THE POPULAR FRONT FOR THE LIBERATION OF CPSA
FREEDOM! UNITY! SOCIALISM!
REVOLUTION UNTIL VICTORY!
The Anthony White Report
PUBLIC AND COMMERICAL SERVICES UNION
ALLEGATIONS OF UNAUTHORISED USE OF MEMBERSHIP DATA
1.2 In paragraph 6.1 of my Interim Report I explained that the main outstanding questions were:
1.2.1. Whether the information used to compile the name and address labels used in the mailing of the NMG leaflet came from the PCS membership database (as appears to be the case from the evidenced so far available) or from some other, as yet unidentified, source.
1.3 As at the date of my Interim Report I was optimistic that Mrs Marion Chambers, the leader of the National Moderate Group at the time of the mailing of the NMG leaflet, or other leading members of that Group involved in the mailing, would cooperate with my investigation by explaining how and from what source the information used to compile the name and address labels used in the mailing was obtained, and how the mailing was funded. As I indicated in paragraph 6.3. of my Interim Report, the provision of such information by Mrs Chambers or other leading members of the National Moderate Group would have avoided the need for PCS to incur substantial expenditure in engaging a forensic computer Investigator.
2. CORRESPONDENCE WITH MRS CHAMBERS AND OTHER REPRESENTATIVES OF THE NATIONAL MODERATE GROUP
2.1 I attach as Appendix 1. to this Report copies of my correspondence with Mrs
2.1.1. My letter to Mrs Chambers of 13 June 2000.
2.2 At the outset of my investigation I invited Mrs Chambers, through Chris Duffield, to meet with me to provide relevant information. Mrs Chambers declined this invitation but offered to provide a written statement. This led to the
2.3 I regret to say that I find it both surprising and disappointing that a trade unionist
Other members of the National Moderate Group
2.4 Organising and carrying out the mailing of the NMG leaflet must inevitably have involved considerable work. Persons other than Mrs Chambers must have been involved. The fact that I have been appointed to conduct an investigation is widely known throughout the union. Anyone otherwise unaware of the investigation would have learned of it through Staff Briefing SB40/00 or Members Briefing MB8/00. Yet it is noteworthy that not one member of the National Moderate Group has come forward with any information about the way in which the mailing was organised or funded. I shall return below to the significance which I attach to this.
2.5 In the absence of any reply from Mrs Chambers to the questions posed in my
Appendix 2. copies of my letters to Mr Curry and Mr Moffat of 4 July 2000. Mr
3.1 In the absence of information from Mrs Chambers or any other member of the
3.2 Clifford May of Vogon International Limited visited PCS headquarters with Mr Moore of BDO Stoy Hayward on 26 July 2000 in order to assess what steps might be taken to obtain evidence from the PCS computer system. In a Report dated 28 July 2000 Mr May recommended that four back up tapes of the Unix server which holds the PCS membership database be examined. A copy of this Report is attached as Appendix 3.
3.3 In a further Report dated 9 August 2000 Mr May set out the results of his examination of the back-up tapes. He was unable to discover any indication of when the data used in the production of the name and address labels was extracted, or by whom. A copy of this Report is attached as Appendix 4.
3.4 It is important to appreciate two points in relation to the back-up tapes which Mr May examined. First, they represent only "snapshots" of the PCS computer system on particular days. Second, the back-up tapes do not show deleted extraction programs or output files. It follows that if someone had enacted the data and then covered his or her tracks by deleting the extraction programme and output file before the next back-up the extraction of the data would not be revealed by an examination of the back-up tape.
3.5 Mr May's second Report states that the back up tapes showed only Gordon Paterson and Andrew Simpson of the PCS IT Department using Structured Query Language (SQL), the computer language which it would have been necessary to use in order to extract a list of members' names and workplace addresses from the membership database. However, both Mr May and Mr Moore emphasised to me that SQL is a relatively unsophisticated computer language which a computer literate person could learn from the Internet if so inclined. A person capable of learning and using the SQL would also be capable of accessing the PCS computer system from a PC which did not belong to them, and of covering their tracks.
3.6 At the conclusion of his second report Mr May suggested two possible further steps. First, the taking of an image copy of the PCS e-mail server. Second, the taking of image copies of selected employees' PC's. After discussing these steps with Mr May I decided that it would not be appropriate fir PCS to incur the substantial further expenditure which they would involve. There were a number of reasons for this. In both cases Mr May felt that the chances of uncovering incriminating evidence would be very slim. Copying the e-mail server would also risk infringing the privacy of communications between members, officers and others. Copying the PC's of selected employees would tend to undermine trust and confidence by suggesting that there were grounds for suspecting an individual/s of involvement whereas my investigation has not produced any grounds for suspicion in relation to any particular employee. Perhaps most importantly Mr May emphasised that any individual technically competent enough to extract the relevant membership data would in all likelihood be competent enough to cover their tracks.
4.2 In the absence of any viable alternative explanation of the source of the information used to prepare the name and address labels it seems to me that the inevitable inference is that an individual or individuals acting on behalf of the National Moderate Group obtained access to the PCS membership database, extracted information about members' names and workplaces addresses, and took steps to cover their tracks by deleting the extraction programme and output file. In my view this inference, and only this inference, fits with the fact that neither Mrs Chambers nor any other member of the National Moderate Group involved in the production and distribution of the leaflet has been prepared to come forward with an explanation of how the labels were prepared. If there was a legitimate explanation for the source of the information used to prepare the labels it would be a simple matter to provide it.
