that we are looking to invest in will feed into the overarching digital data and ICT strategy.
We need to marry up what we have in our indicative three-year capital plan with what is coming forward for digital data and ICT. A lot of that is the same money, because we will be doing the same things. It is also about the timing and the phasing of delivery. We are putting forward something for five years, but that period could be flexed. It could be shorter or longer, which would determine how much capital was required to be spent in any given year.
We have always had a capital budget; the issue is how much of the existing or scheduled resource we apply to capital at the expense of not investing in other things such as fleet or estates. That is discussed within a broader conversation about additional funding. We are not looking for £206 million on top of the funding that we think we might already receive for capital; we are trying to build that in and work with the Government to establish what is an affordable outcome, I suppose.
I hope that that answers your question. If not, I am happy to expand on that.
I do not think that we have time to follow up on that, so I will hand back to the convener.
Before I bring in Liam McArthur, I would like to clarify something. Mr Low, you talked about criminal justice partners. To what extent have you engaged with them, with other emergency services and with the national health service about compatibility issues? Has there been discussion of compatibility?
Yes. I and Assistant Chief Constable Malcolm Graham, along with my counterparts in the Crown Office and Procurator Fiscal Service and the courts system, sit on the programme direction group, which is the Scottish Government-led digital evidence-sharing group, so we are collectively in that space discussing and considering the options for the wider criminal justice digital evidence technology solution. As I said, in order to support that work, we need to get our own house in order.
There are good connections and there is good dialogue with criminal justice partners. However, there is work to be done. The next three months of work will be about engaging with colleagues in the NHS and local authorities, and we recognise that that work absolutely needs to be done.
That is reassuring. Thank you.
I want to follow up Daniel Johnson’s and the convener’s lines of questioning. Daniel cited the ICT projects for NHS 24 and farm payments, which underscore the fact that many projects start with the best intentions and the belief that the figures are as robust as they can be but the figures climb substantially. What assurances can you give the sub-committee about the £206 million figure that you have arrived at, albeit that it is not all new money, as it encompasses stuff that you are already committed to doing? How confident are you that that figure is not going to climb substantially, as we have seen happen in other areas?
I will have a higher level of confidence when we get to the outline business case stage. At the moment, we are at the strategic outline business case stage, which is very much a combination of looking at experiences elsewhere and, having done an initial piece of work, seeing what we think the internal need is. Over the next three months, we will undertake a detailed piece of work to come up with a more robust figure, and there will be much more behind that figure to support it.
Each of the components that make up the figure of £206 million was individually risk assessed on the basis of how much certainty over costing and scope there was—obviously, whenever we get into detail, the scope of things can change. On the basis of that risk assessment, optimism bias was applied. That ranged from matters to which there was no risk attached and certainty about costs, meaning there was no optimism bias, right the way up to matters on which there was a lot of uncertainty, for which the bias was 200 per cent.
The approach that has been taken to costing is robust in that, when we look across the piece at the whole £206 million, we see that an optimism bias of about 50 per cent has been averaged out in the strategic outline business case. As I have said, there is a range of bias from nothing to 200 per cent. However, as we move through the next detailed phase of work to get to the outline business case, we will have a greater degree of certainty over cost.
We have had a look forward; now I want to encourage a bit of a look back for a second. We have talked about the extent to which the i6 project was critical in delivering a lot of Police Scotland’s objectives across a wide range of areas—a point that was picked up by the auditors. Mr Page, in the report that was taken to the SPA at the end of last month you talked about the failure of that project, about the technology transformation of the legacy forces’ ICT platforms not having made progress and about how
“this continues to present multiple problems and challenges to the service in terms of weakening our operational effectiveness, data and information management and efficiency in delivering the policing services that our communities deserve”.
Can you give a bit more detail on the practical implications of that and some examples of situations in which police officers and staff have been able to use workarounds when they have been unable to do things because of the failure of i6?
I am happy to expand on that. There are two dimensions to the problem, the first of which is about the police officer who is doing the job. Because we have not been able to roll out mobility and do not yet have a single network across the entire country, officers spend a lot of time doing things that they would not need to do if we had the right systems in place. They have to go back to their police stations more often, they have to key in data more often and they cannot exchange data, all of which builds in delay. That is a big issue.
The other issue is the use of data. If we had integrated systems and our data and analytics were where they need to be, we would be able to give officers much better information much more quickly, which would allow them to be much more effective in doing their jobs. For example, if they were responding to calls from vulnerable people and we had better information flowing through—not just in our systems but through our integration with the national health service—we could give them better information up front, which would allow them to deal with the situations in front of them in a much more effective way or even to pull in partners much earlier. We have previously commented on the fact that we tend to be the service of last resort. If we had better information, we would probably be able to get to a solution much more quickly.
