1st Report - Rewiring the state: Delivering digital government

GDS should require all departments and public bodies to disclose their annual spending on digital and data-driven activities, using guidance developed jointly with HM Treasury and with input from the National Audit Office. In its response to this report, the … Read more GDS should require all departments and public bodies to disclose their annual spending on digital and data-driven activities, using guidance developed jointly with HM Treasury and with input from the National Audit Office. In its response to this report, the government should commit to publishing this annually, as part of Public Expenditure Statistical Analyses. (Recommendation, Paragraph 16) Show less

View Details →

The new Government Digital Service (GDS) should develop and publish a comprehensive framework to evaluate the performance of digital spend, to include a set of metrics against which leaders of departments and public bodies can be held to account. The … Read more The new Government Digital Service (GDS) should develop and publish a comprehensive framework to evaluate the performance of digital spend, to include a set of metrics against which leaders of departments and public bodies can be held to account. The government should require each department and public body to publish annual progress reports against this framework. (Recommendation, Paragraph 19) Building block two: People Show less

View Details →

GDS should publish the succession plans for all digital and data director and director general roles in central government, and develop and publish similar plans for the digital and data aspects of all permanent secretaries’ roles. The government should consider … Read more GDS should publish the succession plans for all digital and data director and director general roles in central government, and develop and publish similar plans for the digital and data aspects of all permanent secretaries’ roles. The government should consider extending the requirement for all new directors and directors-general to be assessed against digital and data skills and behaviours to include future permanent secretaries. A Government Chief Digital Officer should be appointed at permanent secretary level. (Recommendation, Paragraph 32) Show less

View Details →

UK Biobank is in receipt of public funds, and so the government should help it to ensure that failings are addressed as a matter of urgency. This incident underlines that contractual arrangements to protect citizens’ data must also be accompanied … Read more UK Biobank is in receipt of public funds, and so the government should help it to ensure that failings are addressed as a matter of urgency. This incident underlines that contractual arrangements to protect citizens’ data must also be accompanied by robust technical protections. (Conclusion, Paragraph 47) Show less

View Details →

GDS and the Cabinet Office should publish quarterly reports on departmental and public sector body progress against the information and data security metrics it has committed to, together with its published principles for securing data in public services. These disclosures … Read more GDS and the Cabinet Office should publish quarterly reports on departmental and public sector body progress against the information and data security metrics it has committed to, together with its published principles for securing data in public services. These disclosures should be accessible via a single, publicly available tracker. (Recommendation, Paragraph 48) 51 Show less

View Details →

In its response to this report, the government should set out how it intends to measure departmental and public body efforts to bring about difficult but necessary cultural changes in relation to data protection. It should name the departments and … Read more In its response to this report, the government should set out how it intends to measure departmental and public body efforts to bring about difficult but necessary cultural changes in relation to data protection. It should name the departments and public bodies that have yet to adopt basic data hygiene practices, such as the use of Microsoft 365’s information protection labelling system, and state when this will be remedied. (Recommendation, Paragraph 49) Show less

View Details →

The findings of the internal review examining events at the UK Biobank should be published in full. In its response to this report the government and UKRI should set out the technical protections that will be put in place at … Read more The findings of the internal review examining events at the UK Biobank should be published in full. In its response to this report the government and UKRI should set out the technical protections that will be put in place at the UK Biobank to ensure it properly protects citizens’ data. They should also set out their view on whether an organisation with such inadequate data hygiene is a suitable candidate to receive public funds. (Recommendation, Paragraph 50) Building block four: Delivery Show less

View Details →

In its response to this report the government should confirm how many times the Digital Inter-Ministerial Group has met since publication of the blueprint for modern digital government; and should publish the minutes, including attendance, from each of these meetings. … Read more In its response to this report the government should confirm how many times the Digital Inter-Ministerial Group has met since publication of the blueprint for modern digital government; and should publish the minutes, including attendance, from each of these meetings. (Recommendation, Paragraph 54) Show less

