"I'm sorry sir, he's in a meeting."

That should be the official motto of the Worcestershire County Council. In my recent experience, the folks I wanted to speak to were either in a meeting, work a four-day week, were on holiday, or had actually left the Council.

The Council's website helpfully shows the date when each page was modified, and the name of the person who handled the modification. As I tried to find out who actually was in charge of Data Protection issues, I used the website and several times I called numbers for people who were long gone.

I received a e-mail message from Lucy Dean at about 9:00 PM on Thursday night --- now there's someone who's devoted to her job.

Lucy wrote:

From: "Dean, Lucy (ES)"
Date: Thu, 18 Sep 2008 15:47:21 -0400
To: Craig Walsh Subject:
RE: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES

Hi Craig

Sorry for not getting back to you yesterday. I was out of the office yesterday afternoon, and on leave today and Simon Wilkes was at the court yesterday on a case, so unfortunately I didn't get to speak to him until after I had left the office. We did catch up when he returned to the office, over a phone call, and he was going to looking into moving your data to a secure holding within County Hall. As I have been on leave today I haven't had chance to catch up with him, but I will try to get an update tomorrow and will then you.

Kind Regards

Lucy

I replied to Lucy at 9:17 PM. Now some of you reading this may think my message to Lucy was unfair, and perhaps it was. I just ask, however, that you put yourselves in our shoes, and remember that we have had eight months of this --- and we are squabbing over my data, not the Council's.

My message to Lucy:

Hi, Lucy ---

Gosh, Lucy, you’re working late!

There was an exchange of e-mail messages today, and I thought Simon copied you on these. I posted them in my blog at www.doggie-blog.com if you haven’t received them.

I understand, and accept, that the Council needs to retain its data on Marjorie, on me and on Lucies Farm Ltd. The Council’s data belongs to the Council, and I accept that I generally have no right to come in and say, “Lucy, I want you to please erase this.” I have no real problem with that --- except I don’t trust your colleagues in Trading Standards based upon their contradictory, and false, statements to me. I wish it were otherwise, Lucy, but it isn’t --- and the Council can’t go back and change what’s already been done.

But I feel that my data --- the data on Hutton’s hard drives and on the CD-ROM --- is totally different. I can’t understand why the Council won’t accept that the ownership of this data vests with me, and not with the Council. It’s my data, not the Council’s data. And as the owner --- clearly the owner --- of the data, I should be able to specify what happens to that data. And I specify that it be returned to me without delay, and with confirmation that no copies have been retained by anyone (Hutton, WCC, MHDC --- anyone).

I accept that the Council can retain (for example) a copy of Hutton’s report should it wish to do so. But the data that Hutton took from my computer is not part of his report --- it’s my data.

Another way around this, I suppose, would be for Marjorie and me to formally withdraw our disclosure requests under the DPA 1998, and Lucies Farm Ltd. to formally withdraw its disclosure request under the Freedom of Information Act. I understand from Simon’s earlier message that once the disclosure requests are satisfied, the Council would return my data. And our withdrawal of the requests would presumably satisfy them. So Marjorie and I could stop by your office tomorrow afternoon, formally withdraw the two DPA 1998 and one Freedom of Information Act requests, and you could hand over my data. We would then, of course, simply file fresh DPA 1998 and Freedom of Information Act disclosure requests. We’re entitled to do this. We’d do these the next business, and are happy to pay a fresh Stg 20.00 fee to the Council. Seems convoluted, but it is absolutely consistent with Simon’s earlier assurance.

I hope that common sense can prevail and that the Council, instead of continuing to display total arrogance, will simply apologise for all of the contradictory statements made by Trading Standards officers, hand over all copies of my data, and give us a simple letter confirming that no copies of my data have been retained by anyone.

If I complain to the ICO, do you honestly think they will see it any other way? Or when this is (almost inevitably) reviewed by the Local Government Ombudsman, do you think they will be pleased with the Council’s actions in this matter?

It should also be apparent from the cc’s on my earlier messages that the Worcester Evening News is about to do a story on this whole unpleasant affair. We are also working on getting the Telegraph interested in covering this. Do you think the ratepayers of Worcestershire will think that the Council had a right to continue to hold my data: my medical records, personal financial records, etc.?

I also don’t want you, and your colleagues, sifting through my data. You’re a nice lady, but the contents of my files are personal and I don’t want Council officials --- nice or nasty --- reading them.

I haven’t copied anyone else on this message, Lucy. I can imagine that life in the Council is pretty political, and that you have to deal with all sorts of egos and levels of bureaucracy.

I just want the Council to do the right thing --- hand me back my data tomorrow.

Will 3:30 PM work for you?

Kind regards,

Craig

It was not my intention to post this message here, but subsequent events led me to change my mind.

Yesterday morning (Friday) Marjorie was driving up to Birmingham to pick up a doggie guest, and I tagged along for the ride. My Blackberry rang: it was Judy Armitage, the Council's Customer Services Officer. Her request to me --- at least as I understood it --- was for me to please leave the Council alone, and let them get on with handling our formal complaint and our data disclosure requests. She explained that having to deal with my e-mail messags was causing problems.

I explained, politely, that I agreed entirely --- with one major exception: I wanted my data back.

It would take five minutes for someone with authority in the Council to simply make a decision: give this guy back his data. That is if folks in the Council actually spent some time at their desk.

Judy said she'd check further and would call me back.

And, sure enough, she did. She couldn't reach people, in meetings, etc. So I asked her to please give me the names and contact details for the people who were in charge of data protection and Trading Standards. At this point --- while Judy admitted that I hadn't sworn or shouted at her, or been rude (what would be the point of me doing that?) --- she said she was feeling "stressed" and "upset."

I apologised to Judy. She sounds like a nice lady, and it was never my intention to upset her --- or anyone. But I told Judy that my wife and I had also been upset, not just for the past few days but for the past eight months. That on may occasions Marjorie had been reduced to tears. And I just didn't want to now feel like I was walking on egg shells when dealing with someone who is, after all, the Customer Services Officer.


While I wasn't swearing or yelling, I would bet that others do. And I don't know that the Council --- or the public --- is well served by having a Customer Services Officer who is a fragile violet. (If you're reading this, Judy --- I am truly sorry. But perhaps dealing with upset customers is not the best career path for you.)

Judy told me that John Hobbs is the man in overall charge of Trading Standards, and she reluctantly gave me his telephone number, 01905-766-701. I also asked Judy for the cotact details for the Chief Executive, and Judy told me that --- are you ready? --- the Chief Executive was "in a meeting." I asked Judy for the name and number anyway, and she gave me the name of Trish Haines, and 01905-766-100.

I called Mr. Hobbs' number a dozen times, and there was no answer --- no voice mail, nothing.

I called Ms. Haines' number. Yes, she was in a meeting and her PA was also away from her desk. I left a mesage for her PA to please return my call.

I then tried to find the Council's Data Protection Officer. This search led me to out-of-date Council web pages, with contact details of people no longer there.

In the meantime I tried Hobbs again. The phone was answered, on what was probably the 10th ring, by what sounded like a little old lady. She explaind that she, too, was looking for Hobbs or for his PA, but that there was nobody in the office. The Mary Celeste!

I tried the legal department. I was told that the solicitor who would normally handle this was --- guess what? --- out for the day. The lady I spoke with, Judith, said she was the PA for the head of the legal departmet and that she would personally be sure someone called me back yesterday. Nobody did. Yet another broken promise.

The PA for Ms. Haines --- Rosemary Robinson --- did call me back, and she (too) said she'd have someone call me back. Nobody did. Keeping track of the broken promises?

I finally found out from a very helpful David Onions --- who was in a meeting, but to his infinite credit came out to take my call --- that the Council's Data Protection Officer is Sarah Lewis.

And I was able to speak with Ms. Lewis.

She did not really understand the differene between the Council's data about us, and the fact that the data seized from our house was my data. She felt that the Council had to go through my data to index it.

