Corporate report

UKHSA Advisory Board: technology strategy

Updated 11 September 2023

Date: Wednesday 13 September 2023

Sponsor: Chris Coupland, Chief Technology Officer

Purpose of the paper

The main purpose of this paper is to obtain feedback on the main pillars of the UK Health Security Agency’s (UKHSA) proposed technology strategy.

Recommendations

The Advisory Board is asked to:

  • comment on the overall approach to the technology strategy
  • note that, once finalised, the Executive Committee (ExCo) will consider the technology strategy when making investment, policy, commercial and service decisions

Background

UKHSA prevents, prepares for and responds to infectious diseases, as well as environmental, radiological and chemical hazards, to keep all our communities safe, save lives and protect livelihoods. It provides scientific, clinical and operational leadership, working with local, national and international partners to protect the public’s health and build the nation’s health security capability.

Technology is a critical enabler across the agency’s ‘Prevent – Detect – Analyse – Respond’ value chain, providing the knowledge management, laboratory, modelling, assessment and other systems that underpin the agency’s scientific and clinical leadership activities, the infrastructure and associated systems that support surveillance and data analytics, the monitoring, testing, response and other engagement solutions that underpin health protection operations, as well as the basic IT that enables colleagues to securely access systems and work collaboratively.

With less than 2 years of operation since it was formed from multiple organisations, UKHSA remains focused on integrating, rationalising, strengthening and reducing the cost of its inherited technology estate, as well as developing a competitive remuneration and career development proposition to attract the right digital and cloud-native skills it needs to deliver its strategy.

Today, the estate consists of over 400 applications, around a third of which are deemed to be ‘business critical’ and just over half of which are supported to a greater or lesser extent by technology. In addition to the UKHSA’s multi-cloud platform (circa 200 applications, 50%), underpinning this from an infrastructure perspective are 3 data centres (at Colindale, Porton and Chilton), running 3 High Performance Computing (HPC) clusters, some 600 physical servers and 1,800 ‘virtual’ equivalents, accessing almost 10 Petabytes of data (via more than 2,500 databases), across a network that connects 40 regional sites and transfers around 40 Terabytes of data every day.

Technology strategy

Following the 2023 to 2024 budgetary settlement, finalisation of the agency’s remit, corporate, science and data strategies, the technology group have worked with Science, Clinical Public Health, Health Protection Operations, Data and Surveillance, and corporate colleagues, as well as technology colleagues from the Department of Health and Social Care (DHSC) and the Central Digital and Data Office (CDDO), to develop an over-arching technology strategy.

Strategy pillars summary

Prioritise cloud technologies by:

  • adopting a cloud-first approach
  • migrating legacy systems wherever appropriate, transforming them as necessary
  • building a Cloud Centre of Excellence (CCoE), including an effective financial management (FinOps) capability
  • minimising any ongoing ‘on-premise’ datacentre footprint (by exception only)

Adopt a product-centric approach by:

  • defining enduring products, mapped to the UKHSA’s remit
  • implementing a user-centred, agile approach, based on DevSecOps (1) principles
  • resourcing via long-lived, dedicated multidisciplinary teams, or a leveraged model
  • ensuring a composable build approach, so that services can be built from re-usable components
  • focusing on value and continual improvement, through the lifecycle

Leverage core platforms and drive convergence by:

  • identifying critical capabilities using the UKHSA’s business capability model (BCM)
  • developing and maintaining ‘blueprints’ for these capabilities and important enterprise architecture (EA) domains
  • converging underpinning technologies, and otherwise deprecating or decommissioning them

Enable data sharing and exploitation by:

  • collaborating with Data Analytics and Surveillance (DAS) colleagues to implement the cyber and data strategies
  • implementing an application programmable integration (API) first approach to improve visibility, access to and the exchange of health data across systems, including to and from the NHS, academia, peer organisations and private sector partners, subject to the necessary protections
  • evolving UKHSA’s infrastructure to support a unified data platform, as part of a wider data fabric architecture (2), compliant with all appropriate privacy and security considerations

Embrace innovation by:

  • fostering an open, supportive, cross-discipline, learning and ‘outside-in’ culture
  • focusing on value, including opportunities for digitisation and automation, including the use of artificial intelligence (AI) (3)
  • leveraging partners

Build an enduring Digital, Data and Technology (DDaT) capability by:

  • implementing a unified operating model, based on a full-lifecycle, product-centric model, while also catering for the effective ongoing management of legacy
  • developing and implementing a compelling proposition to attract, develop and retain an effective, in-house strategic DDaT workforce
  • partnering with industry and other organisations to provide, and selectively build, specialised capabilities, flex capacity to scale, and best practice

Strive for operational excellence by:

  • instilling a continuous improvement culture, where management and their teams are invested in business outcomes and empowered to implement change
  • attributing product or platform costs fully and aiming to be the benchmark on cost, service, productivity, delivery and security
  • embedding a fit-for-purpose assurance and wider governance model
  • promoting a sustainable approach

Wider alignment

The strategy aligns to, and implementation will comply with, relevant DDaT standards and policy, including:

Implementation

Implementation will be progressive, through planned strategic investments in agency capability, as well as specific transformation initiatives and other interventions – the most important of which are the Technology-sponsored ‘Big Rocks’ programme, the DAS-sponsored ‘Safer Cyber’ and ‘License-to-Operate’ programmes, and the anticipated implementation of DDaT more widely within UKHSA.

The ‘Big Rocks’ programme, approved at the end of June 2023, comprises 4 projects, to be delivered over a 3-year timeframe, for a total investment of circa £47 million (excluding VAT and risk). These 3 projects include:

  • cloud optimisation and operations, providing for infrastructure and application rationalisation, modernisation and migration to the cloud
  • API, which will improve access to, and the exchange of, health data internally and across the wider health ecosystem
  • strategic workforce, which will lay the foundations for a sustainable, fit-for-purpose UKHSA technology function (including operating model)
  • knowledge management, which will enhance the agency’s ability to manage, access and derive benefit from knowledge

The investment will avoid exposing the agency to unacceptable, heightened cyber security and resilience risks, endow it with greater digital agility and, over 5 years, reduce otherwise escalating technology costs by 15%.

DHSC approval to adopt the Cabinet Office DDaT framework is pending. If approved, then the strategic workforce project will also serve to implement this in technology, which should go a long way towards helping the agency compete for talent.

This technology strategy is fully aligned with the ‘Safer Cyber’ and ‘License to Operate’ programmes, which aim to improve multiple controls, and enhance the UKHSA’s overall security posture and maturity, through investing in people, process and technology.

Technology will also work closely with the Science Group, as well as Cyber Security, to look to progressively regularise ‘Shadow IT’, through surfacing such systems, remediating them (or retiring them, as required), and adopting them formally.

‘Big Rocks’ and ‘Safer Cyber’ both include an array of metrics against which success will be tracked, aligned to the outcomes set out in our Corporate Strategy. Further measures will be developed and shared with the Audit Review Committee (ARC), in its capacity as the oversight forum for major programmes. This will include the milestones and metrics by which the technology strategy, Big Rocks and related programmes, will be monitored and assured for delivery on time, function and budget, as well as the approach to be taken regarding benefits realisation.

Next steps

Next steps include:

  • finalising the more detailed technology strategy, incorporating feedback
  • reviewing it with Corporate Communications, prior to publishing it formally
  • developing further sub-strategies for key capabilities and associated domains
  • continuing to work with DHSC to secure investment approval to implement DDaT
  • with Cyber, submitting a joint proposal to the ExCo to better understand ‘Shadow IT’
  • with DAS, tabling a joint submission to the Advisory Board and/or ARC on AI
  • with DAS, tabling the milestones and metrics by which the technology strategy, ‘Big Rocks’ and related programmes, will be monitored and assured
  • reflecting the technology strategy in the financial year 2024 to 2025 business planning round

References

1. DevOps is a methodology used to integrate and automate software development (‘Dev’) and IT operations (‘Ops’) to improve and shorten the systems development lifecycle. DevSecOps integrates security (‘Sec’) as a shared responsibility throughout.

2. Data Fabric is an integrated layer (‘fabric’) of data and connecting processes, coupled with advanced analytical capabilities, that offers greater value compared with more traditional data management practices.

3. Artificial Intelligence uses algorithms to make predictions, or classifications, based on input training data. Encompasses machine- and deep-learning, as well as language processing. Generative AI (GenAI), such as OpenAI’s ChatGPT tool, learns the patterns and structure of its training data, to generate new data that has similar characteristics – whether language, code, molecules, images, or a variety of other data types.

Chris Coupland
Chief Technology Officer
September 2023