WITN00300200 Andy Dunks - Second Witness Statement

WITN00300200

Witness Name: Andrew Paul Dunks
Statement No.: WITN00300200

Dated: 24 May 2024

POST OFFICE HORIZON IT INQUIRY

SECOND WITNESS STATEMENT OF ANDREW PAUL DUNKS

I, Andrew Paul Dunks, will say as follows...

INTRODUCTION

1. I make this statement further to my first witness statement, dated 20 February
2023 (WITN00300100).

2. This witness statement is made to assist the Post Office Horizon IT Inquiry (the
“Inquiry”) with the matters set out in the Second Rule 9 Request, dated 5 April
2024, concerning the litigation support services provided by Fujitsu Services
Limited (“Fujitsu”) to Post Office Limited (“POL”), including my role in providing
evidence in civil and criminal proceedings against sub-postmasters (“SPMs”).

3. I remain employed by Fujitsu in the Customer Service Post Office Account
(“CSPOA”) Security Team as an IT Security Analyst, with my main responsibility
being cryptographic key management. I have been in the same role since I first
joined the team in 2002, and have never been promoted within the organisation.

PREPARATION OF THIS WITNESS STATEMENT

4. Given the questions that have been asked of me in other proceedings (and when
I was last giving evidence before the Inquiry) about the precise wording used in
my witness statements, I wish to make completely clear that I have been assisted
in preparing this statement (and my first witness statement) by my lawyers,
Hickman & Rose.

5. I sometimes struggle with articulating exactly what I mean in my own writing and
speech, and this statement has therefore been primarily drafted by my lawyers
rather than by me, in order to help me convey the information that I wish to
provide to the Inquiry in the clearest way. It also contains a mixture of information
that I personally recollect, and information that is contained in the documents that
I have been asked to consider by the Inquiry (which I reference below).

6. I believe that this statement accurately reflects my answers to the questions
raised by the Inquiry. I have read through it carefully, and have asked questions
if I do not understand the meaning of a particular word or phrase that has been
used.

OVERVIEW

7. I summarised some of the many functions of the CSPOA Security Team in my
first witness statement, and my attention has now been drawn to a document
titled “Security Management Service: Service Description” which sets out a fuller
list of these functions and describes what they entailed. The most recent version
of this document supplied to me by the Inquiry, version 6.0 dated 21 May 2015
(POL00002572),¹ gives the following list of functions (at page 7):

7.1 Implementation and maintenance of Post Office security policy and
procedures;
7.2 Compliance monitoring and audit;
7.3 Cryptographic key management;
7.4 Security event management and firewall event analysis;
7.5 System and physical access control;
7.6 Anti-virus and malicious software management;

7.7 Monitoring of any Intrusion Detection System (IDS) or Intrusion Prevention
System (IPS) in place;
7.8 Security incident reporting and problem management;
7.9 System security change management;
7.10 Security awareness and training;
7.11 Information Retrieval and Audit;
7.12 Subject Information Requests management;

7.13 Prevailing threats and vulnerability management;
7.14 Litigation support;
7.15 LINK compliance questionnaire;
7.16 Management of Risk;
7.17 Monthly Reporting;
7.18 File Integrity Monitoring;
7.19 PCI DSS support; and
7.20 PCI DSS internal penetration testing.

¹ I note that although this document states in the footer that it is version 5.0 dated 4 April 2014, the
document history on page 4 shows that it is actually version 6.0 dated 21 May 2015.

8. As explained in my first witness statement, when I first joined the CSPOA
Security Team my initial responsibility was for cryptographic key management,
however, over time I became involved in some of the other functions of the team.

9. One of the functions of the CSPOA Security Team was in providing “litigation
support” to POL.

10. Throughout my time at Fujitsu, I understood that the core litigation support
service provided by the CSPOA Security Team related to two things:

10.1 Supplying records of transactions and events (known as ‘audit data’)
concerning a particular post office branch extracted following receipt of an
Audit Record Query (“ARQ”) from POL; and

10.2 Supplying, summarising or analysing records of calls logged by the Horizon
System Helpdesk/Service Desk (the “HSD”) in respect of the branch
following receipt of an HSD call records request from POL.

11. In addition to supplying the records, I was sometimes requested to provide a
witness statement about the work that I had performed, and on a small number
of occasions I was required to attend court to give evidence. However, in the
majority of cases the role simply involved extracting and supplying the requested
records.

12. I have been asked in this statement to provide further information about the
litigation support service and the nature and extent of my involvement in that
service from when I started working for the CSPOA Security Team in 2002,
through to 2019. I have also been asked to describe my involvement in the
following proceedings:

12.1 R v. Thomas;

12.2 Post Office Limited v. Castleton;

12.3 R v. Hamilton;

12.4 R v. Misra; and

12.5 Bates & Others v. Post Office Limited (“the GLO Proceedings”).

LITIGATION SUPPORT

Organisational Structure

13. I have been asked to provide an overview of the organisational structure within
Fujitsu for the provision of litigation support to POL (including any material
changes to the service), the people involved and their respective roles, and the
contact that I had with them.

14. The CSPOA Security Team was headed by the Chief Information Security Officer
(“CISO”). Below them sat the Operational Security Manager (who it appears from
the documentation was supported for a time by the Deputy Security Manager,
though I do not recall them having this job title), who managed the team of IT
Security Analysts of which I was part. This organisational structure remained the
same throughout my time working in the team.

15. Although all of the IT Security Analysts carried out the various functions of the
team as and when required, certain people had greater responsibility for
particular tasks. For example, I am the Cryptographic Key Manager, responsible
for managing and refreshing the cryptographic keys used across the CSPOA IT
estate. Another of the IT Security Analysts was the Litigation Support Manager,
responsible for managing the litigation support function of the team. Although we
were at the same level within the organisational hierarchy, I would defer to them
on matters concerning litigation support, as they would defer to me on matters
concerning cryptographic keys.

Chief Information Security Officer (‘CISO’)

16. The CISO had overall management of the CSPOA Security Team, including
litigation support. I attended whole team meetings that were led by the CISO,
and would know them to speak to around the office, but they were not responsible
for managing my day to day work, and I did not have frequent direct
communications with them about my work. I cannot recall all of the individuals
who sat as CISO between 2002 and 2019; I have set out below the details of
those who I recall, or who the documents provided to me by the Inquiry suggest
held that role at various times.

17. The documentation provided to me by the Inquiry does not contain details about
who held the position of CISO prior to 2010, and I do not recall the names of the
individuals who held the position between 2002 to 2010, or how many different
people there were.

18. Thomas (‘Tom’) Lillywhite was CISO at certain points in time, but I cannot recall
when exactly. I recall that he sat above Donna Munro, the Operational Security
Manager at the time. According to documents provided to me by the Inquiry,
Thomas Lillywhite was recorded as CISO (and as such approval authority and
mandatory reviewer) for version 3.0 of the Security Management Service:
Service Description document (FUJ00002264),² dated 15 October 2010. I have
also been shown emails involving myself and Mr Lillywhite in May and July 2010
(FUJ00156144) and (FUJ00154905).

19. Ian Howard is recorded as being CISO on version 1.0 of the Audit Data Extraction
Process (FUJ00152218), which is dated 1 March 2011, and Howard Pritchard is
recorded as being CISO in 2012 on versions 1.1 and 2.0 of the Management of
the Litigation Support Service document (FUJ00152220 and FUJ00152225,
respectively). I recall Howard Pritchard being the CISO, but do not remember Ian
Howard at all.

20. The documents suggest that Tom Lillywhite returned as CISO at some point in
2013, however I have no recollection of this. He was recorded as an approval
authority, and listed as mandatory reviewer as CISO, in versions 3.5 and 4.0 of
the Security Management Service: Service Description document
(FUJ00088868) and (FUJ00002555), dated 25 November 2013 and 4 December
2013, respectively.

² I note that this is different to FUJ00002000 which has a similar title: “Service Description for the
Security Management Service” and is also version 3.0, but is from a completely different date.

21. The documents suggest that Keith Smith was CISO in 2014 and continued to
hold the role in 2015. I recall Mr Smith being CISO but not the precise dates that
he held the position. He was an approval authority for version 3.0 of the Audit
Data Extraction Process document (FUJ00152228), dated 4 September 2014.
He was also an approval authority, and listed as mandatory reviewer, for version
6.0 of the Security Management Service: Service Description document
(POL00002572), dated 21 May 2015. Both documents list him as CISO at the
time.

22. The Inquiry has not supplied me with any documents to assist me to refresh my
memory as to who held the position of CISO between 2015 and 2019. However,
I believe that Steve Godfrey was promoted from Operational Security Manager
to CISO at some point, though I do not recall precisely when this was.

Operational Security Manager

23. The Operational Security Manager (sometimes called Security Operations
Manager) reported to the CISO and had responsibility for managing the tasks
performed by the IT Security Analysts. They were my line manager and oversaw
all aspects of my work and responsibilities. As part of their role, they were
responsible for contributing to and reviewing the policies and procedures in
relation to litigation support. They were also sometimes involved in reviewing my
draft witness statements, and with assisting me in respect of issues or concerns
that I raised in relation to them (though the Litigation Support Manager would
usually be my first port of call).

24. I cannot recall the exact details of when each Operational Security Manager
joined or left the Fujitsu Security Team. I have set out below details of those who
I recall, or who the documents provided to me by the Inquiry suggest held that
role at various times.

25. According to the documents disclosed to me by the Inquiry, Graham Hooper was
the Operational Security Manager in 2001 and 2002, as he is named as such on
version 2.0 of the Conducting Audit Data Extractions at Live document
(FUJ00152176), dated 27 November 2001, and version 1.0 of the Network
Banking Management of Prosecution Support document (FUJ00152205), dated
26 November 2002. I joined the CSPOA Security Team in 2002 and recall Mr
Hooper being in this role for a short period of time after I joined.

26. I recall that Mr Hooper was replaced by William (‘Bill’) Mitchell as Operational
Security Manager. The Inquiry have supplied me with an HSD witness statement
in the name William Leslie Mitchell (FUJ00122190) which states that he had
been employed as Security Manager since 22 September 2003. He was still in
this role in 2005 as he is recorded as a contributor to, approval authority, and
mandatory reviewer of version 2.0 of the Network Banking Management of
Prosecution Support document (FUJ00152209), dated 29 February 2005.

27. I believe that Brian Pinder succeeded Bill Mitchell as Operational Security
Manager. He is recorded as such on version 3.0 of a document titled “Service
Description for the Security Management Service” (FUJ00002000), dated 6
March 2006. I also note that it was Mr Pinder who appears to have first tasked
me with preparing HSD witness statements, as he sent me an email dated 22
March 2006 (FUJ00122189), attaching the Bill Mitchell witness statement
(FUJ00122190) described above.

28. Copied to the 22 March 2006 email was Peter (‘Pete’) Sewell. According to
version 2.1 of the Management of the Prosecution Support Service for Audit
Record Queries (FUJ00122366) policy document, dated 6 June 2007, he was
the Deputy Security Manager. I note that he also describes himself as such in
the footer of an email on 8 August 2007 (FUJ00154664), though I do not
specifically recall this being his title. I am not entirely certain, but it may therefore
be that I technically reported to Mr Sewell rather than directly to the Operational
Security Manager for a period of time, though I recall having interactions with
both of them about my work and my role. Mr Sewell was involved in various
emails concerning the preparation of my witness statements, discussed below.

29. The next Operational Security Manager who I recall was Donna Munro.
According to version 3.0 of the Security Management Service: Service
Description document (FUJ00002264), in which she is described as having
authored, she was Security Operations Manager by 15 October 2010.