There is also the issue of threat. I have previously commented on the quantum of investment that we know serious crime organisations and terrorists are making. That should not be underestimated, as such individuals and groups are very sophisticated in how they use technology. That has a couple of effects, on which I will defer to Superintendent McLean in a second. It also means that our officers, who are trying to combat such crime, do not have the technology that they need to keep up with those groups, which creates a risk for the officers because those guys have more information. It also means that there is more opportunity for them to get away with crimes. That is quite a key area for us.
I will hand over to Gerry McLean, if I may.
13:30
I am here principally as the business lead for organised crime and counter-terrorism, but perhaps I can take questions on cybercrime later. I do not have any portfolio responsibility for ICT or the wider strategy but, as a business lead, I can say that the user experience is just as described. Members might have seen in the media some of the recent successes that we have had with organised crime and the recovery of firearms. Those groups are ever more sophisticated and challenging for law enforcement.
My area of business is very specialised in terms of covert delivery. However, as commercial technology becomes more readily available and sophisticated, it is becoming an extremely challenging area for law enforcement around the UK, although Police Scotland is well placed. I go back to the point that Mr Gray made about the experience within the organisation having been an incremental approach that has involved looking for opportunities to build capability in the capital arrangements over the past few years. We might talk about that later with regard to cybercrime.
The user experience within the organisation is that governance procedures are maturing and have been far better over the past 18 months or so. That is how we are able to put in place a more informed programme of delivery for tackling cybercrime, for our technical support and for meeting some of the challenges in the organised crime and counter-terrorism space. Those are very real challenges and, day by day, we continually slip behind the capability of some of the groups that are out there.
Mr Page, I want to take you back to your point about the inputting of data and mobility. Have you been able to unpack that and distinguish between issues that arise out of a reduction in Police Scotland staff, as it has been suggested that officers stepped in to perform those staff roles, and issues that arise as a result of the lack of mobility of data and so on?
We have previously acknowledged at the sub-committee that, historically, we had not made the necessary transformation before making staff redundant. If you are going to make staff redundant or give them the opportunity of redundancy in a situation in which the work still needs to be done, you need to improve the work process and, ideally, put technology into that space.
We found ourselves in the position of making staff redundant but not putting in the technology or making the transformation. The work still needed to be done so we moved officers in to backfill. The intention was to do that on a temporary basis, but they were there for much longer because we did not deliver on the technology. The effect was to bring officers out of operational policing into what could be described as back-office roles.
The need to rekey data means that it takes two, three or four times longer to enter data overall. Someone gets information and enters it into one data system, then somebody else has to key it into another data system, then they photocopy it and it goes elsewhere. It wastes a huge amount of time.
All those issues added together make us really inefficient and we have to reverse that, which we are doing. We have laid out a clear strategy and a plan for moving police officers out of back-office support roles. We are looking strategically at our workforce balance, as we should have the right people with the right skills doing the right jobs. Where police officers have warrant cards or the specialist skills that we need, they should only be in the places where we need them. They are our operational assets so they should be in operational roles.
The technology should be an enabler; it should enable police officers to be more efficient in their operational roles and staff to be more efficient in the delivery of support. From a workforce mix perspective, there will be opportunities for civilian staff to support operational policing in operational roles but, for the most part, we have to get the technology right to enable that. At the moment, we are dealing with the legacy of manual processes and people not being in the right place to do the right job, but the workforce strategy that is part of policing 2026 will allow us to be integrated, with the right financial planning and the right technology enablement.
We want to get to a situation in which operational police officers are deployed with better capacity to do their jobs on the front line and staff in the back office focus on the jobs that they need to do with the right technology. That way, we can be more efficient and allow police officers to use their time better. We can save money and operate within our budgets and, ideally, get investment through for the specialist technology that Gerry McLean and his colleagues need so that we can keep up with and, ideally, ahead of the opposition in that space.
I want to pick up on DCS McLean’s point about the commercial development of IT and Mr Page’s point about keeping pace with or even ahead of the opposition in relation to IT. Are the IT structures that you are looking for in order to integrate with criminal justice partners so bespoke that you are not trying to build in an expectation that the costs of such technology will come down markedly in the coming years?
We are taking an enterprise approach as far as possible. We are not looking to custom build everything, if that is what you mean by a bespoke system. Where we can, we use off-the-shelf, enterprise-scale products that can be deployed across the entire organisation. There will always be particular operational areas that need a custom or bespoke solution. However, in general, the principle is to use enterprise-scalable technology.
We are not trying to gold plate or create bespoke technology. Our starting point is 10 different organisations doing things in 10 different ways, often using different technologies. Simply by moving everyone to a single platform technology—a vanilla solution—that is proven across the UK and in law enforcement elsewhere, we can jump forward in capability quite considerably.
