Election 2021

The Scottish Parliament is in recess ahead of the election on 6 May.

Because of Covid-19, there are some changes to how the Parliament prepares for the election.

Find out more in our Election 2021 pages

Skip to main content

Language: English / Gàidhlig

Loading…

Debates and questions

Public Audit and Post-legislative Scrutiny Committee 05 December 2019

The agenda for the day:

Interests, Decision on Taking Business in Private, Freedom of Information (Scotland) Act 2002: Post-legislative Scrutiny, Section 23 Report.

Interests

Interests

The Convener (Jenny Marra)

Good morning and welcome to the Public Audit and Post-legislative Scrutiny Committee’s 28th meeting in 2019. I ask everyone in the gallery to turn off their phones or switch them to silent, please. We have received apologies from Anas Sarwar and Alex Neil. I welcome John Mason, who is attending in place of Alex Neil. Item 1 is to invite John Mason to declare any relevant interests to the committee.

John Mason (Glasgow Shettleston) (SNP) (Committee Substitute)

Thank you, convener, I am very happy to be here. The only thing that I should declare is that I am a member of the Institute of Chartered Accountants of Scotland.

Decision on Taking Business in Private

Decision on Taking Business in Private

The Convener

Item 2 is to make a decision on taking business in private. Do members agree to take items 5 and 6 in private?

Members indicated agreement.

Freedom of Information (Scotland) Act 2002: Post-legislative Scrutiny

Freedom of Information (Scotland) Act 2002: Post-legislative Scrutiny

The Convener

Item 3 is our post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. I welcome our witnesses. Daren Fitzhenry is the Scottish Information Commissioner, and Lorraine Currie is the freedom of information officer in charge of policy and information at the office of the Scottish Information Commissioner.

I understand that the commissioner has an opening statement.

Daren Fitzhenry (Scottish Information Commissioner)

I thank the committee for the opportunity to provide evidence in its post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002, or FOISA, as we tend to call it. I am grateful to the committee for looking at FOISA—not because it is broken, but because it could be better and because it is important to keep it alive and up to date in order to meet the challenges ahead. It is important to put the act in context and to highlight aspects of the current system that work well, which will allow us to focus on where improvements can be made.

Our starting point is that the freedom of information regime is generally working well. There are very high levels of public awareness—up to 91 per cent. When we delve deeper into knowledge of what the right means to people in real life, 71 per cent of people in Scotland understand that FOI gives them a right to ask for information from public bodies, compared with 54 per cent awareness throughout the United Kingdom as a whole.

Last year, more than 83,000 requests for information were made in Scotland, of which 75 per cent resulted in full or partial disclosure of information. Some three quarters of disclosures were full disclosures. Over the past three years, the rate of responses being made on time has been around 85 per cent consistently across authorities. That is obviously something that we want to improve on, but the rate is still relatively high, despite the increasing volume of requests.

Most of the time, when people exercise their right, they get the information that they were looking for first time and on time. Request activity, however, is only the tip of the iceberg, because freedom of information regime users can, and do, access information that has been proactively published in accordance with FOISA’s proactive publication duty.

Preliminary findings from the University of Dundee’s “Uncovering the Environment: The Use of Public Access to Environmental Information” project show what we expected to find: namely, that most people who look for information first go online and search for it themselves.

I hope that I will be able to say more about proactive publication later in the evidence session, but for present purposes my point is that we have a system that the public are aware of, that is regularly and increasingly used, that provides people with information to enable them to participate meaningfully in our processes, and which supports accountability of public bodies. It can also help authorities to improve their services and to work with the communities that they serve.

However, as I said at the start, there is room for improvement. I have previously set out in my written and oral evidence to the committee the ways in which I think the freedom of information regime could be strengthened. The committee has obviously had many other respondents who have provided input on that, both on paper and orally. I am delighted to see so much input.

Some of those inputs are of concern, not just for me, or nationally, but in the international context. If we look at how the system is viewed internationally, some of the proposed changes would have the effect of reducing the right to information. I am very lucky in that it has been suggested that Scotland might, for the first time, be given a right to information assessment—which would make us the first subnational regime to be put in that position. I hope to enter discussions on that.

As the committee will know from reading my submission, the top three opportunities are modernisation of the publication scheme duty, strengthening of the intervention powers, and provision of enforcement powers for breaches of the code. I look forward to dealing with those and any other matters that the committee would like me to deal with.

The Convener

Thank you very much. That was extremely helpful.

I will open the questioning. The committee has heard from a few different sources that hurdles are put in place right at the start of the request process that make it harder for people to ask for information. Are you concerned that the process to make a request is more complicated than it needs to be?

Daren Fitzhenry

The process for making a request is relatively straightforward. All that is required is something in writing or something that is capable of being put in permanent form. The individual needs to provide their name and address for correspondence—it can be an email address or a postal address—and to state what information they are looking for. The process is designed to be straightforward. The individual does not need to mention that the request is being made under FOISA, so they do not need to have knowledge of the act to make the process work. The request can be sent to anybody within a public authority, so the individual does not need to know that there is a special website for putting in the request. The process has been designed to enable people who are unaware of their rights to exercise them and to get a response to their request for information. That is relatively straightforward.

Problems can arise when individuals do not know which authority might hold the information in which they are interested. There can also be issues in relation to what the individual really wants to know: crafting an accurate request that will allow a person to get exactly the information that they are after can be difficult and takes a bit of thought. However, the process is designed to be available to anybody, regardless of whether they have access to the internet or of whether they know who within the authority should have the information.

The Convener

You say that there is high awareness among the population of the right to get information, and that people who are thinking of making a request can look for the specific webpage and ask. However, from the evidence that we heard, it seems that that varies across local authorities. Does the process need to be more standardised?

Daren Fitzhenry

That would be helpful, but it is important not to lose the general approach whereby someone who does not know the system or who does not have access to the internet can make a request through other routes. It is a good idea for an authority to have a single point of contact; it certainly helps an authority if that is available. However, a system in which that was the only way to access the freedom of information regime would not be appropriate, because we would then be more likely to exclude people who are least able to know about the process, including people who have least access to the internet. I do not want such people to be disenfranchised from their right.

Colin Beattie (Midlothian North and Musselburgh) (SNP)

Public service structures and delivery of services have changed quite a bit since FOISA came into force. Against that background, is the act still fit for purpose?

Daren Fitzhenry

The act and the basic right to information are certainly fit for purpose, because we have the right to request information and the right to receive it. In relation to service delivery, whether the act is hitting all the bodies that it should hit, and whether the number of bodies that are subject to FOISA should be expanded, are different questions. Over time, there has been a reduction in access to information because of the way in which public services have been provided, which Colin Beattie mentioned. As more and more public services are contracted out or are provided by other types of arm’s-length bodies, it becomes more and more difficult to access information, because those bodies might not be subject to the act.

Colin Beattie

So you are saying, if I interpret it correctly, that the act as it stands is fit for purpose, but changes have perhaps resulted in other performers coming forward that are not caught by it.

Daren Fitzhenry

That is exactly the point, and that is why it is useful to have powers such as the section 5 power for ministers to expand the provisions to other bodies. That power was not used for a long period but, thankfully, it was used in 2013 for the culture, sports and leisure trusts, in 2016 for privately run prisons, and this year for registered social landlords. There is also the new consultation on contracted-out services, in which we are very interested.

Colin Beattie

You have led us right to my next question, which is on the other bodies to be included. Health and social care partnerships, as opposed to national health service boards, represent a significant example. There is a certain amount of tension between those bodies in respect of who is subject to FOISA and who is not. Should health and social care partnerships be subject to the act?

Daren Fitzhenry

Yes. In our consultation response, which was put on our website just yesterday, we say that that is an area that we certainly think ministers should look at in detail, with a view to such bodies being added to the list in FOISA for clear reasons relating to what happens if things go wrong, to the clear public interest and to use of public funds. There are many reasons why it would be appropriate to look at such bodies in detail.

Colin Beattie

To extrapolate, should private companies that contract for delivery of public services be included in the act?

Daren Fitzhenry

There is some tension between having a system that includes as many bodies as possible, particularly those that receive substantial public funding, and having a system that is capable of being enforced in practice. My view is that, however coverage is extended, it is important for people to know who is covered—that we have a mechanism such that we know that a company is covered by the freedom of information regime so that requesters know and can ask, so that we know and can enforce, and so that the bodies know and can discharge their obligations under the act.

Colin Beattie

You are suggesting that there would have to be criteria against which to determine whether a body would come under the freedom of information provisions. How would you establish those criteria?

Daren Fitzhenry

My predecessors set out a series of functional tests in a special report on whether the right bodies were covered. I generally agree with that approach.

One issue to consider is whether rights have been lost. In other words, is a private body now carrying out functions that were previously carried out by a public body? Issues relating to public finance and public interest in the body or its functions are relevant.

We are bound by section 5 of the act. At the end of the day, a public function has to be involved. Things are much more difficult with purely ancillary services. Should a body that gets public money for supplying paper clips—that is the great example—be subject to FOISA?

Colin Beattie

You are talking about public functions. Should not things be determined by the public pound, as well? Even charities and third sector bodies are heavily subsidised by the Scottish Government to deliver services that are agreed between them. Is there an interest in applying the act in respect of following the public pound?

Daren Fitzhenry

That is an interesting question. In a number of areas there are the public functions on the one hand and there is significant public finance on the other. I think that there is a distinction. If a body spends public money most of time, that will usually, but not always, be because it performs a public function.

In relation to supplying stationery, for example, a company will just need access to money. A public organisation will need to have its windows cleaned: we would expect the procurement information on that to be available, but there is not necessarily a strong case for making the people who do the window cleaning subject to the act.

I do not think that it is useful to follow the public pound to its end, but looking at where large sums of public money are expended is relevant in determining whether a body should be caught.

09:15  

Colin Beattie

The functions of bodies that we have been discussing, whether they are private companies, third sector organisations or whatever, and the amount of funding and so on that they receive will change from time to time. What kind of mechanism would you put in place to respond to such changes? Given how funding sometimes works, we might find that a body would drop out of fulfilling the criteria one year but would fulfil them again in another year. That is a tremendous amount of flexibility to put in place. How would you do that?

Daren Fitzhenry

As you can see from our consultation response, we suggest greater focus on the function test. We have recognised that large amounts of money going in tends to be related to public functions. The contracts that we think should be looked at first are those for health and social care services, private finance initiative and public-private partnership contracts, hubcos and services that are provided under the hubco model, and transport services. You will note that big contracts are less likely to change often; they tend to last for longer and to be more stable in terms of their output—

Colin Beattie

If I may interrupt, I suggest that companies in that little group on which you have just focused are likely to say that there are commercial issues, so they are unable to give the information that has been requested.