View Details →

The operational delays caused by the July 2024 machinery of government change, combined with shifting priorities, has hamstrung delivery of the vision set out in the blueprint. Unlike DSIT, the Cabinet Office is a coordinating department with the ability to … Read more The operational delays caused by the July 2024 machinery of government change, combined with shifting priorities, has hamstrung delivery of the vision set out in the blueprint. Unlike DSIT, the Cabinet Office is a coordinating department with the ability to drive change in the name of the Prime Minister. As digital is now essential to the operation of every government department and public body, we believe that the Cabinet Office should have housed the digital centre, not DSIT. However, at this stage in the Parliament, it would be unrealistic to recommend a reversal of the change. Instead, the government must follow the logic of the ‘digital centre of government’ label and empower GDS to deliver, with clear political and technical leadership. (Conclusion, Paragraph 59) Show less

View Details →

The government should commission an urgent review of the new GDS, to report no later than the September sitting of Parliament. The review should examine how GDS can set policies, coordinate effectively, and hold individual departments and public bodies to … Read more The government should commission an urgent review of the new GDS, to report no later than the September sitting of Parliament. The review should examine how GDS can set policies, coordinate effectively, and hold individual departments and public bodies to account for their 52 delivery against specified digital transformation metrics and outcomes. These should be designed to ensure that digital transformation is done with the highest possible levels of public consent and trust. (Recommendation, Paragraph 60) Show less

View Details →

The Prime Minister should appoint a cabinet-level minister responsible for driving effective digital transformation across the public sector and supporting other ministers in this work. A permanent secretary-level Government Chief Digital Officer and head of GDS should be appointed to … Read more The Prime Minister should appoint a cabinet-level minister responsible for driving effective digital transformation across the public sector and supporting other ministers in this work. A permanent secretary-level Government Chief Digital Officer and head of GDS should be appointed to support them, with the publication of a detailed delivery plan in the form of a command paper as their first task. The government should publish a live dashboard of progress made against commitments set out in the delivery plan, which details what has been delivered, where priorities or delivery timetables have been revised, and any relevant policy announcements. (Recommendation, Paragraph 61) Barriers to effective digital transformation Barrier one: Hype Show less

View Details →

The new digital centre (GDS) should commission an independent economic analysis for each of the planned activities set out in the roadmap for modern digital government, giving a range of possible financial and economic outcomes for each commitment. (Recommendation, Paragraph … Read more The new digital centre (GDS) should commission an independent economic analysis for each of the planned activities set out in the roadmap for modern digital government, giving a range of possible financial and economic outcomes for each commitment. (Recommendation, Paragraph 69) Barrier two: Legacy systems Show less

View Details →

GDS should set up a Legacy Systems Taskforce with a remit to drive progress in remediating legacy systems across the public sector. It should be empowered to mandate action by departments and public sector bodies 53 where necessary. The taskforce … Read more GDS should set up a Legacy Systems Taskforce with a remit to drive progress in remediating legacy systems across the public sector. It should be empowered to mandate action by departments and public sector bodies 53 where necessary. The taskforce should publish the results of the promised legacy mapping exercise in as transparent a form as possible given security risks, together with a clear action plan to remove legacy systems from the UK public sector. (Recommendation, Paragraph 79) Show less

View Details →

We welcome GDS’s commitment to work with HM Treasury to ringfence funding to address legacy systems, particularly given the significant costs that remediation will create for departments and public bodies that are already under financial pressure. In its response to … Read more We welcome GDS’s commitment to work with HM Treasury to ringfence funding to address legacy systems, particularly given the significant costs that remediation will create for departments and public bodies that are already under financial pressure. In its response to this report the government should confirm which programmes have been ringfenced or submitted for consideration. (Recommendation, Paragraph 80) Show less

View Details →

In its response to this report the government should set out how it intends to ensure that the public sector makes better use of the services provided by Crown Hosting. (Recommendation, Paragraph 81) Barrier three: Vendor lock-in

View Details →

Our view that Palantir’s increasing presence across the public sector represents an unacceptable point of weakness is not ideologically motivated or driven by concerns about the quality of their products. The government should retain the ability to pick and choose … Read more Our view that Palantir’s increasing presence across the public sector represents an unacceptable point of weakness is not ideologically motivated or driven by concerns about the quality of their products. The government should retain the ability to pick and choose individual suppliers and safeguard against the risk of vendor lock-in and debilitating dependencies, particularly in areas of critical national importance such as healthcare and national security infrastructure. (Conclusion, Paragraph 94) Show less

