 Well, good morning, and can I welcome everyone to this, the 30th meeting of the Public Audit Committee in 2022. The first item on our agenda is to agree to take agenda items three and four in private. Is the committee agreed? We are agreed, thank you very much. Our principal item on the agenda this morning is consideration of major ICT projects and the latest Scottish Government update, which the committee routinely receives. Can I welcome our witnesses this morning? We have Sharon Fairweather, who is the director of internal audit and assurance. Jeff Huggins, who is the director digital, and Yoroth Turner, who is the welcome deputy director of digital people, strategy and corporate services, director at Scottish Government. I hope that your salary reflects the length of your job title. There is no opening statement, so we are going to go straight to questions. I want to open by inviting Willie Coffey to kick us off, Willie. Thank you very much, convener. Good morning to the panel. Jeff, I wanted to start with yourself with me in your submission to, as you mentioned, some spend control issues with a couple of pilot projects, the Scottish Government's payment service and telephony services, but you were looking at spend control issues and you have highlighted that in your letter. Can you tell us a wee bit more about the outcome to that, because my intention was drawn to something that you said here that, on the basis of the pilot work that you did, we are developing new thinking on how to secure greater value and improved outcomes in respect of digital delivery. Can you give us a wee glimpse of what you mean by that and what the actual outcomes were to that process? The background is that, about two years ago, we began to do some work, mirroring work, that is happening south of the border in respect of spend controls, which applies in a number of areas such as recruitment in facilities and contracts. In that particular context, we were looking at it in relation to digital projects in terms of developing models by which we would effectively do an assessment of the decision-making that has been made in respect of a particular digital project to assess both the elements of the commercial strategy, technology choices and understanding of things such as lifetime costs. We had worked through the process, both in developing a greater understanding of how we spend money, both by doing procurement analysis and looking through budgets. The process effectively developed a review model whereby a team of people with expertise would engage with a programme team taking forward an ICT project to make an assessment and then offer a report and feedback. The intention at this stage was to be exploring effectively how to apply and when to apply controls. Again, as we discussed in March, the process interacts with the kind of officer responsibilities and effectively the mechanisms by which we control expenditure more generally. Much like Sharon's area of work around assurance, what we effectively have is a cross-cutting piece of work looking across portfolios, and that was the thinking. Across the summer, and I mentioned that in my March evidence, we identified two ways in which we would take the work that we done out and apply it in practice. We did that in respect of some work on future telephony solutions for the Scottish Government and looking in the context of hybrid and new opportunities. I guess that moving away from things like having a phone on your desk with your number, because you might not be at your desk every day, you might be somewhere else and needing to contact people. We also did a retrospective look at the decision making in respect of the payments programme. Neither of the reviews identified any particular problems or challenges. The challenges that came out are the ones that I have said in the letter, one of which is that doing the reviews is quite resource intensive. It would be a process that we could probably only apply to a limited number of programmes. The second issue that we identified with that was that it is difficult to move away from the individual judgment of assessors in the absence of having clear frameworks. We have a number of those frameworks in place for things such as design standards, accessibility standards, but in terms of some of the other areas, we are still in the development phase in respect of things such as commercial standards and data standards. I think that what that gave us alongside the interaction with the assurance process, which Sharon has offered you a fairly comprehensive letter on, gave us a pause as to whether that was the best value for money way to try to get value for money. As you have seen in the letter, we have identified at this stage a different course, not to say that we would not return to a similar spend control style model, but on the basis of having put in place some of those clear frameworks against which assessments are being made to enable us to operate that way. The other couple of things that you had mentioned is that increasingly we are also looking beyond making individual judgments of programmes to begin to apply red lines to expenditure, so things that must be done or things that cannot be done. An example of that is in terms of the work that we are doing in respect of cloud services. We might expect Scottish Government teams in developing new programmes to use the Scottish Government's contracts for clouds rather than to go out and take separate clouds, both in terms of value for money but also because we can share infrastructure and support and things like that. That idea of a red line becomes quite significant as well. In that answer there was a little bit that said that we probably would not be able to apply that to all projects. That is one of the lessons that you have learned. Perhaps you mean by that that it was too much investment to try to get that kind of information that you could then apply across the board. Does that give you any risk that you might be worried about if you do not apply that rigor across the board? There are a number of things that we currently do. Over the last three years, we have seen the development and implementation of the digital commercial service, which is a partnership between my directorate and Nick Ford's procurement directorate, which is intended to ensure that those who are engaged with digital and in purchasing and developing services have got the best quality commercial advice in place. It is intended to do that. There will be an element of value for money that is picked up also through the assurance process. However, the broader set of issues—that is what I covered in the second half of my letter—is beginning to think beyond individual programmes of work as to which are the digital interventions that we want to make over the next three to four years. As you will see from the schedule that you get, there is a very long list of different programmes of different sizes that we are currently engaged in. Our thinking is that we probably need to become more parsimonious in those things that we select and then manage those more aggressively with the appropriate capability and resources in place to execute properly. We are probably looking at something that lifts the approach up from the individual that we need to do this to what does the overall system need to look like. On the digital assurance framework itself, it gives rise to the next question about how we then make sure that we have the right people and the right balance to conduct reviews to a particular piece of work. That is one for you. I am looking at the organogram that has been submitted as part of your material. It looks a fairly complex structures, officers and responsibilities throughout that. What that means in practice and how you would, given what Geoff has just said, choose which skills you deploy to particular reviews that you undertake? Yes, certainly. There are several elements to the work that we do. One is around the engagement with all the public bodies to get the record, build the register of the projects that are on going out there and to do the assessment as to what level of assurance those projects are going to need. We have a pool of engagement managers who do that, who keep liaison contact with the bodies throughout the life of their projects in order to maintain the register and to maintain that engagement. Where projects are identified as major projects, then the review team that is put together is led by a review team leader that is accredited by the UK infrastructure and project authority. They are skilled individuals who are very experienced in undertaking these reviews. What we aim to do is to put review