30. She was also copied into an email dated 6 July 2010 concerning duplication of
transaction records in ARQ returns (FUJ00154905). Neither Pete Sewell nor
Brian Pinder were copied into the email, so it is likely that she had replaced them
by this point, though I have no specific recollection of when precisely she took
over.

31. Donna Munro continued in the role throughout 2011 and 2012. She was listed as
Security Operations Manager, and mandatory reviewer, on version 1.0 of the
Audit Data Extraction Process document dated 1 March 2011 (FUJ00152218)
and was involved in a June 2011 e-mail chain relating to improvements to the
Triole for Service (“TfS”) system, in connection with the process of reviewing
HSD calls and supplying witness statements (FUJ00231002). Ms Munro was
also listed as Security Operations Manager, and mandatory reviewer on versions
1.1 and 2.0 of the Management of the Litigation Support Service (FUJ00152220
and FUJ00152225) policy, dated 14 February 2012 and 23 April 2012,
respectively.

32. Kumudu Amaratunga succeeded Donna Munro as Operational Security
Manager. As with the other individuals, I cannot recall when Kumudu
Amaratunga joined the Security Team, however the documents disclosed to me
by the Inquiry indicate that he was in the role during 2013 and 2014. He was the
author of version 3.5 and 4.0 of the Security Management Service: Service
Description document, dated 25 November 2013 and 4 December 2013,
respectively (FUJ00088868 and FUJ00002555). Furthermore, he was the author
and mandatory reviewer for version 3.0 of the Audit Data Extraction Process
document (FUJ00152228), dated 4 September 2014.

33. I believe that Kumudu Amaratunga was succeeded in the role by Stephen
Godfrey. Mr Godfrey is listed as the author of version 6.0 of the Security
Management Service: Service Description (POL00002572) dated 21 May 2015.

34. My recollection is that at some point Stephen Godfrey was promoted to the
position of CISO, and that he was succeeded as Operational Security Manager
by Jason Muir, who had been one of the other IT Security Analysts for around a
couple of years at that time.

35. I believe that Jason Muir was eventually succeeded by Farzin Dembali (who was
also promoted from IT Security Analyst), who is still in the role now.

Litigation Support Manager

36. When I first started working for the CSPOA Security Team, I believe that the
Operational Security Manager had responsibility for the process of managing the
litigation support function. They were the main point of contact with POL about
litigation support and were also involved in preparing witness statements for use
in litigation. Although some of the IT Security Analysts had greater responsibility
for the provision of litigation support than others at that time, I do not remember
them having any particular job title in that regard.

37. The Litigation Support Manager was a role subsequently held by one of the IT
Security Analysts within the CSPOA Security Team, reporting to the Operational
Security Manager (or deputy). The Litigation Support Manager took over
responsibility from the Operational Security Manager for running the litigation
support function and communicating with POL about it. This was not a role that
was more senior to the other IT Security Analysts (for example, I was called the
Cryptographic Key Manager), however, they did have particular responsibility for
this aspect of the service, and so the other IT Security Analysts would defer to
their expertise on matters relating to litigation support.

38. As another member of the team, I would regularly see them about the office and
in team meetings, though did not necessarily need to interact with them daily
about the work that I was doing. Although they were responsible for running the
overall process, they were not responsible for assigning me work or managing
me. If the Operational Security Manager had assigned me the task that week of
performing ARQ extracts then I would simply access the list of requests and
perform the relevant extractions — this did not generally require me to seek any
input from the Litigation Support Manager, though they would be my first port of
call if I had any queries or if there were any issues.

39. When I first joined the CSPOA Security Team there was no Litigation Support
Manager, but one of the IT Security Analysts, Jane Bailey, had particular
responsibility for litigation support tasks. I note that Ms Bailey authored version
2.0 of the Conducting Audit Data Extractions at Live document (FUJ00152176),
dated 27 November 2001, and version 1.0 of the Network Banking Management
of Prosecution Support document (FUJ00152205), dated 26 November 2002.

40. My recollection is that Ms Bailey ran the ARQ extraction process at the time, but
I don’t remember anything else about her responsibilities in respect of litigation
support. I recall that, sometimes, I would cover for Ms Bailey in extracting ARQ
data, but I cannot recall the specific instances when that happened. The ARQ
extraction would have been conducted from the office in Feltham (where the audit
data extraction workstations were then located) while my cryptographic keys
responsibilities were run from Bracknell (where the cryptographic key workstation
was located), which is where I was based throughout. I believe Ms Bailey left
Fujitsu before the Feltham office closed and the entire CSPOA Security Team
moved to Bracknell, though I do not recall precisely when this was.

41. My recollection is that at some time after the office move to Bracknell, Penny
Thomas was hired as an IT Security Analyst initially on a temporary basis and
carried out the litigation support functions. She was subsequently taken on full
time, and held the additional title of Litigation Support Manager. I can see from
the documents disclosed to me by the Inquiry that she contributed towards
version 2.0 of the Network Banking Management of Prosecution Support
document (FUJ00152209), dated 29 February 2005, and that she was still in post
until at least 23 April 2012 when she authored version 2.0 of the Management of
the Litigation Support Service document (FUJ00152225). As part of Ms
Thomas's role she carried out ARQ extractions. She also updated the template
witness statements that were used for litigation support, and provided signed
witness statements for use in POL litigation.

42. After Ms Thomas left the role, I don’t have a recollection of anyone else being
called the Litigation Support Manager, or who became responsible for
communicating with POL in respect of litigation support. The overall responsibility
for managing the litigation support function remained with the Operational
Security Manager throughout.

43. Where in this statement I refer to the Litigation Support Manager I mean the
person who had responsibility for managing the litigation support process at the
relevant time (i.e. Penny Thomas while she worked for the CSPOA Security
Team, or whoever was responsible for this at all other times).

IT Security Analysts

44. There were several other individuals who worked in the CSPOA Security Team
as IT Security Analysts at various times between 2002 and 2019. I cannot now
recall all their names, or precisely when they worked for the team. I detail below
the names of those who I recall who were involved in the litigation support
function, though this may not be an exhaustive list.

45. During and possibly before Penny Thomas's tenure in the Security Team, Neneh
Lowther was also part of the team. I do not recall when she joined. At some point
she left the security team, but still works at Fujitsu, and based on documents
disclosed to me by the Inquiry appears to have been in the role until at least early
2008.

46. I believe that Ms Lowther had a greater involvement than me in litigation support
at the time. She was the author of version 2.0 of the Network Banking
Management of Prosecution Support document (FUJ00152209), dated 29
February 2005. Ms Lowther was involved in an e-mail chain following the
resolution of the Lee Castleton proceedings in the High Court in January 2007
(FUJ00152663) and she was a contributor for version 2.1 of the Management of
The Prosecution Support Service For Audit Record Queries document
(FUJ00122366), dated 6 June 2007. She was also involved in the extraction of
ARQ data when requested by POL and the provision of witness statements. On
5 March 2008 Ms Thomas emailed both me and Ms Lowther (copying Peter
Sewell) updated versions of the template witness statements (FUJ00122522).

47. Rajbinder Bains is another IT Security Analyst in the CSPOA Security Team who
I recall originally joined as a temporary worker but then was taken on
permanently. I do not recall exactly when she joined the Security Team, but it
appears to have been by at the latest March 2011, as she is listed in the
distribution list for version 1.0 of the Audit Data Extraction process
(FUJ00152218), dated 1 March 2011. Ms Bains is still working as part of the
CSPOA but is no longer in the Security Team.

48. I recall that Ms Bains was the main person responsible for performing ARQ data
extractions for a time. However, she did not want to be a witness in any court
proceedings and so I do not believe she prepared any witness statements. I got
the impression that she was nervous because it was something unknown to her,
and the idea of going to court and being questioned was a bit daunting. Where
POL requested a witness statement at the time of the ARQ request, I or someone
else would therefore perform the data extraction and supply the statement. If Ms
Bains had performed the data extraction and POL later requested a witness
statement, then I or someone else would re-extract the data.

49. I note that Christine Phillips and Jason Muir were listed as optional reviewers of
version 3.0 of the Audit Data Extraction Process document (FUJ00152228),
dated 4 September 2014 (along with me and Rajbinder Bains). Both were
members of the CSPOA Security Team, however, I cannot recall what role they
had in respect of litigation support at the time, if any. When Mr Muir was
subsequently promoted to Operational Security Manager, part of his
responsibilities would have included managing the litigation support function.

50. Farzin Denbali had joined the team initially as an IT Security Analyst (and was
later promoted to Operational Security Manager) by at least 2019, but I do not
recall precisely when he joined. He was involved in performing ARQ extractions
and following his promotion had responsibility for managing the litigation support
function.

51. I note that aside from occasionally being listed as an optional reviewer, or being
in the distribution list, for the various policy documents concerning the litigation
support service that the Inquiry has supplied to me (and which I reference above),
I am never listed as an author, contributor, approver or mandatory reviewer in
respect of any of these documents, and it is unclear which were sent to me at
the time.

52. Although I likely read some parts, of some versions, of some of these documents
at the time, I have no specific recollection of doing so. This reflects the fact that
I had no responsibility for negotiating the contractual relationship or scope of the
services with POL, setting the policies that would be followed in respect of the
litigation support service, or managing the process.

53. I and the other IT Security Analysts assisted the Litigation Support Manager as
and when required, in addition to performing the other tasks assigned to us by
the Operational Security Manager. We were very process driven and followed
local work instruction documents for many of the tasks that we performed, rather
than consulting the Fujitsu policies and service descriptions. The local work
instructions were informal documents, which at some stage had been written by
those actually performing the tasks, and which focussed on the practicalities of
how to do each task. I believe Penny Thomas drafted local work instructions in
respect of ARQ extractions, and I wrote the local work instruction in respect of
how to extract the HSD call records, though both documents may have been
updated by different people over the years. None of these local work instructions,
that I used on a day-to-day basis, have been disclosed to me by the Inquiry.

Others outside the CSPOA Security Team involved in litigation support

54. Outside of the CSPOA Security Team, there were others who I understood had
some oversight of the litigation support function, or who I came into contact with
as part of my role.

55. I understood that Service Delivery Managers overlooked the different aspects of
the service provided by Fujitsu to POL, including the litigation support function,
though I am unsure of the exact organisational structure. I had some dealings
with the Service Delivery Managers as part of my role, though not necessarily in
respect of the litigation support work. I do not recall all of their names, their job
titles or the dates that they were in the role, but based on a review of the
documents disclosed to me by the Inquiry they included Richard Brunskill and
Susan Appleby-Robbins.

56. In respect of the ARQ data extractions I would sometimes seek assistance from
the Audit Support Team, who would assist with any issues with the audit
extraction software, and were involved in the software updates. I do not recall all
of the names of the people that I spoke to within the Audit Support Team, but
they included Gerald Barnes and Alan Holmes. However, I do not recall the
specifics of any communications that I had with them.

57. In respect of the HSD calls, as part of my due diligence when analysing whether
there could have been an impact on the integrity of the data, I would consult with
colleagues who had come across the issues before or who had greater technical
knowledge than me, such as the Software Support Centre (“SSC”), to better
understand the nature of the issues being raised and how they were resolved.

58. I do not recall the names of the individuals who worked within the SSC with whom
I have consulted in respect of the HSD calls over the years. I spoke to the SSC
about lots of different matters, not just in relation to the litigation support work. I
would usually either call someone in the team, or go over in person (they were
on a different floor but in the same building) and speak to whoever was available.

59. I note that in an email dated 22 March 2006 from Brian Pinder to me with the
subject FW: Gaerwen Witness Statement (FUJ00122189), which appears to be
the first time I was tasked with preparing an HSD call witness statement, Mr
Pinder refers to Mik Peach, who was the head of the SSC and says:

“Any help always ask me or Peter [Sewell] but meanwhile I will have a
chat with Mik Peach on this too.”

