FUJ00156111 - Email from David Jones to David Roberts, Re: Royal Mail

FUJ00156111

From: Jones David M[/O=EXCHANGE/OU=ADMINGROUP1/CN=RECIPIENTS/CN=DJ]
Sent: Fri 12/02/2010 4:27:25 PM (UTC)

To: Roberts David (LON22)[David.Roberts:

Subject: FW: Royal Mail

David

The use of “will” suggests that JP is giving advice on our most complex and difficult contracts without checking — it's
not for me but I think you need to ensure he is aware of the risks of playing in this space without doing a lot of
homework!

Sorry if I stirred him up.

Have a good holiday

David

David M Jones, Head of Legal
UK Private Sector Division

FUJITSU,
Mob‘

E-mail: david jonesi

From: Prenovost Jean-Philippe

Sent: 12 February 2010 15:55

To: Jones David M; Roberts David (LON22)
Subject: RE: Royal Mail

Hi David,

Thank you for this.

I will indeed take it all into account.

Kind regards,

JP

From: Jones David M [mailto:David.JonesM:
Sent: Friday, February 12, 2010 3:42 PM
To: Prenovost, Jean-Philippe; Roberts, David (LON22) (FJ)
Subject: RE: Royal Mail

Importance: High

JP

I am sorry if I have upset you — not my intent - and I apologise.

I just thought for your sake you needed to check the contract. Set out below is one of the key HNGX Data related
clauses I thought might need looking at. You need to be aware that Fujitsu has very onerous unlimited liability for
anyone accessing the Infrastructure and that the limitations on this for Banking Transactions are limited. So the
starting point is that any loss that arose from misuse hits Fujitsu without limit - so that the onus would be on us to
prove it was not caused by us,

This means Fujitsu may need to be able to go to the underlying data and prove beyond reasonable doubt the origin of
any loss. So to suggest to PO it is their problem rather than ours is mistaken.

See 33 and 34 in the T and Cs. Here is the part from Clause 33....

33.1.1 Fujitsu Services shall preserve the integrity of the Post Office Data once Fujitsu Services has
received such Post Office Data, shall prevent any corruption or loss of such Post Office Data and shall
comply with the validation procedures set out in the applicable CCDs (relating to the Horizon
Applications or the Business Capabilities and Support Facilities) referred to in Schedules B4.2 or B3.2
(as the case may be) as such procedures may be updated and amended from time to time (save that
where any Post Office Data received by Fujitsu Services is stored, transmitted or otherwise processed
as part of the PostShop Solution, Fujitsu Services’ applicable obligation in respect of that data shall be
to use all reasonable endeavours to preserve the integrity and prevent loss or corruption of the data
and, for the avoidance of doubt, none of the validation procedures set out in the CCDs (relating to the
Horizon Applications or the Business Capabilities and Support Facilities) referred to in Schedules B4.2
or B3.2 (as the case may be) shall apply to the PostShop Solution). Fujitsu Services shall not be liable
for any loss or corruption of Post Office Data nor for any failure to perform the Services if it can prove
that such loss or corruption or failure to perform the Services was caused by Post Office Data which
was lost or corrupted before Fujitsu Services received it, and Fujitsu Services has complied with the
validation rules in relation to such Post Office Data.

33.1.2 In the event that the Post Office Data is altered, corrupted or lost in the course of performing the
Services (in breach of Fujitsu Services' obligations under Clause 33.1.2) Post Office shall have the
option, in addition to any other remedies that may be available to it either under this Agreement or
otherwise, to elect either of the following remedies:

(a) Post Office may require Fujitsu Services at its own expense to restore or procure the
restoration of the Post Office Data; or

(b) Post Office may itself restore or procure restoration of the Post Office Data, and
shall be repaid by Fujitsu Services any reasonable expenses so incurred.

33.1.3 For the purposes of Clauses 33.1.2 and 33.1.3, the term "Post Office Data" shall include the data of
Post Office's clients.

33.1.4 Post Office Data constitutes Confidential Information, and may not be reproduced without the prior
written consent of Post Office except as necessary to perform the Services, HNG-X Development or
Associated Change Development.

33.1.5 Fujitsu Services shall use all reasonable endeavours to ensure that data produced by the PostShop
Solution is accurate and complete.

33.1.6 Notwithstanding any other provision in this Agreement to the contrary, Fujitsu Services shall not be
responsible for the accuracy, completeness, validity or integrity of any data (including, without
limitation, any Personal Data) provided by or on behalf of Post Office for use in the performance
and/or operation of the PostShop Solution or any resulting data inaccuracy, incompleteness, invalidity
or integrity problems.