teams together that are going to be able to follow a project through the life of the project, so that all the different assurances at the different stages and their teams may be supplemented by individuals with the right skillsets from the Scottish Government, if that is appropriate. That covers the major projects. As far as the digital assessment against digital service standards is concerned, we have changed the approach that we have taken to staffing those recently. We used to call on individuals with the relevant skillsets in the DDAP, the digital data and technology provision across the Scottish Government. We would pull people in for individual reviews out of their day jobs, if you like, but that was not proving a particularly effective way of managing the resource. We have now seconded individuals into our directorate for a period of time so that they can work exclusively within our directorate on digital service standard reviews for a period of time. Two years is the timescale that we were setting for the secondment, which means that we are bringing in really relevant skills into our directorate to undertake the reviews. We are giving them a different set of skillsets as a result of the reviews, and then they go back out into the organisation. There are three different strands of skillset that we use for the digital standards that we have set out in the letter. One of the issues that comes up and has come up regularly in the committee is when a piece of software has been commissioned right at the outset, the specification of that, the design, the embracement of quality standards, all that stuff. If you get that right, you have a chance that you will get everything right. Where does that sit within that framework? Where would that be, and where has that assurance done? The very first stage that we do within our technology assurance framework is that initial stage, looking at the set-up of the project, looking at the reasons why the project has been taken forward, what the objectives are of the projects, what the outcomes are, looking to achieve, whether there is the right level of planning in place, whether there is the right resource in place, whether there is the right skillset to deliver that. That is the very first gate, if you like, that we do within our major project reviews, is to ensure that, before we even go into the procurement phase, that the projects are set up as best they can for success at that early stage. That includes software development skills, ability, quality management, experience of the tools that are going to be used, all of that, or the technical side or the appraisal of whether the team is capable of delivering what the requirement is. Is that done in there? Yes, that is what we look at, and whether they have the right resource in order to deliver the project through to completion. It is often where we have the biggest concerns about resourcing, both about budget availability and availability of the right staff to deliver a project. I have noticed some part of the submission as well. The DAO was established in 2019, but the last time that project was stopped for any reason was 2019 as well. Has the experience had benefited you from identifying as early as possible whether a project should or shouldn't go forward? Are you saying that, since the DAO developed this process, every piece of work that has been undertaken has successfully gone through at various stages to completion? We have not had to stop a project since 2019, but the statistics that we have provided around the outcome of reviews that only about a third of major digital project reviews go through to the next stage without needing to undertake some form of remedial action, which might be pausing the project at that stage in order to put corrective measures in place. If we don't think that they have the right level of resourcing, for example, we will say that we cannot go on to the next stage of this project until you have addressed those things. We will ask for action plans against recommendations and we will follow up against those action plans before we allow them to proceed to the next stage. We think that that is helping projects to progress to completion successfully because we are trying to catch as much as possible, as early as possible, when they have time to rectify it and before the problems build up later in the process. Not that we are asking for it, convener, but is it possible to see that stage assessment so that if we wanted to see what the technical appraisals were of a piece of work at the beginning, we could see the review process being undertaken and being signed off, could you see that? You would like us to set out all the different elements that we look at for each of the individual stages. We can certainly provide that, that is not a problem. I was not specifically asking for it, but I was just asking if it is possible to see that if one wanted to have a look at that process. Yes, we can certainly provide that. Probably just when you are up my questions, convener, about common themes, identifying common themes and issues in learning, good practice and sharing good practice, which is another common theme at the Audit Committee. How do we capture all of that, lessons learned, sharing good practice to make sure that the best possible solutions are being deployed? There are several things that we do and are doing. We work very closely with Geoff's team, we work very closely with the centre of excellence around programme project management, and also within our team we try to gather together good practice. We have just seen from the letter that we have recently recruited in a continuous improvement individual who is going to be focusing a lot on that. However, we try to link up projects with other successful projects so that when we know that somebody is undertaking a project or programme and we have seen that done successfully somewhere else, we will try to link up the organisations so that people can learn from each other around good practice. The social security programmes have been well managed and well done, and we are drawing out lessons from social security in order to disseminate with others. We are trying to tie in together all those individual elements of getting messages out around good practice. We also report through to the Scottish Government DG Assurance Meetings and the Scottish Government Audit and Assurance Committee, where we try to disseminate good practice and indications of where to go for lessons learned, etc., as much as we can. However, there is more that we need to be doing. There is no doubt about that. The DEO itself assesses the effectiveness of that process. Is it by results that projects are getting through to completion and they are not being stopped and they are not overrunning in budget? Is that how you would measure the effectiveness of the processes that you are applying? That is a fair comment, because lack of failure is a success to us. We get feedback from the clients that we provide a service to and our major reviewers are independently accredited by the UK authority. However, for us, yes, lack of failure is a sign of success. Many thanks for that. That is a positive note to end on. Thank you very much, convener. I am now going to invite Craig Hoy to ask some questions. Thank you, convener, and good morning. I have just a few questions from relation to the Scottish Digital Academy. I suppose that I want to explore the impact of the academy and the courses that you have put in place. The First Minister's Digital Fellowship and Digital Champions programme has obviously been launched and undertaken. What impact is that having on the ground? We launched the academy in 2018 and we started with around six courses focusing on agile delivery. Since then, we have increased that. We now offer 41 different courses in a variety of topics, including agile leadership, cloud and things and skills, but it is also focusing on the wider skillset that people need to engage with digital transformation as well. It is not just for people in digital roles, it is how they understand how to engage with digital projects. We have now had over 4,500 people through the academy over the period. We have shifted into how we deliver over the pandemic as well. We were fully in-person. We are now very much online and hybrid delivery to enable people everywhere from Shetland Island Council to the borders to be able to access our services as well. We have also changed some of our funding models so that we can bring in more people without having to put a barrier up for them at the same time. What we are seeing through that is better engagement with digital transformation in