Daren Fitzhenry

Freedom of information is designed to allow for commercial aspects to be taken into account in determining whether information is to be produced in response to a request. There are exemptions that can be applied in such circumstances.

Colin Beattie

There might be a disproportionately high number of exemptions among that grouping.

Daren Fitzhenry

I would not say that. Public authorities expend large sums of money, and they have contracts, too. There will be circumstances in which exemptions apply, but there will also be circumstances in which they do not.

Colin Beattie

In your written evidence, you propose a prohibition on relying on confidentiality clauses between public authorities and contractors that provide public services. Could you provide a bit more detail on that proposal? How has a similar provision in FOI legislation in Ireland worked in practice?

Daren Fitzhenry

Confidentiality clauses are often inserted in contracts, and are thereafter used by organisations to say that they cannot provide information because they are subject to a duty of confidentiality. That is quite apart from consideration of commercial harm or assessment of the seriousness of that harm. That concerns the confidentiality exemption, rather than the serious harm exemption.

In practice, although we may consider issues of confidentiality and public interest in determining whether confidentiality exists and the right exists, that can be a block to providing information. If confidentiality is included in a contract, that makes it easier to exclude provision of information. By removing confidentiality clauses, we are essentially saying that if there is a commercial reason why information cannot be provided, the body should rely on the commercial exemption.

I do not have details with me about how the provisions in Ireland have worked in practice. I will look to see whether I have anything for you—I can certainly get information on that to the committee.

The Convener

You can always get back to us in writing.

Colin Beattie

I would like to ask about one more aspect of this issue. It seems that, if freedom of information requirements are going to have the power to override commercial contracts—that is effectively what the situation would be, as the confidentiality clauses would be in the commercial contract—how would that work in practice legally? Can we do that? Do we have the powers to do that?

Daren Fitzhenry

In my view, you certainly could do that. An act of Parliament could say that there should not be such clauses in future contracts and it could set out the limitations. For example, we already have unfair contract terms in legislation. In my view, it is open to the Parliament to do that.

The Convener

What about private companies that are owned by the Government? Should they be subject to FOI?

Daren Fitzhenry

If they are wholly owned by the Government or by any other public authority, they are already caught by the act, by virtue of section 6. There is a bit of a loophole in the act whereby companies that are jointly owned by the Scottish Government and another public authority are not caught. That could be remedied by one of the technical amendments that I suggested in my written evidence.

The Convener

That is interesting. It means that Ferguson Marine, which is now wholly owned by the Scottish Government, would come into the ambit of FOI.

Daren Fitzhenry

Yes.

The Convener

But V&A Dundee, which is privately constituted but has more than 50 per cent public funding from a variety of sources, would not be caught by FOI.

Daren Fitzhenry

I have not looked at that particular case but, from what you say, I would not expect it to be covered, and certainly not by section 6.

The Convener

That is my understanding, too. You say that some of the legislation on the issue needs tidying up.

Daren Fitzhenry

Yes, particularly in relation to bodies that are wholly public owned but through a mix of Government and other authority ownership. We see no reason why such bodies should not be caught by section 6.

The Convener

Yes. that would follow the principle of following the public pound.

Daren Fitzhenry

It would also follow the principle of including bodies that are wholly publicly owned and controlled.

Bill Bowman (North East Scotland) (Con)

I do not think that you mentioned education in your introduction. We heard from a member of the Scottish Youth Parliament about an Ipsos MORI poll that showed that only 25 per cent of young people are aware that they can use FOISA and that only 28 per cent are confident that they would receive a response if they made a request. You said that the system is not broken. You said that it could be better, but that it generally works well and that there is 71 per cent public awareness overall. However, among young people, the figure is only 25 per cent. What is being done to raise awareness of FOISA among young people and to deal with the lack of confidence that they seem to have in the system?

Daren Fitzhenry

That is certainly a concerning statistic for us. Polling that we carried out earlier this year showed that, in the 16 to 34 age group, the level of awareness generally is about 53 per cent or in that ballpark. I can provide the specific figure for the committee, but it is substantially lower than the average of 71 per cent. In the older age groups, the figure increases beyond 71 per cent. There is definitely a difference based on age.

To start looking at that, we have engaged with the Scottish Youth Parliament. Lorraine Currie has been actively involved in that. She has spoken to the Youth Parliament to find out what its members think should be done to help increase awareness. In addition, we have produced an infographic to try to show the rights in a more accessible format rather than pages of explanations about how to make an application, put in an appeal or seek a review. The infographic plays with a little jingle in the background and sets out how to do those things.

We have also increased our Twitter visibility to try to engage with groups and individuals who we might not have engaged previously. The key point that Mr Bowman mentioned was education. There is certainly a role for improving education on many issues about how Scotland works in practice, including freedom of information.

I am engaged with the Open Government Partnership work and we have provided input in relation to commitment 4, which looks at scrutiny bodies generally and access to those. One of our points was about the importance of including education in that, and I also mentioned education when I met the Cabinet Secretary for Communities and Local Government recently.

We are trying to get a more structured entry into the education system, because that is where people will become aware of how FOI can be used in practice, but we are also looking at other practical ways of engaging across the board.

Bill Bowman

It seems counterintuitive that younger people are less aware of issues around FOI than older people. What you described initially sounds a bit passive—improving your website and putting a jingle in. Did you say that there have been moves to get out and do something in schools or places of higher education?

Daren Fitzhenry

Perhaps it would be helpful for Lorraine Currie to tell you about the conversations that she had with the Youth Parliament.

Lorraine Currie (Office of the Scottish Information Commissioner)

We held a workshop at the national sitting of the Scottish Youth Parliament to inform its members of their rights and how to use them effectively, recognising the approaches that could be useful to the MSYPs and their constituents. We have produced a report on the back of that, based on the feedback that we got from MSYPs and some of the ideas that came up—for example producing new resources.

We are now looking at which of the ideas we can take forward and which would have the most impact in targeting that group of people, because of the data that you mentioned, which shows that there is a definite difference between the younger and older populations. In the past, it has been difficult to take resources into schools or get education about FOI into the curriculum, but we are looking at options that we could pursue in relation to something to take into schools. We would very much like to do that.

Bill Bowman

What would stop you?

Lorraine Currie

We are not sure about the way in, but we have been having conversations with the Information Commissioner’s Office, which is responsible for FOI in the rest of the United Kingdom, about ways in which we might be able to take that forward. We are actively looking at that because we recognise that we need to do something more for that group.

Bill Bowman

Do you know whether, in that group, Scotland has a different awareness percentage from the rest of the United Kingdom?

Lorraine Currie

We have some data for the general population that shows that Scotland has higher awareness than the rest of the UK, but we do not have data about that particular group.

Bill Bowman

It sounds as though you are a step or two away from doing any more than having plans to do something.

Lorraine Currie

We have plans.

Daren Fitzhenry

The problem is that education is not within our remit. We do not want just to go to school X and school Y and then say that we have done something about it. We want to see how education about FOI can be added to the system in a structured way. That is why we are trying to piggy back on initiatives such as the Open Government Partnership as a way in, so that we are speaking as part of a bigger collective voice and there is more chance of it happening. It is not yet being done, but we are trying to achieve it.

The Convener

That sounds wholly sensible.

Bill Bowman

I have a final point. Do you have a budget, if you wanted to advertise something? Where would the money be?

Daren Fitzhenry

Publicity is one of the areas in our current budget. Another benefit of trying to get in through other organisations is that we can have impact as part of a bigger picture for less output. That is about trying to make efficient use of our resources.

Bill Bowman

But you do not have the money to run something like a television campaign.

Daren Fitzhenry

No; for that we would have to seek more from the Parliament.

The Convener

That would be an extremely popular request, would it not?

Liam Kerr (North East Scotland) (Con)

I will ask about responding to requests. The committee has looked at the 20-working-days response time and, specifically, the tension between what is provided for in legislation and how that is interpreted. We have heard that 20 days can put the pressure on, but there is a counter view that whatever limit is put on would become the target—the norm, if you like. Of the appeals that you get, can you say how many are because the 20-day deadline was not met, and what the key causes of delay were?

09:30  

Daren Fitzhenry

Yes. In 2018-19, the reason for 27 per cent of appeals was failure to respond. As such, a high number of appeals were because of delay.

Liam Kerr

And what were the causes of that delay?

Daren Fitzhenry

The causes are varied. Sometimes, it is human error. Sometimes, the reason given is that the amount of information that an individual was looking for meant that the process took longer. Sometimes, it is due to issues of clearance; in other words, the decision making is higher up in the authority. Sometimes, it is due to workload pressures or the lack of availability of a key individual; for example, somebody may have gone off ill or been on holiday when the request came in. A number of reasons might be given for delay; however, the net effect, at the end of the day, is that it ends up creating more work for the authority, as well as not providing the individual with the information to which they are entitled.

Liam Kerr

Do you think that local authorities ever use the “seeking clarification” clock-stopper as a delaying tactic, and, if so, how do we prevent that?

Daren Fitzhenry

As far as I am aware, it is not used often. I would certainly want to have a close look at any case where I thought that there was a suggestion that it had been deliberately used to delay the provision of information. The current construct whereby—in essence—you go straight back to point zero on the clock is not helpful. Some of the suggestions that were given to the committee in evidence around the clock being paused while clarification is being sought are perhaps more useful and might prevent that option from being perceived as an attractive way of delaying providing a response.

Liam Kerr

Is there another solution? For example, do you think that 20 days is long enough, and, if not, should we increase it, or extend the number of circumstances in which it could be paused?

Daren Fitzhenry

I think that 20 days is long enough. As I mentioned in my opening remarks, despite the increasing number of requests, over the past three years, the rate of responses that have been made on time has been around 85 per cent consistently across authorities. As I said, although we would like it to be better than 85 per cent, that does not suggest that the system is keeling over because of an inability to meet the deadline. As such, I think that it is manageable.

In addition, the provision has to be viewed in context. We have other provisions, such as the excessive costs provision, whereby—currently—if it will cost more than £600 to provide information, it does not have to be provided. That provision works, and we have to look at the whole suite of provisions in deciding whether the 20-days deadline works. Obviously, with regard to the environmental information regulations, you can extend the deadline by another 20 working days if the issue is voluminous and complex; however, you have less of the voluminous part, because of the £600 maximum level in FOISA.

Liam Kerr

I will look at the whole picture in two seconds, if you do not mind—I will come back to that cap. Before I do, however, you mentioned the increase in the number of requests—I think that your annual report talked about an 8 per cent increase in requests last year. The committee has heard that that increase puts a lot of pressure on authorities and might make it challenging for them to comply with the various provisions. Is that increase sustainable? Given the resource pressures that arise, would anything other than budget increases, which the convener talked about, help an authority to comply? For example, would more standardisation or sharing of best practice be useful?

