POL00243542
POL00243542
Strictly confidential, commercially sensitive and legally privileged draft
Complaint Review and Mediation Scheme
Horizon Data
Issue
This question often phrased by Applicants and Second Sight is:
"Can Post Office remotely access Horizon?"
Phrasing the question in this way does not address the issue that is of concern to Second
Sight and Applicants. It refers generically to "Horizon" but more particularly is about the
transaction data recorded by Horizon. Also, the word "access" means the ability to view
transaction data without editing it - Post Office / Fujitsu has always been able to view
transaction data in order to provide support and conduct maintenance but this does not allow
access to any functionality that could be used to edit recorded transaction data. However it is
the alleged capacity of Post Office / Fujitsu to edit transaction data that appears to be of
concern.
Thus, this paper addresses the question:
Can Post Office or Fujitsu edit transaction data without the knowledge of a Subpostmaster?”
Post Office confirms There is no functionality in Horizon for either a branch, Post Office
or Fujitsu (suppliers of the Horizon system) to edit, manipulate or remove transaction
data once it has been recorded in a branch’s accounts. Post Office can only post
additional, correcting transactions to a branch's accounts, but only in ways that are
visible to Subpostmasters
This document
This document provides a generic, response to the general question posed above. It is noted
that, as yet, neither Second Sight or any Applicant have presented Post Office with a specific
evidenced example of data irregularities or anomalies that may suggest data integrity issues.
Nevertheless, Post Office is of course prepared to investigate incidents alleged by claimants
as part of the Complaint and Mediation Scheme providing they are clearly identified (by at
least the date, and preferably also the approximate time ) in an Applicant's Case
Questionnaire Response.
This document has been prepared with the assistance of Fujitsu and the Post Office IT&C
Team. Both have approved this document as being accurate.
Response
There is no functionality in Horizon for either a branch, Post Office or Fujitsu to edit,
manipulate or remove a transaction once it has been recorded in a branch's accounts.
Although once recorded a transaction cannot be edited or deleted, transactions (including
negative transactions) can be added to a branch's accounts , but only in the following ways:
Are the three ways below, the only ways to affect a branch's accounts?
1 In branch
POL00243542
POL00243542
Strictly confidential, commercially sensitive and legally privileged draft
Branch staff record additional transactions during their normal daily use of Horizon. So
long as they are logging on with their own unique User ID and not sharing User IDs
and passwords within a branch, each transaction will be logged against the user's own
User ID.
Horizon does not include functionality that allows either Post Office or Fujitsu to log on
to a branch terminal of Horizon remotely in order to edit transactions recorded by
Branch staff. It is possible for Fujitsu to view branch data in order to provide support
and conduct maintenance but this does not allow access to any functionality that could
be used to edit branch data.
There is the capability for Post Office employees to log on to a branch terminal locally
(i.e. by being physically in a branch) using a new User ID and password and then
conduct transactions. This would only be done in special circumstances (such as
when defunding a branch following a branch closure). Any transactions conducted
would be recorded against that new User ID and not against the User ID of any branch
staff.
2 TAs and TCs
Post Office can send transaction acknowledgements (TA) or transaction corrections
(TC) to branches. TAs are used to record transactions that have been processed in
branch through other systems (eg. the sale of Lottery products on the Camelot
terminal) and TCs to correct errors made by branches.
Both TAs and TCs need to be accepted by a.user logged into the branch Horizon
terminal before they are recorded in the branch accounts. They are therefore fully
visible to each branch.
3 Balancing Transactions
Fujitsu (but not Post Office) can manually inject a new transaction into a branch's
accounts using the Balancing Transaction, Process. This process is used in the event
of an accounting error that cannot be corrected by use of a TA or TC.
It is in ac¢ordance with good industry practice to have functionality of this nature in a
system like,Horizon.
Within the AuditStore is an audit log that automatically records any use of Balancing
Transactions. This,log’shows that a Balancing Transaction has only be used once in
the last 7 years (being the retention period for the log).
The circumstances surrounding this one incident are as follows:
« HNGX was being piloted amongst x branches over x month period. An issue
was reported by a Subpostmaster that resulted in a duplicate transaction being
generated when the application went off line unexpectedly.
e Fujitsu software support repaired the accounts by insertion of auditable records
into the branch database.
The use of this process is strictly controlled by Post Office. When the Balancing
Transaction Process is used, it leaves clear and identifiable audit trail and is done so
with full knowledge and consent of the Subpostmaster of the affected branch.
POL00243542
POL00243542
Strictly confidential, commercially sensitive and legally privileged draft
These access controls meet industry good practice standards and are audited under
1SO27001 and by LINK (the industry body for ATMs) and PCI (card payment
compliance).
Post Office Limited
DATE