I said that the Council had already advised us, and our customers, that the data had been destroyed. And that I objected strongly to it being indexed, as it had nothing to do with the investigation --- an investigation that had, in any event, been closed.

Sarah assured me that she would keep all the information "confidential." I said that I had no reason to believe that she would not keep it confidential --- but that it was none of the Council's business, and wasn't the Council's property.

Her next point was that the Council retained information from investigatons for six years. I said that might be the case, and I didn't mind the Coucil keeping its own information for six years, but that I wanted my information --- all of it --- back now. And the only reason to index it was to comply with our disclosure requests, which we would happly withdraw. (And later re-submit.)

Sarah confirmed that the data had been recovered from Hatton, and that it had been given to her in a sealed bag with an evidence tag. She said it would be held under her control and the seal would not be broken.

She sent me the following e-mail:

From: Lewis, Sarah (ACS, Cultural Services) [mailto:SLewis2@worcestershire.gov.uk]
Sent: 19 September 2008 16:36
To: Craig Walsh
Subject: Information held

Dear Mr Walsh

Further to our conversation this afternoon, I can confirm that the data returned by Mr Hatton is in a box in a sealed bag that is held securely in the Corporate Information Management Unit at County Hall.

You stated on the phone that you do not wish anyone to open the sealed bag and to have access to this information, and that you do not wish the information held within the bag to be considered as part of your Subject Access Request. Please can you confirm by return email that this is the case.

Yours sincerely

Sarah

Sarah Lewis
Information Access Officer
Worcestershire County Council
County Hall
Spetchley Road
Worcester WR5 2NP
Tel: 01905 728544
Fax: 01905 766698
http://www.worcestershire.gov.uk/records

I replied promptly:

From: Craig Walsh
Date: Fri, 19 Sep 2008 11:50:14 -0400
To: "Lewis, Sarah (ACS, Cultural Services)"
Cc: "Armitage, Judy (CS, Consumer Relations)" , Marjorie Walsh Richard Slade, [...] "Wilkes, Simon (ES, TSS)" , "Dean, Lucy (ES)"

Subject: RE: Information held

Dear Sarah:

Thank you for taking the time to speak with me this afternoon, and for your follow-up e-mail.

Yes, it is my wish --- and that of my wife, Marjorie (I am her attorney-in-fact), and that of Lucies Farm Ltd. (I am a director of the Company) --- that this bag remain sealed, that it absolutely not be considered as part of our pending subject access requests, and that the sealed bag be returned to us as soon as possible.

We can see no reason why the sealed bag cannot be returned to us as early as Monday.

You have given me your undertaking that this sealed bag is not under the control of Trading Standards, and that nobody will open the bag without our prior consent. For the record, and for the avoidance of any doubt, can you please e-mail me with the serial number on the seal?

I have had a nice chat with Ms. Smith, and she has promised to call me back today. My other calls --- to Rosemary Robinson in Ms. Haines’ office and to Judith in your legal department --- have not resulted in the promised call-backs.

More broken promises, I’m afraid, from the Worcestershire County Council.

Kind regards,

Craig

I asked Sarah for the name of her boss. Apparently Sarah's boss is out on medical leave. And her boss? Amanda Smith, the Heritage Manager.

I had a very nice chat with Amanda. I said, "I understand you're the boss' boss of the Data Protection Officer." She said she wasn't, but then realised she was. Amanda explained that she was new to the Council.

Amanda listened to my tale of woe, said she'd see what she could find out, and she did call me back. She apologised for the fact that no one person had been my point of contact at the Council, and that had left me to wander through the Council's website and try to track people down. (Although it wasn't discussed, I think this one-point-of-contact role should have been played by Judy Armitage, but she never stepped up to the plate to do this.)

Amanda explained that someone should make the "strategic" decision to hand us back our data, and that a meeting --- there we go again ---- on Tuesday to discuss this. Apparently Sarah Lewis and Simon Wilkes, at least, would be at this meeting.

Amada said that my telephone calls that day, including to the Chief Executive's office, had achieved the desired result of getting people's attention. Amanda also offered to send me the details of the elected councillor with responsibility for these issues.

I advised Amanda that I'd already sent e-mail messages to Cllr Alwyn Davies (who I believe is the Chairman of the Council) and Cllr Jeremy Webb.

Surprise. Neither of them have replied.

I'm now off to prepare my formal complaint to the Information Commissioner's Office. In getting ready to do so, I read this on the ICO website:

The Act [...] states that anyone who processes personal information must comply with eight principles, which make sure that personal informaton is:

1. Fairly and lawfully processed
   
2. Processed for limitied purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Not kept for longer than is necessary
6. Processed in line with your rights
7. Secure
8. Not transferred to other countires without adequate protection.

Without Prejudice? Without A Clue

Our solicitor just forwarded us this message from Phill Hatton, the computer forensic expert employed by the Worcestershire County Council. I didn't receive the original of this message: our "Heath Robinson" computer system must have decided it was spam:

From: Phill Hatton [mailto:forensic-computing@bulldog-office.com]
Sent: 12 September 2008 10:09
To: Craig Walsh
Cc: Armitage, Judy (CS, Consumer Relations); Slade, Richard; Marjorie J. Walsh; Dell, John (ES, TSS); Tom Wells; David DeMaid
Subject: Re: Lucies Farm Ltd. - Case 2007-1007 - Second Message
Mr Walsh

WITHOUT PREJUDICE

In response to your points:

1) I do not need to be registered under the Data Protection Act as I am not a data controller - I merely process other organisations' data (e.g. police forces and other enforcement bodies) on their behalf. Any Data Protection requests should be directed to the organisation siezing the data (in this case Worcestershire Trading Standards). However a number of exemptions apply because the information was obtained for the prevention or detection of crime.

2) I have confirmed that I am not required to register under the DPA with the ICO this morning, although I already knew this was the case.

3) My initial understanding was that Malvern Hills District Council were employing me for the investigation and commissioning the report. Thus their name appeared as the submittors. In the event, after the warrant execution, all my dealings were with Trading Standards and I ultimately sent the report to them. I have not sent a copy of my report, either electronic or paper, to MHDC. In my experience this is not an unusual state of affairs when dealing with a multi-agency investigation of this type.

4) You have commented that the witness statement on the disc is not dated or signed. The signed paper version (dated 5 May 2008) is with Trading Standards.

5) The hard drive with which you have been supplied contains a copy of all the data recovered from your system (and a copy of the material forming my report). In general terms the seizure of data not directly related to the case under investigation is regulated by Part 2 of the Criminal Justice and Police Act 2001 which clearly allows such seizure in the circumstances. In any event in this era of proceeds of crime investigations personal data of many kinds may be relevant to the case.

6) I have no personal knowledge of any statements made to you or your customers by Trading Standards staff.and can make no comment on such matters.

7) I continue to hold two copies of the data recovered from your system. The material supplied on hard drive to you is a further third copy I have made. I hold this data on behalf of Trading Standards and will delete it in a secure manner when instructed to do so by them. I understand that various matters are still on-going, including requests and complaints made by yourself and that deletion of the data could prejudice responses to these matters. Any requests for this data to be deleted should be made directly to Trading Standards and not to me.

8) To anticipate an inevitable further question I hold two copies in case technical issues or hardware malfunction render one inaccessible.

9) The hard drive supplied contains a copy of ALL the data I have relating to your case, other than various e-mails etc.to and from Trading Standards and the physical paper versions of my forms and contemporaneous notes (scanned copies of which have been supplied).

10) The data I currently hold is being stored in a secure manner at my premises. I am not prepared to discuss these security arrangements with you but they have been found appropriate by a range of police and law enforcement clients.

11) In all matters pertaining to this case I have acted as an agent of Worcestershire Trading Standards and MHDC. I do not believe there is any further benefit in you communicating directly with me over these matters and request that further communications, data protection requests etc. be directed to the appropriate agency. Any issues requiring my action or comment can then be forwarded to me.