60. One person from the SSC who I do recall interacting with concerning litigation
support was Anne Chambers. I recall sitting in a witness waiting room with Anne
Chambers for a couple of days prior to us both giving evidence (which I had
thought was at the Old Bailey, but now understand would more likely have been
the Lee Castleton proceedings at the High Court). My recollection is that after
that case Ms Chambers did not give evidence in court again, and that Mik Peach
did not want any of his team to go to court. The Inquiry has provided me with a copy
of an email from Mik Peach dated 7 August 2007 with the subject “Requests for
data and calls” (FUJ00154664) in which he describes an ‘incident’ the previous
year “in which an SSC staff member ended up in court” and says that “the SSC
is NOT in position to undertake this role.”

61. I was also aware that Gareth Jenkins (who I understood to be someone senior
with a very detailed knowledge of the workings of Horizon) gave evidence,
though I had limited, if any, direct interactions with him. However, I was aware
that Penny Thomas used to speak to Gareth Jenkins about matters concerning
litigation support, though I don’t know the specifics of what they discussed.

The service provided by Fujitsu

Contractual Requirements

62. I have been asked to comment on the agreement in place between POL and
Fujitsu in respect of the provision of litigation support by Fujitsu to POL, and the
contractual requirements on Fujitsu in respect of the ability of POL to obtain audit
data, the type of data and the quality and completeness of the data.

63. I do not recollect seeing a copy of the agreement between POL and Fujitsu and
was not aware of what the contractual requirements were. As far as I was
concerned, I provided whatever data I was requested to supply, though as far as
I recall these requests only ever consisted of ARQs and HSD call data.

64. I was aware that there was a cap on the number of ARQ requests that Fujitsu
was required to assist with each year as part of the agreed service, however, I
was unaware of what the financial or other arrangements would be if that cap
was reached. I believe that the cap was increased at some point, though I do not
recall when.

65. I am unaware whether there were any changes to the contractual requirements
in respect of litigation support when the service moved from Legacy Horizon to
Horizon Online.

66. I am unaware of who from Fujitsu was contractually responsible for provision of
data to POL. The CSPOA Security Team was tasked with supplying data in
response to ARQs and in respect of HSD calls; I describe these tasks and my
role in respect of them, below. However, I am unaware what other parts of Fujitsu

may have been tasked with supplying other data.


67. I am unaware of what the contractual requirements were in respect of how data
was to be presented by Fujitsu. I describe the process of extracting and

presenting the data that I carried out, below.

68. I am unaware of what additional prosecution support (if any) Fujitsu was
contractually obliged to provide to POL relating to audit data it supplied. I was
aware that POL could request that the person who supplied the data also provide
a witness statement accompanying the data, and I provided these as and when
requested. Although I am familiar with the term ‘expert’ in common usage, I was
not aware at the time that there was a distinction in law between witnesses of
fact and expert witnesses. I do not know what Fujitsu’s contractual obligations

were in respect of expert witness evidence.

69. I am unaware of what the contractual requirements on Fujitsu were in respect of
the ability of POL to obtain information from the PinICL, PEAK, KEL and
Powerhelp databases. Aside from information from the Powerhelp database (i.e.
the HSD call records), I don’t recall ever being requested to supply any such data
in connection with litigation support. Had I been requested to do so, I would have

sought instructions from my line manager about what to do.

Types of evidence

70. I have been asked to provide a detailed explanation of the different types of
evidence provided by Fujitsu to support litigation, including transaction logs,

event logs and call logs.

71. My general understanding of these terms is that transaction logs are the records
of transactions that had been entered into the counter terminals at the post office
branch (e.g. the sale of some stamps), whereas event logs are the automated
logs generated by the counter terminals at that branch. I also understand there
is a distinction between what I refer to as ‘counter events’, which are events
relating to the operation of the counter by the user (e.g. user logon and logoff)
and ‘system events’, which relate to how the system is running (e.g. database
connection status and automated error messages).

72. I understand call logs to be the records entered into the Fujitsu call handling
system (initially Powerhelp and later TfS) relating to the post office branch.
Although these are described as ‘call’ records, they include much more than just
the notes of the telephone calls made by the SPMs to the HSD. In addition to
any notes of calls with the SPMs, they record details about the teams assigned
to investigate the issues being raised, the steps taken by those teams and the
eventual resolution of the issue and close of the call.

73. The original call also did not necessarily have to arise from a telephone call from
the branch directly to the HSD (though this would predominantly be the case).
For example, calls would sometimes be made to the HSD by someone else on
behalf of the SPM, such as the Network Business Support Centre (“NBSC”),
which was POL’s helpline for dealing with business (as opposed to technical)
issues. If the SPM had raised a technical issue to the NBSC, then they would
refer the matter to the HSD which would log the call on the system.

74. An example of this can be seen at page 3 of my witness statement dated 14
January 2007 in respect of the proceedings against Jo Hamilton
(POL00044482). The call on 22 April 2004 at 08:57 shows a call from Trish at

the NBSC transferring a call in relation to a technical issue that had been raised
to them (regarding a lost network connection), and its subsequent handling by
the HSD.

75. I also understood that certain system events would result in an automated ‘call’
being logged with the HSD for investigation. An example of this can also be seen
at page 3 of POL00044482. The call on 21 April 2004 at 23:17 shows an
automatic error event (regarding a critical NT error) being logged on the system,
investigated and resolved.

76. I believe that both transaction and counter event logs were included within the
audit data that was supplied in response to an ARQ, but that this did not include
system event logs. However, as discussed above, certain system events could
be seen as part of the HSD call records.

77. I do not know why system event logs were not supplied as part of the ARQ
process. I do not know whether these records are stored within the audit
database or somewhere else, or whether it would have been possible for the
CSPOA Security Team to extract them using the existing software tools if we had
been requested to do so. I understood that we were supplying the data that it had
been agreed with POL we would provide in response to a standard ARQ request.
If POL had any specific requirements in respect of the extraction or had wanted
additional data, then this could be specified on the ARQ request form.

78. The call logs were produced in response to an HSD call records request. It is
important to note that the call logs that we produced did not include calls that the
SPM made to the NBSC. The NBSC sat outside Fujitsu and, save for any
information that the NBSC provided when logging a call with the HSD (or vice
versa when business issues raised by SPMs were referred by the HSD to the
NBSC), the CSPOA Security Team did not have access to any records of the
calls made by branches to the NBSC.

79. I describe ARQ and HSD call record requests in more detail in the following

sections.

Audit Record Queries

Process

80. I summarised at paragraph 12 of my first witness statement the process for

extracting transaction records in response to an ARQ.

81. ARQ requests could only be submitted by nominated persons within POL by
sending them to the CSPOA Security Team mailbox. The ARQ would be
submitted on an ARQ request form, a template of which can be seen at page 26
of version 1.0 of the Network Banking Management of Prosecution Support
document, dated 26 November 2002 (FUJ00152205). The form changed over

time but broadly speaking requested the same information.

82. Each ARQ would specify the relevant post office branch, date range, and any
specific details about the data sought. At the time records were requested by
POL we were not informed why they were required, though in general terms I
understood that they were needed for the purpose of an investigation into a post

office branch.

83. The member of the CSPOA Security Team who was dealing with the ARQ
extraction would log the details contained in the ARQ request, when the request
was received and when the data was sent out, on a central spreadsheet. The
Litigation Support Manager would keep track of the ARQs on the spreadsheet
and make sure that any timescales agreed with POL for responding to ARQ
requests were complied with.

84. The person doing the extraction would logon to one of the dedicated secure audit
workstations and enter the parameters specified in the ARQ into the audit
extraction tool, which would then automatically extract the relevant data from the
audit database.

85. I understood that the format of the audit data stored in the database would be
unintelligible, or at least very difficult to use, in its original form. I understood that
part of what the audit extraction tool was doing was formatting the data so that it
could more easily be read by a human.

86. There were a number of different extraction reports available in the software,
which I understood would extract and export different fields from the data,
however, to the best of my recollection we almost always used the same
extraction report every time we performed an ARQ. Aside from picking from the
available extraction reports, I was not able to choose which fields would be
extracted. If POL required additional fields to be extracted, or if the form in which
the data was to be presented needed to change, then Audit Support would have
had to update the audit extraction tool to add a new extraction report.

87. Once the relevant data was extracted, it could then be presented in a number of
different file formats, as specified on the ARQ form. However, to the best of my
recollection POL always requested that the data be provided in Microsoft Excel
spreadsheet format. The software produced two separate spreadsheets; one
containing the transaction records, and the other containing the counter events.


88. The person performing the extraction would check that the data extracted related
to the FAD (i.e. branch) code requested on the ARQ request form, and would run
their eye over the dates listed to make sure that the correct date range had been
supplied and that there were not any unexplained gaps in the data. The
spreadsheets would also indicate if there were any gaps or duplicates in the
records. A second person would later re-perform these checks to ensure that the

correct data was being produced in response to the request.

89. Finally, we would perform anti-virus checks, encrypt the data and place both

spreadsheets onto a compact disc, and send it to the Post Office.

90. This process remained largely the same throughout the entire period that I was
undertaking ARQ extractions. Although there were changes to the audit
extraction software made by the Audit Support Team (including a major change
as part of either the HNG or HNGx rollout that significantly reduced the time that
each extraction took to run), the actual steps that the user was required to take
were essentially the same. I also do not recall there being any differences
between carrying out audit data extractions on Legacy Horizon and Horizon
Online, save for changes to the Graphical User Interface (‘GUI’) i.e. how the
software looks, and the improvement to the speed of the extraction process. I
recall that the GUI also gave an option to perform the extraction using the

previous (slower) process.

Authorisation and Data Integrity Controls

91. There were a number of controls that I understood were in place to ensure that
the integrity of the data produced in response to an ARQ was guaranteed. I list
these at paragraph 6 of my witness statement for the GLO Proceedings dated
16 November 2018 (FUJ00082232), and expand on them below:

91.1 Extractions could only be made through the audit workstations which were
located in secure rooms subject to proximity pass access. The sites were
subject to rigorous physical security controls. In order to gain physical
access to the audit workstations a person would need an electronic pass
which had been specifically authorised to access the room (in addition to
gaining entry to the Fujitsu building). This authorisation process was run by
Fujitsu Group Security (different to the CSPOA Security Team) who were
responsible for issuing the passes, and setting which areas the passes
could be used to access. I understood that Group Security would only issue
a pass giving access to the audit secure room if requested to do so by the
CSPOA Security Team. The CSPOA Security Team also performed regular
audits (on at least an annual basis as part of the external audit) of the list
of people with access to the room to ensure that anyone who did not require
access was removed. I had a pass which I needed to use to access the

room and so knew that this control was in place.

91.2 The audit workstation could only be accessed by a user logging in using
their PIN and two-factor authentication (“2FA”) device. This meant that even
if someone was able to physically access the workstations they couldn’t be
used unless they were a Fujitsu user, or had obtained both the PIN and the
2FA device of a user. When I performed audit extractions I had to logon in
this way, so I knew that this control was in place. Further, the CSPOA
Security Team was responsible for managing the 2FA devices used by
everyone on the CSPOA, and this formed part of my duties for a time.

91.3 Each ARQ had to be submitted on an ARQ request form through the
designated route, to ensure that only those who had been authorised by
POL to make ARQ requests could do so. A record was kept of all incoming
ARQ requests and the extractions performed on a central spreadsheet,
which was regularly reviewed by the Litigation Support Manager. I
understood that the audit extraction software generated a log text file for
each extraction showing that the extraction had been completed and that
each of the various automated checks (described below) had been
performed successfully. We also saved the spreadsheets exported from
each extraction to a folder on the audit work station, so anyone logging onto
the workstation could see all of the previous extractions performed. I knew
that the audit work station was keeping records of previous extractions
performed as I could see the previous extractions when I logged on to the
workstation, so I knew this control was in place. Although I did not view the
log file every time I performed an extraction, I have previously looked at it
(though I cannot now recall when or why) and so knew it was being created
and what it contained. I believe the log file was mostly used by the Audit
Support Team to enable them to investigate any errors that occurred during

the extraction process.

