POL00448520
POL00448520
Post Office Limited
SEG Tactical meeting
17 July 2024, 11.00 - 13.00hrs
Present: Owen Woodley, Chris Brocklesby, Karen McEwan, Neil Brocklehurst, John Dillon, Sarah Gray, Chrysanthy Pispinis, Max Jacobi.
Other attendees: Alison Hoyland (Deputy Company Secretary)
Other attendees as shown against agenda items.
Apologies: Ben Foat Nick Read, Preetha McCann
Topic (Decision/Discussion/Noting) Action owner Deadline
Actions
.
SEG noted the updated action log, including those actions marked for closure.
Branch Discrepancies
Mel Park (MP) joined the meeting.
.
.
SEG noted the pack on ‘Loss Recovery’.
NB presented the pack and the key points of note from the discussion included:
For now, SEG was invited to note the update and the proposed direction of travel on discrepancy/loss recovery
from branches; some decisions on interim steps were however required.
The final proposal would be dependent on a number of pre-requisites which would be explored in the
discussion.
By way of background, SEG noted that following the recommendations made in the GLO and ClJ in 2018/19,
POL had ceased action to recover established losses from Postmasters.
This activity had been on hold since this time, except where a Postmaster both agreed to repay the established
loss and proceeded to repay under a process established in 2021 to identify and resolve discrepancies arising
mainly during trading period balancing; this process was documented and regularly assured by the Assurance
and Complex Investigation Team.
A key consideration was whether Horizon transaction data might be a cause of the discrepancy.
Outcomes from the discrepancy review included:
o Write off below a de minimis value (£1,000).
o Write off where the cause cannot be established.
o Transaction correction if the cause was due to a processing error.
o An agreed repayment plan/deduction from remuneration for established losses considered and agreed to
be (on the balance of probabilities), due to the negligence, carelessness, or error of the Postmaster and/or
Strictly Confidential Page 1 of 2
POL00448520
POL00448520
Post Office Limited
SEG Tactical meeting
17 July 2024, 11.00 - 13.00hrs
their assistants.
— Any disputed discrepancy could be referred to an internal dispute process; if the Postmaster didn’t engage in
the process, disagreed with an upheld decision following the internal dispute process or agreed with the
outcome, but failed to engage in repayment, no further action was taken and the outstanding balance remained
on the Postmaster account and was then fully provisioned after 60 days.
— There was currently no independent review of the discrepancy outcome.
— The voluntary recovery/repayment process was predicated on Horizon data being robust and that POL could
rely on the data; POL was currently awaiting confirmation from both POL IT and Fujitsu and that this was the
case and this would be a key pre-requisite to any process that sought recovery in circumstances where the
Postmaster did not voluntarily agree.
— SEG considered the options for the process going forward and the associated pros and cons. The options were
to:
o Maintain the current situation.
o Maintain the current situation and communicate this as a policy decision to Postmasters.
o Cease all future recovery of losses.
o Seek recovery of established losses via a civil means/deduction from remuneration, following an agreed,
defined process with an external review board that would make the final recovery decision.
— SEG discussed a number of other alternatives, including:
© Some form of ‘losses’ pool, to which all Postmasters contributed and from which repayments would be
made.
o Insuring for losses.
— SEG agreed the recommended option, to seek recovery of established losses under an agreed process, was
the right direction of travel, noting that the final decision would be subject to a number of pre-requisites.
— While the detail of the new process was yet to be finalised, SEG agreed that it should include an external
board (on which representative Postmasters would sit) before any recovery action was taken. POL would follow
a defined process, starting with operational excellence initiatives, and including a review to confirm there were
no systems issues, providing for engagement with Postmasters to agree any root cause and remediation
activities e.g. training etc. The external board would only be engaged once all actions had been exhausted.
— SEG discussed the pre-requisites, which critically included assurance on Horizon data, Postmaster support via
consultation (and prior engagement with POL’s Postmaster NEDs) and Board approval. SEG agreed additional
Strictly Confidential Page 2 of 2
POL00448520
POL00448520
Post Office Limited
SEG Tactical meeting
17 July 2024, 11.00 - 13.00hrs
pre-requisites should include:
o A full cost benefit analysis.
o Assurance on capability and training, with the involvement of the People Team.
— Interms of policy decisions for now, SEG agreed that:
© The voluntary recovery process should continue.
o Payments made to date would not, for now, be repaid, although this would be kept under review as
against the final decision on the wider process; finance would undertake work in the meantime to provide
an estimate on the costs of repaying Postmasters.
o Any final agreed process to recover losses would not be applied retrospectively.
« SEG noted the next steps and the actions to be undertaken in relation to the network, communications, finance,
people, legal and technology and that a working group was being set up.
« On the finances, SEG noted that depending on the final decisions on process, there may be implications for POL’s
accounts which may need to be re-stated.
« On communications, SEG agreed it would be essential to be able to explain the steps POL had taken to date —
and that any new policy/process would be subject to a fully open and transparent consultation with Postmasters.
