Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Finance and Public Administration References Committee—Senate Standing—Digital delivery of government services—Report, dated June 2018


Download PDF Download PDF

The Senate

Finance and Public Administration

References Committee

Digital delivery of government services

June 2018

ii

© Commonwealth of Australia 2018

ISBN 978-1-76010-778-9

Senate Finance and Public Administration Committee Secretariat:

Mr Tas Larnach (Acting Secretary) from 13 April 2018

Ms Ann Palmer (Secretary) until 12 April 2018

Ms Cathy Nembu (Acting Principal Research Officer)

Ms Kathryn Cochrane (Senior Research Officer)

Ms Nicole Baxter (Administrative Officer) until 11 April 2018

Ms Michelle Macarthur-King (Administrative Officer) from 12 April 2018

Ms Jo-Anne Holmes (Administrative Officer) from 12 April 2018

The Senate PO Box 6100 Parliament House Canberra ACT 2600

Ph: 02 6277 3530 Fax: 02 6277 5809 E-mail: fpa.sen@aph.gov.au Internet: www.aph.gov.au/senate_fpa

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia License.

The details of this licence are available on the Creative Commons website:

http://creativecommons.org/licenses/by-nc-nd/3.0/au/.

Printed by the Senate Printing Unit, Parliament House, Canberra.

iii

Membership of the Committee

Members

Senator Jenny McAllister (Chair) ALP, NSW

Senator James Paterson (Deputy Chair) LP, VIC

Senator David Fawcett (from 5.02.18 to 22.03.2018) LP, SA

Senator Kimberley Kitching ALP, VIC

Senator Bridget McKenzie (to 5.02.18)

Senator Amanda Stoker(from 22.03.2018)

NAT, VIC

LP, QLD

Senator Lee Rhiannon AG, NSW

Senator Lisa Singh ALP, TAS

Substitute Members

Senator Jordon Steele-John (for Senator Rhiannon on 15.02.2018) AG, WA

Participating Members

Senator Rex Patrick CA, SA

v

Table of Contents

Membership of the Committee ........................................................................ iii

Acronyms and abbreviations ............................................................................ xi

Recommendations ............................................................................................. xv

Chapter 1 ................................................................................................................... 1

Committee views and recommendations ................................................................ 1

The promise of digital transformation ................................................................. 1

Failure of leadership ............................................................................................ 4

The reality of 'digital transformation' so far ........................................................ 6

The cost of consultants and contractors .............................................................. 8

Building digital capability in the APS ................................................................. 8

Report Structure ................................................................................................. 12

Chapter 2 ................................................................................................................. 13

Background and context ........................................................................................ 13

Referral ................................................................................................................. 13

Overview .............................................................................................................. 13

Previous inquiries into government ICT .............................................................. 14

The Gershon Report .......................................................................................... 14

Audit of Australian Government ICT ............................................................... 15

The history of the Digital Transformation Agency .............................................. 16

The Digital Transformation Office .................................................................... 16

The creation of the Digital Transformation Agency ......................................... 17

The DTA’s current role ..................................................................................... 18

Leadership ......................................................................................................... 19

Recent Incidents ................................................................................................... 20

Australian Taxation Office 'outages' ................................................................. 21

Department of Human Service—'robo-debt' ..................................................... 21

vi

Department of Human Service's—'sale of Medicare card numbers on the darkweb' ............................................................................................................. 22

Department of Human Services—child support replacement system ............... 24

Australian National Audit Office Cyber Security Follow-up Report. .............. 24

Australian Bureau of Statistics eCensus denial of service ................................ 26

Department of Home Affairs ............................................................................. 26

The NAPLAN online failure ............................................................................. 27

The Australian Apprenticeship Management System ....................................... 27

The Biometric Identification Services Project .................................................. 28

Chapter 3 ................................................................................................................. 31

What is 'digital transformation' of government services .................................... 31

Introduction .......................................................................................................... 31

Perspectives .......................................................................................................... 31

Whether government is different from the private sector .................................... 33

What questions should government be asking? ................................................... 36

'Being digital' rather than 'doing digital' ............................................................... 37

Chapter 4 ................................................................................................................. 41

Challenges faced in undertaking digital transformation .................................... 41

Introduction .......................................................................................................... 41

Critical challenges to digital transformation ........................................................ 41

Systems architecture issues ............................................................................... 41

Infrastructure design ...................................................................................... 41

Managing complexity .................................................................................... 44

Legacy issues ................................................................................................. 47

Cyber security, risk and resilience .................................................................... 48

Privacy ............................................................................................................... 51

Digital identity ............................................................................................... 53

The diversity of users and their needs ............................................................... 55

Public expectations of government in digital transformation ........................ 55

vii

The retention of traditional methods of engagement with citizens ............... 57

Website design ............................................................................................... 59

Data storage security ...................................................................................... 60

Chapter 5............................................................................................................ 65

Whole-of-Government Issues ................................................................................ 65

Introduction .......................................................................................................... 65

Leadership and accountability .............................................................................. 65

The need for an agreed vision ........................................................................ 65

Senior leadership and digital capability ............................................................ 65

Devolved decision-making ................................................................................ 67

Outsourcing has deskilled the APS ...................................................................... 67

The skills shortage ............................................................................................. 68

The generalist manager...................................................................................... 69

Cost-saving policy leads to deskilling ............................................................... 69

Rebuilding skills ................................................................................................... 70

An APS ICT digital profession ......................................................................... 70

Building digital competence .............................................................................. 71

Project management capability ...................................................................... 72

Current initiatives .............................................................................................. 74

Procurement .......................................................................................................... 75

Whole of government ........................................................................................ 75

Procurement expertise within the APS .............................................................. 75

Access to tendering process in procurement ..................................................... 76

The 'undigital' nature of current procurement methodologies ...................... 77

DTA response .................................................................................................... 77

A common approach ............................................................................................. 78

Platforms ............................................................................................................ 78

Common activities need a common approach ................................................... 79

Chapter 6 ................................................................................................................. 81

viii

Case Studies............................................................................................................. 81

Introduction .......................................................................................................... 81

Australian Taxation Office—Unplanned Systems Outages ................................. 81

Background ........................................................................................................ 82

DTA's response .................................................................................................. 84

The outage ......................................................................................................... 84

Overview of the ICT purchasing decision ......................................................... 85

Contracting arrangements .................................................................................. 86

Increase in contracting activity in 2009 ............................................................ 89

Committee view ................................................................................................. 90

Child support system replacement project ........................................................... 91

DTA response .................................................................................................... 94

DHS response .................................................................................................... 95

Committee view ................................................................................................. 97

Online Compliance Intervention (Robodebt) ....................................................... 98

Background ........................................................................................................ 98

The development of OCI ................................................................................. 101

The ATO role in data matching ....................................................................... 102

The OCI letters ................................................................................................ 102

DHS' assessment of OCI ................................................................................. 103

Systems design issues ...................................................................................... 104

Committee view ............................................................................................... 106

Welfare Payment Infrastructure Transformation ............................................... 106

Background ...................................................................................................... 106

DHS Response ................................................................................................. 108

Committee view ............................................................................................... 111

Government senators' dissenting report ....................................................... 115

Leadership .......................................................................................................... 115

The Australian Public Service ............................................................................ 117

ix

Common platforms and procurement ................................................................. 119

The Digital Transformation Agency .................................................................. 120

Australian Greens' additional comments ..................................................... 123

Summary ............................................................................................................. 123

Affordable, quality broadband internet .............................................................. 123

Appendix 1 ....................................................................................................... 125

Submissions and additional information received by the committee .............. 125

Submissions ........................................................................................................ 125

Tabled Documents .............................................................................................. 126

Additional Information ....................................................................................... 126

Answers to Questions taken on Notice ............................................................... 126

Appendix 2 ....................................................................................................... 129

Public Hearings ..................................................................................................... 129

x

i

Acronyms and abbreviations

AAMS Australian Apprenticeship Management System (replaced TYIMS)

ABS Australian Bureau of Statistics

ACCAN Australian Communications Consumer Action Network

ACS Australian Computer Society

AIIA Australian Information Industry Association

APP Australian Privacy Principles

APS Australian Public Service

APSC Australian Public Service Commission

ASD Australian Signals Directorate

ATO Australian Taxation Office

BAU Business As Usual

Capex Capital Expenditure

CC Centralised Computing

Code Australian Public Service Privacy Governance Code

Committee Senate Finance and Public Administration References Committee

COTA Council of the Aged Australia

CPSU Community and Public Sector Union

CSSR Child Support IT system replacement; also known as PLUTO (DHS)

Cuba Child Support IT system (DHS)

DHS Department of Human Services

DigComp European Commission Digital Competence Framework

DSS Digital Service Standard (DTA)

xii

DTA Digital Transformation Agency

DTO Digital Transformation Office

DVS Document Verification Service (Department of Home Affairs)

EPIC Elastic Private Information Cloud

FECCA Federation of Ethnic Communities Council of Australia

Gershon Report Review of the Australian Government's Use of Information and Communication Technology, by Sir Peter Gershon

Home Affairs Department of Home Affairs

HPE/DXC Hewlett Packard Enterprises

ICT Information and Communications Technology

IRAP Implementation Readiness Assessments

ISIS Income Security Integrated System

ISM Information Security Manual (ASD)

KPI Key Performance Indicator

NAB National Australia Bank

OAIC Office of the Australian Information Commissioner

OCI Online Compliance Intervention (DHS)

OCSSA Office of the Cyber Security Special Advisor (now known as the National Cyber Security Advisor)

PIA Privacy Impact Assessments

PLUTO Child Support IT system replacement; also known as CSSR (DHS)

RACGP Royal Australian College of General Practitioners

Robo-debt Online Compliance Intervention (DHS)

SAFe Scaled Agile Framework delivery model

SAN Storage Array Network

SFIA Skills Framework for the Information Age

x iii

SME Small and Medium Enterprises

TYIMS Training and Youth Internet Management System

UK United Kingdom

WPIT Welfare Payments Infrastructure Transformation

xv

Recommendations

Recommendation 1

1.35 With the increasing demands for government to improve the digital delivery of services and functions, the committee recommends that the government undertake a review of the digital, cyber and data policy functions performed across government—and then establish key digital performance measures shared and reported across departments and agencies.

Recommendation 2

1.36 The committee recommends that the success of government digital transformation should prioritise measurement of user experience—as this is likely to also drive process improvements beyond simply the application of digital technology.

Recommendation 3

1.37 The committee recommends that the government deliver an annual Ministerial Statement on Digital Transformation that reports on cross-portfolio progress to improve digital transformation, identifying leading performance in departments and agencies and also publicly explaining steps to lift performance on projects failing to meet budget or delivery expectations.

Recommendation 4

1.48 The Committee recommends that the government establish a regular timetable to independently audit ICT contracting and subcontracting arrangements to identify whether government is taking on a level of risk that is consistent with the contract price and community expectations - and to help identify or improve contracting standards or set better principles based approaches to future contracting..

Recommendation 5

1.53 The Committee recommends that departments examine project budgets to identify and eliminate unnecessary spend on contractors, consultants and external vendors. Further, it should consider developing a longer term strategy to build internal public service capability to help drive the development or in house build of digital activities regularly contracted out by government.

Recommendation 6

1.65 The committee recommends that the Australian Public Service Commissioner be tasked with developing a whole-of-government Australian Public Sector Information and Communications Technology career stream with mandated competencies and skill-sets for Information and Communications Technology professionals, government procurement officers, and Information and Communications Technology project managers.

Recommendation 7

xvi

1.66 The committee recommends that the government routinely report on how it intends to lift the number of digital apprentices and trainees that it is currently recruiting into the public service.

Recommendation 8

1.70 The committee recommends that the DTA be tasked with developing education and training initiatives to enhance the digital competency of all APS employees, including SES officers.

Chapter 1

Committee views and recommendations

1.1 Shortly before this report was tabled, the Minister Assisting the Prime Minister for Digital Transformation announced the government's ambition that '[b]y 2025, Australia would be one of the top three digital governments in the world'.1

1.2 It would be tremendous if Australia were able to achieve this. Throughout this inquiry, however, it has become clear to the committee that digital transformation is a policy area beset by soaring rhetoric and vague aspirations by government, largely unconnected to the actual policy activities actually undertaken.

1.3 This is a shame. Digital transformation represents one of the best opportunities to deliver more to those who pay for government, those who work for government, and those who government works for.

The promise of digital transformation

1.4 When considering what digital transformation means, it is tempting to draw parallels with businesses that Australians interact with in their everyday lives— businesses like streaming services, banks, or utilities.

1.5 Government does face many of the same challenges as business in undertaking digital transformation, particularly large, service-oriented businesses. The unique mission of government, however, means that digital transformation takes on special significance and takes place under different conditions.

1.6 Government interacts with more people in more ways than any single business. The services provided by government are often relied on by people in vulnerable situations. As was seen during "Robo-debt", mistakes made by government in how it delivers services can have devastating effects on individuals and their families.

1.7 Government is also much more than a mere service delivery vehicle for 'citizen-consumers'. It has policy and constitutional functions that have broad, society wide impact.

1.8 The promise of digital transformation is not just that existing information and services can be delivered through websites or apps. As observed by Mr Paul Waller in his submission to this committee, '[b]efore the internet we wouldn't have set out to transform public administration by redesigning the forms and guidance leaflets'.2

1 Hon Michael Keenan MP, Minister Assisting the Prime Minister for Digital Transformation, Delivering Australia's digital future, Media release, 13 June 2018, https://ministers.pmc.gov.au/keenan/2018/delivering-australias-digital-future (accessed 18 June 2018).

2 Mr Paul Waller, Submission 18, p. 1.

2

1.9 The promise of digital transformation is that technology will open up new policy possibilities and allow government to make a real impact in people’s lives more effectively, efficiently, and frictionlessly.

1.10 This requires more than just investment in technology. As the AIIA explained:

The efficiency of moving a service online is only realised when the business process that supports the service is re-engineered...this has still not been addressed by a range of government agencies that deliver outward-facing services to customers - while the technology is new, the underlying processes remain antiquated.3

1.11 It also applies to government activities beyond transactions. Mr Waller's submission provides a very helpful taxonomy of government functions.

3 Australian Information Industry Association, Submission 5, p. 3.

3

Table 1.1: Taxonomy of government functions4

1.12 At its best, digital transformation would involve considering the value technology can bring to each of these domains.

1.13 Government is capable of achieving this, it does a disservice to the public if it cedes the field of digital innovation, although the role government plays places some constraints on how this can occur.

1.14 People expect stability and predictability from government. It cannot meet those expectations by operating like a start-up. However, the Australian Public Service has remained relevant for over a century through innovation and responsiveness to the changing demands of government and the public. There is no reason for it to stop.

4 Mr Paul Waller, Submission 18.1, p. 13.

4

1.15 Finding the balance between these competing demands in order to realise the promise of digital transformation requires concerted leadership at a ministerial and public service level. This leadership has been lacking.

Failure of leadership

1.16 Transformation of any kind is challenging. It requires internal champions to overcome organisational inertia.

1.17 The committee recognises that there are many senior public servants across the service who have sought to drive digital transformation within their departments. They have been let down in their efforts by the lack of a champion within government as a whole.

1.18 Commenting elsewhere, former DTO CEO Mr Paul Shetler observed the following:

It's extremely difficult to get an incredibly bureaucratised, incredibly balkanised bureaucracy to decide it wants to transform itself. That's an awful lot of inertia in the systems built in…It's obviously possible to do that but you need to have strong support along the way from the ministers and the top.

I think that there has to be the ambition to [digitally transform government] and extremely importantly I think there has to be the political will to do so.5

1.19 The committee considers that the government has not demonstrated that it has the political will to drive digital transformation. This much is evidenced by the role it has given the DTA.

1.20 At the time, the reorganisation of the DTO into the DTA was presented as representing an expansion of the agency's powers. In reality, although the agency's scope of operations did increase (for instance through the acquisition of responsibility for procurement), it was less empowered to take action.

1.21 Now, two years later, the DTA performs a useful role in providing governance standards and guidance. Its contribution is muted because its role is confined to the level of assistance with discrete projects at the operational level.

1.22 Even there, its involvement is limited. At the time of its creation, it was intended to operate as a 'powerful new program management office' that would track ICT and digital projects across the whole of government, stepping in to remediate where things are not working.

1.23 In reality, it had only a minor role in the case studies examined by this committee.

1.24 The DTA is supposed to maintain a watchlist of at risk projects. However the Biometric Identification Services that was suspended this month was not on the list

5 George Nott, Paul Shetler: I quit over a philosophical clash with the Minister, CIO, 9 January 2017, available at: https://www.cio.com.au/article/print/612460/paul-shetler-quit-over-philosophical-clash-minister/ (accessed on 13 June 2018).

5

despite being a large project which was already significantly overtime and over budget.

1.25 The DTA has been sidelined in the new digital initiatives undertaken by the government. The committee heard that:

• Cyber policy will reside at the Department of Home Affairs.

• Data policy will reside at the Department of the Prime Minister and Cabinet.

• The newly created Office of the Information Commissioner is

organisationally separate from the DTA. No one in the DTA monitors whether the reported notifications by that office relates to Australian Public Service entities—agency performance in relation to security is not in its brief.

• The soon to be created Data Commissioner will be organisationally separate

from the DTA.6

1.26 Cumulatively, the evidence heard by this committee revealed an organisation that was not at the centre of government thinking about digital transformation, or responsible for the creation and enactment of a broader vision of what that transformation would look like.

1.27 Troublingly, no other organisation is.

1.28 There is a clear need for a whole-of-government vision and strategic plan for the digital transformation of government administration. The evidence is of departments and agencies in silos looking internally and focussing on their own approach to the digital delivery of their particular government service, where in many respects all are facing the same challenges.

1.29 In the absence of any central vision, individual departments (and ministers) may end up pursuing projects that run counter to the aims of digital transformation. In particular, there may be a temptation to view ICT investment solely as a way to realise efficiencies and cut costs, rather than as a mechanism for transforming government service.

1.30 The committee believes that it is a mistake to take such a narrow view. The consequences of adopting this approach can be seen in the "Robo-debt" case study. The committee found it galling that DHS officers could claim that despite the hardships it caused, the program went 'very well' because it saved the government money. For the department the impact of the program on vulnerable people seemed to be an irrelevant in its design; irrelevant in its evaluation.

1.31 The committee was told by Dr Seebeck of the DTA that:

One of the key elements of digital transformation as it was envisaged—and you can track this through the DTO to the DTA—is that focus on user centredness, which is traditionally not the way government has tended to operate. Making sure that the user

6 Committee Hansard, 7 May 2018, pp. 5-7.

6

is absolutely dead centre in terms of any work of any government department, of any proposal that comes forward, is part of that process.7

1.32 It is difficult, if not impossible, to reconcile a program like "Robo-debt" with the principles of user-centredness that the DTA is supposedly responsible for engendering throughout government.

1.33 This inconsistency is a direct product of the absence of a central vision for digital transformation. A cohesive and shared view, driven by a properly resourced and empowered department or agency, would serve to guide policy development and decision making by the bureaucracy and ministers alike.

1.34 All departments and agencies would derive significant benefit from a whole-of-government strategic plan to achieve the digital transformation of government. Ultimate responsibility for this plan should rest with a central agency that is properly invested with powers and responsibility.

Recommendation 1

1.35 With the increasing demands for government to improve the digital delivery of services and functions, the committee recommends that the government undertake a review of the digital, cyber and data policy functions performed across government—and then establish key digital performance measures shared and reported across departments and agencies.

Recommendation 2

1.36 The committee recommends that the success of government digital transformation should prioritise measurement of user experience—as this is likely to also drive process improvements beyond simply the application of digital technology.

Recommendation 3

1.37 The committee recommends that the government deliver an annual Ministerial Statement on Digital Transformation that reports on cross-portfolio progress to improve digital transformation, identifying leading performance in departments and agencies and also publicly explaining steps to lift performance on projects failing to meet budget or delivery expectations.

The reality of 'digital transformation' so far

1.38 True digital transformation is a higher aspiration. The government to date has been unable to meet even the lower objective of being able to replace aging infrastructure without major mishap.

1.39 Digital projects—rightly or not—have a reputation in the public and private sectors alike for running overtime and over-budget. Over the past five years, however, the government has overseen a litany of failures, largely unprecedented in scale and degree.

7 Dr Lesley Seebeck, Chief Investment Advisory Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p 5.

7

1.40 In November 2013, the newly elected Coalition Government initiated an audit of government ICT spending. Although there was some room for improvement, the review was largely positive about the value for money achieved for taxpayers and the nature of risk taken on by departments.

1.41 The same could not be said today. Since the last election we have seen:

• The failure of the online delivery of the 2016 Census;

• Repeated crashes of the ATO website;

• Overrun and delay in the upgrades to the Child Support Agency

infrastructure;

• Abandoning the GOV.AU redesign proposal;

• Halting the start of online NAPLAN testing; and

• Abandoning the AAMS apprenticeship platform.

1.42 Shortly before this report was tabled, the already overtime and budget Biometric Identification Services project was suspended by the Australian Criminal Intelligence Commission, with contractors escorted off the premises.

1.43 Each individual instance of failure, delay, and cost overrun can be explained by specific factors at the project level. However issues have arisen at every stage of the project lifecycle, in large and small undertakings, and across departments and agencies. The pattern of faults points to broader systemic problems.

1.44 There seems to be serious deficiencies in the way that departments contract with the private sector. Although some ICT projects are delivered on time and on budget, too often government agencies appear to have assumed a risk that is inconsistent with both the contract price and community expectations.

1.45 There are some examples of improvement. In its contractual arrangements for the WPIT project, for instance, DHS seems more willing to put its partners on risk for failure to deliver than it had been with previous projects in years earlier.

1.46 This is heartening. It is not sufficient or satisfactory, however, to have a learning curve that is half a decade long and billions in taxpayer dollars deep. Nor should each department have to go on its own voyage of discovery.

1.47 An independent audit of completed and ongoing major ICT projects would allow lessons to be drawn from the contracting (and subcontracting) arrangements entered into by departments. It would be able to identify common sources of problems, and compare the allocation and pricing of risk across projects and with best practice.

Recommendation 4

1.48 The Committee recommends that the government establish a regular timetable to independently audit ICT contracting and subcontracting arrangements to identify whether government is taking on a level of risk that is consistent with the contract price and community expectations - and to help

8

identify or improve contracting standards or set better principles based approaches to future contracting..

The cost of consultants and contractors

1.49 It has been difficult for this committee to assess the cost of ICT consultants to the government, both in relation to major projects and for business as usual (BAU) spending.

1.50 Over a number of budget estimates, members of this committee have asked for information about the whole-of-government spend on consultants. The response has been that the government does not consider it good value for money to track this spend.8 During this inquiry, members of this committee have asked for the spend on consultants to be identified in relation to specific projects, to varying degrees of success.9

1.51 The committee considers it an essential component of oversight to be able to examine whether the money spent by a department represents good value for money. Contractors are usually substantially more expensive than APS staff. They may be contracted for good reasons, or not. They may be used judiciously, or not. Without details of how much is spent it is difficult to know whether contractors are serving a valuable purpose in providing otherwise unobtainable skills and expertise, or are being used by senior public servants to outsource responsibility for outcomes.

1.52 The committee notes the ongoing inquiry being undertaken by the Joint Standing Committee on Public Accounts and Audits into the use of contractors in the APS. In light of this inquiry, the committee has refrained from making any formal recommendations about reporting requirements for government expenditure, but endorses the principle of further transparency in this regard.

Recommendation 5

1.53 The Committee recommends that departments examine project budgets to identify and eliminate unnecessary spend on contractors, consultants and external vendors. Further, it should consider developing a longer term strategy to build internal public service capability to help drive the development or in house build of digital activities regularly contracted out by government.

Building digital capability in the APS

1.54 The cost of consultants extends beyond their budgetary impact. The governments' policy of outsourcing much of its ICT capability to external vendors and contractors has led to a loss of internal capability by the APS.

8 See, for example: Senate Finance and Public Administration Legislation Committee, Budget Estimates 2018-19, Committee Hansard, 23 May 2018, p. 97.

9 See, for example: Bureau of Meteorology answers to advance questions taken on notice; Department of Human Services, Answers to questions taken on notice no. 1, 2, 6 (sent 26 March 2018.)

9

1.55 In 2015, then Communications Minister, Hon Malcolm Turnbull MP, was reported as commenting on the role of outsourcing in the APS during the Australian Financial Review's National Infrastructure Summit in Sydney:

There has been a practice for government to outsource what should be the legitimate work of the public service to consultants.

…So the public service departments just become, you know, mail boxes for sending out tenders and then receiving the reports and paying for them.

…What we have to do in government in my view is stop panning public servants and do more to ensure that they do their job better. And one of the ways to do that is to make sure they do the work that is their core responsibility, as opposed to outsourcing everything. 10

1.56 The committee thinks this sentiment is commendable, and calls upon the Prime Minister to put it into practice.

1.57 Digital work should be considered part of the "core responsibility" of the public service. It is no longer possible—if it ever was—to think of ICT and digital as adjacent or subsidiary to the proper work of government. Digital delivery and applications are an increasingly significant part both of departments' internal processes, and their interactions with the general public and end users.

1.58 The committee is concerned that the APS is unable to do much of this work. On its current trajectory, the APS risks becoming exclusively a cadre of generalist managers who no longer have the requisite policy and technical skills to conduct the business of government.

1.59 The committee recognises that ICT is a specialised area. It is not always possible or prudent for every department to house every required skill on a full time, ongoing basis. However, it is also not possible or prudent to view ICT expertise as the exclusive and proper preserve of the private sector.

1.60 At a minimum, a level of ICT expertise is required to be able to understand a project's digital needs and properly shape the department's exposure to risk and reliance on contractors. The committee is not convinced, for instance, that either the ATO or the ABS were fully cognisant of the risks they were taking on in the contractual arrangements that led to the ATO outages and the online census failure respectively.

1.61 The evidence to this committee, however, was that there are significant efficiencies in departments having more than just this minimum level of in-house expertise. The testimony of the Department of Human Service's acting Chief Information Officer is instructive in this regard. When discussing changes in the department's approach to large ICT projects, Mr McHardie explained:

10 Emphasis added. Alan Mitchell, 'Time to end outsourcing and rebuild the public service', Australian Financial Review, 14 July 2015, http://www.afr.com/opinion/columnists/time-to-end-outsourcing-and-rebuild-the-public-service-20150612-ghmrje (accessed 22 June 2018).

10

Mr McHardie: I think a lot of it is the experience we have now within the department of doing custom development work on the core SAP platform. We have just under 500 public servants within the department that are now qualified, now certified, as SAP professionals, whether they're enterprise architects or developers or testers.

CHAIR: And that's different to where you were at, say, in 2013?

Mr McHardie: Correct. Remember we talked about the outsourced approach?

CHAIR: Yes.

Mr McHardie: We now have a lot more control of our destiny, particularly when we need to do work on core products such as SAP.

CHAIR: It sounds like it's been more effective. You said that you have more control of your own destiny. What about the cost impacts of moving to an in-house solution?

Mr McHardie: The overall cost profile of the program hasn't changed for us. John, you may want to talk about—

CHAIR: Mr McHardie, it's not so much about the program. If you were to compare the input costs for projects back in 2013, when you were more reliant on external providers to deliver these interactions with these big platforms, and where you are now, where you've got 500 people who are accredited and on staff, does that produce a different set of cost drivers when you're scoping up a project for the future?

Mr McHardie: I think it does in the initial costings that are put together for projects, particularly when there are government directed activities, where government is looking at a range of solutions that it could roll out to meet legislative change or new legislative policy, or when replacing large elderly legacy systems. We understand these products so much better now, and with us doing the in-house build we're able to cost up those bodies of work much more effectively.

CHAIR: So you're a more informed buyer when you do go externally, but you're also able to deploy internal labour to drive down cost?

Mr McHardie: Correct.11

1.62 The committee commends this change, however there is further to go in both deepening the extent of expertise within DHS, and replicating this approach across other departments.

1.63 The government should invest in the development of a workforce that is capable of delivering digital outcomes. As noted by the former head of the DTO, Mr Paul Shetler, in his evidence to this committee:

In my time at DTO, I saw dedicated public servants doing their best to help Australians, but often failing because of a shortage of digital skills. Instead

11 Committee Hansard, 23 March 2018, pp. 49-50. Emphasis added.

11

of providing digital training to public servants, too often we've outsourced IT to large international technology vendors and consultants.12

1.64 A decade ago, the Gershon review recommended the creation of a whole of government ICT career structure. This recommendation is even more pertinent today.

Recommendation 6

1.65 The committee recommends that the Australian Public Service Commissioner be tasked with developing a whole-of-government Australian Public Sector Information and Communications Technology career stream with mandated competencies and skill-sets for Information and Communications Technology professionals, government procurement officers, and Information and Communications Technology project managers.

Recommendation 7

1.66 The committee recommends that the government routinely report on how it intends to lift the number of digital apprentices and trainees that it is currently recruiting into the public service.

1.67 Digital expertise should not be siloed in a particular career stream. Submitters such as the CPSU have suggested programs to ensure that the APS as a whole (including senior decisions makers) is able to engage with the digital work of government.

1.68 These suggestions include:

• Creating an expert-in-residence programme to engage private sector exports on secondment.

• Establishing a Digital Academy, modelled on the United Kingdom's Academy, to offer intensive in-person training for SES officers and online learning modules for all APS staff.

• Creating an internal accreditation system, so that digital skills can be recognised across the APS.

• Providing the necessary commercial training in negotiation skills, contract design and management including re-negotiation of contracts as required, so that the APS takes over the role of the integrator—from waterfall to agile

1.69 This is a necessary and appropriate continuation of the process of innovation that has enabled the APS to remain relevant and effective for over a century.

Recommendation 8

1.70 The committee recommends that the DTA be tasked with developing education and training initiatives to enhance the digital competency of all APS employees, including SES officers.

12 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 16.

12

Report Structure

1.71 The following chapters explain the background to the inquiry, and summarise the evidence received by the committee.

1.72 The remainder of the report is structured as follows:

• Chapter 2 outlines context and administrative details of the inquiry.

• Chapter 3 explores perspectives on what constitutes ‘digital transformation’

• Chapter 4 considers the challenges endemic to undertaking digital

transformation.

• Chapter 5 considers whole-of-government policy issues.

• Chapter 6 examines four separate case studies that illustrate the challenges agencies face in transitioning to the digital delivery of government services.

Chapter 2

Background and context

Referral 2.1 On 16 August 2017, the Senate referred the following matter to the Senate Finance and Public Administration References Committee (the committee) for inquiry and report by 4 December 2017:

Digital delivery of government services, with particular reference to:

(a) whether planned and existing programs are able to digitally deliver services wit

h due regard for:

(i) privac

y,

(ii) securit

y,

(iii) qualit

y and reliability, and

(iv) value for money;

(b) strategie

s for whole of government digital transformation;

(c) digital pr

oject delivery, including:

(i) project governance,

(ii) design and

build of platforms,

(iii) the adequac

y of available capabilities both within the public sector and externally, and,

(iv) procure

ment of digital services and equipment; and

(d) an

y other related matters.1

2.2

The Senate was granted an extension of time for reporting until 26 June 2018.2

Overview 2.3 The digital delivery of government services represents a major change in the way government administration has traditionally interacted with citizens. The opportunities provided by the technology are countered by significant challenges.

2.4 This chapter provides the current context for the inquiry, starting with the Gershon Report into the government's delivery of digital services undertaken in 2008, which provided recommendations for a governance framework. The Chapter also covers recent incidents where the government has failed to meet community expectations in undertaking a transformation to digital modes of delivery.

