Thursday, September 18, 2008

Without Prejudice? Without A Clue

Our solicitor just forwarded us this message from Phill Hatton, the computer forensic expert employed by the Worcestershire County Council. I didn't receive the original of this message: our "Heath Robinson" computer system must have decided it was spam:

From: Phill Hatton [mailto:forensic-computing@bulldog-office.com]
Sent: 12 September 2008 10:09
To: Craig Walsh
Cc: Armitage, Judy (CS, Consumer Relations); Slade, Richard; Marjorie J. Walsh; Dell, John (ES, TSS); Tom Wells; David DeMaid
Subject: Re: Lucies Farm Ltd. - Case 2007-1007 - Second Message

Mr Walsh

WITHOUT PREJUDICE

In response to your points:

1) I do not need to be registered under the Data Protection Act as I am not a data controller - I merely process other organisations' data (e.g. police forces and other enforcement bodies) on their behalf. Any Data Protection requests should be directed to the organisation seizing the data (in this case Worcestershire Trading Standards). However a number of exemptions apply because the information was obtained for the prevention or detection of crime.

2) I have confirmed that I am not required to register under the DPA with the ICO this morning, although I already knew this was the case.

3) My initial understanding was that Malvern Hills District Council were employing me for the investigation and commissioning the report. Thus their name appeared as the submittors. In the event, after the warrant execution, all my dealings were with Trading Standards and I ultimately sent the report to them. I have not sent a copy of my report, either electronic or paper, to MHDC. In my experience this is not an unusual state of affairs when dealing with a multi-agency investigation of this type.

4) You have commented that the witness statement on the disc is not dated or signed. The signed paper version (dated 5 May 2008) is with Trading Standards.

5) The hard drive with which you have been supplied contains a copy of all the data recovered from your system (and a copy of the material forming my report). In general terms the seizure of data not directly related to the case under investigation is regulated by Part 2 of the Criminal Justice and Police Act 2001 which clearly allows such seizure in the circumstances. In any event in this era of proceeds of crime investigations personal data of many kinds may be relevant to the case.

6) I have no personal knowledge of any statements made to you or your customers by Trading Standards staff and can make no comment on such matters.

7) I continue to hold two copies of the data recovered from your system. The material supplied on hard drive to you is a further third copy I have made. I hold this data on behalf of Trading Standards and will delete it in a secure manner when instructed to do so by them. I understand that various matters are still on-going, including requests and complaints made by yourself and that deletion of the data could prejudice responses to these matters. Any requests for this data to be deleted should be made directly to Trading Standards and not to me.

8) To anticipate an inevitable further question I hold two copies in case technical issues or hardware malfunction render one inaccessible.

9) The hard drive supplied contains a copy of ALL the data I have relating to your case, other than various e-mails etc. to and from Trading Standards and the physical paper versions of my forms and contemporaneous notes (scanned copies of which have been supplied).

10) The data I currently hold is being stored in a secure manner at my premises. I am not prepared to discuss these security arrangements with you but they have been found appropriate by a range of police and law enforcement clients.

11) In all matters pertaining to this case I have acted as an agent of Worcestershire Trading Standards and MHDC. I do not believe there is any further benefit in you communicating directly with me over these matters and request that further communications, data protection requests etc. be directed to the appropriate agency. Any issues requiring my action or comment can then be forwarded to me.

Regards

Phill Hatton


I sent another e-mail to the data protection folks at Worcestershire County Council: won't bore you (or me) by repeating it again here. I received a reply this afternoon from the head of Trading Standards:

From: "Wilkes, Simon (ES, TSS)"
Date: Thu, 18 Sep 2008 09:26:30 -0400
To: Craig Walsh
Cc: "Stilgoe, Kevin (ES)"
Subject: FW: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES

Mr Walsh,

To ease your concerns regarding secure data storage, I have arranged with Mr Hatton to take the data from him. It will be collected from Mr Hatton and returned to the County Council tomorrow. Two copies will be held in case of the failure of one of the holding devices. I think this is reasonable. Mr Hatton will remove the data from his systems once the transfer is complete. He will then hold none of your data.

