1 Wednesday, 10 May 2023 2 (10.00 am) 3 MR BEER: Good morning, sir, can you see answering 4 hear me? 5 SIR WYN WILLIAMS: Yes, I can, thank you very much. 6 MR BEER: May I call Stephen Parker, please. 7 STEPHEN PARKER (affirmed) 8 Questioned by MR BEER 9 MR BEER: Good morning, Mr Parker, my name is Jason 10 Beer and I ask questions on behalf of the 11 Inquiry. Can you give us your full name, 12 please? 13 A. Stephen Paul Parker. 14 Q. Thank you very much for coming to the Inquiry to 15 assist us today and thank you also for the 16 provision of a witness statement. Can we look 17 at that to start with, please. It's dated 18 27 March of this year, and if you turn to 19 page 38 of it, you should see a signature. 20 A. I do and that's mine. 21 Q. Is that your signature? 22 A. Yes, it is. 23 Q. Are the contents of that witness statement true 24 to the best of your knowledge and belief? 25 A. Yes, they are. 1 1 Q. Thank you. For the purpose of the transcript -- 2 there's no need to display it -- that statement 3 is WITN00680100. 4 Mr Parker, I'm only going to ask you 5 questions today about the issues that arise in 6 what we call Phase 3 of the Inquiry. We may ask 7 you to return at a later stage in the Inquiry to 8 answer questions about Phase 5 of the Inquiry 9 and, in particular, the role that you took and 10 the evidence that you gave in the GLO trial, the 11 Bates trial, including the making of three 12 witness statements on 16 November 2018, 13 29 January 2019 and the 28 February 2019, and 14 then when you gave oral evidence before 15 Mr Justice Fraser on the 11 April 2019. 16 I'm going to be asking you some questions 17 today about some individual cases which are 18 going to be considered in Phase 4 of the Inquiry 19 because it's not currently our intention that 20 you should come along and give evidence in 21 Phase 4; do you understand? 22 A. I do. 23 Q. Thank you. Just as a general question, however, 24 those three witness statements that I mentioned, 25 the November 2018, the January 2019 and February 2 1 2019 witness statements, when you were making 2 your current witness statement, did you have 3 them in front of you when you were making it? 4 A. I did, and I cribbed some of the wording to save 5 rewriting it. 6 Q. When you say "cribbed" to you mean cut and paste 7 it? 8 A. Not exactly cut and paste. Cut and minor 9 changes. 10 Q. Okay. Did you write stuff afresh? 11 A. Oh, yes, yes. Most of it was. I mean, we're 12 probably only talking about one or two minor 13 paragraphs that were actually copied. 14 Q. I understand. Can we start, please, with your 15 career and qualifications. You tell us in your 16 witness statement that you left school at 16; is 17 that right? 18 A. That's correct, yes. 19 Q. Do you have any professional qualifications -- 20 A. I don't, no. 21 Q. -- that are relevant to what we're going to 22 speak about today? 23 A. No. 24 Q. I think you moved to ICL, as it was then called, 25 in 1985; is that right? 3 1 A. That's correct, yes. 2 Q. You stayed there until you retired in December 3 2019, it had changed name in the meantime. So 4 you worked for the company, you were a company 5 man for some 34 years; is that right? 6 A. That's correct, yes. 7 Q. You tell us in your witness statement that in 8 that time you received what you describe as 9 "industry specific, technical and skilled 10 training". Can you in broad terms tell us what 11 you mean by that? 12 A. It was generally training on particular 13 programming languages or methodologies. Some 14 people skills training for team leading and 15 management purposes. Just general IT industry 16 training. 17 Q. Was it externally provided or in-house or a bit 18 of both? 19 A. A bit of both. 20 Q. Can we look at the roles, in general terms, that 21 you performed when you moved to the SSC, and 22 I think you were there for 22 years by my 23 calculations; is that right? 24 A. Yes. 25 Q. Can we look at a couple of documents alongside 4 1 each other, please. I think we can do this. 2 They'll come up on the screen for you. 3 To start with, can we look at your Inquiry 4 witness statement, please, at page 2. It's 5 really paragraphs 4 and 5 that I'm interested in 6 there. Thank you. At the same time can we look 7 at FUJ00082231. Can we look at page 2 of that 8 witness statement, please, and, in particular, 9 paragraph 7. So on the left-hand side you've 10 got your High Court witness statement, on the 11 right-hand side you've got the Inquiry witness 12 statement; do you understand? 13 A. I do indeed. 14 Q. You'll see that paragraph 4 of the Inquiry 15 witness statement, on the right-hand side, is, 16 give or take a few words, the same as the first 17 sentence in paragraph 7 of your High Court 18 witness statement? 19 A. Yes, indeed. 20 Q. "I began working in July '97", "I began working 21 in July '97", yes? 22 A. Yes. 23 Q. If you look at paragraph 5 of the witness 24 statement on the right-hand side, your Inquiry 25 witness statement, the one beginning "My 5 1 technical role", and compare it to the rest of 2 paragraph 7 on the left-hand side -- 3 A. Yeah. 4 Q. -- do you see any difference? 5 A. You'll probably need to point out to me the 6 difference you're interested in. 7 Q. Just look at the witness statement on the 8 left-hand side. You say: 9 "Within this role [the third line] I was the 10 lead designer and part of the development team." 11 Yes? 12 A. Yes. 13 Q. Then, on the right-hand side, paragraph 5, you 14 say: 15 "Within this role I also developed some of 16 the support tools used by the SSC and was for 17 a few years the lead designer and part of the 18 development team ..." 19 A. Yes. 20 Q. So it's that. The insertion of the "I was for 21 a few years", rather than "I was the lead 22 designer". 23 A. Yes. I understand where you are here. 24 I couldn't remember exactly how long I was the 25 lead designer for and the development of things 6 1 like the SSC, live website, were a cooperative 2 effort. I took over that role in order to sort 3 out some problems we had with the website, and 4 carried on in that role for a period of time. 5 But my role in that gradually diminished, as 6 other people started to take over some of the 7 website's development. It's difficult for me to 8 quantify for you the exact periods when I was 9 leading it and when I was just contributing to 10 it. 11 Q. My question is, why has "I was the lead designer 12 and part of the development team" become "I was 13 for a few years the lead designer and part of 14 the development team"? 