organisations and that real drive to push to fasten them and make them quicker and recognise that they need the skills to deliver them at the same time. What we started with was looking at giving individuals the skills to deliver the transformation and what quickly became apparent was actually the wider organisation needed to understand how to set themselves up to deliver an agile methodology as well. We then started working with procurement teams, HR, Finance, to make sure that they had the right audit and artefacts to make sure that we knew that there was good governance in place as well. The fellowship programme as well we started in 2018-19 and that is a way of seconding industry experts into Scottish Government for up to 23 months and occasionally slightly longer if we work with the commission if there is a need. It has worked particularly well. We have now had 10 fellows and we are just bringing in an 11th as well from various organisations through SOPRASERIA, Deloitte, Digital, LIDOS and some others as well. That is in roles that lead transformation as well. We have had fellows in the digital directorate. We are now helping social security Scotland to bring in a fellow as well. It really allows us to share the expertise because all of our fellows come in and give sessions to civil servants, both fixed-term and permanent, to share their abilities and what they have learnt. Most recently we have run ones with Alasdair Hahn, who has joined us who previously worked at Skyscanner and NSS on how they built engineering teams and how that works. We have been able to share that in and look at what is right within the Scottish Government for it as well. We have still got a long way to go because we are still suffering from skill shortages, just as everybody is as well. However, we are investing in our own people to bring them in and try to find new pathways in so that they can join programmes. Do you know what the total cost of the academy has been to date? To date, not off the top of my head but I can certainly provide that to you. We run an annual budget for the academy of around £600,000 for delivery costs and there are staff costs on top of that. However, we have worked out up to around 2019-2020. We are estimating that we have saved the public sector around £2.5 million for courses that might have been procured on the open market, which are much more expensive to run. How do you determine which courses to offer in-house and to bring in external suppliers for? What is driving the choice of course subject matter? We do user research with our user base about what skills they need now, but also in 12 or 18 months. We go out and work with delivery bodies, agencies, course Scottish Government and where are your shortages and what do you need to help with. We also have contacts in our procurement directorate to see if people are asking for procurements with the major learning providers to see whether we can meet that need instead as part of it. We build our curriculum and there is enough flex because we work with a model where I have some in-house staff who deliver, who are experts in things, which means that we can create our own courses. We also work with partner organisations to deliver for us with flexible contracts that allow us to scale one course over another if there is a need and a demand for it. Have you done any benchmarking to assess the level of investment that you put in relative to, let's say, Governments like Singapore, for example, have almost adopted a digital delivery first principle? Are you lagging behind those Governments that are being ambitious in their approach to this? I haven't done formal benchmarking with it, but we do have relationships with the Canadian Digital Academy at the moment who are equivalent-ish about public sector size. We are much smaller than them, I have to say, on that. We are probably not as far along in our journey on that as well, but it is certainly something that we want to look at benchmarking formally. If you look at UK Government who have recently closed their digital academy and have sort of tuned it into the Government Skills Curriculum Unit, which is a much larger space looking at professional learning generally, so there are resources available elsewhere that we need to make sure that we are not duplicating. That was going to be my next question. Obviously, identifying as a digital academy puts into a silo, is there a broader suite of training provision and skills provision within the Scottish Government, the Scottish public sector, that you could come together with to create a more holistic approach? Absolutely. We work with our people directorate colleagues about that, especially the leadership skills that are needed in this space, and we are meeting with them to align our leadership curriculums to make sure that, again, there isn't duplication, that it's a clear, what's most important is the user pathway and the user journey in this, so that they only access the service once, and it's not confusing as to where they go. It's slightly difficult, I have to say, because all of my courses need to be accessible to the entire public sector in Scotland, so I can't put them behind on a closed learning platform. They have to be searchable on Google so that people can find them, whereas traditionally most in-house learning offer is on a closed learning platform, which you can't find from outside of it. Just in terms of driving take-up, could you give some indication of the methods and methodologies and the marketing that you're engaged in to make sure that you get buying and take-up within those broader range of Government organisations in Scotland? Absolutely. We also, for a coaching service, as part of the academy, work with senior leadership teams across the public sector in various organisations to help them to understand what their problems are and whether we can help or not, if they need some other help. That's where we then see that change and shift, and then becoming evangelical about it almost. You need to get on this, we need to get our teams on it and things because the feedback is really good, but we also make sure that we're in attendance at things like civil service live and events out there so that people know who we are and can talk about us. We attend conferences to share our learning. We also launched a new website this year so that people can access a book and find out what we do. We're also sharing success stories or case studies for work that we've done with Police Scotland, Dunedin Angus College, National Libraries, about what the end-to-end journey for them was and how we've helped them as well. If you push up against any resistance, be that institutionally or in terms of individuals, what typically is that resistance? Often cost and time. We have to recharge for some of our services because we have to recoup, otherwise we have to pull back on others. The time it takes to take people through training because it's not a half an hour and you're fully up to speed, it's a continual learning journey, and proving the investment that's quite difficult because it's not an immediate case of if you spend half an hour or two days here, you can at the end of the process achieve an X saving, but we're trying to work through what those metrics actually look like now so that we've got a better case to say it's absolutely proved. We know it's proved and people in the community and learning profession know the value of it, but selling that in more tangible metrics is quite difficult. I'd also like to pick up that theme of cross-departmental working or collaborative working. Jeff Huggins mentioned back in March and you referred to it again just this morning about the digital commercial service, which I think sits within your directorate but operates as a joint function with procurement. I wonder if you could develop that a little bit and tell us in what way that has changed the way procurement works or changed the way contract management arrangements work. Sorry, the decision to create the unit was based on a clear need to offer expertise, not least because quite often when we begin a technology project, we take it from the perspective of policy and intent. In terms of the particular skills that we're looking to bring into that, that knowledge of contracting contract management value over time, but also understanding the costs that may not be apparent at the outset of a process, issues in terms of things like vendor lock-in, access to data and the commercial value of different aspects of the contract. Our experience has been that it's a very welcome service in that it does bring that degree of expertise and assurance, but it also brings a