Daren Fitzhenry

On the question of what would help authorities to comply, the problem in some cases relates partly to an authority’s own structure for dealing with freedom of information requests; its procedures can sometimes add to delays.

Once the requested information has not been provided within the timescale, there is an increased chance of an internal review, which will suck up resource, followed by an appeal to my office, which will suck up even more resource. In many ways, the process rests on the stitch-in-time concept. If an authority has a smooth-running ship and good procedures, that should help to mitigate the chances of additional unnecessary work occurring.

There is certainly a resource implication in responding to freedom of information requests—there is no doubt about that. However, if an authority views the need to respond not simply as something else that has to be done—another encumbrance or bit of governance—but as a service that it should provide to people, because it should be pushing the information out there, that can help it to balance the resources that are utilised and see the benefits that it can get out of the process. For example, if people are raising issues of waste in an authority, that is a good thing, because it lets the authority respond and push out that waste. The process need not be a net sucker-up of resource, if you like—there are benefits for the authorities as well.

With regard to the increasing number of requests, if it keeps on going up and does not eventually plateau, that is always going to be a concern. However, in some ways, the increase is a good thing because it shows that the system is well used and that people are actively interested. Nevertheless, we hope that the mechanism of proactive publication will help to ease demand a little. I go back to the concept of wanting to push out information, and the view that that should be one of an authority’s primary roles. Taking such a view increases the chance that authorities will push out information voluntarily, through proactive publication.

As I said earlier, people are more likely to look online for the information first; it is only if they do not find it online that they will seek it from the authority. If they are going to ask a question after finding the information online, it is likely to be more specific and, we would hope, more easily answered, requiring less resource.

We do not want the numbers to keep on going higher forever—there must be an end point—but the demand is currently manageable. Authorities have not all of a sudden reached a point at which they are imploding with regard to their response times. However, they have to start thinking about how they do the work more efficiently and share best practice with each other. There are a number of sector groups that can help in that respect. Codes of practice also keep good practice alive, and helping to spread that good practice is always a positive thing.

We have been bringing the RSLs into the freedom of information system—they came under the remit of FOISA on 11 November. The fact that they have their own federations and groups has allowed for a lot of standardisation of forms and processes, and a lot of discussion between the RSLs. That has been useful in taking them forward and allowing the sector to take a more consistent approach.

Liam Kerr

I will stick with the same theme. You mentioned the fees cap earlier. There is a limit of £600, at £15 an hour, which is 40 hours’ work. I have two questions. First, is there any data on how often the fees cap is used as an exemption? In any event, do you take a view on whether the cap requires to be reviewed? If so, what should it be set at? You mentioned the Environmental Information (Scotland) Regulations 2004. Should we be looking at full cost recovery, as applies under those regulations?

There is quite a lot in there. If you want me to go back and ask the questions again individually, I can do so.

Daren Fitzhenry

First, we have statistics on how often the limit of 40 hours’ work at £600 is used every year. I do not think that we have those with us today, but I can certainly provide the committee with that information.

Lorraine Currie

We know that a fee was charged for 0.08 per cent of all requests in 2018-19, but we would need to come back to you with the data on how often a complete refusal was issued.

Liam Kerr

Thank you—that would be very kind.

Daren Fitzhenry

We know that the cap is used. There is a useful discussion to be had as to whether cost is the correct measure for that, or whether we should just go on how many hours it takes to provide the information. We currently have a cap in the form of the hourly rate and a limit of 40 hours in Scotland—in the rest of the UK, the limit is 20 hours. Where do we want to be on that? Perhaps moving away from cost will get rid of some unnecessary leaps. At the end of the day, we need to ask whether 40 hours is the right level of work.

Within the current practice, I think that the limit is working. It strikes a sensible balance between, on the one hand, wanting to get as much information out as possible and, on the other, recognising that there is a limit to what can be done with public finances. There are some systems in the world—in Canada, for example—where there are no limits at all, which can lead to requests for millions of pages of information. As members would imagine, that can cause serious issues. The current limit of 40 hours strikes a good balance, and I am certainly in favour of pushing out as much information as possible.

On your suggestion regarding the 2004 regulations, I would certainly not be in favour of full cost recovery. That would have an impact on those who are least able to pay—in essence, access to information would depend on how deep someone’s wallet was. That is in no way an attractive way forward for us in Scotland. I much prefer the concept of access to information as a universal right. As Lorraine Currie mentioned, the number of occasions on which costs are charged under FOISA is remarkably low, and that is generally a sensible approach.

Liam Kerr

A supplementary question occurs to me. As you highlighted, there is a different limit in England. Is there a comparison to be made there? What would the data show as the practical impact of having two different limits? Perhaps that is something that I will leave to you.

Daren Fitzhenry

The problem is that the rest of the UK does not have the same statistical information that we have, although it is looking at moving towards that. It would absolutely be interesting to see the difference in respect of the proportion of cases that are rejected; I imagine that it would be significant.

John Mason

To build on Liam Kerr’s questions, the committee has had a variety of evidence from different local authorities, and it is clear that the volume of requests coming in is an issue for some of them. Some authorities are therefore looking at who is asking the question or why it is being asked and are prioritising a little. The counter-suggestion is that the system should be applicant blind and purpose blind, and that requests should even be anonymised when they come in. Can you give us your thinking on that area?

Daren Fitzhenry

I certainly agree with FOISA’s general approach, which is that requests for information are applicant blind. It should not matter whether someone is a journalist or a private citizen, they are requesting public information, and they should be entitled to it unless one of the exemptions applies. Indeed, in our intervention to the Scottish Government, we made it clear that the decision as to whether information goes out should not be dictated by the fact that an individual happens to be a journalist or a political researcher. That should not automatically mean that they have to jump through more processes, which would cause an additional delay in the information going out.

Of course, if information is more complex and sensitive, there is a greater chance that it will be dealt with at a higher level in the system—we understand that.

09:45  

However, the legislation is not completely applicant blind, because there are some reasons why the name of the individual might be relevant. That is particularly the case in relation to vexatiousness. An individual might make requests for inappropriate motives and that might have the effect of harassing the authority. We have various tests for vexatiousness. In determining whether a particular request is vexatious, it is appropriate to be able to look at the wider picture, including the volume of requests from that individual. There are circumstances in which the identity of the individual is relevant to the process.

There would be some practical issues with requests being made without providing a name. For example, how could the individual concerned seek a review? How could they seek an appeal? How could we contact them to allow them to make their representations? How could they then go to court and talk about what they said in their original application?

John Mason

I took it that there would be a gatekeeper and that whoever looked for the information would do it anonymously, after which it would go back to the gatekeeper. However, I take your point.

Glasgow City Council said that commercial enterprises use the freedom of information system as a way of saving money. Instead of doing their own research, they get Glasgow City Council to do it for them at public expense.

Although you have suggested that the system should be purpose and applicant blind, I would rank an individual who just wants one bit of information higher than a journalist who sends in 200 requests all over the place on a quiet Friday afternoon. Should there not be an element of prioritisation?

Another suggestion, which was made by some of the health boards, was that people who have gone through the health system and are not happy with the result might just want to give the health board a kicking, and they do that by swamping it with requests.

Daren Fitzhenry

There are two issues there, the first of which is who is applying. In that regard, everybody is equal—it is a universal right. That is one of the strengths of the system, as it does not allow the authorities to make a subjective call on whether the individual in question is worthy or not. There will be different views on that. Some will say that journalists should have more access to information because they can raise issues at a higher level, while others will say that the individual is more important. Having a universal right removes any of those barriers and means that every request is treated in the same way, because everybody has the same right to the information.

John Mason

Mr Kerr mentioned the 8 per cent increase in the number of requests. If that figure keeps on increasing, given that a health board cannot give treatment to everybody who wants it and a local authority cannot fix every road that needs fixing, surely there needs to be some prioritisation.

Daren Fitzhenry

The next issue is the request behaviour. You mentioned health boards being swamped by requests and people contacting their authority to give it a kicking. That is when we come into the realms of a request possibly being vexatious, meaning that it should be blocked and need not be responded to. We already have the mechanisms to deal with that bad request behaviour.

I do not agree with the idea of prioritising individuals, because we are talking about a universal right. In essence, it is public information—it is information that we have all already paid for and which we all have the right to receive. In those areas where authorities are receiving lots of requests from companies for particular types of information, it should be asked whether those authorities should be more proactively pushing out that information so that it is out there anyway.

John Mason

My final question is on vexatiousness, which you have mentioned a couple of times. I think that it was Kevin Dunion who said that the vexatiousness ground for not responding has not been used very much by authorities. Is that your view, too?

Daren Fitzhenry

Yes. The vexatiousness ground has been and is used by authorities; in 2018-19, authorities used it 175 times. In the context of 83,000 requests, that is not a high number, so it is not used much, but it is used. That is sensible, because it shows that the provision is being used in cases in which people have crossed the line. Public authorities could use it in more cases, but they have a natural reluctance to using it. At the end of the day, we are public authorities and we believe that we are there to provide a service to the public. There is a natural reticence to calling people vexatious—even though it is the request, not the person, that is being called vexatious.

Willie Coffey (Kilmarnock and Irvine Valley) (SNP)

I will look at two areas that have been of interest to the committee over recent weeks. The first relates to proactive publication, which you have mentioned, and the second is the duty or expectation to record certain types of information. In your submission, you suggest

“removing the requirement to adopt a publication scheme”,

which should be replaced with a

“statutory duty to publish information”.

Will you explain, for the ordinary person in the street, the difference between the two? Why do you think that your suggestion would strengthen the 2002 act?

Daren Fitzhenry

The duty to have a publication scheme is quite an old-fashioned idea. The idea is that an authority has a bit of paper or document that is called its publication scheme, which sets out a number of things, including the classes of information that it will provide to people. Underneath that, there is another document, which is called the guide to information, that sets out everything that the authority publishes under each of the headings. It is quite an old-fashioned, paper-based idea of how an authority lets people know what it will proactively publish and what it is proactively publishing.

Originally, when the 2002 act came into force, the concept was that all authorities would have bespoke publication schemes. As time moved on, we looked at having sectoral schemes, and we have now got to the stage of having a model publication scheme. In other words, we say, “This is our idea of what a good publication scheme looks like—it’s the model publication scheme. Would you like to sign up to that?” The scheme sets out the classes of information that we would expect, such as information about the authority, procurement information, information about how it makes decisions and what decisions it has made, and information about how it manages its physical and human resources. Everyone is now signed up to our model publication scheme, but it is not really doing what it was originally intended to do, which was to make authorities focus on the public interest and push out information when there is a public interest in it.