I hope that helps!
Best wishes

David

David M Jones, Head of Legal
UK Private Sector Division

From: Jones David M

Sent: 12 February 2010 12:53
To: Prenovost Jean-Philippe
Subject: RE: Royal Mail

Hi JP

Before I read this and understand it - have you looked at the Post Office Contract and considered all this in the
context of our security obligations and the security services we supply?

I am not sure without checking that we can ignore the second part of the question as you have done — at least not
internally - Have you checked?

Are you also aware for example that we have unlimited liability in certain key respects such as fraud and that we also
therefore have a vested interest in ensuring that the security of the systems is 100%?

None of this relates to the small work I am doing but I am concerned that you are being a little superficial in your
approach! It is not enough to answer the questions you are being asked; you need to consider what questions you
should have been asked — and should be asking!

Best wishes

David

David M Jones, Head of Legal
UK Private Sector Division

FUJITSU

From: Prenovost Jean-Philippe
Sent: 12 February 2010 11:30
To: Jones David M

Subject: RE: Royal Mail

Hi David,

The issue I have been asked to provide guidance on is, from my perspective, a very specific one. My response, which
I attach below for your information, was straightforward and based on a conversation I had with someone close to the
solution. If this overlaps in any way with what you are doing, please do let me know and I will step away from this.

To provide you with further background so that you have the full picture, Suzie Kirkham originally approached me
(some months ago) with a view to determining how we could respond to the following request from Royal Mail:

“Fujitsu are requested to document a proposal that addresses how Track II data can be removed
from the Historical Audit logs. The solution must consider the impact on prosecution cases and
how we can “prove beyond reasonable doubt” the data can continue to be used as evidence in
court”

My response to that was that Fujitsu could respond to the first part of the requirement as it was a technical one but that
the second part, which is effectively a requirement to provide a legal opinion, fell outside of the scope of services
offered by Fujitsu. This eventually led to the questions which Hugh asked this week.

My response to those questions was as follows:

“Further to our conversation of yesterday, please find below a summary of our position which should answer the
various questions you sent me over the course of Wednesday and Thursday.

1) In relation to historical Horizon data, which, for the purposes of compliance with the PCI standards, will
require processing with a view to deleting Track 2 data, Fujitsu will not be in a position to testify that the data
is true, accurate and (crucially) unchanged.

2) However, in relation to data generated moving forward under the interim Horizon PCI solution and the HNG-X
solution, Fujitsu will be in a position to testify as it did “pre-PCI” as the data generated will not contain Track 2
data, will be PCI compliant and will therefore not require processing. Fujitsu will be in a position to assert this
as the data will simply be generated and sealed without further intervention. Needless to say, should the seals
be breached or data be processed in any way for some other reason, Fujitsu will revert to its position under 1)
above.”

Hugh and I had a productive discussion yesterday which led to the above email. For what it’s worth, he fully
understands our stance.

Suzie has now contacted me to ask for wording “to clarify our legal position” in our response to the request (which of
course has yet to be submitted). My instinct would be to simply state that we are responding to the first part of the
request and that, for reasons already discussed at the legal level, Fujitsu will not respond to the second part.

In summary, if you feel that this impinges on the expert guidance you are giving, please do let me know.
Kind regards

JP

From: Jones David M [mailto:David.JonesM:
Sent: Friday, February 12, 2010 11:02 AM
To: Prenovost, Jean-Philippe

Subject: RE: Royal Mail

JP

OK — but please copy me as it is relevant to the expert evidence work I am providing guidance on.

I assume that you have checked whether the resulting position will give us any issues meeting our security and
security services obligations under HNG-X and that where this is a mandated change that impacts that you have
clarified with the customer a release to those obligations.

Thanks

David

David M Jones, Head of Legal
UK Private Sector Division

From: Prenovost Jean-Philippe
Sent: 12 February 2010 10:01
To: Jones David M

Subject: Royal Mail
Hello David,

Thank you for offering to provide guidance on the Track 2 data issue but I was able to speak to an engineer yesterday
and he explained with great clarity the exact issues in play in terms of evaluating data integrity which in turn will allow
me to respond to RM in a very straightforward manner.

Please do not spend any time reviewing the email I sent you yesterday.

Thank you for your offer in any event.
Kind regards,

JP

Jean-Philippe Prénovost
Corporate Legal Counsel

FUJITSU
The Boulevard, Cain Road, Bracknell, Berkshire, RG12 1HH

Telephone:f
Mobile:
E-mail: jean-philippe prenovost_
Web: http://uk.fujitsu.com

Fujitsu Services Limited, Registered in England no 96056, Registered Office 22 Baker Street, London, W1U 3BW

This e-mail is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be privileged. Fujitsu Services does
not guarantee that this e-mail has not been intercepted and amended or that it is virus-free.