15 A. I have no particular reason for that, it was 16 just the way I was writing it at -- in the 17 second witness statement. 18 Q. If you had the witness statement in front of 19 you, the High Court witness statement in front 20 of you, which seems to be the case from what you 21 said earlier and certainly for these paragraphs, 22 because of materially the same language, what 23 motivated you to insert the phrase "for a few 24 years"? 25 A. I think because I didn't want to give the 7 1 impression that that was all I did for a long 2 period. I sort of wanted to just clarify that 3 slightly. 4 Q. What would you say to the suggestion that to the 5 High Court you were seeking to emphasise or 6 maximise the extent, importance and duration of 7 your role, whereas to the Inquiry you're seeking 8 to reduce or minimise it? 9 A. That wasn't on -- that wasn't on my mind when 10 I made that change. 11 Q. So was it you remembered, after 2019, that it 12 was only for a few years that you were the lead 13 designer? 14 A. That's fair, yes. 15 Q. Can we take the left-hand witness statement down 16 and just look at paragraph 7 of the right-hand 17 witness statement, please. You say: 18 "Between December 2009 and March 2010 I was 19 a full-time Problem Manager/Operational Manager 20 of the SSC, responsible for the management of 21 incidents through the whole support process." 22 That wasn't the ultimate head of the SSC; is 23 that right? 24 A. That's correct. 25 Q. Who was, at this time, December 2009 to March 8 1 2010, the head of the SSC, the manager? 2 A. Tony Little. 3 Q. So had Mr Peach left by then? 4 A. Yes, I'm not sure exactly when Mr Peach left. 5 But, I mean, effectively, when Tony Little took 6 over, I acted in the problem/incident management 7 role for him while he was trying to concentrate 8 on other parts of the SSC. 9 Q. Was Mr Little previously a member of the SSC? 10 A. No, he wasn't. 11 Q. Where was he brought in from? 12 A. It was another part of Fujitsu. I can't 13 remember now exactly what his previous job title 14 was. 15 Q. Was this always an interim role until the 16 appointment of the manager of the SSC had been 17 made? 18 A. No, I don't believe it was. I believe -- 19 I mean, I don't know the intention behind 20 whoever bought Tony in but there was nothing 21 originally which suggested it was of 22 a short-term nature. 23 Q. In the event, it did turn out to be of 24 a short-term nature because in March 2010 you 25 took over as manager of the SSC? 9 1 A. Correct, yes. 2 Q. We can see that if we scroll down to 3 paragraph 8, please? 4 "In March 2010 I became the manager." 5 Yes? 6 A. Yes, indeed. 7 Q. You remained in that position as manager of the 8 SSC from March 2010 until you retired in 9 December 2019? 10 A. That's correct, yes. 11 Q. Yes, we can take that witness statement 12 down.Yes, we can take that witness statement 13 down. 14 You tell us in your evidence that your first 15 working contact with what became Horizon, it was 16 then known as Pathway, was way back in July 17 1997; is that right? 18 A. '87? No. 19 Q. '97. Did I say '87? 20 A. I believe so, but it was '97. 21 Q. You were then working as a support consultant in 22 the SSC? 23 A. Yes, that's correct. 24 Q. Were you providing first line support then? 25 A. No, that was third line support. 10 1 Q. That was third line, okay. So you were inside 2 what became Fujitsu from almost the very start 3 of the Horizon project? 4 A. Indeed, yes. 5 Q. To whom were you providing third line support 6 from July '97, until the end of rollout in 2000? 7 A. Sorry, do you mean -- I mean, we were providing 8 support for the Horizon service to the Post 9 Office. 10 Q. So there was no other project in which you were 11 engaged? You were full time on that? 12 A. Yes. 13 Q. In that time, what's your recollection of the 14 nature and extent of the faults that were 15 reported to you? 16 A. Very little, to be honest, after all these 17 years. I couldn't relate to you any particular 18 faults. I would say it was a busy job, which 19 is -- I would expect to have been normal for the 20 rollout of a new system. 21 Q. Can you recall whether the, I'm going to call it 22 birth of Horizon was particularly problematic or 23 regarded as particularly problematic within 24 Fujitsu? 25 A. I don't remember anybody using terms like that, 11 1 no. 2 Q. So it was just another IT system no greater or 3 fewer faults than might be expected? 4 A. Correct, yes. 5 Q. Can we look, please, at WITN04600100. 6 That's the wrong reference: WITN04600104. 7 Thank you. You'll see that this document is 8 entitled "Schedule of Corrective Actions [for 9 the] CSR+ Development Audit". Does that 10 description of the CSR+ development audit ring 11 any bells with you now? 12 A. The -- I remember the term CSR+ but not the 13 development audit, no. 14 Q. Now, if we just scroll down we can see the 15 distribution list and we can see that you're not 16 on it. I'm not going to suggest that you saw or 17 reviewed this document at the time. If we just 18 look at the "Abstract" at the top of the page, 19 it describes accurately what the document is: 20 "This document presents the Observations and 21 Recommendations resulting from the referenced 22 Internal Audit(s) along with the agreed 23 corrective action, the action owner, and the 24 date by which the action is to be complete. 25 A status field is included for quick reference 12 1 purposes." 2 Can we look at page 9, please, of the 3 document. The document is presented in this 4 sort of spreadsheet format and there are 5 a series of issues which are called "Reported 6 Observations" and then a recommendation for each 7 of them, and then in the right-hand column what 8 has been agreed in terms of the action to be 9 taken and a commentary on that. 10 Can we just look at the reference against 11 4.2.1. It reads: 12 "The audit identified that EPOSS continues 13 to be unstable. PinICL evidence illustrated the 14 numbers of PinICLs raised since the 1998 Task 15 Force and the rate of their being raised. 16 "The EPOSS Solutions Report [then there's 17 a reference back to it] made specific 18 recommendations to consider the redesign and 19 rewrite of EPOSS, in part or in whole, to 20 address the then known shortcomings. In light 21 of the continued evidence of poor product 22 quality these recommendations should be 23 reconsidered." 