Regards

Phill Hatton

I sent another e-mail to the data protection folks at Worcestershire County Council: won't bor you (or me) by repeating it again here. I received a repy this afternoon from the head of Trading Standards:

From: "Wilkes, Simon (ES, TSS)"
Date: Thu, 18 Sep 2008 09:26:30 -0400
To: Craig Walsh
Cc: "Stilgoe, Kevin (ES)"
Subject: FW: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES

Mr Walsh,

To ease your concerns regarding secure data storage, I have arranged with Mr Hatton to take the data from him. It will be collected from Mr Hatton and returned to the County Council tomorrow. Two copies will be held in case of the failure of one of the holding devices. I think this is reasonable. Mr Hatton will remove the data from his systems once the transfer is complete. He will then hold none of your data.

Simon Wilkes
Operations Manager

I replied by return, with copies to some of the Council leaders (I obtained their e-mail addresses the old fashioned way --- from their web pages):

From: Craig Walsh
Sent: 18 September 2008 15:55
To: Wilkes, Simon (ES, TSS)
Cc: Stilgoe, Kevin (ES); Richard Slade; Armitage, Judy (CS, Consumer Relations); [...] sjclee@tinyonline.co.uk; aedavies@worcestershire.gov.uk; Tom Wells; jeremy@webb79.freeserve.co.uk
Subject: Re: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES
Importance: High

Dear Mr. Wilkes ---

Thank you for your e-mail.

I am in agreement with your approach, but with two important caveats:

First Caveat:

You provide a clear undertaking on the part of the Worcestershire County Council that once the Council has received the data back from Hatton tomorrow that there are no other copies of our data anywhere but in the custody of the Worcestershire County Council. We have been very frustrated by the many contradictory statements given by your colleagues, and this has caused us to have no faith in their veracity.

Don’t believe me? In her letter of 12 February 2008 to our solicitor at the time, David deMaid, Tracey Blanchard wrote, “Photographs were not taken during the raid.”

This is not true.

The Hatton disc contains a folder called Admin/Photos that contains 34 items. I attach a couple of the photos to illustrate my point. One image (0001.jpg) is of my desk, and the second is the computer in the farm office (0023.jpg). Blanchard was present when these photos were taken by Hatton, yet she still advised our solicitor “photographs were not taken.”

Still don’t believe me? I his letter of 19 March 2008 to Mr. deMaid’s firm --- a letter that we call the “duel” letter --- John Dell wrote, “I am also informed that the information taken from the computer related only to the day to day management of the kennels, details of which will be forwarded to your client as soon as possible. [...] The server in the bedroom was accessed via the network from the main computer in the office and material was obtained from it. This will, of course, be forwarded to your client as soon as it is possible to do so.”

Again, not true.

Mr. Hatton copied every Excel spreadsheet and every Word document that he could find. Only a tiny proportion of the data on the CD-ROM relates to the dog kennel, because our scheduling, register, and reservations software is web-based, and sits on our server in Delaware. Just a look at the file names of some of the Word files will indicate what Hatton seized: “Craig Walsh – RLS – Dr. Webster,” “Mattioli Woods – Transfer of AXA Pensions,” “Worcester Primary Care Trust – Complaint,” etc. This is my personal confidential information, and this data cannot remotely fall into the category of being “related only to the day to day management of the kennels.” Yet that’s what Dell said.

Dell also said we would be sent the computer expert’s report “as soon as possible,” and Blanchard said “once we are in possession of the report from our computer expert, I will forward you a copy.”

Untrue.

We now know that Hatton was the previously unnamed computer expert. In Hatton’s e-mail of 12 September 2008 he indicates, “You have commented that the witness statement on the disc is not dated or signed. The signed paper version (dated 5 May 2008) is with Trading Standards.”

Why wasn’t this report sent to us shortly after 5 May 2008, as both Blanchard and Dell said would happen? I fact as I type this we still haven’t actually received the report --- since that would be the signed report. I am sure you will wish to correct this continued oversight --- see Caveat 2, below.

Still not convinced?

By e-mail dated 18 August 2008 Blanchard advised one of our customers, “All [emphasis added] the information is contained on a disc which is held in secure storage at the Trading Standards service, with restricted access. Information examined has been limited to the customer contact list.”

Not true.

Blanchard did not advise our customer that Hatton was also holding not one, but two, copies of our data. And Hatton certainly did not limit his examination to the customer contact list.

Still can’t understand why we don’t trust you and your colleagues?

Attached is a PDF file containing letters sent by Blanchard to me and to our customers on 4 September 2008. She advises me, “With regard to the data recovered from your computer, this was recorded on one disc, which has been held in a secure location at the Trading Standards office, with restricted access. Now that the investigation is complete, the disc will be destroyed.”

This is --- as we have learned --- absolutely not true.

Blanchard did not mention --- neither to me, nor to any of our customers --- that Hatton was holding two copies of our data in Wolverhampton. He is holding such a substantial amount of data that it doesn’t fit on a CD-ROM: it needs a computer hard drive.

It is nothing short of outrageous that your colleagues are entrusted to investigate whether the descriptions of our business on our web site are truthful or not --- and, if untruthful, “would give rise to possible offences being committed under the Trade Descriptions Act 1968 There could, of course, also be offences committed under The Fraud Act 2006” [to quote from Blanchard’s 12 February 2008 letter].

Does it not strike you as ironic that in the process of conducting their investigations of our veracity, your colleagues have apparently lied to us and to our customers on numerous occasions? Do you believe that the end justifies the means, and do you really believe that this incredible behaviour is acceptable? Do you and your colleagues believe that the niceties of the law somehow do not apply to how you handle these investigations?

You are aware that we have also filed a formal complaint with the Council on the whole issue of how this investigation was handled. This e-mail is limited to the single issue of the handling of our data. I would imagine that a referral to the Local Government Ombudsman is inevitable, and wonder how the Ombudsman’s office will view the facts that I have outlined above.

Our customers have sent us copies of all forms, letters, and e-mail messages sent to Trading Standards in response to the August questionnaire.

Second Caveat:

For the reasons stated above, we do not trust your colleagues to continue to hold our data. We would expect that our data --- all of our data --- be moved from the custody and control of Trading Standards to the custody and control of your Data Protection colleagues, or your legal department.

My wife and I wish to come to the Council offices tomorrow, once you have received the information back from Hatton, and to be shown where it will be held in the Council offices. At the same time, we will pick up the original copy of your undertaking, and will pick up the photocopy of Mr. Hatton’s report.

There is, I understand, an obligation to disclose all evidence to us, so if there are other parts of Hatton’s report that have not (as yet) been disclosed, I am hopeful that you will wish to promptly cure this oversight.

Please promptly confirm your agreement to these two caveats. Failing to receive your agreement, I will have no choice but to reluctantly proceed with my complaint to the ICO, as outlined in my earlier e-mail message.

I understand you are a busy man, Mr. Wilkes. This investigation has caused Marjorie and me considerable distress, and I would hope that you would recognise this and will give this matter your priority attention. I have tried to be factual and unemotional in this, and earlier, e-mail messages. I hope you will understand from the foregoing how incandescent we are with anger over the manner in which we have been treated, and this investigation handled.

I hope to hear from you by return.

Yours sincerely,

Craig W. Walsh

I did hear by return, surprisingly:

From: "Wilkes, Simon (ES, TSS)"
Date: Thu, 18 Sep 2008 11:58:52 -0400
To: Craig Walsh
Cc: "Dean, Lucy (ES)" , "Dell, John (ES, TSS)" , "Lewis, Sarah (ACS, Cultural Services)"
Subject: RE: FREEDOM OF INFORMATION ACT 2000 & DATA PROTECTION ACT 1998 - INFORMATION REQUEST CONCERNING ALL DATA HELD BY THE COUNCIL ON LUCIES FARM LTD. & YOURSELVES

Mr Walsh

In relation to your caveats:

1. Since I would not wish to mislead you, I will ask Mr Dell and Mrs Blanchard the question again on Monday. To my knowledge at this moment in time, the only copies of your data will be the ones held by the County Council, once the information has been taken from Mr Hatton.