We should move away from using those documents and focus on publication. Public authorities should proactively publish information when there is a public interest to do so. Instead of having a publication scheme, we could have a code of practice setting out the areas to be included. The code could evolve over time to take into account new technological methods. It could perhaps include a consistent approach to how certain information should be published. That would help requester groups, but it would also help authorities, because it would give them an easier baseline to measure their performance against other authorities, and it would allow them to explain what they were doing. The code of practice would represent a more agile and modern way of doing things, and it would put the focus on pushing out information to the public and not on having a document.

Willie Coffey

If we introduce a statutory duty to publish information, will that not give rise to people asking what kind of information they should publish? That brings us back to your list. How do we clear that up?

Daren Fitzhenry

The code of practice could in essence provide that list, but it could do a lot more than that. It could move proactive publication forward in more ways than just by giving authorities a list and asking them to provide the information under it. For example, we provide guidance about what should be published under each of those heads, but that is just good practice; it is not mandatory. At the moment, if an authority does not do that, I have to argue that it has breached its publication scheme duty, and it can become quite difficult to say whether a certain bit of information needs to be published. If there is a code that sets these things out in a nice, straightforward way, it is much easier to enforce. Again, the focus is on proactive publication—it is on making authorities push the information out.

There is currently a duty to publish, but it is a duty to publish information in accordance with the model publication scheme. We have moved on from that. It is almost like an extra layer of old-fashionedness that does not add any value and even distracts from the key thing, which is the importance of pushing out information.

Willie Coffey

That introduces the idea that information should be published routinely, rather than it being covered by guidance and regulation. Is that what we should move towards? There has been discussion in the committee over a period of time about why authorities do not just routinely publish what they have, rather than being told to publish things. Would you favour that?

Daren Fitzhenry

Yes, certainly. That is the cultural shift. Sometimes, regulation is needed behind that to kick-start things and make authorities go down that route but, once it is embedded, it becomes part of the normal day job. When people are going through agenda items in committee meetings, they will say of a point in a committee report, “We’re happy for that to be published,” or, “We’re happy for most of that to be published, but not paragraph X, because it contains personal data.” In that way, it becomes much more organic. It is just how things are done, and more important information is pushed out to people.

Willie Coffey

My other question is about a notional duty to record. Within FOISA, there is no such duty to record anything, but there is perhaps an increasing expectation among the public that information should and will be available. What is your view on that? Should there be a duty to document what happens in the public sector?

Daren Fitzhenry

In many ways, this goes back to the point that I made earlier about practicality. Whatever system we have in place, it has to be enforceable, because there is no point in having a duty that is so nebulous that it can lead to endless arguments about whether people are complying. Such a system would become almost unenforceable and serve no purpose.

If we have a duty to document, it is important that we have clear definitions of what should be documented. Without doubt, if information is not documented, the freedom of information regime will be of no use to people. That is the bottom line. We need public authorities to record information if the freedom of information regime is to have utility.

There are a number of discrete bits of legislation that require people to record certain things. That is particularly true for local authorities. To me, the key things that need to be recorded are important decisions that are made in authorities, the rationale for those decisions and key bits of information that informed them. If I was asked, “What are the important things that should be recorded?”, I would say that decision making is the big one.

There is a duty to document in the system in Denmark, and it focuses on decision making as the area that should be documented. Because that is a discrete area, it is possible to legislate on it with some certainty, rather than providing, for example, that anything that is of importance to the public must be documented. To introduce that provision would just be to ask for argument, litigation and uncertainty. I know that there have been thoughts about requiring important meetings with outside interests, or all such meetings, to be recorded. If the committee felt that that was important, it would be relatively straightforward to define it and add it to a duty.

There is a big issue to do with whether such a duty lives in the freedom of information legislation or the records management legislation. Authorities already have duties under the records management legislation. The keeper of the records of Scotland is responsible for that, and there is already a requirement for authorities to have records management plans. To a degree, the keeper can require information to be created, but that power lives in the records management legislation and not in the freedom of information legislation.

Willie Coffey

I was going to come to that, because I was going to ask you to distinguish between what is in FOISA and what the civil service code sets out as a duty to keep accurate and official records. Is it the case that such a duty already exists somewhere else and does not have to be in FOISA? Should we strengthen FOISA to make it adopt aspects of the civil service code? Where does that duty sit?

10:00  

Daren Fitzhenry

A number of duties are contained in various places. For local authorities, there are a number of discrete, statutory duties to record certain things. Willie Coffey pointed out the civil service code; there is also the ministerial code. A number of codes already have guidance on what should be recorded. The issue that arises when there is no such guidance is who is responsible for dealing with it, what powers they have to deal with it and what sanctions there are. If the responsibility ended up with my office, a significant resource issue would be associated with that, because it is the sort of area where one would expect a number of lively discussions to take place and challenges to be received.

Willie Coffey

That is helpful. Thank you.

The Convener

Mr Fitzhenry, I assume that your job is concerned with the quality of information as well as the disclosure of information.

Daren Fitzhenry

It is concerned with the quality of the responses to make sure that the information is pushed out. Whether that information is accurate is another issue. For example, the value of the freedom of information request might be to show that the authority is working on the basis of inaccurate information, if the information that it holds is not correct.

The Convener

With our other hat on, in our audit work in this committee, we recently released a thematic report. One of the themes in that report is about data that the Scottish Government holds. We discovered—and the Auditor General also identified—that there is a problem with the lack of data that is held on certain things. Do you find that sometimes, when the public are looking for information, even though it might be an important question, the data is not held by local authorities when you might expect it to be?

Daren Fitzhenry

Yes, that happens. Occasionally, we express surprise that the information being sought was not held. Sometimes, it is not held because it is held by another body. There are so many bodies involved in health, for example, that the person who made the request might not have identified the correct body that holds the data. Sometimes, authorities have not thought to record that information and freedom of information requests can be used to identify that and to make the authority think while they are compiling their response, “Why do we not have this information? We should have it.” That can help to improve authority practice.

The Convener

I have a current example of an FOI request that I submitted to all the health boards in Scotland about the number of female spaces in hospitals, because wards are increasingly becoming mixed sex, and female-safe spaces are disappearing. I have been astonished by the responses, because health boards are not recording or holding that information. Is there an opportunity in the work that we are doing to address that and encourage local authorities to have better information keeping?

Daren Fitzhenry

Yes, as I said, that is an area in which freedom of information can help to identify areas that are not monitored but should be monitored. If a request such as Jenny Marra’s is made and the organisation realises that it is not keeping that information, that is an opportunity for it to say, “Well, let’s now keep it.” A person might make a request like that and get different responses from different authorities in the same sector, because they all record their information in slightly different ways, or because some record that information and others do not. It can help to raise the issue, so that the sector can look at how it records that information and try to have a degree of consistency in that. The problem is that independent authorities will always have a degree of difference in the way they record information.

The Convener

Is there anything that you feel you have not had the opportunity to address this morning?

Daren Fitzhenry

The only major point that I would like to make is about intervention and, in particular, proactive intervention. That is about the ability for my office to help improve authority practice, by going to an authority that is performing poorly and helping it to improve that performance—for example, with time delays.

We had a recent example of proactive intervention with East Lothian Council, which was performing poorly on turnaround times. By way of proactive intervention, we identified the problem, went to the council, discussed the matter with it and helped it to move forward. The council put resources in to deal with the issues causing late responses, and its on-time figure improved dramatically; having been as low as 70 per cent, it is up to about 99 per cent. Those were substantial changes.

We need a greater emphasis on allowing us to do that and on the powers that we have to compel witnesses, particularly if we move away from covering only public bodies and into covering private bodies that carry out public services. From an efficiency and effectiveness position, more resource in that area would be money well spent.

The Convener

I thank Daren Fitzhenry and Lorraine Currie for their evidence this morning. I will suspend the meeting briefly to allow for a changeover of witnesses.

10:06 Meeting suspended.  10:09 On resuming—  

Section 23 Report

Section 23 Report
“Scottish Public Pensions Agency: Update on management of PS Pensions project”

The Convener

Agenda item 4 is a section 23 report. I welcome our witnesses, who are from the Scottish Government. We have Leslie Evans, the permanent secretary; Alyson Stafford, director general, Scottish exchequer; Gordon Wales, chief financial officer; and Colin Cook, director of digital. I understand that the permanent secretary has an opening statement.

Leslie Evans (Scottish Government)

The Scottish Public Pensions Agency provides pension administration services to more than 0.5 million retired and contributing members across the national health service, teachers, the fire and police services and the Scottish Parliament. The agency has experienced material growth in the number of scheme members over recent years, including successfully taking responsibility for the police and firefighter schemes in 2015. In addition, the agency has implemented a range of information technology and change projects to respond to UK and Scottish pension reforms and system improvements.

The agency’s transformation programme was launched six years ago, in 2013, and comprised eight major projects. All bar one were implemented successfully. The decision to terminate the one unsuccessful project—the integration of pension administration and payment functions, which is the subject of our deliberations today—was taken almost two years ago in February 2018. The decision was taken only after months of strenuous efforts on the part of the agency to secure a working system from the contracted IT software supplier, Capita. Despite repeated reviews and replannings, Capita failed to deliver any of the project milestones.

In the committee’s previous evidence session on the report, you heard that the SPPA has undoubtedly extracted and applied important learning from the experience, and the Scottish Government has learned, too. We have put in place more robust procedures for the progress of IT projects and we are strengthening and clarifying relationships with arm’s-length bodies. Procurement regulations have also tightened in relation to areas such as low tenders. However, as Audit Scotland’s report confirms, Capita’s delivery of the software was fundamental to the success of the project.

I stress that, throughout the period under discussion, the SPPA maintained collection, administration and payment to clients and continues to do so. It is important to emphasise that there has been no risk to the pensions that are paid by the agency. They continue to be paid on time and in full. The focus has been and will always be putting customers first.

Audit Scotland’s report sets out costs for the life of the project but, in practice, the additional costs to the SPPA were smaller and were closer to £3.8 million. That includes significant sums on existing staff who would have been employed anyway, as well as costs to Capita. Cost projections for the future are also very different and are dependent on the pace of change.

I am aware that, over the years, the committee has considered a number of public sector IT projects. The lessons from those projects have shaped current practices and new Scottish Government assurance arrangements. Those lessons have also enabled Audit Scotland to develop helpful guidance for digital programmes right across the public sector. However, it is worth noting that we currently have 410 active IT projects registered with our digital assurance team, 27 of which are classed as major. In the past year alone, the Scottish Government and its agencies have successfully delivered several new IT projects and systems, including the upgrade to Revenue Scotland’s tax and administrative system, several new benefits in Social Security Scotland, improvements to our core shared service platform and the creation of two new forestry agencies.

The chief executive of the SPPA, as the accountable officer answerable to the Parliament, will always be best placed to answer detailed questions on the issue. You will be aware that much of the information and paperwork pertaining to the project is archived, so we may have to come back to you on particular points of detail. However, I am here today with my colleagues to assist the committee in its scrutiny of the project.