We are looking to do the best, cheapest investment to get us to the right space early. It is not about people sitting in rooms developing super-duper technology. We are not going in that direction. We are talking about core, basic technology for the entire service to let people do their jobs efficiently.
That works from a financial perspective and also allows us capacity to support the investment in tackling cybercrime, which is becoming more specialised. We can work with colleagues across the UK on that.
I want to pursue the line of questioning begun by Liam McArthur. In your report to the SPA board, Mr Page, you say that there is
“increasing pressure on our officers (operating inefficient processes with out of date or no technology)”
at the same time as they are
“facing the increasingly sophisticated Threat, Harm and Risk from criminals who are investing heavily”
in the most sophisticated technology and using it well, which leaves front-line officers and the public at risk.
How worried should we be about that and how immediately must we address the situation?
The situation is clear when you consider recent events, such as the TSB challenges, where there was a technology failure at the bank and in short order, criminals were developing what they needed to exploit that and strip significant amounts of money from people’s accounts at a point when the bank did not have the ability to defend itself. That is a very recent example. Gerry McLean can talk about some of the other vectors of attack used by criminals and organised crime.
We are becoming more digital and every kid who comes out of school is driving that digital way of life. As that grows, we can extrapolate that the threat will grow even more because as everyone gets involved in digital, the size of the opportunity becomes greater. That is a bigger opportunity for criminals.
Globally, many criminals can buy military-grade, off-the-shelf technology. As the opportunity gets bigger, the risk to the public grows. Organised criminals have access to cutting-edge technology and we must try to keep pace with that or the consequences are self-evident.
I echo that point. I have gone on record before to say that when using some of our more intrusive and covert tactics, it is almost as though we are targeting another covert organisation—one that has better equipment and capability. I am very much alive to that. I hope that some of our successes show that we are adjusting our tactical model and our operational deployment model.
We have to think about our officers’ safety, particularly if we put them out there in old and dated kit that makes them very visible as police officers to anyone who poses a threat to us, especially if they are in that covert environment and are not necessarily identifiable. We have had to debrief and adjust our tactics accordingly. We need to think about when to deploy the physical element—in other words, officers—towards such groups and what other means we can use to work around that. That is extremely difficult, given the technological challenges.
Does that need to be addressed here and now?
It is part of the programmes of work that were advanced through the governance groups that I talked about. There was a lot of focus on the cyber capability programme, but we have other programmes of work that are going through the change board—and of which the SPA has some visibility—to try to close that gap so that we can provide the support to our officers who are out there doing good jobs in difficult circumstances.
Some of the recent convictions and high-profile coverage of some of the operational work are to be commended.
Thank you, convener.
What sort of timescale, resource and investment would be required to get to the point at which Police Scotland’s services have the advantage over organised criminals and terrorists, rather than reacting, as seems to be the position at the moment?
We are alive to data privacy and the intrusive tactics that we use. We understand that issue. Nevertheless, because of the way that people live their day-to-day lives, we all leak and generate digital data around us. That provides other opportunities.
I say that because the way that we are deploying some of the covert assets against some of the high-risk threats is traditional. It is pretty much the way that we have been doing policing for the past 20 or 30 years—certainly, that is my experience. Therefore, with the caveats, checks and balances on data privacy and data security, there is the opportunity to lean more towards technology and make a different use of the human element—the police officer—for evidence gathering.
That is among the things that we are trying to lay out through the technical surveillance 21—that is, 21st century—programme of work. It is a more medium to long-term project, so we are looking at a three-year programme of work with various deliveries within it. It depends on what investment is available, but the front-line officers could start to realise the benefits of it within six to 12 months. We are trying to undertake an incremental programme. It will not just work towards an end state—each stage will be an improvement—but the end state will probably take us far in advance of any other force within the UK.
The technology platform that we need to build for policing, which will support the covert work that Gerry McLean is talking about, is, in effect, an ecosystem of data and technology, all of which underpins the work that is going on. The data that territorial policing—police officers on the ground—can pick up through interaction with the public feeds into that journey and is just as important as everything else. We have to get the entire infrastructure working efficiently to take account of those data points.
The public will always be one of the best access points for intelligence for us, so we must have the ability to pick up that information, process that data, feed it to a large organisation and get it to the right people at the right time. That is why, in the investment profile and the technology plan, we have to do the strategic things that become the data enablers to get the type of cutting-edge technology that we need. That is where we need to get to for the technical surveillance 21 programme and covert policing. It must be built on a solid technology platform that captures all the data and feeds it through. Therefore, we will do it in as structured and efficient a way as we can. The totality of that will make it work.
So, in effect, you are saying that to create that advantage at the specialist level, generic progress is required.
Yes.