24 Thinking back to that three-year, or so, 25 period that you were working in the SSC, whilst 13 1 Horizon was being rolled out, essentially, 2 tested and rolled out, between July '97 and, 3 say, mid-2000, did you know that there had been 4 an audit that had identified that the EPOSS 5 system was unstable. 6 A. I don't remember now being aware of that, 7 I would have thought I would have heard 8 something quite honestly. But it's not in my 9 memory. 10 Q. Is that because you would have thought you would 11 have heard something because the correct 12 functioning of EPOSS is essential to the correct 13 functioning of the system as a whole? 14 A. Yes, yes. 15 Q. EPOSS is absolutely fundamental to this system? 16 A. Yes, indeed. 17 Q. Again, can you remember whether you knew that 18 an EPOSS report had recommended consideration of 19 a redesign and rewrite of EPOSS, either in whole 20 or in part? 21 A. I have no specific memory of that. 22 Q. That would be quite a big issue, wouldn't it? 23 A. I would agree, that would be a big issue, yes. 24 Q. A total rewrite of EPOSS? 25 A. Would be a considerable amount of work, yes. 14 1 Q. Did you know by May 2000 -- ie the date of this 2 report, so we're well into rollout now -- that 3 the recommendation was that the earlier 4 taskforce report and its recommendations to 5 rewrite in whole or in part should be 6 reconsidered? 7 A. I wasn't aware of that, no. 8 Q. If we go over to page 10, please, and look at 9 the bottom right-hand box. The one dated 10 10 May, I think: 11 "Following response received from MJBC: 'As 12 discussed this should be closed. Effectively as 13 a management team we have accepted the ongoing 14 cost of maintenance rather than the cost of 15 a rewrite. Rewrites of the product will only be 16 considered if we need to reopen the code to 17 introduce significant changes in functionality. 18 We will continue to monitor the code quality 19 (based on product defects) as we progress 20 through the final passes of testing and the 21 introduction of the modified CI4 codeset into 22 live usage in the network. PJ can we make sure 23 this is specifically covered in our reviews of 24 B&TC test cycles. Closed.'" 25 Did you know that the quality of the EPOSS 15 1 code based on what were described as product 2 defects, was supposed to remain under review 3 during the introduction of the modified codeset 4 into live usage in the network? 5 A. I wasn't -- I can't remember that, no. 6 Q. We heard last week from Mrs Anne Chambers, she 7 told the Inquiry that she would have expected 8 this monitoring to have been done by the leaders 9 of the SSC team. You were, I think, the deputy 10 team leader in the month we're looking at here, 11 May 2000. Did you know that a monitoring 12 exercise should be undertaken? 13 A. I don't remember a monitoring exercise but 14 I would have expected that to have been done 15 just as much by the service managers, 16 development team and the SSC. So I wouldn't 17 have thought it was just purely an SSC function. 18 Q. You said -- you gave three people there -- 19 A. I did. 20 Q. -- three bits of the organisation -- 21 A. Yes. 22 Q. -- that you would expect to do the monitoring -- 23 A. Yes. 24 Q. -- one of whom was SSC? 25 A. Correct. 16 1 Q. Starting with SSC, can you remember whether, in 2 fact, any such monitoring of product defects 3 with the EPOSS code -- 4 A. I don't remember that monitoring being done. 5 Q. Right. The other two, I think you said service 6 managers -- 7 A. Service managers, yes, and also development. 8 Q. Just dealing with the service managers, who were 9 you referring to in your description of service 10 managers? 11 A. There is a Service Management Team who each 12 manage particular aspects of -- or each manage 13 particular aspects of the service, so whether it 14 was data centre service or counter service, or 15 whichever, there would be specific service 16 managers for those areas. 17 Q. So which of those would you, if this 18 recommendation was -- or this decision was to be 19 carried into effect, to have been doing the 20 monitoring? 21 A. I would have thought if there was a major 22 recommendation like that, they would have 23 probably just picked a specific person and asked 24 them to get on with it. I can't remember which 25 part -- what the official name was of the 17 1 service manager who would look after the counter 2 aspects of the service. 3 Q. You mentioned the development team, that they 4 would or might also have a role -- 5 A. Yes. 6 Q. -- in carrying a decision like this into effect? 7 A. Yes. 8 Q. Why would they have a role in carrying 9 a decision like this into effect? 10 A. Because they would be seeing the incident, 11 incidents being forwarded to them from the SSC. 12 They would also see the actual incidents coming 13 in to them from the test teams looking at 14 testing the actual, like, EPOSS code. 15 Q. Wouldn't the obvious repository for a decision 16 like this to be carried into effect be the SSC? 17 A. I wouldn't have said so, no. 18 Q. Why not? 19 A. Because a particular project like that would 20 probably require a separate person to actually 21 concentrate on that, rather than the ongoing 22 incident load on the support chain. 23 Q. But could not a decision like this be carried 24 into effect by saying to everyone in the SSC, 25 "If you see a defect, if you have a defect 18 1 reported to you that may be concerned with or 2 an investigation is concerned with the EPOSS 3 code, log it, pass it to the deputy manager, [to 4 you], or [by now you], the manager"? 5 A. That would be one way of approaching it, yes. 6 I don't remember that being done in this case. 7 Q. Can you remember anything at all about any 8 ongoing monitoring by any person at all within 9 Fujitsu of defects in the code for the EPOSS? 10 A. At any time or at this time? 11 Q. At this time and, I don't know, for six months, 12 a year or two afterwards? 13 A. I don't remember that, no. 14 Q. You see, Mr Parker, there's been a taskforce set 15 up into EPOSS in 1998 which recommends a total 16 or partial rewrite of the system. This review 17 in May 2000 said "You should reconsider, 18 Fujitsu, that recommendation", and the decision 19 was "Don't do that, we're going to do it through 20 ongoing monitoring". I'm trying to find out who 21 was going the ongoing monitoring? 