The Convener

Thank you. As you mentioned, we had an evidence session on the issue, but the committee was not satisfied with the answers that we received, which is why we have invited you along, as the person in charge of the Scottish Government. The chief executive of the SPPA is new and so did not have detailed knowledge of what went on previously. We hope that we can get clarity on some of the issues today.

Willie Coffey

Ms Evans, you will be well aware that a number of IT projects have come to the committee’s attention. We tend to ask the same questions every time that we get those reports, because there is always a similarity in them with regard to a failure to adopt recognised software development and quality assurance management standards and practices. It seems that this might be another example of that. Why did the failures take place in this project? Were those recognised management standards adopted and in place for the project?

10:15  

Leslie Evans

Colin Cook might want to say something about the technical aspects of the software.

It is important to remember that the SPPA has its own board and accountable officer and is responsible as a decision-making body in its own right. It was clear from the beginning about its roles and responsibilities and what it was seeking.

We can talk a little about the support that we gave the SPPA as it followed the very clear procurement process, which, at the time, was governed by the Public Contracts (Scotland) Regulations 2012. The regulations have since changed, so the process by which the software would be procured now would be quite different.

The other thing to be clear about is that the SPPA received support from the Scottish Government’s procurement section and lawyers, but its decision-making process was based on rigorous testing of the Capita tender. A number of companies came forward in the procurement process on the basis of the descriptions of what was required that were put out. In those days, there was a 70:30 split in terms of quality and price, and Capita scored well on that.

Perhaps Colin Cook could say more about the specifics and a little about how the process would be different if we were looking to go through—as we are—the same exercise now.

Colin Cook (Scottish Government)

We have discussed on a few occasions the new principles and approach that, with Audit Scotland’s support and guidance, we have introduced across the Scottish Government. Such a major project would now need to be registered with the internal audit team that oversees digital projects, and it would be subject to mandatory justification gates throughout its lifetime. For the people running the project, there would be a set of guidance available and a set of resources for them to call on. There would also be a set of standards, known as the digital first standards, which summarise need, to ensure that user needs are well understood before the project starts; the technology that should be used, or the approach to procuring or developing that technology; and the capability and capacity that the team will need to develop the project and sustainably improve any service that emerges after it goes live.

Willie Coffey

Thank you.

Software development methodologies have been around for ages and are fairly well established in the industry. However, this project seems to be an example of those methodologies not applying—although they now will. Given that standards have been in place for so long, committee members have been asking for a number of years how that can happen with projects such as this one. It is as though the project slipped under the radar and we did not notice it. I think that that is a common feeling among members. When we suddenly get such a failure, we hear people say, “Oh, we are applying new standards now”, but the standards have been around for a long time. Why were they not applied in this case?

Leslie Evans

I will say one thing before Colin Cook comes in on the specifics.

The other thing that we need to remember is that we had a bid from a contractor that is very experienced in not just software but pensions, and which still delivers pensions contracts in the UK and, possibly, beyond. The bid was tested robustly; we might want to talk more about that process. However, on robustly and rigorously pressing Capita’s preparedness and capacity to deliver the project, the then chief executive was very experienced and took timely action to take extra time to test Capita’s capacity, experience and pricing of the bid, which was not necessary under the procurement regulations of the time.

Although I understand your frustration with particular software projects—Colin Cook can talk a bit more about how we are evolving and have developed our approach—there is a contractual compliance issue here that we should not forget. We may want to talk more about that later.

The Convener

Permanent secretary, that is an interesting response. The Auditor General reported that the SPPA’s response was that

“it did not have the skills to further probe the tender.”

That is quite contrary to what you just said.

Leslie Evans

The SPPA was looking to probe the tender across a range of areas. There is a bit of confusion about the exchange with, I think, the legal advisers in the Scottish Government—

The Convener

The exchange between—

Leslie Evans

The SPPA.

The Convener

And Capita?

Leslie Evans

No. There was an exchange—indeed, there were many exchanges—between the SPPA and Capita, but if I remember the report correctly, there was a discussion about when SPPA felt that it was appropriate to keep pursuing Capita, and along what line. My assertion here, and the evidence that we have—Alyson Stafford and others, probably including Gordon Wales, have seen the raw material on all this—is that the chief executive not only sought legal advice but asked for written clarification from Capita about its costings; how many data migrations it had experience of across public and private sector schemes; its ability to deliver economies of scale; and the view that it wanted to grow its market in Scotland and that that was one reason why its tenders were as they were. The SPPA also wanted to know what it would need to do if it felt that the tender was too low—in other words, that it was not robust enough. That was part of the conversation that I believe it undertook with experts in the Scottish Government.

The Convener

Okay, but are you suggesting that the contract was probed further?

Leslie Evans

The tender, yes.

The Convener

Sorry—the tender.

The Auditor General said that the SPPA itself responded that

“it did not have the skills to further probe the tender.”

That indicates that no further probing was done. The report goes on to indicate that the SPPA “took no further action” before accepting Capita’s bid.

Leslie Evans

The SPPA tested the tender rigorously. I know that it also had some specific technical issues that it wanted to consider with Capita; I think that that was the conversation that we are talking about. At no time were we asked for any further support by the SPPA on probing the tender, because the SPPA was so fundamentally—and characteristically, I think, given the chief executive’s experience—thorough in its testing. I am not aware of any aspect of the tender, or the probing of the tender, that would have made a difference to Capita’s fulfilling the project.

The Convener

So why did SPPA say to the Auditor General that

“it did not have the skills to further probe the tender”?

Are you saying that it did not need to probe the tender further—that it was all done?

Leslie Evans

I think that it probed the tender very seriously, and more than one might have expected, given the regulations that were in place at the time. I think that if it felt that it needed to gather more information, or more experience, it could have come to the Scottish Government for that. I am not aware of whether it did or did not do that. Do colleagues want to come in on that?

Alyson Stafford (Scottish Government)

I am very happy to do so. The key thing about the history of the tender and Capita’s involvement is that it started way back in 2014. A pre-qualification questionnaire was issued, to which various suppliers responded. Capita was one of those, and its response showed that there were no grounds for concern, in terms of its finances or its capability to ultimately take part in the tender. Tender bids were then submitted by the due date, which was in March 2015. Capita’s bid, alongside all the other bids that were submitted, went through a rigorous test to rank the position of all the bids that had come in. As the permanent secretary has already said, that process was based 70 per cent on quality and 30 per cent on cost. The key part of it was to work through what is known as the MEAT—most economically advantageous tender—method. The whole package is taken into account.

The agency went through due process and, as part of the process, carried out some further scenario tests, asking each of the bidders to work through three scenarios that involved demonstrating processes—for example, demonstrating how members would apply for benefits online or following a calculation right through, from receiving mail to the final stage. Those detailed things were all tested, and Capita came out on top for all those presentations.

Further checks were done. As the permanent secretary has said, those further checks, with the level of due diligence as described, were not actually required under the tendering regulations that were in place at the time; they were carried out to ensure that the bid was not an abnormally low tender. It was for Capita to demonstrate that the bid was both genuine and serious. It responded on that point, and its representatives were seen by the accountable officer at the agency. The judgment was made that the bid was a genuine and serious bid.

It is important for us to remember that what happens in procurement exercises is a highly regulated but also commercial activity. Companies that compete and take part in a tender exercise will make a whole range of judgments as to how they want to take part in it. Part of the testing of a low bid involves ensuring that the contract requirements are absolutely understood. The contract terms were supported by the Scottish Government’s legal department, in order to ensure that they were rigorously drafted. Capita was able to demonstrate to the accountable officer that its understanding of the contract’s requirements was not weak. We were alive to the fact that a supplier could perhaps choose to exploit the situation: once it had put in a low bid, it could come back during the term of the contract and exploit the situation to try to make good.

There have been some real decisions about tenderers that may wish to get into a market and are willing to put forward a different price. That is not unusual in a commercial scenario. We have had examples in Scotland—not necessarily involving IT—of suppliers and successful tenderers to which we have let contracts and which have put forward their materials with a price that was lower than what might be viewed as an appropriate price so that they could get a market share. Some companies are willing to enter a market just so that they do not have fallow periods or staff who are not being deployed.

The Convener

We appreciate that the scenario that you have described can happen. I am more concerned about the first part of your answers, which stands in direct contrast with paragraphs 14 and 15 of the Auditor General’s report. You said that Capita came out on top in every instance. The Auditor General said:

“Capita scored second for quality, first for cost, and first overall.”

Alyson Stafford

I agree with the Auditor General’s report in terms of—

The Convener

You do?

Alyson Stafford

I do in terms of the ranking against quality and cost but, as regards the further tests that were applied to all bidders, with three scenarios that each of them had to present against—

The Convener

Okay. Well, let me—

Alyson Stafford

That went beyond the 70:30 quality and cost ranking. Even beyond that, some further exercises were done, and they were applied to all bidders at the same time. It was a competitive process. On the basis of those three scenario testings, Capita came out on top.

The Convener

I think that we are all agreed that its bid was the lowest. However, paragraph 15 of the report stands in direct contrast to what you and the permanent secretary have described to us this morning. I will read it to you:

“As SPPA classed Capita’s bid as abnormally low, it was required to investigate whether it was a valid bid. SPPA queried elements of the bid with Capita and discussed Capita’s responses with the Scottish Government Legal Department, who advised that more in-depth questions should be asked to fully assess the bid. SPPA informed the Scottish Government Legal Department that it did not have the skills to further probe the tender. SPPA took no further action and accepted the bid and reassurances from Capita over its ability to deliver.”

Do you accept the Auditor General’s account?

Alyson Stafford

I know that the SPPA had to determine whether Capita’s bid was genuine and serious—that was the overarching test that it had to do. It conducted due diligence on the bid. Again, that was not required at the time, but it chose to do that—and absolutely did that—as part of following that through. The clarifications that it sought from Capita gave it the assurance that it needed that the bid was genuine and serious.

10:30  

The Convener

What is your reaction to the SPPA saying that

“it did not have the skills”

to ask the necessary questions?

Alyson Stafford

Obviously, that is what is on—

The Convener

Do you accept that?

Alyson Stafford

I see that that is what is on the record, and—

The Convener

But you do not accept that.

Alyson Stafford

I know that, ultimately, a judgment had to be exercised by the accountable officer on the contracts and the bids. On balance, across all the bids—and the due diligence on Capita was reasonable—the accountable officer saw that all the assurance that they had up to that point was sufficient to make a decision.

Leslie Evans

I do not think that that issue made a fundamental difference to Capita’s capacity to deliver on the contract. That is an important point. We saw that in the report. Capita failed from the first project milestone to deliver on the project. From very early on, it indicated concerns and difficulties about being able to deliver.