1 Journals of the Senate, No 54—Wednesday, 16 August 2017, p. 1732-1733.

2 Journals of the Senate, No 68—Monday, 13 November 2017, p. 2191; Journals of the Senate, No 84—12 February 2018, p. 2666; Journals of the Senate, No 95—8 May 2018.

14

Previous inquiries into government ICT

The Gershon Report

2.5 In April 2008, the Minister for Finance and Deregulation, the Hon. Lindsay Tanner, MP, engaged Sir Peter Gershon CBR FREng to lead an independent review of the Australian Government's use and management of information and communication technology (ICT).3

2.6 The key findings of the Review of the Australian Government's Use of Information and Communication Technology (the Gershon Report) focussed on issues of governance, capability, ICT spend, skills, data centres and sustainable ICT. The heart of the Gershon Reports's findings was that sub-optimal outcomes for the digital delivery of government services was as a result of weak governance of ICT at a whole-of-government level and very high levels of agency autonomy.

2.7 The Gershon Report noted that sustainable change needed leadership at the top levels to bring about cultural change, and funding of the enablers of change—one such enabler being to identify those with the appropriate level of skills:

My recommendations involve a major program of both administrative reform of, and cultural change from, a status quo where agency autonomy is a longstanding characteristic of the Australian Public Service. Based on my experience of creating sustainable change in the United Kingdom public sector environment, there are two critical requirements which will determine the success of this reform program: firstly, sustained leadership and drive at Ministerial and top official levels and, secondly, ensuring the enablers of change are properly resourced, not only in funding terms but also with skills of the right calibre.4

2.8 At the time the Hon Lindsay Tanner MP said the Gershon Report would provide a new model for the effective and efficient use of ICT within the Australian government, with the rebalancing of the currently highly-decentralised ICT administration in Commonwealth departments and agencies. Minister Tanner also said the focus would be on efficient and effective ICT expenditure and management, and that the government would reduce the number of ICT contractors by 50 per cent phased in over 2009-2011, commenting that ICT Review Teams would work with

3 Department of Finance archived record: Review of the Australian Government's Use of Information and Communication Technology, by Sir Peter Gershon CBE FREng: https://www.finance.gov.au/archive/publications/ICT-Review/ (accessed on 18 April 2018).

4 Sir Peter Gershon CBE FREng, Review of the Australian Government's Use of Information and Communication Technology, August 2008, p. iii-iv. https://www.finance.gov.au/sites/default/files/Review-of-the-Australian-Governments-Use-of-Information-and-Communication-Technology_0.pdf (accessed on 18 April 2018). Sir Peter Gershon is a former Chief Executive of the UK Treasury who undertook a similar review on behalf of the UK government in 2003-2004.

15

agencies to deliver reductions to agency 'business as usual' (BAU) ICT budgets, saving around $400 million annually once fully implemented.5

2.9 The government later extended the timeframe for the reduction of ICT contractors within the Australian Public Service (APS) from two years to three, to allow for the bulk of the reductions to occur after the development of a strategic ICT workforce plan and whole-of-government ICT career pathway.6

Audit of Australian Government ICT

2.10 In November 2013, the newly elected Coalition Government initiated an audit across all government departments and agencies focussing on spending, capital expenditure (capex) and outcomes achieved—Audit of Australian Government ICT.

The audit was in support of the government's e-Government and Digital Economy policy agenda.7 The objectives of the audit were:

• To assess the extent to which the government’s investment in ICT, over the

last three years (2010-11, 2011-12 and 2012-13), has achieved value for money.

• To make recommendations for improvement, with the aim of optimising

outcomes from existing and future investments.8

2.11 The Department of Finance contracted a private sector consultant to conduct a desk review of ICT Benchmarking results and other relevant data holdings, and to identify options for government to derive better value for money from its ICT Business as Usual (BAU) spending.

2.12 The audit found that the value for money from BAU investment across the APS as a whole was reasonable, but that there is room for further improvement.9

5 Alan Coleman, 'Gershon ICT review to be implemented "in full"', Government News, 25 November 2009; https://www.governmentnews.com.au/2008/11/gershon-ict-review-to-be-implemented-in-full/ (accessed on 18 April 2018).

6 Department of Finance Archive, Review of the Government's Use of Information and Communication Technology, Publication Summary, https://www.finance.gov.au/archive/publications/ICT-Review/ (accessed 18 April 2018).

7 Department of Finance, Audit of Australian Government ICT Public Report, December 2014, released under the Freedom of Information Act 1982, FOI15/124 Document 1, p. 3, available at: https://www.finance.gov.au/sites/default/files/FOI%2015-124%20Document.pdf (accessed 13 June 2018.

8 Department of Finance, Audit of Australian Government ICT Public Report, December 2014, released under the Freedom of Information Act 1982, FOI15/124 Document 1, p. 3, available at: https://www.finance.gov.au/sites/default/files/FOI%2015-124%20Document.pdf (accessed 13 June 2018.

9 Department of Finance, Audit of Australian Government ICT Public Report, December 2014, released under the Freedom of Information Act 1982, FOI15/124 Document 1, pp. 4, 5, available at: https://www.finance.gov.au/sites/default/files/FOI%2015-124%20Document.pdf (accessed 13 June 2018.

16

2.13 The audit also involved a review of the status and outcomes of 31 major ICT-enabled projects underway during the past three years and that met the ICT Two Pass Review process criteria. These projects included 23 projects underway at the time of the audit, and eight completed projects.

• The audit analysis indicated that the majority of the 31 projects reviewed generally had appropriate governance and risk management mechanisms in place, but that there was scope for improvement in monitoring and tracking benefits, particularly during and after project implementation.

• There was concern that workforce issues such as skills shortages could pose

risk to project delivery, and that agencies needed to more proactive in managing resources, and to take a more critical approach when analysing and treating workforce risk. Managing workforce risk at a whole-of-government level, as well as at agency level, would likely lead to better project outcomes.10

2.14 The audit noted the APS’s adoption of digital channels had seen strong growth in online and mobile services. Over the period of this analysis, the APS had substantially increased the range and penetration of online services to customers, all of which were supported by BAU investment.

The history of the Digital Transformation Agency

The Digital Transformation Office

2.15 On 23 January 2015, a joint statement by the then Prime Minister, Hon. Tony Abbott MP, and the then Minister for Communications, the Hon. Malcolm Turnbull MP announced the establishment of a Digital Transformation Office (DTO) within the Department of Communications so that government services could be delivered digitally:

The DTO will comprise a small team of developers, designers, researchers and content specialists working across government to develop and coordinate the delivery of digital services. The DTO will operate more like a start-up than a traditional government agency, focussing on end-user needs in developing digital services.11

2.16 On becoming Prime Minister in September 2015, Hon Malcolm Turnbull announced that the DTO would be transferred to the Prime Minister and Cabinet portfolio. The Prime Minister, who had secured $255 million to implement an

10 Department of Finance, Audit of Australian Government ICT Public Report, December 2014, released under the Freedom of Information Act 1982, FOI15/124 Document 1, pp. 4, 6. available at: https://www.finance.gov.au/sites/default/files/FOI%2015-124%20Document.pdf (accessed 13 June 2018.

11 Media Release: Joint Statement the Hon. Tony Abbott, MP, Prime Minister and the Hon Malcolm Turnbull MP, Minister for Communications Establishment of a Digital Transformation Office, 23 January 2015, available at: https://www.malcolmturnbull.com.au/media/digital-transformation-office-to-make-it-easier-to-connect (accessed 13 June 2018).

17

electronic service delivery agenda in the May 2015 budget, drove the establishment of the DTO, which was modelled on the UK’s government Digital Service.12

The creation of the Digital Transformation Agency

2.17 The DTO was replaced by the Digital Transformation Agency (DTA) in October 2016.

2.18 Unlike the DTO, the DTA was not empowered to act as a start-up. Acting CEO Ms Nerida O’Laughlin explained the difference to this committee in an estimates session in February 2017:13

The DTO was there to be a disruptor, to think about things differently, to go into agencies and challenge them…

It was a confined role to transforming government digital services and service delivery. It was quite a different role to what I see as my role and the broader role of the organisation. Of course when you are going in and trying to disrupt people you get push back. DTO did quite a considerable amount of work, really good work, with departments and agencies around things like exemplar projects, of which they delivered any number. I expect the experience was varied, but in the time I have been in this role I have found strong cooperation across departments and agencies.

2.19 The DTA acquired additional functions. It continued the capability building, design and delivery roles of the former DTO, but the DTA's remit was been significantly broadened to include whole-of-government ICT policy, strategy and procurement, as well as the creation of a new whole-of-government assurance function.14

2.20 The DTA's first tasking was to review all significant government ICT projects to provide greater transparency and oversight of the government's $6.2 billion in annual ICT expenditure. The DTA ws expected to bring specific expertise in user centred design, technology and delivery to departments' and agencies' ICT projects, and to provide government with greater assurance that agencies are making the right technology choices. Furthermore, the projects should contribute to its transformation agenda and deliver real benefits.15

12 Paris Cowan, Turnbull refuses to let go of DTO Turnbull refuses to let go of DTO: Takes pet agency with him to PM&C, itnews, 22 September 2015 at 9.35 AM, available at: https://www.itnews.com.au/news/turnbull-refuses-to-let-go-of-dto-409453 (accessed 13 June 2018).

13 Ms Nerida O'Loughlin, Interim Chief Executive Officer, Digital Transformation Agency, Official Estimates Hansard, Monday 27 February 2017, pp. 194-195. 14 Ms Nerida O'Loughlin, Interim Chief Executive Officer, Digital Transformation Agency, Official Estimates Hansard, Monday 27 February 2017, p. 184.

15 Dr Steven Kennedy, Deputy Secretary, Innovation and Transformation, Department of the Prime Minister and Cabinet, Official Estimates Hansard, 27 February 2017, p. 185.

18

The DTA’s current role

2.21 At the committee hearing in Canberra on 21 March 2018, Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office, DTA, advised the committee that the DTA has an oversight and advisory role. It has oversight of all ICT projects worth greater than $10 million that are either being developed, or that are going through a significant transition, or that provide a service that affects a significant number of Australians. The DTA will also become involved where it has been specifically asked to help build capability. Dr Seebeck stated that the DTA does not get involved with everyday expenditure and resourcing of ICT operations across government, including outages:

We see these as matters before business owners. Similarly, with the delivery of projects, we're there to assist, help and guide, but essentially, accountability lies with the agencies themselves.16

2.22 At the hearing in Canberra on 7 May 2018, the DTA further clarified its role. Dr Seebeck advised the committee of the transfer of the DTA's internal cyber security team to ACSC as part of the government's machinery of government changes. The DTA's role in cyber security will be to ensure departments' and agencies' project proposals take account of good cyber security practices.17

2.23 Dr Seebeck further advised that the DTA has no formal interface between the DTA and the Office of the Australian Information Commissioner, and similarly the DTA has no role in data policy or in access to government data.18 Mr Peter Alexander, Chief Digital Officer, DTA, advised that the DTA's interest in data is in its management of the government's data sharing website, data.gov.au, and in looking at how data can better serve citizens and business.19 Dr Seebeck advised one of the key elements of the DTA is the focus on user centredness, 'which is traditionally not the way government has tended to operate'.20 Mr Alexander stated:

Going to your question, and building on Dr Seeback's point, we are absolutely focused on users of government services; that is kind of the mission of the Digital Transformation Agency. And it really is the mission of digital transformation to think about the end user of a particular service. That is the purpose of government—to serve the people of Australia, to serve the businesses of Australia, to defend Australia, to protect our borders

16 Dr Lesley Seebeck, Chief Investment Officer and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 9.

17 Dr Lesley Seebeck, Chief Investment Officer and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 4.

18 Dr Lesley Seebeck, Chief Investment Officer and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 4.

19 Mr Peter Alexander, Chief Digital Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 5.

20 Dr Lesley Seebeck, Chief Investment Officer and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 5.

19

or whatever it might be…So our strategic input and our engagement with agencies is to have them think about the way they are doing their business and to guide them, build their skills and partner with them…

To build on the [DTA CEO's] earlier point about platforms: we are thinking about the way we deliver, duplication across agencies and how we make space for better transformative thinking by taking away some of the more operational business of government. Platforms around identity, around notifications—things we do in our service delivery space. Payments— regularly. How do we build those into a common platform so that agencies then can build excellence in their services and transform them to solve the problems of their users rather the problems of the structure of government? We are doing a lot of work in that space with all the big service delivery agencies and exemplars with lots of smaller agencies as well. So we're absolutely in that strategic space. That guides the work we do. We apply security as built-in practice. The way we use data and the way we apply privacy principles is absolutely core to that.21

2.24 Mr Randall Brugeaud, Acting Chief Executive Officer, DTA, advised the committee that its role has evolved to be more expansive than that originally envisaged for the DTO:

I would say that the accountabilities of the DTA are actually broader than those of the original DTO. Given the recent machinery of government changes, the DTA now has accountability for a range of capability programs, entry level programs and mentoring. It also now has accountability for whole of government coordinated procurement— administration of existing panel arrangements to move to a more strategic and consolidated footing. Investment management and providing advice on these major programs is also an important role for the DTA. The traditional digital delivery, the platforms, and doing common things in common ways and providing those central platforms for government, are still within the set of accountabilities that sit with the DTA.22

Leadership

2.25 The digital transformation portfolio has gone through a number of changes in responsibility.

2.26 Senator the Hon Mitch Fifield was the Minister Assisting the Prime Minister for Digital Government from 21 September 2015 until 18 February 2016. He was replaced by Hon Angus Taylor MP, as the Assistant Minister for Cities and Digital Transformation from 19 February 2016 until 20 December 2017. He was replaced by the now incumbent Hon Michael Keenan MP, the Minister Assisting the Prime Minister for Digital Transformation on 20 December 2017.

21 Mr Peter Alexander, Chief Digital Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 6.

22 Mr Randall Brugeaud, Acting Chief Executive Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 5.

20

2.27 The DTO/DTA has also undergone significant leadership turnover. Mr David Hazelhurst served as interim CEO of the DTO from its creation until July 2015. Mr Paul Shetler, previously the head of Britain's Government Digital Service, was head hunted by Mr Turnbull in his previous capacity as Minister for Communications to act as CEO of the DTO. Mr Shetler commenced his role with the DTO in July 2015, but resigned shortly after being demoted to the role of Chief Digital Officer when the DTO was replaced by the DTA.23

2.28 Ms Nerida O'Loughlin, a career public servant, replaced Mr Shetler as CEO of the revamped DTA.24 On 5 April 2017, the Assistant Minister for Cities and Digital Transformation, Hon Angus Taylor MP announced the appointment of Mr Gavin Slater, as the new CEO of the DTA. Mr Slater was previously a member of the Group Executive Team of the National Australia Bank (NAB) responsible for digital transformation across the NAB's customer service businesses. Mr Slater replaced Ms O'Loughlin.25

2.29 On 22 June 2018, Mr Slater announced that he would be stepping down at the end of the month after less than a year and half in the role. He will be replaced by Mr Randall Brugeaud. Mr Brugeaud is currently the Chief Operating Officer of the Australian Bureau of Statistics. He served as acting CEO of the DTA for a period earlier this year when Mr Slater took leave to undertake a management course at Harvard.

Recent Incidents 2.30 The current inquiry has arisen in response to a number of serious incidents where different government departments and agencies have suffered significant failures in their ICT systems which have had a direct and detrimental impact on the Australian public.

2.31 Though diverse in their nature, the incidents all have in common underlying infrastructure and design fragility of their digital systems. These failures have the potential to cause harm to individuals as well as to undermine the public's trust in the Australian government's capacity to transition to a digital administration and economy.

23 Jenny Wiggins, Why Malcolm Turnbull's digital transformation guru Paul Shetler had to quit, Australian Financial Review, 27 January 2017 at 4.00PM, available at: http://www.afr.com/business/turnbulls-digital-public-service-appointee-paul-shetler-on-what-went-wrong-20170124-gtxhjd (accessed on 13 June 2018).

24 Noel Towell, Digital Transformation Agency boss Paul Shetler resigns, 20 November 2016, 7.16 pm, available at: https://www.smh.com.au/public-service/digital-transformation-agency-boss-paul-shetler-resigns-20161130-gt0tot.html (accessed on 13 June 2018).

25 Department of the Prime Minister and Canbinet, Appointment of CEO of the Digital Transformation Agency, media release, 5 April 2017, available at: https://ministers.pmc.gov.au/taylor/2017/appointment-ceo-digital-transformation-agency (accessed 14 June 2018).

21

2.32 The following is a brief summation of four case studies and other incidents. The case studies are examined more fully in Chapter 4.

Australian Taxation Office 'outages'

2.33 In December 2016 and February 2017, the Australian Taxation Office (ATO) experienced a series of 'unplanned systems outages' due to hardware failure of its Storage Array Network (SAN).26

2.34 In mid-2017, the Australian National Audit Office (ANAO) undertook a performance review of the ATO. The ANAO found that the ATO's responses to the system failures and unscheduled outages were largely effective, this being despite inadequacies in the ATO's business continuity management planning relating to critical infrastructure.

2.35 The ANAO found that the ATO does not have service commitments specifically relating to the availability of ICT systems but does specify system outage tolerances in its major contracts with ICT service providers. To monitor the impact of ICT service outages on satisfaction with its services, the ANAO recommended the ATO develop service standards that are aligned with system outage tolerances in its contracts with ICT service providers.27

Department of Human Service—'robo-debt'

2.36 In July 2016 the Department of Human Services' (DHS) Online Compliance Intervention (OCI) program experienced significant public criticism when welfare debt recovery letters based on data matched and data mined information provided by the ATO were automatically generated (colloquially called 'robo-debt').28

2.37 This incident was subject to two separate inquiries. In June 2017, the Senate Community Affairs References Committee published a report, Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System initiative. The wide-ranging report resulted in 21 separate recommendations for the better management of the debt recovery processes. The Senate committee's central finding was that the OCI program's design

26 Australian Taxation Office, Submission 9, pp. 3 and 5; Community and Public Sector Union (PSU Group), Submission 16, p. 13.

27 Australian National Audit Office Report No 29 of 2017-2018, 20 February 2018, pp. 7-8, https://www.anao.gov.au/work/performance-audit/unscheduled-taxation-system-outages (accessed on 18 April 2018).

28 Department of Human Services, Submission 13, p. 12; Commonwealth Ombudsman, Centrelink's automated debt raising and recovery system, Report No 02/2017, April 2017 Submission 12, p. 1; Community and Public Sector Union (PSU Group), Submission 16, p. 15.

22

was flawed by a fundamental lack of procedural fairness, a flaw which filtered throughout the OCI debt recovery process.29

2.38 In April 2017, the Commonwealth Ombudsman published its report into the robo-debt incident. The Commonwealth Ombudsman found the OCI to be a complex automated system, the design and implementation of which failed to sufficiently mitigate risk by involving customers and external stakeholders in the design and testing stages.30 Similar to the Senate committee's findings, the Commonwealth Ombudsman noted the requirement that automated decision making systems be consistent with the administrative law values of lawfulness, fairness, rationality, openness, transparency and efficiency, as set out in the Australian Government, Better Practice Guide on Automated Assistance in Administrative Decision-Making (February 2007).31

Department of Human Service's—'sale of Medicare card numbers on the darkweb'

2.39 On 4 July 2017 The Guardian Australia reported that a darknet trader had been selling Medicare patient's card details 'on request', and had sold at least 75 records since October 2016 by 'exploiting a vulnerability' in the government system.32 Medicare cards have a primary function of being a means to claim medical benefits. However, Medicare card numbers have a secondary function as one form of proof of identity under the Document Verification Service scheme adopted by the

29 Senate Community Affairs References Committee, Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System initiative, June 2017, p.119, https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/Soci alWelfareSystem/Report (accessed on 18 April 2018).

30 Commonwealth Ombudsman, Centrelink's automated debt raising and recovery system: A Report About the Department of Human Services Online Compliance Intervention System for Debt Raising and Recovery, April 2017, http://www.ombudsman.gov.au/__data/assets/pdf_file/0022/43528/Report-Centrelinks-automated-debt-raising-and-recovery-system-April-2017.pdf (accessed on 18 April 2018).

31 Australian Government, Better Practice Guide on Automated Assistance in Administrative Decision-Making (February 2007), https://www.oaic.gov.au/images/documents/migrated/migrated/betterpracticeguide.pdf (accessed on 7 May 2018).

32 Paul Farrell, 'The Medicare machine: patient details of "any Australian" sold on darknet', The Guardian Australia, https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet, (accessed 15 August 2017). The 'darknet' is the World Wide Web content that exists on overlay networks which use the internet, but which require specific software configurations or authorisations to access. Due to the high level of encryption websites are not able to track the location and IP of the users, just as the users are not able to get this information about the host. The regular internet is called the 'clearnet' because it does not use encryption.

23

Australian Government to combat financial fraud. The Medicare card is accepted as one form of proof identity, and can therefore be a means of appropriating identity. 33

2.40 On 9 August 2017, the Senate Finance and Public Administration References Committee referred the issue of the compromised Medicare card incident for inquiry and report by 16 October 2017. The committee remarked that it was concerned that the Medicare card numbers security breach came to light through a media organisation investigation rather than the department, and that DHS had failed to promptly notify affected individuals once the breach had been identified. The committee did not comment further in light of DHS's referral of the security breach to the Australian Federal Police.34

2.41 The issue of potential identity fraud arising from stolen Medicare card numbers had previously been raised at the Senate Community Affairs Legislation Committee's Senate Estimates hearing on 22 October 2015.35 At the hearing the DHS confirmed 369 instances of possible identity theft from individuals; a small number of instances arose in 2014, with the remainder occurring progressively over the first half of 2015.

2.42 On 10 July 2017, Dr Peter Shergold, a former Secretary at the Department of the Prime Minister and Cabinet, led an independent review to examine access by health professionals to Medicare card numbers by using the Health Professional Online Services system or by telephoning DHS. The review found that while there had been no risk to patients' health records as a result of the reported sale of the Medicare card numbers, it noted that inappropriate access to Medicare card numbers might reduce public confidence in the security of government information holdings, such as the My Health Record system.36

33 The Document Verification Service (DVS), managed by the Department of Home Affairs, is a system that allows organisations, including businesses with a reasonable need to use a government identifier, to take information from a person's identity document with the person's consent, and compare that record against the corresponding record of the document's sponsoring agency. The checks are conducted in real-time to inform decisions that rely on the confirmation of a person's identity. The DVS is a key tool for organisations that are seeking to prevent dealings with any person who may be using fraudulent identities. See: https://www.dvs.gov.au/How-the-DVS-works/Pages/default.aspx (accessed on 31 May 2018).

34 Senate Finance and Public Administration References Committee, Circumstances in which Australian's personal Medicare information has been compromised and made available for sale illegally on the 'dark web', October 2017, https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Finance_and_Public_Ad ministration/medicareinformation/Report,

35 Community Affairs Legislation Committee, Proof Committee Hansard, Estimates, 22 October 2015, pp. 108-110.

36 Professor Peter Shergold AC, Final Report: Independent Review of Health Provider's Access to Medicare Card Numbers, September 2014, p. 2. https://www.humanservices.gov.au/organisations/health-professionals/subjects/independent-review-health-providers-access-medicare-card-numbers (accessed on 31 May 2018).

24

2.43 The review made 14 recommendations for immediate practical improvements to the security of Medicare card numbers. The report noted that because the Medicare card can be used to help verify an identity, it is therefore susceptible to theft for identity fraud and other illicit activities. Illegally obtained Medicare card numbers could also potentially be used for fraudulent Medicare claims or to enable ineligible individuals to access Medicare funded health services.37

Department of Human Services—child support replacement system

2.44 In 2013, the government began the process to replace the ageing child support IT system known as Cuba. This system processes payments of '$3.5 billion from separated parents to financially support the welfare of over 1.2 million children'.38 From the very start of this process, a number of flags were raised, with concerns about the adequacy of the tendering process and whether sufficient time was being allocated to build the replacement system and migrate customer information.

2.45 The delivery date of mid-2016 passed with the replacement known as PLUTO not complete. Finally, the project was delivered in mid-2017; however, a significant number of faults were identified with the new system. In early 2018, the Community Affairs Committee were told that although PLUTO was now operational, a significant number of functions were still being undertaken in the old Cuba system. The effect being that some information was being entered twice. Instead of a new replacement system, it appears that DHS has ended up with a hybrid system that has created more work for staff and is less reliable than the original system.

Australian National Audit Office Cyber Security Follow-up Report.

2.46 In June 2014, the ANAO Report No. 50 2013-14, Cyber Attacks: Securing Agencies' ICT Systems was tabled in Parliament. The report examined seven Australian Government entities' and their implementation of the mandatory strategies in the Australian Government Information Security Manual (Top Four mitigation strategies). The Top Four mitigation strategies are:

• application whitelisting: designed to protect against unauthorised and malicious programs executing on a computer. This strategy aims to ensure that only specifically selected programs can be executed;

• patching applications: applying patches to applications and devices to ensure the security of systems;

• patching operating systems: deploying critical security patching to operating systems to mitigate extreme risk vulnerabilities; and

• minimising administrative privileges: restricting administrative privileges provides an environment that is more stable, predictable, and easier to

37 Professor Peter Shergold AC, Final Report: Independent Review of Health Provider's Access to Medicare Card Numbers, September 2014, p. 10. https://www.humanservices.gov.au/organisations/health-professionals/subjects/independent-review-health-providers-access-medicare-card-numbers (accessed on 31 May 2018).

38 Department of Human Services, Submission 13, p. 14.

25

administer and support as fewer users can make changes to their operating environment.39

2.47 The audit found that none of the seven entities was compliant with the Top Four risk mitigation strategies and none was expected to achieve compliance by the Australian Government's target date of 30 June 2014.40

2.48 On 24 October 2014, the Parliamentary Joint Committee of Public Accounts and Audit held a public hearing to examine Report No. 50. Three of the seven audited entities—the ATO, DHS, and the Department of Home Affairs (Home Affairs41)— appeared before the hearing to explain their plans and timetables to achieve compliance with the 'Top Four' mitigation strategies. Each of these major Australian Government agencies are significant users of technology. All three agencies collect, store and use data, including national security data and personally identifiable information that can be used to identify, contact, or locate an individual such as date of birth, bank account details, driver’s licence number, tax file number and biometric data. 42

2.49 Each of the three agencies gave assurances to the Joint Committee of Public Accounts and Audit that compliance with the Top Four mitigation strategies would be achieved during 2016.43

2.50 The ANAO assessed that, of the three entities, only DHS was compliant with the Top Four mitigation strategies. DHS also accurately self-assessed its compliance against the Top Four mitigation strategies and met its commitment to the Joint Committee of Public Accounts and Audit of achieving compliance during 2016.44

2.51 Similarly, of the three agencies, only DHS was classed as cyber resilient. Cyber resilience is the ability to continue providing services while deterring and

39 Australian National Audit Officer Report, Cyber Attack: Cyber Attacks: Securing Agencies' ICT System, ANAO Report No. 50 2013-14, published on 24 June 2014, p. 14. https://www.anao.gov.au/sites/g/files/net4181/f/AuditReport_2013-2014_50.pdf

40 Australian National Audit Officer Report, Cyber Attack: Cyber Attacks: Securing Agencies' ICT System, ANAO Report No. 50 2013-14, published on 24 June 2014, p. 17. https://www.anao.gov.au/sites/g/files/net4181/f/AuditReport_2013-2014_50.pdf

41 Formerly the Australian Customs and Border Protection Service which became part of the Department of Immigration and Border Protection.

42 Joint Committee of Public Accounts and Audits, Review of the Auditor-General's reports Nos 42, 43, 48, 50 and 52, (2013-14), Official Committee Hansard, 24 October 2014, https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audi t/Review_of_Auditor-Generals_Reports_32-54_2013-14 (accessed 4 June 2018).

43 Joint Committee of Public Accounts and Audits, Review of the Auditor-General's reports Nos 42, 43, 48, 50 and 52, (2013-14), pp. 14-23, Official Committee Hansard, 24 October 2014, https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audi t/Review_of_Auditor-Generals_Reports_32-54_2013-14 (accessed 4 June 2018).

44 The Auditor General, ANAO Report No 42 2016-2017, Cyber Security Follow-up Audit, pp. 7-8, https://www.anao.gov.au/sites/g/files/net4181/f/ANAO_Report_2016-2017_42.pdf (accessed on 19 April 2018).

26

responding to cyber-attacks. Cyber resilience also reduces the likelihood of successful cyber- attacks. To progress to being cyber resilient, the ANAO found that both the ATO and Home Affairs needed to improve their governance arrangements and prioritise cybersecurity. 45

Australian Bureau of Statistics eCensus denial of service

2.52 On 9 August 2016, the Australian Bureau of Statistics (ABS) closed the 2016 Australian Census of Population and Housing (eCensus) form to new submissions by the public due to four separate instances of distributed denial of service resulting from a failed geoblocking strategy.46 The Office of the Cyber Security Special Adviser (OCSSA) published a report on the cyber security issues arising from the e-census cyber incident. The executive summary made the following observation:

The Australian Government's new paradigm of online engagement and services for Australians is not coming. It's already here.

Government’s response to the eCensus events of 9 August 2016 provides an opportunity to change the conversation about cyber security: to one of trust and confidence in the government’s digital transformation agenda, where 'digital first' is the overwhelming preference for Australians, underpinned by tangible security and adherence to privacy.

The 2016 eCensus tells us that more of the same is not enough: there is a new imperative to embrace cyber security as a core platform for digital transformation. And when we make the necessary changes we will increase the chance to deliver on the promise of Australia's Cyber Security Strategy, to strengthen trust online and better realise Australia’s digital potential.47

Department of Home Affairs

2.53 In November 2014, Home Affairs inadvertently published a database containing detailed sensitive personal information of approximately 10 000 asylum seekers on its website, where it remained publicly available for eight days. The

45 The Auditor General, ANAO Report No 42 2016-2017, Cyber Security Follow-up Audit, pp. 7-8, https://www.anao.gov.au/sites/g/files/net4181/f/ANAO_Report_2016-2017_42.pdf (accessed on 19 April 2018).

46 Special Adviser to the Prime Minister on Cyber Security, (now the National Cyber Security Adviser) Review of the Events Surrounding the 2016 eCensus: Improving Institutional cyber security culture and practices across the Australian Government, 13 October 2016, p. 3, http://parlinfo.aph.gov.au/parlInfo/download/publications/tabledpapers/a41f4f25-a08e-49a7-9b5f-d2c8af94f5c5/upload_pdf/Review%20of%20the%202016%20eCensus%20-%20final%20report.pdf;fileType=application%2Fpdf#search=%22publications/tabledpapers/a4 1f4f25-a08e-49a7-9b5f-d2c8af94f5c5%22 (accessed on 10 October 2017).

47 Office of the Cyber Security Special Adviser, (now the National Cyber Security Adviser) Review of the Events Surrounding the 2016 eCensus, at p. 3, http://parlinfo.aph.gov.au/parlInfo/download/publications/tabledpapers/a41f4f25-a08e-49a7-9b5f-d2c8af94f5c5/upload_pdf/Review%20of%20the%202016%20eCensus%20-%20final%20report.pdf;fileType=application%2Fpdf#search=%22publications/tabledpapers/a4 1f4f25-a08e-49a7-9b5f-d2c8af94f5c5%22 (accessed on 19 April 2018).