View Details →

The government should commit to exercising the February 2027 break clause in the Federated Data Platform contract and either develop an in-house replacement or seek an alternative developed by UK-owned and UK-based providers that are more compatible with UK values, … Read more The government should commit to exercising the February 2027 break clause in the Federated Data Platform contract and either develop an in-house replacement or seek an alternative developed by UK-owned and UK-based providers that are more compatible with UK values, and do not pursue either technical or contractual dependencies. It should publish a fully costed exit plan for the Federated Data Platform by the end of 2026. (Recommendation, Paragraph 95) 54 Show less

View Details →

In its response to this report the government should confirm the exact nature of Palantir’s access to identifiable and non-identifiable patient data, on what statutory basis this was authorised, when, and by whom; and whether the Information Commissioner was consulted. … Read more In its response to this report the government should confirm the exact nature of Palantir’s access to identifiable and non-identifiable patient data, on what statutory basis this was authorised, when, and by whom; and whether the Information Commissioner was consulted. (Recommendation, Paragraph 96) Show less

View Details →

The government should commit to wherever possible using UK-owned and UK-based suppliers to develop and implement the NHS Single Patient Record, and to awarding all associated contracts via open and transparent procurement processes. (Recommendation, Paragraph 97) Read more The government should commit to wherever possible using UK-owned and UK-based suppliers to develop and implement the NHS Single Patient Record, and to awarding all associated contracts via open and transparent procurement processes. (Recommendation, Paragraph 97) Show less

View Details →

In its response to this report the government should set out the reasons for awarding a £240 million Ministry of Defence contract to Palantir without a competitive tender process. (Recommendation, Paragraph 98)

View Details →

The best way for government to encourage innovation is by procuring it. The government should therefore require central departments and public bodies to spend a defined minimum percentage of their technology procurement budgets on products offered by UK-based and UK-owned … Read more The best way for government to encourage innovation is by procuring it. The government should therefore require central departments and public bodies to spend a defined minimum percentage of their technology procurement budgets on products offered by UK-based and UK-owned start-ups and SMEs by the end of the current Spending Review period, and to publish quarterly updates on progress made against this. (Recommendation, Paragraph 101) Show less

View Details →

The promised cloud consumption dashboard should include not only a breakdown of contract awards by company but their value, details of any break clauses, specific licensing terms and a value for money assessment. The government should require public bodies to … Read more The promised cloud consumption dashboard should include not only a breakdown of contract awards by company but their value, details of any break clauses, specific licensing terms and a value for money assessment. The government should require public bodies to publish the value of individual cloud contracts within three months of their being awarded. (Recommendation, Paragraph 109) 55 Show less

View Details →

The government should publish the findings of its investigation into the October 2025 AWS outage and its impact on suppliers and departments. In its response to this report, it should detail the steps it is taking to ensure greater resilience … Read more The government should publish the findings of its investigation into the October 2025 AWS outage and its impact on suppliers and departments. In its response to this report, it should detail the steps it is taking to ensure greater resilience across public sector cloud infrastructure. (Recommendation, Paragraph 110) Show less

View Details →

In its response to this report the government should detail how the ‘All of Government’ cloud contract will prevent vendor lock-in. It should set out the engagement it has had with the Competition and Markets Authority on the development of … Read more In its response to this report the government should detail how the ‘All of Government’ cloud contract will prevent vendor lock-in. It should set out the engagement it has had with the Competition and Markets Authority on the development of the contract, and how the contract will embed a pro-competition approach to cloud procurement. (Recommendation, Paragraph 111) Barrier four: Achieving sovereignty Show less

View Details →

In its response to this report the government should set out its definition of technology sovereignty and confirm whether a list of key capabilities or technologies where the government considers that the UK needs sovereign capability exists, whether this will … Read more In its response to this report the government should set out its definition of technology sovereignty and confirm whether a list of key capabilities or technologies where the government considers that the UK needs sovereign capability exists, whether this will be published or made available to Parliament, and if not, why not. The definition should be reviewed on an annual basis. (Recommendation, Paragraph 118) Show less