The Convener

Do you accept that the Government failed to check out Capita properly?

Leslie Evans

I accept that the chief executive, as the accountable officer, his team and the board did everything that they could. In fact, they did more than was required to check out Capita’s capacity.

The Convener

They did not, because they said that they

“did not have the skills”

to ask the right questions.

Leslie Evans

I do not know where that comment came from, but—

The Convener

It came from the Auditor General.

Leslie Evans

I mean in terms of the SPPA. Ultimately, it was for the chief executive to probe every aspect that he felt was appropriate to probe in letting the contract, to advise his board on that basis and to decide that the contracted has been tested—not quite to destruction, but the tender was heavily tested; it was tested way over and above what was required for procurement at that time. Are we saying that there is one element that led Capita to fail to fulfil the contract? Capita would need to be asked about that.

The Convener

But your officials said that they

“did not have the skills”

to ask Capita questions. That is part of the problem.

Leslie Evans

The SPPA said that it might not have had the skills, as far as I can remember from Audit Scotland’s text. I cannot understand what the context of that comment was.

The Convener

No, the SPPA did not say that it “might not have had the skills”. The exact wording is:

“SPPA informed the Scottish Government Legal Department that it did not have the skills to further probe the tender.”

I sincerely apologise to Willie Coffey. Would you like to come back in? I know that other colleagues want to probe that issue a little more, too.

Willie Coffey

I will be brief.

I go back to the software that did not work. My experience from a number of years of working in information technology is that, if people adopt and apply a recognised development standard, they are quite likely to get things right. What development standard was applied in the project? What software development methodology was applied?

Colin Cook

In this instance, we have seen from the reviews that took place that there were a weakness in how the program was developed by the contractor and weaknesses in the way in which the SPPA was skilled and in its ability to oversee the development of the project.

I can assure members that, if such a project were starting now, the ways in which the assurance processes would work, the support that we could provide to the SPPA, how it would engage with that support and the standards to which we would operate would insist on and require us to follow a recognised methodology, whether that was a standard waterfall-type project management approach or, as would be more likely in this case, some form of agile project development.

I can also assure members that the training that is required in order to promote those standards is in place. We have launched a skills academy. The Scottish digital academy has trained more than 1,800 people in such processes. We are managing to train the practitioners who are responsible for delivering the projects and the senior managers and directors of organisations, to give them a better understanding of the ways in which software should be developed.

Willie Coffey

That is a good answer, but it tells me that no software development standard was applied in this project. That is what I am trying to get at. The issue has been known about for a long time, but the project seemed to escape the clutches of recognised development methodologies. Nobody noticed until it was too late, and we lost £8 million as a result—a figure of £8.7 million was mentioned by the Auditor General, £700,000 of which was returned by Capita.

If no standard was applied, and we are correcting that so that we now apply it, we might as well say so. The message that has been sent for a long time is that the adoption of recognised IT development standards must be a priority. I am encouraged by what you have said, because it appears that that standard is now in place. However, it was not in place in this project.

Colin Cook

Yes, and I think that you saw from how the reviews took place that there was a willingness at the beginning of the process to try to put the project back on an even keel and start to introduce some of the disciplines that one would expect, and time was given for that to happen. The way in which the review process was carried out set some milestones and anticipated gates that we would expect people to meet. When they were not met, the new—as it was at the time—audit and assessment process was robust enough to say that the project was one that we could no longer support, and the chief executive took the decision on that basis.

I think that I can offer you confidence that we are in a different place now in terms of skills, methodologies and capabilities in the organisation. However, clearly, this project did not work, and, as a consequence, we have learned from it and are moving on.

Colin Beattie

Sorry to be pedantic, but to come back to paragraph 15, the SPPA clearly had concerns about and queried aspects of the bid. It raised some of Capita’s responses with the Scottish Government’s legal department, which agreed that there was a problem and asked the SPPA to ask more in-depth questions. The SPPA told the legal department that it did not have the skills to do that. What did the legal department do at that point?

Leslie Evans

I cannot speak on behalf of the legal department in those days. I think that, now, the legal department would probably say, “We have given you our advice. If you need further support or skills sources, there are places in the Scottish Government where those can be sourced, depending on what the specific issue is.” The project was a very technical one, and the advice that was given by the Scottish Government at that time was predominantly to do with procurement and the legal aspects of procurement. It would not necessarily have been the lawyers who would have been able to either spot the issue or answer questions about what to do about it.

If the aspect of the software that was the problem was a particularly technical one—I do not know how technical it was; Gordon Wales might be able to help with that—that would not necessarily be something that the legal department or the procurement department could help with. However, those departments could have sent them elsewhere, such as to Colin Cook’s predecessors in IT and to our technology side of things. However, to my knowledge, we did not receive a bid for that kind of information or support, although we gave masses of support in other areas, and continued to do so throughout the project.

I understand that it is important that you probe the issue in paragraph 15, but if you are asking whether that issue is at the core of why the project failed, I would say that I do not think so.

Colin Beattie

I think that it is rather more indicative of why the project failed. There is a series of multiple failures throughout. That is just one aspect of it. I would have expected someone in the legal department, when they got that response from the SPPA, to have the intelligence to say that there is a problem here. Did the department just file the issue? It has a corporate responsibility.

Leslie Evans

Indeed it does, and I would not demur from that. I would like to think that, because we all have a corporate responsibility for ensuring that the Scottish Government and arm’s-length organisations deliver on projects, if something of that nature came up now, it would be dealt with differently. Of course, the decision to accept the tender was the chief executive’s decision, based on all the information that he had at the time from the Scottish Government, in a supporting capacity, and from his own officers.

Colin Beattie

So, it would be the chief executive who would take the decision to take no additional action.

Leslie Evans

Yes, that would be his operational responsibility; he would be accountable for that. He would have weighed up all the information that was in front of him, having, as Alyson Stafford described, tested almost to destruction the nature of the tender and having had contact with our procurement and legal sides. On the basis of all that, he would have decided whether he felt that it was the right kind of tender for the project that we described.

Colin Beattie

Is there documentary evidence of the decision and why it was taken?

Leslie Evans

I am sure that there will be, because it will have been submitted to the board. I do not have the minutes with me, but we might be able to find those for you.

Colin Beattie

It would be interesting to see them.

The Convener

Permanent secretary, forgive me, but I am confused by some of your answers. You say that the chief executive tested the tender to destruction. He did not test it to destruction. It says in paragraph 15 of the Audit Scotland report:

“SPPA queried elements of the bid with Capita and discussed Capita’s responses with the Scottish Government Legal Department, who advised that more in-depth questions should be asked to fully assess the bid.”

The legal department of your Government told the SPPA that it needed to ask more questions. Therefore, the chief executive at the time could never have been under the impression that he had tested the tender to destruction before he decided to accept the bid, so why do you say that?

Leslie Evans

The chief executive is the accountable officer who is responsible for taking the decision. He—or she, in certain circumstances—has to look at all the information that has been amassed at the various stages of tendering that Alyson Stafford described, the probing that has been undertaken and what came out of that probing. Depending on how technical or financial the tender is, or depending on its quality or presentation and so on, the chief executive has to recommend whether the tender should be accepted.

The Convener

You said that it had been tested to destruction, but your legal department said that it had not been and that there were additional questions to be asked.

Leslie Evans

In the context of the regulations and procurement processes of that time, the investigations that the chief executive undertook were not required. Now, they would be, and a bid of this kind would probably not be accepted, although Colin Cook can advise me on that. The regulations have changed; they were quite different several years ago.

The Convener

But your legal department advised the SPPA that it needed to—it was required to—ask more questions. The Audit Scotland report says that your legal department

“advised that more in-depth questions should be asked to fully assess the bid.”

Gordon Wales (Scottish Government)

Perhaps I could interject. The legal department reviewed the Capita’s responses and described them as reasonable. It then suggested that an additional question could be asked. It did not dictate that the agency should ask additional questions. The legal department’s assessment was that the questions that Capita had been asked thus far had elicited reasonable responses.

The Convener

You are therefore saying that paragraph 15 in the Auditor General’s report is not worded all that accurately.

Gordon Wales

It might well be that the SPPA was not in a position to ask additional technical questions, but the reality is that the chief executive—

The Convener

No, paragraph 15 does not say that. It says:

“the Scottish Government Legal Department ... advised that more in-depth questions should be asked”.

Gordon Wales

The evidence that I have seen says that the legal department suggested that additional questions could be asked.

The Convener

Paragraph 15 says “should”.

Gordon Wales

I realise that there is a subtle difference.

The Convener

There is a difference between “could” and “should”, yes.

Gordon Wales

Ultimately, as the permanent secretary says, it comes back to whether the accountable officer was satisfied that the probing that had been carried out up to that point was reasonable and satisfied him that Capita’s bid was a serious one. He took the decision that it was.

The Convener

He took that decision despite the fact that he had been advised that more questions needed to be asked.

Leslie Evans

They could be asked.

Gordon Wales

Could be asked.

The Convener

It says “should” in the Auditor General’s report.

Leslie Evans

Our understanding is that it was “could” not “should”—we have only a limited amount of information to go on, but we have some that indicates that it was “could”.

The Convener

The Auditor General is sitting behind you and we will hear what her take on that is during our next session.

Why did the Scottish Government not intervene at this point?

Leslie Evans

The Scottish Government was in a position to support the accountable officer’s role in testing the tender. The chief executive of the agency would come to us and tell us, which I think he did, that his intention was to accept the tender. A process was then triggered by that decision. I am not familiar with all the details of the process but, to my knowledge, at no time did the chief executive ask the Government to tell him whether he should accept the bid. If that had been the case, we would have had a conversation about it. Alyson Stafford can say whether that was the process.

10:45  

Alyson Stafford

A specific process is followed for all procurements, which is designed to ensure that diligence is applied to all bids equally. Overall, based on the different scorings on the 70 per cent quality element and the 30 per cent costs element, Capita’s bid came out as the most economically advantageous bid. In the additional tests on the three scenarios, it came out top. Additional diligence was carried out to ensure that the bid was not an abnormally low tender. Capita was asked to provide clarification and assurance that its submitted costs were accurate and sustainable through the term of the contract, and Capita was able to confirm that its bid was accurate and that it allowed for its required margins and contingency. All those factors are the things that the accountable officer at the agency took into account in reaching a judgment.

The other thing that I think is important—

The Convener

I accept—the Auditor General has made this clear—that the SPPA chief executive went ahead and accepted the contract. We are not quibbling with that, but why did the Scottish Government not intervene at that point, when the chief executive had called the legal department and said, “I don’t have the necessary skills to get under the skin of this.”?

Alyson Stafford

It was not the chief executive.

