Post Office senior leadership warned of IT project data safeguarding risk


A data safeguarding risk has been raised with Post Office board members and senior executives as IT project insiders fear future access to important data on its delayed and over-budget project could be jeopardised.

The data, which might be required for future inquiries or investigations into the troubled project to replace the controversial Horizon system, could become inaccessible for future review after people leave the business, it is feared.

According to a source close to the project, the Post Office is ending its Strategic Platform Modernisation Programme (SPMP), which the Horizon replacement project known as New Branch IT (NBIT) sits within, and is letting staff go.

A data safeguarding risk was flagged as urgent to senior Post Office executives by the data safeguarding contractor being cut from the project.

There are fears over the possible destruction of potential evidence, directly relating to the programme’s non-delivery and massive overspend. According to the source, third parties will now decide what data is to be preserved. “How likely is it that they will leave damning evidence about their shortcomings in respect to decisions?”

Project staffing cuts

The source said the SPMP has been paused and reassessed, and the Post Office has told staff on the programme that it is being ended and that many staff, mainly contractors, will leave. Hundreds of staff will remain and the NBIT element will continue, but it is not yet clear in what form.

The Post Office confirmed that 80 consultants and 29 contractors will leave over the coming weeks. The source said the latest cuts are a second wave, with about 100 already cut.

Last week, a large group of staff on the SPMP were told they would not be needed beyond Friday 13 December, giving the Post Office about a week to secure the data they hold and ensure it can be accessed in the future.

The data could be vital for future inquiries into the project, the Post Office and why SPMP spent hundreds of millions of pounds more than it budgeted for but still failed to deliver NBIT. It includes data in emails, messaging apps, working documents and technical information documents.

The source told Computer Weekly: “Over the next couple of weeks, the SPMP is concluding its decision to let go of contractors and third parties, but without adequately completing a credible data safeguarding activity, the Post Office’s response to the risk is very weak. Something is not right about this.”

This could, the source alleged, lead to the loss of potential sources of evidence for the ongoing Horizon inquiry, future government investigations into SPMP overspending and failures in the Post Office’s legal responsibilities in terms of data retention.

The Horizon system is at the centre of one of the biggest miscarriages of justice in UK history and the project to replace it is of public interest. Work to replace the 25-year-old system began in 2021. The new platform being developed in-house by the Post Office is part of the wider SPMP. Its development costs have soared from £180m to well over £1bn, with the bill being paid by taxpayers. 

When asked about the data safeguarding risk that has been raised, the Post Office told Computer Weekly: “There is a structured offboarding process for people leaving, including the handing back of Post Office assets with knowledge transfer and handover of project deliverables being completed by Post Office colleagues for all of the teams affected.”

But the source said: “The Post Office has failed to safeguard project data for the last two-and-a-half years and now it has a few days to do it all.”

Even if it retrieves the data from staff leaving, it will then be left mainly to third parties to secure and make it accessible for the future, added the source. “We cannot leave unsupervised third parties to get on with it. There is a clear conflict of interest. Why is this still being allowed to happen?”

The Post Office said data related to NBIT would stay in Post Office teams: “What were key parts of the NBIT solution will continue to be operated by Post Office-led technology teams for the foreseeable future and are integrated to the Post Office branch technology architecture.”

It added that those parts of NBIT which are not being deployed will also be handed over so “requirements, designs and software is available should we need to review it as part of our future technology roadmap”.

The Post Office has been heavily criticised during the three-year public inquiry into the Horizon scandal for failing to disclose information on time, thereby delaying proceedings.

A Post Office manager is currently being investigated by the Metropolitan Police for allegedly instructing staff to destroy or conceal documents that could be of interest to the Post Office Horizon statutory inquiry.

Separately, the Post Office is in the process of replacing the current audit system for Horizon with a cloud-based system, to which it is migrating Horizon data, including legacy data. The Post Office plans to start testing after Christmas and will begin the migration of data in early 2025, at which point it will no longer rely on Fujitsu for data about branch accounts.

Horizon was responsible for phantom accounting losses and the use of its data led to hundreds of innocent subpostmasters being wrongly blamed and prosecuted in what became known as the Post Office scandal. The Post Office scandal was first exposed by Computer Weekly in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to the accounting software (see timeline of Computer Weekly articles about the scandal below).