4.3 The closest that Mrs Chambers has come to providing an explanation is in the penultimate paragraph on the first page of her letter of 19 July 2000 where she refers to lists of names and addresses built up over 20 years from a variety of sources. Mrs Chambers does not actually say that such a list was used to prepare the name and address labels but if that were her explanation it would appear farfetched. The sheer scale of the mailing of the NMG leaflet, and the uniformity of the labels used, suggest that an aggregation of details from various sources is unlikely to have been used to provide the names. Further, the chance that a list compiled over 20 years from various sources would contain errors, omissions and other features identical to those appearing in the PCS membership date (as set out in paragraph 5.6 of my Interim Report) seems to me to be remote in the extreme.
4.4 That the PCS membership records were accessed surreptitiously to obtain the members' names and workplace addresses used in preparing the labels used to mail the NMG leaflets is also indicated by another piece of evidence drawn to my attention by Mr Moore. He points out that the labels used in the mailing bore text identical to the corresponding entries in PCS membership records but with the lettering in upper, rather than lower, case and with commas, full stops, hash characters and apostrophes removed. Mr Moore told me that in his experience this sort of change, i.e. alteration of case and deletion of punctuation, is often made in an attempt to disguise the source often which has been copied. The fact that such changes were made when the labels were produced for the mailing of the NMG leaflets suggests that those responsible knew that they had obtained the information about the members' names and addresses improperly.
4.5 For these reasons I have reached the conclusion that the inference which I have described in paragraph 4.2 above as inevitable is also the correct inference to draw from the available evidence.
4.6 The evidence does not, however, enable me to identify the individual/s responsible for accessing the PCS membership records on behalf of the National Moderate Group. Unsurprisingly no one confessed. Although everyone I interviewed had their suspicions in no case was the suspicion grounded on any actual evidence of involvement on the part of the person/s suspected.
4.7 In particular I feel it appropriate to record that although suspicion naturally fell upon Gordon Paterson, Manager of the PCS IT Department, he struck me as an open and reliable witness who gave his evidence to me in a helpful and undefensive fashion - indeed he was a much less guarded witness than many of his more overtly political colleagues. He seemed to me to be genuinely concerned about the possibility that someone had surreptitiously gained access to the membership data. He recognised that anyone with SQL competence could have obtained the information and deleted the record of the extraction. I feel that if he could have helped me identify the person/s responsible he would have done so. I have singled out Mr Paterson for mention because his role within PCS makes him an obvious suspect and because a recent article in the Trade Union Review has suggested that even if my investigation does not identify the person responsible for accessing the membership records "it is difficult to see how the manager responsible for this area in (PCS) could remain in post". If this was aimed at Mr Paterson it was, in my view, misguided.
5.1 The evidence available to me does not support the inference that PCS funds were used to produce or distribute the NMG leaflet. Mrs Chambers has referred in her letter of 19 July 2000 to the National Moderate Group collecting money from supporters. Several witnesses told me that National Moderate Group Members and external political sympathisers contributed to the Group's funds. I interviewed the PCS Director of Finance, David Newlyn, who was very clearly on top of the finances of the Union. Mr Newlyn was satisfied that no PCS money had been used to fund the NMG leaflet.
5.2 Several witnesses told me that they suspected that Centurion Press might have
6.1 Given the limited nature of the conclusions drawn above there is little more to say about the legal position than is set out in my Interim Report at paragraphs 4.2 and 4.3.
6.2 PCS as the data controller in relation to the membership data held on its computer system is under a duty under section 4(4) of the Data Protection Act 1998 to comply with the data protection principles in relation to that data. One of the data protection principles requires that appropriate technical and organisational measures shall be taken against unauthorised processing of the data, (Schedule 1, Part 1, para 7). Although a determined "hacker" can defeat the most rigorous of organisational measures it is clear from Mr May's first report that more could be done to protect PCS membership and other data from unauthorised access. I recommend that PCS obtains advice from either Mr Moore or Mr May as soon as possible on the steps which it should take to put in place appropriate technical and organisational measures to protect its data.
6.3 Given that the evidence does not enable me to identify the individual/s responsible for obtaining unauthorised access to the membership data on behalf of the National Moderate Group it is also impossible to identity any person who may have committed an offence under section 55 of the 1998 Act.
6.4 Since the evidence does not support the inference that PCS funds were used to pay for the production or distribution of the NMG leaflet PCS has not acted in breach of any of the "level playing field" provisions contained in sections 46-52 of the Trade Union and Labour Relations (Consolidation) Act 1992. The National
7.1 On the basis of the evidence available to me and in the absence of an explanation from Mrs Chambers or any other member of the National Moderate Group involved in the production and distribution of the NMG leaflet of the source of information about members' names and workplace addresses used to prepare the labels used in that mailing, I conclude that the correct inference to draw is that a person or persons unknown acting on behalf of the National Moderate Group surreptitiously extracted information from PCS membership records and deleted any record of the extraction to cover their tracks.
7.2 There is no evidence that PCS funds were used to pay for the production or distribution of the NMG leaflet.
7.3 PCS should obtain advice from its auditors or from other appropriate computer experts on the steps which should be taken to put in place appropriate technical and organisational measures to protect its date from further unauthorised use.
7.4 A list of persons whose complaints were considered in the course of my investigation is attached as Appendix 6.