View Details →

The government should use its promised update to the Procurement Act 2023 to require public sector bodies to prioritise open-source tools and technology over proprietary offerings, to support innovative alternatives to incumbent suppliers and reduce the risk of vendor lock-in. … Read more The government should use its promised update to the Procurement Act 2023 to require public sector bodies to prioritise open-source tools and technology over proprietary offerings, to support innovative alternatives to incumbent suppliers and reduce the risk of vendor lock-in. (Recommendation, Paragraph 126) Show less

View Details →

The government should publish a technology sovereignty strategy that sets out how it intends to support the development of sovereign alternatives to incumbent providers across the public sector. Informed by the cross-government definition and list of required sovereign capabilities recommended … Read more The government should publish a technology sovereignty strategy that sets out how it intends to support the development of sovereign alternatives to incumbent providers across the public sector. Informed by the cross-government definition and list of required sovereign capabilities recommended above, the strategy should set stretching targets for the procurement of sovereign, open-source alternatives and detail further support for UK SMEs and start-ups that provide these services. The government should also launch advanced market commitments for the sectors deemed to require sovereign capabilities. (Recommendation, Paragraph 127) Show less

View Details →

The government should in its response to this report set out what contingencies it has in place to safeguard citizens’ data should the United States trigger data access provisions in the CLOUD Act 2018, and share any impact assessments that … Read more The government should in its response to this report set out what contingencies it has in place to safeguard citizens’ data should the United States trigger data access provisions in the CLOUD Act 2018, and share any impact assessments that it has undertaken relating to this. (Recommendation, Paragraph 128) Show less

View Details →

As part of the government’s wider reset in its relations with the European Union, and its technology sovereignty strategy, DSIT should establish a unit dedicated to monitoring and disseminating digital government best practice from across the EU, with a remit … Read more As part of the government’s wider reset in its relations with the European Union, and its technology sovereignty strategy, DSIT should establish a unit dedicated to monitoring and disseminating digital government best practice from across the EU, with a remit to engage with Commission and member state-level bodies. This unit should have a particular focus on how the EU and its member states are encouraging the development of sovereign alternatives to incumbent providers. (Recommendation, Paragraph 129) Digital ID Show less

View Details →

If external suppliers are deemed necessary to support the development or implementation of the new digital ID, no contracts relating to the development or implementation of the new digital ID should be awarded without a competitive tender process, and all … Read more If external suppliers are deemed necessary to support the development or implementation of the new digital ID, no contracts relating to the development or implementation of the new digital ID should be awarded without a competitive tender process, and all contracts should be published in full. The government should announce the decision to use external suppliers to Parliament before tendering. (Recommendation, Paragraph 144) Show less

View Details →

Inadequate data on digital spend prevents the government from making informed decisions regarding policy interventions, and prevents those responsible from being properly held to account. (Conclusion, Paragraph 15)

View Details →

Delivering successful digital transformation will require a new approach to digital and technology spend, underpinned by clear standards, approval processes, and lines of accountability. The current approach to funding, whereby it is easier to secure capital funding than resource, public sector organisations are limited in their ability to secure funds …

View Details →

By the end of the current Spending Review period a meaningfully higher percentage of digital and technology spend should come from departmental resource budgets, as opposed to capital budgets, in order to better reflect the reality of modern public service delivery. We suggest a target of 75%, up from an …

View Details →

The public sector needs more of the right people to deliver the government’s ambitions for the digital transformation of the state. There are 100,000 digital and data professionals but not enough are in leadership roles, which are too often filled by generalists. Enthusiasm from non-experts at the top and insufficient …

View Details →

The cross-government digital workforce strategy should include detailed targets for departments and public bodies to meet by the end of the current Spending Review period, including: the publication of departmental plans to reduce the proportion of total workforce and cost of contractors in digital and technology roles; a clear plan …

View Details →

It is a fundamental duty of government, public sector bodies and bodies in receipt of public funds to keep safe the data they hold on citizens. This duty has not been consistently upheld in the UK for some time. An Information Security Review, whose existence was - seemingly unnecessarily - …

View Details →

Successive governments have made a series of promises designed to address the institutional failings outlined in the Information Security Review. Yet we remain concerned that the current government is not holding itself to, or delivering, the standards of information and data security needed to secure and maintain public trust. This …

