POL00113697
Post Office Limited
Second Sight Support Services Ltd
By post and e-mail to: GRO
27 July 2015
Dear Sirs,
Complaint Review and Mediation Scheme ("Scheme")
I refer to your Engagement Letter dated 1 July 2014 (which terminated on 10 April 2015) and the
extension of your services under the Agreement to Complete Work dated 15 April 2015 (together,
both documents form your Engagement Terms).
I also refer to the letter from Patrick Bourke to you of 11 June and your reply on 9 July 2015
regarding the provision of documents in response to Data Subject Access Requests (DSARs) from
Applicants. You have not provided the confirmations which Patrick sought for Post Office and
regrettably that means I now have to write to you in more formal terms.
Your Engagement
The scope of your engagement (as set out in the Scope of Services schedule to your Engagement
Letter) was to investigate specific complaints raised by Applicants about the Horizon system and
associated issues. You were not engaged to do any other work by Post Office.
In that role, you were supplied with information from a number of sources including Post Office,
the Working Group, Applicants and Applicants' professional advisors. You then analysed this
information to produce written reports on individual cases and, as required, to assist the Working
Group. All information supplied to or used by you during your engagement was for this exclusive
purpose.
Both Post Office and Second Sight were aware from the outset that your engagement was for a
limited term and purpose. It was also clear from the outset that large amounts of information,
including some very sensitive personal information, would be handled by Second Sight in
providing services to Post Office. You agreed that Post Office would take primary responsibility
for the use and security of that information.
Engagement Terms
Consistent with that agreement, your Engagement Terms clearly state that Post Office is, for the
purposes of the Data Protection Act (DPA), the Data Controller and that Second Sight is our Data
Processor. This arrangement was also reflected in the confidentiality provisions at clause 6 which
strictly limit what Second Sight can do with any information related to the Scheme, and gave Post
Office the right to access that information.
In particular clause 6.1.4 requires you to:
"upon demand procure the destruction and/or return to Post Office all copies of any
documents and materials held by Second Sight and/or SS Personnel which incorporate any
Confidential Information"
Confidential Information means:
"the POL Information, the Scheme Information, this letter and any and all information
relating to the Services which has been, is now or is at any time after the date of this letter
disclosed or made available by Post Office, its Representatives or a third party to Second
Sight, its Representatives or any other person at the request of Second Sight but shall not
include information which is accessible from public sources other than as a result of
disclosure in breach of this letter by Second Sight or its Representatives."
As can be seen, Confidential Information includes Scheme Information, which means:
“any information relating to the Scheme disclosed by Post Office, a Subpostmaster or a
third party, including but not limited to, the applications submitted by Subpostmasters and
Post Office’s investigation findings concerning the applications submitted by
Subpostmasters."
Confidential Information also includes POL information, which means:
“all data and information belonging or licensed to Post Office; and all other proprietary or
confidential information relating to the POL Software; and all other proprietary or
confidential information relating to Post Office’s business, operations, technology and
processes which is owned by, licensed to or in the possession of Post Office."
These provisions mean that, amongst other things, the following categories of documents, which
are Confidential Information held by Second Sight, must be provided to Post Office on demand:
• Information regarding or referencing (including any information produced using
Information regarding or referencing):
  o Applicant's cases;
  o Post Office's processes and practices;
  o Horizon;
  o the Scheme; and/or
  o the Services (as defined in your Engagement Terms).
• Communications (including letters, emails and voicemails) about the above information
either internally at Second Sight or externally with:
  o Applicants;
  o Professional Advisors;
  o JFSA;
  o The Working Group;
  o Post Office;
  o Members of Parliament or Government departments / ministers; and/or
  o Any other third party.
This information could be held in any format including paper copies and electronic copies and
may have existed before the Engagement Terms and/or before the Scheme.
Data Subject Access Requests
We first wrote to you on 21 May 2015 requesting that you provide to us any personal data you
held for several Applicants who had submitted DSARs to Post Office.
You responded on 28 May 2015 refusing to provide the required Information, asserting that there
was some undefined but overriding duty of confidentiality owed to Applicants that prevented
Second Sight disclosing to Post Office documents to which Post Office was not originally a party.
You also suggested that, as a result, Second Sight was the Data Controller of such personal data.
On 1 June 2015 we wrote to you explaining the errors in Second Sight's analysis of the position
under the DPA, namely that it was irrelevant whether Post Office was a party to the information;
the key factor being that, as a matter of data protection law, it was Post Office which had
determined the purposes and means for which information that related to the Scheme was being
processed.