91.4 Extractions could only be made by authorised individuals. If a person tried
to logon to the audit workstation, they would only be able to access it and
use the audit extraction software if their user account had been granted the
requisite permissions to do so. If a user required permission to use the audit
software, the CSPOA Team would contact the NT Support Team who would
amend their permissions accordingly. One of the functions of the CSPOA
Security Team was to check that users across the CSPOA had the correct
permissions in respect of their access to the different parts of the Horizon
software; and this included checking that only the necessary people had
permission to use the audit extraction software. I understood that this was
done as part of the annual external audit, though don’t recall ever personally
performing this role within the CSPOA Security Team.

91.5 The required files were identified and marked using the dedicated audit
tools. As far as I was aware, the only way to access the audit data was to
use the dedicated tools that had been developed by the Audit Support
Team. I was aware that this software was regularly updated. Where any
problems with it were identified, these were promptly reported to the Audit

Support Team for them to deal with.

91.6 Checksum seals were calculated for audit data files when they were written
to audit archive media and re-calculated when the files were retrieved.
Although I did not understand how this worked, I understood that it was
essentially a way of checking that the data put into the audit archive was
identical to the data that was subsequently extracted, and had not been
changed in the interim. I knew that the audit extraction software was
performing various automated checks as I used it to perform the data
extraction, and if any check failed the extraction would not complete and
would need to be re-started. However, I accept that I did not personally
know the detail of precisely what those checks were, and instead relied
upon what I was told by others and the information set out in the template
witness statements that were provided to me; I had no reason at the time
to doubt that what others had told me about this check was accurate (and I
have not been shown anything since suggesting that it was not carried out
as described).

91.7 The files were copied to the audit workstation where they were checked
and converted into the file type required. The person performing the
extraction would check to make sure that the FAD code and date range of
the data extracted matched that set out in the ARQ request form. This was
subsequently double-checked by someone other than the person who had
performed the initial extraction. The files were exported in the format

(usually Microsoft Excel) requested by POL.

91.8 Digital signatures that were generated at the time that messages were
originally sent from the counters to the Data Centre were checked as being
correct. Like with the checksum control, I did not understand what exactly
the software was checking, or how it worked, but knew that various
automated checks were being performed to ensure that the data put into
the audit archive was identical to the data that was subsequently extracted.
Again, I only knew the details about the automated checks being performed
based on what I was told by others and what was included in the template

witness statement but had no reason to doubt this information.

91.9 Checks were made using the Journal Sequence Number (“JSN”) that all
audited messages for each counter in the Branch had been retrieved and
that no messages were missing. I understood that each transaction that
took place on each Horizon counter terminal was assigned a JSN, and that
each sequential transaction on the terminal should be assigned a
sequential JSN. By checking that all of the JSNs included in the extracted
data were sequential, I therefore understood that we could be sure that all
of the transactions had been successfully extracted. Again, I did not
understand how the software performed this check, but understood that it
was being performed. On exporting the data to Excel, the spreadsheets
contained a sheet which confirmed that there were no gaps or duplicates. I
would check this every time I performed an extraction, so knew that this
control was in place.

91.10 System events generated when the transactions at the branch were
recorded were checked to ensure the system was functioning correctly. As
described in paragraph 75 above, I knew that certain system events would
result in an automated call being logged with the HSD for investigation. I
understood that either the relevant team would determine that the event
had had no impact on the integrity of the data, or, if there was an issue,
would have taken action to resolve it. I knew from my work reviewing HSD
call records in general that these system events were being checked, albeit
I would not review the system event calls in respect of the particular branch

unless I was also requested to produce the HSD call records.

91.11 The retrieved audit data was encrypted using PGP encryption. I
understood that this was to ensure that the data could not be accessed by
anyone other than those in possession of the current password (which was
changed on a monthly basis), and therefore to guard against any tampering
with the data. I knew that this control was in place as I would perform the
encryption when I had extracted the ARQ data.

91.12 The requested information was copied onto removable CD media and
virus checked using the latest software. I knew that this control was in place
as I placed the information onto the CDs and ran the virus checks when I
had extracted the ARQ data, though I believe at some point this virus check
became automated because all files on the audit workstation were

automatically subject to anti-virus checking.

92. I note that version 1.0 of the Conducting Audit Data Extractions at CSR, dated 4
May 2000 (POL00029169), lists several of these controls. However, there are
some that are not listed there. I do not have a specific recollection of when these

additional controls were introduced, or how I first found out about them.

Witness Statements

93. The ARQ request form would indicate whether or not a witness statement was
required to accompany the data being produced, though sometimes this request
could be made subsequently. Whether or not a witness statement was
requested, there was no difference in the process undertaken for extracting the
data. However, I understood that where a witness statement was requested, it
had to be provided by the person who had carried out the extraction. If that
person was not available, or was not willing, to provide a witness statement, then

the extraction would be re-performed by the person providing the statement.

94. A template witness statement was used for the ARQ production process, which
was updated by the Litigation Support Manager and/or the Operational Security
Manager from time to time. I did not consider that there was anything improper
about using a template witness statement; this made sense to me as the
information being confirmed was largely the same each time and there would
have been no point re-drafting the whole statement every time. Although the
statement was in a standard form, I would not have signed it if I thought that it
was untrue in any particular case.

95. On the occasions on which I was requested to supply a witness statement in
respect of the ARQ records, I understood that my purpose was to supply the
records (referred to as ‘audit data’), describe the process by which I had
extracted it, and confirm the general controls (set out above) that I understood
were in place at Fujitsu to ensure that the audit data extracted from the data
centre and supplied to POL was the same as the data that had originally been
received by the data centre. I was not asked to summarise the transactions that
had taken place, or to analyse whether the audit data indicated that any software
errors had occurred. Aside from checking that the data extracted covered the
correct date range and FAD code, I would not generally look at the data that had
been extracted.

96. The witness statements that I supplied in respect of the production of the ARQ
records contained the following (or very similar) wording:

There is no reason to believe that the information in this statement is inaccurate
because of the improper use of the system. To the best of my knowledge and
belief at all material times the system was operating properly, or if not, any
respect in which it was not operating properly, or was out of operation was not
such as to effect the information held within it.

97. I note that this paragraph is included in the template witness statement appended
to version 1.0 of the Network Banking Management of Prosecution Support

document, dated 26 November 2002 (FUJ00152205).

98. My understanding at the time was that I was confirming that I had not improperly
used the audit extraction software to manipulate the data that I was exhibiting,
and that as far as I was aware the software had run properly when extracting the

data.

99. In each case I believed the software had run properly because if there was an
error it would say so and the extraction would not complete. If there was an error
message during the course of the extraction then I would do one of three things:
(1) attempt to re-run the extraction exactly as before to see if the error repeated;
(2) run the extraction on the mirror database which I understood contained an
exact copy of the data on the main database; or (3) report the error to the Audit
Support Team for them to investigate. I understood that the extraction process
was not changing the underlying data in the system, and so a failure in the initial
extraction process (i.e. to the extent it was not operating properly) would not
affect the information that I subsequently extracted and exhibited with my witness

statement.

100. I did not believe that I was verifying that the Horizon system as a whole was
operating properly at all times, or that there could not have been any software

errors that affected any of the information held within it.


101. I now recognise that other people may not have had the same understanding as
me about what these words were intended to convey, or may have sought to use
what I said to give an impression that was never intended. However, at the time
I believed that everyone would have understood that the purpose of my

statement was just to produce the data that I had extracted from the system.

102. I have been asked whether the process for requesting and providing a witness
statement was different in respect of witnesses of fact and expert witnesses. As
set out above, although I understood the meaning of the word ‘expert’ in common
usage, I did not know that there was a distinction in law between types of
witnesses. I never received any training or instructions on the limits of the
evidence that I was allowed to give. I was not told about any additional obligations
or responsibilities of an expert witness, and as far as I am aware no one ever

used the term ‘expert witness’ in respect of my evidence.

PACE Certificates

103. I am asked to describe my understanding of whether PACE certificates were at
any point provided by Fujitsu to support a criminal prosecution and if so what the

process for their production was.

104. I am unfamiliar with the term ‘PACE certificates’ and was not aware at the time

of being asked to supply any such document.

105. I have been shown a copy of section 69 of the Police and Criminal Evidence Act
1984 (“PACE”), as in force from 1 January 1986 to 13 April 2000. Prior to being
shown this in course of preparing my witness statement for the Inquiry, I do not

believe that I had ever seen this before, or discussed it with anyone.


106. I am informed that section 69 originally read as follows:

(1) In any proceedings, a statement in a document produced by a computer
shall not be admissible as evidence of any fact stated therein unless it is
shown—
(a) that there are no reasonable grounds for believing that the
statement is inaccurate because of improper use of the computer;
(b) that at all material times the computer was operating properly, or if
not, that any respect in which it was not operating properly or was out
of operation was not such as to affect the production of the document
or the accuracy of its contents; and
(c) that any relevant conditions specified in rules of court under
subsection (2) below are satisfied.
(2) Provision may be made by rules of court requiring that in any proceedings
where it is desired to give a statement in evidence by virtue of this section such
information concerning the statement as may be required by the rules shall be

provided in such form and at such time as may be so required.

107. I note the similarity between this piece of legislation and the paragraph included
in my ARQ witness statements (and the template witness statement) set out at

paragraph 96 above.

108. At the time I had no idea that this form of words had a particular meaning in law,
and no-one ever explained to me why it was included in the template statement
or what it was that I was supposed to be verifying. My understanding of what the

words meant was therefore based solely on my own reading of them.


109. I have been informed that section 69 of PACE had in fact been repealed in 2000
before I even began to work for the CSPOA Security Team, and that there was
therefore no legal requirement for any of my witness statements to contain this

paragraph. This was not explained to me at the time.

110. I now also understand that there are phrases in my witness statements that are
commonly understood by lawyers to convey a particular meaning. This wording
all either comes from template witness statements or was drafted for me by the
lawyers for POL dealing with particular litigation. No-one ever explained to me
that these phrases were supposed to have a particular meaning, and I therefore

interpreted them based on my own understanding of the words.

111. For example, in some of my witness statements I say that I make the statement
“from facts within my own knowledge unless otherwise stated”.³ At the time, I
believed that where I had spoken to other people to obtain information, that
information was then within my own knowledge. No-one ever explained to me
that there were rules about what types of evidence could be given in different
proceedings (or indeed what the difference was between criminal and civil

proceedings in general).

Horizon System Helpdesk Call Records

112. I summarised at paragraph 20 of my first witness statement my role in providing
POL with records of HSD calls. Sometimes this role was limited to supplying the
records of the calls, but other times I was requested to summarise the calls to
assist the court to understand the terminology used. On some occasions (though
not all) I was also requested to analyse the records to give my opinion on, for
example, whether the calls related to faults which would have had an effect on
the integrity of the information held on the system.

³ See, for example, my witness statement dated 24 June 2009 in respect of the proceedings in R. v
Misra (POL00051960).

113. I understood that the purpose of this role was to assess whether any technical
issues being raised in the calls could have affected the data that was stored
about the transactions in the audit records held by Fujitsu (i.e. the data that was

being produced in response to the ARQ request for use in the prosecution).