Simon Wilkes
Operations Manager


I replied by return, with copies to some of the Council leaders (I obtained their e-mail addresses the old fashioned way --- from their web pages):

From: Craig Walsh
Sent: 18 September 2008 15:55
To: Wilkes, Simon (ES, TSS)
Cc: Stilgoe, Kevin (ES); Richard Slade; Armitage, Judy (CS, Consumer Relations); [...] sjclee@tinyonline.co.uk; aedavies@worcestershire.gov.uk; Tom Wells; jeremy@webb79.freeserve.co.uk
Subject: Re: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES
Importance: High

Dear Mr. Wilkes ---

Thank you for your e-mail.

I am in agreement with your approach, but with two important caveats:

First Caveat:

You provide a clear undertaking on the part of the Worcestershire County Council that once the Council has received the data back from Hatton tomorrow that there are no other copies of our data anywhere but in the custody of the Worcestershire County Council. We have been very frustrated by the many contradictory statements given by your colleagues, and this has caused us to have no faith in their veracity.

Don’t believe me? In her letter of 12 February 2008 to our solicitor at the time, David deMaid, Tracey Blanchard wrote, “Photographs were not taken during the raid.”

This is not true.

The Hatton disc contains a folder called Admin/Photos that contains 34 items. I attach a couple of the photos to illustrate my point. One image (0001.jpg) is of my desk, and the second is the computer in the farm office (0023.jpg). Blanchard was present when these photos were taken by Hatton, yet she still advised our solicitor “photographs were not taken.”


Still don’t believe me? In his letter of 19 March 2008 to Mr. deMaid’s firm --- a letter that we call the “duel” letter --- John Dell wrote, “I am also informed that the information taken from the computer related only to the day to day management of the kennels, details of which will be forwarded to your client as soon as possible. [...] The server in the bedroom was accessed via the network from the main computer in the office and material was obtained from it. This will, of course, be forwarded to your client as soon as it is possible to do so.”

Again, not true.

Mr. Hatton copied every Excel spreadsheet and every Word document that he could find. Only a tiny proportion of the data on the CD-ROM relates to the dog kennel, because our scheduling, register, and reservations software is web-based, and sits on our server in Delaware. Just a look at the file names of some of the Word files will indicate what Hatton seized: “Craig Walsh – RLS – Dr. Webster,” “Mattioli Woods – Transfer of AXA Pensions,” “Worcester Primary Care Trust – Complaint,” etc. This is my personal confidential information, and this data cannot remotely fall into the category of being “related only to the day to day management of the kennels.” Yet that’s what Dell said.

Dell also said we would be sent the computer expert’s report “as soon as possible,” and Blanchard said “once we are in possession of the report from our computer expert, I will forward you a copy.”

Untrue.

We now know that Hatton was the previously unnamed computer expert. In Hatton’s e-mail of 12 September 2008 he indicates, “You have commented that the witness statement on the disc is not dated or signed. The signed paper version (dated 5 May 2008) is with Trading Standards.”

Why wasn’t this report sent to us shortly after 5 May 2008, as both Blanchard and Dell said would happen? In fact as I type this we still haven’t actually received the report --- since that would be the signed report. I am sure you will wish to correct this continued oversight --- see Caveat 2, below.

Still not convinced?

By e-mail dated 18 August 2008 Blanchard advised one of our customers, “All [emphasis added] the information is contained on a disc which is held in secure storage at the Trading Standards service, with restricted access. Information examined has been limited to the customer contact list.”

Not true.

Blanchard did not advise our customer that Hatton was also holding not one, but two, copies of our data. And Hatton certainly did not limit his examination to the customer contact list.

Still can’t understand why we don’t trust you and your colleagues?

Attached is a PDF file containing letters sent by Blanchard to me and to our customers on 4 September 2008. She advises me, “With regard to the data recovered from your computer, this was recorded on one disc, which has been held in a secure location at the Trading Standards office, with restricted access. Now that the investigation is complete, the disc will be destroyed.”

This is --- as we have learned --- absolutely not true.

Blanchard did not mention --- neither to me, nor to any of our customers --- that Hatton was holding two copies of our data in Wolverhampton. He is holding such a substantial amount of data that it doesn’t fit on a CD-ROM: it needs a computer hard drive.

It is nothing short of outrageous that your colleagues are entrusted to investigate whether the descriptions of our business on our web site are truthful or not --- and, if untruthful, “would give rise to possible offences being committed under the Trade Descriptions Act 1968 There could, of course, also be offences committed under The Fraud Act 2006” [to quote from Blanchard’s 12 February 2008 letter].