On 1 June 2015 we also reminded you of Post Office's absolute contractual right under clause
6.1.4 of your Engagement Terms to access information held by Second Sight for any purpose
whatsoever (and regardless of whether Post Office was or was not a Data Controller).
On 4 June 2015, you responded again refusing to provide the documentation. Your response set
out several reasons why Second Sight believed it was the Data Controller of the information it
held. You did not challenge Post Office’s contractual right to access that information.
We sent you our substantive response on 11 June 2015. For the sake of completeness, we
corrected your misunderstandings of the controller / processor position, specifically that it was
Post Office which determined the purpose for which information that related to the Scheme was
being processed and not Second Sight. We also made clear that regardless of the position under
the DPA, Post Office has an unfettered contractual right to access the documents held by Second
Sight.
Our Proposed Solution
Nevertheless, in the interests of ensuring that Applicants had access to their personal data
through at least some route, in our 11 June 2015 letter we also proposed terms on which Second
Sight could provide information direct to Applicants. As Second Sight would be doing this without
Post Office's oversight, we asked that you indemnify Post Office against any liabilities arising from
your actions.
After being chased for a reply on 22 June 2015, you replied on 9 July 2015 continuing to refuse to
provide the required information and rejecting our proposal. Instead, you suggested that we
seek advice from the Information Commissioner on how to proceed.
Post Office has now received 42 DSARs from Applicants to the Scheme. In order to manage the
above impasse, Post Office has written to Applicants asking them to clarify whether they want
Post Office to retrieve information from Second Sight, making clear that this would mean Second
Sight passing information to Post Office that may be sensitive or that Post Office may not have
seen before.
So far, one Applicant has expressly requested information held by Second Sight — Amir Khan
(M132) - and 12 others have not clarified their position and so by default we must obtain
information from Second Sight for these individuals.
Current position
Regardless of the data protection position, on 6 July 2015 you submitted to Post Office your last
Final Case Review Report (CRR). In accordance with clause 1(b) of the Agreement to Complete
Work, your engagement therefore came to an end on 6 July 2015 (Termination Date).
On cessation of your work, you are required, pursuant to the Confidential Information Demand at
clause 9 of the Agreement to Complete Work, to provide to Post Office all Confidential
Information that you hold.
Accordingly, Second Sight must now provide to Post Office all the Confidential Information it holds.
This will also allow Post Office to respond to any DSARs, and renders moot any further discussion
of the position under the DPA. There is therefore no need to approach the Information
Commissioner's Office as you suggested in your last communication.
Demand
For the avoidance of doubt, Post Office demands, pursuant to clause 6.1.4 of your Engagement
Terms, that within 7 days of the date of this letter Second Sight:
1. delivers up to Post Office all Confidential Information in its original format, including all
versions of the same information in any different formats;
2. permanently and securely destroys all copies of that Confidential Information retained by
Second Sight; and
3. confirms in writing that it has complied fully with the demands made above.
This demand extends to any information that came into Second Sight's possession up to (and
potentially after) the Termination Date as the confidentiality provisions of the Engagement Letter
were restated at clause 8 of the Agreement to Complete Work.
The demand reflects standard practice for securing confidential information at the end of an
engagement. Post Office will be keeping all the documents provided by Second Sight (and Second
Sight will only be destroying duplicate documents) so no information will be lost by you
complying with this demand.
If Second Sight does not comply with this demand, it is effectively frustrating the legal rights of
Applicants to access their personal data and risks placing Post Office in breach of the DPA. Also
given that Second Sight's work is finished, you no longer need to hold this information.
Post Office takes Applicants’ information rights and the security of information very seriously.
We will take all necessary action, including if required legal action without further notice to you,
to ensure that Confidential Information held by Second Sight is delivered up to Post Office
without delay.
You should notify me immediately if Second Sight encounters any difficulties in complying with
the above demand.
Publicity
Pursuant to clause 8.1 of the Engagement Letter, which was restated in clause 8 of the
Agreement to Complete Work, Second Sight is prohibited from making any public statements
about the Scheme and/or its Services unless Post Office has given its consent to those
statements.
I remind you that this restriction on making public statements continues to bind Second Sight
after the Termination Date and Post Office will take action to enforce this restriction if necessary.
Restrictive Covenant
I also remind you that under clause 6.2 of the Engagement Letter, as restated in clause 8 of the
Agreement to Complete Work, Second Sight and the Second Sight Directors, Ron Warmington and
Ian Henderson, are restricted from acting for another person against Post Office's interests for a
period of 15 months from the Termination Date (expiring on 27 October 2016).