27

privacy breach has resulted in ongoing litigation which to date has cost the government approximately $1 million in legal fees.48

The NAPLAN online failure

2.54 NAPLAN is an annual assessment for all students in years three, five, seven and nine. It tests the types of skills that are essential for every child to progress through school and life. The tests cover skills in reading, writing, spelling, grammar and punctuation, and numeracy. The assessments are undertaken every year in the second full week in May. Federal, state and territory education ministers had agreed that NAPLAN will move online over a two-three year period. This means moving NAPLAN from the current paper-based tests to computer-based assessments.49

2.55 The NAPLAN online tests were recently undertaken by approximately 200 000 students in New South Wales. At their first NAPLAN online test year 5 students at Annandale North Public School found the [undo] button didn't work, and that one of their group was initially unable to log on and was still completing the test when others students had completed the test. Also, some students' headphones didn't work on the school-issued laptops or in the test.

2.56 A trial of the online tests was initially planned for 2017. The trial was abandoned by all states and territories due to technical issues, including power failures, browser issues, freezes and broken internet connections. 50

The Australian Apprenticeship Management System

2.57 On 18 May 2018, the Department of Education and Training notified the public that it had ceased work on the Australian Apprenticeship Management System (AAMS) project. The project was intended to deliver a new ICT system to replace the current Training and Youth Internet Management System (TYIMS) which supports Australian Apprenticeships. The departmental statement advised that work had ceased on the AAMS project rather than continue to invest in a system which ultimately may

48 Office of Australian Information Commissioner, Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers, Media Release, 12 November 2014, https://www.oiac.gov.au/media-and-speeches/media-releases/dibp-unlawfully-disclosed-personal-information-of-asylum-seekers (accessed on 9 October 2017); ABC News, Immigration Department's asylum seeker data breach costs taxpayers nearly $1m in legal fees, 13 July 2017, http://www.abc.net.au/news/2017-07-13/asylum-seeker-data-breach-costs-$1-million-in-legal-fees/8705326 (accessed on 10 October 2017).

49 NAPLAN National Assessment Program, available at: https://www.nap.edu.au/home (accessed 15 June 2018).

50 Pallavi Singhai, First NAPLAN online test brings nerves and some technical glitches, Sydney Morning Herald, 15 May 2018, available at: https://www.smh.com.au/education/first-naplan-online-test-brings-nerves-and-some-technical-glitches-20180515-p4zfem.html (accessed 14 June 2018).

28

not have met the current business needs or future requirements of Australia’s apprenticeship and traineeship system.51

2.58 An amount of $20 million has been spent so for on the AAMS with no outcome. The project has been discontinued. The AAMS is in the DTA's 'engaged category' but because the DTA's role is confined to oversight, it has not involved itself ascertaining why the sponsoring department had determined not to proceed with the project or continue to investment in something that was not 'fit for purpose', despite the DTA's role in to ensure effective ICT investment.

2.59 The DTA did not appear to be aware to whom it should be reporting, its accountability mechanisms, or its formal reporting obligations. The DTA maintained that accountability for the AAMS rested solely with the Department of Education and Training, not the DTA.52

The Biometric Identification Services Project

2.60 In 2016 a Biometric Identification Services project was established by the Australian Criminal Intelligence Commission (ACIC) to replace the national automated fingerprint identification system, as well as adding facial recognition, palm prints and foot prints capability.53 The ACIC contracted NEC Australia to deliver the project at a budgeted $52 million, It appears costs have blown out to more than $100 million.54

2.61 A PriceWaterhouseCoopers report in late 2017 recommended the NEC Australian contract be overhauled, the project simplified and the timeline for delivery changed:

There is a low confidence in likelihood of delivery, which requires focus to achieve turnaround.

Poor communications, operational silos, limited collaboration and a failure to estimate the project's complexity had blown it off-track.55

51 Department of Education and Trainng, Departmental statement on AAMS project closure. 18 May 2018, available at: https://www.education.gov.au/departmental-statement-aams-project-closure (accessed 15 June 2018).

52 Finance and Public Administration Legislation Committee, Senate Estimates Hansard, 21 May 2018, pp. 101-110.

53 Sally Whyte, Chaos at bungled biometric identity project as costs, timeframe blow out¸ Canberra Times, 13 June 2018, available at: https://www.canberratimes.com.au/politics/federal/chaos-at-bungled-biometric-identity-project-as-costs-timeframe-blow-out-20180613-p4zl8k.html (accessed 5 June 2018).

54 Denham Sadler, NEC staff walked from identity gig, InnovationsAus, 12 June 2018, available at: https://www.innovationaus.com/2018/06/NEC-staff-walked-from-gig (accessed on 13 June 2018).

55 Sally Whyte, Chaos at bungled biometric identity project as costs, timeframe blow out¸ Canberra Times, 13 June 2018, available at: https://www.canberratimes.com.au/politics/federal/chaos-at-bungled-biometric-identity-project-as-costs-timeframe-blow-out-20180613-p4zl8k.html (accessed 5 June 2018).

29

2.62 In June 2018 the ACIC suspended the project. NECAustralia was also the contractor for the failed AAMS system recently cancelled by the Department of Education and Training.56

2.63 In parallel with the ACIC biometrics project, the May 2018 budget allocated $92.4 million to the DTA for the next phase of the Govpass digital identity system.57 Govpass is being developed by the DTA with the purpose of creating a digital identity for Australian citizens that is recognised and trusted by online government services. The benefit of this digital identity is that it gives more Australians the option to complete their government business online, rather than visiting a shopfront.58

2.64 The DTA has declined to comment on how the ACIC's biometric capabilities project aligns with the DTA's own verification services project. Nor is it clear how the ACIC and DTA's projects fit with the proposed Home Affairs hub allowing the exchange of biometric data between jurisdictions.59

56 Sally Whyte, Chaos at bungled biometric identity project as costs, timeframe blow out¸ Canberra Times, 13 June 2018, available at: https://www.canberratimes.com.au/politics/federal/chaos-at-bungled-biometric-identity-project-as-costs-timeframe-blow-out-20180613-p4zl8k.html (accessed 5 June 2018).

57 Denham Sadler, NEC staff walked from identity gig, InnovationsAus, 12 June 2018, available at: https://www.innovationaus.com/2018/06/NEC-staff-walked-from-gig (accessed on 13 June 2018).

58 Australian Public Service Commission, Govpass - your digital identity for government services, available at: https://www.apsc.gov.au/govpass-your-digital-identity-government-services (accessed 15 June 2018).

59 Denham Sadler, NEC staff walked from identity gig, InnovationsAus, 12 June 2018, available at: https://www.innovationaus.com/2018/06/NEC-staff-walked-from-gig (accessed on 13 June 2018).

Chapter 3

What is 'digital transformation' of government services Introduction 3.1 This chapter summarises evidence received by the committee regarding perspectives as to what 'digital transformation' entails. What is meant by 'digital transformation' of government services?

Perspectives 3.2 The committee has heard a variety of views as to what is understood by the term 'digital transformation'. Some submissions addressed the fundamental nature of the changes to society and government administration brought about by digital technology.1 Many focused on the rollout of the actual infrastructure, software and the devices needed to deliver services.2

3.3 Mr Paul Waller, Researcher, Bradford University, London and a former United Kingdom senior civil servant involved in policy development and delivery of e-government, observed that there is no generally accepted understanding of the term 'digital transformation' as applied to government. Mr Waller noted that implicitly or explicitly, the term mostly refers to a change in organisational form signalled by the terms 'joining-up' or 'integration', of government. Mr Waller commented that:

There is in academic or other literature little evidence of any type of "transformation" achieved beyond a change in administrative process, nor a robust framework of benefits one might deliver. This begs the question of what it actually means in reality and why it might be a desired goal.3

3.4 Mr Waller further commented that his research of the literature covering the last 20 years has led him to the conclusion that digital transformation of government services has been that governments have been going about the task the wrong way by applying:

…a very simplistic e-commerce model to what is actually a highly complex political and legislative context. The model is of very limited applicability in that context. In effect, digital transformation turned out to mean websites and transactions on websites…almost nothing [in the literature]

1 See, for example: Mr Paul Waller, Researcher, Bradford University, London, United Kingdom, Submission 18; Mr Martin Stewart-Weeks, private citizen, Committee Hansard, 23 March 2018; Community and Public Sector Union, Submission 16.

2 See, for example: Mr Paul Shetler, private citizen, Submission 26; SCOA Australia, Submission 1; ACCAN, Submission 11.

3 Mr Paul Waller, Researcher, Bradford University, London, United Kingdom, Submission 18, p. iii. Mr Waller was a senior civil servant in the United Kingdom (UK) Cabinet Office involved in e-government and digital government strategies, including leading e-government work for the UK's presidency of the European Union developing European policy.

32

acknowledged that government is about policy development, policy design and its implementation...4

3.5 Mr Waller contended that governments need to look at the issue starting with policy making and legislation as the core functions of government, and that:

The key there lies in understanding the impact of technology—any technology—on policy instruments, their selection in policy design and how that's translated into interactions with the real world in administrative legislation.5

3.6 Mr Martin Stewart-Weeks, who appeared in his private capacity, commented that digital transformation of government services is a triangle of issues: 'digital capability, the role and purpose of government, and [public sector] culture'. He further stated that:

…part of the challenge for the digital transformation conversation in government at any level… is that we often fail to make a connection… between [the] three elements whose interaction has a lot to do with where and how we can drive the transformation debate as far is it needs to go.6

3.7 The Community and Public Sector Union (CPSU) made a similar point, observing that there is a 'misunderstanding of digital', which the CPSU stated 'is not only about ICT or websites, but also about business transformation'.7

3.8 Mr Paul Shetler, the former Chief Executive Officer of the DTO, has a conception of digital transformation of government services as the delivery of simple, clear, fast services that meet users' needs.8 He advocated customer service as the key:

One of the things I've noticed working in government but also outside government in financial services and a number of other industries that are currently dealing with digital competition is that in many cases the companies don't really understand what business they're in. They don't really understand that they're competing against digital companies. When you are competing against digital companies, to some extent you are becoming one because you can be replaced in your customers' minds with a digital company. Government needs to have the same kind of mindset as industry in this regard. It needs to understand, 'What is the impact of digital on the business models we have, on the ways we can serve the public and

4 Mr Paul Waller, Researcher, Bradford University, London, United Kingdom, Committee Hansard, 14 March 2018, p. 1.

5 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, p. 2.

6 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 1. Mr Martin Stewart-Weeks is the principal of Public Purpose, an advisory practice working at the intersection of government, policy, and technology and innovation.

7 Community and Public Sector Union, Submission 16, p. 10.

8 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 16. Mr Shetler was the inaugural Chief Executive Officer of the newly created Digital Transformation Office, the predecessor to the Digital Transformation Agency.

33

on the kind of ways we can rethink and re-imagine our services so that we can make them meet user needs?'9

3.9 By contrast, the Australian Communications Consumer Action Network (ACCAN) focused on 'a government's use of computers, mobile devices and the internet to provide services and information for consumers in its jurisdiction' and digital services as 'allow[ing] consumers to complete government applications and transactions remotely…facilitated through the submission of an electronic form on a digital platform'.10

3.10 The DHS described its Digital Transformation Strategy as:

…a six year roadmap to harness current and emerging technologies to deliver smarter and more efficient services.11

3.11 The DTA as the government's lead agency for digital transformation sees its task in terms of making technology accessible:

…delivering better and more accessible digital services to individuals and businesses. This includes modernising myGov, providing Australians with secure control of their personal information, adopting cloud strategies to deliver better digital services, making it easier for small-to-medium enterprises to win government work and increasing the transparency of government services.12

3.12 Mr Randall Brugeaud, Acting Chief Executive Officer, DTA, agreed with the views expressed that turning analogue services into digital services is not transformation:

It's not simply sufficient for us to turn paper forms into electronic forms. In order for us to actually have a significant impact on the way government delivers services we need to think quite differently about how those services are delivered.13

Whether government is different from the private sector 3.13 Some submissions addressed the question of whether there was any relevant distinction between government and industry which would have bearing on how governments should approach the process of the digital transformation of their activities.

9 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 17.

10 Australian Communications Consumer Action Network, Submission 1, p. 7.

11 Department of Human Services, Submission 13, p. 20.

12 Digital Transformation Agency, Submission 10, p. 1.

13 Mr Randall Brugeaud, Acting Chief Executive Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 2.

34

3.14 Mr Waller disagreed with the contention that government should 'be like Amazon or a bank or supermarket'. He argued that governing a country is not the same thing as selling potatoes or paperbacks.14 He contended:

Governments do policies, not services…

… a government is about policy development, policy design and its implementation; legislation and administration of that legislation; appreciation of the principles of the rule of laws and separation of

powers;…the role of administrative legislation; and its political accountability.15

3.15 In that context, Mr Waller said:

There are words bandied around in the UK—I can't speak for Australia— about government being agile. In a sense, as policymakers, you have to respond to events in a way, but that's always been the nature of government. As Churchill said, 'Events, dear boy, events!' But on the other hand, in terms of the administration of public policy and legislation, the opposite is true. We, as nations, both pride ourselves as being adherents to the rule of law, so regulation is predictable. The execution and the administration of acts of regulation or whatever are carried out according to the law,

objectively, without favour and entirely predictably and stably. It's generally not regarded as a good thing if law and public administration chop and change constantly; the opposite is true. So, the dynamic in public administration as opposed to entrepreneurial start-ups is, to my way of thinking, completely the opposite.16

3.16 In that context, Mr Waller considered the language used to be an important distinction:

… Language, here, does play a big part, and my biggest hate is the word 'services', which gets used to apply in this context to everything from the entire health system or the taxation system down to a simple transaction or even just a bit of computer code. But it brings into play what I described as the ecommerce model, a very simplistic model…talking about the difference between public administration and entrepreneurial start-ups, I am desperately trying to move people away from the language and concepts from that world …Yes, they may look like customers in some sense…Are you a customer of a public health service? Not quite perhaps, because you're exercising an entitlement to something under the law. There are not really good words in the English language, but it's a matter of people exercising rights and entitlements rather than customers and providing services in the commercial sense.17

14 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, p. 1.

15 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, pp. 1-2.

16 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, p. 4.

17 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, p. 5.

35

3.17 Mr Martin Stewart-Weeks, agreed with Mr Waller that the digital transformation of government must proceed with 'deep, deep respect for the particular rhythms and contours of public work', however, he did not accept the proposition that the digital transformation process has been about trying to impose business techniques on government business:

This is not what it's about at all. The digital game we're playing is way deeper and way more significant, in my view…It's a whole different mindset about how you conduct enterprises of any sort. I would argue very, very forcefully that the digital transformation engine…or motivation is not primarily about a bunch of private sector techniques. This is in fact about the discovery of a very, very deeply significant and certainly potentially deeply disruptive new way of conducting human business of how we organise ourselves and get stuff done. It doesn't matter what sector it's in.18

3.18 Meanwhile, Mr Paul Shetler made no special reference to government being different from the private sector in delivering government services. He contended that:

Government needs to have the same kind of mindset as industry in this regard. It needs to understand, 'What is the impact of digital on the business models we have, on the ways we can serve the public and on the kind of ways we can rethink and re-imagine our services so that we can make them meet user needs?19

3.19 Mr Shetler partially accepted the proposition that the inherent difference between private enterprise and government is that the latter cannot go out of business. However, Mr Shetler observed that governments can suffer a similar thing to going out of business where governments suffer a crisis of trust. Mr Shetler saw the answer as governments being certain they can react in real time to their understanding of what the user needs are, as that is how private enterprise survives.20 He continued:

When I say 'more like Amazon', I mean more responsive to user needs… Government has a social purpose which is different from industry. …I'm not at all saying, 'Run government as a for-profit enterprise.' That's not what I'm saying, but I'm saying we should learn from the methods that for-profit enterprises use to deliver brilliant products and seeing what of those we can actually apply.21

3.20 Mr Stewart-Weeks accepted the premise that there is no reason why government cannot provide a similar user experience as provided by Netflix, Amazon or Uber. However, he observed:

[that the answer] has to do with the way in which you design those experiences. If you're going to help people pay their tax easily or get their student benefits easily and all the rest of it, I think there are more nuances

18 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 4.

19 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 17.

20 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 20.

21 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 20.

36

and there are certainly more hurdles that you have to get across in the public space in order to be able to deliver the same kind of experience—that is to say, from the user's point of view, it's simple, it's easy, it's clear, it's relatively quick and it's safe... That doesn't mean to say that you run the Department of Human Services like you're running Netflix or Amazon…22

What questions should government be asking? 3.21 Some submissions identified various aspects of the digital transformation process the importance of which would appear not to have been fully appreciated in conceptual thinking about digital transformation, or indeed, have been overlooked, in the development of the overall framework for the digital transformation of government services.

3.22 Mr Waller has argued that the lack of progress in the digital transformation of government services has been taken to be a failure of execution, whereas it is actually a failure to understand the problem; governments are assuming that they are doing the right things badly whereas they have not actually known what is the right thing to do. Mr Waller observed that focus has been on the 'how' of things that are done rather than challenging the 'what' or why they are done.23

3.23 Mr Stewart-Weeks reflected that at present the conversation tends to be dominated by the technology, what is or isn't happening, and so forth. He observed that, important as these things are, they are only one half of the conversation24. He observed the trust and empathy and values between government and citizen is critical to digital transformation:

…the experience for most people of dealing with government is obviously significantly transactional…It's transactional at one level; people want to do their business with government whether it's paying taxes or fines or getting benefits or whatever. But the truth is that people's attitudes towards and their beliefs about whether the government is doing a good job or not are not transactional. There are also other very big issues at play: empathy; what I would call legibility—not so much transparency, but legibility: the ability for people to literally read and see what's going on and get a real sense of what's happening—trust; big issues around outcomes and public value; and so on and so forth.25

3.24 Mr Shetler contended the government approach to digital delivery does not allow for experimentation, and therefore precludes agility, agreeing that a prototyping methodology is best where there is uncertainty as to how to achieve an outcome. A project might be clear as to the outcomes to be achieved, but knowing the end result does not necessarily mean you know the best way of getting there. Mr Shetler put

22 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 5.

23 Mr Paul Waller, Researcher, Bradford University, Committee Hansard, 14 March 2018, p. 2.

24 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 2.

25 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 2.

37

forward his belief that the only way to achieve experimentation is to bring digital skills in-house. 26

I think that, generally speaking you're talking about experimentation. That is why I believe government needs to have the digital skills in-house. Government needs to own that process. If you hand it off to a vendor, there are all kinds of things that can go wrong. The only way to manage that is purely on a time-and-materials basis, where you just shut things off if you don't want them.27

3.25 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, focussed on the dimension of government as a repository of data that has a public value which is not presently being recognised. She noted that the National Archives is the custodian of the most significant national data and information of government. She contended that digital transformation must recognise that information collected by the government, or data, is a business asset that must be strategically managed:

…we consider that the successful delivery of trusted government services requires an increased focus on the value, governance and management of business information, including data.28

'Being digital' rather than 'doing digital'29 3.26 Some submissions posited the view that digital transformation requires a change of mindset about how policy is decided and delivered, proposing a much more consultative approach to design solutions.

3.27 Mr Waller observed that the purpose of government is to make, implement and administer policy decisions on behalf of the community, however, in relation to digital government, the dominant assumption has been that 'government is a service industry, with a private sector model in mind'.30

3.28 Of the way ahead, Mr Waller stated:

…we must start with the political process of policy design. Instead of building web sites to support existing administration, we must look at how technology can be embedded in policy realisation, through policy instruments.31

3.29 Mr Waller cited an example where the delivery of healthcare services was greatly assisted by using text messages to remind people about their appointments,

26 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 22-23.

27 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 23.

28 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, p. 37.

29 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 2.

30 Mr. Paul Waller, Researcher, Brunel University, London, Submission 18, p. 2.

31 Mr Paul Waller, Researcher, Brunel University, London, Submission 18, p. [v].

38

because the missing of appointments was one of the biggest drains on local healthcare services:

Again, it's just achieving a simple impact on, in this case, achieving healthcare policy through smart, clever little uses of simple technology making it easier for people. None of that is actually about websites, but, historically, we've always been thinking immediately of transactions on websites as being the solution to everything, and it hasn't really worked.32

3.30 Mr Stewart-Weeks observed that policymakers are trained to provide answers to policy problems, whereas the current environment is one where people want an opportunity to shape the question. He contended:

..the digital space starts from the premise that we may not even be asking the right question, and we may find our way to the right question much more quickly if we are way, way more open about who ought to be engaged in the first place, rather than keeping that whole policy process relatively closed, relatively elite and relatively secret.33

3.31 Mr Stewart-Weeks' solution is to ensure that, early in the process, policymakers should be engaging with customers, frontline staff, entrepreneurs and innovators who can think about ways in which digital tools and platforms might be able to ameliorate, or even avoid the problem, or to challenge the subject of the

proposed policy. He stated:

In other words, if you're going to be digital, as opposed to do digital, and you're thinking about the policy conundrum that you're trying to solve…would you be trying to solve that problem in the first place or are there other ways, perhaps with more user involvement, self-service and those kind of things? The policy problem itself may disappear, or at least it may go away or change. 34

3.32 Mr Stewart-Weeks referred to 'Policy Lab', a project within the cabinet office in the United Kingdom concerning open policymaking which examines whether the policymaking process

…could use digital capability, particularly in the early stages, a much more open and legible process in terms of people being able to see what is happening and see the issues that are being debated in order to have a chance much earlier in the formation and selection of the policy issues to be worried about in the first place—never mind waiting until somebody's got a draft paper or a draft bill, or whatever it might be and then we traditionally get consultation and feedback.35

3.33 The Australian Information Industry Association (AIIA) made a similar point:

32 Mr Paul Waller, Researcher, Bradford University, London, Committee Hansard, 14 March 2018, p. 3.

33 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 5.

34 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 5.

35 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, pp. 4- 5.

39

The efficiency of moving a service online is, in most cases, only realized where the business process that supports the service is re-engineered. Maximising the efficiency of technology requires leveraging the capability of the technology to improve and transform the business process and delivery method. This has still not been addressed by a range of government agencies that deliver outward facing services to consumers— while the technology is new, the underlying processes remain antiquated.

For example, the plethora of forms, the way in which these are compiled, how they are required to be completed and submitted continues to reflect old processes and old ways of thinking.36

3.34 Ms Ward provided an example of government being rather than doing digital, in the potential for artificial intelligence to be embedded in metadata, in this case, to assist in the sentencing and preserving of Commonwealth records.37 Ms Ward stated:

The Department of Finance… [have] a research project at the moment where they're looking at how metadata can work behind the scenes in information management and help with the sentencing of documents so that the user, the departmental officer who is typing away into their word document, doesn't need to be strictly aware of how that document will be sentenced.38

36 The Australian Information Industry Association, Submission 5, p. 2.

37 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, pp. 38-39.

38 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, p. 39.

Chapter 4

Challenges faced in undertaking digital transformation Introduction 4.1 This chapter details evidence regarding critical challenges to digital transformation including:

• Cyber security, risk and resilience.

• Privacy:

• The diversity of users and their needs:

Critical challenges to digital transformation

Systems architecture issues

4.2 Many submissions focussed on practical and technological challenges facing infrastructure and platform design, including hardware legacy issues, as well as complexity arising from the digitalisation of a diverse range of government activities and services in compliance with the applicable legislative regime.1

Infrastructure design

4.3 Submissions on infrastructure and platform design covered a variety of issues:

• quality assurance;

• the need for a consultative approach to platform design;

• a whole-of-government approach to standards;

• that systems must comply with administrative law principles; and

security; and

• privacy imperatives.

4.4 Several submissions emphasised that understanding the user's needs is paramount when designing digital systems, and recommended the co-design and user-testing of proposed government digital services.2 Mr Chris Hamill noted the need for digital services to be designed to resemble traditional services that consumers are used to, both in terms of style and format, and in terms of procedure, 'familiarity' being the key to engaging the less computer literate or less confident consumer.3

4.5 Ms Louise MacLeod, Senior Assistant Ombudsman, Operations Branch, Office of the Commonwealth Ombudsman, agreed, stating the need for designers to

1 See, for example, SCOA Australia, Submission 2; Department of Human Services, Submission 13; National Archives of Australia, Submission 22.

2 Commonwealth Ombudsman, Submission 12, pp. 3 and 5; COTA Australia, Submission 14, p. 6; Mr Chris Hamill, Submission 8, p. 9; Federation of Ethnic Communities' Councils of Australia, Submission 3, p. 3.

3 Mr Chris Hamill, Submission 8, p. 3.

42

understand their users, and to build into the design of a system explanations of what information is sought, and why:

so that people along the way understand what they have to complete, why they have to complete it and the consequences for not providing that information.4

4.6 The Royal Australian College of General Practitioners (RACGP) commented on the need for co-design, reporting that:

A previous lack of general practice clinical engagement has resulted in the delivery of some products which are not fit for purpose…5

4.7 SCOA Australia identified a further ongoing, and potentially intransigent design issue that needs to be accommodated in digital transformation, being that government systems must be designed and built so that they can actually be used by their intended users who may be relying on old and outmoded devices:

Firstly, users may be using a wide range of devices to access the system - Apple computer, Windows computer…MacOS, Windows 7 - 10 Linux… iPhone…Android,…All these devices will be expected to work with the government system.6

4.8 The CPSU contended that co-design in the development of public services be extended to include staff as well as the wider community, noting that employees are uniquely placed to provide input into how public services can be improved:

Properly involving and utilising the capacity and experience of the APS workforce will result in better designed services.7

4.9 DHS has advised that it has established a position of Chief Citizen Experience Officer to focus systemic improvement of the user's experience with the department's digital services:

[DHS] is also actively applying behavioural insights to understand how and why people make the decisions they do and using this knowledge to test and design more effective digital services.8

4.10 Furthermore, in relation to the Welfare Payment Infrastructure

Transformation program, Mr John Murphy, Deputy Secretary, Payments Reform, DHS, , acknowledged 'it is not exclusively about digital':

We fully recognise that for many people digital is a real, appropriate response but that a number of people, particularly those who are vulnerable, need to continue to have access to the services that the department provides

4 Ms Louise MacLeod, Senior Assistant Ombudsman, Office of the Commonwealth Ombudsman, Committee Hansard, 14 March 2018, p. 51.

5 Royal Australian College of General Practitioners, Submission 15, p. 5.

6 SCOA Australia, Submission 2, p. 3. See also: COTA Australia, Submission 14, p. 7.

7 Community and Public Sector Union (PSU Group), Submission 16, p. 11.

8 Department of Human Services, Submission 13, p. 26.

43

day in and day out. Essentially, what we're also looking to do as part of this program is ensure that the people who need access to our experts, of whom we have many, are able to access those people in a very timely way.9

4.11 The DTA promotes its Digital Service Standard (DSS), which articulates criteria that agencies should adopt to establish a 'sustainable multidisciplinary team' to undertake the development process, and recommends a user-centred approach to design.10

4.12 Two submissions noted the need for independent reviews of systems design. The Commonwealth Ombudsman described the need for an 'external perspectives in the design, testing and implementation of new digital systems'.11 Mr Ian Brightwell, who appeared in his private capacity, observed that agencies currently undergo a limited number of structured reviews such as 'Gateway' or the Implementation Readiness Assessments (IRAP). He recommended that review data should be shared more widely, including being published on the DTA's new program status dashboard.12

4.13 The Office of the Cyber Security Special Adviser (OCSSA) [now the National Cyber Security Adviser] and the Office of the Australian Information Commissioner (OAIC) are concerned about design that supports trust on line. The OCSSA recommended that cyber security be considered a core part of systems design to strengthen trust on line, noting:

Security needs to be embedded in all levels of systems architecture, in software and apps, as well as applied to the end-points that public the use to access these systems.13

4.14 The OAIC similarly recommended the adoption of a 'privacy by design' approach to build privacy into systems and projects from the design stage onwards.14

4.15 With respect to the design of automated decision making systems such as the DHS' Online Compliance Intervention automatically generated debt letters, the Commonwealth Ombudsman noted that the system must be consistent with administrative law values of lawfulness, fairness, rationality, transparency and efficiency.15 The Commonwealth Ombudsman noted that in 2004, the Australian

9 Mr John Murphy, Deputy Secretary, Payments Reform, Department of Human Services, Committee Hansard, 23 March 2018, p. 47.

10 Digital Transformation Agency, Submission 10, p. 21.

11 Commonwealth Ombudsman, Submission 12, p. 6.

12 Mr Ian Brightwell, private citizen, formerly the Chief Information Officer and Director of Information Technology at the New South Wales Electoral Commission, Submission 17, p. 5.

13 Office of the Cyber Security Special Adviser, Submission 6, p. 3.

14 Office of the Australian Information Commissioner, Submission 1, pp. 1-2.

15 Commonwealth Ombudsman, Submission 12, Centrelink's automated debt raising and recovery system, Report No 2/2017, April 2017, p. 26.

44

Research Council 'recommended the establishment of an interdisciplinary advisory panel to oversee automated systems'. The Commonwealth Ombudsman suggested:

One solution to this problem may be for agencies rolling out automated decision making systems to consider establishing advisory panels or delivery units to oversee major digitalisation projects, which include external stakeholders, in particular, the DTA, the Commonwealth Ombudsman, the Office of the Australian Information Commissioner and the Australian National Audit Office in the earliest stages of design and planning.16

4.16 Ms Ward considered that the digital delivery of government services requires recognition of the value of embedding information management functionality into digital platforms and services. She considered that this functionality needs to be considered at the outset of technical development, rather than being retrofitted, to enable information to be properly managed. Ms Ward stated:

…that digital delivery of government services should include information governance requirements and relevant whole-of-government and whole-of-agency digital government services delivery project, noting that the crucial role of information and data play in the delivery of trusted government services and reinforcing requirements under the Digital Continuity 2020 Policy that information management functionality be included in the design of digital platforms and services.17

Managing complexity

4.17 A number of department and agency submissions demonstrated the complexity of transforming to digital technology. Though the issues raised in the submissions have a whole-of-government application, the committee were advised that agencies each have their own particular challenges.

4.18 DHS advised that it made over $174 billion dollars in payments to citizens in financial year 2016-2017. It dealt with over 700 million digital and self-service transactions, with digital services being available 99.3 per cent of the time. It has 349 service centres across Australia, with 239 Access Points and 347 agents. It had 19 million visits to service centres, an average of 77 000 per day, and over 52 million phone calls.18

4.19 DHS explained the complexities it presently faces in seeking to implement welfare benefits:

Services are delivered as prescribed by numerous Acts of legislation that describe how benefits and payments must be calculated and delivered.

As the Government introduces new services and changes or ceases existing services, [DHS] needs to amend its systems, procedures and resources to

16 Commonwealth Ombudsman, Submission 12, p. 6.

17 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, p. 37.

18 Department of Human Services, Submission 13, p. 5.

45

maintain their integrity. [DHS] faces several challenges when implementing new or changed government policies. These include:

• Policy initiatives that involve legislative uncertainty and/or rapid implementation

• Ageing legacy systems that provide day-to-day critical services yet are costly to maintain, are at end-of-life and prevent rapid and/or agile policy implementation, and

• High demand on technical, programme and project management capabilities, skills and resources.19

4.20 Mr John Murphy spoke about joining DHS after a banking career of some 36 years.20 He reflected on the complexity of the digital task for the department:

I would like to reiterate what I said earlier: the environment and the complexity in the government sector are far more pronounced than what you would see in the private sector…

…Our challenges are, in no particular order: the redesign of the business processes; the ability to implement the changes that we need to make, and by that I mean the culture, the reskilling, the retraining of our people, and the right-sizing of the department, by which I mean having the right people in the right place; and then the technology. Certainly, as I say, it's probably unfair to draw a direct comparison between government and the private sector. My point would be that the expectations of customers have gone up significantly. That includes being able to do things digitally, being able to stay in the digital channel, and equally—I think we would all agree we would expect—to be able to access services anytime, anywhere. You've only got to look in the private sector. You have, generally speaking, more access and greater access to various services outside of the normal business hours. The idea of normal business hours fell away many years ago.21

4.21 The ATO advised that its computing environment holds data securely for 25 million clients and partners.22 The ATO observed that it operates in a 'necessarily complex' environment, referring to its systems' 'co-dependencies'. The ATO stated that the taxation regime collects data from banks, states and territories, stock exchange companies, employers, private health insurance providers, Centrelink and other government agencies, and employee share schemes. It also interacts with the superannuation industry including self-managed superannuation funds, tax professionals, other government agencies, a variety of digital services providers, and intermediaries including financial advisers, insolvency practitioners and legal practitioners:

19 Department of Human Services, Submission 13, p. 32.

20 Mr John Murphy, Deputy Secretary, Payments Reform, Department of Human Services, Committee Hansard, 23 March 2018, p. 47.