I hope that you do not throw out all the old stuff. A bit of computer code that I wrote in 1974 is still being used and most of you will have seen the output from it and used it. The old stuff will work well if you use it in the right way. Do not throw everything out.
I will dwell on the lessons that we can learn from failure. We have had reference to TSB. British Airways has been grappling with problems: it has been selling tickets at £1 that it should have been selling for hundreds of pounds. There are also the examples of the London Ambulance Service in the 1990s, the Scottish Qualifications Authority in the early 2000s and, now, the i6 programme.
I used to lecture on project failure. Are you looking outwith your own narrow interests to see whether there are lessons that can be learned from others? For example, the Federal Aviation Authority has a very good matrix for analysing failure, as do the nuclear industry and the health service. Are you looking to see how others have failed, how they dealt with that failure and how they learned from it to reduce the possibility of future failure?
13:45
Absolutely. Audit Scotland produced a very helpful set of lessons learned from public sector IT projects, which covered a variety of digital challenges and failures. We have built that into our thinking. We have already engaged with the Office of Government Commerce gateway reviews, and a strategic gateway review 0 has been done on our entire portfolio.
I mentioned earlier that we did a health check on the finance function about 18 or 20 months ago to look at what we needed to do there. We have done that across the organisation because, if we are going to run a strategic transformation, one of the early lessons that comes from Audit Scotland or any analysis of things that have failed or worked is that it is about having the right skills and capabilities in the organisation, supported by the right professionals.
As part of our utilisation of reform funding over the past year or so, we have brought a substantial amount of skills into the organisation—principally civilian skills on risk management and audit capability. We have built a full change function and we have put significant additional resource into the IT and finance functions. Part of that is about risk mitigation to avoid those types of failure. We are bringing in professional advisers who have skills that we need now but will not need in the long term. We are also taking cognisance of where others have failed.
We are building an entire ecosystem around that, because we are fully aware of the track record of public sector IT failures, including our own failure with i6. We are investing a huge amount of effort and money to make sure that we give ourselves the best chance of success. This is too important for Scotland—it is too important for the public—for it to fail, and it is far too important for our police officers, who are out on the ground and have to deal with the daily threat of harm or risk.
Before I move on to something else, I point out that the private sector fails as well; it is just more difficult to find out about its failures.
I agree.
TSB would be a good example of such a failure.
Very briefly, because my colleagues have covered some of this, I ask whether you have a timeline. We are running out of time in this meeting, so perhaps you could write to us with a timeline that shows the different activities that you will be undertaking. Would that be appropriate, convener, in order to allow us to move on?
That would be helpful.
I am happy to do that.
In answers to Liam McArthur’s questions, we heard about the extensive staff reorganisation required to implement the ICT strategy. What engagement has there been with unions and staff associations about the priorities and timescale for that reorganisation?
I will pick up on that. There is a bi-monthly engagement forum with all the staff associations and unions. At the last two meetings of that forum I presented the documents on some of the core products that were produced as part of the first phase, which will take the project through to the strategic outline business case stage. I have asked for feedback on the documents that were shared with the members of and attendees at the forum, and I offered to have a discussion with them—that is in train at the moment.
As part of the next stage, as we begin testing some of the assumptions in the SOBC to get to an OBC and drill into it in a bit more detail, there is a clear need and opportunity for engagement with the staff associations and trade unions to continue. We intend to have that engagement over the next three months.
Okay. There is more that I could ask, but we are running short of time.
The i6 contract is repeatedly referred to as a failure, but at the end of the day the money was recouped. The Accenture contract was for £46.1 million. I appreciate that it might not be a like-for-like comparison, but it seems a considerable jump to the sums that are now being talked about. Is it a greatly enhanced system? I appreciate that i6 was not intended to cover all aspects, but is the new system completely filling the gaps?
I can see that the DCO is keen to intervene, but that is exactly right, convener. The i6 programme was very specific, with six modules covering crime, vulnerable persons, criminal justice, custody, missing persons and productions. Almost all of that i6 capability transfers into what I have talked about in terms of core operational systems and the need for the integrated national system. However, as you have alluded to, this piece of work is significantly bigger. The two things are not the same in terms of scale, and hence in terms of investment. Getting to the i6 equivalent within the programme is still, in my view, fundamental, but there is an awful lot more that will be wrapped around the programme and the transformation than just what was included in the i6 programme.
For the avoidance of doubt, if this is i6-plus, can you confirm that there are no gaps and that this is what needs to be done, both for now and looking ahead?
We do not believe that there are gaps. The work that has been done in the first phase has been fairly extensive across all functions and business areas in the organisation. I would probably describe it as i6-plus, and plus again.
The written submission provides a lot more helpful information about the cyberkiosks. Can you clarify the terms of the cyberkiosks procurement contract and the amounts involved?