22 A. I understand. I can't remember. No, I'm sorry, 23 I just can't help you with that. I don't 24 remember that going on. 25 Q. Would you agree that a fundamental problem with 19 1 the functionality of the EPOSS code is something 2 that should have been monitored? 3 A. Yes, I would, yes. 4 Q. Okay, can we turn, then, to -- that can come 5 down, thank you -- the lines of support that 6 were available, just to get these out there on 7 the transcript. You tell us on page 4 of your 8 Inquiry witness statement, from paragraph 13 9 onwards, about each of the four lines of 10 support, and you start at paragraph 13 with 11 first line support. Just trying to summarise 12 this, rather than reading it through, is it 13 right that, essentially for first line support, 14 there were three elements to it: two supplied by 15 Fujitsu and one supplied by the Post Office 16 itself? 17 A. Yes. I say cautiously yes, because I've 18 realised since that I have omitted one of the 19 teams from that paragraph 13, which was the 20 Incident Management Team, IMT, which was also 21 within the HSD. 22 Q. Okay. Is that a subset of the HSD? 23 A. Yes, it is. 24 Q. So far as the Fujitsu side of the house is 25 concerned, there were two elements. The Horizon 20 1 Service Desk, the HSD? 2 A. Yes, yes. 3 Q. That's sometimes called the Horizon System Desk 4 or HSH, yes? 5 A. It had various names, yes. 6 Q. And sometimes the Horizon Incident Team? 7 A. Yes. I believe that was the same as HSD, yes. 8 Q. Then the subset of it that you just mentioned 9 was? 10 A. The IMT, the Incident Management Team. 11 Q. What did the Incident Management Team do? 12 A. I have trouble now remembering their exact 13 function. I just remember the name. 14 Q. Then the second element provided by Fujitsu was 15 the Communications Management Team, you describe 16 it as, in paragraph 13. 17 A. Yes, correct. 18 Q. Sorry, you describe it in paragraph 13 as the 19 "Communications Monitoring Team"? 20 A. Yes. 21 Q. Is that a typo, should that be "Communications 22 Management Team"? 23 A. It was probably my memory rather than a typo. 24 With these sorts of acronyms, occasionally the 25 actual meaning of it gets lost in time. 21 1 Q. The only reason I ask is, if we just go on to 2 paragraph 15, you describe it there as the 3 "Communications Management Team" -- 4 A. Right, right. 5 Q. -- and every other document I can find calls it 6 "Communications Management" rather than 7 "Monitoring". 8 A. In which case, it should be "Management Team", 9 yes. 10 Q. Okay. Then, so far as the Post Office side of 11 the house was concerned, it was the NBSC; yes? 12 A. Yes. 13 Q. You describe it back in paragraph 13 as the 14 "National Business Support Centre". 15 A. Yes. 16 Q. Again, other documents describe it as the 17 "Network Business Support Centre". Can you 18 recall, or -- 19 A. I suspect now the latter is probably the 20 accurate one. 21 Q. Okay, thank you. Dealing with those three 22 elements of first line support, then, Horizon 23 Service Desk, Communications Management Team, 24 both Fujitsu and then the NBSC, Post Office, how 25 would a subpostmaster know which of those three 22 1 elements of first line support he or she should 2 contact, if they've got an issue? 3 A. I don't know what information was given to 4 subpostmasters in terms of where to call. 5 I would have expected them to have been given 6 one number and then been onwardly routed, but 7 I don't know what the guidance was and given to 8 me. 9 Q. So if they had a discrepancy, a failure to 10 balance, for example, which of those three would 11 you expect them to either contact or be routed 12 to? 13 A. NBSC, initially. 14 Q. Why NBSC initially? 15 A. Depending upon whether it was a business issue 16 or a suspected problem with Horizon. 17 Q. How would a subpostmaster know whether their 18 discrepancy was a business issue -- 19 A. They wouldn't. 20 Q. How would they know who to call, then? 21 A. Well, I can only go back to saying I don't know 22 how they were told to call in but I would have 23 expected them to have a single point of contact, 24 which then they talked to, and then it would be 25 onwardly routed appropriately. 23 1 Q. Did you know anything about that routing, how 2 had person -- 3 A. No, I didn't. 4 Q. -- would decide whether this was a business 5 issue or a software issue -- 6 A. No, I didn't. 7 Q. -- or a hardware issue? 8 A. No. 9 Q. Did you ever form an impression of how 10 technically knowledgeable the average 11 subpostmaster, assistant or Crown Office 12 employee in the Post Office was? 13 A. I would just -- no, I didn't. My only thought 14 on that would be, like any -- in a population 15 that's going to actually vary wildly. 16 Q. So fairly representative of the population at 17 large? 18 A. I would have thought so, yes. 19 Q. Many of the subpostmasters who would have given 20 evidence to the Chair in Phase 1 of this Inquiry 21 last year said that, when they were speaking to 22 the Helpdesk staff, they appeared to be using 23 scripts when they spoke to them. Were you aware 24 of that practice, the use of a script by the 25 Helpdesk? 24 1 A. I was aware of that practice. I didn't ever get 2 involved in writing of such scripts, and it's 3 a fairly common, like -- and process within 4 helpdesks to have a script of some sort. 5 Q. Did you ever see any of the scripts that the 6 Helpdesk was reading out down the phone? 7 A. Don't remember seeing any of them. 8 Q. Can you remember, with that in mind at all, 9 whether what the content of the scripts was, how 10 they worked? 11 A. Only to the extent that I would occasionally see 12 in incidents which came to the SSC, a clear 13 series of questions and answers in that incident 14 text, and I assumed those would come from that 15 kind of a process. 16 Q. So it would say, "Ask question A" -- 17 A. "Answer" -- 18 Q. -- "If answer is A1 then ask this"? 19 A. Not to that extent but I would see -- you would 20 see a series of "Ask this, answer that" within 21 the text. 22 Q. Who was responsible within Fujitsu for producing 23 the scripts, to your knowledge? 24 A. To my knowledge, I would expect it to be some of 25 the senior technicians within the HSD. 25 1 Q. So ie the HSD produced its own scripts for 2 itself? 3 A. I believe so, yes. 4 Q. Okay. Was there any SSC involvement in looking 5 at, amending or approving the HSD scripts? 6 A. I can't say we never saw one but there was 7 certainly no such process. It would be a rarity 8 for us to see and comment on such scripts. 