Electronic Travel Authorisation (ETA) alpha assessment
Service Standard assessment report Electronic Travel Authorisation (ETA) 14/09/2023
Service Standard assessment report
Electronic Travel Authorisation (ETA)
| From: | Central Digital & Data Office (CDDO) |
| Assessment date: | 14/09/2023 |
| Stage: | Alpha |
| Result: | Met |
| Service provider: | Home Office |
Service description
The Electronic Travel Authorisation (ETA) scheme will introduce a permission to travel requirement for those who do not currently need a visa or have an immigration status. An ETA provides a multi-entry permission to travel to the UK for a period of two years.
Service users
As applicants to the ETA service, we have identified the customer groups as:
- travellers who currently need an EVW to travel to the UK
- travellers who currently do not need permission to travel to the UK
User groups within these are:
- traveller completing the application for themselves
- someone else completing the application on behalf of a traveller
Secondary users:
- carriers, such as airlines, ferry and train companies
- caseworkers
- Border Force officers
1. Understand users and their needs
Decision
The service met point 1 of the Standard.
What the team has done well
The panel was impressed that:
- the team have learnt lessons from their approach to user research recruiting and will be trying different things moving forward like using specialist agencies. They also recognised the need to do less virtual UR to ensure they understand the needs of those with lower digital inclusion.
- it was good to see that the team understood the need to be inclusive and reached out to a diverse audience to uncover needs and pain points.
- it was evident that the team have used a number of research methods to understand the users and behaviours.
What the team needs to explore
Before the next assessment, the team needs to:
- private BETA is planned with countries where an EWV is already required to travel to UK so users are familiar with the need to do this and the experience. It is important to ensure that UR and needs are understood for more infrequent or new users.
- internal user needs at the Home Office and what the change will mean for them in terms of providing and support and guidance to external users at all touchpoints needs to be iterated further and perhaps needs equal billing to the external user experience.
- ensure that the end-to-end service journey is tested with users of assistive tools – this is to ensure that our services are accessible to all types of users.
- to test scenarios and further risky assumptions/unhappy paths with both internal and external users. For internal users it’s important to understand how they will support users by guiding them through the digital service if the need arises.
2. Solve a whole problem for users
Decision
The service met point 2 of the Standard.
What the team has done well
The panel was impressed that:
- the team are already engaging with GDS regarding GOV.UK guidance, signposting and search for the service.
- they are taking an evidence based approach to naming the service, collaborating with GDS. The names of similar services by other territories have been reviewed, and language that isn’t unique to the UK has been preferred. Search analytics have helped inform the naming process.
What the team needs to explore
Before the next assessment, the team needs to:
- provide more service mapping evidence ahead of the event so the assessors can more clearly see that the team have thoroughly considered the end-to-end service including context and non-digital elements.
3. Provide a joined-up experience across all channels
Decision
The service met point 3 of the Standard.
What the team has done well
The panel was impressed that:
- the team explained why this is a primarily app based service, with a fallback website. The app can read electronic passports (via NFC) and automatically recognise a passport’s visible Machine Readable Zone (MRZ) among other benefits.
- they have been collaborating with similar services, for design particularly with other teams using the Home Office passport details patterns.
What the team needs to explore
Before the next assessment, the team needs to:
- understand low digital inclusion needs and think about their Assisted Digital Service
4. Make the service simple to use
Decision
The service met point 4 of the Standard.
What the team has done well
The panel was impressed that:
- the team’s design process, and the quality of their design output is good.
- they have regularly presented designs for the service to colleagues for critique (both within this programme, and the wider department e.g. their design pattern working group).
- the designers have worked to reduce the number of questions the user is asked, and the amount of user data that’s collected.
- several examples of research based design iteration have been shown.
What the team needs to explore
Before the next assessment, the team needs to:
- this is relatively demanding service for users. Save and return functionality for incomplete journeys can significantly benefit users for this type of service. This isn’t currently a planned feature, but the team are planning to review placement of this feature in their roadmap.
5. Make sure everyone can use the service
Decision
The service met point 5 of the Standard.
What the team has done well
The panel was impressed that:
- the team have reasonable plans in place for accessibility testing.
What the team needs to explore
Before the next assessment, the team needs to:
- currently the service is only confirmed to be in English and this will be problematic for many users (the team are planning to review this).
- assisted digital phone support is not currently planned, but it will benefit users (the team are planning to review this).
6. Have a multidisciplinary team
Decision
The service met point 6 of the Standard.
What the team has done well
The panel was impressed that:
- the team have a Service Owner identified.
- the team are empowered to make decisions but have a dependency on multiple other components as part of their tech Stack but there is an established route for portfolio prioritisation and escalation for decisions which uses a scaled agile approach which fits well.
- the team work well together – there is a positive team dynamic with the skills & capability required to deliver a digital service.
What the team needs to explore
Before the next assessment, the team needs to:
- this is a large scale and complex global delivery so it is important to think about how the team may need to flex in size as they move forward but balance that with agile and lean and regular review of how the team(s) are working together to deliver the service vision and maintaining delivery at the pace required.
7. Use agile ways of working
Decision
The service met point 7 of the Standard.