2. I have asked the Data Protection Officer to investigate the possibliity of holding this information in a place other than the Trading Standards secure store. She will not have an answer for me before tomorrow. In any event I doubt very much that you will be allowed to see the exact location where this information is to be stored. I will confirm this tomorrow. As far as a paper copy of Mr Hatton's report is concerned, our Data Protection Officer has indicated that we will provide you with a paper copy of this when we disclose the information to which you are entitled. She is concerned to ensure that you get everything that the law allows, and to send things out piecemeal will risk something being missed.

I therefore cannot conform with the caveats that you have asked for. I do however, offer you my assurance that your data will be held in a secure manner.

Simon Wilkes
Operations Manager

How nice. Now they don't want to "mislead" us.

I replied that I couldn't see why speaking with Dell & Blanchard had to wait until Monday. Even if not in the office, surely they wouldn't be far from a telephone. And I suggested that if there wasn't a suitble place in the Council offices away from the control of Trading Standards, then why not put our data in the hands of a local solicitor or bank? A simple escrow agreement could be drawn up saying that both parties would need to consent to the release of the data.

I also tried to make the point that this data was different from data that the Council held about Marjorie, me, or Lucies Farm Ltd. This wasn't the Council's data about us --- this data belongs to us.

I suggested that the Council take advice from their solicitor, or from the Information Commissioner's Office. But in veiw of the stupendous arrogance they have displayed to date, I doubt they'll do that. They clearly consider themselves above the law --- while, at the same time, enforcing the law.

Make you proud to be British?

Phill Hatton's Messages from His Bat Cave

We have now received two e-mail messages from Phill Hatton. In my opinion, they display an incredible arrogance --- the type of behaviour that now seems to be the norm with local councils throughout Britain. Hatton does not seem to remember that he acts for a public body: a body funded by our rates and taxes, and probably yours.

The whole notion of "public service" seems to be dead. We now live in a world where the public are becoming increasingly alienated by the actions of arrogant bureaucrats --- like Hatton --- enforcing unpopular rules.

In this case, however, I believe the law is firmly on our side. This is my data. Their investigations are complete. There is no reason whatsoever why they should continue to hold my data --- except for the fact that they seem to consider themselves to be above the law, while paradoxically enforcing it.

Hatton writes:

From: Phill Hatton
Date: Tue, 16 Sep 2008 12:29:11 -0400
To: Craig Walsh
Cc: "Armitage, Judy (CS, Consumer Relations)" , "Dell, John (ES, TSS)" , Marjorie Walsh, Richard Slade

Subject: Re: Message is infected : FW: Possible False Positive [KLAB-6484187]

All on Craig WALSH's distribution list.

I have replied to Mr Walsh's question twice, on Friday and Monday. It appears he is not receiving my messages. This may be because my outgoing e-mail address is not the one he is sending messages to (this is a redundant old address, although I do get e-mail sent to it) or it could be for some other reason related to Mr Walsh's rather Heath Robinson computer network.

As I have quite openly stated in my witness statement and the two e-mails I currently hold two copies of all the data obtained from Lucies Farm and will delete it (securely) when Trading Standards tell me to.

The auto-run menu on the working CD (a copy of which Mr Walsh has) is sometimes reported as a virus by poorly configured AV systems, purely because it is an autorun file. Otherwise any viruses on the CD will have originated from the data recovered from Mr Walsh's system (although my AV system did not identify any).

If Mr Walsh does not recieve this message I would be grateful if someone will inform him of this.

As I stated in my original e-mail all further messages from Mr Walsh on this matter should be directed to Trading Standards rather than me.

Also, to answer a question Mr Walsh put to the secretary of the F3 computer forensics organsation on Friday, my post nominals stand for the following:

TD = Territorial Decoration, BA (Hons) = Bachelor of Arts (Honours), MTSI = Member of the Trading Standards Institute, MBCS = Member of the British Computer Society and DTS =Diploma in Trading Standards. Presumably Mr Walsh will now telephone these organisations and attempt to get them to confirm that I am a member. He is perfectly free to do so if he wants to waste his time.

Regards

Phill Hatton

and:

From: Phill Hatton
Date: Tue, 16 Sep 2008 12:45:51 -0400
To: Craig Walsh
Cc: "Dell, John (ES, TSS)" , "Wilkes, Simon (ES, TSS)" , "Armitage, Judy (CS, Consumer Relations)" , [...] Marjorie Walsh, Richard Slade, Tom Wells

Subject: Re: Possible Virus in CD-ROM Provided to Lucies Farm Ltd.

All on Mr Walsh's distribution list (except, it appears, Mr Walsh)

Mr Walsh's assumption that I operate from a domestic premises is false (although I once did and there is no particular reason why I should not, providing security is adequate). I in fact operate from a business premises and this is where the data is currently stored. My low profile on Internet search engines is a deliberate policy to enhance security.

The screen capture from his AV software below shows that his AV issue is with the autorun.exe file on the CD. This is absolutely not a virus.

Regards

Phill Hatton

In my opinion, the "Heath Robinson" comment is a bit rich coming from someone whose business earned Stg 7,649.00 in 2007 based upon the last set of published accounts. Pretty rich comig from a computer forensic expert who hasn't bothered to register under the provisions of the Data Protection Act 1998. Pretty rich coming from someone who doesn't even have his own e-mail domain, but instead uses a bulldog-office.com e-mail address.

Nothing wrong with operating from residential premises? What about the minor little detail of planning permission?

In our "Heath Robinson" world, we have a dedicated and managed Linux server in the States for our web content, and a dedicated and managed Microsoft Exchange mail server. Why didn't I receive Hatton's messages?

Because they were identified as spam.

And they're about as worthless as spam.

Trading Standards and Bully Boy Behaviour

I have been asking Worcestershire Trading Standards to confirm that they do not hold --- nor does Mr. Hatton hold --- a copy of my data. Please bear in mind that this data includes our personal financial information, letters to my doctor, an Excel spreadsheet with information about my wife's jewellery (sent to our insurance company), etc. There's nothing I wouldn't show to my daughter, but it's not the type of information you want anyone else reading, much less folks in the Council and their one-man-band computer forensics expert, Phill Hatton.

Mr. Dell sent me a message this afternoon:

From: Dell, John (ES, TSS) [mailto:JDell@worcestershire.gov.uk]
Sent: 16 September 2008 16:13
To: Craig Walsh
Cc: Wilkes, Simon (ES, TSS); Armitage, Judy (CS, Consumer Relations)
Subject: FW: Possible Virus in CD-ROM Provided to Lucies Farm Ltd.

Dear Mr Walsh,

Judy Armitage has asked me to respond to your last paragraph.

The current situation is that your data continues to be held on behalf of this authority by consultant Mr Hatton in order that we are able to respond to any further enquiries or actions by yourself. The disc of his report is held under secure storage conditions by this service.

You can remain assured that they are held in a secure manner and they will be destroyed once we are both satisfied that this matter has been concluded.

Yours sincerely,

John Dell Divisional Manager

My first reaction to Mr. Dell's message was, in a word:

What?!

With my blood pressure rising, I sent Mr. Dell the following reply:

From: Craig Walsh
Sent: 16 September 2008 17:17
To: 'Dell, John (ES, TSS)'
Cc: Wilkes, Simon (ES, TSS); Armitage, Judy (CS, Consumer Relations); [...] Forensic-computing@blueyonder.co.uk; Marjorie J. Walsh; 'Slade, Richard'; Tom Wells

Subject: RE: Possible Virus in CD-ROM Provided to Lucies Farm Ltd.

Importance: High

Dear Mr. Dell --

Thank you for your message, just received.

This is not what was agreed at all, and is completely contrary to earlier assurances given by the Council to us and to our customers.

To refresh your memory, attached is a PDF file.