particular expertise into the area for those who might not be commercially minded. In terms of how we're thinking in terms of quality digital provision across government, we're looking to broaden that out beyond commercial to have clear data frameworks in place, clear architecture frameworks. We already have the design framework, but we need to be a bit more explicit about our capability framework. In addition to the work that Sharon's team already does in making an assessment of teams, we need to understand across each of those five domains that there needs to be an appropriate set of arrangements in place, a clear understanding of what's required and all those things have to happen effectively if you're going to get the good outcome that you want alongside good programme management. We've taken the idea from the digital commercial service and begun to extend it across those other domains in such a way to try and tie what we're doing at a government level together, as opposed to seeing it developing independently in different parts of the organisation. One of the things that the Auditor General has been speaking about is the ambition of more innovation in the public sector, and it's even used the expression risk taken. Do you think that you are doing things that are innovative, which involve taking some risk, calculated, I presume? I think that there's different ways and different areas in which we take different approaches. Fundamentally, I'm keen to do some really dull things, which are about effective programme delivery, which delivers good services for people. Most technology that we use on a day-to-day basis is relatively straightforward. We do things like we make a payment, we apply for something, we look for a licence, we might update a record, we might make an appointment. None of these technologies are out there innovative. The challenge is to make them work really well for citizens so that you don't notice that they're happening, so that they just become part of how you do your life. That requires a lot of hard work in terms of design, data management, architecture. It's things like the work that we're doing on Citizen ID, things that we're doing on cloud, but most of the stuff that we're doing is—I'm really sorry, but it's really quite dull. Ultimately, our objective is that most of the things that we do you don't notice, because they just become part of your expected life. At the same time, I then have a lovely group of people over in CivTech who are doing innovation exactly for things out there that you might not have contemplated or thought about, which have the potential to build businesses in Scotland and have the—so running over the next period of time two challenge cycles a year, so the challenge cycles in CivTech 8 are focused around a range of environmental challenges. We're effectively asking people to think beyond the normal, and you may have seen some of the coverage on the BBC in terms of using sensors and technology to track beaver burrows, which I'll confess that I hadn't imagined would be a business at some point in the future, but it would appear there's a technology there, which is the potential to grow the economy, solve real problems and is very much in that innovation space. So it allows us to do, I guess, that innovation in a controlled space over here while doing the really important and very dull work that we try and do in digital over here at the same time. Thanks. I mean, you mentioned in the passing there citizen ID. Could you tell us what that is? One of the citizen identification—it's basically the piece of work that the Scottish Government's been working on since about 2017 to effectively give the individual who wants it an identity which they control, including the use of and the information related to it, so that when they come to log on and apply for a benefit, that they can basically demonstrate who they are. So I guess a key example that we've seen of that over the last two or three years would have been your Covid passport, your status app, which basically enabled you to demonstrate that you had what your vaccination status was, but it also had to know that you were you, so that you weren't just running around with a piece of paper that said, you know, Joe Bloggs. So that ability to verify that this person is that person and to use that in the digital landscape, I guess it's a bit like your bank login, and the proposition is that it enables you, having created your identity and used it for one purpose with government, that you can then use it as you choose under your control for other purposes. So it's quite interesting because it's a piece of work that Sharon's—and I thought of mentioning it in the earlier question—team reviewed in this summer of 2021 as a piece of work that was going on then, and it was one of the reviews which came out fairly red, and we had a long think about whether to continue with the programme or not. Over the last 14 months, we've taken it from being fairly red to being amber green in terms of review, and the work will go live in February of next year with Disclosure Scotland, and it will be a mechanism that they use as part of their process of issuing disclosure certificates, but the intention then is, if you've created an idea for that purpose, you might want to use it for another purpose. It's intended to get away from the fact that, for every service that you access from government, you've got a different login and a different password, and having to remember that so that you can seamlessly move between services. If I take myself as an example, I've got—I've had a Covid passport, I've got vaccination certificates and so on, so do I have a citizen's ID? No, not at the moment. No, you don't. You effectively what you have is—you have those different things. The choice down the line is if you wanted to have a thing which you could use to do more than one thing, you could have it. You don't think primary legislation would be required in order to do that, for example? It's entirely within the control of the citizen, so no—the UK government is considering whether it requires—because it is also doing work in this area—under the one login scheme, and it's considering whether it requires legislation for some aspects of the scheme, and we'll continue to follow that. However, in terms of where we are with the process and the decisions that we've made so far, no, we don't require primary legislation. Craig, why do you want to comment on this? Yeah, just a brief question. If I may, I think that you last—what before us—you referred to the cost of the Covid passport scheme and the cost of the infrastructure and the architecture for it. Do you know if the final published costs included—what I think you referred to—a fee per person that registered that I think was paid to a third-party agency or something in terms of that verification? Do you know whether or not the total published costs of the scheme ended up including that nominal subscription fee per registrant? I'll be honest and say it. I haven't seen the final costs, but the one component of the cost—and I guess this is one of the components that we want to not have to pay again and again—is the process by which they used a particular product to verify that this person is that person using biometrics. If you recall, and the cost per item of that was—I can't recall, but it was more than a pound. Imagine that every time if you created a new login for a new service, we had to pay that pound. The idea is that once you've done that, you've done that. Before I pass over to Colin Beattie, I'd also like to take up a question about one individual project that came out in the July summary. That was the Highlands and Islands airport's limited air traffic management strategy programme, the remote tower solution. In the narrative in the report, it says that this project has been paused. I mean, my understanding is that it's been abandoned. My first question is, what is the status of that project? Secondly, £45 million of public money had been allocated to it. What's happened to that £45 million? Sharon? I don't have the answer to the second part of your question. We can certainly come back to you on that. My understanding is that the programme is now rethinking the programme. You'll get your next six-month update before Christmas, so you'll have a further update on that in the next couple of weeks, which will give a clear picture of where the programme is. However, my understanding is, yes, that they're rethinking the whole programme. That will still be listed in the updated... You'll have a follow-up in the next update that you get in the next couple of weeks. We'll have a follow-up to it