21 Mr John Murphy, Deputy Secretary, Payments Reform, Department of Human Services, Committee Hansard, 23 March 2018, p. 48.

22 Australian Taxation Office, Submission 9, p. 5.

46

While our IT infrastructure is extensive to support the vast array of systems, millions of transactions and interactions needed to administer the tax system and superannuation systems each year, we don't and can't do it in isolation. We are integrated; our systems, our data, our technology, or legislative framework and our infrastructure all have co-dependencies across the economic and digital landscape.23

4.22 The circumstances of Home Affairs' are directly opposite to those of the ATO in that it is aggregating its business systems, but is equally complex. Home Affairs technologies represent critical infrastructure that allow the department to protect and manage the Australia's territorial border. The breadth of technologies is underpinned by a complex technology foundation of networks spanning unclassified to top secret material, and storage data infrastructure which is delivered by a range of models from in-house support to fully managed commercial services.24 Home Affairs' functions are undertaken 24 hours per day, seven days a week in 84 locations across Australia and 50 locations world-wide. It operates 250 SmartGates and kiosks, more than 3 000 CCTV cameras, patrol boats, surveillance aircraft, 2 000 terrestrial and satellite capabilities, 660 detection and inspection technology units and more than 11 000 personal defence equipment and wearables located within 48 armouries.25

4.23 Home Affairs submitted that it is managing complexity by:

Removing the dependencies between applications by developing independent business systems, or decoupled domains, enables the ability to more effectively make changes to business functionality and reduces the time to implement new functionality or change business processes. Using this approach, changes to business policy, process or functionality can occur without the need to impact or involve other business systems. By aggregating critical business information into a single service and providing this service to all business systems, each decoupled business system gains by:

• Having access to a deeper set of information

• Allowing effective decision making

• Simplifying and reducing maintenance requirements over time.26

4.24 Ms Ward identified a very different but equally significant complexity facing Commonwealth agencies' digital transformation is the capacity to retain and preserve Commonwealth records. She observed that Commonwealth records are being created in a range of digitalised formats. The obligation on departments and agencies in transferring material to the National Archives is to ensure the data, including

23 Australian Taxation Office, Submission 9, p. 16.

24 Department of Home Affairs, Submission 4, p. 3.

25 Department of Home Affairs, Submission 4, p. 3.

26 Department of Home Affairs, Submission 4, attachment, Technology Strategy 2020, p. 9.

47

metadata, is transferred in a readable format.27 Ms Ward stated that the National Archives is aware:

That around 87 per cent of agencies have moved from paper processes to digital processes, and we are also aware that data is being lost every day— either not well-managed, can't be found or kept in locations that aren't appropriate—and that access is rendered impossible both for now and the future.28

Legacy issues

4.25 A number of department and agencies' submissions demonstrated the difficulties arising from 'legacy' systems, such as new systems being overlaid on outdated hardware which in turn have been subject to ad hoc iterations of updates and upgrades, as well as outmoded business processes, and security vulnerabilities arising from old technologies.

4.26 Mr Ian Brightwell, who appeared in his private capacity, noted that ICT program failure in the APS is due in part 'to poor backend infrastructure and systems upon which to build online systems'.29

4.27 DHS drew attention to challenges it faces in delivering digital services, in particular that core ICT systems were not designed for modern digital services, such that changes to these services brings risk of unforeseen impacts.30 The DHS stated:

[DHS's] legacy ICT systems supporting delivery operations are now over 30 years old and were originally built to operate on a different scale…

4.28 [DHS] faces several key challenges in this area:

• The core ICT systems were not designed for modern digital services;

• Any changes to these systems brings the risk of unforeseen impacts, and

• Rules and processes are not standardised across payments, and complex rules cannot be easily changed.31

4.29 Mr Murphy summarised the legacy issue facing DHS:

But, essentially, the environment that we're working in is one that was largely designed back in the seventies, eighties and nineties, which was largely constructed around paper and telephones and largely based on face-to-face interactions. I think it's fair to say that that mode of operating has largely continued. I think we would all recognise that, in this day and age— particularly around customer expectations of digital, simple, clear, easy-to-

27 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, p. 39.

28 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, p. 37.

29 Mr Ian Brightwell, Submission 17, p. 6.

30 Department of Human Services, Submission 13, p. 33.

31 Department of Human Services, Submission 13, pp. 32-33.

48

use, safe and available anytime, anywhere—that is a very, very difficult proposition for the delivery of welfare without a fundamental change.32

4.30 Home Affairs stated that it will continue to sustain legacy technology capabilities as they are progressively decommissioned and replaced over the next 5- 10 years. Home Affairs will actively manage the costs associated with making changes and enhancements of legacy technology capabilities to minimise the costs involved.33

4.31 Mr Osmond Chiu, Policy and Research Officer, CPSU, reported the difficulties facing APS staff who use the technology:

many of the ICT systems that APS staff are using are quite old and outdated. The 2015-16 ICT trends report found that 44 per cent of the government's major applications are over a decade old and that 53 per cent of the government's desktops and laptops are past the end of their planned useful life. So when you have very old ICT software and systems, it can often mean that it takes a long time to log in and there can be massive delays. 34

4.32 Mr Alastair MacGibbon, NCSA, and head of the ACSC observed that legacy systems are hard to protect against threats:

…an issue we have- and government is very much not immune to [threats]—is the conflict of legacy systems. You have an application of a piece of software that only runs on a particular type of computer. You can't upgrade the computer system, because the software won't run on it. This happens not just in government…as a consequence, you end up with a series of legacy systems that are hard to protect. We know that newer systems generally have a lot of the bugs ironed out of them. The latest versions of the software have patched security vulnerabilities that previous versions haven't patched. If you're running old systems that you can't update the software on, then it could be that there are an increasing number of methods of attack, whether they're for state actors or criminal groups. Government is not immune from that.35

Cyber security, risk and resilience

4.33 Submissions from government specialists dealt with the need to embed cyber security protections and protocols in the design stage of infrastructure and software, being cognisant of the inherent vulnerability of internet based government

32 Mr John Murphy, Deputy Secretary, Payments Reform, Department of Human Services, Committee Hansard, 14 March 2018, p. 47.

33 Department of Home Affairs, Submission 4, p. 17.

34 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 13.

35 Mr Alastair MacGibbon, National Cyber Security Adviser, Committee Hansard, 14 March 2018, p. 42.

49

infrastructure and systems to malicious threats to their integrity. The submissions also address risk mitigation and systems resilience.36

4.34 The NCSA identified issues of cyber risk, stating that 'with the vast opportunity of the internet comes risk'.37 The NCSA noted that the Cyber Security Centre's Threat Report of 2016 revealed the nature and extent of the threat against Australian Government networks. The NCSA stated:

As Government services move online there is a new imperative to embrace cyber security as a core objective of digital transformation.38

4.35 The NCSA also referred to the need for a culture of security, noting that 'there is a prevailing tick box compliance culture'; that agencies consider themselves secure if there is compliance with prescribed security procedures, whereas 'compliance does not equal security'.39 The NCSA further stated that 'security must be "baked in" to design and delivery' of digital services.40

4.36 Mr MacGibbon observed:

There is no such thing as a totally secure connected system, nor is there a totally stable connected system. Rather than looking at a binary secure or insecure state, I think we really need to enter into a world of asking about resilience and risk management.41

4.37 On the issue of the management of risk, Mr Mike Burgess, Director, Australian Signals Directorate (ASD), observed that the issue of risk-management of cyber intrusions is a reasonably new circumstance:

I'm not familiar with the SFIA framework [Skills Framework for the Information Age] from a management-of-your-cybersecurity-risk point of view, and it's fair to say there is no decent framework internationally recognised on how to manage cybersecurity risk effectively, because this risk is really a young thing, insofar as the internet is really only 10 years old

36 See, for example, National Cyber Security Adviser, (formerly the Office of the Cyber Security Adviser), Submission 6; Department of Defence, Submission 7; Mr Ian Brightwell, Submission 17.

37 National Cyber Security Adviser, formerly the Office of the Cyber Security Special Adviser, Submission 6, p. 1.

38 National Cyber Security Adviser, formerly Office of the Cyber Security Special Adviser, Submission 6, pp. 1-2.

39 National Cyber Security Adviser, formerly the Office of the Cyber Security Special Adviser, Submission 6, p. 2.

40 National Cyber Security Adviser, formerly Office of the Cyber Security Special Adviser, Submission 6, p. 2.

41 Mr Alastair MacGibbon, National Cyber Security Adviser, Committee Hansard, 14 March 2018, p. 43.

50

in the benefit we're seeing in society, even though it's been around longer, and there isn't yet a decent body of practice.42

4.38 The NCSA offered this warning to governments and the public at large:

Security of personal and financial information is not solely the government's responsibility. The government can only protect what it possesses... Everyone must take responsibility for their online security.43

4.39 The ASD advised that one of its functions prescribed by legislation is to provide material, advice and other assistance to Commonwealth and state authorities on matters relating to the security and integrity of information managed digitally.44 Under the Attorney-General's Protective Security Policy Framework ASD sponsors the Information Security Manual (ISM), which assists government agencies to apply a risk-based approach to protecting their information and systems:

The controls in the ISM are designed to mitigate the most likely and highest severity security threats to Australian government agencies.45

4.40 The ASD's Strategies to Mitigate Cyber Security Incidents and the Essential Eight provide a prioritised list of practical actions government agencies can take to make their information systems and online services more secure. The ASD stated:

…the advice that ASD provides to Australian Government agencies, when applied by an agency head as the system owner, should result in digital services that have been designed with due regard to security.46

4.41 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society (ACS), considered cyber security to be a significant concern in light of attacks now being conducted by nation-states as well as organised crime. He stated that there is a need for dedicated cyber security task forces for all major departments and a national focus on the issue. In this regard, Mr Mike Burgess, Director, ASD, stated:

There is, however, good advice out there coming from my agency [about risk management], but what's missing is: how do senior executives know the value of their data and ensure they understand who's got access to it, where it is, who's protecting it and how well it's protected from a data security point of view?47

4.42 In response to a question from Senator McAllister, Mr Burgess advised that the management of risk is not the issue of having skilled people, but rather it is an

42 Mr Mike Burgess, Director, Department of Defence, Committee Hansard, 14 March 2018, p. 50.

43 National Cyber Security Adviser, formerly Office of the Cyber Security Special Adviser, Submission 6, p. 4.

44 Department of Defence, Submission 7, p. 1.

45 Department of Defence, Submission 7, p. 1.

46 Department of Defence, Submission 7, p. 2.

47 Mr Mike Burgess, Director, Department of Defence, Committee Hansard, 14 March 2018, p. 50.

51

issue of the skill of the chief executive and his or her management team, in identifying and managing the risk effectively.48

4.43 Mr Ian Brightwell, who appeared in his private capacity, recommended that agencies separate the roles of CIO [Chief Information Officer] and CISO [Chief Information Security Officer], with each having separate reporting line to the Chief Executive Officer to ensure difficult security decisions are elevated outside the ICT area of an organisation.49 As to the CIO role, Mr Brightwell said that CIO should not be lower than one level down from the CEO or agency head level because the responsibility rests at the CEO level:

Because the role of the CISO, I would argue, is largely around audit control and ensuring all the controls for security are in place. Largely, it's the CIO who has the job of implementing those cyber controls and the CISO is going to look at those and look at other controls managed by other levels. You've got to have them as far away from the people doing the job so they can effectively be responsible for reporting their efficacy in

implementation. If they're one and the same person, no-one is ever going to find out failure.50

4.44 The ATO advised that it maintains an expert in-house capability to conduct cyber-security resilience testing against ATO assets. The ATO testing team are industry certified and have knowledge of ATO systems.51 Mr Ramez Katf, Second Commissioner and Chief Information Officer, ATO, further advised that the ATO has established a security operations centre to specifically address cyber-security threats.52

4.45 DHS advised that it has established a Cyber Security Operation Centre and has significantly enhanced its cyber security monitoring, security threat intelligence, rapid detection and security incident response capability. Mr Charles McHardie, Acting Chief Information Officer, DHS, reported that in March 2017 the ANAO had assessed DHS as being cyber-resilient across all its operations.53

Privacy

4.46 Submissions identified privacy as a significant issue for the successful transformation of government services. Submissions from government privacy specialists dealt with the need to embed privacy principles and protections at the design stage of infrastructure and software, recognising and accepting that protecting citizens' privacy is a critical enabler to the government's transition to the digital

48 Mr Mike Burgess, Director, Department of Defence, Committee Hansard, 14 March 2018, p. 48.

49 Mr Ian Brightwell, Submission 17, pp. 7-8.

50 Mr Ian Brightwell, Committee Hansard, 14 March 2018, p. 9.

51 Australian Taxation Officer, answer to written question on notice, received 18 April 2018.

52 Ramez Katf, Senior Commissioner and Chief Information Officer, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 16.

53 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 28.

52

delivery of government services. A number of submissions representing citizens' interest have raised the critical issue of the need for a more sophisticated approach to digital identity in light of data analytics.

4.47 The CPSU noted that there is a real risk that the transformation of digital delivery could be derailed because of community concerns about privacy and digital rights. The CPSU highlighted widespread community concern about the ABS' collection and storage of names in the 2016 census.54

4.48 COTA Australia (COTA) noted that older people have a strong belief in the importance of the privacy of their personal information. In order to engage this cohort, governments must actively engender confidence that the systems are safe and that information is protected. COTA Australia recommended regular risk assessments and periodic audits of privacy protection procedures, with all breaches being reported to Parliament.55

4.49 The Federation of Ethnic Communities' Councils of Australia (FECCA) and COTA also highlighted that confidentiality is an issue with older Australians, people with disability, and culturally and linguistically diverse (CALD) communities where they may be reliant on third parties to whom they must disclose sensitive personal information if they are to engage with government agencies on line, through which process their privacy is breached, and the third party may be placed in the position of a conflict of interest.56

4.50 The NCSA has acknowledged that trust and confidence in operating online are the salient factors to successful digital transformation:

…the potential for digital transformation and digital delivery of government services depends upon the extent to which the Australian people can trust and feel secure online.57

4.51 The OAIC recommended the use of privacy impact assessments (PIAs) to provide a systematic assessment of a project that identifies the impact the project might have on the privacy of individuals.58 The OAIC also advised the development of the Australian Public Service Privacy Governance Code (Code) which is to come into effect on 1 July 2018. The Code will set out specific requirements and practical steps an agency must take to comply with Australian Privacy Principles 1.1 (APP) (those include reasonable practices, procedures and systems in place to comply with APPs). The Code requires an agency to undertake a PIA on 'high privacy risk' projects.59

54 Community and Public Sector Union (PSU Group), Submission 16, p. 12.

55 COTA, Australia Submission 14, pp. 3-4.

56 Federation of Ethnic Communities' Councils of Australia, Submission 3, p. 4; COTA Australia, Submission 14, p. 5;

57 Office of the Cyber Security Special Adviser, Submission 6, p. 1.

58 Office of the Australian Information Commissioner, Submission 1, p. 2.

59 Office of the Australian Information Commissioner, Submission 1, p. 3.

53

4.52 DHS has advised that its operational framework is guided by its Operational Privacy Policy, and its policy is to undertake PIAs for all significant digital services.60

Digital identity

4.53 A number of submissions considered the security of a digital identity to be a significant enabler in the transition to digital government.

4.54 SCOA Australia said that a major issue contributing to the way data is used is the ability to positively and uniquely identify individuals.61 SCOA Australia advocated the introduction of a unique individual identifier on the basis that current identifiers are no longer sufficient.62 SCOA Australia contended that the lack of a strong identifier has a significant cost, often unheralded:

Organisations will attempt to data match and data mine large data sources irrespective, with the matching attempt on name, address, birthdate and other descriptive data. The twins, Mary and Margo Smith, therefore spend their lives being mistaken for each other, especially if they share a house and an occupation.63

4.55 On this point, Ms Ward referred to a Productivity Commission report that considered data and datasets as a value to the economy and the community.64 In that context, Dr Tate, ACS, drew attention to the potential dangers of the government's open data initiatives to privacy using apparently de-identified data. Dr Tate observed that data linking tools are such that it is difficult to keep data anonymous. Furthermore, Dr Tate considered there is a need for a framework for de-identification of government data, especially medical data:

…it is possible to take data from a whole range of different sources, not just medical ones, but often sources you wouldn't expect, and put them together and say, 'Hang on, now we can possibly work out who these are'. I don't know how extensive it is. But the initial work on that has certainly shown that it's possible…65

4.56 The ATO noted that taxpayers can now choose voice biometric authentication and cloud authentication and authorisation to establish proof of identity.66 The ATO also stated that it will continue to invest heavily in securing taxpayer information through robust identity authentication and authorisation platforms:

60 Department of Human Services, Submission 13, p. 27.

61 SCOA Australia, Submission 2, p. 2

62 SCOA Australia, Submission 2, p. 2.

63 SCOA Australia, Submission 2, p. 3.

64 Ms Teressa Ward, Assistant Director-General, National Archives of Australia, Committee Hansard, 14 March 2018, p. 38.

65 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society, Committee Hansard, 14 March 2018, p. 33.

66 Australian Taxation Office, Submission 9, p. 8.

54

Increasingly the risk of identity theft in online and digital interactions needs to be anticipated, monitored and mitigated as fraudsters become more sophisticated in their operations.67

4.57 The ATO advised that it is continuing to invest heavily in securing taxpayer information through robust identity, authentication and authorisation platforms. It flagged the Tax File Number as a main identifier. It has also introduced the option of voice biometric authentication; and the use of cloud authentication and authorisation; and the linking of an Australian Business Number with myGov accounts.68

4.58 The DTA stated that it is working with agencies, other jurisdictions and the private sector to develop the GovPass program, to produce a common model for verifying data that can be used across government:

To complement the GovPass program, the DTA has developed the Trusted Digital Identity Framework, a comprehensive set of rules, policies and standards that will set a nationally consistent approach to accredit, govern and operate identity across the digital economy…The framework will be extended to address non-digital identity for individuals to allow alternate pathways for those unable to complete identity verification digitally.69

4.59 Mr Peter Alexander, Chief Digital Officer, DTA, advised that myGov has now has 12.5 million active accounts. He further advised that the DTA is looking to change the authentication process for myGov to build in the 'Tell Us Once' service, and payment and notification utilities. He also advised that the Trusted Digital Identity Framework is nearing completion; it will be a common framework across government which covers use of identity for digital services; the use of non-digital identities in a digital world for those without a digital identity to interact with government, and also an 'acting on behalf of others' authorisation.70

4.60 On 7 May 2018, Mr Gavin Slater, Chief Executive Officer, DTA advised the committee that the DTA had received $60M in the recent budget to work with agencies for the next phase on the development of a digital identity.

By October a system will be up and running that will allow people to apply for and receive their tax file number. Over the following 12 months the capability will be rolled out to a number of other high-volume government services, giving more than 400 000 people the opportunity to test this capability.71

67 Australian Taxation Office, Submission 9, p. 7. See also Digital Transformation Agency, Submission 10, p. 6. See also: Department of Human Services, Submission 13, pp. 23- 24; Australian Taxation Office, Submission 9, pp. 16-17.

68 Australian Taxation Office, Submission 9, pp. 7-9.

69 Digital Transformation Agency, Submission 10, p. 6. See also: Department of Human Services, Submission 13, pp. 23-24; Australian Taxation Office, Submission 9, pp. 16-17.

70 Mr Peter Alexander, Chief Digital Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 10.

71 Mr Gavin Slater, Chief Executive Officer, Digital Transformation Agency, Senate Finance and Public Administration Legislation Committee, Estimates Hansard,21 May 2018, p. 101.

55

The diversity of users and their needs

4.61 Submissions emphasised the diversity of needs and circumstances of the Australian community which must be accommodated in the design, delivery, and ultimately, the acceptance by the public of government delivering services online. A number of submissions expressed dissatisfaction with the government's performance in the delivery of online services.

4.62 A number of submissions focussed on the need for inclusiveness, and particularly the need for the government to maintain traditional methods of dealing with citizens to accommodate sectors of society who are not digitally literate.72 Submissions concerning website design focussed on the user perspective and the need for user-friendly websites through consistency in screen presentation and language across the whole-of-government sector.

Public expectations of government in digital transformation

4.63 A number of submissions have expressed dissatisfaction in the government's delivery of digital services. Mr Chris Hamill, private citizen, observed:

…I think it's fair to say the government does not have a great track record when it comes to 'going digital'…

It makes no sense to build a digital service for the nation, if that digital service can't handle the nation.73

4.64 COTA Australia has made a similar point, expressing concern over the quality and reliability of systems used to deliver government services:

COTA views customer experience as a key quality domain in online services. In turn, this is comprised of response time, user friendliness, ease of access and availability and responsiveness of customer support. Feedback that COTA has received indicates that current online government services have far to go in this area of performance'.74

4.65 Many submissions stated that the success of digital delivery of government services is critically dependent upon the government's capacity to provide a secure and user-friendly service, accessible by all sections of the community, and especially the most vulnerable who are the most likely recipients of government services.75

72 See, for example: SCOA Australia, Submission 2, p. 3; Federal Ethnic Communities Councils of Australia, Submission 3, p. 1; Mr Chris Hamill, Submission 8, p. 1; Australian Communications Consumer Action Network, Submission 11, p. 6; COTA Australia, Submission 14, p. 3.

73 Mr Chris Hamill, Submission 8, p. 8.

74 COTA, Australia, Submission 14, p. 5.

75 See, for example: Office of the Australian Information Commissioner, Submission 1, p. 1; Federation of Ethnic Communities' Council Australia, Submission 3, p. 2; Mr Chris Hamill, Submission 8, pp. 3-5; Australian Communications Consumer Action Network, Submission 11, p. 6; COTA Australia, Submission 14, p. 3; Community and Public Sector Union (PSU Group), Submission 16, p. 3.

56

4.66 Submissions identified categories of vulnerable Australians, and the barriers each group faces in interacting with the government on line. The categories identified as vulnerable are older Australians;76 CALD communities77; people with disability;78 people on low incomes;79 rural and remote communities;80 remote and Indigenous communities;81 homeless people;82 and small business.83

4.67 COTA contended that digital inclusion is just as important as privacy and security:

It is just as important (and challenging) to understand and address inclusion as it is to ensure privacy and security when building government digital platforms, service delivery models and business practices. Given that many government programs are specifically targeted to disadvantaged and vulnerable, it is essential that delivery to be fit-for-purpose.84

4.68 The barriers all categories face are a lack of computer literacy, and affordability issues.85 Homeless people and those in rural and remote Australia face the additional barrier of availability of internet access, and network availability and coverage is an issue for those in remote Australia.86 A lack of services have led to poor literacy and access for CALD and Indigenous people.87

76 See, for example: Mr Chris Hamill, Submission 8, p. 1; Australian Communications Consumer Action Network, Submission 11, pp. 45-49; COTA Australia, Submission 14, p. 3.

77 See, for example: SCOA Australia, Submission 2, p. 3; Federation of Ethnic Communities' Councils of Australia, Submission 3, pp. 1-4; Australian Communications Consumer Action Network, Submission 11, pp. 17-26.

78 See, for example: SCOA Australia, Submission 2, p. 3; Mr Chris Hamill, Submission 8, p. 1; Australian Communications Consumer Action Network, Submission 11, pp. 26-33; COTA Australia, Submission 14, p. 9.

79 See, for example: Mr Chris Hamill, Submission 8, p. 1; Australian Communications Consumer Action Network, Submission 11, pp. 33-38; COTA Australia, Submission 14, p. 9.

80 See, for example: SCOA Australia, Submission 2, p. 3; Australian Communications Consumer Action Network, Submission 11, pp. 39-43; Tangentyere Council Aboriginal Corporation, Submission 19, p. 7.

81 See, for example: SCOA Australia, Submission 2; p. 3; Australian Communications Consumer Action Network, Submission 11; pp. 49-56.

82 See, for example: Australian Communications Consumer Action Network, Submission 11, pp. 57-60; Tangentyere Council Aboriginal Corporation, Submission 19, p. 7.

83 Australian Communications Consumer Action Network, Submission 11, pp. 61-68.

84 COTA, Australia, Submission 14, p. 3.

85 Australian Communications Consumer Action Network, Submission 11, p. 13.

86 Australian Communications Consumer Action Network, Submission 11, p. 16.

87 See, for example: SCOA Australia, Submission 2, p. 3; Federation of Ethnic Communities' Councils of Australia, Submission 3, p. 2; Australian Communications Consumer Action Network, Submission 11, pp. 17 and 52.

57

4.69 Older people are reluctant to engage in the online world, having significant concerns with security and privacy.88 COTA observed:

COTA hears from many older Australians that they hold strong belief in the importance of their personal, financial and medical information. Recent research reinforces this with the finding that older people are more likely than younger people to take steps to protect their personal information.

Issue related to privacy and security can create anxiety for many older Australians…To engage this cohort in the transition to digital systems government must actively engender confidence that the systems are safe and information is protected.89

4.70 COTA Australia noted that Australians over age 65 are increasingly vulnerable to scams, particularly those involving the loss of money, as well as an emerging trend of threat-based and impersonation scams representing to be from government agencies.90

The retention of traditional methods of engagement with citizens

4.71 SCOA Australia and COTA noted that government processes must recognise that there will always be Australians who cannot or will not use an automated process to interact with government.91 Mr Hamill advocated the need to maintain traditional methods of service delivery concurrently with digital delivery, on the basis that there are many Australians who cannot or will not engage in digital government for a range of practical reasons.92

4.72 COTA referred to the importance of inclusiveness. It supported the DTA's Digital Service Standard's recognition of the importance of digital inclusion:

The Australian Government has acknowledged the importance of digital inclusion in its Digital Service Standard, stating that the services 'need to ensure they are accessible to all users regardless of their ability and environment'. This high-level principle acknowledges government responsibility to all citizens and recognises it is increasingly evident that digital exclusion can further exacerbate the social and economic exclusion experienced by vulnerable Australians.93

4.73 ACCAN expressed a similar view that:

As traditional points of contact such as shopfronts and call centres give way to the Government's new digital channels, millions of digitally disconnected consumers will need to spend more time engaging with the government -

88 Australian Communications Consumer Action Network, Submission 11; COTA Australia, Submission 14, pp. 3-4.

89 COTA Australia, Submission 14, p. 3.

90 COTA Australia, Submission 14, p. 4.

91 See, for example: SCOA Australia, Submission 2, p. 3, COTA Australia, Submission 14, p. 11.

92 Mr Chris Hamill, Submission 8, p. 1.

93 COTA Australia, Submission 14, p. 7

58

exacerbating their social exclusion and the impacts of Australia's digital divide. Without taking positive action to eliminate barriers to universal digital access, the Australian Government risks alienating millions of vulnerable consumers who are effectively denied the opportunity to engage with crucial services such as healthcare, welfare and social housing - all of which are increasingly mediated by the internet.94

4.74 COTA also recommended the Australian government ensure appropriate, sustainable and adequately resourced legacy systems, including face-to-face, phone and paper based communications at no extra cost to the consumer are in place for people who are unable to access digital services.95 SCOA Australia noted that 86 year old Mrs Smith who has never used a computer must be catered for.96 ACCAN similarly supported the retention of non-digital points of contact until there is universal access to digital technology in Australia,97 as does Mr Hamill, who observed that the non-digital alternatives should not be:

…unreasonably inefficient, slow or unreliable, compared to their digital versions.98

4.75 The CPSU argued that the community choice of service delivery must be mandatory noting that government and agencies maintenance of the option of face-to-face and other delivery methods is 'vital' on the basis that not all members of the community want to, or are equipped to access government services digitally.99 In an answer to a question on notice, Mr Tull, Assistant National Secretary of the CPSU expressed concern that government business processes have been designed to push citizens onto online services:

The role of DHS staff has been changing from helping the most vulnerable and disadvantaged Australians, to implementing business processes that many in the community perceive are designed to make access to financial support from the government as difficult as possible.100

4.76 In its submission, the Tangentyere Council Aboriginal Corporation stated that the transfer from the existing Centrelink portal to myGov needs to be halted:

Future service delivery should not oblige individuals with poor literacy and numeracy; limited English; poor computer literacy; limited access to information technology; and limited internet to access Centrelink services via the internet. Individuals should not be obliged to create email addresses or purchase mobile phones unless they have the capacity to use and

94 Australian Communications Consumer Action Network, Submission 11, p. 6.

95 COTA Australia, Submission 14, p. 11.

96 SCOA Australia, Submission 2, p. 3.

97 Australian Communication Consumer Action Network, Submission 11, p. 5.

98 Mr Chris Hamill, Submission 8, p. 1.

99 Community and Public Sector Union (PSU Group), Submission 16, p. 11.

100 Community and Public Sector Union, answers to questions on notice, 14 March 2018 (received 4 April 2018).

59

maintain these devices and services in a sustainable manner that is not open to exploitation. Centrelink in particular needs to continue to operate Centrelink agencies in remote areas and for language speaking Aboriginal in a manner that is appropriate and accessible…101

4.77 Mr Murphy of DHS advised that the Welfare Payments Infrastructure Transformation program is not exclusively about digital:

We fully recognise that for many people digital is a real, appropriate response but that a number of people, particularly those who are vulnerable, need to continue to have access to the services that the department provides day in and day out. Essentially, what we're also looking to do as part of this program is ensure that the people who need access to our experts, of whom we have many, are able to access those people in a very timely way.102

Website design

4.78 The issue of website design is closely inter-related with the public's expectations of government; that the user as the ultimate arbiter of the success of the new technology must be at the forefront of website design. Many submissions focussed on the confusion and frustration citizens face when they are required to provide the same information to different departments and agencies, all of which have different web designs, some of which are better than others. Submissions focussed on the need for a whole-of-government approach to website design and data collection.

4.79 SCOA Australia observed that, as data is the basis of policy, there must be a consistent approach to its collection, as well as the application of standard definitions:

The data that Government uses should be defined, standardised, retained and maintained of a whole of Government basis by a central agency, most probably the ABS.103

4.80 FECCA advocated the use of consistent icons and layouts across all government websites to enable easier navigation of different agencies' websites by users.104 Mr Hamill recommended that the layout of digital services be designed to resemble the traditional versions consumers are used to, both in terms of style and formats, noting that the less computer literate can become confused if the format deviates from what they are used to.105

4.81 The Commonwealth Ombudsman commented that:

A key lesson from the [DHS Online Compliance Incident - robot-debt] experience is that the design of the online platform may have a significant bearing on the launch of a new process.