Further, it was agreed that any changes to the process must reflect the new culture and posture of POL, i.e. that NB/MP
the process must be transparent, discussed, agreed and actioned in conjunction with Postmasters and that the NB
mistakes of the past could not be repeated. SEG reaffirmed POL’s stated position, that it would never again NB
exercise any prosecutorial power.
e On people, it would be essential that colleagues involved in the recovery process were capable and appropriately
trained; decisions would need to be made which function/s would undertake the work — and whether that might
need to be in a new function altogether.
e A further discussion would be arranged at SEG, once the work was sufficiently advanced and weekly updates
would be scheduled thereafter.
Actions:
— Prerequisites to include a cost benefit analysis and assurance on capability and training (People Team to be
involved)
— Interim Chair and Board to be updated pre-September Board.
— Weekly updates to be presented at SEG once working group set up.
Strictly Confidential Page 3 of 2
POL00448520
POL00448520
Post Office Limited
SEG Tactical meeting
17 July 2024, 11.00 - 13.00hrs
Data Breach Compensation Offer
Kirsty O’Connor joined the meeting.
The GLO Settlement Deed Data Breach paper was noted.
Key points of note from the discussion were:
« SEG had discussed the breach at its meeting on 26 June where it had agreed to consider the question of
compensation, post discussions with POL’s insurers.
« The team had spoken to the insurers and a proposal on compensation was now ready for review and the decision
on affordability was also being put to SEG, rather than the Opex Committee, due to timing considerations.
« SEG agreed the proposal to offer £2K to those affected; while the amount was at the higher end for such
breaches, the offer reflected the extenuating circumstances and prevailing context was at play. The anticipated
spend was £1.2m spend. The approval included the considerations on affordability, albeit SG noted that this would
add to the savings challenge. The costs would be fed into the 3+9 forecast.
« SEG confirmed that the compensation offer should not be expressed as an initial offer; it would remain open to
anyone to make the case for higher compensation, with a particularised claim setting out the harm/damage for
which they were seeking a higher amount.
Data Loss Prevention - Accelerated Plan
Neil Bennet joined the meeting.
SEG noted the paper on data loss prevention — accelerated plans.
Key points of noted form the discussions were:
« The longer-term actions for data loss included the enforcement of classification of documents to allow for technical
controls to be put in place to block confidential data going outside of the organisation and enforce document
sending controls with correct labelling in place.
« Inthe light of recent data breaches, it was proposed to accelerate the plans to put these controls in place.
« The new controls would require a change to business processes and would cause additional steps for the end user
across Teams, Exchange, Outlook, SharePoint, and OneDrive, Word, Excel, and PowerPoint.
« It was recommended that a pilot be sued with a controlled user group of 50; SEG noted that this should be made
up of relevant colleagues, for example, those that might be most impacted by the changes.
Strictly Confidential Page 4 of 2
Post Office Limited
SEG Tactical meeting
17 July 2024, 11.00 - 13.00hrs
POL00448520
POL00448520
«The roll out to the full estate would be subject to the pilot meeting exit criteria.
« The costs were included in the cyber security maturity plans, for which funding had already been agreed.
«The labelling convention and controls were as follows:
Label Controls
-Public I None
Internal I Can only send internally or to an approved set of partners.
Justification needed to de-classify
Confidential Encrypted
Cannot send externally except to pre-approved partners
Cannot forward, print, or copy the content.
Justification needed to de-classify
Strictly Encrypted
Confidential Cannot send externally.
Cannot forward, print, or copy the content.
Justification needed to de-classify
SEG RESOLVED to APPROVE the:
« implementation of business rules on information classification, that will block actions associated with labelled
information that does not align with the information classification policy; and
« deployment of information classification auto labelling across Microsoft (MS) applications for all end users.
SEG Sub-Committee Reports:
« SEG noted the IADG report.
* OW noted that NB should attend the Retail Committee meetings going forward, and his vies on the matters being
discussed Qand whether they were the right ones) would be welcome as part of the boarder review of
organisational governance — being led by CP
Strictly Confidential Page 5 of 2
POL00448520
POL00448520
Post Office Limited
SEG Tactical meeting
17 July 2024, 11.00 - 13.00hrs
Items for noting with no presentation:
FPOIA update
« SEG noted the update and key matters of note, including a request in relation to Horizon replacement, which was
being declined on the basis of appropriate exemptions.
« SPMP FOIA - SPMP request — being considered at Steerco —- MJ — agreed not to be disclose .
e JD suggested it might be helpful to add key themes into the weekly updates.
« Capacity/resourcing issues had been addressed by new joiners to the team and response times were coming
down.
« KMcE/CC noted a DBT data breach in relation to a FOIA request it had received in relation to CEO / CFO pay — the
respective teams were handling the implications that arose
AOB
« CB noted he was doing restorative justice meetings over the next couple of days
« SG asked if Postmaster contract reform might be suitable for progression as a priority; OW noted there were a
number of interdependencies, including the Strategic Review, the outputs form which might have a bearing on
future contracts — so the timing would need to be coordinated around those key dependencies
« CC noted the upcoming BBC documentary; the need for daily stand up meetings would be kept under review, as
against any follow up matters that arise.
« CP noted the plans keep SEG agenda under review over the next 7 weeks as against the priorities, but also to
allow for flexibility and the need to respond to pressing matters as they arose.
Strictly Confidential Page 6 of 2