in the current position. Okay. I'll keenly look for the language that's used in that. I'm going to bring in Colin Beattie. Historically, there's always been a shortage of skills. There's always been a shortage of bodies in the area of digital posts. I presume that still continues, as far as I'm aware. How do you recruit people for those posts, and how do you specifically ensure that the mix of skills and resources that you need are within that recruitment process? I'll offer something at a higher level, and then I'll bring Yareth in more specifically on the recruitment process. One of the challenges that we've identified is... The quantum of resource against the number of projects, there's two ways to solve that. You can have more resource or fewer projects. One of the things that we need to look very carefully at is whether we're trying to do too many things and whether we should scale back the activity to the capability that we're likely to be able to have and the resources that are available. Partly because the experience is that when we overextend ourselves, then we reach into the contractor market and the managed service contract market, and those begin to raise the cost of delivering a programme and begin to reduce our control. At a macro level, one of the challenges that I'm seeing for 2023 is to begin to think what's the size of the programme and can we ensure that we're not sizing the programme at a size that is bigger than the capability to deliver? I think that those things potentially can get out of whack. Partly that's in the context of lots of individual decisions being made as to what to convince, which then takes us into the situation where I'm competing with Sharon and I'm competing with Health for the same resources. One of the things that I'm leading to in my letter is that we need that corporate understanding of what we're collectively trying to do and to size it within the capability. You're also already referred to some of the work that we're doing in respect of the digital fellows that we've brought in in terms of having a really good understanding of what team composition should look like and how we both the individuals and the structures. In my mind, quite often, I would think more at the team level than at the individual level as to how many teams I've got in place to do digital activity rather than just at the how many architects or how many programmers, because, ultimately, the unit here isn't the person, it's the team, but yours can say a bit more about the work that we're doing on recruitment. Are you still paying off-scale to recruit a digital area? What do you mean by off-scale? Several years ago, you were paying according to a civil servant scale for people coming in to technology, but then, because of the shortages, you took that off-scale and started to pay according to market. We offer an allowance for DAT professionals, which, at the moment, I think is. For our BNC, that's £5,000 on top of standard salary scales. We work with standard salary scales but an allowance, which reflects the market dynamics. Are you satisfied that that brings salaries to a level that is competitive? I'm going to bring yours in. I am, because we've worked through this very carefully, because one of the big questions for me is where are the challenges in recruitment? Is the challenge that we're not paying enough or is it that we're not offering a good enough job? I think that what we've been working through has identified that we do pay well enough, so we need to work on the quality of work, which we've been doing in the recruitment process, but you're the expert on that. I did a full benchmarking exercise in March-April this year, because there is a business case for the allowance that we do that gets renewed. That was using the Aon Radford Global Compensation Database for market rates for all of our roles, and that's what the adoption of the digital data and technology frameworks allowed us to do, because we've standardised the roles that we have in teams across. It showed that, whilst there are outliers generally, we're not too bad. Around 60 per cent of our roles pay between the 25th and the 75th percentile of the market rate, where we really see differences, is in our most senior posts, which is not unexpected, and in our more technical spaces like cybersecurity and architecture development operations and things like that. What we did as a result of that benchmarking was increase the allowance from what was £4,000 to £5,000 to address that, to bring that in line of where they were. Our turnover rates are much, much lower than industry comparatively. Once people come and join us, they tend to stay. In industry, it's around 18 per cent, ours is around 8 per cent. What we find whilst there's internal churn as well, the work that people get to do when they're with us is what is most rewarding. That's why what we've done as well is develop a business case to implement a specialist recruitment service to bring in digital people, recognising that the market is very competitive in this. Most people in this place have got multiple job offers and can't wait for our usual timescales. We need specialist people who know the market and where to talk to people and sell what our employer value proposition is about why it is so good to come and work for the Scottish Government. Even if you don't stay for 20, 30 years and you're only with us for two, three years, that's absolutely fine and we really love you to come as well. We're embedding that at the moment and we've been working over the summer to define that service module using people who've got digital market expertise and know how to do the candidate management of people because it needs much more active engagement and shortening of timescales as well because the people aren't waiting around and we need to make sure that we're changing our systems to account for that as well. Given the competitive market, you wouldn't think that £1,000 extra would swing it one way or the other for a senior IT person? You wouldn't necessarily. We have also changed some other things so it used to be paid after a nine-month qualifying period. We have now changed that so it's paid after three months but it's retroactively paid to the start date as well but it's not all about the salary level because we're never going to compete with some of the biggest payers and I don't think that as a Government we really should be trying to at times. What we try and sell is one, as I said, the work that people can do but also the additional benefits that they get from working in the public sector, which is the additional flexibility about when you work, where you work, the additional holiday allowances, potentially the pension contributions that you would get as well because there are other benefits for working in the public sector. One of the things that I've been aware of having been in the private sector previously was employers encouraged employees in this area to move on after a period in the job. The reason being, they go out there, they get more skills, more experience, a broader exposure and then they come back in a few years time with much higher skills. What you don't want is somebody that's going to settle down for 20, 30 years and just be in that groove and tick the box. Is that the consideration you've taken? Yeah, absolutely. That's why we've implemented our career pathways using the DDAAP framework so that people can see the skills they need to develop and we support them through the academy and others to develop those skills as well to move around internally, be that in digital directorate, in agriculture and rural economy, social security and also support outward circumvents where we can as well as inward circumvents so that people can go out to industry. We also are looking at how we use the kind of reinstatement rules potentially so that people can go to private sector and then come back to government within the limits set out by the commission that allow them to do that and build those skills and support and really changing our thinking to say even if we're building the skills in the sector, in the market, if they leave us they still retain in the sector and Scotland needs that. There were 22,000 digital jobs advertised in Edinburgh and Glasgow last year according to Accenture and we're never going to meet that on our own and we need to work together as an industry to help meet that need. It is quite interesting as a challenge because in terms of recruitment because historically the model of civil services there is a lot of candidates applying for a small number of jobs and we need to apply some very fair and transparent processes. In this area, many