114. Certain issues (for example, ‘the printer has run out of ink’) were obviously
incapable of affecting the data stored by Fujitsu. I also understood that whenever
the HSD referred the matter to the NBSC that it was a commercial issue or user
error rather than a technical issue which might affect the integrity of the data,
unless it was subsequently referred back to the HSD by the NBSC for further

investigation.

115. Where there was a possibility that the issue being raised could have affected the
data, I examined the records of the investigations carried out by the engineers
assigned to deal with the call to confirm that they had either determined that there
was no impact on the data, or that a fix had been deployed to remedy any fault.
Where I was unsure of anything, I would consult with colleagues who had come
across the issues before or who had greater technical knowledge than me, such
as the SSC, to better understand the nature of the issues being raised and how
they were resolved, to satisfy myself that it had had no impact on the integrity of

the data.

116. I now recognise that I should perhaps have made clearer in my witness
statements that I had spoken to other people and that some of the information
contained in the statements came from them. However, my understanding at the
time was that once I had learned something from someone else, it was then a
matter within my own knowledge.

117. I nevertheless explained in my witness statements concerning the HSD calls that
I had not been involved in dealing with the technical aspects of the helpdesk calls

and that this was not my particular area of expertise.

118. On the occasions on which I was requested to give evidence at Court, I
emphasised that I was not a technical expert and could not give evidence about

any of the technical details relating to the calls.

119. I have been provided by the Inquiry with a copy of the transcript of my evidence
on 12 December 2006 in the proceedings in respect of Lee Castleton
(POL00069286). I note that at page 63 of the transcript is the following exchange
in which I made clear the limits of my knowledge and the limited purpose of my

evidence:

THE DEFENDANT: Can you explain to me what a critical event is,
please.

A: No, I cannot. It is not my —

Q: It is not your (inaudible). What sort of role do you take within the—
A: I work within the security team within Fujitsu Services. I undertake a
number of different roles within that.

Q: Could you, for the purposes of the court, help us to understand what
kind of roles you (inaudible).

A: It is to do with (inaudible) key management (inaudible), vulnerability
management and virus management and things along those lines.

Q: So on this particular occasion the critical event was not anything to
do with a virus or security then.

A: I cannot say. I do not know. I have to say, I had no dealings in any of
these calls whatsoever. As it says in my statement, it says that I
generated these calls just for the purposes of the court. So for the
(inaudible) to see what the wordings in the calls were.

Q: But you do not actually have anything to do with any of the wordings
and (inaudible), you just -

A: No, I do not. I think it says in my statement that I have no experience
of any of these calls, I think it says that near the (inaudible).

Q: I believe it is paragraph 2 (inaudible).

HIS HONOUR JUDGE HAVERY: At the bottom, yes.

THE DEFENDANT: Do you have anything within your job description to
do with (inaudible) contact, (inaudible) knowing whether any computer
is connected to the main system or not?

A: No, I do not.

Q: You do not deal with that at all?

A: No.

120. On the rare occasions that I was called to give evidence about the HSD call
records, I believe that this exchange typifies the sort of evidence that I would
give. It was clear to me that it was clear to everyone else involved in the
proceedings, including the judge and the defence, what the limits of my evidence
was.

My Involvement in Litigation Support

121. I believe that my first involvement in providing litigation support was in respect of
performing ARQ extractions. I don’t recall the precise circumstances about how
this came about, but it is likely that I was requested by the Operational Security

Manager to assist with this task.

122. I think that Jane Bailey would have been the person who showed me how to
perform the data extractions, as I recall having to go to the Feltham office where
the audit workstations were based, and she was the one who was mainly
responsible for dealing with ARQ requests at the time. I think that Penny Thomas
joined after the Feltham office closed and the entire CSPOA Security Team

moved to Bracknell, so I don’t believe it was her who would have trained me.

123. Based upon documents provided to me by the Inquiry, it appears that the first
time I was requested to provide an HSD call records witness statement was on
22 March 2006 (FUJ00122189). I discuss this email above, and in the section

below in respect of the proceedings against Noel Thomas.

Generic/template witness statements

124. I have been asked to describe the circumstances in which Fujitsu would provide
a ‘generic’ witness statement to support litigation, and how these statements
were updated. By the use of the word ‘generic’ I assume the Inquiry to be

referring to template witness statements.

125. Template witness statements were used to assist with the preparation of the ARQ
and HSD call records witness statements. The templates contained standard
paragraphs that would be re-used, because there was no purpose in redrafting
wording each time if the position remained the same.

126. Witness statement templates were drafted and approved by others within Fujitsu
and shared with me usually either by the Litigation Support Manager or the
Operational Security Manager or both. Sometimes amendments to witness
statements were suggested by managers at Fujitsu, by POL or by their lawyers.
I do not recall particular examples, but I would have discussed with colleagues
in the security team at Fujitsu any significant proposed amendment to a witness
statement. I would have been satisfied with any amendment before accepting it

into a witness statement.

127. I am asked what changes were made to the statements after the introduction of
Horizon Online. I do not recall what specific changes were made as a result of

this.

Data integrity and system limitations

128. I have been asked to provide details of any limitations that I considered to be
present in the design or operation of Horizon in respect of the integrity of the
audit data and completeness of the HSD call logs provided to support litigation

conducted by POL, and any concerns that I had in that regard.

129. As far as I was aware, there was never any issue with the integrity of the audit
data that was held on the audit servers. However, I recall that an issue arose in
around 2010 with the data that we were exporting in response to ARQs made by
the Post Office. I recall the issue involved there being both gaps in the data that
we were exporting (i.e. the JSNs shown were not sequential) and duplicated
transactions (i.e. transactions showing the same JSN). I am reminded by the
emails disclosed to me by the Inquiry that this was related to a difference
between legacy Horizon and Horizon Online, though I have no specific
recollection of being involved in any discussions about the cause of the issue at
the time.

130. I recall that, once Fujitsu became aware of the issue, we stopped performing
ARQ requests for a period of time while the matter was resolved. I believe that
we then had to resupply any ARQ data which could have been affected by the

issue, though do not specifically recall my involvement in respect of this.

131. I am asked about the ability of individuals to remotely access data in the audit
trail, and any impact that I considered this to have in respect of the integrity of
the system. I describe at paragraph 80 onwards the process by which the audit
data could be accessed, and the controls put in place to protect the integrity of

the system.

132. All access to the data in the audit trail was carried out ‘remotely’ in the sense that
the audit workstations did not themselves contain the raw data, and were instead
extracting it from the audit servers, which were in a different location. However,
I understood that this access was only possible through these audit workstations

and was not aware of anyone else having access.

133. I did not consider that our ability to access the data in the audit trail had any
impact on its integrity, as I understood that we were merely obtaining a copy of
it and not changing any of the underlying data held on the audit servers. I also
understood that the automated checks being performed by the audit system
meant that even if the data had somehow changed, this would be apparent on
extraction.

134. In respect of the HSD call records, I am not aware of any issue with the

completeness of the call logs provided to POL.

135. A potential issue did arise in respect of a decision taken to archive historic call
records, however, this did not affect the completeness of the records, just the
ease with which I could access them. Rather than simply being able to download
the call records from the TfS system directly, I had to raise a ticket with another
team (I think called the TfS Support Team) to extract and supply me with copies

of the calls.

136. I have been shown an email chain from May 2010 regarding “Triole- archiving?”
(FUJ00156144) which relates to this issue. It appears from the email that I had
only recently become aware that the decision had been taken the previous year
in September 2009 to archive all TfS call data that was older than thirteen
months. I discovered this when I queried why there were no calls for a particular

Post Office before a certain date.

137. I identified that this had major issues for the HSD call record witness statements
that I had supplied, as it was possible that I had considered an incomplete call
record. I raised my concerns directly to Tom Lillywhite, the CISO, and stated that
I would have to go back over my previous statements and compare them with

the archived data.


138. I recall that I reviewed all of my HSD call records witness statements prepared
since the TfS archiving was introduced, and I don't recall finding that any of them

had any call records missing.

139. The only extent to which the archiving of the calls affected the evidence that I
gave, is that when extracted from archive the call records were differently
formatted to those that I could obtain from the live system. I recall that a macro

was written by someone in Fujitsu to put them into a legible format.

R v THOMAS

Background and My Role in Respect of the Proceedings

140. I have no specific recollection of the prosecution of Mr Thomas.

141. Based upon the material shown to me by the Inquiry, it appears that I prepared
a witness statement in respect of the records of calls that had been made to the
HSD regarding the Gaerwen Post Office branch, though I note that the version
of the statement dated 6 April 2006 that has been provided to me by the Inquiry
(POL00046194) is unsigned. I do not recollect whether the statement was ever
finalised and signed, or was further amended, and I do not know whether it was

used as part of the evidence against Mr Thomas.

142. In general, once I had supplied a witness statement I would not be told anything
further about the case unless there were questions about my statement or I was
required to attend court to give evidence. If I was not required to attend court, it
was therefore unlikely that I would find out the outcome of the case, or if there
had even been a prosecution following the investigation at all. It was very rare
that I was required to attend court, so generally I did not know what the outcome
was.

143. It appears that I was first requested to provide litigation support in respect of this
prosecution in around March 2006. I have been shown an email dated 22 March
2006 from Brian Pinder to me, copying Peter Sewell, with the subject line ‘FW:

Gaerwen Witness Statement’ (FUJ00122189).

144. It appears from the content of the email that I must have had some prior
discussion with Mr Pinder about this task, but I cannot recall what that was or the

background to how I became involved in the case.

145. I have no specific recollection of the proceedings, so do not recall what I
understood my or Fujitsu's role was at the time. However, in general terms I
understood that Fujitsu was required to supply data requested by POL for the
purpose of investigations, and that my role was to extract that data from Fujitsu's
records and supply it in the requested format, together with a witness statement

if requested.

146. As I have set out at paragraph 112 above, my role in relation to the HSD witness
statements differed from case to case, depending upon what was requested by
POL or their external lawyers. Based on the material disclosed to me by the
Inquiry, in this case it appears that my role in R v Thomas included producing the
printouts of the call records themselves, as well as summarising the calls and
assisting the court to understand some of the terminology and acronyms used in

the records.


147. I was also asked to analyse the call records and provide my opinion on whether
or not the calls related to faults which would have had an effect on the integrity
of the information held on the system. As set out above, I understood that the
purpose of this role was to assess whether any technical issues being raised in
the calls could have affected the data that was stored about the transactions in

the audit records held by Fujitsu.

Preparation of my Witness Statement

148. I have no specific recollection of the process of drafting my witness statement or

collating the data on which it was based.

149. I note that Mr Pinder’s email of 22 March 2006 (FUJ00122189) attached what he
described as the ‘statement template’, and that he instructed me to fill it in with
details from the calls and amend the details highlighted in yellow. The attached
‘template’ was the previous draft statement of Bill Mitchell in respect of a different

post office, mentioned above (FUJ00122190).

150. Although Mr Pinder had instructed me to amend the details ‘highlighted in yellow’,
I do not believe that I would have understood this as an instruction that I could
only amend these parts of the template, as is evident from the fact that I

subsequently amended other parts of the statement.

151. In order to prepare the statement I would have obtained copies of the call records
stored in Powerhelp in respect of this post office branch between the requested
date range, and then reviewed them and any other relevant records to satisfy
myself that the issues being raised would not have had an impact on the integrity
of the audit data in respect of the branch. If necessary, I would have consulted
with other colleagues about the issues. However, I have no specific recollection
of the steps that I took in respect of this particular case.

152. I have been shown an email from me to Graham Ward dated 24 March 2006 with
the subject “Gaerwen WS” (FUJ00122206). The email attaches my draft witness
statement regarding the calls made to the HSD in respect of this post office
branch. I also confirm my opinion that “none of the calls logged have any affect
on the data integrity” (sic). I suggested that Mr Ward ring me if he had any
questions.