My understanding is that the cost of the kiosks was approximately £440,000, and we purchased 41 of them. I can provide the sub-committee with a breakdown of that, as it was one component of a wider cyber spend last year, which was £3.4 million. I will provide you with those details.
What about the suggestion that there is a trigger point of £500,000 that would require more involvement for the Scottish Police Authority? The cost that you have mentioned is short of £500,000. Would you have bought more kit if you could have?
The business requirements that we run with respond to business need. The current trigger points are what they are, and £500,000 is the spend limit for us within the police. Sums of £500,000 to £1 million go to the accountable officer, Mr Hogg, and sums of more than £1 million go to the main board. We do not cut the business requirements around those limits. We try to ensure that we have modular and right-sized approaches to things so that, if at all possible, we avoid really big problems because when they get really big, like i6, it is easier to fail. We would like to have more smaller-sized programmes, where benefits are linked to the expenditure. We are conscious of that.
The other issue is pace. In order for us to move at pace, we have to go through the right governance, so we try to ensure that we adhere to all the governance procedures that we need to as we go through that journey. We are careful to ensure, from a finance, control and governance perspective, that we adhere to the governance procedures that are required of us. That is one of the points that Audit Scotland made previously about financial control.
You have provided a lot of documents to us, and a number of them are redacted, but I would have thought that it would be possible to say who was the author of the business case. Who was it?
Do you mean the strategic outline business case?
No, I am talking about the business case for the cyberkiosks.
That came from the head of the cybercrime unit. I can provide a bit more data on that. As Mr Gray said, £445,000 was the figure for the kiosks. The business requirement was to provide three kiosks to each of the 13 local policing areas, which is how we came to the figure of 39. Given our expectation that we would get hardware failures from time to time, we wanted to keep one or two devices in the cybercrime unit, to add resilience.
At the time, we were working on a figure of about 40 devices. Did we want more, and would more devices deliver more benefits? Probably, and we will have to review the position. However, we were trying to work within the financial framework and the capital funds that were available at the time.
We were alive to the fact that there would be a notification to the SPA and that the programme might have to be signed off by the Scottish Government—that is reflected in some of the documentation from 2016—but the working premise was that the requirement from the business area was 39 devices, with some resilience added on.
The business case did not specify the author and it was undated. Can you say what the date of the business case was?
No, but I could provide that information.
That would be helpful.
At different points in the documentation that you have provided, there is different information on the approval of the programme. Page 5 suggests that ACC Johnson will give approval, but page 10 says:
“Permission was granted by the Force Executive”
Who signed off the programme in Police Scotland?
I am probably best placed to provide the detail on that. Evidence about the trials has been provided previously to the sub-committee. In about mid-2016, trials took place following anecdotal evidence from forces south of the border that were using similar technology. We were looking for a window of opportunity within which capital funds would become available in the business area. The force executive—in other words, the chief officers—was asked whether the trials could go ahead. That is reflected in some of the documentation that you have.
Funds were not available in 2016, but the matter was revisited and more trials took place in 2017. I think that it was late 2017 when the business case was written, but I will check the detail of that. That was put to the force executive. ACC Johnson has the portfolio lead for specialist crime and intelligence, so his name is mentioned in some of the documents.
Ultimately, that business case and the programme of work were put to the change board and notification was given to the Scottish Police Authority.
Page 4 talks about consulting UK law enforcement. Who was consulted? What was learned? At our previous evidence-taking session on the issue, I highlighted that the oversight body that looked at North Yorkshire’s experience and its application of the devices was extremely critical.
As we have responsibility for cyber, we are represented on the national cyber operations group, and we were aware that a number of forces south of the border had been using the technology for more than 10 years.
When we consulted through the operations group, we found that all but four of the 43 forces south of the border were using similar devices, albeit from different providers. I can provide the details on this, but we went to six forces, of which the Metropolitan Police was the largest. It was using about 130 kiosks at the time. If I remember correctly, we went to Northumbria, Lancashire, another force in England, the Garda in Ireland and a force in Wales. We went to see their experience and to find out about the challenges and operating principles.
Our reflections were that the experience was broadly positive—there had been no significant challenges, although there was some criticism, as you say. There were definitely operational benefits. However, we observed an absence of consistent ways of working—in effect, a code of ethics, or an operating procedure on using the devices, was lacking. We were keen to develop a code of practice at an early stage and to have an ethical response on how we might use the devices.
Mr Hogg, I refer you to your letter of 5 June on the SPA’s financial governance around the cyberkiosks. You say that, as the cost fell below half a million pounds, the purchase did not need SPA approval. Is that your position?
Yes, that is correct. A capital investment of more than half a million pounds would need to be submitted to me as the accountable officer for approval.
That is the capital investment, but we understand that the whole contract came to £545,000, which is over the £500,000 limit. Would it not be expected that, in terms of financial governance, the SPA would look at the contract?