Does it not strike you as ironic that in the process of conducting their investigations of our veracity, your colleagues have apparently lied to us and to our customers on numerous occasions? Do you believe that the end justifies the means, and do you really believe that this incredible behaviour is acceptable? Do you and your colleagues believe that the niceties of the law somehow do not apply to how you handle these investigations?

You are aware that we have also filed a formal complaint with the Council on the whole issue of how this investigation was handled. This e-mail is limited to the single issue of the handling of our data. I would imagine that a referral to the Local Government Ombudsman is inevitable, and wonder how the Ombudsman’s office will view the facts that I have outlined above.

Our customers have sent us copies of all forms, letters, and e-mail messages sent to Trading Standards in response to the August questionnaire.

Second Caveat:

For the reasons stated above, we do not trust your colleagues to continue to hold our data. We would expect that our data --- all of our data --- be moved from the custody and control of Trading Standards to the custody and control of your Data Protection colleagues, or your legal department.

My wife and I wish to come to the Council offices tomorrow, once you have received the information back from Hatton, and to be shown where it will be held in the Council offices. At the same time, we will pick up the original copy of your undertaking, and will pick up the photocopy of Mr. Hatton’s report.

There is, I understand, an obligation to disclose all evidence to us, so if there are other parts of Hatton’s report that have not (as yet) been disclosed, I am hopeful that you will wish to promptly cure this oversight.

Please promptly confirm your agreement to these two caveats. Failing to receive your agreement, I will have no choice but to reluctantly proceed with my complaint to the ICO, as outlined in my earlier e-mail message.

I understand you are a busy man, Mr. Wilkes. This investigation has caused Marjorie and me considerable distress, and I would hope that you would recognise this and will give this matter your priority attention. I have tried to be factual and unemotional in this, and earlier, e-mail messages. I hope you will understand from the foregoing how incandescent we are with anger over the manner in which we have been treated, and this investigation handled.

I hope to hear from you by return.

Yours sincerely,

Craig W. Walsh

I did hear by return, surprisingly:

From: "Wilkes, Simon (ES, TSS)"
Date: Thu, 18 Sep 2008 11:58:52 -0400
To: Craig Walsh
Cc: "Dean, Lucy (ES)", "Dell, John (ES, TSS)", "Lewis, Sarah (ACS, Cultural Services)"
Subject: RE: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES

Mr Walsh

In relation to your caveats:

1. Since I would not wish to mislead you, I will ask Mr Dell and Mrs Blanchard the question again on Monday. To my knowledge at this moment in time, the only copies of your data will be the ones held by the County Council, once the information has been taken from Mr Hatton.

2. I have asked the Data Protection Officer to investigate the possibility of holding this information in a place other than the Trading Standards secure store. She will not have an answer for me before tomorrow. In any event I doubt very much that you will be allowed to see the exact location where this information is to be stored. I will confirm this tomorrow. As far as a paper copy of Mr Hatton's report is concerned, our Data Protection Officer has indicated that we will provide you with a paper copy of this when we disclose the information to which you are entitled. She is concerned to ensure that you get everything that the law allows, and to send things out piecemeal will risk something being missed.

I therefore cannot conform with the caveats that you have asked for. I do however, offer you my assurance that your data will be held in a secure manner.

Simon Wilkes
Operations Manager

How nice. Now they don't want to "mislead" us.

I replied that I couldn't see why speaking with Dell & Blanchard had to wait until Monday. Even if not in the office, surely they wouldn't be far from a telephone. And I suggested that if there wasn't a suitable place in the Council offices away from the control of Trading Standards, then why not put our data in the hands of a local solicitor or bank? A simple escrow agreement could be drawn up saying that both parties would need to consent to the release of the data.

I also tried to make the point that this data was different from data that the Council held about Marjorie, me, or Lucies Farm Ltd. This wasn't the Council's data about us --- this data belongs to us.

I suggested that the Council take advice from their solicitor, or from the Information Commissioner's Office. But in view of the stupendous arrogance they have displayed to date, I doubt they'll do that. They clearly consider themselves above the law --- while, at the same time, enforcing the law.

Make you proud to be British?
