Recommendation 13

HM Government Accepted in Part

3. PAC conclusion: Legacy IT systems are a significant contributory factor in the cost of government services and an impediment to being able to gather better data to bring about improvements. 3a. PAC recommendation: DSIT should provide the Committee with a baselined list of legacy systems identified and the services they support alongside the Treasury Minute response to this report. 3.1 The government agrees with the Committee’s recommendation. Target implementation date: March 2026 3.2 The Department for Science, Innovation and Technology (DSIT) will share the available data with the chair of the Committee for dissemination to the Committee by the implementation date of March 2026. Given the nature of the systems included in this list many are less able to defend from cyber-attacks than other systems in government, so the department does not intend to make this list publicly available. The department will engage with the Committee directly to share this data whilst outlining the handling caveats. 3.3 DSIT last collected this data at the end of financial year 2023-24. Reporting was paused in financial year 2024-25 due to the burden that it was placing on departments and the effect this was having on their ability to focus in mitigating the risks posed by legacy systems. DSIT will publish the government’s Legacy IT Action Plan later in 2026 which will include how DSIT will establish an improved baseline of priority legacy systems. 3b. PAC recommendation: In addition, DSIT should, within six months from the publication of this report, indicate which legacy systems should be targeted as a priority for further investigation into how far their limitations result in additional people and process costs in the operational business areas they support which, if addressed, would significantly reduce the costs of those services. 3.4 The government disagrees with the Committee’s recommendation. 3.5 DSIT agrees that a more detailed analysis of the limitations posed by legacy systems on the additional people and process costs in the operational business areas they support would be beneficial. Research that has already been conducted by DSIT’s internal analysis team indicates that, in general, a legacy system costs around 40% more annually than a more modern equivalent. Whilst much of the research analysed is not specific to the public sector and there are clearly variations in the potential savings depending on the type of system and the way they are modernised (from approximately 25% to 80%), DSIT assesses that this is a reasonable estimate of the potential cost savings until more detailed analysis can be conducted. 3.6 DSIT is currently focussing on better understanding the wider landscape of legacy IT in the United Kingdom public sector alongside the costs associated with this (per the Committee’s recommendations in their reports on Use of AI in Government and Government cyber resilience), as well as prioritising the development of approaches to remediate legacy IT at scale and prevent new legacy IT. Having a more accurate and data-driven cross- government baseline is a pre-requisite to sequencing the required steps to address legacy systems. DSIT’s Legacy IT Action Plan, being published later this year, will set out improvements to the visibility process to baseline legacy cross government. This improved baseline will inform the sequencing and prioritisation of scalable interventions to remediate legacy systems. 3.7 The department does not agree that this recommendation should be an immediate priority of the next 6 months given the above work already in progress and work already undertaking to understand the exposure and impacts of legacy technology, for example, as part of the State of digital government review alongside the above internal research.