Five lessons to learn from the Post Office scandal

The Post Office Horizon scandal is the subject of an ongoing Public Inquiry and is widely accepted as one of the biggest miscarriages of justice in British legal history. The faulty software provided by Fujitsu, and known as Horizon, created false shortfalls in the accounts of hundreds of subpostmasters. Every organisation should examine its own record when it comes to the systems it invests in and the information it captures and stores.

Reading time: 6 minutes

Avoid the impact of faulty systems on individuals

Around 900 people were prosecuted for theft, fraud and false accounting, others were also forced to personally cover the shortfalls and had their contracts terminated.  The court proceedings, criminal convictions, prison sentences, debts and bankruptcies and loss of livelihoods took a toll on victims and their families.

Stress, illness, family breakdowns and reported suicides were the toll of the scandal. Every organisation has a duty of care to its people and the continual denials of responsibility from the Post Office prolonged the turmoil its subpostmasters faced.

Electronic records are captured and kept by every organisation. Certified standards exist to protect everyone involved in their existence – from the employee taking the data and inputting it into the system, to the organisation who has ultimate responsibility for its use. ISO Management Systems exist to reap the benefits of having robust processes in place that manage risks, drive efficiencies and sustainably fuel an organisation’s growth. Good governance should be at the heart of keeping employees safe in their roles, knowing that they are not going to be penalised for relying on a faulty system.

Every organisation should be vigilant in checking computer systems

New software needs to be robust. Knowledge of faults in the system are alleged at the time of the Post Office pursuing convictions. It was Computer Weekly who broke the story about issues with the Horizon system in 2009. This was when subpostmaster Alan Bates launched the Justice for Subpostmasters Alliance. It took until 2012 for forensic accounting to expose accounting discrepancies, that the Post Office continued to deny.

The group action in the High Court in 2017 resulted in an out of court agreement of £58 million in compensation, but much of this was taken by legal fees. Renewed urgent action was pledged by the government following public backlash in the wake of the ITV drama, and the ongoing public inquiry. A new Horizon Convictions Redress Scheme is processing compensation applications or subpostmasters can accept final offers of £600,000.

Although there were suggestions that the system was not as infallible as the Post Office wanted to believe, the consistent denials and unwavering belief in the system led to this scandal. Organisations should constantly be reviewing their information security measures and the processes they have in place to ensure systems are working as they should be.

Customers want organisations who can keep information secure

Anything that relies on computer generated evidence is now open to challenges. When we consider the scale of this implication – health records, criminal records, any records that contain sensitive and critical information needs to be stored in a system that has integrity.

Accredited bodies certifying public bodies and businesses to international standards of organisation demonstrate their commitment to quality processes. ISO 27001 shows that organisations actively manage their information security, minimising risks to the confidentiality, integrity and availability of information. BS 10008 helps organisations be in a position to rebut any legal challenges to their data. Obtaining certification in itself provides the relevant framework for organisations to demonstrate the trustworthiness of the system and data in court, as the implementation is externally validated. Certification assures clients that their data is being securely and correctly stored.

These pathways to continuous improvement in an organisation ensure that the organisation takes every opportunity to minimise the risks it faces. In a world where customers want to know that they are interacting with an organisation who holds itself to account and takes responsibility for its impact in society, consumers take their security concerns and their rights seriously. The public outcry at the treatment of Post Office subpostmasters for the IT failings of the organisation demonstrates the responsibility organisations have to wider society.

The financial risk necessitates good governance processes

While the Post Office consistently did not interrogate the robustness of the Horizon IT system provided by Fujitsu, there are suggestions that this was because of the level of investment made into the system. However, the scandal highlights the dangers of courts unquestioningly accepting the output of IT systems as reliable evidence.

Given the ramifications for subpostmasters and their communities, the scandal demonstrates the importance of evidence in securing justice for those affected by processes that let them down. The Post Office’s refusal to check that their systems were compliant led them to successfully rely on evidence of a fault computer system. If the Post Office had been required to prove that Horizon operated reliably, outcomes may have been very different.

Computer systems are currently presumed to be correct unless evidence proves that they are faulty. Following the wrongful convictions as a result of this presumption, there are suggestions that the High Court decision may have set a precedent, removing the presumption that this type of evidence will be automatically accepted. Organisations should be doing their own independent verification of the systems and processes they have in place to avoid eye-watering consequences further down the line.

Reputations are founded on a commitment to best practice

A commitment to best practice is something that organisations and its people can take pride in. Achieving certification to ISO 27001 requires organisations to demonstrate that they have implemented sufficient processes for an information security management system to meet the standards required of the standard 

Assessment is based on controls in place to manage risks to:

  • Information confidentiality, including whether adequate access controls are in place to prevent unauthorised access.
  • Information integrity.
  • Information availability.

In addition to the above, assessments for BS 10008 include risks to information authenticity.

Certifying to both ISO 27001 and BS 10008 is a powerful combination, as it ensures that information is being processed in a way that minimises risks, while also meeting the threshold for electronic information to have evidential weight in a court, which relies on ongoing management and scrutiny. Download our BS 10008 Requirements Checklist to see what’s involved and assess whether you’d be able to rebut challenges to the integrity and authenticity of your electronic information and computer systems. 

Start your journey to achieve certification

The meticulous treatment and processing of data is critical to the sustainable, long-term success of an organisation. BS10008 supports organisations who want to ensure they are taking a risk-based approach and upholding their compliance obligations. The accuracy and precision of agreed protocols, such as agreements around privileged access and retention of records, are crucial for upholding an information management framework.

Everyone should be protected by clear processes that govern how to handle and store electronic records that are critical to their operation. Of the 555 allies that fought the Post Office alongside Alan Bates in the High Court, 18 died without seeing justice or receiving full compensation. Every organisation has the responsibility to provide their people with robust best practices, recognising their role in society and the communities in which they operate and serve.

Elisabeth Belisle

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

She owned and managed a BS 10008 Certified scanning and document management organisation for 15 years. She has both hands-on experience and deep understanding of this standard.