101 Tangentyere Council Aboriginal Corporation, Submission 19, p. 11.

102 Mr John Murphy, Deputy Secretary, Department of Human Services, Committee Hansard, 23 March 2018, p. 47.

103 SCOA Australia, Submission 2, p. 2.

104 Federation of Ethnic Communities' Councils of Australia, Submission 3, p. 3.

105 Mr Chris Hamill, Submission 8, p. 3.

60

Seemingly micro-level issues of design may have significant consequences…What icon should be used? Should the phone number appear prominently on each web page? This may determine whether people access help at the critical points or instead give up in frustration...106

4.82 The RACGP noted that standard terminology, including the use of structured data and national interoperable standards are vital to the safe sharing of digital information.107

4.83 In relation to DHS's 'Cuba' child care payments operating system replacement project,108 Ms Bridger, General Manager, Child Support and Redress, DHS, advised that a key lesson learnt by DHS during the project was that users must be very tightly intertwined with not only the program or design, but also the testing, trialling and iteration of any initiative. She further advised that recent experience of having the users involved allowed requirements to be acquitted more quickly.109

4.84 Mr Charles McHardie, Acting Chief Information Officer, DHS advised that DHS had recently established a new position of Chief Citizen Experience Officer to look after design change from the public perspective.110

4.85 The DTA stated that it is developing a whole-of-government design system in collaboration with a community from across the government

The design system works like a catalogue of reusable design components, including code, that can be used freely by agencies.

This brings consistency to the design of government websites and services…This empowers agencies to transform their services efficiently, bringing usability, accessibility and consistency to the forefront.111

Data storage security

4.86 Submissions indicated that data collection and data storage are a very sensitive issue for users, the concerns being demographically based.

4.87 COTA noted that older Australians are concerned about data security where data is held at third party data 'cloud' centres).112 'Cloud' is a term used to describe a global network of servers, each with a unique function. The cloud is not a physical entity. It is a vast network of remote servers around the globe which are hooked together and meant to operate as a single ecosystem. These servers are designed to

106 Commonwealth Ombudsman, Submission 12, p. 3.

107 Royal Australian College of General Practitioners, Submission 15, p. 5.

108 Cuba is discussed further in Chapter 4.

109 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard. 23 March 2018, pp. 29-30.

110 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 31.

111 Digital Transformation Agency, Submission 10, p. 23.

112 COTA, Australia, Submission 14, pp. 3-4.

61

either store and manage data, run applications, or deliver content or a service... Instead of accessing files and data from a local or personal computer, it is accessed online from any internet-capable device—the information will be available anywhere …and anytime it is needed.113

4.88 COTA recommended regular audits to ensure centres meet performance levels relating to security, with all breaches of security being reported to the Australian Parliament and the Australian National Audit Office.114

4.89 FECCA accepted the need to collect data for digital delivery of government services, and encouraged data collectors to use secure storage methods, noting that transparency and accountability will garner further trust.115

4.90 SCOA Australia stated that data should be retained and maintained on a whole-of-government basis by a central agency, but also makes the additional point about the location of cloud storage:

Are Australians concerned about whether their tax data is stored in Canberra or in Dallas?116

4.91 AusAccess advocated that proper protection of data held by the Australian government means cloud computing centres that are for government data only; are within Australian borders; are Australian owned, and staffed by Australians who have a security clearance.117 AusAccess recommended that the decision to grant 'protected status' to a multinational cloud service provider should be elevated to a cabinet or parliamentary level, taking the view that:

The data of Australians held by government should never be subject [emphasis in the original] to the actions of any foreign government.118

4.92 The AIIA noted the complexity and lack of transparency of the Information Security Registered Assessor Program (IRAP) arrangements administered by the ASD. Under the IRAP arrangement, ASD will certify an assessor who, once certified, is qualified to assess the implementation, appropriateness and effectiveness of an organisation's systems and security controls. The AIIA stated:

…current arrangements are complex, time consuming and costly and most critically not transparent or responsive to industry attempts to be more actively engaged in the process. While this has obvious impacts on industry, more importantly, it is inhibiting the operation of an effective and

113 What is the cloud? https://azure.microsoft.com/en-us/overview/what-is-the-cloud/ (accessed 5 June 2018).

114 COTA, Australia, Submission 14, pp. 3-4.

115 Federation of Ethnic Communities' Councils' of Australia, Submission 3, p. 4.

116 SCOA Australia, Submission 2, p. 3.

117 AusAccess, Submission 20, p. 3.

118 AusAccess, Submission 20, pp. 3.

62

competitive cloud market across government and undermining the government's broader procurement agenda.119

4.93 The DTA explained that it is developing a secure cloud strategy to increase government understanding and adoption of cloud services:

The strategy will address a number of areas to encourage government adoption of cloud, such as promoting cloud in a government context, building confidence in compliance and streamlining assurance processes, creating shared capabilities, guiding agencies to transition to the cloud, and working with industry to make cloud offerings more comparable and easier to adopt.120

4.94 In an answer to a question, the ATO has advised that it uses cloud storage, however, the ATO was adamant that it would never put its cloud services in an overseas data centre. The ATO stated that it maintains absolute control over the data centres the cloud services are offered from. The ATO confirmed that its contracting arrangements are that data be physically stored somewhere in Australia.121

4.95 The ATO advised that three of its eight applications are available by cloud and are benefitting from improved availability. The ATO stated that it continues to leverage cloud to improve availability of key applications, and will continue to work with the DTA on future cloud policies of strategies.122

4.96 DHS similarly confirmed that its cloud services are located onshore in Australia:

We as a department are a very small consumer of cloud based services. We have a very large on-premise [storage] in both of our large data centres here in Canberra. All of our customer data is kept on shore in both of those data centres. They are what are known as ASIO T4 accredited data centres, so they can handle data up to the secret national security classification. The only cloud services we are using are some add-ons to assist things such as website representations et cetera. We are not moving any customer data offshore.123

4.97 Mr McHardie further advised that it has embarked on a program to be able to access cloud based services, known as the 'elastic private information cloud' program (EPIC). The program has been established so that DHS can shift load across its low, mid and mainframe platforms in a more dynamic fashion, but also allows DHS to start

119 Australian Information Industry Association, Submission 5, p. 5.

120 Digital Transformation Agency¸ Submission 10, p. 10.

121 Mr John Dardo,, Chief Digital Officer and Deputy Commissioner, Digital Delivery, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 21 March 2018, p. 9.

122 Australian Taxation Office, Submission 9, p. 6.

123 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 27.

63

the work which will enable DHS to access more cloud based services where appropriate:

It may be to use some cloud based storage, because it's very cost effective. But you should only consume it if you've done a proper risk based assessment and you know exactly where that data is going to be stored. The DTA may want to say a bit more about that approach.124

4.98 Mr Peter Alexander, Chief Digital Officer, Digital Division, DTA referred to the security and privacy regime currently in place through both the ASD's Information Security Manual, concerning how data is stored, the Australian privacy principles concerning the storage of people's private and personal data. The obligation imposed by that guidance is that agencies must 'control' the data:

…Control then has implications on knowing where it's stored, not putting it in the cloud, when we're talking about people's individual data. But we also have a set of security requirements.125

4.99 Mr Alexander further advised that the DTA has built a cloud strategy set of principles and policies for what agencies can use cloud, and how they do it. The DTA is also examining whole-of-government hosting. DTA intends to collect data on what departments and agencies are currently doing to obtain an overall picture of Australian government hosting arrangements. The DTA sees great advantages in obtaining cloud technology and public cloud services, but notes those things come with risks around privacy and security.126

124 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 27.

125 Mr Peter Alexander, Chief Digital Officer, Digital Division, Digital Transformation Agency, Committee Hansard, 23 March 2018, pp. 27-28.

126 Mr Peter Alexander, Chief Digital Officer, Digital Division, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 28.

Chapter 5

Whole-of-Government Issues Introduction 5.1 This chapter summarises the evidence received by the committee regarding systemic whole-of-government issues affecting the digital delivery of government services. Submissions have focussed on a number of cultural issues including change, change management and vested interests in the status quo, as well as a lack of strategic focus and leadership. A number of submitters stated that the outsourcing of ICT functions and services has resulted in the Australian Public Service (APS) not being able to develop the requisite IT skills and capability to undertake the digital transformation of government.

5.2 This chapter summarises the evidence with respect to the following issues:

• Leadership and accountability;

• Outsourcing has deskilled the APS;

• Rebuilding skills;

• Procurement; and,

• A common approach.

Leadership and accountability 5.3 Submissions discussed whole-of-government issues relevant to the successful digital transformation of government administration, including a need for leadership at the political level. Submissions also dealt with resistance to change, how the new technologies are changing organisational structures and the decentralisation and diffusion of power within the APS.1

The need for an agreed vision

5.4 In its submission, the Australian Information Industry Association (AIIA) focussed at the parliamentary level, recommending a more bipartisan and strategic approach to building and executing a government digital service agenda. The AIIA stated:

…digital government delivery to date has been hampered and undermined by the absence of an agreed vision and commitment….2

Senior leadership and digital capability

5.5 At the committee's Canberra hearing Mr Martin Stewart-Weeks commented on elements of the senior public sector who were resistant to digital transformation for

1 See, for example: Mr Ian Brightwell, Submission 17; Mr Paul Waller, Researcher, Submission 18.

2 Australian Information Industry Association, Submission 5, p. 5.

66

their own vested interests, and who did not have the 'confidence, capability and mindset' to make the necessary adjustments to the new technology. 3 Mr Stewart-Weeks suggested the possible solution of 'reverse mentoring' as a means of assisting senior public servants make the transition by ensuring senior managers are teamed with one or two people who can provide help and support, or alternatively to find senior people who have been converted to the new technology, or 'get' the new way of working, in order to provide peer support.4

5.6 In a similar vein, Mr Paul Shetler, who appeared in his private capacity, contended that there is a need to embed digital leadership skills at the Deputy Secretary level of the APS, with the focus being on those who may potentially be appointed Secretary of a department or agency—that is, to take an approach similar to the United Kingdom where two boards were created—'technology leaders' and 'digital leaders'—the latter being the more senior.5 The digital leaders were not technology specialists; they were directors-general who were tapped to be the next permanent secretaries. This cohort was tasked with implementing the government's digital agenda, in essence, 'making it happen'. Mr Shetler commented on his experience:

It was highly competitive. As someone who worked for one of them, I can tell you that was tremendously beneficial. It meant that I had a boss who had very much bought into what needed to happen and who did make it happen. I think that kind of push, that very conscious and aware push from the very top levels of the public service, is an absolutely necessary step when you are trying to transform an organisation.6

5.7 On the issue of leadership, Mr Ian Brightwell contended that the APS does not manage expectations by addressing the inevitability that there will be failures as a part of the process of innovation.7 He contended that there needs to be a consensus as to what constitutes 'acceptable failure'. Mr Brightwell observed that the APS can no longer avoid criticism because online ICT program failure is easy to identify and the public can readily see if the delivered system works or not.8

5.8 In reference to the establishment of the United Kingdom's Government Digital Service, Mr Paul Waller, Researcher, that the politics involved in almost saying a project was established on the basis of wrong assumptions is quite a difficult thing to do. He noted that institutionally, there is a huge amount of political capital

3 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 3.

4 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, pp. 7-8.

5 In the UK Civil Service, a director-general (Band 3) in the UK civil service reports to a permanent Secretary, and is the equivalent to a deputy secretary reporting to a departmental secretary in the Australian Public Service.

6 Mr Paul Shetler, Committee Hansard, 23 March 2018, p. 18.

7 Mr Ian Brightwell, Committee Hansard¸ 14 March 2018, p. 8.

8 Mr Ian Brightwell, Submission 17, p. 5.

67

invested in the status quo.9 He also noted the difficulty of breaking out of this collective approach:

…I think there's an international see-who-blinks-first thing here, because everybody has been doing pretty much the same thing, egged on by international benchmarks that have created a reinforcing circle. Breaking out of that, whatever it is, is incredibly difficult.10

5.9 The CPSU stated that a key focus of government should be on fostering an agency and government culture which supports innovation and is willing to take risks. The CPSU suggested there should be a more effective risk framework, which recognises that digital transformation and innovation require the space for adaption and innovation.11

Devolved decision-making

5.10 Mr Stewart-Weeks commented on the organisational changes that are necessary to adopt new technology. He observed that a digitally transformed organisation has a very different conception about where power and authority are distributed in an organisation compared to the public sector. While concurring that the executive of organisations must retain 'exclusive and irreducible accountabilities', but he said that new technologies require new approaches:

My experience has been that some leaders…have done a terrific job of really trying very hard to allow as much of that power and authority back out into the system and allow that digital flexibility and agility to genuinely flourish across their agencies.12

5.11 On this point, Mr Ian Brightwell considered that the APS is unable to convey technical issues at the right level of decision maker, noting that he has observed that a large number of key decisions affecting system reliability and security are often made at a very low technical level without consultation with senior management and without proper consideration of the consequences:

The only real solution is to improve technology governance and introduce methodologies which ensure decisions are made in accordance with agency policies. This is not easy and requires a lot of education and cultural change.13

Outsourcing has deskilled the APS 5.12 Submissions contended that APS contracting with private sector vendors for the provision of ICT hardware and services in recent years has left the APS without

9 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, p. 4.

10 Mr Paul Waller, Researcher, Committee Hansard, 14 March 2018, p. 4.

11 Commonwealth Public Sector Union, Submission 16, pp. 11-12.

12 Mr Martin Stewart-Weeks, private citizen, Committee Hansard, 23 March 2018, p. 3.

13 Mr Ian Brightwell, Submission 17, p. 7.

68

capabilities and capacity.14 Other submissions observed that the result of this is that digital delivery in the APS lacks a strategic focus, and opportunities have been subsumed in budget cost-savings measures.15

The skills shortage

5.13 Dr Nick Tate, Vice President, Membership Boards, Australian Computer Society (ACS), noted a Deloitte Access Economics report which identified a substantial shortage of skilled ICT professionals, including IT project managers across the marketplace.16

5.14 The AIIA reported that over the last number of years it has raised concerns about the deepening skills shortage both the ICT sector generally and in government sector. While noting some agencies are now addressing the issue, AIIA stated that:

...that generally government has been slow to address inherent skills issues across government in areas such as procurement, agile methods, cloud computing and data analytics. This has undoubtedly impacted how some initiatives have been executed, the cost, quality and reliability of some solutions and the pace of digital take-up across government.17

5.15 SCOA Australia also expressed concern that the APS's capability and expertise have been eroded by outsourcing.18 SCOA Australia noted that most digital delivery of Australian government services is now dependent on companies headquartered in other countries.19

5.16 Mr Osmond Chiu, Policy and Research Officer, CPSU, stated that 'outsourcing has driven deskilling' in the APS.20 He identified two reasons for the deskilling:

There are two primary reasons for these problems with government ICT at a Commonwealth level: that outsourcing and contracting out have left the APS overly reliant on external vendors and contractors, which has created critical issues with capability and cost; and that the implementation of previous ICT reviews and strategies has been focused on achieving savings, and the opportunities for strategic reform have been missed.21

14 See, for example: Community and Public Sector Union, Submission 16; Mr Paul Shetler, Submission 26.

15 See, for example: SCOA Australia, Submission 2.

16 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society, Committee Hansard, 14 March 2018, p. 34.

17 Australian Information Industry Association, Submission 5, pp. 4-5.

18 SCOA Australia, Submission 2, p. 1-2.

19 SCOA Australia, Submission 2, p. 2.

20 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 1.

21 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 11.

69

The generalist manager

5.17 SCOA Australia also noted the correlation between limited ICT knowledge and experience available internally to government departments and outsourcing, noting that the circumstance mirrored the rise of the generalist manager.22 The generalist manager meant less focus on the need for knowledge and experience of the 'business' of the department:

So, many government departments are now faced with significant ICT operations and/or new projects with limited subject matter knowledge and experience for the task of specifying requirements, limited ICT knowledge and experience for appropriate involvement in ICT design and development and little ability to test the developed product adequately or to manage the contracts regulating the projects.23

5.18 Mr Ian Brightwell observed that most of the problems facing the APS with respect to the digital delivery of government services result from poor ICT governance.24 He attributed this circumstance to public servants typically being generalists:

I think one of the problems is that, unfortunately, the people who are often given project and program manager roles in these capacities don't have the background but are at the right level, and it's seen as an appropriate job. I think, generally, the people who have got the skills are, like a lot of people in the IT industry, often moving from program to program and project to project.25

Cost-saving policy leads to deskilling

5.19 In its submission, the CPSU emphasised the extent to which the APS is reliant on external vendors and contracts, noting that, as of 2017, the APS employed more than 14 000 ICT personnel, one third of whom were contractors. The CPSU referred to the Australian Public Service Commission's (APSC) State of the Service Report of 2012-13, which found that 47 per cent of agencies reported having skills shortages in ICT procurement, while 69 per cent of agencies reported having an overall ICT skills shortage.26

5.20 Mr Paul Shetler, former CEO of the DTO concurred with the CPSU:

In my time at DTO I saw dedicated public servants doing their very best to help Australians but often failing because of its shortage of digital skills. Instead of providing digital training to public servants, too often we've outsourced IT to large international technology vendors and consultants.

22 SCOA Australia, Submission 2, pp. 1-2.

23 SCOA Australia, Submission 2, p. 2.

24 Mr Ian Brightwell, Committee Hansard, 14 March 2018, p. 6.

25 Mr Ian Brightwell, Committee Hansard, 14 March 2018, p. 7.

26 Commonwealth Public Sector Union, Submission 16, p. 5.

70

Outsourcing makes the government seem smaller, but it is expensive and it contributes further to de-skilling the Public Service.27

5.21 SCOA Australia further observed that where outsourcing was initially introduced as both a savings measure, and as a means of capturing specialist ICT knowledge from third party ICT contractors, SCOA Australia contended that those policies are now impeding the capacity of the APS to deliver digital transformation.28 SCOA Australia stated:

During the past twenty five years successive governments at both Commonwealth and State/Territory level have pursued outsourcing of both ICT infrastructure and the development of new ICT applications supporting the delivery of government services. This outsourcing has been undertaken to reduce expenditure required for ICT services, yet the actual cost of government ICT has increased dramatically…29

Rebuilding skills 5.22 Submissions discussed the economic impact of the ICT skills shortage within the Australian economy, and the need for government to address the ICT skills shortage within the APS. Submissions suggested the need to create an ICT profession within the APS, and to establish a project management capability.30

An APS ICT digital profession

5.23 Mr Chiu of the CPSU considered that the lack of skills in the APS was due to the absence of a digital profession in the APS:

Developing an APS digital profession and having a taxonomy of roles might be helpful for developing that internal capacity. I think there's often a misunderstanding of what digital is; thinking it's more about ICT systems themselves, or websites, rather than seeing digital skills as something that should be throughout the APS.31

5.24 Mr Chiu agreed with the proposition that it would be worth examining an approach to an APS ICT capability in the context of a whole-of-government central function that would operate across multiple levels of government and multiple

27 Mr Paul Shetler, Committee Hansard. 14 March 2018, p. 16.

28 SCOA Australia, Submission 2, p. 1; See also, Community and Public Sector Union, Submission 16, pp. 5-9.

29 SCOA Australia, Submission 2, p. 1. See also: Community and Public Sector, Submission 16, pp. 5-8.

30 See, for example: Community and Public Sector Union, Submission 16; Mr Paul Shetler, Submission 26.

31 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, pp. 14-15.

71

departments in order to retain the frequency and scope of the application of qualifications so that competencies can be both attained and sustained.32

5.25 Dr Tate of the ACS observed that government departments need to take responsibility for the development of the ICT skills base in government. He noted that the Australian economy will need about 81 000 new IT professionals by 2022:

The Australian government can help fill that gap with internal training and reskilling programs which would have additional downstream economic benefits for Australia. It would also enable government to take ownership of its future development road map, rather than relying on external sources for expertise. There are, in our view, real benefits to tackling these issues and accelerating the digital delivery of government services. 33

5.26 Mr Paul Shetler contended that outsourcing IT to large international technology vendors and consultants was at the expense of digital training for public servants.34 He said that for Australia to grow its presence in the worldwide digital economy, it needs to build a digital workforce:

One of the things we saw in the UK, for instance…when we were transforming the British government there we were also building up a huge cadre of digital professionals all throughout the London area who wound up in a number of other firms and businesses and so on and so forth. Now London is one of the digital capitals in the world. To a large extent that is a result of the hard work that was done by GDS and all the British government departments. You are talking about tens of thousands of professionals going through there, learning best practice and then going back out to industry. It's definitely one of the things we had in mind. It's a very virtuous side-effect of fixing government services. Government, after all, is the largest single customer in Australia.35

5.27 DHS advised that over the past five years it has established a highly skilled workforce, with a large in-house ICT capability that is proficient across a large range of technologies covering both infrastructure and architecture. DHS acknowledged the ongoing challenges of retaining a skilled workforce.36

Building digital competence

5.28 Mr Shetler recommended a whole-of-government, and even across levels of government, approach to developing digital competence. He suggested the formal professional training and accreditation of IT staff drawing from people already in the ranks who understand why they are working in the public service, and who actually

32 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 15.

33 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society, Committee Hansard, 14 March 2018. p. 31

34 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 16.

35 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 17.

36 Department of Human Services, Submission 13, p. 32.

72

have a mission for what they are doing. He said the training must be coupled with practice, otherwise people forget it quite quickly.37 Mr Shetler agreed with the suggestion that an ability to pool ICT staff together across government would be a means of addressing the scarcity of skilled ICT staff:

[The DTO] had proposed some similar ideas in terms of—I don't want to use the term 'hit squad'—basically tiger teams, who, from a centralised level, help out troubled projects and so on and so forth, because in point of fact for some of the bigger stuff that you are dealing with, I agree with you, there is not necessarily going to be enough going on at any one area to keep people fresh, and those people should be able to be used across government.38

5.29 Dr Tate discussed work undertaken to develop an ICT competency framework, and in particular the UK 'Skills Framework for the Information Age' (SFIA), which allows departments to determine where a person sits within a whole range of skills and competencies.39

5.30 On the issue of skills and competence, Mr Ian Brightwell agreed with the proposition that the APS should adopt an approach that the exercise of delegated authority should be tied to task-specific competencies:

I think the senator was quite right in saying that you have to look at the competencies that are required for each job. You're handing out jobs that have very high price tags for failure and high risk profiles—and, you know, you wouldn't have brain surgery done by an intern. We're kind of doing that to some extent when we hand out the jobs for some of these big systems. If you look at the competencies of the people who are often given these jobs, they don't have the skill set or any reasonable grounds to claim it.40

Project management capability

5.31 Mr Mark Langley, President and Chief Executive Officer, Project Management Institute commented on the need for organisations to develop a culture of project management as an enabler to high agility, and with the competence and ability to select the right method for the right project.41 He continued:

It's the formality with which they use project management practices. That includes areas such as establishing a formal documented career path in the organisation. In the case of the public sector, it could be in a departmental or agency level, but more recently we've seen it implemented across federal government by requirement, including legislation. As an example, in the

37 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 21.

38 Mr Paul Shetler, Committee Hansard, 14 March 2018, pp. 21-22.

39 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society, Committee Hansard , 14 March 2018, p. 35.

40 Mr Ian Brightwell, Committee Hansard. 14 March 2018, p. 7.

41 Mr Mark Langley, President and Chief Executive Officer, Project Management Institute, Committee Hansard, 14 March 2018, p. 26.

73

United States the PMIA Act is a recent act signed by Obama in 2016. But it's implementing a formal career path for project and program managers. It's having standardisation across government with the methods they use such that, as government employees move around in departments and agencies, they're all using the same approach, so they have a common language and framework to implement projects and programs. It takes out some of the variability and, again, focuses on excellence as a requirement rather than leaving it as optional for departments and agencies to implement.42

5.32 Mr Langley noted the need for accountability in project management, and engaged executive sponsorship:

…there's someone identified as an executive owner responsible for project management policy and strategy within a department or agency, and they further establish a cross-agency or - department knowledge-sharing program. They come together as some part of a council or some other formal structure and they share knowledge about what works and doesn't work in government so that they can bring it back to the individual departments and agencies.43

5.33 Mr Langley confirmed that Australia lags behind in formalised project management strategies and techniques within organisations:

…in many areas, Australia does lag … around the formalisation of project and program management. There's statistically less focus on training in those skills areas that I mentioned—leadership, strategic and business management and technical skills. They're less likely to have formal career paths for project and program managers in Australia. There's less focus on benefits realisation. To the interest of public sector projects and value for money, it's essential that we identify the benefits and have formal benefits realisation management procedures in place. In all those areas, Australia does lag the global average.44

5.34 Mr Brightwell noted that there is a need for some more flexibility to insert people at the deputy secretary or assistant secretary level in a two- or three-year program to deliver outcomes and for them to be fully integrated into the government department.45 He also agreed that those put in charge of ICT projects must remain with the project for the duration:

42 Mr Mark Langley, President and Chief Executive Officer, Project Management Institute, Committee Hansard, 14 March 2018, p. 27.

43 Mr Mark Langley, President and Chief Executive Officer, Project Management Institute, Committee Hansard, 14 March 2018, p. 27.

44 Mr Mark Langley, President and Chief Executive Officer, Project Management Institute, Committee Hansard, 14 March 2018, p. 29.

45 Mr Ian Brightwell, Committee Hansard, 14 March 2018, p. 7.

74

That's another problem. Classically, these people we're talking about will do two years. Halfway through the project they move, then you get another one, and then you get another one, because of normal career progression.46

Current initiatives

5.35 The ATO advised that it is developing a Staff Digital Capability Strategy to ensure its staff are equipped to support the delivery of digital services. The strategy includes embedding the European Commission Digital Competence Framework (DigComp) into the ATO's core capabilities as well as refreshing the existing capability framework to reflect contemporary requirements. DigComp is a tool to support a common understanding of digital competences and to enable people to develop digital competences to support their life chances and employability.47

5.36 The DTA advised that it is working with the APSC to raise digital capability across the APS through the Building Digital Capability Program.48 Mr Peter Alexander, Chief Digital Officer, DTA, advised that the DTA is working with the APSC in the Building Digital Capability program to establish:

… primarily two things: (1) a set of learning design standards for the digital transformation of government, which will then be shared, published and available to service providers to assist government and sell training and development services to agencies to meet their needs; (2) leadership transformation, building educative material for senior executives through the various cohorts the APSC train, from secretaries down, as to the various digital skills they need to operate in this world.49

5.37 Of the Building Digital Capability program, Mr Randall Brugeaud, Acting Chief Executive Officer, DTA stated:

…the capability-building initiative that is being coordinated through the DTA working with a number of agencies in government looking to engage more broadly with government executives in thinking about transformation. That involves not just technical folks, but policy as well. It is thinking about how we work in providing education to the most senior executive in government. That is something that is being done now that will support that initiative.50

46 Mr Ian Brightwell, Committee Hansard, 14 March 2018, p. 7.

47 Australian Taxation Office, Submission 9, p. 19; European Digital Competence Framework for Citizens (DigComp) http://ec.europa.eu/social/main.jsp?catId=1315&langId=en (accessed on 1 May 2018).

48 Digital Transformation Agency, Submission 10, p. 22.

49 Mr Peter Alexander, Chief Digital Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, pp. 10-11.

50 Mr Randall Brugeaud, Acting Chief Executive Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 3.

75

Procurement 5.38 Submissions raised the need for a whole-of government approach to procurement, including the requirement for more flexible funding arrangements, such as experimental prototype funding schemes, and a mechanism to enable the development of common platforms that can be used across all levels of government.51

Whole of government

5.39 DHS advised that it is working with the DTA in relation to

whole-of-government ICT procurement and is supporting the use of the DTA's Digital Marketplace.52

5.40 The ATO advised that it utilises the mandated whole-of-government coordinated procurement arrangements put in place by the Department of Finance, and administered by the DTA. The ATO stated that where these arrangements have not met ATO requirements or direction for its ICT sourcing strategy, the ATO has sought the necessary exemptions from the arrangements.53

5.41 ACCAN recommended a whole-of-government procurement policy for accessible ICT products and services. ACCAN stated that, in alliance with Australian disability organisations:

[it had been] calling for increased awareness across all levels of government of the important role publicly funded procurement of accessible ICT has in provide greater access and inclusion for many Australians with disability.54

Procurement expertise within the APS

5.42 Mr Chiu of the CPSU observed that outsourcing had resulted in the loss of internal knowledge within the APS about what they need to do, and often, not having those internal critical skills to understand what they need for the outcomes they seek.55 Mr Chiu, noted that breaking up and outsourcing service provision can result in a lack of understanding, with the result that if a government is solely a procurer of services it may often not have an understanding of how a process works in practice which can lead to further problems down the line.56

5.43 In relation to the 2016 census failure, Mr Chiu put forward his view that the ABS did not have the internal expertise to assess the quality or suitability of the

51 See, for example: Mr Paul Shetler, Submission 26; Australian Communications Consumer Action Network, Submission 11.

52 Department of Human Services, Submission 13, p. 31.

53 Australian Taxation Office, Submission 9, p. 22.

54 Australian Communication Consumer Action Network, Submission 11, ICT Procurement Taskforce Consultation, 31 January 2017, p. 3.

55 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, pp. 14-15.

56 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 15.

76

advice and products from their external supplier.57 More recently, the 2017 report of the ICT Procurement Taskforce identified that the capability and capacity issues in the APS included a lack of technical ICT capability in the market analysis required to articulate the requirements and sort and assess the potential solutions on offer.

Decision-making was often resting with individuals without technical expertise, and there was an inability to adapt as technology or circumstances changed.58

5.44 ACCAN recommended accessibility awareness training for all Government Procurement Officers and CIOs, stating that the training needs to include capability for implementing accessibility guidelines in all appropriate standards and policies.59 ACCAN referred to the 'current culture of government procurement', saying:

ACCAN understands the lack of awareness within government procurement of ICT about the inherent value of accessibility and usability of ICT products and services limits innovation while increasing risk.60

Access to tendering process in procurement

5.45 Dr Tate of the ACS observed that the government is the single biggest purchaser of IT equipment in Australia and has a role in making it easier for small and medium enterprises (SMEs) to access government contracts. He observed:

Procurement officers within government departments have a tendency to play it too safe when purchasing, relying too much on a handful of major international suppliers. This has hurt the local economy and missed an opportunity to use that purchasing power to give local businesses a head start which would help supercharge the Australian IT economy. What's more, this would provide access to new and innovative technology in government applications developed by start-ups and smaller players.61

5.46 Dr Tate stated that a reason SMEs may not participate in government procurement has more to do with government departments or agencies asking for very substantial risk mitigation of liability by insurance, rather than any frustration with the government procurement processes. He noted that some SMEs are not in a position to provide that level of warranty or assurance.62

57 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 12.

58 Mr Osmond Chiu, Policy and Research Officer, Community and Public Sector Union, Committee Hansard, 14 March 2018, p. 12.

59 Australian Communication Consumer Action Network, Submission 11, covering letter, and ICT Procurement Task Force Consultation, p. 3.

60 Australian Communications Consumer Action Network, Submission 11, and ICT Procurement Task Force Consultation p. 6.

61 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society, Committee Hansard, 14 March 2018, p. 31.

62 Dr Nick Tate, Vice-President, Membership Boards, Australian Computer Society, Committee Hansard, 14 March 2018, p. 33.