No. The investment totalled £445,000, which included not only the capital investment for the kit but the licence costs and the costs associated with training. I add that—
Can I stop you there and ask why your figures differ from the ones that I have in front of me? Those in front of me suggest that the technology, licensing, training and annual fees amounted to a contract that was worth £545,000, which is over the £500,000 threshold.
14:00
The figures that I am quoting to you are the figures that I have from Police Scotland. I am happy to clarify that if you like, but when I gave evidence to the sub-committee a month ago, I used the same figures on the same basis.
We have a discrepancy. Perhaps we can find out why.
I wonder whether the issue is about looking at the capital costs alone. Clearly, there are also revenue costs, so there will be combined costs. We have a series of figures here.
Yes. In addition to the capital costs, there will be approximately £100,000 of annual operating costs associated with the cyberkiosks once they are rolled out. That cost is not currently being incurred.
The point that I wanted to make is that, as accountable officer, I have looked closely at the cyberkiosks issue, not least since the sub-committee raised concerns. I do not have concerns. This is not a situation where I have a sense that Police Scotland was trying to avoid scrutiny by the SPA by bringing in a cost below a threshold. The SPA has, in any case, looked at the proposal over the months and years of its gestation. It dates back to a 2015 cyber infrastructure technical strategy, and I have provided you with a presentation that dates back to September of last year, in which Police Scotland briefed members of the SPA on the proposal, among other elements of reform. I genuinely do not have concerns that there is either a lack of scrutiny or an attempt to avoid a threshold for referring the matter to the SPA.
I do not have concerns about the latter, but I most certainly have concerns about the financial governance that the SPA undertook, when the cost of the whole contract according to our figures still seems to differ from the cost according to your figures. Perhaps we can get some written evidence to clarify that, and we can return to the matter at a later date. It seems to me that it is absolutely germane to moving forward and establishing a robust role for the SPA in its financial governance remit.
Perhaps we can follow that up in correspondence, Mr Hogg, to clarify the point.
You mentioned a briefing, but it is the case that the SPA received no briefing from Police Scotland in advance of the trials.
The position is that the SPA did not receive a specific briefing about the trials in advance of the deployment of the devices. Yes—that is correct.
Okay—thank you.
I want to nail down how the governance works. Thirty years ago, in my experience at the Bank of Scotland, I could spend £0.25 million as often as I liked in a day as long as I had budget cover, but the key thing was that, although I was the decision maker up to that level, I was required to tell the next level up within 24 hours that I had done it. That approach applied from a teller who had authority to lend £1,000 all the way up, and eventually, at £3 million, it got to the board.
Is there a similar duty in your structure? Is there a decision maker up to a certain level but also a process by which the activities of the decision maker are reported to the next level in very short order? It is those two elements that make a robust system of governance.
I will answer that first and then hand over to my colleague from Police Scotland. The system of financial governance that exists between the SPA and Police Scotland is set out in various pieces of documentation including financial regulations, and they specify the arrangements that are in place for the sort of referrals that you have talked about. Police Scotland, under the chief financial officer’s overview, has its own system of approvals, which we are also sighted on. At that point, I am happy to hand over to the chief financial officer for the detail.
I would make a distinction between business cases and the letting of contracts, which is a procurement-type activity. We have an investment governance framework that sets out the governance requirements for business cases. It is linked to financial value and whether the funding comes from the reform budget or from core capital. That is all documented. The framework applies internally to Police Scotland governance and through SPA governance. For example, there is a requirement that a business justification case that gets signed off must be reported up—
I will try to short-circuit the discussion a little. I am just asking whether, when a decision maker makes a decision—under the procurement process, decisions are usually taken by clerks, not to be too rude, because it is a mechanical process—there is a formal process by which the decision maker’s decision is referred up the line in short order. There needs to be appropriate oversight, not to interfere with the decision but to be aware and be able to take account of the aggregate effect of all the decision makers’ decisions.
I understand the nature of the question. Our governance is very much driven around a series of boards—the finance board, the change board and the audit and risk board, all the way up to the force executive board. Any of our business cases—
Forgive me—I am not trying to be rude, but I am conscious of time. I understand that there will be a complex matrix for how decisions are made, but I am not focusing on that; I am focusing on what happens after a decision is made.
A decision is made at a committee. Any business case or major capital expenditure would be presented to a committee for approval. Either the change board or the corporate finance and investment board would make the decision. It would not be a case of an individual making a decision on expenditure that they could then—
However a decision is made, who is then informed that it has been made?
There would be an audit record for each of the individual governance boards of the decision that was made and who was present at the meeting. Depending on the size of the decision—that goes back to our schemes of delegation on financial matters—it would be accelerated up to the force executive board or it would be recommended for approval.