The Convener

Whomever it was, the SPPA got in touch with the Scottish Government’s legal department and said, “We don’t have the skills to get under the skin of this.” Why did you not intervene at that point? I have never run a Government, Ms Stafford, but if somebody told me, in relation to a huge contract involving a huge amount of public money, that they were not sure whether they had the staff who were qualified to ask the appropriate questions, I think that that would ring alarm bells and I would want to send someone in to sort it out.

Alyson Stafford

The chief executive at the time had the skills and the track record. He had come from running a £15 billion pension operation.

The Convener

So, despite the fact that the SPPA told you that it did not have the skills to ask the necessary questions, you were happy to let it go ahead and accept the contract.

Alyson Stafford

The chief executive of the agency had the skills to reach the judgment, overall. He had done due diligence and he had received an assurance from the Scottish Government’s legal department that all the various assurances that he had sought specifically on Capita supported going ahead on the contract.

Yes, there was an additional element about asking an additional question. However, it is not that that the bid could not be probed at all; it was thoroughly probed.

The Convener

What did your legal team say when the SPPA said, “We need help with this, because we don’t have the skills to ask the appropriate questions.”? How did the legal team respond?

Alyson Stafford

I ask Gordon Wales to respond to that.

Gordon Wales

Can I go back—

The Convener

If you answered that question, that would help me.

Gordon Wales

Yes, and I am looking at the correspondence. The legal department did not insist that the agency went back to Capita. It provided it with advice on additional questions that it could ask, but I go back to the point that the legal department confirmed that the responses that had been provided up to that point were reasonable. It provided advice on additional questions that the agency could ask if it wanted to. I want to be clear on that point.

The Convener

Were the people in your legal department not concerned about the lack of clarity? Did they not think that they should flag up the issue further up the tree and maybe get intervention?

Gordon Wales

Again, they deemed the responses reasonable but provided additional advice on additional areas that could be probed if the agency wanted to do that.

The Convener

What would happen now in the same scenario, permanent secretary?

Leslie Evans

As I have said, I do not think that the tender would have got to the stage that it has, for reasons that Colin Cook has described. The procurement process is completely different. In addition, there would be less pressure in terms of some of the conditions that the SPPA was experiencing at the time.

It is important to put it in a sidebar that the process was not happening in a vacuum. The chief executive had regular contact with his line manager and regular contact through the Fraser figure, who was attending meetings and received paperwork. The conversations and the tendering process that we are talking about were not taking place in a vacuum; they were part of regular contact between the chief executive of the agency and some of his staff, our staff and his line manager, and indeed, on occasion, ministers.

That would of course still happen now. We would have a very different set of testing and assurances, which Colin Cook has outlined. Equally, as part of that, there would be a much more in-depth and rigorous assessment of the nature of the contract, within the procurement guidelines that now exist, which are distinctly different from the ones that were in operation.

The Convener

When was the contract awarded?

Leslie Evans

It was October 2015.

The Convener

How long had the discussion of the contract been going on before that?

Leslie Evans

It would have been in the months prior to October 2015, during that year.

Alyson Stafford

The bids were due in by a date in March. The date was adjusted slightly, but it was in March 2015, and then reviews took place throughout that time.

The Convener

Exhibit 1 in the Auditor General’s report, which is on page 10, gives a timeline of the leadership and governance of the SPPA. It sounds as if you have read the Official Report of our previous evidence session when the committee probed the issue in quite a lot of detail. The conversations that we have just been talking about all took place when there was a serious hiatus at the top of the SPPA. You say that the contract bids were due in in March 2015. The permanent chief executive, who had been in the post for 13 years, left the following month, in April 2015. There was then a three-month gap with an interim chief executive, who left in June 2015. A permanent chief executive was appointed in July 2015, and then that chief executive was pulled into the Scottish Government—I understand to work on another project—until September 2016, and the agency was left with a senior responsible officer.

Given the points that we have just covered about the questions that needed to be asked about the contract and the big question marks over it, did the lack of leadership at the top of the agency have anything to do with those issues?

Leslie Evans

I need to correct some of those points. An accountable officer and chief executive officer has been in place at all times for the SPPA. Ross Paterson took up the post in May 2015. He was in place for two years and saw through the concluding stages of the evaluation and tendering. He saw through the contract award in October 2015. He was also wrestling with Capita to try to ensure that the project stayed on track and was able to deliver. Because Capita failed to do that, Mr Paterson was also responsible for having to extend the existing contract to ensure that there was provision and that customer care and customer focus were maintained.

At one point, he went for about three months to work partly for the Scottish Government, but he retained his responsibility as chief executive of the agency and as accountable officer. That was agreed with the chair of the management advisory board and the cabinet secretary at the time. He maintained responsibility for the project throughout those three months or 12 weeks and he attended all the project board meetings during that time. He was the key player overseeing the process and in all the contact with Capita during those three months. Therefore, I contest the assertion that there was a lack of continuity.

There were some personal circumstances, which we had to adjust to and address but, in all cases, we were trying to ensure that we had a balance between business continuity and the duty of care as an employer. We do not need to go into what those circumstances were.

The Convener

Indeed not.

When you had such an important contract with considerable public expense and such a big on-going project, why would you give somebody a second job in Government? Why did you not leave them there and let them properly manage what was going on?

Leslie Evans

I spoke earlier about the balance between business continuity and the importance of delivery, on the one hand, and personal circumstances and our duty of care as an employer on the other. Taking into account all those circumstances, we decided that the best thing to do was to get a working arrangement that de-risked the tension between those two sides. That meant that Mr Paterson was working for the Government for a certain period of time on a particular project—which Alyson Stafford can describe, and where he had valuable and important experience—but continued to be responsible for overseeing and driving the delivery of the IT project.

I could go into a few more details about the personal circumstances—

The Convener

I do not want any personal circumstances—

Leslie Evans

I did not think that you would.

The Convener

I did not even think it was necessary to mention anyone’s name here.

Leslie Evans

It was important, because that was one of the reasons why we slightly changed the configuration of responsibility at the agency at the time. The deputy was in charge of day-to-day activity in the agency, but Ross Paterson retained accountable officer responsibilities, chief executive responsibilities and, indeed, responsibility for this project. There was no doubt about that.

The Convener

Permanent secretary, would you not agree that it seems odd that, if you have just signed a contract and if there are issues about awarding it—as is clearly set out in paragraph 15 of the Auditor General’s report—you would give somebody a second job on top of overseeing what was a very important job at the same time?

Leslie Evans

We do not want to get into personal circumstances—

The Convener

I am not asking you to get into personal circumstances.

Leslie Evans

No—but you are doing that by the question that you are asking, I am afraid. I am not going to go into what they are, but we had to ensure that, in order to maintain the continuity of business, in order for the chief executive to be able to continue to devote his important time to leading and indeed project managing this important piece of IT development, and in order to facilitate his doing that, to have him working a little closer to his home and supporting an important project—which Alyson Stafford can describe—was a good business solution. That approach combined business continuity—because he was still in charge of the project—with duty of care as an employer.

The Convener

You have left us in an awkward position. I would be the last person who would want to dive into anyone’s personal circumstances, but it seems an odd way to deal with duty of care to give somebody a second job, no matter where that job may exist.

Leslie Evans

It was not a second job; it was another part of work that supplemented what he was doing. He was not in charge of the day-to-day running of the agency any more, but he was in charge of this project, and he had oversight as AO, as well as chief executive responsibilities. I do not want that to be confused.

The Convener

Why would you want to change the person at the top of the organisation in the middle of such a critical project?

Leslie Evans

We sometimes have to take decisions about a duty-of-care responsibility, supporting individuals, the location of their work and their working pattern where we can ensure that that does not put projects at risk—which this decision did not—but in a way that enables us to be responsible employers.

Bill Bowman

I will move on to the subject of governance. At a previous meeting I asked some questions about the SPPA’s audit committee. In summary, I had some difficulty finding out from the website who the audit committee were, and I found the committee’s minutes to be subsumed into the minutes of the management committee, I think it was. Only recent minutes were on the website, and we had to email to get previous ones. We did that, but I do not think that we have received them.

When you receive a section 23 report such as the one that we are discussing, do you ask yourself—in this case—what the audit committee was doing and whether it is fit for purpose?

Leslie Evans

Of course, we reflect very seriously on reports such as this. You will have been able to tell from the evidence sessions that you have conducted that we think very carefully about the learning around all this.

The audit committee met, and I believe that its meeting was attended by our Fraser figure. We also had officials regularly attending the agency’s management board, audit committee and project board. We had a Government responsibility, through the Fraser figure, to be in touch with the governance and assurance of the SPPA. If we feel, as a result of the Auditor General’s report, that those need to be tightened, that will be one of the things that the SPPA will be responding to in due course.

Bill Bowman

I do not know whether the audit committee met and reported, because I have not been able to see the earlier minutes. I do not know whether you have been able to look at those yourself.

11:00  

Leslie Evans

I would have to ask colleagues here whether they have, although much of the information is archived, as you might understand.

However, one thing that I will say, which may be helpful to you, is that we have our own Scottish Government assurance and audit committee meeting next week, on 10 December. The section 23 report, the SPPA’s response to it and our Government response, including some of the issues that you have been asking me about, will be considered. We will then take further advice and deliberate about what Scottish Government circumstances we need to change in our relationship with arm’s-length bodies. I know that the SPPA has already shared with you some of the changes that it has made as a result of its deliberations on the report.

Bill Bowman

I do not want to broaden this to other audit committees, but I know that the Auditor General had comments about your Government audit committee.

I am concerned that issues have been raised, across a number of reports, about what the SPPA audit committee was doing and I would really like to know that you have looked at this section 23 report and that you have satisfied yourself that that audit committee is now at least fit for purpose.

Leslie Evans

Yes. I know that Alyson will want to talk about that. We have asked the SPPA to ensure that, in its comprehensive response to the Audit Scotland report, it reflects on the governance and assurance arrangements that it had in place then and those it has in place now. We are not complacent.

Bill Bowman

But if the organisation itself has had an issue and a problem, can you just rely on it to say that its audit committee is functioning properly?

Leslie Evans

It will be for the organisation in the first instance to look, as it is doing, at the nature of the report and what it says about its audit and risk practices. Alyson may want to say something about that in a while. It is also for us to ensure that we are playing our role in relation to an arm’s-length body with an accountable officer and its own board, and to ensure that there is no room for things to fall between those two stools, on audit and risk capacity. Alyson, do you want to say something about that?

Alyson Stafford

Certainly. The audit and risk committee at the Scottish Public Pensions Agency was in place during this time. It met according to the schedule one would expect it to meet.

Bill Bowman

This is going back to 2014?