153. I am told by the Inquiry that attached to this email was the document with Unique
Reference Number (“URN”) FUJ00122196, an unsigned witness statement in my
name dated 22 March 2006. However, I note that the URN for this document is
not sequential to the URN of the email, so am unsure whether or not this is the

version of the statement that was attached to the email.

154. The statement that I have been shown (FUJ00122196) summarises the 14 calls
made in respect of this branch to the HSD, including the issue raised and the
resolution. The statement also produced copies of the call records as an exhibit

(though this has not been provided to me by the Inquiry).

155. I have also been shown another version of an unsigned draft witness statement
in my name, also dated 22 March 2006 (FUJ00122188). There are some minor
differences between the text of this version and FUJ00122196 (the latter contains
duplicated wording “A breakdown and an overview of the calls are given in date
order below” in paragraph 3, which is not present in FUJ00122188). I do not

recollect which of these two statements came first.


156. FUJ00122188 appears to have been printed and stapled to a copy of one of the
HSD call records; I note that the call record shows a date in the bottom right
corner of 24 March 2006, which may well be the date the document was printed.

The document also contains handwritten notes.

157. One of the notes appears to say:

“CRITICAL” WHAT MENT.
ARE BAD BLOCKS COMMON.
WHAT PROCESS RUNNING AT TIME.

PARTITION.

158. These notes appear to relate to two calls made on 18th June 2005 and 13th July
2005 to the HSD in respect of ‘critical events’ concerning a ‘bad block’ on the
counter. I do not know whether these are my notes prepared as part of my due
diligence investigating the calls, or whether they are Mr Ward's queries about my
draft witness statement (though I note that the statement they are attached to
contains slightly different wording to the version that I apparently sent to him).

159. I have also been provided with another printed unsigned version of a statement
in my name, this time dated 6 April 2006 (POL00046194). This version of the
statement contains an additional paragraph explaining what is meant by a critical
event, and the nature of the bad blocks issue. Although I do not now recall from
where I obtained this information, it would likely have come from a colleague with
a greater technical understanding of the issue. From my conversations and
based on the information that I knew at the time (but which I cannot now recall),
I would have been satisfied that this would have had no impact on the integrity

of the data.


Other Reflections

160. I have been asked whether there are any other reflections that I have about this
matter that are relevant to the Inquiry’s Terms of Reference. The only other
matter that I recall that I now understand may be relevant to the prosecution of
Mr Thomas (although at the time I do not believe I connected the two), is that at
some point I was required to travel to Anglesey in Wales with Pete Sewell to
collect a Horizon terminal that was in use at a Post Office under investigation. I
now believe this is likely to have been Mr Thomas's post office in Gaerwen

(Anglesey), though cannot be certain.

161. I recollect this because it was not an ordinary part of my job; as far as I can recall
there have been no other occasions before or since in which I have been
requested to travel to a Post Office to collect a Horizon terminal. I do not recall
who requested that we do this, when this was (including whether it was before or
after I was asked to prepare a witness statement in respect of the case), or what
I was told at the time about why the terminal was required. I was not asked to

remove anything else from the Post Office.

162. We had to travel a long distance from the office in Bracknell in Berkshire where
I was based, and I believe we stayed in a hotel overnight on the way. I recollect
that we attended the post office and were let in by a person who I think was the
area manager. We removed the Horizon terminal, drove it back to the office in
Bracknell and placed it in one of the secure rooms used by the CSPOA Security
Team. As far as I can recollect, nobody ever asked to see it or examine it, and
as far as I am aware it is still in the possession of the CSPOA Security Team to
this day (though I have not looked for it to confirm).

163. Over the years the CSPOA security team accumulated a number of Horizon
terminals from various post offices, though I do not believe I was ever requested
to personally collect one again. I don’t recall being told why we were holding onto
the terminals, though I assumed it was in case they were ever required as part
of an investigation into the post offices. I don’t recall what instructions we were
given in respect of the storage of the terminals; we logged the serial numbers of
each terminal we received and which post office it came from, and stored this on
a piece of paper kept in a safe. No record was kept of when the terminals were
received or if they were subsequently taken away by someone, but as far as I
can recollect, no-one ever did.

POST OFFICE LIMITED V. CASTLETON

Background and my role in respect of the proceedings

164. I have little recollection of the case brought by POL against Mr Castleton.

165. There were only a few cases in respect of which I was required to attend court,
and I was not called to give evidence each time I did so. One of the times I do
recall attending court to give evidence was in a case that I thought was at the
Old Bailey; I now think I am mistaken and this must have been the case involving

Mr Castleton at the High Court.

166. Based upon the material shown to me by the Inquiry, I can see that with the
assistance of others, I prepared a witness statement in respect of the records of
calls that had been made to the HSD regarding the Marine Drive Post Office

branch and that I gave evidence in the proceedings.


Preparation of my Witness Statement

167. It appears that I was first asked to provide litigation support in respect of this
prosecution in August 2006. I have been shown an email dated 17 August 2006
from Brian Pinder to me, copying Stephen Dilley, with the subject line ‘RE: First
draft Witness Statement of Ann Chambers (Post Office Limited -v- Lee Castleton)’
(FUJ00122285).

168. Stephen Dilley had asked for someone from Fujitsu who was comfortable
summarising all the call logs to HSD, I was asked by Mr Pinder to see if we had
completed this work and otherwise to discuss it with Mr Dilley. I can see that I
explained to Mr Dilley that in the past I had provided a statement listing all calls
logged to the helpdesk and given a brief explanation of the call if necessary. I
can see I provided Mr Dilley with an example of a statement I had produced for

POL in the past.

169. I also asked him to note that: “I have no technical knowledge of the audit retrieval
system and supply this statement only as an overview of the calls logged.” I do
not recall this email. However, it is consistent with my belief that while I had
enough knowledge to follow what was being discussed in the HSD call records,
to understand the technical issues in depth I would have needed to speak to
other people with a greater technical knowledge than me. I wanted to make this
clear so that I was not put in the position when giving evidence of being asked

questions that I was unable to answer.

170. Mr Dilley replied on 22 August 2006 sending me a draft witness statement and
17 other attachments each named “Call Details” followed by a call reference

number (POL00071062). I have not been provided with copies of the
attachments to this email by the Inquiry. I do not recall this email nor do I recall
the steps I took to collate the HSD call data for my statement, although I note
that the various drafts of my statement refer to 23 rather than 17 HSD calls.

171. In this email Mr Dilley says that as this was a civil case the witness statement
was in a slightly different format to criminal proceedings. I do not recall being
given any explanation of the difference between civil and criminal proceedings

or understanding what the difference was.

172. I can see that on 5 September 2006 Mr Pinder sent Mr Dilley an email copying
in me and Peter Sewell which also forwarded earlier emails that had not been
sent to me (POL00081490_032). Mr Pinder explained to Mr Dilley that I had
concerns about being asked technical questions that might arise concerning a
particular call that I would not be able to answer. Mr Pinder suggested a further
paragraph be included in the statement to address this, which included the
phrase: “this area is not my particular area of expertise”. I have seen that this

phrase was included in later drafts of my statement.

173. Mr Pinder also proposed a further addition to the statement, that, based on my
overview of the call logs: “there does not appear to be any reasonable grounds
for believing that the information stored on the Horizon system would be
inaccurate because of improper use of the computer terminal.” I have not seen
this proposed amendment in later drafts of my statement that have been provided

to me by the Inquiry.

174. I do not recall this email or the communication(s) with Mr Pinder that led to it. I
do, however, remember wanting to be clear about the limits of my technical
expertise and that I would not be able to answer in depth technical questions in
court.

175. I can see that on 6 September 2006 I sent an email to Mr Dilley attaching a
version of my draft witness statement (FUJ00122300). The Inquiry has
suggested to me that POL00072808 was the attachment but as this is dated 4
October 2006 this does not seem to be correct. My email was forwarded to Mr
Pinder, Gareth Jenkins and Tom Beezer. Mr Dilley explains that he had been
working on the statement with me that day and sets out answers to my concerns
about not being able to answer technical queries on the helpdesk calls. Mr Dilley
also asks whether Mr Jenkins would be willing to give evidence about the HSD
call logs in my place. I can see that Mr Pinder responded the next day
(POL00069609). I do not recall these emails nor do I recall meeting with Mr Dilley
to work on my draft statement.

176. I can see that on 27 September 2006 Mr Dilley emailed me copying in Tom
Beezer, Richard Morgan, Mandy Talbot, Carol King and Andy Pearson
(FUJ00122333) with a “final copy” of my witness statement for approval together
with my exhibit. On 4 October 2006 he emailed me again copying the same
people (POL00069464), attaching an amended copy of my statement (not
confirmed as supplied to me by the Inquiry).4 I can see that I responded on 16
October 2006 attaching a copy of the statement (which has also not been shared
with me by the Inquiry) and two minutes later Mr Dilley asked me to sign the

statement. I do not recall these emails.

4 I note that based on the date of the email, the attached statement may be a copy of POL00072808,
though as this has a non-sequential URN it is not clear to me whether or not this is the case.


177. As set out at paragraph 126 above, sometimes amendments to witness
statements were suggested by managers at Fujitsu, by POL or by their lawyers.
I can see that is what happened in this case. I would have been satisfied with

any amendment before accepting it into a witness statement.

Trial and Other Reflections

178. I have been asked to explain what I meant in my email to Graham Ward on 13
September 2006 (FUJ00154739) when I said: “We spoke at great length to the
solicitor for Marine Drive and the contents are his words.” I do not recall this email
nor do I recall speaking to the solicitor for Marine Drive. However, having now
seen the emails supplied to me by the Inquiry that I have referred to above, I
think this is a reference to Mr Dilley, the solicitor for POL on the Marine Drive

(Lee Castleton) case.

179. I can see that my email to Mr Ward was about adding the wording used in the
Marine Drive statement, that explained I was not a technical expert and that I
was simply helping to clarify call logs for the benefit of the Court, into the
statement for another case (Caledonian Road), and for use in my future witness

statements generally.

180. Although I do not recall those communications, it is apparent I must have
discussed with Mr Dilley what I wanted to say about this issue and that he then
drafted the words that best reflected this which were included in my witness
statement, namely: “I was not involved with any technical aspects of these calls.
This area is not my particular area of expertise and I make this statement simply

to help clarify the call logs for the benefit of the Court.”


181. I have set out at paragraph 119, above, an excerpt from the transcript of my
evidence in the case. I believe that the limits of my evidence were clear to
everyone involved in the proceedings, including the judge and Mr Castleton, and

that these matters were outside my particular area of expertise.

182. I have been asked about my reaction to the outcome of the case at the time. To
the best of my recollection, I think there was a sigh of relief that the outcome
confirmed the view held within Fujitsu, that Horizon was a robust system. Our

belief in Horizon had been upheld.

R V. HAMILTON

183. I have no specific recollection of the prosecution of Ms Hamilton.

184. Based upon the material shown to me by the Inquiry, it appears that I prepared
a witness statement, dated 14 January 2007, in respect of the records of calls
that had been made to the HSD regarding the South Warnborough Post Office
branch (POL00044482). It appears that Penny Thomas prepared the witness
statement in respect of the ARQ data (POL00044481).

185. I have no specific recollection regarding the preparation of this witness
statement, and have not been provided with any documents by the Inquiry
relating to how it was prepared.

186. I note that the statement simply summarises the calls made to the HSD and does
not express any opinion in relation to them. I have not been provided with the
underlying call records that I am summarising, and cannot now recollect any of
them, so I cannot provide any further information than that which is set out in the

witness statement.


187. I note that the statement also makes clear that I was not involved with any of the
technical aspects of the calls, that this was not my particular area of expertise,
and that I made the statement simply to help clarify the call logs for the benefit of
the Court.