In her letter to me of 4 September 2008 Ms. Blanchard wrote, “With regard to the data recovered from your computer, this was recorded on one disc, which has been held in a secure location at the Trading Standards office, with restricted access. Now that the investigation is complete, this disc will be destroyed.”

We now know that Ms. Blanchard’s statement was untrue. The “data recovered” was also held by Mr. Hatton, apparently at his home. There is also some indication that he may also have sent our data to the Malvern Hills District Council.

In Ms. Blanchard’s letter to our customers of 4 September 2008 --- a redacted copy is attached --- she advised the majority of our customers, “Please be assured that all data containing personal records will now be destroyed.”

Again, this appears to be untrue. You are now unilaterally continuing to hold our data at Trading Standards and are continuing to allow Mr. Hatton to hold a further copy. This is our data --- it does not belong to the Council or to Mr. Hatton. It largely belongs to me, and the overwhelming majority of the data is personal and has nothing to do with the dog kennel or farm operations.

Please confirm, immediately, if Mr. Hatton is holding our data on his premises. If this is the case, we have been unable to establish that he has an office, so would believe he would be holding our data in his home in Wolverhampton. This brings up questions about his lack of registration under the DPA 1998 and the security arrangements in place at his residence.

I am so incensed by this that I am minded to instruct our solicitors to obtain injunctive relief for the return of our data.

Your office has already advised us that your investigation is concluded: Ms. Blanchard talks about “detailed enquiries.” All that now remains is for us to try to ascertain if the Council acted in an appropriate manner in the conduct of its investigation, in accordance with the various policies stated on your website and embodied in the law. It is our absolute right to do this, as you are no doubt aware.

Please clarify the exact location of our data --- all of our data --- by return.

I fear that the expense of injunctive relief --- with an order for costs against the Council and Mr. Hatton --- is looming. This is truly unfortunate. I have tried to act in a constructive and courteous manner in lodging my complaint with the Council. My actions have been met with apparent deception --- and you are now holding our data effectively to ransom.

I look forward to hearing from you, or from your boss, immediately. I have copied the Worcester News on this e-mail, and if our data --- all copies of our data --- is not returned forthwith, we will also send an e-mail to all of our customers advising them of your volte face, and will encourage them to file complaints against the Council and Mr. Hatton with the Information Commissioner’s Office.

You and Ms. Blanchard have, I believe, seen how supportive --- and how vocal --- our customers can be. You can speculate on how vocal they will be when they learn about Mr. Hatton’s involvement, and the fact that Ms. Blanchard’s earlier assurances were apparently untruthful.

This will be my last e-mail on the subject. You have a very short period, Mr. Dell, in which to do the right thing. Otherwise we will have no choice but to seek assistance from the Courts.

Craig Walsh

No Virus - Phew!

In my posting last night I mentioned that Phill Hatton's CD-ROM appeared to contain a virus. To be sure that this wasn't a false positive, I handled the ostensibly infected file as though it was radioactive.

I sent it to the Kaspersky Lab and asked them to please analyse the file.

They just replied:

From: newvirus@kaspersky.com [mailto:newvirus@kaspersky.com]
Sent: 16 September 2008 13:46
To: Craig Walsh

Subject: Possible False Positive [KLAB-6484187]

Hello,

Autoexec.exe

We are sorry, it is false alarm. It will be fixed as soon as possible. Thank you for your help.

Please quote all when answering.

Best regards,

Evgeny Aseev
Virus analyst, Kaspersky Lab.

Phew! First bit of good news.

My project today was trying to figure out why the RSPCA inspector, Mark Lewis, was part of the 10 January 2008 raid. Despite written assurances from the RSPCA to me on 2 May 2008 that my "concerns will be forwarded to the relevant member of the Inspectorate in that region for a response," I heard nothing further. I made eight or nine telephone calls to the RSPCA today, being bounced from one person to another. I finally received a voice mail message from someone named Christine telling me that the inspector wouldn't speak with me, and that I needed to call RSPCA HQ. Which is, of course, where I started in the first place -- in April.

It Just Gets More Surrealistic

We copied Hatton-the-Computer-Expert's report to one of our networked hard drives so Marjorie and I could both review the files he'd copied from our hard drive in January, and apparently took back to his home in Wolverhampton.

I left Hatton's CD-ROM, received by us from the Worcestershire County Council last Thursday, in my computer.

My Kaspersky anti-virus software ran overnight and, to my amazement, identified a virus on Hatton's CD-ROM:

So the Worcestershire County Council --- the folks we trust to stop the sale of illegal DVD's and software programmes --- have apparently sent us a CD-ROM that contains a virus.

"Not so fast," I hear you say.

I have tried to find out more about Backdoor.Win32.ProRat.cbw -- and, in particular, what it does and if Kaspersky can come up with a false positive. When I know more, I'll post it here. I sent an e-mail to the Worcestershire County Council and asked for their comments on this, but (surprise) received no reply.

Marjorie and I received the first draft this afternoon of our solicitor's letter-before-action concerning the alleged trespass into our home. All I can say is that I wouldn't like to receive the letter.

At our solicitor's request, I've clarified the names and titles of the "Malvern 12." I was amazed that the Malvern Hills District Council actually brought Christine Thomas along on the raid. Why am I amazed? According to the MHDC contact centre, Ms. Thomas is a "Car Parks Officer."

Still no word from Tom Wells, our District and County Councillor. His silence is strange. Could he have been the one who pushed the two Councils to overreact? Pure speculation on our part, and we may never know. Perhaps our Freedom of Information and data disclosure requests will turn up something.

I'm quite pleased with the banner I "designed" for the new Tom Wells forum --- at www.tom-wells.info

Please stop by the forum, register, and blow Tom a kiss.

The Apparently Unregistered Computer Forensic Guru

Today's update on this whole nasty mess, from here in the Bat Cave.

I received a voice mail message from John Dell at Worcestershire Trading Standards --- and called him back. The hard drive with all of our data, and the CD-ROM with the report from the independent IT forensic expert would be delivered to me this afternoon. Sure enough, a young Trading Standards officer walked down the driveway to the farm gate, handed me a plastic bag sealed with a red evidence tag, and asked me to please sign a receipt.

He also gave me a compliments slip on which someone at Trading Standards had written the name of their computer expert:

Phill Hatton
Phill Hatton Forensic Computing Ltd.
P.O. Box 4523
Wolverhampton WV1 9BR

I did another search on the Information Commissioner's Website, and even called their office: neither Mr. Hatton, nor his business, appear to be registered as data controllers --- as required under the provision of the Data Protection Act 1968. An expert who overlooked the simple step of registration. You can even register online: I did.

While I am not a solicitor, it would appear that his handling of our data --- most of it our own personal data --- was not legal.

So I sent Mr. Hatton an e-mail this afternoon. I copied the folks at the County Council, and Tom Wells --- the gentleman who is both our District and County Councillor:

From: Craig Walsh
Sent: 11 September 2008 17:55
To: Forensic-computing@blueyonder.co.uk
Cc: Armitage, Judy (CS, Consumer Relations); Richard Slade; Marjorie J. Walsh; Dell, John (ES, TSS); Tom Wells.
Subject: Lucies Farm Ltd. - Case 2007-1007

Importance: High

Dear Mr. Hatton ---

We have just received a CD-ROM (labelled “Copy of Report for Mr. C. Walsh – 11-9-08”) and a hard drive in a tape cassette box from the Trading Standards Department at Worcestershire County Council.

Included on the CD-ROM are an undated, unsigned “Statement of Witness” apparently prepared by you on 5 May 2008, a copy of your CV dated 9 July 2007, and your “Standard Terms and Conditions” dated 9 April 2007.