of the people in the digital world never apply for a job. They get approached on LinkedIn, they get tapped up by a friend in a different company and I've seen applications in other areas where they say almost they don't fill any of the competences they don't give any because they're in a very fluid market where they effectively what we then have done is we've done research as to why people join to actually understand why some people in the context of government or the NHS or which seems like an odd thing to do if you're a technologist why do people actually join us and the two main motivators are the work is of value and they take a long personal value for it and the second is they get to work with people they want to work with you know so that means the environment that you're working in needs to be effective and needs to be productive in that process so it is quite I think the two to four year element it also requires us to get into a situation where we don't presume we've recruited somebody and we've now got them you know it means it does take us into a situation where I think over the next three to four years we're going to be engaged in a lot more continuous improvement as people effectively rotate through our system and back out into the private sector you know as you described which is is really desirable but it requires you know our approach to how we're actually sort of you know managing that flow to be quite different from what it would be traditionally for civil servants. Can I ask for an interpretation in your letter actually Jeff? You state target support and greater control of digital capability is that simply about sharing resources and people? It's a bit more and it comes back a bit to the point that I made earlier as to whether we're trying to do too many things some of the time and you know it's certainly in talking to the minister Mr McKee and and talking to JP Marks the permanent secretary you know they they clearly think that we should be managing our capability across the organisation in a different way than we currently do and so the conversations that we've been having and you know which we'll have next week again at the digital board are beginning to think effectively about how we actually do that both in career development but also in allocating people to priority areas of work so we're not quite there yet but it might be a bit more than just having a nice chat if that's your question. Just moving on to slightly different thing you've you've have touched on the need to prioritise projects and so on how do you decide which projects are going to be prioritised what's the criteria used and you know it's not just about whether you've got the right skills are so unavailable for that project projects in themselves have a priority and need to be staffed in order to deliver for the public good so how do you do that prioritisation process? So again we've identified that's another of the items that we'll talk about on Monday at the digital board and which will be part of the work program for 2023 and in my mind and you know this isn't the settled position because we'll continue to work with colleagues to get to a settled position on it but in my mind there's three or four elements to it so first of all there's a non-digital element to it so we need to understand the business need of the organisation to achieve public good so it needs to be somewhere and it needs to have a priority in terms of the the government's programme. The second thing which I bring in in terms of the prioritisation is the degree to which making the change or taking the programme forward contributes more broadly than the programme itself you know so if we think in terms of the capability to create new data sets or to create new processes which might be used for more than one by more than one organisation and might be used to create infrastructure that's used by a number of organisations something which adds to the overall system as opposed to simply solves an individual problem again as a key one and one which you know the committee will be familiar with is our ability to bring data together from multiple systems you know so the the challenge that we have that data is you know overhearing one bit of the system and overhearing one bit of the system another bit of the system and we need both those bits of data to make a decision so so that's that's a common problem that we have across government whether it's in health or whether it's injustice and so finding solutions which solve common problems also I would give prioritisation to as well I mean you've got an enormous number of projects the resources needed to prioritise these must be considerable yeah it's again you know as we look into and part of the challenge is that we don't get to start with a greenfield and a blank piece of paper so we have a stock of the projects that you have in front of you as the as the list but in terms of how we consider what gets added to that list you know next year or the year after and the year after that you know focusing on fit focusing on value but also being quite clear that we need to cut our cloth to ensure that we have the capability to deliver these projects efficiently so you assess the pipeline rather than the existing projects and the impact they're making I think we need to do both you know I don't think we can do one or the other but the processes that we apply between the two might be different and and the other aspect of this is I don't think it's purely my job as director digital to make that assessment in that these are also business decisions they're not just digital decisions and I think that's part of the objective that we have is to be able to blend that business decision with the digital decision you know because ultimately as citizens you know we we live our lives across multiple parts of government you know and and so the system needs to be orientated in that way to understand it from the citizen point of view so who makes a business decision I would push that fairly far up the organisation to what we might describe you know there's a question as to whether that should sit with the executive team in there who's making the decision now the decisions at the moment and we we discussed this in in march each of decisions at the moment are largely made within individual portfolios you know and individual directorates and under the accountability arrangements under which we allocate resources out to dgs and then down to directors and that they set within the ministerial portfolios you know what what what we're suggesting is that we need to step beyond that to actually understand the system of impact of that and to begin to think about it at a at a system level is there a time frame the I think as I've referred to in my letter we intend so we meet on monday's digital board with the objective of putting in place a work programme for 2023 you know this is not a small change in terms of what we're considering and it's a change to how people currently operate and what they do and what their accountabilities are and and so what we've what we've agreed is that we'll set out the initial work plan for 2023 which will begin to get into the areas of prioritisation portfolio management you know the frameworks that we apply to actually support the the change processes and effectively create this as a program not just as a policy or as a strategy with an sro appointed to take it forward but I think as I've indicated to the clerk you know as we work through this I'd be very very happy to come and talk to the committee again about that committee would be interested in how this progresses because the process at the moment still seems a bit fragmented than to departmental level let me just conclude by asking you one simple and easy question the r100 programme the savings from that what does that mean for delivery um so what we've done with with r100 is effectively for a couple of reasons we've effectively reprofiled the delivery of the programme um so the we will still um we'll actually probably cover more than we had intended originally but we we're the period over which the programme will be delivered will be different and it comes back to some legacy issues in respect of supply chain and covid in previous years but the the intention is that we'll still continue to deliver r100 as previously said out we're expecting as part of the reprofiling that we'll be able to offer broadband to an additional 2600 rural properties most mostly in the highland and islands but effectively as we've I think already put in the public domain the the programme itself isn't in any way reduced um it's just will be extended over a slightly longer