9 Q. So you were seeing them almost by chance because 10 a bit of them had been -- or the answers to a 11 bit of them had been cut and pasted into a PEAK? 12 A. Correct, yes. 13 Q. In your time in the SSC, did the SSC ever draw 14 up the scripts for HSD? So that, for example, 15 they -- I'm sorry -- that so, for example, they 16 ensured accuracy that was in line with the SSC's 17 current understanding of an issue? 18 A. I don't recall those, no. 19 Q. Were the scripts paper based, to your knowledge, 20 or on a computer system? 21 A. I don't know. 22 Q. Where would the scripts, to your knowledge, be 23 held, ie within which department within Fujitsu? 24 A. Within the Helpdesk within HSD. 25 Q. What was the system or systems that HSD used to 26 1 go about its business? 2 A. They would have a call logging system, which 3 was, in the early days, PowerHelp; in the latter 4 days, TfS. 5 Q. Just dealing with those in turn. PowerHelp. 6 A. Yes. 7 Q. You described it as a call logging system? 8 A. Yes. 9 Q. To your knowledge, would that contain any 10 scripts which HSD staff were asked or required 11 to read out? 12 A. It would be a logical place to put them but 13 I don't know. 14 Q. TfS, does the same answer apply to that? 15 A. It does, yes. 16 Q. You were telling me about the systems that were 17 in place. 18 A. Mm-hm. 19 Q. Those were the first level, a call logging 20 system. What other HSD systems were there? 21 A. They would have access to the SSC's KEL system. 22 I remember at some point in the process they 23 also had their own Knowledge Base and I think 24 I've been reading recently it was called HSD1 25 but I only remember that through very recent 27 1 reading. And they would have access to 2 reference kits, reference counters, in order to 3 try out scenarios. 4 Q. So dealing with those in turn, on what system 5 were the KELs kept, so far as HSD was concerned? 6 A. HSD had access to the SSC KEL, which I believe 7 they used. Because I saw queries going through 8 it. 9 Q. Did they have read-only access to it? 10 A. No, they were able to generate KELs, although 11 the SSC would approve them and check the 12 content. 13 Q. Did the KELs contain any script, the KEL system 14 contain any scripts? 15 A. I don't remember it doing so unless the HSH 16 generated one. I don't remember seeing scripts 17 in the KEL. 18 Q. To what extent did you have access to their 19 systems, like PowerHelp? 20 A. We were able to examine PowerHelp in order to 21 see what had been logged in there because not 22 all information came over the interface between 23 PowerHelp and PEAK. I don't -- I think 24 I probably used that a couple of times, quite 25 rarely. That's about what I remember about 28 1 PowerHelp. 2 Q. Did HSD have access to PinICLs and PEAKs? 3 A. I think they did, yes. 4 Q. Were there any scripts kept on PinICLs and 5 PEAKs? 6 A. Not for the purposes of Helpdesk support, no. 7 I say it that way because PEAK was also used in 8 latter years in order to create sequences for 9 software delivery and release management type 10 purposes. So you would sequences of actions but 11 they were not to do with the first line 12 Helpdesk. 13 Q. If I, as the investigator, now wanted to find 14 scripts within Fujitsu, where should I look? 15 A. I would be -- I think my first port of call 16 would have been PowerHelp but I'm aware that the 17 PowerHelp system is no longer in existence. 18 Q. Where else might you look, or might I look? 19 A. I would only be going back to people who worked 20 at the HSD at the time to ask where they were 21 actually kept because, as I say, I'm not sure. 22 I would expect PowerHelp but I'm not sure. 23 Q. You mention that they had their own Knowledge 24 Base. To your knowledge, were any scripts kept 25 within that Knowledge Base? 29 1 A. I don't know. 2 Q. Did you, within the SSC, have access to HSD's 3 Knowledge Base? 4 A. I don't think we did, no. 5 Q. Looking at other functions of the HSD, did it, 6 the HSD, have any form of remote access, however 7 one might define that term? 8 A. No, the HSD had no remote access. 9 Q. Turning to the second element of the Fujitsu 10 first line support provision, the Communications 11 Management Team, what did it do? 12 A. As I remember, the Communications Management 13 Team were more concerned with network issues, 14 computer network issues. 15 Q. What do you mean by that, computer network 16 issues? 17 A. Communication between computers within each 18 outlet, between those outlets and the data 19 centres. 20 Q. Where was it based? 21 A. Stevenage. 22 Q. How many people worked in the Communications 23 Management Team? 24 A. I don't know. 25 Q. Did it, the Communications Management Team, have 30 1 any form of remote access, however one might 2 define that term? 3 A. No. 4 Q. Can we turn to the third element, the element 5 provided by the Post Office, the NBSC. Where 6 was the NBSC based? 7 A. I'm not sure. I think it was Chesterfield but 8 I'm not sure. 9 Q. How would the HSD communicate with the NBSC? 10 A. My assumption would be via -- I was going to say 11 via phone calls but no, I don't know. I don't 12 know what the linkage was there. 13 Q. How would the SSC communicate with the NBSC? 14 A. Generally via the HSD. 15 Q. So you would route it back down from first to 16 third line support -- 17 A. (The witness nodded) 18 Q. -- expect Fujitsu's first line support to link 19 it to NBSC -- 20 A. To then liaise with the NBSC, yes. 21 Q. Did it to your knowledge, the NBSC, have any 22 form of remote access? 23 A. I don't believe so but I never had a lot to do 24 with that and I don't think I ever had anything 25 to do with that environment. 31 1 Q. Can we turn, then, to second line support and go 2 forward to paragraph 17 of your witness 3 statement, please. Thank you. 4 You tell us that second line support was 5 provided by the System Management Centre, the 6 SMC, and you describe, non-exhaustively, a list 7 of its responsibilities. Where was the System 8 Management Centre based? 9 A. Also Stevenage. 10 Q. Did it, the System Management Centre, have any 11 form of remote access, however so defined? 12 A. Yes, they did, via -- 13 Q. What was the extent of it? 14 A. I can't remember all of the things they were 15 able to do but it was, as I mentioned, I think, 16 in my witness statement, it was via Tivoli 17 scripts, as they were called, which would 18 perform particular actions on parts of the 19 Horizon System. 