77

5.47 Mr Paul Shetler made a similar point:

Government agencies should adopt the methods of Australian start-ups to deliver better user facing services at lower cost. Where contracting is appropriate, we should reduce the barriers to entry in government procurement that currently give international corporate giants an advantage over smaller, more-agile Australian firms.63

The 'undigital' nature of current procurement methodologies

5.48 Mr Martin Stewart-Weeks commented that traditional procurement mechanisms tend to be somewhat more inflexible, and that the public procurement process 'can be about as "undigital" as you could possibly hope for'.64 Mr Stewart-Weeks continued that SMEs find themselves 'stymied occasionally' by procurement processes that have not kept pace with developments.65 Mr Stewart-Weeks further observed that the senior leaders:

…get seriously tangled in some of the constraints and provisions that they've got to navigate in order to make this world work. I mentioned earlier the procurement game, which of course is the one that often seems to rear its head so quickly. I think sometimes they just despair in being able to get some of this new digital mindset going because it just doesn't seem to fit very well with the system. Often they are obliged to comply with legislation and regulations.66

5.49 Mr Shetler considered the business case approach to funding does 'not handle "agile" very well'. Instead, he advocated a prototype model of 'drip-feed' funding. Mr Shetler noted that the traditional budget approach to new projects pre-supposes a clear understanding of the requirements for the business case. He explained that this approach does not allow for shifting assumptions for digital projects where you may what outcome you are seeking, but you do not necessarily know the best ways of getting to that outcome:

So we've always felt that it's really a much better idea to go for more of a drip-feed kind of approach where you can say: 'Yes, I have this idea. I think it should be really great. Let's test this out.' 'Great, here's a small amount of money. Come back with a prototype and show us what it would look like.' bit more. We'll give you a bit more money.' Fund it that way so you're not funding something which is a fantasy which will end in tears.67

DTA response

5.50 Dr Anthony Vlasic, Chief Procurement Officer, DTA that the DTA has put in place a framework to address SMEs tendering for government contracts. Dr Vlasic

63 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 16.

64 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 2

65 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 2.

66 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p.3.

67 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 22.

78

advised that the framework includes a number of policies, including the Fair Criteria Policy, the intent of which is to address how you make the process fair.68

Our view is that a combination of the Fair Criteria Policy, the Consider First Policy, which we're also thinking about, the Portfolio Panels Policy, which we're doing a review of, along with things like the digital marketplace, reviewing how we do panels, will make a big difference to the SME market.69

5.51 Dr Vlasic further advised that the DTA is addressing the circumstances of SMEs by articulating the 15 capabilities that it considers the Commonwealth needs for procurement, one of which is simpler engagement. Of the 15 capabilities, Dr Vlasic stated:

The best way to describe it is there are five categories. There's one for the suppliers, one for the buyers, one for the contracts per se, one for process and one for people. You need to do all these things at the same time to make some real progress.70

A common approach

Platforms

5.52 The DTA stated that it is coordinating work on a number of

whole-of-government platforms that will assist agencies deliver services:

A digital platform is a system…that provides functionality multiple agencies can use to deliver services to users. Any one service experienced by users might draw on multiple platforms, each delivering a different function.

Common platforms can be used and reused by an agency to ease their digital workload… Agencies won't have to reinvent the wheel every time they need to deliver a new service, and the government doesn't have to support and maintain a multitude of systems that all essentially do the same job.71

5.53 Mr Peter Alexander, Chief Digital Officer, DTA, advised that it is developing a platform strategy which will set out some whole-of-government platforms and capabilities which agencies would use for delivering a number of services.

For example, with identity, there is the Tell Us Once capability—if someone changes address or someone dies and we want to share a notification. They tell the government once that that has happened and we

68 Dr Anthony Vlasic, Chief Procurement Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 7.

69 Dr Anthony Vlasic, Chief Procurement Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 7.

70 Dr Anthony Vlasic, Chief Procurement Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 7.

71 Digital Transformation Agency, Submission 10, p. 5.

79

share a notification—or payments. There'll be platforms where we do that. If your question is: if an agency is running a mainframe to deliver a particular type of service, and another agency that interacts with them is running another type of technology—x86 or a different type of infrastructure—do we say that they have to run the same? No, but what we say is they have to interoperate, and there has to be standardisation. We build to open standards so we can interoperate—share data in the systems. Could one agency run a mainframe for all agencies? That's something that would be explored in that platform strategy.72

5.54 Mr Brightwell agreed with the recent Digital Transformation Agency (DTA) ICT report on procurement regarding the need to better exploit the use of ICT platforms across government agencies, but observed that these recommendations may not be easy to implement.73 Mr Brightwell considered the approach that would be of greatest benefit to the Australian economy is for the Commonwealth to examine the viability of providing or facilitating the provision of ICT platforms which can be used at all levels of government.74

5.55 Mr Brightwell suggested a governance mechanism to facilitate the use of ICT platforms across all levels of government. He cited the PSMA Australia Limited as an example of a governance structure that facilitates broad and sustainable access to high-quality location data.75 PSMA is an unlisted public company owned by Australia's state and territory and federal governments—its shareholders are the various treasuries; with minsters appointing company directors. The directors largely represent the constituency of users. Mr Brightwell suggested the model could be applied on on an instance by instance basis, or an industry by industry basis, by identifying the stakeholders with common interests.76

Common activities need a common approach

5.56 Mr Paul Shetler stated that there are some activities that are undertaken across the whole of government that are best addressed by taking a common approach, including the activities of payments, notification services, and publishing. He observed that it makes no sense for government to have many different ways of delivering, for example, payments. He said that while actual delivery of a service must be undertaken by the relevant department, it is delivered on behalf of one government and there is a need for consistency in how things are done:

I've always thought that, the more you deal with direct end-user-facing things that should be devolved to the departments that are dealing with it as it is today—it makes complete sense. But they need to be supported by

72 Mr Peter Alexander, Chief Digital Officer, Digital Transformation Agency, Committee Hansard, 7 May 2018, p. 8.

73 Mr Ian Brightwell, Submission 17, p. 8.

74 Mr Ian Brightwell, Submission 17, p. 9.

75 Mr Ian Brightwell, Submission 17, p. 9.

76 Mr Ian Brightwell, Committee Hansard, 14 March 2018, p. 10.

80

common standards, common patterns, common templates and common platforms that allow them to do their work in a consistent way so that, when citizens deal with an agency here or an agency there, it is not like they are dealing with completely different things. It is government to them. It's one thing and it works in the same way.77

77 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 18.

Chapter 6 Case Studies

Introduction 6.1 This chapter addresses the circumstances of four quite different case studies to provide a practical insight into the nature of the issues and challenges posed by the digital transformation of government services and administration.

6.2 Each of the case studies is intended to showcase issues arising with different aspects of digital transformation. The case studies are:

• The Australian Taxation Office unplanned systems outages of the Storage

Area Network in 2016 and 2017. This case study explores questions of risk sharing in contractual arrangements for business as usual ICT infrastructure.

• The Department of Human Services' replacement of the child support

payments computer system, Cuba. This case study explores the challenges of replacing legacy infrastructure.

• The controversy caused by the automated Online Compliance Intervention

letters issued to welfare recipients also known as "robo-debt". This case study explores problems arising from failures at a policy design and selection stage.

• The Welfare Payments Infrastructure Transformation (WPIT) project to

replace Centrelink's aging ISIS computer operating system for welfare payments. This case study explores new, more sophisticated contractual arrangements for sharing risk with commercial partners and delivering value for taxpayers.

6.3 The committee has expressed views about the circumstances of each of the case studies below. The committee's conclusions about broader systemic implications of the case studies, however, are included in the committee’s views in chapter 1.

Australian Taxation Office—Unplanned Systems Outages1 6.4 In December 2016, and throughout 2017, the Australian Taxation Office (ATO) experienced a series of 'unplanned systems outages' due to hardware failure of its Storage Area Network (SAN). These outages were reported as having a significant effect on the ability of the public and tax professionals to engage with the ATO. A summary of the outages can be found below in Table 4.1:

1 The main source for this case study is drawn from an Australian Taxation Office report into the incident: Australian Taxation Office, 'What happened and why: Australian Taxation Office', 21 December 2016, ATO Systems Report, June 2017, available at https://www.ato.gov.au/About-ATO/Access,-accountability-and-reporting/in-detail/ATO-systems-report/ (accessed on 15 March 2018).

82

Table 4.1: A summary of the ATO's unplanned outages during 2016-2017.

Start date of the system

outage

Duration of the

outage

Services affected Cause of the outage and delay to restore services

12 Dec 2016 10 days All ATO systems

Storage area network hardware failure. Inadequate monitoring. Recovery tools stored on failed

storage area network.

2 Feb 2017 5 days All ATO systems,

website running

intermittently

Incorrect storage hardware installation.

22 Jun 2017 3 hours All ATO systems

Hardware failure on a server, leading to Active Directory domain controller failure.

5 Jul 2017 5 hours All ATO systems

Applications running incorrectly.

25 Sep 2017 6 hours All ATO systems,

website running

intermittently

Applications running incorrectly.

Background

6.5 In 2010, the ATO had signed a five-year contract with Hewlett Packard Enterprises (HPE) (now rebranded DXC) to provide centralised computing services, with a commencement date of July 2013.2 In July 2017, the ATO provided a brief description of the ICT services that were contracted:

In December 2010 we signed a five-year contract with HPE for Centralised Computing (CC) services. After a stabilisation period to ensure the proper transition from an earlier arrangement, the five-year contract term commenced in July 2013. The scope of the CC services offered to the ATO includes our large processing systems (systems of record), systems of client engagement (portals), data warehouse and internet gateway services.

At the beginning of 2015, a sourcing, design and implementation process commenced in relation to the ATO's storage area network (SAN) solution. HPE recommended the installation of a state-of-the-art HPE 3PAR SAN to

2 Mr Ramez Katf, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 14.

83

replace the existing EMC Corporation SAN. This was on the basis that the 3PAR solution created a more flexible storage environment that would better optimise costs was supported by HPE operating procedures and technical expertise.

This was agreed to by us, and the installation of the new 3PAR SAN was completed in November 2015.

We engaged HPE to provide turn-key IT solutions, whereby HPE designs, owns and operates computing infrastructure and provides services to the required ATO standard. Under this turn-key operation, ATO IT staff have no direct access to the SAN technology operated by HPE. Instead, we rely upon HPE to provide a full service. To enhance and coordinate the work of our IT contractors, the ATO also contracted with Leidos Holdings, Inc. (Leidos) as service integrator. Leidos operates a virtual dashboard over myriad ATO IT systems, and provides a problem management process should issues arise with parts of our IT infrastructure.3

6.6 Analysis of the centralised computing network data for the six months preceding the initial incident in December 2016 indicated a number of potential issues. From May 2016, at least 77 events relating to infrastructure components that were later found to have failed in the December 2016 incident were logged in the Leidos' incident reporting mechanism. In addition, at least 159 alerts were recorded in monitoring and management logs.4

6.7 Many of the system outages arose primarily because of failures in the centralised computing services provided by HPE/DXC. The design and build of the centralised computing network emphasised performance over other critical factors such as system stability, resilience and cost, with the result that there was insufficient resilience. Furthermore, the recovery process was extended as the tools required to restore ATO services were stored in the failed SAN, and were therefore inaccessible because they were dependent upon access to the failed SAN.5

6.8 Another significant factor was the failure in communication between the ICT provider (HPE/DXC and Leidos) and the vendor (ATO). It is not clear from the ATO report whether responsibility to inform the ATO of the infrastructure issues rested with HPE or Leidos. It is clear however that the ATO was not made fully aware of the

3 Australian Taxation Office, 'What happened and why: Australian Taxation Office', 21 December 2016, ATO Systems Report, June 2017, p. 2; available at https://www.ato.gov.au/About-ATO/Access,-accountability-and-reporting/in-detail/ATO-systems-report/ (accessed on 15 March 2018).

4 Australian Taxation Office, 'What happened and why: Australian Taxation Office', 21 December 2016, ATO Systems Report, June 2017, p. 2; available at https://www.ato.gov.au/About-ATO/Access,-accountability-and-reporting/in-detail/ATO-systems-report/ (accessed on 15 March 2018).

5 Australian Taxation Office, 'What happened and why: Australian Taxation Office', 21 December 2016, ATO Systems Report, June 2017, p. 3; available at https://www.ato.gov.au/About-ATO/Access,-accountability-and-reporting/in-detail/ATO-systems-report/ (accessed on 15 March 2018).

84

significance of the continuing trend of alerts, nor the broader systems impacts that would result from the failure of the system.

6.9 The Australian National Audit Office review of the ATO unplanned outages found that the ATO's response to the unscheduled outages found inadequacies in business continuity management planning relating to critical infrastructure.6 An independent review by PwC has found that the ATO had failed to plan for an incident of the nature and scale of that which the ATO experienced. Moreover, a level of risk continued to exist due to the absence of definitive evidence on the conditions that led to the technical failures in the first place. Investigations of the root causes of the technical failures are still yet to be completed by the service provider.7

DTA's response

6.10 Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency (DTA), advised the committee that the DTA had no involvement in the ATO outages of December 2016 and February 2017, on the basis that the DTA does not have oversight of operational processes; and that the issue was an agency responsibility.8 Mr Ramez Katf, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, ATO, advised the committee that he had briefed Mr Gavin Slater, Chief Executive Officer of the DTA after Mr Slater joined the DTA in June 2017, after the two outages had occurred.9

The outage

6.11 Mr Katf confirmed that the SAN outage was caused by a fault in the fibre optic cabling, said to be an 'unprecedented event'. He advised that the faulty hardware was less than one year old. Mr Katf told the committee that it was highly reputable technology provided by a highly reputable provider with whom the ATO has a long standing relationship.10

6.12 Mr Katf confirmed that the system lacked resilience, and agreed with the proposition that the outage implied a single point of failure. Mr Katf stated that in

6 Unscheduled Taxation System Outages: Australian National Audit Office, available at https://www.anao.gov.au/work/performance-audit/unscheduled-taxation-system-outages (accessed on 16 March 2018).

7 Australian Taxation Office PwC Report, executive summary, pp. i-iii. available at https://www.ato.gov.au/uploadedFiles/Content/CR/downloads/pwc_post_incident-report.PDF accessed on 21 March 2018),

8 Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment and Management Office, Digital Transformation Agency, Committee Hansard, 23 March 2018, pp. 18-19.

9 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, correction of Committee Hansard, 23 March 2018, p. 19, received 17 April 2018.

10 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p 10.

85

developing the infrastructure the ATO believed resilience capability had been built into the technology. He advised that the construct taken in relation to the piece of hardware that failed due to multiple failures within the system, which impacted on all the ATO systems, noting that the 'resilience factor was, in fact, built in, but failed'.11

6.13 Mr Katf stated that he had not yet received a definitive answer as to the cause of the failure.12

Overview of the ICT purchasing decision

6.14 Mr John Dardo, Chief Digital Officer and Deputy Commissioner, Digital Delivery, Enterprise Solutions and Technology, advised that the initial procurement decision was to purchase ICT equipment, services or capability without having to design from the ground or build the system themselves:

We didn't want to build the telephony infrastructure, the network or the data centre. We didn't know how to build a data centre. It was about using industry expertise with leadership from within the office.13

6.15 The ATO advised that decisions concerning the sourcing of the ICT infrastructure were managed internally. Strategic advice was obtained from external experts, which were factored into the approach to market. All key decisions including the procurement approach, evaluation outcomes and contract execution were the responsibility of the ATO.14

6.16 The ATO further advised that the ICT Sourcing Program was itself managed primarily by ATO employees, supported by external engagements for specialist advisor expertise. The objective being to maximise the use of appropriately skilled internal resources, supplemented by external resources where necessary. The ATO does not retain the specialist adviser skill set as an enduring capability due to the potentially long periods between utilising these skills, whereas ongoing ATO employees are utilised in the governance and management areas.15

6.17 Mr Katf advised that for the architecture components the ATO service providers would undertake the primary design capability and the ATO would provide

11 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, pp. 12-13.

12 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, pp. 12-13.

13 Mr John Dardo, Chief Digital Officer and Deputy Commissioner, Digital Delivery, Enterprise Solutions and Technology, Australian Taxation Officer, Committee Hansard, 23 March 2018, p. 11.

14 Australian Taxation Office, answers to written question on notice from Hansard on 23 March 2018, received 18 April 2018.

15 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, answers to written question on notice from Hansard on 23 March 2018, received 18 April 2018.

86

assurance, review, design and sign-off of those items.16 Mr Katf further advised that the ATO has approximately 200 IT staff whose job is to make sure the ATO has an integrated design that goes from the end-user right down to the technology componentry. 17

6.18 Mr Dardo said that the broad suite of performance evidence in the ATO suggested that the ATO got the balance right between internal and external expertise in its approach to the ICT sourcing task.18 Mr Katf observed that it was not unusual to engage external advises to provide technical capability, but agreed that the danger is in the balance between ATO staff and external consultants:

I am very confident at the moment. We tend to bring in advisers—but, as you said, on short, sharp capabilities—to provide us with advice, but we supplement that with our own people to traverse the questions and to make sure that we maintain that capability in-house.19

6.19 In response to a recommendation of the ATO system report to enhance the ATO's IT capability pertaining to infrastructure design and implementation planning, Mr Katf advised that a new team has been established to strengthen the infrastructure and design capability, and actions have already been taken to improve the ATO's governance and design capabilities. A skills gap analysis has been undertaken and identified further recruitment requirements. To augment the existing capability, the ATO has engaged an external consultancy for the period from April to June 2018, four external contractors for the period from February to June 2018, and eight APS staff for the period from February to August 2008.20

Contracting arrangements

6.20 Mr Katf confirmed that the original contracts for the infrastructure were entered into in 2009 and 2010, and that the contracts related to three infrastructure service providers:

(a) DXC [formerly HPE] for the centralised computing covering the mainframe, midrange computers and data centres;

16 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 14.

17 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 14.

18 Mr John Dardo, Chief Digital Officer and Deputy Commissioner, Digital Delivery, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 11.

19 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 12.

20 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, answers to written question on notice from Hansard on 23 March 2018, received 18 April 2018.

87

(b) Leidos to manage the end-user PC devices, and service management capability, and in that sense in essence the integrator across the technologies; and

(c) Optus to provide the telephony.21

6.21 Mr Katf advised the 2009 DXC contract was amended in 2015 to provide revised data storage arrangements.22 All providers' contracts are held directly with the ATO. Leidos provided a broader capability that allows Leidos to assist the ATO in managing across all vendors, and the ATO'S own internal capability.23 Mr Katf confirmed that the current contracts are due for renegotiation in 2018.24

6.22 Mr Katf advised there was a separate internal group responsible for contract performance to manage the responsibilities and accountabilities of the ATO's vendors. He advised:

We are, in essence, the systems integrator, because we have the responsibility because we also own the business applications that sit on top of the [infrastructure]. This was a conscious decision, I think, that we are architected our own solution.25

6.23 Mr Katf advised that the ATO were the managers of service level agreements which allowed for penalties if key performance measures were not met. Each month the ATO measures the performance of the service providers against specified performance measures. The contract with each service provider included the thresholds for both the expected and the minimum performance level. Where the service provider fails to achieve the minimum performance level, the ATO at its absolute discretion can apply service credits (known under the contract as Performance at Risk Amounts). The service credits are a defined percentage of the monthly invoice that have been agreed as having regard solely to the reduction in value to the ATO of the services which have not been performed.

6.24 Where the service provider does not achieve the minimum performance level, and the service credits have been allocated by the ATO, these are accrued until the end

21 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 10.

22 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 16.

23 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 14.

24 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 18.

25 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 14.

88

of the contract year where, at the ATO’s discretion, these amounts can be 'earned back' by the service provider.26

6.25 Mr Katf advised that penalties were imposed on DXC arising from the outages, but based on both internal and external legal advice no penalties were imposed on Leidos as the assessment was that Leidos did not breach any of its obligations, but it was very clear that DXC had not met the service levels. The settlement with DXC resulted in the ATO recouping its key costs, as well as providing the ATO with higher grade IT equipment relating to data storage.27

6.26 The ATO advised that it chose to not apply the standard contract performance framework to the contract that led to the outages of December 2016 and February 2017 on the basis that the contract performance framework was not intended to deal with an outage of the magnitude of the SAN outages. The contract contained other commercial remedies that are intended to deal with situations such as these, which were utilised.28

6.27 The ANAO noted that the ATO 'does not have measures at the corporate or strategic level to enable a confident assessment of whether risks exceed tolerances' and found that there was significant variation in the extent to which tolerances were specifically contracted for.29 The ANAO concluded that this lack of clarity around contract risk management could impact future procurement activities unless changes were made:

The ATO's ICT infrastructure continues to be modified in response to demands for online services, and the availability of new technologies to support digital platforms and address risks and issues with legacy ICT systems. Use of new technologies is resulting in the ATO entering into different types of contracts with service providers. In 2018, the three bundles of major ICT contracts will be due for renewal. The combination of these events provides the ATO with an opportunity to reassess its ICT service measurement approach, and where possible implement common approaches, at least in terms of reflecting tolerances that align with the ICT outage service standards that the ATO has committed to develop.74 Such an approach would support the ATO in its efforts to use digital technology

26 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, answers to written question on notice from Hansard on 23 March 2018, received 18 April 2018.

27 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, Committee Hansard, 23 March 2018, p. 15.

28 Mr Ramez Katz, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology, Australian Taxation Office, answers to written question on notice from Hansard on 23 March 2018, received 18 April 2018.

29 Australian National Audit Office, Unscheduled Taxation System Outages, ANAO Report No. 29 2017-18, February 2018, pp. 51-52, https://www.anao.gov.au/sites/g/files/net4816/f/ANAO_Report_2017-2018_29.pdf (accessed 18 June 2018).

89

and online services effectively and efficiently in the administration of the taxation and superannuation systems

Two particular matters to consider are:

• revise the service measurements applying to the Amazon Web Services cloud service contract that does not include service level provisions. This contract exposes the ATO to contractual and operational risks in the absence of measurable service levels.

• to the extent possible, align service measurements arrangements for services sourced through ATO procurement processes, and those obtained through whole-of-government and shared ICT procurement options.30

6.28 The ANAO recommended that the ATO enhance its capability in relation to resilience and risk.

Importantly, at an entity-level, greater definition is required as to how the ATO engages with key vendors, supported by greater analysis and monitoring of arrangements, including periodic reporting to the ATO

Executive. In this way, the ATO will better define and achieve strategic value from vendors, with better visibility and control of the breadth of, and reliance upon, vendor arrangements.31

6.29 The ATO accepted the recommendations in this report noting that improvements were already underway.32

Increase in contracting activity in 2009

6.30 The Austender website showed that in 2009, there was a significant increase in tenders for ICT services.33 Many of these contracts appear to be for short term contracts (that is, less than 12 months) for roles relating to solution design, systems architecture, SAP and mainframe specialists. It is not clear whether some of these roles related to the management of the increasing number of contracts. Furthermore, it

30 Australian National Audit Office, Unscheduled Taxation System Outages, ANAO Report No. 29 2017-18, February 2018, p. 53, https://www.anao.gov.au/sites/g/files/net4816/f/ANAO_Report_2017-2018_29.pdf (accessed 18 June 2018).

31 Australian National Audit Office, Unscheduled Taxation System Outages, ANAO Report No. 29 2017-18, February 2018, p. 30, https://www.anao.gov.au/sites/g/files/net4816/f/ANAO_Report_2017-2018_29.pdf (accessed 18 June 2018).

32 Australian Taxation Office, Bolstering the ATO's IT resilience, Media release, 20 February 2018, https://www.ato.gov.au/misc/downloads/pdf/qc54613.pdf (accessed 18 June 2018).

33 For example: Austender, Closed ATM View - 001 - 2009, https://www.tenders.gov.au/?event=public.atm.showClosed&ATMUUID=AE7BC8D5-0951-1941-D7043586078036A6 (accessed 18 June 2018); Austender, Closed ATM View - RFT 006-2009, https://www.tenders.gov.au/?event=public.atm.showClosed&ATMUUID=B5FC90BD-A047-8071-C3E5824F8FC073B0 (accessed 18 June 2018).

90

is not clear how the corporate knowledge of these contractors was retained by the ATO when contractors left the organisation.

Committee view

6.31 In many ways, the ATO represents one of the more advanced examples of digital transformation. Millions of Australians submit their tax returns online. Businesses, including tax agents, access ATO data everyday through digital portals.

6.32 The corollary of the penetration of digital into the work of the ATO, however, is that service delivery was increasingly dependent on its ICT infrastructure and contractors. A failure in either would mean that the ATO would be incapable of delivering the standard of service that it had promised, and that its end users reasonably expected. Ultimately, this is exactly what occurred. The committee considers the sheer volume of outages suffered by the ATO was largely unprecedented and entirely unacceptable. It was seriously disruptive to the general public.

6.33 It is the committee's view that the importance of ICT and digital services to the ATO’s business model was not reflected in the types of contracts it had with its ICT service providers.

6.34 This may partly be a legacy issue—contracts were entered into some years ago, and the volume and importance of digital services may have increased since then. The committee considers, however, that this is now a foreseeable risk that agencies and departments should budget for when making procurement decisions that are intended to last a number of years into the future.

6.35 The committee considers, however, that part of the issue with the ATO's contracting was a lack of awareness of precisely what level of service was being contracted for, and the agency’s consequent degree of exposure.

6.36 The committee notes the ANAO's conclusion that the ATO 'does not have measures at the corporate or strategic level to enable a confident assessment of whether risks exceed tolerances'.34

6.37 This is no longer a viable approach. The core business of much of the ATO is not delivery of tax services, but digital delivery of tax services. This is not just a question of delivery mechanism, but is built into the nature of the service that users have come to expect, that is, 24 hour access on demand.

6.38 The committee recognises that different standards of service are available at different price points. Ultimately, it is a procurement decision for each department to make about what standard of service they require. The committee considers, however, that this decision should be made with a full and complete understanding of the department’s risks and needs.

6.39 This requires a more digitally educated workforce that currently exists.

34 Australian National Audit Office, Unscheduled Taxation System Outages, ANAO Report No. 29 2017-18, February 2018, pp. 51-52, https://www.anao.gov.au/sites/g/files/net4816/f/ANAO_Report_2017-2018_29.pdf (accessed 18 June 2018).

91

Child support system replacement project Background

6.40 The Australian Government child support IT system is known as Cuba. Cuba processes payments of '$3.5 billion from separated parents to financially support the welfare of over 1.2 million children'.35

6.41 In the 2013-14 Budget, the Australian Government introduced a budget measure to replace DHS's Cuba. Funding for the project would be drawn from existing departmental resourcing.36 The replacement of Cuba was considered to be necessary because the existing system was 'getting close to the end of its useful life' and the new system would provide 'better support for staff and separated families'. The budget measure indicated that the new system would be introduced by December 2015.37

6.42 An expression of interest process to replace Cuba was advertised in July 2013 on Austender.38 From the outset, industry observers were sceptical of the tender's design:

Considering the work entailed, the projected timeframe for the project appears quite tight. DHS has entered an expressions of interest phase for the development work and plans to issue a formal request for tender document for the project in September or October this year, after short-listing a number of companies for the initiative.

It then expects to deploy the replacement project by mid-2016, giving it likely only about two and a half years to do so, while transitioning all existing customer data onto the new platform by the end of that year. It then plans to implement additional enhancements to the new system by the end of 2018, with a view to more fully supporting current government legislation and policy.39

6.43 Furthermore:

35 Department of Human Services, Submission 13, p. 14.

36 Budget 2013-14, 'Part 2 Expense Measures: Human Services', http://budget.gov.au/2013-14/content/bp2/html/bp2_expense-14.htm (accessed 19 March 2018).

37 Department of Human Services, 'Child support system (Cuba) replacement—Budget 2013-14', https://www.humanservices.gov.au/organisations/about-us/budget/budget-2013-14/budget-measures/improving-services/child-support-system-cuba-replacement (accessed 19 March 2018).

38 Austender, Closed ATM View—EOI 13/1000213548, https://www.tenders.gov.au/?event=public.atm.showClosed&ATMUUID=EF4D56F9-0338-4F29-4EBFB56837B2E786 (accessed 18 June 2018).

39 Renai LeMay, 'Introducing "The Cuba Replacement": The Federal Govt's newest major ICT project', Delimiter, 23 July 2018, https://delimiter.com.au/2013/07/23/introducing-the-cuba-replacement-the-federal-govts-newest-major-ict-project/ (accessed 18 June 2018).

92

Then, too, there are already indications that the CSS overhaul is going to have problems. Keen observers will have noted the following paragraph in its EOI document last week:

"Development of the child support system will require close liaison with SAP to redevelop base modules and avoid bespoke modification to aid efficient development of the new system and ensure upgrade pathways for SAP solutions are not compromised."

Is DHS really saying that it wants its project partner to work with SAP on re-developing SAP modules to fit its own needs, and then re-integrate those modules into the mainline SAP codebase, so that future upgrades aren’t a problem? Some would call that a rather 'ambitious' approach. Convincing a mega-vendor to do anything like this is always going to be a headache. And especially for a project as small (on global terms, $100 million is nothing) as the CSS overhaul.40

6.44 By February 2014, the tender process had concluded and the tender was awarded to Accenture. The then Minister for Human Services, Senator the Hon Marise Payne suggested that government's expectations were that in-house capability would be delivered as part of the tender:

Accenture and SAP will assist in building the replacement system while ensuring that the department is left with a skilled, in-house workforce able to maintain the system into the future, a reduced cost to the taxpayer.41

6.45 The replacement system known as PLUTO was supposed to be finalised by mid-2016. This deadline was not met. By the start of 2017 there were media reports of significant difficulties.

DHS claimed in 2013 that it could have a replacement up and running by December 2015 but more than 12 months after the mooted launch date for the new system, Child Support workers are still using CUBA and are still in the dark on the fate of the replacement project.

In mid-2016 agency staff were promised a stop-gap solution, the continued use of CUBA, but with modern, bolted-on front screens using technology supplied by German tech giant SAP and acting as a "wrapper" for the older CUBA technology.

But Fairfax understands that nothing has come of the promised SAP screens with insiders reporting that a "deathly silence" has fallen over the entire child support system replacement (CSSR) project.42

40 Renai LeMay, 'Introducing "The Cuba Replacement": The Federal Govt's newest major ICT project', Delimiter, 23 July 2013, https://delimiter.com.au/2013/07/23/introducing-the-cuba-replacement-the-federal-govts-newest-major-ict-project/ (accessed 18 June 2018).

41 Allie Coyne, 'Human Services picks Accenture for child support system overhaul', ITNews, 24 February 2014, https://www.itnews.com.au/news/human-services-picks-accenture-for-child-support-system-overhaul-373137 (accessed 18 June 2018).

93

6.46 DHS finally launched the new system in July 2017 with a number of problems becoming immediately apparent:

Child Support Agency staff report the new system, called Pluto, is slower and clumsier than the obsolete technology it was supposed to replace.

Both frontline public servants and the main workplace union has told Fairfax Media that large numbers of CSA public servants being ordered to drop everything to help with "emergency escalations" as the agency's phone lines are swamped with irate clients.

…Now that Pluto is finally operational, one frustrated user told Fairfax the process was a "shambles"

"It's no easier and considerably slower than Cuba while we're left making excuses to customers to calm them down," the insider said.

"We only have about half the information we used to, so it's very difficult telling customers where their payments are, when they can expect to receive payment."43

6.47 These issues were initially denied by the DHS, however, it was reported that soon after the initial denials, DHS finally acknowledged that PLUTO was not working as it should:

On June 19, Kate Hay, the general manager of the agency's call centres, wrote to her staff thanking them for their "understanding and commitment" during the roll-out of the new system.

"The executive and I acknowledge that this extremely busy period has meant that some of you feel that you are not on top of your work as you would like to be, please be assured that we realise that you are all doing your best to manage this and seeking assistance to manage some aspects which may not be within your direct control," Ms Hay wrote.

"We also note that there have been more escalations required recently to meet our demand which, can seem disruptive to your day."44

42 Mr Noel Towell, 'Child support system the latest federal government tech-wreck', The Canberra Times, 30 January 2017, http://www.canberratimes.com.au/national/public-service/3-billion-child-support-system-the-latest-federal-government-techwreck-20170126-gtz2m6.html (accessed 19 March 2018). See also: Mr Noel Towell, 'Contractors for government's child support system costing taxpayers $100,000 a day' The Canberra Times, 14 February 2017, http://www.canberratimes.com.au/national/public-service/govts-child-support-tech-wreck-chews-up-100000-a-day-20170208-gu85fu.html (accessed 19 March 2018).