period of time okay leave it in that thank you right thank you can I just take you back to a couple of points that you've made in your answers to calling BT just for clarification first of all um if I take a project like the um Highlands Islands traffic management system uh change that was proposed or if I look at the series of police Scotland it initiatives which are listed again in the programme there are four of them currently do they get ministerial sign-off the the the these are programmes of work which will currently sit within their own accountability structure so the police scotland will have their own accountability structure um the the allocation that they receive they they then operate under the delegated assurances and authorities that they have so I don't know whether any individual particular projects have been in front of ministers but I would say that with in the powers of those organisations that they have the power to take forward projects but isn't there any kind of threshold uh that requires ministerial approval um I mean look we've been discussing in the context of the ferries uh the role that ministers have clearly played in the uh signing off of the award of contracts or the the award of the status of preferred bidder and so on so I'm just trying to understand in this area of ICT whether there is an equivalence whether ministerial sign-off is a part and parcel of the routine way in which these projects are given the green light I think for external NDPBs I think they've generally got the authority to take forward work within their delegated authority their budgets and the framework under which they're expected to operate so so I think it's a no I don't think they do go to ministers I'm happy to write if I'm wrong but I think that's I think that's as I understand it okay I mean if you if on reflection you think there is a a nuance to that answer then please mr Huckins come back to us the other thing you mentioned there as well uh was the digital board which I think you said was due to meet soon um that's the board which is ministerial led isn't it and I think Cozzler are involved too so it's it's it's a board which is um chaired by an external um Lindsay Montgomery um at the previous meeting on the 29th of September the minister attended and with myself gave a presentation in terms of how we saw the future developing there's a question as to whether in 2023 when it probably becomes the digital program board as opposed to the digital board whether at that point the minister wishes to chair it himself so I'll have that conversation with him sometime in the next week or so but he's fully in fully you know up to speed and informed of what's going on at the board and you know I spoke with him last Friday to talk through the approach that we're taking next Monday yeah sorry I mean I thought when you gave evidence in March I thought what you had said was that there was understandably an officials uh uh composed group that has oversight of these things but I thought you said that there was a ministerial led um so there's body as well which had I think you said Cozzler were involved in that yeah there's a second there's the um joint board which oversees the digital strategy which is a shared strategy between the Scottish Government and Cozzler and that met most recently about two weeks ago so that does also exist it it it's focused and who chairs that mr it rotates between the minister and the council spokesman for for digital and it's identified priorities you know for priorities digital inclusion connectivity common componentry and the work of the academy so it's very much focused in those areas of activity but effectively it's a political clearinghouse to assure um ongoing delivery of the strategy but also potentially to address any challenges or difficulties that we're having between different parts of the system the digital board is a Scottish Government entity which is intended to get our ourselves organised to be effective in delivering digital and it also it has representatives from the local government digital office in attendance it also has representatives from the agency's group and from the ndpb's group and one of the discussions I guess going into 23 is also the degree to which it you know how far its reach is in terms of the next stage of work and I guess that comes back to your previous question about police scotland and ndpb's yeah I mean and presumably these bodies have terms of reference and it would and would it be possible to share those with us happy to share the current terms of reference for the digital board but I suspect we'll have new terms of reference in February which reflect the changes that we're making so whichever you would wish or happy to see the ancient and the modern and we can then compare the two thank you sharing dowry has got some questions for you thank you good morning I wanted to ask you about social security scotland and so far that seems to have been classed as a kind of good news stories far as systems are concerned but in day one of the launch of the new scottish child payment the system crashed so it was just to see if you could tell us a bit more about what happened in any learnings that you've taken from that happy to do that I've had a good conversation with a number of colleagues at social security to properly understand it so the first thing I should probably say the system didn't crash the timetable effectively on the day and is that the the the new benefit the child payment benefit launched at 8 o'clock on the 14th of November at around 10 o'clock 150,000 sms notifications were issued to people including a web link that allowed people to go on to the site and to begin to make an application and a lot of people clicked that link at the same time and what happened next was that the system understood that as a denial of service attack because it wasn't expecting quite so many and the protective measures that we have in place for the system effectively kicked in and the system closed on believing that it was subject to some form of cyber attack whereas in fact what had happened was that 150 many of 150,000 people had done exactly what we wanted them to do which was to go on to the site so the site was off for about an hour and 45 minutes during that time telephone applications were still operating and still been taken forward but the corrective action was taken by 1145 and the system went back on so looking forward we've got different ways in which the agency might approach that in the future so they might stagger the process of issuing sms you know they might calibrate the dns protection at the point in time whenever they're likely to be receiving a wave of applications of that kind but you know they'll now learn from the process make you know sensible decisions and we would expect not to have that problem again but clearly the system was capable of scaling for the demand and the system was robust in in in in every other way so it's it's it's an example of where we've applied a protection in the system against a particular threat which has given us a different problem and that's probably just part of the you know the agile learning process that we need to be involved in we've had 89,000 applications in the first two days of the process which is not a small number and again in in that context you know it's an interesting piece of work and you may wish to you know to hear more from social security on it because again you know in this case also looking at the process by which they're able to automate additional elements of the of the application process in such a way to process quickly and at a lower cost per transaction in terms of doing that which again are all the sorts of things that we expect digital to do the first payments were made on the 21st in the week commencing the 21st of November so in terms of that so the story is probably not as reported it was it was sort of quite interesting because you know as you might expect various people who run SMEs and private sector companies regularly email me to ask me for meetings to help me solve my problems and while I appreciate the generosity that they offer me in this case a number of the emails which I got did seem to suggest that they thought that they knew what had happened and that they were not going to solve this problem for the future whereas in fact you know the story is probably a lot more straightforward and I think we can have confidence in the people at social security to get the future right on this one thanks I know you're saying the system didn't crash but to the normal person in the street when they don't get access they would have thought that the system