I understand from your “Statement of Witness” that you and your colleague, Mr. Andrew Turner, came into our residence on 10 January 2008 and --- among other things --- took copies of many of the files on my computer and the file server. According to your statement: “I decided that the most appropriate means of recovering the Outlook PST file containing the calendar data was to remove that hard drive from system 2007-107-01, connect it to my portable forensic PC system and perform a preview of the data using Encase software. I did this and accessed the contents of the drive. I then copied all Outlook files, all Microsoft Word and Excel documents and data folders for Sage and Quicken accounts onto a hard drive installed in my PC system. [...] I identified material of potential interest on the PC system identified as POICSERVER. I determined that this system was the PC tower located in an upstairs bedroom. This system consisted of an older Dell PC tower and an external data storage device. For a number of reasons I decided that shutting this system down and imaging or previewing the drives would not be appropriate and so I accessed the material via the network connection from system 2007-107-02 and copied it onto an external storage hard drive I had brought with me.”

You then explain, “On 10 January 2008 Mr TURNER copied all the recovered data onto a laboratory hard drive and made a further archive copy. On 5 May 2008 I examined the data. I identified the particular Outlook PST file and imported it into an installation of Outlook which did not contain any data. I determined that what appeared to be dog’s names had been entered on various days from January 2005 to January 2008. I produced a series of weekly printouts detailing this information which forms part of appendix B. A version of this listing in Adobe PDF format is present on the working disc. I then organised the data I had recovered from system 2007-107-01 by file type (e.g. Word, Excel etc) and subsequently copied this material to the working disc. I left the material from system 2007- 107-04 as originally organised and also copied this to the working disc.”

From your statements it seems clear that copies of our data were, at least from 10 January 2008 until 5 May 2008 --- and, more likely, from 10 January 2008 until yesterday or today --- under your control and supervision. As you took copies of all Word and Excel documents, this included such items as my letters to the NHS and my solicitors concerning my disability, my letters concerning our personal finances, etc. It was my intention to send you a subject access request under the provisions of the Data Protection Act 1998 (DPA) but I was amazed to note that you do not appear to be registered as a data controller under the provisions of the DPA. I have checked register on the Information Commissioner’s Office website: http://www.ico.gov.uk/ESDWebPages/search.asp using your name, post code, etc., but have not found a registration. Wishing to give you every benefit of the doubt, I also called the ICO, and they have confirmed that you are not currently registered, nor were you registered during the time period in which you were handling our personal data, as well as data belonging to Lucies Farm Ltd.

There are limited exemptions to registration, but none would seem to apply to you in this instance.

While our data was in your possession, the Council was advising our customers, “All the information is contained on a disc which is held in secure storage at the Trading Standards Service, with restricted access. Information examined has been limited to the customer contact list. I am therefore unable to tell you whether or not your credit card details are contained on this disc, but such information will definitely not be accessed.” But it now appears that this was not completely correct. While one copy of the information may have been held on the disc “held in secure storage,” it is becoming increasingly evident that another, more extensive copy our data was held by you --- someone not registered under the DPA.

I would appreciate your confirmation that you do not continue to hold any of our data, and would appreciate any comment you may wish to make about your apparent failure to register your business to comply with the DPA.

My wife and I may have no choice other than to file a formal complaint with the ICO about the handling of our data by you and by the Council. I am sending you this e-mail in the spirit of fairness, to give you a few days to offer your comments in the hope that a formal ICO complaint will not be necessary.

To illustrate the seriousness of this matter, attached is a copy of a PDF document that I just downloaded from the ICO website. I find it incredible that the County Council, while investigating our alleged violation of various laws, would themselves use an external consultant to handle our data who appears --- at least based upon the information I’ve gathered this afternoon --- to have violated the provisions of the DPA.

I look forward to hearing from you.

Yours sincerely,


Craig W. Walsh


Mr. Hatton's terms and conditions indicate:

I will use my experience, care and skill in fulfilling your instructions to the best of my ability. However you must be aware that it is essential to the credibility of my evidence that I am an independent expert witness and my primary duty is ultimately to the court rather than my customer.

His CV indicates a virtual alphabet after his name:

Phillip Hatton TD BA(Hons) MTSI MBCS DTS

I'm always a little leary of people who put a lot of letters after their name. I guess it goes back to when I was a young bank employee. I'd just been promoted, and became an officer of the bank. My grand title was Assistant Cashier & Loan Officer. I had an old boss at the time --- a cynical old coot --- and when he saw my eagerness, he pointed out to me, "President is one word."

But I digress.

Companies House records indicate Mr. Hatton was born on 20 December 1963 (let's see how he likes others looking at his personal informaton). He apparently lives at 18 Allen Road in Wolverhapton:

View Larger Map

He attended Wolverhampton Grammar School (1975-1982), and then got a BA (2:2) in Philosophy from St. David's University College in Lampeter in 1987. He joined Woverhampton Trading Standards upon graduation, and was with them until 2004.

According to his CV he started Forensic Computing Consultants in January 2004. He writes, "I have lectured to students at Manchester Metropolitan University on computer crime and devised and partly delivered a course for the Training Standards Institute on computer seizure and internet investigations."

It is inconceivable to me that he apparently overlooked the simple task of registering under the Data Protection Act 1998, and that the Council didn't bother (as I did) to confirm his registration.

Despite his glowing CV, here are some of the photos he took during his investigation (also included on the CD-ROM):

As you read our tale of woe (if you haven't shut off by now), please ask yourself how you'd like Phill to come and take photos of your computer? And then copy many files onto his hard drive and skedaddle. (He was a bit bothered by the fact that we have 2TB of data storage, but that's what you need to deal with high res photos.)

I originally looked at Phill's CD-ROM on my MacBook. When I popped it into my PC this evening, it surprised me by auto-running. Up popped his sales pitch and CV and general background information. But the upsetting thing is that the introductory "splash" screen indicated his report was prepared for the Malvern Hills District Council.

So I sent him another e-mail message:

From: Craig Walsh
Sent: 11 September 2008 22:47
To: Forensic-computing@blueyonder.co.uk
Cc: Armitage, Judy (CS, Consumer Relations); Richard Slade; Marjorie J. Walsh; Dell, John (ES, TSS); Tom Wells

Subject: Lucies Farm Ltd. - Case 2007-1007 - Second Message

Dear Mr. Hatton ---

I have just opened your report on my PC --- instead of my MacBook --- and I now see that it has an auto-run feature. Your introductory screen shows that this report was prepared not for the Worcestershire County Council, but for the Malvern Hills District Council (MHDC).

Here’s a screen capture:

I had assumed, prior to seeing this auto-run screen a few minutes ago, that you were hired by the Worcestershire County Council, and your report submitted only to their Trading Standards Department. I certainly obtained your report, today, from the County Council.

It now appears that you may have been hired by the MHDC or may have also provided your report to them. A report that I now see includes such personal items as a listing of my wife’s jewellery (prepared for our insurance company), personal medical information, privileged correspondence sent to our solicitors, etc.

Does this mean that our personal data was also sent to the MHDC? If so, then Ms. Blanchard’s assurance to our customer (sent by her at 3:49 PM on 18 August 2008) becomes even more misleading and inaccurate:

“All the information is contained on a disc which is held in secure storage at the Trading Standards Service, with restricted access. Information examined has been limited to the customer contact list. I am therefore unable to tell you whether or not your credit card details are contained on this disc, but such information will definitely not be accessed.”

Please immediately confirm if you have also sent your CD-ROM to the District Council, and, if so, the name of the person at the MHDC who received this information. We are entitled to this information under the provisions of the Data Protection Act 1998 --- your response is not optional. While responding, please advise the name and contact details of all other parties that may have received this CD-ROM.

I look forward to hearing from you in response to the foregoing question, and to my earlier e-mail, as a matter of urgency.

I am, as you may appreciate, incandescent with rage at the manner in which our personal details have apparently been handled, by someone who hasn’t even taken the time (apparently) to register under the provisions of the Data Protection Act.

I look forward to hearing from you.

Yours sincerely,

Craig W. Walsh

40 Days For This, 20 Days For That

No reply from Mr. Dell to my e-mail to him of 6 September, other an e-mail "read" receipt. I understand that it will take time for the Council to reply to my complaint. But on the evening of 8 September I sent the following e-mail to Judy Armitage, their Customer Service Manager:

Dear Ms. Armitage:

You were in the office early this morning --- I see that you read my e-mail message just before 8:00 AM.