View Details →

The advertisement of UK Biobank datasets on a Chinese e-commerce platform points to a particularly egregious example of inadequate data hygiene. The seriousness of the breach was compounded by a response that showed a lack of appreciation of the trust placed by 500,000 volunteers in the Biobank, a valuable study …

View Details →

The roadmap for modern digital government lacks overarching metrics by which the success or failure of delivery of the vision set out in the blueprint could be assessed. The decision to publish it as a website, rather than a command paper, also allows updates to be made without triggering GOV. …

View Details →

The government is right to highlight the potential for technology to support better public service delivery. But its estimate that the digitisation of public services could deliver an annual saving of £45 billion is worryingly optimistic. While assumptions are an unavoidable part of economic projections, hyperbole diminishes the case for …

View Details →

Legacy systems present huge efficiency, cost and security risks, and it is therefore deeply concerning that government still does not know the full scale of the problem. While it may be difficult for ministers to argue in favour of spending public funds on systems that still (just about) work, if …

View Details →

Of the small number of technology providers that the UK public sector relies upon, Palantir concerns us most. In the United States it has supplied software for that country’s military and immigration services, supporting highly controversial policies and activities. Its co-founder has criticised the concept of a national health service …

View Details →

We believe that vendor lock-in should not be viewed as inevitable, and that dependence on a small number of suppliers does not automatically lead to better delivery of public services or better use of public money. (Conclusion, Paragraph 106)

View Details →

GDS should produce a strategy to end vendor lock-in across the public sector, which includes targets for the diversification of suppliers across government departments and public bodies, progress against which is published on a quarterly basis. (Recommendation, Paragraph 107)

View Details →

The public sector’s dependence on AWS and Microsoft’s cloud products undermines fair competition, fails to deliver value for money, can prevent domestic alternatives from scaling and—when outages occur—exposes a lack of resilience. The government is rightly seeking to coordinate cloud contracting, but this should be done in such a way …

View Details →

Sovereignty means different things to different people, including within government. Ultimately it comes down to choice, and having the ability to make choices rather than being dependent on individual providers is particularly important when it comes to technology. Leverage as the Secretary of State described it should be pursued, but …

View Details →

Setting a cross-public sector definition of sovereignty and agreeing a strategy that is clear about the sectors and services where sovereign capability matters most, is a prerequisite for the effective use of technology by government departments and public bodies. We are therefore concerned by the current lack of clarity over …

View Details →

The UK’s reliance on a small number of US-based providers for digital infrastructure and public service delivery is a strategic and economic vulnerability. The government’s digital transformation ambitions could be derailed at any time by a decision taken outside our shores based on the narrow interests of a foreign commercial …

View Details →

Building sovereign alternatives to US tech providers will require targeted support for start-ups in strategic sectors; a robust approach to competition policy that does not shy away from confrontation with incumbent firms but instead supports the development of a diverse ecosystem of providers; and establishing technology and digital procurement targets …

View Details →

While technology can help improve people’s experience of public services, and activities such as banking are increasingly done online, the difference between interactions with the state and a bank is that citizens have a choice 57 about which bank to interact with and can freely move between different providers. We …

View Details →

It would be irresponsible to roll out a digital ID built on the UK’s current digital infrastructure. The public sector holds citizens’ data on trust, and should therefore hold itself to a higher standard. The operational and security problems relating to the eVisa system, One Login’s temporary loss of certification …

View Details →

The digital ID will be a significant test of the government’s wider digital transformation ambitions: if it does not succeed, or results in a worse experience for citizens when they interact with government, there will be far-reaching political consequences. Citizens’ consent is a pre-requisite for delivering digital transformation, and the …

View Details →

Uncertainty over the eventual cost of the digital ID scheme make it impossible to take an informed view on whether it will prove a worthwhile undertaking, even if the operational and security challenges examined in this report were to be resolved. The government was, however, right to say that the …

View Details →

The announcement of the government’s final decision on digital ID should be accompanied by full costings and a full impact assessment, as well as details of controls to ensure the scheme, if it is taken forward, does not exceed its delivery timetable or agreed budget. (Recommendation, Paragraph 143)

View Details →

If the government decides to proceed with the new digital ID, Parliament should be given an opportunity to vote on each use case before it is added and given full access to the government’s internal impact and cost assessments to inform its decision. (Recommendation, Paragraph 145) 58

View Details →