Would that be for information or for decision?
That depends on the nature of the decision. There are two parts: one is capital, or the money, and the other is the effect on the organisation. The expenditure might be relatively small, but the effect on the public or organisation might be such that it warrants a discussion at the force executive board. We also recommend that things go across to the relevant committees in the SPA, such as the finance committee. Everything is decided in a committee governance structure. There is no unilateral decision making for which we would then seek additional support.
Yet the Scottish Police Authority was not notified in this particular instance.
Do you mean the cyberkiosks?
Yes.
I cannot comment on that. I was not in Police Scotland at that time.
Following on from Mr Hogg’s answers to Margaret Mitchell and the convener, I want to clarify whether he is comfortable with the approach that Police Scotland has taken with regard to the introduction of the cyberkiosks.
I believe that the proposed expenditure was handled, and is being handled, in line with the existing processes. I have looked at the written evidence that Police Scotland submitted to the sub-committee. I will confirm the figures: the total cost of the purchase of the kiosks plus the software and a training package came to £444,821, including VAT. In addition, there is a £101,000 annual revenue support cost, which the written evidence says will commence from 2019-20.
Is that level of expenditure not above the threshold at which you would be briefed?
No, because the way in which the threshold is determined alludes to the capital cost. For example, most capital costs come with an on-going revenue cost over many years, but the thresholds are set in relation to the capital cost. I am happy to share the scheme of delegation, for example, which sets that out.
Would you not have expected a community impact assessment to have been carried out, given that there were significant changes to operational policing matters? Would the SPA not have wanted that?
I have looked at that, and the key point is that it was not a change to operational policing in terms of policing capability. It allowed police officers to do in local police stations what they were already doing in regional hubs, and it avoided the issues of backlogs arising from the sending off of devices. That is the rationale.
I understand that, but would the SPA not have wanted community impact assessments done to assess the impact on particular communities?
In the case of the trials, I do not believe that that was necessary. In terms of further roll-out of the kiosks, I know that Police Scotland is setting up an external reference group and that the terms of use of the kiosks will be consulted on with that group. I gather that Police Scotland is now looking at undertaking additional impact assessments. However, for the trials that previously took place, I do not believe that an additional community impact assessment was required.
Building on that, I appreciate that, in the written evidence and in the previous session that we held, it has been emphasised that the kiosks are about efficiency and trying to make sure that devices are not taken from individuals for unnecessarily long periods, and that the cyberkiosk technology has been available to UK law enforcement for some time.
However, as an MSP for a constituency where part of the trial took place—the remit of Gayfield Square police station includes part of my constituency even though the station is outside it—I have concerns about the fact that no assessments were undertaken, given the intrusive nature of the technology when somebody hands over their phone. After all, in the modern day and age, a phone holds so much information about an individual. I have concerns that there was no awareness about it, particularly with regard to human rights, equality or community impact assessments, data protection and security. A constituent could have come to me at a surgery and said, “The police have taken my phone and looked at every piece of data on it,” yet I, as a constituency MSP, as well as people more widely were not aware that it was happening.
I have concerns about individuals’ human rights and right to a private life. I am reassured that there will be a greater determination to make those assessments for a full roll-out, but is there any sense of regret, with hindsight, that you could have dealt with the issue more transparently?
I will let my Police Scotland colleagues comment on their practice. The key point from the SPA perspective is that, at the time of the trials, phones were already being taken by the police for the same policing purposes, but what happened to those phones differed. At that time, phones were sent off to one of three—now five—regional hubs whereas, during the trials, phones were assessed at the local police station instead of being sent off to a regional hub. That is the rationale that has been given when the SPA has asked questions of Police Scotland about why and how it did the trials.
The written evidence said that it was only done by suitably trained front-line officers. What sort of training did they go through, and were checks and balances in place to make sure that that was the case?
I agree with what Mr Hogg said. To answer your question directly—I am conscious of time—25 officers at Gayfield Square police station were trained. The provider of the technology trained the cybercrime staff and they, in conjunction with the provider, trained the 25 officers, and supervision was put in place around that.
The trials were not about the public experience because, as Mr Hogg said, those phones had already been taken legally and had gone to a central location. They were very much about the experiences of officers at the front end, trying to build the business case to show that there was an opportunity for service improvement and efficiency and pushing that through what was a capital bid at the time.
14:15
I still feel a bit uncomfortable that my constituents were not aware of that happening in their vicinity.
I am absolutely alive to such concerns. A lot of lessons have been learned, which is why it is so important that we now do the impact assessments. The direction that we had at the time was that, because it was more of a change of use, those assessments were not required. I can report that what would formerly have been a privacy impact assessment but is now a data protection impact assessment has been completed, as has an equality and human rights impact assessment. I see those very much as live documents. Convener, if you are so minded, I can get copies of them to the sub-committee.
