Agenda item 3 is an update from the minister on the information technology system that underpins the protection of vulnerable groups scheme. The minister wrote to the committee on 27 June about the progress that had been made on implementation and about some of the issues. A copy of the letter is included in the committee papers.
Thank you, convener.
Thank you, minister. I ask members to indicate whether they want to ask questions.
Absolutely. You will understand that, from my perspective, we are processing PVG applications; we are doing that work on time and we are continuing to provide a valuable public service.
I am aware that Disclosure Scotland is carrying on the work that it has to do.
Yes.
The problem is that a system that was due to come in in February was in such a state of—I will say disrepair, but that is perhaps being too polite.
I am not able to go into the technical detail of the project, but we are willing to come back to the committee on questions of technical detail.
I do not doubt that for a moment, but my concern is about not only the failures that I listed at the point in February when the system was supposed to be ready to go live, but about the BT recovery plan. The minister said that the recovery plan would continue until 2012. I am not sure when in 2012 that is. Perhaps you can clarify whether it will be early or late 2012.
Yes.
Can you explain what has happened to the recovery plan and why—as you said in your opening remarks—it will be completed sometime in 2012, despite promises of complete functionality by August?
Yes. Work needs to be done to improve day-to-day functionality, and the infrastructure of the project needs to be co-ordinated in a particular way. If there is further information on the technicalities that I can get to the committee, I will be happy to oblige. If the committee would like to be briefed by a full range of officials, we could certainly arrange that.
Forgive me. I do not want to be difficult, but the PVG programme’s independent technical adviser, the NCC Group, reported that it had a high degree of confidence in BT’s ability to successfully complete the recovery plan. The recovery plan was due to provide full functionality by August 2011 and we are now talking about a completion date of summer 2012—a delay of 12 months. What advice have you now received from the NCC Group on the recovery plan?
I accept that the timescale is less than satisfactory. That is probably an understatement. However, we continue to have confidence that we will get things sorted and that the matter will be resolved. In the meantime, we assure the committee that we are getting on with the day-to-day work of an important public service.
I am sure that we will come on to discuss the impact on Disclosure Scotland and the users of its services, but I am interested in the inability of BT’s IT people to deliver a system on time. I am sure that we will have questions about whether it will be delivered on budget too, but there has clearly been a failure on timeliness; even the recovery plan has failed to meet its timescale.
That is the thrust of our on-going dialogue with BT, as part of which we are having some challenging discussions. BT is under no illusions about my and this Government’s dissatisfaction with the state of affairs, and it continues to work intensively with us to resolve the issue.
You asked about the NCC report. We have not gone back to NCC for further views, but its recommendations included ways in which Disclosure Scotland should enhance its skill sets to ensure that we could keep on top of BT on the technical side. We are using Scottish Government contracts to get support from experts in particular fields and IT specialisms. A member of the Scottish Government’s IT side is working closely with us and with the project team to ensure that we can deal with BT’s approach with great rigour.
We are dealing with BT at a very senior level.
I certainly hope so.
I share the convener’s concerns. The minister was right to put it on the record that the Government is also deeply concerned about the long time involved.
We are not hiding the problem under a bushel. The issues were highlighted on Disclosure Scotland’s website and Disclosure Scotland has worked closely with stakeholders—the Convention of Scottish Local Authorities, the police and the Scottish Social Services Council.
You said that you had weekly updates. Do COSLA and people in schools receive them? Is information about why the problem happened and when you expect it to be solved being handed out to parents, schools and employers, or do they have to look at Disclosure Scotland’s website?
We do not need to hand out information to parents and schools; that would cause unnecessary alarm. I would be one of the first people to advocate ensuring that parents get necessary information, but Disclosure Scotland is doing the job that it must do, albeit with extra effort.
I do not suggest that. If looking after and protecting particularly vulnerable children is paramount—as you said in your opening statement—and is the prime aim, as it must be, are you confident that parents are aware of the timescale and are getting good information about what is being done to address the problem? When can parents have confidence that the problem will be solved?
The Government has been open about the problem. I came into my post at the end of May and wrote to the committee about the issue in June. The committee meets in public and involves MSPs who pursue the Government as appropriate and as is their absolute right. We are hiding nothing.
I reassure the committee that the data’s integrity is paramount. The PVG system as supplied did not give us confidence, so we had to introduce a separate system to recheck the data from the live databases with which the system was to interface. We did not just accept the results from the PVG system—we went offline to the police national computer, the Scottish criminal history system and the national police cross-reference system to ensure that the results that we got through the PVG system matched the results that we got directly from the live systems. That is a workaround, as we call it, and BT is providing the extra finance to cover it.
I totally accept that, and it is good to hear that there have not been any specific challenges to that. The issue is more that, as the convener suggested, there has been a considerable delay in the process. The Government has been quite good in engaging with the committee on this matter—it did not only write a letter; it offered us briefing sessions as well. However, the issue is more about engaging with parents and people who want to protect children from unsuitable people. They need to be told about the scale of the change that is having to take place and the reasons why we are in such difficulties. I am not quite sure that that is happening at the moment.
One of the jobs of the compliance team at Disclosure Scotland is to go out and explain the situation to the registered bodies. We get daily requests to visit those organisations, and we organise seminars and meetings to explain where we are with PVG. I am now proposing that we hold seminars throughout Scotland to bring everyone up to date with exactly where we are and what we are doing, to explain how the legislation operates and to assure people that there is no risk attached to the IT deficiency, because we have put in place the necessary measures to prevent that risk from moving beyond the IT system.
I am also reassured by your comments about risk in relation to those adults who should not be working with children. I absolutely accept your assurances on that point.
Yes.
There is no argument about that.