20 Q. What was, in general terms, the purpose of the 21 SMC performing those functions via Tivoli? 22 A. Just general support of the Horizon service. 23 Q. What do you mean by "general support"? What was 24 their access and what were they doing that you 25 didn't do in third line? 32 1 A. The nature of the scripts they had was to 2 perform very tightly controlled specific 3 actions, and I can't remember a great deal of 4 them. I can't really give you a list of those 5 things. 6 Q. Can we turn to third line support, then, the SSC 7 itself. That witness statement can come down. 8 Thank you. 9 Can we look at a document, please, 10 FUJ00120446. 11 This is the ICL Pathway "CS Support Services 12 Operations Manual", version 2. Can you see that 13 from the top? 14 A. I can. 15 Q. It's dated, we can see, 29 January 2001, and we 16 can see a description of the document in its 17 "Abstract": 18 "This is the top level procedures document 19 describing the activities carried out by the 20 Support Services Unit within ICL Pathway 21 Customer Service." 22 Just on that description of support services 23 unit, what did that refer to? Is that the SSC 24 or is it something greater than that? 25 A. I don't remember the SSC ever being described 33 1 that way but, given that it's CS support 2 services and Peter Burden wrote it, it could be 3 describing any of the units SSC, MSC, et cetera. 4 Q. Okay, so it's a group of support -- 5 A. I would assume so, yes. 6 Q. Including the SSC? 7 A. Yes, I would assume so, yes. 8 Q. I think we can see at the foot of the page, the 9 distribution list. It was distributed to the 10 SSC manager which by this time, January 2001, 11 would have been you? 12 A. Not in 2001, no. That would have been Mik 13 Peach. 14 Q. No, I'm so sorry, Mr Peach -- 15 A. Yes. 16 Q. -- and you were his deputy? 17 A. Yes. 18 Q. Thank you. Can we go to page 8, please, and 19 paragraph 4.1. If we just scroll up a little 20 bit so we can see the heading. A little bit 21 more, "system Support Centre": 22 "This section of the manual describes the 23 operations and responsibilities of the SSC." 24 You'll see under the "Overview" it sets out 25 an overview of the tasks of the SSC covering the 34 1 responsibilities of the SSC both to the lower 2 and upper levels of support; can you see that? 3 A. I can. 4 Q. If we scroll down, please, to 4.1.1. It lists 5 the responsibilities of the SSC to the first and 6 second line limbs of support ie looking 7 downwards. You'll see from number 5 that one of 8 the SSC's responsibilities was to: 9 "Ensure that the incident is resolved within 10 the total time allowed by the contract between 11 the customer and Pathway." 12 So that means ensure the incident is 13 resolved within the total time allowed by the 14 contract between the Post Office and Fujitsu? 15 A. Yes, that's right. 16 Q. Were there any SLAs, service level agreements, 17 that you were aware of that set out the total 18 time allowed by the contract for the resolution 19 of incidents? 20 A. There were targets for the resolution of 21 incidents. I don't remember there ever being 22 any SLAs. 23 Q. Where were the targets recorded? 24 A. I remember there being documents with them in 25 but I couldn't point you to them immediately. 35 1 Q. So, even if there wasn't an SLA, there were, 2 nonetheless, targets which placed the 3 responsibility on the SSC to make sure that 4 Fujitsu's contractual obligations to the Post 5 Office were met in terms of timeliness? 6 A. In terms of timeliness, yes. 7 Q. That responsibility included responsibility on 8 the SSC to ensure that first and second line 9 support met such targets too, did it? 10 A. I don't remember a particular text on that but, 11 I mean, certainly the SSC would assist first 12 line, second line, to ensure that they could 13 resolve their incidents, yes. 14 Q. Was the meeting of those targets an important 15 driver to the work of the SSC? 16 A. I wouldn't describe it as an important driver. 17 I would describe it as a means of measuring the 18 effectiveness of the SSC, yes. 19 Q. How was it monitored? 20 A. Mik Peach actually produced statistics on the 21 SSC's processing of incidents, and reported them 22 back via various means, including a web-based 23 portal. 24 Q. Reported them to whom? 25 A. It would have been reported to both -- well, it 36 1 would have been reported initially into the 2 Fujitsu structure, so the service managers and 3 Mik's immediate superior, and the development 4 teams, et cetera. I mean, it was a generally 5 available measure within Fujitsu. 6 Q. When you took over in 2010, did you do that? 7 A. By 2010, we were relying more on the automatic 8 generation of that information via PEAK. 9 Q. Were you aware of contractual penalties for 10 failure to meet such targets? 11 A. Not targets on general incidents through the 12 SSC. There were SLAs on other parts of the 13 service, which the SSC would be involved in 14 processing incidents for. 15 Q. Were you aware of contractual penalties 16 concerning those? 17 A. Yes, I was. 18 Q. Did they have an impact, an important impact, on 19 the work of the SSC? 20 A. They had an impact on the work of the SSC in 21 determining priorities applied to the workload 22 as it came in, yes. 23 Q. Was there a desire to close incidents in order 24 to meet such targets? 25 A. No. I mean, we would want to close incidents 37 1 when we get to the root cause, not just in order 2 to fulfil timescales. 3 Q. If we go over the page, please, to 4 subparagraph 7, thank you. One of the 5 responsibilities of the SSC at 7 was to: 6 "... create and maintain a register of known 7 deficiencies within the Pathway system and the 8 solution to these problems, where known." 9 At 8, the SSC was to: 10 "... allow HSH [which we've been calling 11 HSD] and the SMC access to this register so they 12 can fulfil their function of filtering out known 13 errors." 14 Was that obligation essentially fulfilled 15 through KEL? 16 A. Yes. 17 Q. How were HSH required to use the KEL system to 18 filter out known errors? 19 A. Don't quite understand the question. I mean, 20 the -- 21 Q. How would first line support use KEL to filter 22 out known errors? 