Alyson Stafford

Yes. It did meet. It was populated, as you would expect, with non-executive directors and officials were in attendance. Internal audit services and Audit Scotland would also have been in attendance at those meetings throughout that time. The non-executive directors who were part of that included people with large-scale, public sector financial experience; they would also have brought in private sector experience. That continues up to today. Those people have experience as accountable officers, so they would understand that. There was also someone who had only recently stood down after completing their term of office, who also had specific private sector pension industry experience, from Edinburgh. That was helpful because, as well as this project that we are talking about, there were another seven projects going on, implementing not only changes that the Scottish ministers wished to see—as the permanent secretary has already said, bringing in between 20,000 and 30,000 firefighter and police pensions—but the Hutton reforms from 2011, which was a UK Government requirement.

Bill Bowman

You have the benefit of having seen the minutes: can you tell us whether the audit committee flagged up the issues, or did the issues fly past it?

Alyson Stafford

The audit committee was briefed about the projects. There was an overall transformation programme that was programmed to run—

Bill Bowman

Did the audit committee raise issues that somebody, presumably, ignored?

Alyson Stafford

The audit committee scrutinised each stage and was equally testing about how Capita was to deliver on the contract. The main issues were not really around after the contract had been let, but about the lack of contract delivery. To come back to Mr Coffey’s earlier question, Colin was not able to comment specifically on the software development, but we know from some other material that—

Gordon Wales

It may be helpful if I directly address Mr Coffey’s comment. A 2016 independent first review of the project states:

“Capita are using a waterfall approach to development and apply recognised international standards to the development process”.

That is an independent report.

Alyson Stafford

I realise that we need to address your specific question. The audit and risk committee’s issues were to do with Capita’s non-delivery in respect of what was required at particular points in time. In the first stages of the contract, Capita delivered on various elements but, at the end of July or early August 2016, a particular element of the software supply was applied to user acceptance testing in the agency. The agency staff are considered to be part of the cost of the project, because they tested the software. They had the experience and the knowledge, and they were used to using previous systems and the reforms that were being brought in. At that point, the success rate of the calculations that the software generated was not satisfactory. The audit and risk committee was therefore briefed and aware of the issues. The project board then intensified its activities in holding Capita to account through the process.

Bill Bowman

Did the audit and risk committee raise issues such as the continuity of the management at the top of the agency?

Alyson Stafford

Not to my knowledge, because there was a managed handover. There was a short period between the chief executive standing down at the end of March 2015 and the interim management. There was then a long handover between the interim chief executive and the substantive chief executive. The audit and risk committee and those members who also had a link into the management advisory board were sighted on that and recognised the actions that were being taken.

Bill Bowman

Perhaps there is a takeaway from this. It is hard to argue with you, because I have not been able to see the reports. Will they be made available? I do not mean just historical reports; I mean on-going reports.

Leslie Evans

I am sure that we can arrange to share the historical ones, but in terms of—

Bill Bowman

I mean will they be on the SPPA’s website? I do not necessarily want them myself.

Leslie Evans

I am sure that the SPPA would want to dwell on that and ensure that it has the right kind of information on its website.

The convener asked about the short period of time in which the chief executive of the SPPA worked on a financial project as well as having oversight of the project. That was agreed by the management advisory board. It was not as if that work was carried out separately. The management advisory board was aware of that.

Bill Bowman

I have a final, more general question. If you get a section 23 report, do you ask yourself what the body’s audit committee has been doing and whether it is still operating functionally?

Leslie Evans

I can speak only on behalf of my own audit function; Alyson Stafford may want to talk about arm’s-length bodies.

Bill Bowman

You can talk about the bigger picture.

Leslie Evans

That function is, of course, a very important part of the governance and assurance of any organisation. You referred to Audit Scotland’s comments on the Scottish Government’s audit and assurance committee. We have taken those comments extremely seriously.

Bill Bowman

I do not want to go into them specifically.

Leslie Evans

Absolutely. The function is very important. It is an integral part of the Government’s assurance of any organisation, and particularly the assurance of a Government body or a body that is at arm’s-length to the Government.

Alyson Stafford

Mr Bowman is referring to the audit and risk committee during a particular period. As I mentioned, Audit Scotland has been present at that committee. The Audit Scotland reports on the SPPA’s accounts for the 2014-15 and 2015-16 financial years made no reference to the project. The Scottish Public Pensions Agency made a tremendous effort, and subject matter experts were brought in. The chief executive at the time approached me to talk about bringing in people who would help with continued diligence on the delivery of the project and the change process. The project was one of eight. At the time, major things were happening to pensions in Scotland, which the agency led on. Those eight projects included software elements. Prior to that, the Scottish Public Pensions Agency delivered successful software changes, and it has done so subsequently.

The real concern was about the supplier’s non-delivery. To give you a sense of the diligence that was applied in managing the contract, the project board met at least monthly and the frequency intensified as soon as there were issues. Further, the SPPA approached the Government to ask to be part of the pilot of the technical assurance framework that has been designed and is in place. Therefore, the chief information officer became a member of the project board. There was a huge amount of effort and scrutiny around the supplier to make sure that it delivered.

When the first failure occurred, a tremendous amount of work was done, not to look at the sequencing and critical path of the project—one thing after another—but to work through which elements could be built coterminously. We are not critical of that. It was about building them side by side, so as to make up the time.

The key thing was that there was a hard deadline for the project. March 2017 was an absolute cut-off date, for one reason alone. The project integrated administration, payroll and web-based services and, of the three existing suppliers that were to be replaced by one supplier, two were willing to extend the contract beyond March 2017, but the other refused to do so, which created that hard deadline.

Subject matter experts were brought in, which enabled us to redesign the project as it went along. It was Capita that—one series after another—failed to deliver.

The Convener

We appreciate the detail, but will you try to be briefer?

Alyson Stafford

Yes, of course. Those are some of the key points. That was the capacity that was there to support the project and keep it as on track as possible.

The only other point to draw out about the effective management of the contract is that, according to the contract terms, Capita could and should have earned £2.7 million if it had delivered the project. That is the contract price that would have been paid during the period that we are talking about. In the end, the SPPA paid less than £700,000, which shows that it did not pay for anything that it did not get. The contract was rigorously managed. The sad thing about it was the lack of delivery.

Colin Beattie

We had an evidence session with the SPPA on 26 September, which covered some of the changes to sponsors during the life of the project. Gordon Wales advised the committee that the sponsor arrangements encompassed line management of the chief executive and the public body’s Fraser figure. At different times during the project, those roles were combined and carried out by one Scottish Government official; at other times, they were split between two officials. A Scottish Government sponsor official is also a non-executive director of the SPPA’s management advisory board.

I am looking at the timelines for the to-ing and fro-ing of the sponsors. That surely must have contributed to the chaotic management of the project. What were those guys doing during that time? The sponsors must have been aware of the problems, so what did they do?

Leslie Evans

On your first point, Gordon Wales now has the roles and responsibilities of line manager and Fraser figure. That is slightly different from the sponsor process, but I understand the point that you are making.

The Fraser figure is a very particular role, which embodies the responsibilities that are delegated from a minister to a director general. The director general decides whether to take on those roles and responsibilities themselves or to give them to a Fraser figure. I might be wrong—I am willing to be challenged on this—but I do not recall another occasion on which we have combined a Fraser figure with line management responsibility. I was not permanent secretary for a good chunk of the project, but as far as I am aware, Gordon Wales was the first person to be the Fraser figure and hold the line management responsibility.

Colin Beattie

According to my information, the roles were also combined from April to June 2015.

11:15  

Leslie Evans

I am not aware of that being the case. Your point was about the quality and nature of the Fraser figure role. Eleanor Emberson—later, Eleanor Ryan—and Alistair Brown, who acted as Fraser figures from 2014 up to Gordon Wales’s time, were two of our most experienced finance officials. They worked for Alyson Stafford and were colleagues of Colin Cook, and they were both very experienced not just in relation to the Fraser figure responsibilities but in the implementation of major IT projects. They would have been very clear about their roles and functions—Gordon Wales can talk a bit more about that—and about their responsibilities for attending board meetings and seeing the management advisory board papers, which they did. Alongside that, they had line management responsibility—with Alyson Stafford, for the most part. Those two functions were a very important part of our being kept abreast of what was going on. Ministers were also kept abreast of the process.

The Fraser figures would have been familiar with the rigorous process that Alyson Stafford described and with the management of the Capita relationship, particularly by Ross Paterson, who managed it at the most crucial time. The chief information officer was also on the board, and she and her colleagues were part of the independent testing at three different times during the project’s life.

Colin Beattie

I presume that whoever was discharging that function for the Scottish Government was well aware of the problems with the project. How did they discharge their duties? How did they assess the risks to success? How did they report that up the line? I feel that the problems should have been flagged up earlier.

Leslie Evans

You are right that the Fraser figure’s role is to support but also to challenge on behalf of the Scottish Government. The Fraser figure would have a relationship with the minister and with line managers, in terms of reporting back.

The accountable officer had the role of and responsibility for executing the project and keeping the Government appraised, which he did regularly. It was not that we were not aware of what was going on; we were part of the solution and part of the testing and probing of Capita. We looked at what it could deliver, particularly at the three junction points that are mentioned in the independent IT review. You will have read about the amber, the amber-red and the red categories in the report and the accompanying documents.

Does Alyson Stafford want to say anything about the Fraser figure information that was relayed to her?

Alyson Stafford

Yes, certainly. Through regular line management contact and through the Fraser figure feedback from the various project and management advisory boards, there was a clear awareness that what Capita had been contracted for was not being supplied by the required deadlines.

The first indication of that lack of supply came at the end of July and into early August in 2016. A further extraordinary project board session was set up in the middle of August. I personally went to that session to meet the senior representative, who was Capita’s signatory to the contract, to stress that we expected and required the contract to be delivered. I insisted that that needed to happen. I also attended the session to see the replanning and reprofiling that I described, with separate blocks of activity identified, which would be done coterminously, not in sequence.

I wanted the Capita software development team to have a more regular presence on site, because a lot of its work was being done remotely. Space was made available in order to get people from Capita on site, so that they would be there and could test anything that they wished to by way of interpretation of regulations and specification. As I say—

The Convener

I am sorry, but we are running short of time. Would you like to add anything else?

Alyson Stafford

There was oversight and there was knowledge. Ministers were briefed at key points when various things were happening. Equally, when there was the particular change in October—a recognition that Capita was going to fail to meet its March deadline—specific actions were taken.

The Convener

Thank you.

Alyson Stafford

Just to add to that, the work that was done at the specific points relating to the three levels of assurance, and the scrutiny that was done by the chief information officer, were really important. That was an independent means of holding Capita to account not only during the contract but, sadly, subsequently, when it had to be closed.

Leslie Evans

We can give some information in writing on that, if that would be helpful.

The Convener

That would be very helpful.

I thank the witnesses for their evidence this morning.

11:19 Meeting continued in private until 11:28.