43 Noel Towell, 'Australia's $3 billion child support program a "shambles", say public servants'', The Canberra Times, 21 June 2017, https://www.smh.com.au/public-service/new-child-support-pay-system-a-dog-say-public-servants-20170620-gwup4d.html (accessed 18 June 2018).

94

6.48 At the committee's Sydney hearing, Mr Osmond Chiu, Research and Policy Officer at the CPSU informed the committee of his members' experience with the new system:

There have been a range of issues with that, which occurred last year. It's a new system that was introduced, and many people who rely on child support payments couldn't actually use the system. This is a new system, and they had to drag child support staff from their usual work to answer the phones because the system didn't work.45

6.49 At the recent Senate Community Affairs Legislation Committee's Additional Estimates, DHS staff told the committee that staff have to use both the old system (Cuba) and the new system concurrently. As Ms Maree Bridger, General Manager, Child Support and Redress Division, DHS explained:

[Staff] need to use both systems, but, because everything that Cuba does is not replicated in Pluto, at times they will need to enter some things into Pluto and at other times they will need to enter them into Cuba, and there are some teams that do complex functions that are solely undertaken in Cuba.46

6.50 Mr Charles McHardie, Acting Chief Information Officer at DHS, explained how the systems currently interact with each other:

Pluto is the front end. It's collecting the data. It pushes it into Cuba. It does the calculations and remains the system of record to provide that payment assurance.47

6.51 Similarly to the Welfare Payments Infrastructure Transformation Program (WPIT), Mr McHardie pointed out that the replacement of Cuba would be the last step in the replacement program.48 The WPIT case study is discussed later in the chapter.

DTA response

6.52 Dr Seebeck of the DTA advised the committee that the Cuba replacement project had been captured in the DTA's digital investment review data collection, but the project is not within the DTA's 'engage category' because the project was nearing its end following re-scoping. Furthermore, the DTA had confidence in the department that action was being taken. She observed that the Cuba project faced the types of

44 Noel Towell, 'Problems with child support payment system "Pluto" could be allowing parents not to pay', The Canberra Times, 23 June 2017, https://www.canberratimes.com.au/public-service/problems-with-new-child-support-payment-system-pluto-20170622-gww4iv.html (accessed 18 June 2018). See also: Noel Towell, 'Child support agency acknowledges "disruption" with new computer system', The Canberra Times, 6 July 2017, https://www.canberratimes.com.au/public-service/problems-with-new-child-support-payment-system-pluto-20170622-gww4iv.html (accessed 18 June 2018).

45 Mr Osmond Chiu, Research and Policy Officer, CPSU, Proof Hansard, 14 March 2018, p. 13.

46 Senate Community Affairs Legislation Committee, Estimates Hansard, 1 March 2018, p. 132.

47 Senate Community Affairs Legislation Committee, Estimates Hansard, 1 March 2018, p. 133.

48 Senate Community Affairs Legislation Committee, Estimates Hansard, 1 March 2018, p. 133.

95

problems that were not uncommon when dealing with legacy systems. She advised that the project commenced before the mandated requirement that all projects follow the DTA's Digital Service Standard.49

DHS response

6.53 Ms Maree Bridger, General Manager, Child Support and Redress, DHS advised that an independent review in 2009 determined that Cuba was nearing the end of its life. The 2013-2014 budget allocated $102.3 million to replace the legacy system (Cuba) which did not automate all child support processes; with some processes being completed manually.50 The allocated budget was spent over the years 2013-201651 with the $102.3 million being funded internally by the department.52 The government's plan was that once Cuba was replaced, Cuba would then be enhanced to accommodate those transactions that were currently being done manually. As at March 2018, not all existing legacy processes have been transferred to the new system.53

6.54 Ms Bridger advised that the allocated $102.3 million had been spent on progressing the Cuba project to its present state of development.54 Ms Renee Leon, PSM, Secretary, DHS, advised the committee that the expenditure has delivered benefits. DHS told the committee that it has made considerable progress with the child support system redesign. However, Ms Leon noted that the Cuba replacement program was more complex than had been anticipated, requiring more work from the department. Moreover, the department has obtained new technologies which are now being utilising to build a better system.55

6.55 Mr McHardie explained that Deloitte has been engaged to assist DHS with an evaluation of the rollout of Pluto. Deloitte will assist in assessing the approach DHS has taken to date and with the prioritisation of the next steps. Mr McHardie indicated that the Deloitte report will assist the Department to clarify the project.56

49 Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard. 23 March 2018, p. 24-25.

50 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard, 23 March 2018, p. 20.

51 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 26.

52 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard, 23 March 2018, p. 22.

53 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard, 23 March 2018, p. 20.

54 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard, 23 March 2018, p. 22.

55 Ms Renee Leon, PSM, Secretary, Department of Human Services, Senate Community Affairs Legislation Committee, Estimates Hansard, 31 May 2018 p. 127.

56 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 32. This contract is worth $490 000.

96

6.56 On the engagement of Deloitte to clarify the strategy that would lead to the implementation of Cuba and Pluto, Ms Leon said:

At every Estimates the plan will become clearer...I don't think we said it was an endless project. We said we're in the process of scoping now. We don't at this point have a timeframe for it, but we don't intend to run it an unbounded fashion.57

6.57 Cuba comprises a 'front-end' function, a generic term which refers to the staff interface with a computer screen to process information, and a 'back-end' function, which is the calculation engine that assists with, in Cuba's case, assessing the quantum of child support payments, and the storage of data in a legacy database.58 In July 2017, Pluto replaced the front-end function of Cuba, but Cuba continued to undertake the back-end functions.59 Mr McHardie advised that it still remains necessary to replace the Cuba back-end legacy system.60

6.58 Mr McHardie confirmed that in 2016, a decision was taken to move from an out-sourced delivery methodology to an in-house delivery approach led by the Chief Information Officer Group. The decision to vary the approach originally agreed upon was to enable the department to leverage off work being done for the Welfare Payment Infrastructure Transformation (WPIT) program in relation to the Centrelink processes. In anticipation of the WPIT program, the department started to move the front-end staff-facing processing screens online and mobile component that the public view into a new pattern using SAP technology that was being built in-house. In April 2016, that aspect of WPIT was leveraged in order to build Pluto. 61

6.59 Mr McHardie advised that the work undertaken by contractor Icentia between 2014 and 2016 had not been abandoned. Incentia had undertaken an examination of how Cuba was constructed—the functional building blocks and all the functional requirements in Cuba that would need to be replaced. This process addressed how SAP, the customer relationship management system could be utilised to replace Cuba in its entirety Pluto is built of a SAP platform.62

57 Ms Renee Leon, PSM, Secretary, Department of Human Services, Senate Community Affairs Legislation Committee, Estimates Hansard, 31 May 2018 p. 132.

58 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, pp. 23-24.

59 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard, 23 March 2018, p. 20.

60 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 24.

61 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, pp. 20-21. The financial year 2013-2014 decision to outsource the program was varied in 2016 when the work was brought back in House.

62 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23March 2018, p. 21.

97

6.60 Mr McHardie acknowledged that the contractors undertaking the initial examination of Cuba found it to be more technologically complex than they had envisaged at the outset, however, a lot of the discovery phase work allowed the department to leverage as the project went forward.63

6.61 Mr McHardie advised that the selection of SAP was a technical decision. He stated that the department is using the SAP platform for all of the staff-facing capability for the Centrelink Master Program, Mr McHardie advised that the decision to continue with the SAP platform was based on work undertaken in the early stages of the WPIT Program. Mr McHardie noted that DHS had invested heavily in its workforce in SAP technology and has built up a very large skill set with SAP. He also noted that DHS has been using the SAP business suite across many of its ICT builds, both for the department and on behalf of other departments and agencies.64

6.62 Mr McHardie further advised that project methodology had evolved in recent times, adopting a service delivery design process which involves including both members of the public and the department's processing officers so that for large systems DHS can build capability in multi-disciplinary teams and iterate the process starting with a prototype. He advised that Pluto was now being built by multi-disciplinary teams on the service delivery model.65 Ms Bridger confirmed that the service delivery methodology was not widely used at the time the Cuba project started.66

6.63 Mr McHardie further explained that DHS is focussing on change management. It has introduced an new general manager of change management to address change at the staff and enterprise level, including training and communication issues, and a new Chief Citizen Experience Officer to look after change from the public perspective. He considered DHS had made significant improvements in the way it is organising itself to delivery large scale ICT projects, such as WPIT.67

Committee view

6.64 The replacement of aging infrastructure is not a particularly transformative project—it is part of the usual and necessary business required to enable the agency to continue to undertake its work. It is also the type of project which has been, and will need to be, replicated across departments and agencies over the coming years.

63 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 25.

64 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, , Senate Community Affairs Legislation Committee, Estimates Hansard, 31 May 2018 p. 128.

65 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 30.

66 Ms Maree Bridger, General Manager, Child Support and Redress, Department of Human Services, Committee Hansard, 23 March 2018, pp. 29-30.

67 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 31.

98

6.65 The replacement of Cuba is far from an exemplar. It is a project that was supposed to be completed by late-2015, then mid-2016, was supposedly completed in mid-2017, ran into immediate problems, and then was suspended in mid-2018.

6.66 The committee considers that the consequences of this failure are serious.

6.67 The end users of technology are not always the public—they are quite often departmental employees. That does not make user-centredness and ease of use any less important. The failed replacement of Cuba demonstrates why.

6.68 The committee heard evidence that the partial roll out of Pluto meant that staff were required to use both the old and new systems. These systems were not interoperable. Some functionality remained on the old system whilst some resided on the new. Staff were required to manually transfer data between them. Training on the new system was complex and took extended periods of time.

6.69 The impacts of this on staff are regrettable. ICT changes should not make work needlessly more difficult. However, the impacts on public servants also flow through to the service that is able to be delivered to the public. The committee heard evidence that staff were pulled from answering hotlines in order to receive training. The need to use two systems substantially increased the amount of time it took to undertake any task. In the absence of further resourcing, a backlog built up.

6.70 This was all happening within the Child Support Agency—a government function designed to help often vulnerable people and their children, at times of conflict, need, and distress.

6.71 A substantial sum of taxpayer funds have been sunk into a project that has been suspended indefinitely.

6.72 The committee appreciates that there are unexpected difficulties that arise with replacing aging ICT infrastructure such as Cuba. However, departments and agencies undertaking projects like this should expect that unexpected difficulties will arise.

6.73 The scoping of the project was criticised by industry observers as being unduly optimistic when it was first released. The committee has no doubt that that this is true.

6.74 There are incentives inadvertently built into both the department’s internal budgetary processes and the tender processes to present a project as being cheaper and easier to complete than it may actually be. The replacement of Cuba demonstrates that succumbing to these incentives has real consequences.

Online Compliance Intervention (Robodebt)

Background

6.75 The Online Compliance Intervention (OCI) process applied an automated system to a data-matching process comparing income data held by the Australian Taxation Office with the income payments data of Centrelink in an effort to identify discrepancies as the basis to recover overpayment of welfare support payments from

99

Centrelink and former Centrelink recipients.68 Data-matching between Centrelink and the ATO has been undertaken for approximately 20 years. Prior to the introduction of OCI, the process of checking the ATO lump sum income records against [Centrelink's] fortnightly income records', identifying where someone has been overpaid was undertaken by departmental personnel.69

6.76 OCI represented part of a 2016 Coalition election commitment to improve the sustainability of the welfare system by reducing overpayment of income support payments.70

6.77 From November 2016, under the OCI, 'where there was a discrepancy between the income declared to the ATO and Centrelink's records, a letter was automatically generated that asked recipients to use an online portal to update their details', in effect, outsourcing the department's role to the 'individual income payment support recipients'.71

6.78 In 2016-17, the Government forecast that the program would deliver $3.7 billion worth of savings. However, for the period July-December 2016, the 'department had sought repayment of $300 million worth of purported debts and actually recovered $24 million'.72

6.79 In its submission to the committee, the CPSU summarised its view of the OCI, stating:

There are three fundamental failures built in to the OCI. Firstly, the human oversight involved in assessing discrepancies and raising debts has been limited. A second and related flaw is that the administrative cost of managing overpayments has been transferred from the Department to ordinary Australians, with the Department no longer taking responsibility for contacting employers to investigate discrepancies before debts are

68 Senate Community Affairs References Committee, 'Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System Initiative', June 2017, pp. 1-2, https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/Soci alWelfareSystem/Report (accessed 19 March 2018).

69 Senate Community Affairs References Committee, 'Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System Initiative', June, p. 2.

70 Liberal Party of Australia and The Nationals, The Coalition's policy for better management of the social welfare system, June 2016, https://cdn.liberal.org.au/pdf/policy/2016%20Coalition%20Election%20Policy%20-%20Better%20Management%20of%20the%20Social%20Welfare%20System.pdf (accessed 19 March 2018).

71 Senate Community Affairs References Committee, 'Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System Initiative', June 2017, p. 3.

72 Senate Community Affairs References Committee, 'Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System Initiative', June 2017, p. 4.

100

raised. The business process has been designed to minimise cost to the government by reducing the usual manual oversight requirements and removing employer verification of PAYG anomalies prior to customer contact commencing. The business process design has all but ensured high rates of error in the calculation of debt. Staff have been directed not to fix errors they could clearly identify. Instead they have been instructed to refer customers to online self-service portals in an attempt to transfer the administrative burden of debt recovery onto the customer.

Thirdly, the onus of proof has in effect been reversed, with customers now obliged to investigate alleged discrepancies and provide evidence that an overpayment doesn’t exist - rather than the burden being on government to show that it does.73

6.80 In June 2017, the Senate Community Affairs References Committee reported on its inquiry into the OCI and found a number of serious shortcomings with OCI, including:

• a fundamental lack of procedural fairness at every stage of the OCI program;

• the lack of procedural fairness disempowered people in dealing with the OCI debt;

• the department had a fundamental conflict of interest - the harder it was for people to navigate this system and prove their correct income data, the more money the department recouped; and

• the department did not apply 'best practice'. 74

6.81 Concurrent to the Community Affairs inquiry, the Commonwealth Ombudsman conducted an own-motion investigation which reported in April 2017.75 The Government accepted all eight of the Ombudsman's recommendations.76 A

73 Commonwealth Public Sector Union, Submission 16, p. 15.

74 Senate Community Affairs References Committee, 'Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System Initiative', 21 June 2017, pp. 23, 36, 39, 55, 59, 69 and 77-78; available at: https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/Soci alWelfareSystem (accessed 7 June 2018).

75 Commonwealth Ombudsman, Submission 12; See also: Commonwealth Ombudsman, 'Centrelink's automated debt raising and recovery system: A report about the Department of Human Services' Online Compliance Intervention System for Debt Raising and Recovery', April 2017, available at: http://www.ombudsman.gov.au/__data/assets/pdf_file/0022/43528/Report-Centrelinks-automated-debt-raising-and-recovery-system-April-2017.pdf (accessed 21 March 2018).

76 Australian Government response to the Community Affairs References Committee Report: Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System initiative, Senate Community Affairs References Committee, p. 3. available at: https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/Soci alWelfareSystem/Government_Response (accessed 7 June 2018).

101

critical recommendation of the Ombudsman was that future letters to income recipients should 'expressly inform individuals [that] if they do not clarify income data, ATO annualised data will be averaged and this may result in a debt'.77

The development of OCI

6.82 Mr McNamara, Acting Deputy Secretary, Integrity and Information, DHS, advised the committee that a number of budget measures underlie the OCI data matching process. The first measure in the 2015-2016 budget was the 'Strengthening the Integrity of Welfare Payments', which led to an increase in compliance reviews, initially for the 2015-2016 financial year.78 The government's decision was that the OCI reviews would be undertaken online in parallel with a manual process.79 Accordingly, compliance reviews were undertaken manually by DHS staff without reference to an online system; concurrently during the same year the online system was developed. In July 2016, the online system was trialled with a 1 000 person pilot, before being more fully rolled out in August-September 2016.80

6.83 In evidence to the committee, Mr McHardie, Acting Chief Information Officer, DHS, advised that the system was built in 2015-2016 as an in-house project.81 Ms Liz Bundy, Acting General Manager, Integrity Modernisation, DHS, said DHS used a waterfall methodology involving joint design sessions with ICT staff working through the requirements for the project, and then building to those requirements.82 The analysis and design of the OCI was completed in October 2015

See also: Commonwealth Ombudsman, Submission 12; Commonwealth Ombudsman, 'Centrelink's automated debt raising and recovery system: A report about the Department of Human Services' Online Compliance Intervention System for Debt Raising and Recovery', April 2017, http://www.ombudsman.gov.au/__data/assets/pdf_file/0022/43528/Report-Centrelinks-automated-debt-raising-and-recovery-system-April-2017.pdf (accessed 21 March 2018).

77 Senate Community Affairs References Committee, 'Design, scope, cost-benefit analysis, contracts awarded and implementation associated with the Better Management of the Social Welfare System Initiative', 21 June 2017, p. 10, available at: https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/Soci alWelfareSystem/Government_Response (accessed on 7 June 2018).

78 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information,Department of Human Services, Committee Hansard, 23 March 2018, pp. 34-35.

79 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 35.

80 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, pp. 34-35.

81 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 35.

82 Ms Liz Bundy, Acting General Manager, Integrity Modernisation, Department of Human Services, Committee Hansard, 23 March 2018, p. 35.

102

for a start date of July 2016. This occurred before the introduction of the DTA's Digital Service Standards.83

6.84 Dr Seebeck advised that the DTA was not involved in the development of the OCI project.84 Mr Peter Alexander, Chief Digital Officer, Digital Division, DTA advised that in January 2017 the DHS sought DTA advice on how to improve the screens, and received expert advice on user experience and interaction design. Since then the DTA has provided intermittent advice to DHS on items of technology or user research.85

The ATO role in data matching

6.85 Mr McNamara further advised that DHS has always coordinated a data matching process with the ATO. The data matching has shown that DHS's capacity to action the anomalies disclosed by the data matching was limited; only a certain number of reviews relative to the significant number of discrepancies between the DHS and ATO datasets. DHS had established a backlog of discrepancies that had not been actioned. The OCI compliance measures were intended to address the backlog of discrepancies.86

6.86 The ATO was not involved in the process because data matching with the ATO has been a longstanding process; as such, the OCI project did not change DHS's interaction with the ATO.87 The existing ISIS88 operating system applied back-end established rules to data match ATO and DHS records to identify a pool of anomalous records; a further selection process was taken to identify from the pool those people in all probability had been overpaid; the process was not to chase small anomalies.

The OCI letters

6.87 Letters were then sent to those identified seeking an explanation of the anomaly. Where previously recipients of letters would have been required to contact a compliance officer to resolve the anomaly, the OCI letter directed the recipient to an

83 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 35.

84 Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Management Investment Office, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 35.

85 Mr Peter Alexander, Chief Digital Officer, Digital Division, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 36.

86 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 35.

87 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 40.

88 ISIS (Income Security Integrated System) is a legacy system which is old mainframe based echnology. It is the legacy operating system that undertakes Centrelink's income entitlement assessment; it processes all claims from a legacy perspective in the Centrelink master program. See, Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 21.

103

online site to update their financial data. Having entered their data online, ISIS would then undertake back-end [income/debt] calculations. 89

6.88 Mr McNamara advised that the OCI measure allowed more letters to be sent to potential debtors than was previously the case.90 Mr McNamara said the online compliance process was predominantly for those with relatively simple arrangements; the OCI letters would not be sent to those with reasonably complex financial circumstances. Also, as an example, Mr McNamara advised that if a large amount of income was entered in one month compared to average weekly earnings, the OCI process would direct the person to telephone the DHS directly rather than using the online system.91

DHS' assessment of OCI

6.89 Mr McNamara stated that he was satisfied that OCI met its project intention in achieving considerable savings. He confirmed that the effects of OCI on the community were included in the metrics for the project, observing that it has always been the case that people have been required to advise Centrelink of any change in their circumstances. He said that the fact that the data matching process identified some people who had failed to update DHS of their circumstances did not absolve DHS from the need to assess those welfare recipients.92 Mr McNamara observed that people react differently to the compliance review process:

…One of the things we've found in the compliance review space, I think it's fair to say, is that people who really don't think they've done the wrong thing and who have genuinely tried to comply with the system do find the idea of talking about their previous history quite confronting. It doesn't really make any difference—the nature of our system. They see it as an integrity issue, and I can accept that. I think that's quite appropriate. If you've been giving us information quite often and you've been doing it quite diligently, for someone to turn up and say, 'I want to essentially audit what you've told me,' can be quite confronting.

In this particular case, there's quite a number of examples we have within the system where, for instance, people quite diligently told us their net pay, but they told us they'd put it in gross pay on our online app. They're diligently telling us the wrong information. Therefore, five years later, when we come along because we now have the capacity to look at the data match and say, 'Hang on—you haven't quite told us the right information', people quite rightly become upset. The difficulty for us is they were overpaid at the time, and some people find this quite confronting as a

89 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, pp. 41-42.

90 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 42.

91 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 42.

92 Mr Jason McNamara, Committee Hansard, 23 March 2018, p. 38.

104

process. As we've rolled that out, we've understood that nature—that some people are in that category, where other people are in the category of: 'I just needed the money at the time. I've told you the wrong thing. How do I pay it back?' My compliance officers deal with a spectrum of people at the moment, and the online system has to deal with that spectrum.93

6.90 In response to the observation that the OCI was only focussed on budget savings—that user's experience was not the primary purpose of the project—Mr McNamara stated that the issue for DHS compliance has always been the integrity of the welfare system. He said to date DHS had saved $900 million through income matching, and have recovered nearly $270 million. He confirmed that the measures are expected to save $3.7 billion over the period of the project in 2021, and that he was confident DHS will make those types of savings.94

Systems design issues

6.91 Ms Liz Bundy, Acting General Manager, Integrity Modernisation, DHS, advised that staff became involved with the rollout of the OCI from May 2015 for a commencement date of 1 July 2015, with approximately 200 staff across five compliance sites being involved. Ms Bundy told the committee that a team of compliance staff located in Brisbane worked with the ICT staff to design the system requirements.95 Mr McHardie stated that DHS had 136 ICT staff involved in some capacity during the building of the system in the 2015-2016 fiscal year. Mr McNamara contended that operational staff were part of the design process.96

6.92 Mr McNamara said that DHS subjected OCI to significant user testing prior to the system being released, not only from an IT perspective, but also from the user's perspective. However, Mr McNamara did agree that some aspects of the communication process could have been clearer on the initial rollout, noting that key changes have since been made to the covering letter and the online system to improve clarity.97 Mr McNamara advised that in January and February 2017, a number of enhancements and changes were made to the compliance letters to clarify the letters and simplify the language of the letters, on what is now called 'employment income

93 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 44.

94 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 46.

95 Ms Liz Bundy, Acting General Manager, Integrity Modernisation, Department of Human Services, Committee Hansard, 23 March 2018, pp. 40-41.

96 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 41.

97 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, pp. 38-39.

105

confirmation'.98 Mr McHardie advised that DHS had involved the DTA in building the employment income confirmation system.99

6.93 Mr McNamara also conceded that a decision was made to not include the OCI dedicated helpline telephone number in the covering letter to welfare recipients. He further conceded that it would have been more useful for people to have had been made aware of the helpline number in the covering letter.100 Mr Alexander observed that in DTA's view, the original compliance letters were confusing and complex. He observed that DHS has since moved away from the old waterfall testing model, adopting the Digital Service Standard.101

6.94 Noting that DHS had done a lot of user testing, Mr McNamara commented that it is the nature of how the user testing interacts with the design. He stated that DHS has evolved and has become a lot more interactive with the customer early on in the design stage. He noted that the Digital Service Standard is more about an interactive way of doing things.102 Mr Alexander noted that the Digital Service Standard would 'not solve all the problems of the world'; it is a set of 13 processes that, if followed, solves a lot of problems. There is now a government-mandated standard for agencies.103

6.95 Dr Seebeck observed that until a system is 'tested in the wild' you are not going to have a full understanding of it, and that this goes back to understanding the test data.104 She said the OCI was a good example of automation; that what DHS did with the testing was done with the best of intent:

It is putting it in the wild, learning to go through the beta and coming back and speaking to us [DTA] about the user-centred design.105

98 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 4

99 Mr Charles McHardie, Acting Chief Information Officer, DHS, Committee Hansard, 23 March 2018, p. 44.

100 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services, Committee Hansard, 23 March 2018, p. 39.

101 Mr Peter Alexander, Chief Digital Officer, Digital Division, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 44.

102 Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information, Department of Human Services Committee Hansard, 23 March 2018, pp. 44-45.

103 Mr Peter Alexander, Chief Digital Officer, Digital Division, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 45.

104 Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 45.

105 Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office, Digital Transformation Agency, Committee Hansard, 23 March 2018, p. 45

106

Committee view

6.96 The "Robo-debt" project applied many of the techniques of digital transformation with none of the underlying principles. Data matching and automated decision making could, in other contexts and with appropriate safeguards, make positive contributions to the delivery of government services. This project, however, represented a failure in policy conception and design.

6.97 The committee finds it extraordinary and disturbing that the department could describe the project has having gone 'very well' despite the well documented hardship and distress it caused countless Australians.

6.98 That evaluation was a direct result of the very limited conception of digital brought to the project by both the department and the minister.

6.99 Where digital transformation is undertaken solely to reduce costs or identify savings, it is likely to do so at the expense of user experience.

Welfare Payment Infrastructure Transformation106

Background

6.100 In 2014, the Treasurer, the Hon. Joe Hockey MP said that the government had no choice but to replace Centrelink's information and communication technology system arguing that problems affecting the system were affecting the quality of services to customers.107

6.101 As part of DHS's Digital Transformation Strategy, the Welfare Payment Infrastructure Transformation Programme (WPIT) was implemented to replace the ageing Centrelink ICT system.108 DHS described the project as a business led, user centred, technology enabled project that will be delivered in five stages over seven years from July 2015-2022.

106 The main source is the Department of Human Services, 'Annual Report 2016-17: Part 3— Transformation and Technology: Reform of service delivery', pp. 1-4, available at https://www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2016-17/reform-service-delivery , (accessed on 16 March 2018). See also: D. Arthur, 'Changes to welfare system compliance and ICT systems', Australian Parliamentary Library, May 2015, https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/ pubs/rp/BudgetReview201516/WelfareSystem, (accessed on 16 March 2018).

107 D. Arthur, 'Changes to welfare system compliance and ICT systems', Australian Parliamentary Library, May 2015, available at: https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/ pubs/rp/BudgetReview201516/WelfareSystem (accessed on 16 March 2018).

108 The Digital Transformation Strategy together with the Technology Plan 2016-2020, provides the overarching strategy and central point for the department's business for ongoing digital transformation. The strategy governs internal strategies and plans, including the Welfare Payment Infrastructure Transformation (WPIT): Department of Human Services, 'Annual Report 2016-17: Part 3—Transformation and Technology: Reform of service delivery', p. 1. available at: https://www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2016-17/reform-service-delivery (accessed on 16 March 2018). See also, Department of Human Services, Submission 13, pp. 20, 22.

107

6.102 The project is intended to:

• provide customers with faster, more connected and automated digital services;

• give staff a modern ICT platform that makes it easier for them to do their jobs;

• position the department to meet future policy needs of government. 109

6.103 The 2015-2016 Budget allocated funding of $60.5 million over four years from 2015-2019 to deliver the first stage of WPIT—Tranche one—by 31 December 2016.

6.104 Tranche one covered:

• Business planning, scoping and design and the implementation of digital improvements and new services; the selection of the major commercial partners for the project;

• Digital enhancements:

• a 'claim tracker' capacity to allow welfare recipients to track the progress of their claims;

• an online 'payment and service finder' to help potential claimants to

understand what payments and services might best suit their circumstances;

• the introduction of virtual assistant, 'Sam', on the families and students

website pages;

• a new training tool to assist staff in their jobs; and

• a new Scaled Agile Framework (SAFe) delivery model, which has assisted in delivering in ways of working to implement incremental changes for both staff and students.110

6.105 According to the DHS 2016-17 Annual Report, the WPIT budget measures initiatives for Tranche one were delivered as agreed and within timeframes and on budget.111

109 D. Arthur, 'Changes to welfare system compliance and ICT systems', Australian Parliamentary Library, May 2015, p. 1, available at: https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/ pubs/rp/BudgetReview201516/WelfareSystem (accessed on 16 March 2018).

110 Department of Human Services, Welfare Payment Infrastructure Transformation - Tranche One - Budget 2015-2016, July 2017, available at: https://www.humanservices.gov.au/organisations/about-us/budget/budget-2015-16/budget-measures/improving-services/welfare-payment-infrastructure-transformation-tranche-one (accessed 16 March 2018).

111 Department of Human Services, 'Annual Report 2016-17: Appendix A—Annual Performance Statement, p. 9, https://www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2016-17/appendix-annual-performance-statement, p. 9, (accessed on 16 March 2018).

108

6.106 In December 2016, the government committed $313.5 million net expenditure over four years for the delivery of the second stage—Tranche two. This tranche marked the transition from the foundation planning and set up phase into the first of its core delivery phase. The tranche is to focus on student payments for Youth Allowance and Austudy, with some student claim processing being automated, and is expected that decisions on student's payment applications will be delivered more quickly.112

6.107 Together with DHS's commercial partners, tranche two will also address the co-designing of the core system features required to support all welfare payments into the future—that is, to provide a template for the delivery of payments for job seekers, families, older Australians and people with disability.

6.108 During tranche two a concept of operations is also to be developed for the delivery of tranches three to five.

6.109 On 22 March 2017, the Minister, the Hon Alan Tudge, announced that Accenture had been selected as the preferred tenderer to provide systems integration services for the delivery of welfare payments.113 An article in Computerworld reported that Accenture will work with Capgemini, IBM, and HP Enterprise as members of a panel that will provide systems integration services. Computerworld reported that SAP is the preferred software vendor for the WPIT.114

DHS Response

6.110 Mr John Murphy, Deputy Secretary, Department of Human Services advised that a budget measure in the 2013-2014 financial year funded a two-year study to look at options to replace ISIS. This preliminary work was funded by DHS. WPIT was announced as a budget measure in the 2015-2016. Mr Murphy explained that DHS is currently operating a system that was largely designed in the 1970s, 1980s and 1990s based on paper, telephones and face-to-face interactions. At its heart, the WPIT project is designed to transform DHS's businesses processes:

…from my point of view,…this really is about a business transformation that needs to really stare into 30 or 40 years of complexity that has been built up. As I said earlier, I have come from the private sector. One of my observations, having joined government, is that this is a far more complex

112 Department of Human Services, 'Annual Report 2016-17: Part 3—Transformation and Technology: Reform of service delivery', p.3, available at https://www.humanservices.gov.au/organisations/about-us/annual-reports/annual-report-2016-17/reform-service-delivery , (accessed on 16 March 2018).

113 The Hon. Alan Tudge, Minister for Human Services, Centrelink Digital Transformation moves from development to delivery, media release, 22 March 2017: http://pandora.nla.gov.au/pan/65939/20170323-0301/www.mhs.gov.au/media-releases/2017-03-22-centrelink-digital-transformation-moves-development-delivery.html (accessed 21 March 2018).

114 Government pushes ahead with work on Centrelink pay system, Rohan Pearce, Computerworld, 22 March 2017, available at: https://www.computerworld.com.au/article/616420/government-awards-major-centrelink-payment-system-contract/ (accessed on 16 March 2018).

