Thursday, September 11, 2008

The Apparently Unregistered Computer Forensic Guru

Today's update on this whole nasty mess, from here in the Bat Cave.

I received a voice mail message from John Dell at Worcestershire Trading Standards --- and called him back. The hard drive with all of our data, and the CD-ROM with the report from the independent IT forensic expert would be delivered to me this afternoon. Sure enough, a young Trading Standards officer walked down the driveway to the farm gate, handed me a plastic bag sealed with a red evidence tag, and asked me to please sign a receipt.

He also gave me a compliments slip on which someone at Trading Standards had written the name of their computer expert:

Phill Hatton
Phill Hatton Forensic Computing Ltd.
P.O. Box 4523
Wolverhampton WV1 9BR

I did another search on the Information Commissioner's website, and even called their office: neither Mr. Hatton nor his business appears to be registered as a data controller --- as required under the provisions of the Data Protection Act 1998. An expert who overlooked the simple step of registration. You can even register online: I did.

While I am not a solicitor, it would appear that his handling of our data --- most of it our own personal data --- was not legal.

So I sent Mr. Hatton an e-mail this afternoon. I copied the folks at the County Council, and Tom Wells --- the gentleman who is both our District and County Councillor:

From: Craig Walsh
Sent: 11 September 2008 17:55
To: Forensic-computing@blueyonder.co.uk
Cc: Armitage, Judy (CS, Consumer Relations); Richard Slade; Marjorie J. Walsh; Dell, John (ES, TSS); Tom Wells
Subject: Lucies Farm Ltd. - Case 2007-1007
Importance: High

Dear Mr. Hatton ---

We have just received a CD-ROM (labelled “Copy of Report for Mr. C. Walsh – 11-9-08”) and a hard drive in a tape cassette box from the Trading Standards Department at Worcestershire County Council.

Included on the CD-ROM are an undated, unsigned “Statement of Witness” apparently prepared by you on 5 May 2008, a copy of your CV dated 9 July 2007, and your “Standard Terms and Conditions” dated 9 April 2007.

I understand from your “Statement of Witness” that you and your colleague, Mr. Andrew Turner, came into our residence on 10 January 2008 and --- among other things --- took copies of many of the files on my computer and the file server. According to your statement: “I decided that the most appropriate means of recovering the Outlook PST file containing the calendar data was to remove that hard drive from system 2007-107-01, connect it to my portable forensic PC system and perform a preview of the data using Encase software. I did this and accessed the contents of the drive. I then copied all Outlook files, all Microsoft Word and Excel documents and data folders for Sage and Quicken accounts onto a hard drive installed in my PC system. [...] I identified material of potential interest on the PC system identified as POICSERVER. I determined that this system was the PC tower located in an upstairs bedroom. This system consisted of an older Dell PC tower and an external data storage device. For a number of reasons I decided that shutting this system down and imaging or previewing the drives would not be appropriate and so I accessed the material via the network connection from system 2007-107-02 and copied it onto an external storage hard drive I had brought with me.”

You then explain, “On 10 January 2008 Mr TURNER copied all the recovered data onto a laboratory hard drive and made a further archive copy. On 5 May 2008 I examined the data. I identified the particular Outlook PST file and imported it into an installation of Outlook which did not contain any data. I determined that what appeared to be dog’s names had been entered on various days from January 2005 to January 2008. I produced a series of weekly printouts detailing this information which forms part of appendix B. A version of this listing in Adobe PDF format is present on the working disc. I then organised the data I had recovered from system 2007-107-01 by file type (e.g. Word, Excel etc) and subsequently copied this material to the working disc. I left the material from system 2007- 107-04 as originally organised and also copied this to the working disc.”

From your statements it seems clear that copies of our data were, at least from 10 January 2008 until 5 May 2008 --- and, more likely, from 10 January 2008 until yesterday or today --- under your control and supervision. As you took copies of all Word and Excel documents, this included such items as my letters to the NHS and my solicitors concerning my disability, my letters concerning our personal finances, etc. It was my intention to send you a subject access request under the provisions of the Data Protection Act 1998 (DPA), but I was amazed to note that you do not appear to be registered as a data controller under the provisions of the DPA. I have checked the register on the Information Commissioner’s Office website: http://www.ico.gov.uk/ESDWebPages/search.asp using your name, post code, etc., but have not found a registration. Wishing to give you every benefit of the doubt, I also called the ICO, and they have confirmed that you are not currently registered, nor were you registered during the time period in which you were handling our personal data, as well as data belonging to Lucies Farm Ltd.

There are limited exemptions to registration, but none would seem to apply to you in this instance.

While our data was in your possession, the Council was advising our customers, “All the information is contained on a disc which is held in secure storage at the Trading Standards Service, with restricted access. Information examined has been limited to the customer contact list. I am therefore unable to tell you whether or not your credit card details are contained on this disc, but such information will definitely not be accessed.” But it now appears that this was not completely correct. While one copy of the information may have been held on the disc “held in secure storage,” it is becoming increasingly evident that another, more extensive copy of our data was held by you --- someone not registered under the DPA.