Just to reassure you further, the Government has not paid a penny since these difficulties have emerged for the PVG-related work. I hope that it will be of some reassurance to the committee and to parents to know that 118,000 PVG applications have been processed since we moved on from the interim procedures.
I am taking from what you have said that BT has accepted financial responsibility for the situation that it has caused.
BT has accepted that Disclosure Scotland will need to be reimbursed for additional costs incurred.
The Government has not paid for the system.
No.
And will not pay for it—
We have not paid any money for the scheme since these problems have emerged.
There were some up-front costs, but you have stopped payments until the situation is resolved.
Yes.
That is clear.
Yes.
Is there a backlog? If so, what size is it and how is it being dealt with?
Currently, PVG turnaround time is 13 days. Our target is 14 days, which suggests to me that there is not a backlog, but I will let the experts answer.
There is no backlog. There is work in progress, which amounts to about 3,000 applications going through the system at any one time, but we do not consider that to be a backlog. A number of applications take longer than the 14 days—13 days is an average. As with the old system under the Police Act 1997, we have to go to police forces throughout the UK and other organisations to gain information. Although we have service level agreements with them, they are not enforceable and sometimes it takes longer than the 14 days to get information back. Some applications take longer than 14 days, but that represents work in progress as opposed to a backlog.
I am not sure whether I agree with that definition of what is not a backlog. I accept that the average is 13 days. Can you give me the spread? How quickly are the quickest done and how slowly are the slowest done?
Some can be done in two or three days; others can take four or five weeks.
Five weeks would be the longest.
Depending on some of the issues that arise, it could take longer. I noted one that took about 120 days.
Okay. That is helpful.
Disclosure Scotland is doing the work that it needs to do and we should all be reassured by that, irrespective of the fact that we are all dissatisfied by the current situation.
I am grateful. I would be grateful—as I am sure the committee would—if we could get regular updates on progress on the project, which would be helpful.
We would be delighted to do that.
I want to ask Disclosure Scotland about complaint levels. Are the complaints directly attributable to the IT problems, or do they relate to different problems? You might be aware that I am representing an organisation that has some difficulty with Disclosure Scotland and has complaints about your level of service. The complaints relate to handwritten letters, wrongly addressed correspondence and blank e-mails being sent to the organisation that were supposed to contain information. We are also talking about sensitive information being sent to a variety of addresses and the response being, “Well, you share your premises with more than one organisation,” although that is pretty routine. Is that anything to do with the IT situation, or is that due to something else?
The incident to which you refer was partially down to the IT situation. The organisations have the same street address, share the same building and are within the same faith group. We hope that we have now addressed that. I note your recent communication of Monday, which we are looking into. We will get back to you very soon with a response. I will have a wee look at that, because I thought that we had addressed it and had it down as a fix.
I do not want to get into a personal discussion about a case that I am involved with, but it indicates that you have IT problems. Blank e-mails and wrongly addressed correspondence that is sent to other organisations seem to reflect a fundamental problem. We are dealing with serious and sensitive information being wrongly addressed. I am trying to understand not the specifics of that case but the wider implications of that example for your IT system. If that is the experience of one organisation, who else is experiencing the same?
As far as I am aware, it is the only organisation that is experiencing that because of the unique set-up there.
I fail to understand why the set-up is unique. There are multiple organisations that are all in the same faith group within the same building. That must be common. I used to work in an organisation that shared a building with other voluntary and third sector groups. How can an envelope containing sensitive information be delivered to a different organisation with a different title, albeit that they are in the same building? How is that possible?
I would need to recheck our information before I could give you an answer to that question. As far as we can see, the first time, the address to which we had sent the letter seemed to be correct; whether there was a postal error, whereby the Post Office put the letter through the wrong letter box—
I am sorry to interrupt—I do not want to get into a personal spat about that one example. The letter was correctly addressed in terms of the street and the postcode, but the name of the organisation was incorrect—a different organisation’s name was on the envelope. That organisation opened the envelope, which contained sensitive information, and that happened not only on one occasion but on several occasions.
I shall go back and check that.
Although it is not for me to cut across the operational matters of Disclosure Scotland for reasons that you will understand, I ask to be cited on your correspondence to Disclosure Scotland. I take very seriously the constituency interest that MSPs have a duty to represent, and I am always interested in hearing about members’ individual experiences of things that are happening on the ground.
I am more than happy to copy you into it. I am not trying to resolve that constituency problem in the committee; I am concerned that it is an example of an IT system—customer service is another issue, but we will not discuss that here—producing material that is incorrectly addressed. I am not concerned only about that one case; I am concerned that it is an example of a deeper underlying problem with the IT system.
I share that concern. I cannot comment on the specific example, but if there are cases in which sensitive information has gone to the wrong place because of a fault in the system, that should concern us. Given that we are now talking about the problem being fixed next summer rather than this autumn, we have a responsibility to ensure that it is sorted out.
From my perspective, one complaint is one complaint too many. Notwithstanding the fact that, at four per 10,000, the complaint rate is low, we should always look very carefully at individual cases to ensure that there is not a wider, systemic issue.
Members have no further questions on the matter. I would appreciate further updates, as I am sure the committee would. I also have one final question. Who is ultimately responsible for the whole situation with the IT system?
BT. There will be a lessons-learned exercise, which will be shared with the committee. From where I am sitting just now, I think that the responsibility is with BT. However, if there is anything that the Scottish Government can learn, we will take that seriously.
I am sure that the committee is reassured by that answer. I share your finger pointing—if I can characterise it in that way—at BT, which has clearly failed to live up to expectations. That is very disappointing. I am sure that it is disappointing not only for Disclosure Scotland but for all the other organisations and individuals who depend on the work of Disclosure Scotland. I look forward to further updates and I thank the witnesses for coming along to discuss the issue.