The Post Office and BS 10008
How the human stories at the heart of a technology system highlight the importance of trustworthy electronic records
The Post Office Horizon scandal featured in the drama Mr Bates vs The Post Office is widely discussed as the most widespread miscarriage of justice in British legal history. As it continues to be scrutinised in a Public Inquiry, here we outline how organisations can ensure they are in a position to rebut any legal challenges that their data faces and establish a framework for reliable information systems.
Electronically stored information
Inaccuracies in Horizon, the unreliable computer system used to track sales at Post Offices around the country, resulted in the wrongful convictions of sub-postmasters for theft, fraud and false accounting.
Around 900 sub-postmasters were prosecuted by the Post Office between 1999 and 2015 after the Horizon IT system, developed by Fujitsu, made it look like there were shortfalls in branch accounts. Computer systems are presumed to be operating correctly unless there is evidence to the contrary. This legal rule led to unjust consequences, and the resulting wrongful convictions may have removed the ‘rebuttable presumption’ by precedent. This is yet to be tested.
As early as 2001, faults and bugs in the system had been identified. One example was the “Dalmellington Bug”, named after the village in Scotland where an operator experienced the screen freezing as they confirmed receipt of cash. Each time they pressed ‘enter’, the record would update, which resulted in a £24,000 discrepancy that was the responsibility of the Post Office operator. Duplicate transactions were among the errors that Post Office operators were held responsible for, and many continue to pursue the remedy they deserve.
The Lord Chancellor’s Code of Practice on record management under s46 of the Freedom of Information Act 2000 identifies BS 10008 as best practice for Authorities. Failing to comply may place authorities in breach of their statutory obligations. ‘Authorities’ include government departments, legislative bodies, local authorities, the NHS, schools and police. Given the millions of electronic records that these organisations handle, reliable digital information that retains its integrity and accuracy for the whole of its lifecycle is crucial.
Withstanding scrutiny
BS 10008 is the British Standard on Evidential weight and legal admissibility that applies to handling electronically stored information. Given that software systems and document management systems are at the heart of processing business-critical information, the management system standard BS 10008 upholds accountability and governance, ensuring that organisations can point to frameworks that follow best practice.
When disputes arise, electronic records and document management systems need to be robust and able to withstand scrutiny, which relies on proactive, ongoing management. BS 10008 ensures that organisations can prove compliance through:
- External validation – organisations should not self-certify; achieving certification can validate that organisations are meeting their corporate governance obligations with annual audits and independent reports by the appropriate, accredited bodies.
- Internal audits – reviews must be carried out on an ongoing basis to monitor the integrity of the data and meet the level of rigour demanded by the annual audit.
- Testing controls – continually monitoring the accuracy and processes of systems, including defining and upholding the agreed protocols around privileged access.
- Integrity of electronically stored information – being able to prove compliance two or three years down the line is crucial. The time frame of stored audit trails will be risk based, factoring in what the organisation and its stakeholders require, and taking compliance obligations into consideration.
Good governance
BS 10008 helps organisations achieve top-quality electronic information and minimise their risks. The Post Office scandal underlined how the meticulous treatment of data is pivotal to the health, reputation and livelihood of individuals who work for all businesses and public bodies. The complexity and intricacies of the litigation and criminal proceedings that unravelled after the scandal came to light highlight how frameworks should be robust and alert to risk from the outset.
Thousands were forced to use their own money to cover discrepancies caused by the Horizon IT system and continue to seek compensation from the government. The Post Office Horizon Inquiry examines corporate governance (or the lack of it), scrutinises how the postmasters were initially treated, and is investigating the public body’s leadership and management. Given that the culture championed the investment in the system over its reliability, and given the subsequent lack of transparency, there are vital lessons to learn when it comes to building in accountability and ensuring that data has evidential weight.
Start your journey to achieve BS 10008
BS 10008 creates a continuous pathway to improvement. Once this commitment to upholding a quality management framework becomes part of an organisation’s culture, it creates efficiencies. Everyone understands how to handle and document business-critical information. Organisations maintaining certification can prove the authenticity and integrity of their information, ensuring the legal admissibility of electronic records so that they stand up in court. Processes around correct functionality, incident logs, backup and recovery, business continuity, cyber security and monitoring help ensure the integrity of the systems in place.
Implementing BS 10008 helps organisations follow a framework to enable them to demonstrate the trustworthiness of their systems and data. When systems and data are called into question, following this standard enables organisations to prove that they have the controls in place to substantiate the data and meet their compliance obligations. As the Post Office Inquiry demonstrates, placing faith in an organisation’s systems and controls without continuous monitoring can lead to the most tragic and unforeseen consequences. Ensure you have robust systems in place by following best practice at the earliest opportunity.
Elisabeth Belisle
Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.
She owned and managed a BS 10008 Certified scanning and document management organisation for 15 years. She has both hands-on experience and deep understanding of this standard.