While I appreciate it will take the Council time to reply to my formal complaint, it shouldn’t take long to simply hand over the disc containing our data and your computer expert’s report.

Your colleagues --- Mr. Dell and Ms. Blanchard --- assured our solicitor that the computer expert’s report would “be forwarded to your client as soon as possible.” This undertaking was provided by Mr. Dell on 19 March 2008 ---over five months ago --- but we never received the report. I have re-confirmed this with Mr. deMaid at William Graham Law this morning: he advised me, “I can't see I ever received any report from their expert.”

You will appreciate that we do not wish our data disc to remain in the possession of the Council any longer. So while we acknowledge it will take you --- or the Senior Manager responsible for the operations of Trading Standards --- time to provide us with a detailed reply to our complaint, it won’t take more than five minutes to run off a copy of the expert’s report, and to provide us with the original disc. (No copies of the disc are to be kept --- Trading Standards has
already agreed to that.)

I would, therefore, like to send a messenger to pick up a copy of the computer expert’s report and the disc tomorrow, Tuesday. Please advise where the messenger should present himself. I will e-mail you with the name of the messenger, and provide him (or her) with a letter of authorisation. In the alternative, a representative from the Council can hand-deliver this material to Lucies Farm Ltd. We’re less than five miles from your offices.

We have today delivered our personal requests (in Marjorie’s and my name) for disclosure under the provisions of the Data Protection Act, and the Company’s request for disclosure under the Freedom of Information Act. Your colleague receipted our forms and our Stg 20.00 payment, and copied our passports. The 40 day “clock” is now ticking on these disclosure requests. We have every reason to believe that the Council will provide us with full disclosure within the letter --- and spirit --- of the two Acts.

Please let me know (e-mail would be best) where and when the disc and copy of the report can be picked up.

Thank you, Ms. Armitage, for your kind assistance in this matter. I am sorry to be (for want of a better word) “pushy,” but we have been very distressed by what we believe was the illegal removal of data from my personal computer, and I want the data disc back without delay. I want to see what personal information may have been reviewed by the Council and its computer forensic expert.

I believe that anyone in my position would feel the same way.

We also need a copy of the report so that we can serve disclosure requests upon your expert. We understand that he was not a Council employee.

Yours sincerely,

Craig W. Walsh

I received a brief reply the next morning:

Good morning Mr Walsh,

I have asked Simon Wilkes ( Unit Manager, Operations) to investigate your complaints.

He has 20 working days from yesterday to respond to you.

Kind regards,

Judy Armitage

I, in turn, responded from afar, with my Blackberry:

Hi, Judy ---

Thank you for your quick reply. I appreciate it.

I understand that Mr. Wilkes has 20 working days, from yesterday, to respond to my complaints --- and that’s fine. In the meantime, however, we would like our data disc back, as well as a copy of your computer expert’s report.

Your colleagues in Trading Standards said that they would be destroying the disc, and I don’t want them to do that. But on the other hand, we don’t want the disc (and data contained therein) to remain in the Council’s possession any longer than absolutely necessary. I see no reason why the disc can’t be handed over today or tomorrow.

In addition, we --- quite reasonably --- wish to request disclosure under the provisions of the Data Protection Act from the external computer forensic expert(s) employed by the Council. We were advised by Mr. Dell that the expert’s report would be sent to us “as soon as possible,” and that was over five months ago. So while we accept that the Council will need time to respond formally to our complaints, we would in the meantime appreciate the immediate return of our data disc, and a copy of the computer report (as already promised to us in March).

Can you please arrange for this as a matter of some urgency? If the Council feels that it can’t comply with this simple request (and non-compliance will, I fear, ultimately be reviewed by the Local Government Ombudsman), can we at least have the name and address of the external expert?

We feel that we now have no choice but to involve the Information Commissioner’s Office in this matter, to review the handling by the Council and its external expert of the data seized from my computer. We will now reluctantly lodge a complaint with the ICO and ask them to please independently review the handling of our data following the seizure to be sure that it was in full compliance with the provisions of the Data Protection Act 1998.

Kind regards,

Craig

Within half an hour Judy replied:

Good morning Mr Walsh,

I have just heard from Mr Wilkes who tells me that our expert has a hard drive with the data on, which we will give you, along with a disc with the report on. Unfortunately, it is not possible to get the hard drive until Thursday. They have offered to drop it into you at Lucie's Farm.

Is this convenient for you?

Kind regards,

Judy Armitage

Progress --- but we still don't have the name of the external "expert." I wrote back to Judy yesterday afternoon:

Thank you, and Mr. Wilkes, for undertaking to deliver the hard drive (containing all of our data) and the disc (containing the report) to Lucies Farm Ltd. on Thursday of this week. This is convenient for us: it would be helpful to know the approximate time of delivery so that I can be at the farm to personally receive the drive and disc.

I was, however, concerned to hear that an external consultant was still in possession of our data. This is inconsistent with information provided by Ms. Blanchard and Mr. Dell on numerous occasions to our customers. In an e-mail to one of our customers sent by Ms. Blanchard on 18 August 2008 (3:49 PM), and forwarded to me by our customer, Ms. Blanchard wrote:

Further to your email and our telephone conversation this morning. I am able to confirm that under the legislation we enforce, I have the power to seize or detain any goods or documents. This is how I have obtained the customer database for Lucies Farm.

All the information is contained on a disc which is held in secure storage at the Trading Standards Service, with restricted access. Information examined has been limited to the customer contact list. I am therefore unable to tell you whether or not your credit card details are contained on this disc, but such information will definitely not be accessed.

This does not appear to be quite truthful based upon your e-mail this morning. It now seems that not “all the information is contained on a disc which is held in secure storage at the Trading Standards Service, with restricted access.” I now understand that your external computer expert is also holding a copy of our data, and this was certainly the case on 18 August when Ms. Blanchard sent this e-mail message.

When the drive and disc are returned on Thursday --- or before --- I would appreciate the Council’s simple undertaking that no other copies of our data have been made or retained.

As I mentioned in earlier messages, my wife and I are particularly concerned by the involvement of external individuals with the seizure of our data. We wish to personally file data disclosure requests with the as-yet-unnamed external expert.

In an undated report by Paul Hine of the Malvern Hills District Council, providing a “written report of the search under Animal Welfare Act 2006 Schedule 2, Section 13A,” Paul wrote that the “multi-agency visit” included “Phil Hatton Computer Forensic I.T. Expert and his [unnamed] assistant.” Paul’s report says, “The IT Forensic Officers commenced the mirroring and downloading of files relating to the animal boarding business from the computers found, while the office [in our residence] was searched for papers relating to the animal boarding business.”

I have searched the Register of Data Controllers on the ICO website --- http://www.ico.gov.uk/ESDWebPages/search.asp --- for either Phil Hatton, Philip Hatton, or Phillip Hatton. The only registration I could find was for Philip John Hatton in St. Albans --- and he does not appear to be in the computer forensics business.

Can you please, as a matter of some urgency, provide me with the name and address of the entity you call “our expert” in your e-mail message sent to me this morning? We will then be able to confirm their registration under the Data Protection Act 1998 (DPA) and will be able to send them our disclosure requests.

We would like this information as soon as possible. As you know, the DPA allows a fixed time for the disclosure of data, so the sooner we an file our requests the better. I hope this isn’t a huge imposition on you or Mr. Wilkes. I simply need the name of the firm and their address. [...]

Thank you again for your assistance in this unfortunate matter.

Kind regards,

Craig

No reply to this as yet.

It will be interesting to see if the hard drive and data disc arrive tomorrow (Thursday) as promised, and if the Council gives us the name of their external "expert." Otherwise Marjorie and I will need to start calling computer forensic firms in the area looking for Phil Hatton.