23 A. In the same way that third line support would 24 use the actual KEL, by specifying keyword 25 searches to retrieve relevant KELs. 38 1 Q. So, when you retrieved the relevant KEL, how was 2 it used to filter out known errors, as this 3 document describes it? 4 A. By examining the text in there and matching it 5 to the symptoms that were presented in the 6 incident and making a technical decision, 7 whether or not it was the same problem. 8 Q. In what respect is that filtering out known 9 errors? 10 A. It would -- it's filtering out known errors in 11 that it wouldn't be necessary then for the HSH 12 to forward that incident through the -- upwards 13 through the support chain. They would recognise 14 that that incident is already known about, there 15 is already a solution to it and, hence, they 16 wouldn't need to actually forward it -- forward 17 it on. 18 Q. Was there, over time, a tendency by first line 19 support to escalate issues to the SSC 20 inappropriately when, in fact, there was a fix 21 in a KEL? 22 A. That sort of thing always happens to some 23 degree. I wouldn't describe the HSD's 24 forwarding as being any worse or better than 25 like anything else. I mean, you always get some 39 1 instance whereby a previous level of support 2 will miss a known error and fail to filter it. 3 Q. Was there any pressure placed by the SSC on 4 first line support not to escalate issues by 5 reference to the KELs? 6 A. There would be meetings where we would 7 occasionally discuss particular issues and 8 assist the HSH in fulfilling their filtering 9 responsibilities. There would be -- that would 10 be an ongoing process. 11 Q. If we go down the page, please, to the SSC's 12 responsibilities to fourth line support. It 13 says: 14 "The responsibilities of the SSC to fourth 15 line support [so looking upwards] are ..." 16 Then it sets them out over 13 subparagraphs. 17 Paragraph 2 places an obligation on the SSC: 18 "... to filter out all calls for which the 19 problem is already known to the support 20 community and for which a solution is already 21 known or has been generated. This includes 22 problems for which the SSC knows a resolution 23 but has not yet incorporated the resolution into 24 the KEL." 25 Is that right? 40 1 A. Yes, that is right. 2 Q. At 3, there was: 3 "... a responsibility to retain to you 4 duplicate incidents in the PinICL systems and 5 ensure that when the resolved incident is 6 received by the SSC, the duplicated calls are 7 closed. Duplicates incidents are repetitions of 8 an incident that has already been passed to 9 fourth line support." 10 Yes? 11 A. Yes, indeed. 12 Q. Then over the page, please, at 11. The SSC is 13 required to: 14 "... ensure that for any code error 15 a probable solution is indicated prior to 16 passing the incident to fourth line support and, 17 wherever possible, the proposed solution has 18 undergone limited testing." 19 Was the SSC under pressure to avoid passing 20 problems up to fourth line support? 21 A. No, I mean, if we identified a new issue, then 22 it would be passed on to the fourth line. 23 Q. So if a problem was resolved under existing KEL 24 guidance, that wouldn't be passed up? 25 A. It shouldn't be, no. 41 1 Q. If there was insufficient evidence of a system 2 fault, that wouldn't be passed up, would it? 3 A. It shouldn't be, but I would caveat that by 4 saying that, in some cases, we may want to talk 5 to development about a fault in order to see if 6 they could give us any help with ways to 7 identify what the fault was. 8 Q. Might that take place on an informal basis? 9 A. It would be on an informal basis, yes. 10 Q. But if no fault with the system could be 11 positively identified, that would be written up 12 as a user error, wouldn't it? 13 A. Not necessarily user error. User error was just 14 a categorisation. 15 Q. If no fault in the system could be identified, 16 what was the code for closing the incident then? 17 Was there a code which said, "No fault can be 18 identified but do not categorise this as a user 19 error; the position is simply unknown"? 20 A. Without referring to a document, I can't 21 remember all of the closure categories. 22 Q. If there was insufficient evidence of a fault or 23 no evidence of a fault, would that be referred 24 back to the subpostmaster sometimes for more 25 information or evidence? 42 1 A. Yes, it would. 2 Q. What would happen if the subpostmaster couldn't 3 produce any more information or evidence? 4 A. If the information we had was inadequate to 5 diagnose what the problem was then that call 6 would have to be closed but that would only be 7 done after we've exhausted any lines of enquiry. 8 Q. Who would be chasing those lines of enquiry? 9 A. Occasionally I would expect the postmaster, 10 maybe, or a Problem Manager. 11 Q. When you refer to the Problem Manager, who are 12 you referring to then? 13 A. Well, it's part of the problem management 14 process, which was used within the support 15 chains, which is that if you get multiple 16 incidents with potentially the same root cause, 17 then a Problem Manager would start to collate 18 those and progress the problem. 19 Q. Where did the Problem Manager sit within the 20 four lines of support? 21 A. There would be -- the Problem Manager function 22 would be within all of the Service Delivery 23 Units so there would be a function for that 24 purpose within HSH or within, like, other teams. 25 Q. Within the SSC? 43 1 A. Problem management would also happen within the 2 SSC, yes. 3 Q. That's a different issue. Problem management 4 may also happen within the SSC, that's small 5 "p", small "m". 6 A. Yes, understand. 7 Q. You were referring to the Problem Manager which 8 I interpreted to mean a capital "P" and 9 a capital "M". Was there a person within each 10 of the four lines of support who was called 11 a Problem Manager? 12 A. I can't be sure because the theory is the 13 problem can be raised by, like, anybody. So 14 there's a problem initiator within the process. 15 I can't -- I think the Service Delivery Managers 16 just also performed the function of Problem 17 Manager. So, I mean, that was certainly true in 18 my case: as a Service Delivery Manager for the 19 SSC, I would also occasionally take on the role 20 of a Problem Manager. 21 Q. You're talking there about collecting or 22 collating, bringing together into a basket 23 a series of problems of the same or a similar 24 nature. 25 A. Correct. 