188. I have no recollection of whether I was even informed about the outcome of this
case. If I was, I have no recollection of what my reaction was to it at the time.

189. I have no other reflections in respect of this matter.

R V. MISRA

Background and my role in respect of the proceedings

190. I have some recollection of the prosecution of Ms Misra as I was called as a
witness in those proceedings. My recollection of Ms Misra’s case relates to
attending court on the day, rather than the time leading up to this.

191. From the material provided to me by the Inquiry, it appears that I prepared four
witness statements, however I have no specific recollection of the process of
preparing them.

192. Based upon the material shown to me by the Inquiry, it appears that my role in
the proceedings was to provide information concerning the records of calls that
were made to the HSD regarding the West Byfleet Post Office branch. I appear
to have initially just provided the conclusion of my analysis of the call records. I
subsequently provided witness statements summarising each call, and finally
appear to have produced the call records themselves. I do not recall why my
statements in respect of this matter were prepared in this way, however, I would
have provided whatever was requested by POL or the lawyers dealing with the
proceedings.

193. Some of the witness statements provided to me by the Inquiry are unsigned; I do
not recollect whether these statements were ever finalised and signed, or were
further amended, and I do not know whether they were used as part of the

evidence against Ms Misra.

Preparation of my Witness Statements

194. The Inquiry has provided me with a signed witness statement dated 24 June
2009 (POL00051960). In this statement, I confirmed that I had reviewed the calls
pertaining to the West Byfleet Post Office branch between 30 June 2005 and 14
January 2008, and that the calls were all of a routine nature, and did not fall
outside the normal working parameters of the system or affect the working order
of the counters. Although the language used is different to that used in previous
witness statements, I understood that the purpose of my role was the same;
namely to assess whether any technical issues being raised in the calls could
have affected the data that was stored about the transactions in the audit records

held by Fujitsu.

195. Although I did not summarise the calls in the statement, I am sure that I reviewed
and analysed them at the time, before reaching my conclusion. I would have
satisfied myself through my due diligence that the issues being raised either were
not capable of affecting the working order of the counters and the integrity of the
transaction data held by Fujitsu, or that if there might have been an issue that it
had been investigated and resolved. I would not have signed a witness statement

unless I had been satisfied that this was the case.


196. When I stated that “All the calls are of a routine nature”, I meant that these were
the type of calls which were frequently made to the HSD, and which I would
regularly see when reviewing the call records. I note that some of the calls made
to the HSD in respect of this branch (as set out in my second witness statement,
discussed below) related to balance discrepancies that the SPM was stating
were repeatedly being shown on the system. I cannot recall what information I
reviewed at the time as part of my analysis, but I note that the calls were
repeatedly referred by the HSD to the NBSC. I would therefore likely have
understood this to be a commercial or user issue rather than a technical error. I
would often see commercial issues such as this being raised by the SPMs and
then referred to the NBSC, and therefore would have considered these calls to
be of a routine nature.

197. I have been shown an email from 16 November 2009 from John Longman
(FUJ00152894), where it suggests we had a telephone conversation. In this
e-mail, Mr Longman summarises that call. He suggests that Ms Misra’s defence
team raised certain points and requested certain data. It is clear to me from this
email chain that I subsequently communicated with Leighton Machin, who
provided answers to the questions raised, which I then forwarded to John
Longman. Apart from the e-mail shown to me, I do not have a specific recollection
of this exchange.

198. The Inquiry also provided me with an unsigned statement dated 29 January 2010
(FUJ00122676). While I do not recall drafting it specifically, I am shown an email
from John Longman dated 29 January 2010 (FUJ00122675), where he asks me
to treat it as the final statement and to send him a signed copy. I do not know
whether I signed it, or if it was further amended before I did so.

199. This second witness statement set out all of the calls relating to the West Byfleet
branch between 20 June 2005 and 31 December 2009 (i.e. an extended date
range compared to the first statement), meaning the number of calls had
increased to 135. The statement also summarised the resolution and outcome of
the issues raised in the calls. As with the first witness statement, I would have
reviewed the extra calls and satisfied myself that my conclusion remained
correct.

200. I have been shown an e-mail dated 12 February 2010 from Mark Dinsdale to me
and Penny Thomas with the subject “Re: West Byfleet” (FUJ00154881), in which
I am requested to provide a third witness statement. I have no recollection of this,
but it appears from the email exchange that Ms Misra’s defence team had
requested disclosure of further call records.

201. The third witness statement that I appear to have provided is dated 29 March
2010 (POL00054518). As requested by Ms Misra’s defence team, this statement
now covers the period from 1 January 2005 to 30 June 2005 and summarises an
extra 13 calls and their resolution. Therefore, all in all for Ms Misra’s proceedings,
I would have reviewed the calls from the period 1 January 2005 to 31 December
2009.

202. Finally, the Inquiry has provided me with a copy of a fourth witness statement in
respect of Ms Misra’s proceedings, dated 30 March 2010 (FUJ00122854). This
statement produces a CD containing details of all the calls between 1 January
2005 and 31 December 2009. As with the other witness statements, I have no
specific recollection of this, but it would have been produced as a result of a
request by POL or their lawyers, either passed to me directly or via someone like
Penny Thomas. I have no recollection as to whether this statement was signed
and served.

203. In connection with the preparation of my witness statements, I have also been
shown an email sent by Penny Thomas from 26 February 2010 with the subject
line FW: ARQ436-490 Witness Statement Support for West Byfleet, 126023
(FUJ00152990). Ms Thomas forwarded me some information provided by Anne
Chambers (of the SSC) who had reviewed the system event logs and identified
areas for further investigation. In respect of three of the events (2/3 May 2006
and 4 February 2008) she suggested that the HSD call records (Powerhelp / TfS)
be reviewed.

204. I have no recollection of this email or what precisely I did in relation to it. I note
that the three system events highlighted by Ms Chambers are shown in the HSD
call records that I summarised in my second witness statement. The Inquiry has
not provided me with copies of the underlying call records, and I do not recall
what additional information I reviewed and obtained at the time, but I would have
satisfied myself at the time that the system events did not affect the integrity of
the data.

ARQ gaps and duplicates issue

205. The Inquiry has asked me about an issue where it was identified that several
ARQ data returns contained duplicated transactions being recorded. While I
recall the issue, I do not recall its connection to, or impact on, Ms Misra’s
proceedings. I recall that, once Fujitsu became aware of the issue, we stopped
performing ARQ requests for a period of time while the matter was resolved. I
believe that we then had to resupply any ARQ data which could have been
affected by the issue, though do not specifically recall my involvement in respect
of this.

206. Based on the documentation provided to me by the Inquiry, it does not appear
that I was responsible for supplying ARQ data in respect of her proceedings, as
my witness statements are confined to the HSD call records.

Trial and Other Reflections

207. I recall attending court for Ms Misra’s trial in October 2010. I arrived at court by
train and sat in a waiting room. I am unsure if this was a witness waiting room or
another public room. I was nervous before being questioned because it was an
environment with which I was still not very familiar. I was then called into court
and gave evidence. I have a general recollection of giving evidence, but not of
the specific questions that I was asked.

208. The only matter that sticks in my mind is a conversation that I had with someone
while waiting to give my evidence. In the waiting room, I was sitting alongside
several other people. I began talking to a man who I understood worked for POL,
though I do not recall him telling me precisely what his role was. I do not recall
his name or what he looked like, and had not met him before. He said words to
the effect of ‘the money had stopped going missing when they replaced the
subpostmistress’.

209. I do not know why he told me this information, but got the impression that he was
trying to convey to me that the losses had been caused by Ms Misra and not by
issues with the Horizon system as she was claiming, and that he clearly believed
that she was guilty. The reason that this sticks in my mind is because it was so
unusual for me to hear someone making such a matter of fact statement about
an SPM being guilty, especially before the verdict in the case.

210. This conversation did not affect my evidence because as far as I was concerned
I was not there to pass judgment on Ms Misra, and was just there as a neutral
witness to assist the court in explaining the information contained in my witness
statement.

211. At some point I found out that Ms Misra had been convicted, but I do not
remember when this was or my reaction to it at the time.

POL’S RESPONSE TO CASES BROUGHT BY SPMS CHALLENGING THE
INTEGRITY OF HORIZON

Background and my role in respect of the proceedings

212. I have considered the documents provided to me by the Inquiry relating to my
involvement in POL’s response to cases brought by SPMs challenging the
integrity of Horizon.

213. As far as I can recall, my knowledge of these challenges and my involvement in
them was limited to producing ARQ and other data requested by POL, and in
respect of the GLO Proceedings making a witness statement and giving
evidence about the production of ARQ data.

214. My first recollection of hearing that some SPMs were complaining about or
appealing their convictions and blaming losses on the Horizon system may have
been in 2009 although I am not sure of the date. I do not recall playing any part
in responding to those criticisms at the time.

215. I have been shown an email provided to me by the Inquiry which was sent to me
by Penny Thomas on 21 November 2011 (FUJ00123679). Ms Thomas forwards
emails she has exchanged with John Longman and asks me to re-read my
witness statement from Mr Castleton’s case and to let her know if I think anything
has changed. She says she is: “pretty sure it hasn’t”. The attached witness
statement has not been provided to me by the Inquiry. The emails she forwards
refer to ongoing Horizon Integrity cases. I do not recall this email or what I did in
respect of re-reading my statement at the time. I recollect that there were
challenges being made by SPMs to the Horizon system, but I do not recall having
any other involvement in this.

216. I do remember at one stage there was an increase in ARQ data requests and
being told that this was connected to an investigation by Second Sight who were
looking into the Horizon system. I don’t recall hearing anything more about this,
when this was, or the outcome of the investigation.

217. I do not know what the Initial Complaint Review and Mediation Scheme or Swift
Review were.

Preparation of my Witness Statement

218. I have been provided by the Inquiry with two e-mail exchanges from November
2018:


218.1 The first email chain relates to a witness statement I provided to Matthew
Lenton covering data supplied as a result of a request made on 3 October
2018 (FUJ00184492).

218.2 The second email chain is an exchange between lawyers at Womble
Bond Dickinson, Matthew Lenton and Jason Muir (FUJ00160652); I note
that I was not copied into any of the emails in this chain.

219. I can see these emails are about me providing a witness statement covering the
production of ARQ data extracted for the lead claimants: “Bates, Stubbs etc”, in
what I now know were the GLO Proceedings.

220. The Inquiry has provided me with a copy of a witness statement dated 16
November 2018 (FUJ00082232) from these proceedings. At the time I
understood that the claim was being made by SPMs who were blaming the
Horizon system for losses. My involvement was to produce ARQ data and a
witness statement which was to be used as part of POL’s defence of the case. I
also gave evidence at court in this case.

221. I have no recollection of the process of drafting the witness statement. Having
considered the emails provided by the Inquiry, I can see that some of the data to
be extracted had been used in earlier prosecutions and was to be re-extracted
for the purposes of the GLO Proceedings. I can see that I provided the lawyers
working on the case with a witness statement, and that they edited it to conform
with their house style.


Trial and Other Reflections

222. I gave evidence in the GLO Proceedings on 20 March 2019. Sometime before
attending court, I attended a half-day training on the general procedures relevant
to my giving evidence which took place in a meeting room at the Fujitsu office in
Bracknell. There were around four or five other people there, but I cannot recall
who they were. I do not recall the specifics of the training or when it was held,
but I recall that it was all general in nature rather than relating to the actual
evidence that we were going to give.

223. I was nervous when I learned that I was going to be called to give evidence in
court. I believe it was my first time giving evidence in respect of ARQ data (in the
past, this responsibility would have been left to Penny Thomas) and I had only
given evidence before on a few occasions, and never in such a high-profile case.