Update from Worcester Trading Standards

I received a call this morning from one of our regular customers, Dave Hill. Dave is a no-nonsense kinda guy, and he told me he'd just received a letter from Worcester Trading Standards. He told me to pin my ears back. Pin my ears back? What ever could that mean? Sounded painful.

Dave read me the following letter:

In case it's too tiny to read on your computer screen -- it is on mine -- the letter says:

"With regard to our investigation concerning the Trade Descriptions Act 1968 and the above premises. May I take this opportunity to thank everyone who took the time to complete and return the questionnaire, the information was extremely useful.

"I am now in a position to inform you that our enquiries are complete and we will be taking no further action with regard to this matter and therefore, for those that were concerned, there is absolutely no reason why you should not continue to use the facilities of Lucies Farm.

"Please be assured that data concerning personal records will now be destroyed."

The letter was signed Tracy Blanchard, Enforcement Officer. Neither Marjorie nor I have ever met or even spoken with Ms. Blanchard.

In our morning post, on a rainy Saturday, was a recorded second-class letter from Ms. Blanchard. She wrote to us to say, "Detailed enquiries have been undertaken and I am now in a position to inform you that there will be no requirement to interview you regarding this matter and we will not be pursuing this matter further. With regard to the data recovered from your computer, this was recorded on one disc, which has been held in a secure location in the Trading Standards office, with restricted access. Now that the investigation is complete, the disc will be destroyed. I have also enclosed the paperwork that was seized from you at the time of the warrant."

Not exactly seized from me. We weren't at home. More taken from my desk.

With Ms. Blanchard's letter was a plastic bag containing eight or nine sheets of paper. Several were my efforts to create a dog walking schedule in Excel --- I thought (wrongly) that I could do a better job than Marjorie. And there were four or five walking schedules that were stained and marked: I think they removed them from the trash container in the stable office.

This brings almost eight months of hell to a close for Marjorie and me. Guess what? The Council, after what they called "detailed enquiries," found nothing wrong. How much did this cost the taxpayers?

I sent John Dell, the Divisional Manager in Worcestershire Trading Standards (and Tracy Blanchard's boss) the following e-mail this evening:

Dear Mr. Dell ---

I acknowledge the safe receipt in today’s post of Ms. Blanchard’s letter of 4 September 2008, advising me that the Council is “now in a position to inform you that there will be no requirement to interview you regarding this matter and we will not be pursuing this matter further.”

Ms. Blanchard goes on to say, “With regard to the data recovered from your computer, this was recorded on one disc, which has been held in a secure location at the Trading Standards office, with restricted access. Now that the investigation is complete, this disc will be destroyed.”

My wife and I are pleased --- but not at all surprised --- to hear that your “detailed enquiries” have found no evidence of wrongdoing on our part. I understand that Ms. Blanchard also wrote to our customers on 4 September 2008 to advise, “I am now in a position to inform you that our enquiries are complete and we will be taking no further action with regard to this matter and therefore, for those that were concerned, there is absolutely no reason why you should not continue to use the facilities of Lucies Farm.”

This matter has, as you will imagine, caused Marjorie and me considerable personal distress, beginning with the invasion of our private residence in January 2008 and culminating with your office sending the majority of our customers a questionnaire --- one that resembled a marketing questionnaire --- along with a covering letter ominously headed, “Trade Descriptions Act 1968.”

While expressing their complete confidence in the care that we provide to their dogs, many of our customers --- as you are fully aware --- have expressed concerns that their personal data found its way into the Council’s possession. Customers have been upset that the Council has had access to their names, their addresses, the names of their dogs, the dates of their vacations, and their credit card details. Many of our customers kindly provided us with copies of their completed questionnaires and letters they sent to your office. Other customers sent us contemporaneous e-mails detailing their telephone conversations with you and with Ms. Blanchard.

Marjorie and I have spent many hours on the telephone assuring our customers that this data was seized from our computer system without our knowledge and consent, and despite the fact that the data lay behind not one, but two passwords. We have also retained computer experts of our own to install impregnable security on our computer systems to allow us to assure our customers this can never happen again.

One such customer letter to Ms. Blanchard, [...] dated 25 August 2008, says (in part), “I am most concerned because I understand that you attended Lucies Farm premises and impounded records concerning the fact that we have used the premises to look after our dog while we are away on holiday. What’s more I have been informed that you impounded details which would give your officers and others information concerning our banking details. This I believe is strictly against the Data Protection Act and before I take out a prosecution against Worcester County Council I should be interested to hear your views on the matter.”

In your own letter of 19 March 2008 to the solicitors acting for us at the time (William Graham Law Ltd. in Cardiff) you wrote, “I am also informed that the information taken from the computer related only to the day to day management of the kennels, details of which will be forwarded to your client as soon as possible. [emphasis added]” In an earlier letter (12 February 2008) to William Graham Law Ltd., Ms. Blanchard wrote, “Once we are in possession of the report from our computer expert, I will forward you a copy.” We assumed that you, and your colleagues, would do precisely that --- yet no details were forthcoming.

I also understand, from a conversation that you personally had with one of our customers on 19 August 2008, that “He [you] said that he didn’t know how long they had had the disc as it had [been] sent via their ‘consultant’ who had copied the data in January but who then had to forward it on to them. I asked who is this ‘consultant’ that was able to access private individual’s data? He apparently was employed by them for the task as an ‘expert witness’ and said that he was totally reliable as he is an ex-trading standards official. I replied that this did not instill me with any confidence.”

Ms. Blanchard now indicates this disc, containing our data, “will now be destroyed.” This is at variance with your letter to William Graham Law Ltd of 19 March 2008, and we formally request that the disc not be destroyed, but be returned to us immediately, along with your absolute assurance that no copies have been retained by either the Council, your external “consultant,” or any other party.

Please advise me, at your earliest convenience, of the exact date on which “the report from our computer expert” was received by your office, and please advise me why a copy was not forwarded to us --- or to our solicitors --- at the time of receipt.

We have been concerned, as you are well aware, that your “expert” took a complete copy of the hard drive from my personal computer, containing information relating to our personal finances, my medical condition, etc. While there is nothing on my computer that I wouldn’t show to my daughter --- I am extremely uncomfortable that this information, in its entirety, was copied by your “expert” and was reviewed by him --- and by your colleagues. I am sure that anyone --- yourself included --- would feel the same way.

My wife and I will be hand-delivering to the Council offices on Monday our subject access requests for full disclosure under the provisions of the Data Protection Act 1998 (DPA). We will, at the same time, provide proof of our identity and the requisite fees of £10.00 each. We understand that information concerning all third parties will need to be redacted, but we expect --- and I am sure the Council will wish to provide --- full compliance with the provisions of the DPA. We do not expect wholesale redaction of the file, but appropriate redaction of third party names and addresses --- nothing more.

We also expect the name of your “consultant” --- as he also held (and may still hold) our data --- so that a similar subject access request can be sent to him.

Please also consider this a formal complaint under the provisions of your corporate procedure for the handling of complaints, as outlined on your website:

http://worcestershire.whub.org.uk/home/wccindex/wcc-cr/wcc-crcorporate-procedure.htm?hilightTerm=complaint%20procedure#cs-cr-corporate-procedure-5

As you are (I presume) a “senior manager,” I would imagine that this should move to Stage 2, and should now be investigated by the Customer Services Officer, Judy Armitage. I have copied Ms. Armitage on this e-mail, as well as your colleagues who handle DPA matters.

We look forward to hearing from you within the timeframes under the DPA and the Council’s own complaint procedure.

While I have also copied Mr. DeMaid at William Graham Law on this matter for his information, please be advised that we have transferred our representation in this matter to our long-time solicitors, Bracher Rawlins in London. I have also copied Richard Slade on this e-mail.

Yours sincerely,

Craig W. Walsh

It's not my intention to make this doggie blog a political action website, but I thought I should at least advise our customers of the outcome (so far) of the "detailed investigations." I will post the reply I receive here. My expectations are modest, and the Council -- our supposed public servants -- will no doubt let me down again.