had crashed so were you not expecting to get everybody applying to it at the same time then because it was highly advertised in advance we were all told to advertise it in social media so you were kind of expecting it you would have been expecting 150,000 applications should you have done that a different way in the first place so they received 89,000 applications over the first two days many of which were on the telephone because not everybody will use a web link I think the learning point is the the process by which they give access to the web link which just you know and again it's this frictionless government aspect of it which is you make something easy and people will use it in a way in which you know because if you imagine historically what you would have needed to do to apply for a benefit and you know the documentation and things like that I think the learning point is people will take up an offer like that and I think if they hadn't put the web link out they wouldn't have had the same volume at the same point in time you know because you know this is not just a lot of people applied in the first couple of days a lot of people applied at 10 o'clock or a lot of people click the link at 10 o'clock and you know that's you know that's the learning point in terms of that and you know with things like SMS you can stagger the delivery so that they're going out at five minute intervals and batches and things like that and that might be their solution or they might just recalibrate the DNS protection for free to ship up. Do you know where we are in uptake for it for people that are eligible? Pardon? Do you know where we are in the uptake of it for people that are eligible? I don't have that figure. I do know that there's been 89,000 applications in the first two days and I do know that payments were made before the end of November and the week commenced in the 21st. I don't have those figures, I'm sorry. Just another one, you touched on some data collection with Colin's questions but obviously at the moment when the cost of living crisis we're continually hearing that people not claiming benefits are entitled to. Where are we with data collection for the new social security system to make sure that people that are entitled to benefits can get it automatically rather than having to go in and click on links or SMS messages on the day that the new benefits go live? This is one of the areas where social security is under particular duties to maximise benefit take-up and to make it straightforward. There's challenges with this area because of issues to do with GDPR, privacy and choice. That's why telling somebody that this may be something that you're eligible for works quite well as a methodology rather than saying that here is a benefit that you are entitled to. Again, people have to make that decision to apply. Also, the latter is more likely to be subject to things such as fraud as well. The agencies continue to work through different ways in which they can better target and make people aware. If you have this, you might get that sort of approach, but it's an iterative process. I guess that the other side of it is also doing it in a way that people feel comfortable with as well because, again, people may react differently to receiving information about eligibility. I think that there's design elements to that as well. Did some people get an automatic entitlement to the Scottish child payment or did everybody have to apply? People will have to apply. So none of it was automatic? The process in terms of application was for those who were then eligible because, of course, it's based on access to another benefit. Having made the application, the process is very straightforward, but people have to say, I would want that benefit because at some point they have to sign to indicate that they consider that they're eligible. Just in the reverse on that, you said about fraud and everything as well. Is there something in place in the new system to make sure that once people are not eligible for the benefits, then that benefit would stop? If I'm doing it into full-time employment or if children reached a certain age? Social Security Scotland will have a range of measures in place to ensure that they're continuing to assess eligibility but also to prevent fraud. I think that I'm probably stepping outside my expertise to try and talk about their programme. They're a mature programme running with the fact of playing. I'm not going to finish. I'm going to allow Willie Coffey to come back in, and then I'll turn to my last question. Willie, over to you. Thank you very much, convener. Just on the issue that Sharon was raising there, it sounds from your explanation that we didn't carry out any kind of advanced load testing in that system, because, clearly, that would have and should have identified it. The system thought that it was a cyber attack, so why did we not do that in advance? I know that the chief digital officer at Social Security Scotland will have undertaken load testing. I think that the challenge is undertaking load testing in a live system. I guess that the mental constructs will now always, forever after, look at this in a different way now, having had the experience, and we'll think differently about DNS protection, I guess, as well, and understand where it fits into the process. The load testing on the system says that the system was able to process the rate that was coming in. The challenge was that, effectively, we stopped the applications coming in simply using the DNS, but I think that the learning on that is unfortunate, but, again, it means that it's less likely that we and others will make that mistake in the future. The load testing didn't pick up. It thought that there might be a cyber attack, but when it went live in real time, it did. Yes, but I guess that's because the load testing will have been based on those applications that had made it to the system, and, effectively, the throttle applied before it made it to the system. It basically was the number of connections going in. Again, I'm confident that the system was fully geared up to manage that number of processes. My final question is turning to the summary of the projects that you issued to us back in July. There was one project on there that you'll forgive me, caught my eye. That was the enhancement and replacement of the CalMacFerry's booking system, which was started, I think, in 2016, but the date set on the note for completion and, presumably, going live was November 2022. We are now in December. Can you assure us that that system is now live? I'm going to be very grateful for Sharon's pick, isn't it? So the system isn't yet live. They are planning to go live in the spring. They are currently undergoing staff training. They have to start training up about 700 staff on the new system, and their intention, as I say, is to go live in the spring. We don't have an exact go-live date yet. They have another pre-go-live-gate review coming up post Christmas. So why in the note does it tell us that the expected start date is November 2022, not spring 2023? Because the note that you've got was for the update that was in July, not the December update, if you know what I mean. Yes, because you haven't issued that to us yet. No, no, no, none of that. That's due in the next couple of weeks. Okay, so I'm just trying to understand then. I mean, this is a project which started in 2016, so presumably there must have been an understanding that staff training was required before the system went live, and isn't that planned in advance of the system going live? Yes, it is, but it's not the staff training that has slowed things down. They had done all of the assurance processes that they were due to do, and they did user acceptance testing over the summer that raised a number of issues that they wanted to resolve before they went live. So they've now resolved those user testing issues that have come up, and so that you wouldn't do the staff training until you've got your final, you're towards your final product that you're then going to roll out. So they needed to iron out these other issues first. Why is it taking six years in the first place? Isn't that unusually long? I don't have enough detail on the project to be able to answer that. We can certainly get more information for you. Okay, so I'm also bound to ask, is it on budget? Yes, it is still within budget. Okay, okay, well look. Thanks for that answer, and thanks for your other answers this morning. So can I thank Sharon Fairway, Jeff Huggins and Yorofa Turner for your contributions this morning? I am now going to end the public part of this morning's session and go into private session.