224. I remember attending Court to give evidence. I have considered the transcript of
my evidence from that date provided to me by the Inquiry (POL00111977).

225. I can see that I was asked questions about whether I had looked at any specific
Fujitsu documents when setting out the controls for the extraction of audit data
in my witness statement. When I first answered these questions, I must have
thought that the barrister was asking me about whether I had looked at any
official Fujitsu policies and procedures, which I had not. However, I accept that I
would have used the template or one of my previous ARQ witness statements
(which contained the list of controls) as the starting point for my witness
statement for the GLO Proceedings. I can now see that this could be viewed as
‘looking at another Fujitsu document’. I had no intention to mislead anyone about
this, and later explained that “we do have a standard witness statement that we
produce for ARQs.”

226. I was questioned in detail about the wording of Paragraph 8 of my statement:

“There is no reason to believe that the information in this statement is
inaccurate because of the improper use of the system. To the best of
my knowledge and belief at all material times the system was operating
properly or if not any respect in which it was not operating properly was
not such as to effect the information held within it.”

227. I have explained at paragraph 107 above where I now think this wording
originates. I now see that this was a piece of legal drafting for a purpose that I
did not understand, and that its wording mirrors that used in a piece of legislation
of which I was unaware at the time. I had my own understanding of what the
words meant at that time, which was that it was my belief that the system was
operating properly when I extracted the data. I think that being asked questions
about what each separate part of the paragraph meant did not assist me in
explaining my overall understanding of its meaning.

228. I was asked whether these words were a ‘Fujitsu party line’ and I said I was not
aware of any party line. When I later confirmed that we used template witness
statements, and that these words may be part of that template, I was accused of
having given inconsistent evidence.

229. I think this criticism was unfair as I did not consider that the use of template
witness statements containing standard paragraphs to be the same as having
a ‘party line’. I understood a party line to mean a position adopted by an
organisation that everyone was expected to stick to, regardless of whether it was
correct. I did not believe that this was the case. I did not feel under any pressure
from Fujitsu to include things in my statements that I did not believe to be true,
and I would not have signed them had they done so. Although the wording was
included in the template and in multiple ARQ witness statements, this was
because (based upon my understanding of the meaning of the paragraph) it was
correct on each occasion that it was used.

230. When the barrister later told me that using a standard witness statement meant
that I was adopting a Fujitsu party line, I accepted that this could be the case.
This was because my understanding of the way he was using the term ‘party line’
had changed as a result of his questioning. Based on the new definition that he
appeared to be giving me, I accepted that if by ‘party line’ he meant ‘used a
template witness statement’, then we had done so. I was not accepting that
Fujitsu had a ‘party line’ of the type that I describe in paragraph 229, above.

GENERAL

231. I have been asked to reflect on my involvement in the prosecutions and civil
proceedings brought by POL against SPMs, and whether there is anything that I
would have handled differently with hindsight.

232. At the time that I produced the witness statements I believed that all of the
information that I was providing was true, and in particular that there was no issue
with the integrity of the data. However, based on everything that has
subsequently emerged, I do not now know whether this was in fact correct.


233. When I was asked to provide my opinion about the effect on the integrity of the
data, I believed that I was qualified to do so based on the information that I had
at the time. Although I sought to make clear in the witness statements and when
giving evidence that this was not my area of expertise, with hindsight I should
simply never have agreed to give my opinion on this matter, when there were
many others working at Fujitsu with a greater technical knowledge who obviously
would have been in a better position to do so.

234. I considered myself to be a neutral witness just there to produce data and to
assist the court with understanding what was being discussed in the calls. I saw
it as just another part of my job, and I agreed to do it because I wanted to be
helpful. I was not trying to help secure anyone’s conviction and had no opinion
either way on whether the SPMs were guilty or innocent of what they were
accused of doing.

235. Looking back now I think I was naive in agreeing to provide the statements, and
did not think about the fact that other people might have a different understanding
to me about what the words in my statement meant.

236. It upsets me greatly to think that I played any part in the prosecutions of innocent
people, and am truly sorry for what they must have gone through.

Statement of Truth

I believe the content of this statement to be true.


Index to Second Witness Statement of Andrew Paul Dunks

No. | URN | Document Description | Control number
--- | --- | --- | ---
1 | WITN00300100 | WITN00300100 - First Witness Statement of Andrew Paul Dunks | WITN00300100
2 | POL00002572 | Fujitsu Security Management Service: Service Description v 5.0 | VIS00003586
3 | FUJ00002264 | Fujitsu and Post Office Document re: Security Management Service: Service Description v3 | POINQ0008435F
4 | FUJ00156144 | Email chain from Tom Lillywhite to Andy Dunks, Penny Thomas, David Keeling and others - Re: Triole - Archiving? | POINQ0162338F
5 | FUJ00154905 | Seema Misra case study: Email trail from Thomas Penny to Prenovost Jean-Philippe, and Lillywhite Tom cc: Welsh Graham, Jenkins Gareth, Munro Donna et al re: FW: Duplication of Transaction Records in ARQ Returns | POINQ0161100F
6 | FUJ00152218 | Audit Data Extraction Process, Fujitsu v1.0 | POINQ0158412F
7 | FUJ00152220 | Management of the Litigation Support Service, Fujitsu v1.1 | POINQ0158414F
8 | FUJ00152225 | Management of the Litigation Support Service - v2.0 | POINQ0158419F
9 | FUJ00088868 | Fujitsu/Post Office Security Management Service: Service Description (v3.5) | POINQ0095039F
10 | FUJ00002555 | Fujitsu Security Management Service: Service Description, HNG-X and HNG-X Application Roll Out Transitional Period, Version 4.0. | POINQ0008726F
11 | FUJ00152228 | Audit Data Extraction Process - v3.0 | POINQ0158422F
12 | FUJ00152176 | Conducting Audit Data Extractions at Live - ICL Pathway Ltd - v2.0 | POINQ0158370F
13 | FUJ00152205 | Network Banking Management of Prosecution Support v1.0 | POINQ0158399F
14 | FUJ00122190 | Witness Statement of William Leslie Mitchell Version 3.0 11/02 CS011A (Side A) | POINQ0128404F
15 | FUJ00152209 | Network Banking Management of Prosecution Support v2.0 dated 29 February 2005 (sic) | POINQ0158403F
16 | FUJ00002000 | Fujitsu Service Description for the Security Management Service, version 3.0 | N/A
17 | FUJ00122189 | Email to Andy Dunks and Peter Sewell from Brian Pinder Re: Gaerwen Witness Statement with attachments | POINQ0128403F
18 | FUJ00122366 | Fujitsu Management of the Prosecution Support Service For Audit Record Queries (Security - Classification) Version 2.1 | POINQ0128580F
19 | FUJ00154664 | Email from Peter Sewell to Penny Thomas re Requests for data and calls from POL | POINQ0160859F
20 | FUJ00231002 | Email chain from Penny Thomas to Andy Dunks, cc'ing Donna Munro and Rajbinder Bains re: TFS Updates | POINQ0237156F
21 | FUJ00152663 | Email from Brian Pinder to Peter Sewell, Andy Dunks, Penny Thomas and others re: Lee Castleton - Marine Drive (FAD 213337) - Court Judgement | POINQ0158858F
22 | FUJ00122522 | Email from Penny Thomas to Neneh Lowther and Andy Dunks Re Updated witness statements | POINQ0128736F
23 | POL00044482 | Witness Statement of Andrew Paul Dunks | POL-0040961
24 | FUJ00082232 | Witness statement of Andy Dunks | POINQ0088403F
25 | POL00029169 | ICL Pathway Conducting Audit Data Extractions at CSR Process (v1) | POL-0025651
26 | POL00051960 | Witness statement of Andrew Paul Dunks dated 24/06/09 | POL-0048439
27 | POL00069286 | Transcript of POL v Lee Castleton Trial - HQ05X02706 | POL-0065849
28 | POL00046194 | Unsigned witness statement of Andy Dunks | POL-0042673
29 | FUJ00122206 | Email to Graham C Wards from Andy Dunks Re: Gaerwen WS | POINQ0128420F
30 | FUJ00122196 | Witness Statement of Andy Paul Dunks Version 3.0 11/02 - detailing reports of monitor faults and other failures of Horizon system. CS011A (side A) | POINQ0128410F
31 | FUJ00122188 | Witness Statement of Andy Paul Dunks Version 3.0 11/02 CS011A (Side A) | POINQ0128402F
32 | FUJ00122285 | Email from Dunks Andy to Stephen Dilley, Dunks Andy, Graham C Ward and Sewell Peter in re to First draft witness statement of Ann Chambers (PO v Lee Castleton). | POINQ0128499F
33 | POL00071062 | Email chain between Stephen Dilley and Brian Pinder and others Re: Draft Statement - Post Office Limited v Lee Castleton | POL-0067625
34 | POL00081490_032 | Lee Castleton case study - Email from Stephen Dilley to Brian Pinder, re PO witness statement request | POL-0078053_032
35 | FUJ00122300 | Email from Stephen Dilley to Peter Sewell re Marine Drive WS. | POINQ0128514F
36 | POL00072808 | Witness Statement of Andrew Paul Dunks for Post Office Limited and Lee Castleton | POL-0069371
37 | POLO00069609 | Email from Brian Pinder to Stephen Dilley to Stephen Dilley- RE: Andy's draft statement and questions he could be asked at court | POL-0066172
38 | FUJ00122333 | Email from Stephen Dilley to Andy Dunks, Tom Beezer, Mandy Talbot, Carol King and others re Witness Statement of Andrew Dunks, Post Office v Castleton | POINQ0128547F
39 | POL00069464 | Email from Stephen Dilley to Andrew Dunks re Witness Statement of Andrew Dunks in PO v Lee Castleton | POL-0066027
40 | FUJ00154739 | Meeting invitation from Brian Pinder to Peter Sewell and Andy Dunks Re: Caledonian Road witness statement | POINQ0160934F
41 | POL00044481 | Post Office Witness Statement of Penelope Anne Thomas | POL-0040960
42 | FUJ00152894 | Seema Misra Criminal Case Study - Email from Andy Dunks to John Longman Re: WS for West Byfleet - Additional Information Requested | POINQ0159089F
43 | FUJ00122676 | Post Office, Witness statement of Andrew Paul Dunks | POINQ0128890F
44 | FUJ00122675 | Email from John Longman to Andy Dunks re: WS for West Byfleet - Additional Information Requested. | POINQ0128889F
45 | FUJ00154881 | Seema Misra Case Study - Email from Mark Dinsdale to Penny Thomas, Andy Dunks, cc'ing Post Office Security and others re: West Byfleet - Horizon Service Helpdesk Calls | POINQ0161076F
46 | POL00054518 | Witness Statement of Andrew Paul Dunks relating to Seema Misra. | POL-0050997
47 | FUJ00122854 | Draft witness statement for Andrew Paul Dunks - West Byfleet | POINQ0129068F
48 | FUJ00152990 | Seema Misra case study: Email from Penny Thomas to Andy Dunks re FW ARQ436-490 Witness Statement Support for West Byfleet, 126023 | POINQ0159185F
49 | FUJ00123679 | Email from Penny Thomas to Andy Dunks re Castleton witness statements. | POINQ0129893F
50 | FUJ00184492 | Email from Andy Dunks To: Dave Ibbett, Matthew Lenton, Pete Newsome and others re WS for audit data | POINQ0190209F
51 | FUJ00160652 | Email from Lucy Bremner to Matthew Lenton cc. Jonathan Gribben, Dave Ibbett and others re: Witness Statement re Pulling ARQ Data. | POINQ0166830F
52 | POL00111977 | Opus 2 International Housekeeping Statement, Horizon Issues-Alan Bates Others v Post Office Limited | POL-0109545