109

environment than the one I'm used to working in. My banking colleagues may not like me for saying that, but it is more complex because of the nature of the services we provide. Therefore, what we need to do around digital is more challenging. Also, the way that we think about supporting our customers, our citizens, needs to be far more layered and for more nuanced than you would see in the private sector.115

6.111 Mr Murphy noted the challenges facing WPIT to be:

• the redesign of the business processes;

• to change the culture by the reskilling, the retraining of our people; and,

• the right-sizing of the department, by having the right people in the right

place; and then the technology.

6.112 Mr Murphy told the committee that the expectations of customers have increased significantly, including doing things digitally, and to be able to access services at a time of their choosing, noting that the idea of normal business hours fell away many years ago.116

6.113 WPIT is being approved and progressed in staged tranches. Work on the project is undertaken only to the extent of the government approved level of funding. In the case of the WPIT program, work is approved to 30 June 2018.117 Mr Murphy observed that from his experience, the level of investment in WPIT is not unusual, particularly given the nature of the transformation of the WPIT program, which is to truly transform the welfare part of DHS, which is a significant undertaking.118 He stated that he was confident that the value that is being delivered is matched by the level of investment. He noted that $104 million was returned to the budget in the last MYEFO as it was not required. 119

6.114 The second tranche of WPIT, which commenced on 1 January 2017, and concluded on 30 January 2018, focussed on students who access Youth Allowance and Austudy. The reason for choosing the student category was because as a group students are more digitally literate, so are a good group for testing systems design. The funding for tranche two was $313.5 million.120

115 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 47.

116 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 48.

117 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 51.

118 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 51.

119 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 52.

120 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018 p. 49.

110

6.115 Mr McHardie advised that DHS is not focussing on one core technology end to end: that the process 'is not a monolithic ICT build'. WPIT is replacing the monolithic ISIS system built in the 1980s by one vendor. The new system is using the right technology where it fits best across the four core functional blocks: interaction with the welfare recipient; claims processing; eligibility assessment; and a payment figure. All customer-facing screens are being built in-house by DHS, using open source software called Angular, which stops vendor lock-in. The eligibility assessment is built around the SAP business suite, where DHS has taken a vendor non-industry specific platform and custom developed it into DHS's own industry specific platform. A SAP payments system currently in use in the department to pay its own employees and several other departments is being used for tracking of the payments that go out to Australian citizens.121

6.116 Mr McHardie noted that DHS has gained considerable experience within the department of doing custom development work on the core SAP platform. Almost 500 public servants are now qualified and certified as SAP professionals, whether they are enterprise architects, developers or testers:

We now have a lot more control of our destiny, particularly when we need to work on core products such as SAP.122

6.117 Mr McHardie advised that the cost profile of WPIT has not changed. In having a better understanding of the available products and a capacity to do work in-house, DHS is in a better position to cost projects than was previously the case. DHS is constructing the WPIT program on the basis that each tranche is largely self-contained. The benefits are derived from the tranche, rather than being reliant on the final piece of work being delivered:

The days of monolithic 10-year programs, when you wait to the end to get the value, and I mean value both in terms of customer experience and also in terms of financial benefit, that boat has well and truly sailed.123

6.118 Mr Murphy observed that from a business point of view, it's not whether it's a large vendor or a series of small vendors; it's their ability to respond to the business need. It is not a question of big or large. What is needed is technology that is able to respond to the business need. I'm expecting that, in a program of the scale of the WPIT program a mix of capabilities will be brought to bear. DHS does not want to lock itself into a technology that might be overtaken in two, three, four, five years, for example.124 Mr McHardie advised that DHS carries the risk on the in-house approach

121 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018,p. 49.

122 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 50.

123 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 50.

124 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 50.

111

to the delivery of the ICT, whereas if a systems integrator had been engaged to build the system from top to bottom, the systems integrator would bear the risk.125

6.119 Mr Murphy further advised that DHS has adopted a key-performance-indicator (KPI) framework for its contracts with commercial partners. He stated that it is an evolving framework, but a considerable amount of discussion with commercial partners is about risk. Within the WPIT project, there has been a shift from a procurement focus where DHS chose ITS major commercial partners, to now managing the commercial partners using KPIs, frameworks, discussions and course setting.126

Committee view

6.120 The replacement of Centrelink’s legacy system, ISIS, represents a mammoth undertaking. The approach DHS has taken appears to represent a substantial divergence from the patterns of the path. It is too early to tell, but the committee is hopeful that this decision may pay dividends.

6.121 The committee is heartened by two aspects in particular.

6.122 First, DHS has acted to build its internal ICT and digital expertise. Almost 500 public servants are now qualified and certified as SAP professionals, whether they are enterprise architects, developers or testers:

We now have a lot more control of our destiny, particularly when we need to work on core products such as SAP.127

6.123 This has not substantially increased the cost profile:

CHAIR: If you were to compare the input costs for projects back in 2013, when you were more reliant on external providers to deliver these interactions with these big platforms, and where you are now, where you've got 500 people who are accredited and on staff, does that produce a different set of cost drivers when you're scoping up a project for the future?

Mr McHardie: I think it does in the initial costings that are put together for projects, particularly when there are government directed activities, where government is looking at a range of solutions that it could roll out to meet legislative change or new legislative policy, or when replacing large elderly legacy systems. We understand these products so much better now, and with us doing the in-house build we're able to cost up those bodies of work much more effectively.

CHAIR: So you're a more informed buyer when you do go externally, but you're also able to deploy internal labour to drive down cost?

125 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018 p. 51.

126 Mr John Murphy, Deputy Secretary, Payments Reform, Committee Hansard, 23 March 2018, p. 51.

127 Mr Charles McHardie, Acting Chief Information Officer, Department of Human Services, Committee Hansard, 23 March 2018, p. 50.

112

Mr McHardie: Correct.128

6.124 The committee believes that this is a clear demonstration of the benefits of bringing expertise in house.

6.125 Second, DHS has moved to shift more risk onto its contractual partners:

The DHS has also raised the spectre of shared incentives to ensure it gets the best possible resources for its vendors. It is yet to make a final decision on specifics, but flagged an increase in base fees as a reward for excellent performance scores, balanced by reduced base fees for low performance.

"Under each work order it is likely that fees will only be paid if specified miles are met" the department warned.

"There may also be liquidated damages payable for late delivery, and other remedies available to the department for poor performance."

…"The contractual arrangements are likely to require SI panel members to accept significant financial risk," it warned. The department is only inviting bids from organisations that have the depth to commit "significant financial and human resources" over the full five to seven years the project is estimated to take.

It cautioned that contractors will only be paid once milestones are successfully passed—meaning systems integrators could have to fund a significant commitment of resources for some time before they receive their first dollar.

Key executives from the successful panellists will also be expected to commit facetime to the department, especially if any disputes arise.

DHS has made it clear that panellists will not be paid for any work they put into the "competitive dialogue" phase that will result in integrators being picked for each different tranche of work.129

6.126 The committee is hopeful that building in house expertise and making contractual partners take responsibility for delivering to contract will help prevent some of the appalling waste and delay that has marred previous projects. It will remain to be seen whether the government is able to execute this new approach in the roll out of the remaining tranches of WPIT.

128 Committee Hansard, 23 March 2018, pp. 49-50.

129 Paris Cowan, 'Human Services gets tough on WPIT contractors', 2 August 2018, https://www.itnews.com.au/news/human-services-gets-tough-on-wpit-contractors-432237 (accessed 22 June 2018).

113

Senator Jenny McAllister Chair

Government senators' dissenting report 1.1 Government senators are supportive of the considered approach being undertaken by the government with respect to the digital transformation of government service delivery. There are few aspects of our lives that are not touched by technological changes and government service delivery is no exception. The Government has a central role in ensuring that it is easy for citizens to access government services efficiently and to the same or better standard than is currently the case.

1.2 Government senators also accept that digital transformation is a highly disruptive process. It is to be expected that a paradigm shift in the way in which people have traditionally communicated and conducted their business with government will not be without its challenges.

Leadership 1.3 The evidence before the committee has been helpful in articulating the complexity of managing the transition to digital delivery of government services. The evidence has shown that there is not a simple one size fits all solution. There are legacy issues which require individually tailored approaches—for example, the digital transformation journey for the Australian Taxation Office cannot be the same as for the Department of Home Affairs.

1.4 Government senators disagree with the majority view that a centralised mega-agency is the answer to the whole-of-government approach to digital transformation of government services. Such an approach to digital transformation is rooted in the old command-and-control view of the public sector that does not acknowledge the need for active engagement, flexibility and collaboration. The functions of government departments and agencies are diverse and distinct and it is important that the relevant corporate and policy expertise and knowledge are harnessed when transforming service delivery.

1.5 Where appropriate, Government senators support an approach where departments and agencies have the ability to build digital platforms and solutions to meet their particular portfolio programs. Such platforms and solutions should be leveraged as appropriate across the government and more importantly, should continue to place the users and their experience at the centre.

1.6 The majority report has criticised a supposed lack of strategic focus at the ministerial and senior executive level of the Australian Public Service (APS) in relation to digital transformation. Not only does this reflect a callous disregard for the hard work and dedication of senior public officials, but also a disregard for the facts. Government senators note that Cabinet has strategic oversight of digital transformation through the Digital Transformation and Public Sector Modernisation Committee (DTPSMC). One of the committee's objectives is to modernise the APS so

116

that it is best structured to meet the challenges that the digital delivery of government services so clearly pose. Decisions of the committee are Cabinet decisions.1

1.7 The Digital Transformation Agency (DTA) provides whole-of-government guidance through a range of measures with the DTA being tasked to develop a Digital Transformation Strategy for the Commonwealth. The strategy will be accompanied by a clear roadmap with key performance indicators which will set out important milestones to be achieved over the next two years.2 The DTA also sponsors the Digital Service Standard setting out criteria applicable to all government departments and agencies ensuring digital teams build government services that are simple, clear and fast.3

1.8 In addition, the Government's whole-of-government cyber security response is the responsibility of the Australian Cyber Security Centre within the Australian Signals Directorate (ASD).4 The ASD provides material, advice and other assistance to Commonwealth and state authorities on matters relating to the security and integrity of information managed digitally.5 Under the Attorney-General's Protective Security Policy Framework, ASD sponsors the Information Security Manual (ISM), and/however/outlining that responsibility rests with government departments and agencies to apply a risk-based approach to protecting their information and systems.6

1.9 The Office of the Australian Information Commissioner (OAIC) provides a whole-of-government perspective on information policy matters. The Information Commissioner reports to the Attorney-General on matters relating to Australian Government information management policy and practice, including FOI and privacy.7

1 Australian Government Directory, Cabinet Committees, Digital Transformation and Public Sector Modernisation Committee, available at: https://www.directory.gov.au/commonwealth-parliament/cabinet/cabinet-committees/digital-transformation-and-public-sector-modernisation-committee (accessed 14 June 2018).

2 Hon. Michael Keenan, MP, Address to the Australian Information Industry Association, Delivering Australia's digital future, media release, 13 June 2018, available at: https://ministers.pmc.gov.au/keenan/2018/delivering-australias-digital-future (accessed 14 June 2018).

3 Digital Transformation Agency, Digital Service Standard, available at: https://www.dta.gov.au/standard/ (accessed 14 June 2018).

4 The Australian Cyber Security Centre, https://www.acsc.gov.au (accessed 4 June 2018).

5 Department of Defence, Submission 7, p. 1.

6 Department of Defence, Submission 7, p. 1.

7 Office of the Australian Information Commissioner, available at: https://www.oaic.gov.au/about-us/ (accessed 20 June 2018). The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney General's portfolio with functions conferred by the Australian Information Commissioner Act 2010.

117

1.10 Government senators believe that strategic leadership is being provided not only by the Cabinet, but also by senior public servants. The government has a coherent strategy to implement the digital transformation of government.

The Australian Public Service 1.11 Government senators note the evidence before the committee concerning a general marketplace shortage of ICT professional staff, mirrored by a skills shortage in the APS. Dr Nick Tate from the Australian Computer Society referred to statistics on the overall ICT economy which identify that there is a substantial skills shortage for a range of ICT professionals. He stated that 81 000 new ICT professionals will be needed by 2022.8 This figure is significant. The evidence of Mr Shetler is also pertinent. He observed that the digital talent pool in Australia to be broadly based, but shallow, particularly for certain kinds of fields like product management for designing a service in a new way. 9 These shortfalls present challenges for the both the private and public sectors.

1.12 Government senators do not agree with the majority report's conclusion that the cause of the ICT skills shortage in the APS is the outsourcing of ICT products and services to external vendors. Government senators are of the view that the ICT capability issues within the APS is a consequence of a wider marketplace shortage of ICT professionals that makes it more challenging for APS to secure and retain a range of highly sought after capabilities and skills. Notwithstanding this, government senators agree that there is merit in the majority's recommendation that the APS introduce a specialist APS ICT career stream to address a market failure.

1.13 Government senators disagree with the contention of the majority report that unsuccessful projects indicate a broader systemic issue. Mr Ian Brightwell10 contended that the APS does not manage expectations by addressing the inevitability that there will be failures as part of the process of innovation and added that there needs to be a consensus as to what constitutes "acceptable failure". The government senators consider that the majority report is a clear manifestation of this point and behaviour.

1.14 While any failure is regrettable and should be addressed as soon as possible, it must be highlighted that over the period of this government, there have been hundreds, if not thousands of digital projects, both large and small, funded by the government that have been delivered successfully. For example:

• SmartGates (Department of Home Affairs) cleared 24.2 million people in 2016-17, up from 6.8 million in 2014-15. Installation of new SmartGates

8 Dr Nick Tate, Vice-President, Memberships Boards, Australian Computer Society, Committee Hansard, 14 May 2018, p. 31.

9 Mr Paul Shetler, Committee Hansard, 14 May 2018, p. 20-21.

10 Ian Brightwell, Submission 17, p. 5.

118

technology will allow 90 per cent of travellers to self-process at the border, cutting processing time to as little as 15 seconds;11

• A virtual assistant named Alex is providing better self-service capability at the Australian Taxation Office and IP Australia. As of 1 March 2018, Alex had more than 2.5 million conversations with ATO clients, resolving 88 per cent of issues on first contact;12

• The myTax service allows people to quickly and easily lodge tax returns online with information pre-filled from employers, banks and government agencies. Ninety-eight per cent of all individual incomes tax returns are now lodged electronically and 95 per cent of individual returns are assessed and processed without human intervention;13

• IP Australia has increased digital self-service adoption from 12 per cent to more than 99 per cent for more than 850 000 customer service requests, reducing calls by 15 per cent.14

1.15 Within this context of successful delivery, the very few examples handpicked by the committee represent very much isolated unfortunate exceptions against a background of high performance in the delivery of digital solutions.

1.16 Government senators consider that there is merit for a proposed separation of the roles of Chief Information Office (CIO) and Chief Information Security Officer (CISO) and the need for the CIO to be a member of a government department's executive decision-making body. Mr Ian Brightwell identified that the executive's decision-making process is vulnerable to poor judgement where the distinctly different functions of the CIO and CISO are combined.15

1.17 However, government senators consider these issues should be considered as part of the Thodey Review, which the government announced on 4 May 2018. The Thodey Review, which is to report in 2019, is tasked with examining the capability,

11 Hon Peter Dutton, MP, Minister for Home Affairs and Minister for Immigration and Border Protection, Completion of departures SmartGate roll-out, Media Release, Thursday, 25 August 2016 available at: http://minister.homeaffairs.gov.au/peterdutton/Pages/Completion-of-departures-SmartGate-roll-out.aspx (accessed 27 June 2018).

12 Australian Taxation Office, Introducing Alex, our new web assistant, 15 September 2015, available at: https://beta.ato.gov.au/Tests/Introducing-Alex--our-new-web-assistant (accessed 27 June 2018).

13 Australian Taxation Officer, MyTax replaces e-tax, https://www.ato.gov.au/Individuals/Lodging-your-tax-return/In-detail/MyTax-replaces-e-tax/ (accessed 27 June 2018).

14 IP Australia, Further recognition for Alex, 22 September 2017, available at: https://www.ipaustralia.gov.au/about-us/news-and-community/news/further-recognition-alex (accessed 27 June 2018).

15 Mr Ian Brightwell, Committee Hansard, 14 May 2017, p. 9.

119

culture and operating model of the APS to ensure it is fit for purpose.16 The findings of this review will be important as the APS drives policy and service implementation and uses technology and data to deliver programs and services for the Australian community.

1.18 The government's Digital Transformation Strategy—to be developed by the DTA—will operate in parallel to the Thodey Review by addressing the government's resourcing, infrastructure and business models to allow the government to engage with new technologies, and to challenge the current approach to service delivery within the APS.17

1.19 Government senators are of the view that the systemic issues of a general marketplace shortage of ICT skills and the executive role of a CIO should also be considered in the wider context of the government's revitalisation of the APS, which has not been reviewed since the Royal Commission on Australian Government Administration which reported in 1976 (the H.C. Coombs report).18

Common platforms and procurement 1.20 Government senators agree with the majority report in respect to the need for the development of common digital platforms for the delivery of government services for standardised information and standard circumstances. Government senators also concur with the majority report's view that government procurement policies and practices should be open to small and medium business enterprises (SME).

1.21 Government senators disagree with the contention of the majority report that outsourcing of ICT goods and services has eroded the competence or capability of the APS to undertake government procurement. Mr Martin Stewart-Weeks made the point that the procurement process itself is 'about as undigital as you could possibly hope for'.19 Mr Shetler observed that the business case funding approach to procurement 'does not do "agile" very well'.20 SCOA Australia observed that outsourcing had been undertaken to dramatically improve the technical ICT skills available to government departments, despite the later poaching of APS ICT staff by vendors.21 The evidence poses a more subtle set of circumstances than outsourcing of ICT goods and services being the cause of the APS' loss of capability. The evidence is equally open to the

16 Hon Malcolm Turnbull, Prime Minister, Review of the Australian Public Service, Media Release, 4 May 2018, available at: https://www.pm.gov.au/media/review-australian-public-service (accessed 15 June 2018).

17 Hon Michael Keenan, MP, Address to the Australian Information Industry Association, Delivering Australia's digital future, media release, 13 June 2018, P. 3. available at: https://ministers.pmc.gov.au/keenan/2018/delivering-australias-digital-future (accessed 14 June 2018).

18 Royal Commission on Australian Government Administration report, H.C. Coombs, 30 August 1976, available at: http://apo.org.au/node/34221 (accessed on 18 June 2018).

19 Mr Martin Stewart-Weeks, Committee Hansard, 23 March 2018, p. 2.

20 Mr Paul Shetler, Committee Hansard, 14 March 2018, p. 22.

21 SCOA Australia, Submission 2, p. 1.

120

view that the APS has not been responsive or proactive in responding to a rapidly changing technological environment, and hence the need to modernise the APS.

1.22 In fact, the government has been proactive in regards to procurement and already addressed the concerns of the majority through the implementation of a number of initiatives aimed to address a range of procurement issues:

• A Digital Sourcing Framework to provide a set of principles to achieve a fair,

effective and efficient ICT procurement process, including the use of open standards and cloud first approaches, as well as preventing platform duplication;

• Consultation has commenced on a new Portfolio Panel Policy with the aim of removing some of the burdens on industry sellers to government. It will focus on reducing the current number of panels and simplifying the process to join a panel thereby encouraging more opportunities for collaboration and co-design with buyers and sellers;

• The government has in place a Capped Term and Value Policy which limits

major ICT expenditure to not exceed $100 million per contract or a three-year initial term. The policy addresses the fact that ten ICT vendors accounted for 43 per cent of the dollar value of the government ICT expenditure. The capping on value allows SMEs to engage more directly as the prime contractor the government ICT purchase contracts rather than as sub-contractors;

• A Fair Criteria Policy will provide guidance across the end-to-end

procurement process that buyers and sellers must undertake. The policy will include considerations such as insurance, liability, security and financial criteria. The aim of the policy is to even the playing field for sellers of all sizes, and encourage competition.

• The Digital Marketplace that connects small business with government buyers

has transacted over $151m of business, with over 70% going to SMEs. The Digital Marketplace will continue to be updated and a new Training Marketplace capability will be added to give government buyers more focus and flexibility to source the training and development expertise they need from the marketplace.22

The Digital Transformation Agency 1.23 The majority report has incorrectly concluded that the DTA has no purpose or responsibility under its current remit. Nothing could be further from the truth. Government senators consider the position taken by the majority to be outmoded and reminiscent of a time when power was centralised in the central agencies—as Mr Paul

22 The Hon. Michael Keenan, MP, Address to the Australian Information Industry Association, Delivering Australia's digital future, media release, 13 June 2018, available at: https://ministers.pmc.gov.au/keenan/2018/delivering-australias-digital-future (accessed 14 June 2018).

121

Waller observed, institutionally there is much vested in the status quo.23 The government's decision to establish the DTA reflects the need to shift thinking to a new paradigm.

1.24 Government senators consider the DTA to be achieving exactly that which it was intended to achieve at every stage of its mandate. The DTA is the government's lead agency for the digital transformation of government administration. It has a whole-of-government focus for the development of strategy, policies and guidelines to assist departments and agencies to undertake digital transformation.

1.25 Responsibility and accountability for delivering the digital transformation agenda is properly the role of all departments and agencies across the government. Their role is an integral part of the legislative framework accountability of the APS, including the Public Governance and Accountability Act 2013 and the portfolio legislation administered by a department of agency for the delivery of solutions and services to citizens and business.

1.26 As part of its role, the DTA deliberately presents a different business model to the traditional APS hierarchical and bureaucratised approach. The DTA takes a collaborative and persuasive approach to change and innovation. This model is designed to attract a new generation and new approach to the business of government, aligned with Australia's future in a digital world.

1.27 In that sense, government senators believe that the DTA is taking a new approach that requires new thinking and organisational flexibility to find the best way for government to make the transformation to a digital future.

Senator James Paterson Senator Amanda Stoker

Deputy Chair Senator for Queensland

23 Mr Paul Waller, researcher, Committee Hansard, 14 March 2018, p. 4.

Australian Greens' additional comments Summary 1.1 The Australian Greens support improving the digital delivery of government services and welcome the opportunity to contribute to this inquiry.

1.2 In order to effectively deliver government services digitally to Australians, all Australians will need to have access to affordable, quality broadband internet.

1.3 Australians will also need to feel assured that the Government is prioritising the security and privacy of their personal information and communications.

1.4 We will also need to ensure that the needs of all Australians are met, particularly vulnerable groups and communities, by co-designing and testing with vulnerable groups, providing learning resources, using intuitive design principles, retaining adequate provision of non-digital channels, using plain English, and providing unmetered access to digital government platforms.

Affordable, quality broadband internet 1.5 Affordable, quality internet is fundamental to the future of our economy, jobs, education, essential services, and way of life. Fast, reliable broadband has the potential to transform the lives of Australians. The NBN is not just a piece of infrastructure; access to digital networks is a right and it is incumbent upon government to make it fast and affordable.

Prioritising security and privacy

1.6 Security of digital government platforms needs to be a priority, as noted in the submission by ACCAN:

As the digital sharing of consumers' personal and biometric details becomes an unavoidable part of government interactions, consumers need to be assured that their personal and business information is safe from unauthorised third-party access. A technical analysis of digital government's capacity to store and safeguard consumer data is timely in light of the Federal Government's ambitious adoption of cloud technology

to deliver its digital services and the heightened debate over data security on de-centralised cloud storage.1

1.7 ACCAN also notes that the Government's use of biometric data increases the need for review and discussion of the Government’s security practices:

A detailed discussion on the ability of digital government to manage private data securely is pertinent in light of the Federal Government's move towards using biometric data to identify individuals.2

1 ACCAN, Submission 11, p. 68.

2 ACCAN, Submission 11, p. 68.

124

The reliance on biometric technology as a recognition tool calls for answers on the procedures in place when one's biometric data is compromised by identity theft. Unlike passwords, an individual's biometric details are assigned at birth and cannot be reset.3

Needs of all Australians

1.8 ACCAN’s submission4 defines the needs of eight vulnerable consumer groups and offers recommendations on how digital government can be more inclusive for all groups:

• Free or subsidised digital literacy resources;

• Co-design with vulnerable consumer groups that begins early in

development;

• Use of intuitive design principles, such as a 'breadcrumb trail' and

universal symbols;

• Retention of existing, non-digital channels alongside digital platforms;

• Use of plain English to increase clarity for everyone, including people

with lower English proficiency; and

• Unmetered access to digital government platforms to partially address

affordability issues.

Recommendation 1

1.9 The Australian Greens support the recommendations made by ACCAN in their submission.

Senator Jordan Steele-John

Senator for Western Australia

3 ACCAN, Submission 11, p. 69.

4 ACCAN, Submission 11, p. 66-68.

Appendix 1

Submissions and additional information received by the committee

Submissions

1. Office of the Australian Information Commissioner

2. SCOA Australia

3. Federation of Ethnic Communities' Councils of Australia (FECCA)

4. Department of Immigration and Border Protection (now known as Department of Home Affairs)

5. Australian Information Industry Association

6. Office of the Cyber Security Special Adviser

7. Australian Signals Directorate

8. Mr Chris Hamill

9. Australian Taxation Office

10. Digital Transformation Agency

11. Australian Communications Consumer Action Network

12. Commonwealth Ombudsman

13. Department of Human Services

14. COTA Australia

15. Royal Australian College of General Practitioners (RACGP)

16. Community and Public Sector Union

17. Mr Ian Brightwell

18. Mr Paul Waller

19. Tangentyere Council Aboriginal Corporation

20. AusAccess Pty Ltd

21. Vault Systems

22. National Archives of Australia

23. The Australian Democrats (Qld)

24. Australian Small Business and Family Enterprise Ombudsman (ASBFEO)

25. 25 Project Management Institute

26. Paul Shetler, Jordan Hatch and Catherine Thompson

126

Tabled Documents • OCI Design Process, tabled by Mr Charles McHardie, Acting Chief Information Officer, Department of Human Service on 23 March 2018

Additional Information • Clarification from Mr Ramez Katf, Second Commissioner and Chief Information Officer, Australian Tax Office, received 17 April 2018

Answers to Questions taken on Notice • Department of the Prime Minister and Cabinet, answers to written questions on notice, received 13 March 2018.

• Australian Tax Office, answers to written questions on notice, received 13 March 2018

• Bureau of Meteorology, answers to written questions on notice, received 14 March 2018.

• The committee asked the Bureau of Meteorology to provide additional information in relation to an answer to the written question on notice received 14 March 2018. The Bureau of Meteorology provided an updated answer to the question on notice, received 22 March 2018.

• The committee asked the Bureau of Meteorology a supplementary question in relation to an answer to the written question on notice received 14 March 2018. The Bureau of Meteorology provided a response, received 5 April 2018.

• Digital Transformation Agency, answers to written questions on notice, received 14 March 2018.

• Department of Education and Training, answers to written questions on notice, received 14 March 2018.

• Department of Health, answers to written questions on notice, received 15 March 2018.

• Department of Finance, answers to written questions on notice, received 15 March 2018.

• Department of Education and Training, answers to written questions on notice, received 19 March 2018.

• Australian Bureau of Statistics, answers to written questions on notice, received 20 March 2018.

• Letter of clarification from Ms Samantha Palmer, General Manager, Culture and Communication Division, Australian Bureau of Statistics dated and received 21 March 2018.

• Mr Ian Brightwell, answers to written questions on notice, received 21 March 2018.

• Mr Martin Stewart-Weeks, answers to written questions taken on notice, received 26 March 2018.

• National Disability Insurance Agency, answers to written questions on notice, received 29 March 2018.

127

• Australian Computer Society, answers to written questions taken on notice, received 3 April 2018.

• Project Management Institute, answers to written questions taken on notice, received 4 April 2018.

• Community and Public Sector Union, answers to written questions taken on notice, received 4 April 2018.

• National Archives of Australia, answers to written questions taken on notice, received 5 April 2018.

• Australian Taxation Office, answers to written questions on notice, received on 18 April 2018.

• Department of Human Services, answers to written questions on notice from Hansard on 23 March 2018, received 24 April 2018.

• Department of Human Services, answers to written questions on notice from Hansard on 23 March 2014, received 7 May 2018.

• Department of Human Services, answers to written questions on notice from Hansard on 23 March 2018, received 9 May 2018.

• Australian Taxation Office, answers to written questions on notice No 6 received on 19 April 2018.

• Department of Human Services, answers to written questions on notice from Hansard on 23 March 2018, received 15 May 2018.

• Department of Human Services, answers to written questions on notice from Hansard on 23 March 2018, received 15 May 2018.

• Bureau of Meteorology, answers to written questions taken on notice, received 21 May 2018.

• Department of Human Services, answers to written questions on notice from Hansard on 23 March 2018, received 24 May 2018.

• Digital Transformation Agency, answers to written questions on notice from Hansard on 7 May 2018, received 24 May 2018.

• Department of Human Services, answers to written questions taken on notice, received 19 June 2018.

• Department of Human Services, answers to written questions taken on notice, received 19 June 2018.

• Department of Human Services, answers to written questions taken on notice, received 19 June 2018.

• Department of Human Services, answers to written questions taken on notice, received 19 June 2018.

Appendix 2

Public hearings

Wednesday 14 March 2018 Adina Apartment Hotel Sydney, Town Hall Sydney, NSW

Witnesses

Mr Paul Waller

Mr Ian Brightwell

C

ommunity and Public Sector Union Mr Osmond Chui, CPSU Policy and Research Officer

Mr

Paul Shetler

P

roject Management Institute Mr Mark Langley, President and Chief Executive Officer

A

ustralian Computer Society Dr Nick Tate, Vice-President - Membership Board

N

ational Archives of Australia Ms Teressa Ward, Assistant Director-General

O

ffice of the Cyber Security Special Adviser Mr Alastair MacGibbon, Cyber Security Special Adviser

A

ustralian Signals Directorate Mr Mike Burgess, Director

O

ffice of the Commonwealth Ombudsman Ms Jaala Hinchcliffe, Deputy Ombudsman Ms Louise Macleod, Senior Assistant Ombudsman, Operation Branch Ms Fiona Sawyers, Senior Assistant Ombudsman

130

Friday 23 March 2018 Parliament House Canberra, ACT

Witnesses

Mr Martin Stewart-Weeks

A

ustralian Taxation Office Mr Ramez Katf, Second Commissioner and Chief Information Officer, Enterprise Solutions and Technology Mr John Dardo, Chief Digital Officer and Deputy Commissioner Digital Delivery, Enterprise Solutions and Technology

D

igital Transformation Agency Mr Peter Alexander, Chief Digital Officer, Digital Division Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office Mr Daniel Bamford, Head of Portfolio Office, Digital Investment Management Office

D

epartment of Human Services Mr John Murphy, Deputy Secretary, Payments Reform Mr Charles McHardie, Acting Chief Information Officer Mr Jason McNamara, Acting Deputy Secretary, Integrity and Information Ms Maree Bridger, General Manager, Child Support and Redress Ms Liz Bundy, Acting General Manager, Integrity Modernisation

D

igital Transformation Agency Mr Peter Alexander, Chief Digital Officer, Digital Division Dr Lesley Seebeck, Chief Investment and Advisory Officer, Digital Investment Management Office Mr Daniel Bamford, Head of Portfolio Office, Digital Investment Management Office

Monday 7 May 2018 Dialogue Business Centre Barton, ACT

Witnesses

Digital Transformation Agency Mr Randall Brugeaud, Acting Chief Executive Officer Mr Peter Alexander, Chief Digital Officer Dr Lesley Seebeck, Chief Investment Advisory Officer Dr Anthony Vlasic, Chief Procurement Officer