I would appreciate your confirmation that you do not continue to hold any of our data, and would appreciate any comment you may wish to make about your apparent failure to register your business to comply with the DPA.

My wife and I may have no choice other than to file a formal complaint with the ICO about the handling of our data by you and by the Council. I am sending you this e-mail in the spirit of fairness, to give you a few days to offer your comments in the hope that a formal ICO complaint will not be necessary.

To illustrate the seriousness of this matter, attached is a copy of a PDF document that I just downloaded from the ICO website. I find it incredible that the County Council, while investigating our alleged violation of various laws, would themselves use an external consultant to handle our data who appears --- at least based upon the information I’ve gathered this afternoon --- to have violated the provisions of the DPA.

I look forward to hearing from you.

Yours sincerely,


Craig W. Walsh


Mr. Hatton's terms and conditions indicate:

I will use my experience, care and skill in fulfilling your instructions to the best of my ability. However you must be aware that it is essential to the credibility of my evidence that I am an independent expert witness and my primary duty is ultimately to the court rather than my customer.

His CV indicates a virtual alphabet after his name:

Phillip Hatton TD BA(Hons) MTSI MBCS DTS

I'm always a little leery of people who put a lot of letters after their name. I guess it goes back to when I was a young bank employee. I'd just been promoted, and became an officer of the bank. My grand title was Assistant Cashier & Loan Officer. I had an old boss at the time --- a cynical old coot --- and when he saw my eagerness, he pointed out to me, "President is one word."

But I digress.

Companies House records indicate Mr. Hatton was born on 20 December 1963 (let's see how he likes others looking at his personal information). He apparently lives at 18 Allen Road in Wolverhampton:


He attended Wolverhampton Grammar School (1975-1982), and then got a BA (2:2) in Philosophy from St. David's University College in Lampeter in 1987. He joined Wolverhampton Trading Standards upon graduation, and was with them until 2004.

According to his CV he started Forensic Computing Consultants in January 2004. He writes, "I have lectured to students at Manchester Metropolitan University on computer crime and devised and partly delivered a course for the Training Standards Institute on computer seizure and internet investigations."

It is inconceivable to me that he apparently overlooked the simple task of registering under the Data Protection Act 1998, and that the Council didn't bother (as I did) to confirm his registration.

Despite his glowing CV, here are some of the photos he took during his investigation (also included on the CD-ROM):




As you read our tale of woe (if you haven't switched off by now), please ask yourself how you'd like Phill to come and take photos of your computer, and then copy many files onto his hard drive and skedaddle. (He was a bit bothered by the fact that we have 2TB of data storage, but that's what you need to deal with high-res photos.)

I originally looked at Phill's CD-ROM on my MacBook. When I popped it into my PC this evening, it surprised me by auto-running. Up popped his sales pitch and CV and general background information. But the upsetting thing is that the introductory "splash" screen indicated his report was prepared for the Malvern Hills District Council.

So I sent him another e-mail message:

From: Craig Walsh
Sent: 11 September 2008 22:47
To: Forensic-computing@blueyonder.co.uk
Cc: Armitage, Judy (CS, Consumer Relations); Richard Slade; Marjorie J. Walsh; Dell, John (ES, TSS); Tom Wells
Subject: Lucies Farm Ltd. - Case 2007-1007 - Second Message

Dear Mr. Hatton ---

I have just opened your report on my PC --- instead of my MacBook --- and I now see that it has an auto-run feature. Your introductory screen shows that this report was prepared not for the Worcestershire County Council, but for the Malvern Hills District Council (MHDC).

Here’s a screen capture:



I had assumed, prior to seeing this auto-run screen a few minutes ago, that you were hired by the Worcestershire County Council, and your report submitted only to their Trading Standards Department. I certainly obtained your report, today, from the County Council.

It now appears that you may have been hired by the MHDC or may have also provided your report to them. A report that I now see includes such personal items as a listing of my wife’s jewellery (prepared for our insurance company), personal medical information, privileged correspondence sent to our solicitors, etc.

Does this mean that our personal data was also sent to the MHDC? If so, then Ms. Blanchard’s assurance to our customer (sent by her at 3:49 PM on 18 August 2008) becomes even more misleading and inaccurate:

“All the information is contained on a disc which is held in secure storage at the Trading Standards Service, with restricted access. Information examined has been limited to the customer contact list. I am therefore unable to tell you whether or not your credit card details are contained on this disc, but such information will definitely not be accessed.”

Please immediately confirm if you have also sent your CD-ROM to the District Council, and, if so, the name of the person at the MHDC who received this information. We are entitled to this information under the provisions of the Data Protection Act 1998 --- your response is not optional. While responding, please advise the name and contact details of all other parties that may have received this CD-ROM.

I look forward to hearing from you in response to the foregoing question, and to my earlier e-mail, as a matter of urgency.

I am, as you may appreciate, incandescent with rage at the manner in which our personal details have apparently been handled, by someone who hasn’t even taken the time (apparently) to register under the provisions of the Data Protection Act.

I look forward to hearing from you.

Yours sincerely,

Craig W. Walsh