That would be helpful, Mr McLean.
I am conscious that Ben Macpherson asked a question about training that has gone unanswered. Perhaps I can answer it as regards the business case. I think that, in advance of the cyberkiosks being put in place, Police Scotland would have considered the backroom function of the interrogation of data on phones to be a very specialist function. Would you agree with that?
I would agree with that.
In the undated and unsigned business case, the very last sentence of the section on training says:
“It can be comfortably taught in well under an hour.”
That suggests that it is not a like-for-like transfer but a roll-out of something different, which is precisely where the concern has come about. People understand the technical requirements. It would be very helpful to have those assessments if you could forward them.
As I have said, I would be delighted to provide them.
If time permits, perhaps I could come back to you on your comment, convener.
Yes, indeed.
You made a comment about the business case. That report was provided by the officers at Gayfield Square, and gave the supervisor’s view of the circumstances. That comment is perhaps more attributable to the commercial provider of the equipment. A day’s training was provided, which might or might not have been enough. Ahead of any roll-out of the kiosks, which we hope will be later this year, the cybercrime unit staff have already attended a three-day teaching methods course. They are also working on the training package for the 410 officers in local policing who it is planned will facilitate the triaging of devices at the front end. There will be a two-day training course for those officers, which they will be able to attend only once they have completed the mandatory one-day online general data protection regulation training that is going on right across the force. They must conclude the GDPR training, and then there is a two-day training course.
Mr McLean, that is something entirely different. I am reading from the document that Police Scotland has provided to the sub-committee and that is headed up “Business Case”. As I have said, it is redacted, so we do not know who provided the training. There are other redactions across the document, but that final sentence says:
“It can be comfortably taught in well under an hour.”
That does not sound like it is about replicating a specialist backroom function, which is where the concern has come from.
In answer to that, convener, I say that I agree with your point about the specialism in interrogation of data. However, the interface with the triage device is pretty intuitive and fairly straightforward, which is the point that the commercial provider is trying to make there. We understood that checks, balances and safeguards were required, which is why there is a day’s training. However, training in the use of the device itself is quite straightforward.
I am sorry to keep coming back to this—not least because there are a couple of members who want to come in very shortly—but are you saying that, in the documents that we have been sent, appendix B, which is headed “Kiosk—Trial Business Case”, has been put together by the provider of the equipment rather than by Police Scotland?
No—I am saying that that is the commercial provider’s view, which has been reflected in a police document.
Okay—thank you.
I am not questioning the integrity of officers but, as a safeguard, I want to know whether the technology is able to delete information from people’s devices or just copy it. If you do not know the answer right now, it would be good to have clarity on that. Obviously, if it had the ability to delete people’s data, that would be concerning.
It would do neither. The technology allows us to view the data that is stored on the device, and only that. It does not materially change it, which is important because of the steps that might then follow through the criminal justice system.
It is my understanding—I would like you to rebut or confirm this—that the kiosk is about triage. In other words, it is about identifying a proportion of the phones that are received that can be returned immediately because they are not of evidential value. The real analysis will continue to be done at the centres. The purpose of the kiosk is to make the centres more efficient and to enable phones that are not required to be taken back out of the criminal justice system. Therefore, what the kiosk does is only a very small part of what would be done in the centres. Is that correct?
That is exactly right, Mr Stevenson. At the moment, as many as 15,000 devices are submitted to the cybercrime hubs, as Mr Hogg said. Anecdotal evidence from other forces in the UK suggested that more than 90 per cent of those devices would not be submitted in the future but would be returned to their owner or excluded from the relevant investigation, and that was borne out by the trials. That means that a single-digit percentage will go to the more specialist officers who will carry out the extraction of data.
I would like to clarify one final thing. According to the documentation that has been provided, the “evidential efficacy” of the examination of data from seized items was “not collated” as part of the trials.
I am sorry, but could you repeat that, please?
The “evidential efficacy”—that is the phrase in inverted commas in my notes—of the data that was examined was not collated as part of the trials. What was the Crown Office and Procurator Fiscal Service briefed on following the trials, if the evidential efficacy of the operation was not considered?
The Crown Office was briefed on the trials and it had no objections to their going ahead. As I said, there are always lessons to be learned, and there could probably have been better record keeping for some of the trials. The figures are there, but the user experience of the officers at the front end and some of the investigative benefits had to be reported back. As I said, if we were to run the trials again, I would ensure that there was better governance with regard to the provision of detail.
That is very helpful.
It has been a long session. I thank the witnesses for their evidence, which has been extremely helpful. Perhaps Mr Hogg could follow up with a letter to clarify the point that was raised and Mr McLean could provide the documents that he mentioned.
14:22 Meeting continued in private until 14:29.