What the team has done well
The panel was impressed that:
- the team is working in an agile way with 2 week sprints and using all the key ceremonies to keep moving forward.
8. Iterate and improve frequently
Decision
The service met point 8 of the Standard.
What the team has done well
The panel was impressed that:
- the team is working in an agile and iterative way to good effect.
9. Create a secure service which protects users’ privacy
Decision
The service met point 9 of the Standard.
What the team has done well
The panel was impressed that:
- the team reused the Home Office infrastructure to manage the personal data new users will submit, which will therefore be protected with the same guarantees as data managed by other immigration and visas systems.
- no new PII database is being created to store or transmit data between the front- and back-ends. The app will not store any personal data after a transaction has been carried out, not even the outcome of the application.
- the team are aware of security principles behind the creation of web/app services, and are planning to run security testing and procure penetration tests.
What the team needs to explore
Before the next assessment, the team needs to:
- write a threat model, to provide a justification for the measures taken to protect the service, in particular to examine it from a potential attacker’s viewpoint: their motivations, the tools and techniques they might use, and how the team will protect the service from resulting attacks. The security architect (or any partner familiar with cybersecurity) should be familiar with this approach.
- continue engaging with the One Login team to share knowledge and experience of digital identity solutions. Each team has much to gain from each other.
10. Define what success looks like and publish performance data
Decision
The service met point 10 of the Standard.
What the team has done well
The panel was impressed that:
- the team have defined what good looks like for their service and have product goals defined with measures that they regularly review and iterate. They have a plan to breakdown key measures of success across the e2e journey.
What the team needs to explore
Before the next assessment, the team needs to:
- as you iterate your unhappy path keep checking the problems being solved for users can be measured as successful and make sure the feedback loops are in place to collect that qualitative insight.
- since this is a global service, think about how behaviours and definitions of a good user experience may differ from country to country by understanding needs and incorporate how you may need to adapt measures to reflect this.
11. Choose the right tools and technology
Decision
The service met point 11 of the Standard.
What the team has done well
The panel was impressed that:
- the team will reuse as much as possible existing code, libraries, or third-party services.
- for any new software written the technology used is standard within the home office and no advanced-but-unknown tech was selected for this critical service.
- the team have chosen to create an app based on the fact that only apps can read NFC chips and not based on the alleged fact that apps are more popular for users.
What the team needs to explore
Before the next assessment, the team needs to:
- the use of React is debated across government, mostly for accessibility reasons. The team has chosen to use it and therefore must always have in mind the fact that users may be using the app on old devices, limited bandwidth or assistive technology. While it is possible to make a React web app accessible is it a lot more difficult than by not using a JS framework, and the team therefore needs to accommodate for the time it takes to write an accessible React app and the time it takes to check it.
- the team should be prepared to demonstrate that the choices made were the best, especially at Beta assessment.
- the team should monitor ongoing efforts to include an NFC API in browsers, which will eventually make the native app redundant.
12. Make new source code open
Decision
The service did not meet point 12 of the Standard.
What the team has done well
The panel was impressed that:
- the team understands the arguments to make the source code open, even if it’s not in its power to make it happen.
- the team is making sure the service isn’t locked-in to working with a single supplier and is developing a contingency plan in case suppliers change.
What the team needs to explore
Before the next assessment, the team needs to:
- do its best to convince the decision makers on cyber-security that opening source code should be done for many reasons, but also it is official Government guidance.
- the team needs to open the source code written for this service unless they can demonstrate that either: the code contains keys and credentials, it includes algorithms used to detect fraud, or it reflects some unreleased policy.
- the team should also demonstrate at Beta assessment that the Home Office will own all intellectual property developed by third parties for this service.
13. Use and contribute to open standards, common components and patterns
Decision
The service met point 13 of the Standard.
What the team has done well
The panel was impressed that:
- the team have used GDS and Home Office design patterns appropriately.
- they have contributed improvements to the Home Office passport details design pattern (for use in their service and others).
- the designers have engaged with other GDS, Home Office and HMRC app teams to encourage design consistency and collaboration across our apps. -they have adapted our web focused design patterns to align with the iOS and Android app design guidelines.
- they have provided convincing explanations for decisions such as not using GOV.UK Pay or One Login ID verification.
What the team needs to explore
Before the next assessment, the team needs to:
- make sure that the controversial choice of using React in the web app properly argued for (see point 9 above).
- create a decision log to document the arguments for high-level choices relating to reusing (or not) common components.
14. Operate a reliable service
Decision
The service met point 14 of the Standard.
What the team has done well
The panel was impressed that:
- the team have carried out a thorough estimate of the service’s expected transaction volumes, including usage rate and peak loads.
- the service will run in containers deployed and managed by Kubernetes, which should greatly facilitate scaling, as needed.
- the team have developed a performance/stress test framework to ensure reliability.
- the deployment pipeline includes many checks before going to live, but also allows for quick deployment of critical bug-fixes.
What the team needs to explore
Before the next assessment, the team needs to:
- regularly run incident simulations during private beta to test failure remediation, including testing the user experience if the service goes offline for any duration.
- document what needs to happen should the business partner change.
Published 11 December 2023