44 1 Q. You said occasionally you would do it. 2 A. Correct, yes. 3 Q. Was there a systematic and/or written policy 4 that prescribed how this would be done? 5 A. Yes, there was. 6 Q. How would it be done, then? You get a PinICL 7 that is escalated or a PEAK that's escalated to 8 SSC? 9 A. Yes. 10 Q. The first one that they've seen. 11 A. Yes. 12 Q. It's dealt with by SSC diagnostician number 1, 13 on their shift. A week later another one comes 14 in to diagnostician 2. Another problem comes in 15 to HSH, doesn't get escalated for one reason or 16 another. Week 4, a problem of a same or similar 17 nature comes into diagnostician 4. How are they 18 all collected together in a basket? What was 19 the system for linking them? 20 A. Within the SSC, it would be recognised by the 21 fact a KEL has been raised with an incident 22 reference on it, and then any -- as further 23 incidents come in, which reflected the same 24 KEL -- 25 Q. Hold on. That assumes that the problem that 45 1 you're confronted with is a known error. 2 A. If it's got as far as the SSC, then we would 3 have raised a KEL for an incident, even if we 4 hadn't necessarily been able to get to the 5 bottom of it. 6 Q. So Known Error Logs were raised in respect of 7 unknown errors? 8 A. Where we could say -- yes, yes. 9 Q. So were they called "Unknown Error Logs"? 10 A. No. 11 Q. So what was the effect of raising an unknown 12 error on a Known Error Log, then? 13 A. The effect would be to allow visibility of the 14 fact this problem has happened before, the steps 15 taken. 16 Q. So in my example, week one, diagnostician one, 17 gets a new error that hasn't been seen before. 18 They create a KEL for that, do they? 19 A. (The witness nodded) After investigation, yes. 20 Q. Yes. And they can't find what the fault is -- 21 A. Yes. 22 Q. -- and the incident is closed? 23 A. Yes. 24 Q. Week 2, somebody calls in with what is, in fact, 25 the same or a similar problem. 46 1 A. Mm-hm. 2 Q. How is that linked to what happened the week 3 before? 4 A. By virtue of searching the KEL and finding the 5 information on there. 6 Q. How does one search a KEL or the KEL system? 7 A. You use technical knowledge to define 8 a series -- one or more keywords which describe 9 the problem and then put those into the KEL 10 system, and they may be combined with -- the 11 various terms can be combined together that they 12 should all be present or just some of them 13 present. The system would return a series of 14 matching KELs in a priority order of how well 15 they matched the criteria and then the 16 diagnostician would then look and examine each 17 one further to see if it matches the incident 18 they are working on. 19 Q. We can take the document down from the screen. 20 Thank you. 21 We're going to hear some evidence from 22 Mr Peach, Mik Peach, next week, assuming he 23 gives evidence in accordance with his witness 24 statement, that the KEL system was written 25 primarily by you; is that correct? 47 1 A. Yes, it is. 2 Q. So you wrote the code for it, did you? 3 A. I wrote the code for it until other people took 4 over later on. So I think currently, and 5 certainly while I was managing the unit, John 6 Simpkins enhanced the KEL and it was -- it 7 wasn't just me. I mean, other people provided 8 parts of the development effort for the KEL at 9 various times. 10 Q. You mentioned, essentially, a search function 11 within it -- 12 A. Yes. 13 Q. -- that would return a series of hits -- 14 A. Yes. 15 Q. -- essentially on relevance grounds. 16 A. Yes. 17 Q. Is that right? 18 A. Yes. 19 Q. Was what was searched the entirety of the text 20 of the KEL -- 21 A. Um -- 22 Q. -- or was it the subject line or the summary 23 line? 24 A. No, it was the entirety of the text. 25 Q. So every single word on the KEL, there was 48 1 essentially a free text search of all of those 2 KELs? 3 A. I'll clarify that slightly. It was a free text 4 search of the symptoms, the problems and the 5 solution. There were certain fields on there 6 like release number or other specific criteria 7 like that, which I don't -- which were not part 8 of the free text search. 9 Q. Was there any system of auditing or monitoring 10 to ensure that information recorded on a KEL was 11 accurate and enabled future free text searching 12 to occur appropriately? 13 A. There was when the KELs were created outside the 14 SSC. So the SSC would perform an approval 15 function when a KEL had been written outside the 16 SSC. Within the SSC it would just be 17 discussions amongst peers about "You raised this 18 KEL, I would suggest this wording change", 19 et cetera. 20 Q. The Inquiry has heard some evidence that not all 21 problems that were called in were, on searching 22 the KEL system, returned by the -- or matched 23 with the appropriate KEL and that, where there 24 were KELs in place, these were not always 25 spotted by those who were handling the PinICLs 49 1 or the PEAKs. Did anyone ever examine how the 2 KEL system was operating in practice? 3 A. We certainly didn't do any monitoring of how 4 the -- ongoing monitoring of how the KEL system 5 was working in practice. We would expect that 6 if somebody found, or a KEL that they had 7 a problem with, they would either change it 8 themselves and we would approve it, or they 9 would contact us to have a KEL changed. 10 Q. Were KELs accessible to the Post Office? 11 A. No. 12 MR BEER: Thank you. 13 Sir, that would be an appropriate moment to 14 take a break before we look at some example KELs 15 to see the system working in practice. 16 SIR WYN WILLIAMS: All right, what time shall we 17 start again? 18 MR BEER: 11.30, please. 19 SIR WYN WILLIAMS: All right, that's fine. 20 MR BEER: Thank you, sir. 21 (11.15 am) 22 (A short break) 23 (11.30 am) 24 MR BEER: Sir, good morning, can you see and hear 25 me? 50 1 SIR WYN WILLIAMS: I can indeed. 2 MR BEER: Thank you. Mr Parker, we were going to 3 look at some example KELs to see the system 4 operating in practice. Can we start, please, 5 with FUJ00059025. Thank you. This is a KEL 6 which advised on how to reboot and reload 7 a counter. You can see that it was raised by 8 a Pat Carroll on 15 June 1999 and was last 9 updated by you on 28 January 2004. 10 If we just look at the "Problem": 11 "Counters are being rebooted or reloaded by 12 switching off the base unit and this may 13 prejudice the integrity of the messages held on 14 the counter making the possibility of 15 an altogether more serious and resource 16 consuming failure greater." 17 Now, the Inquiry has heard evidence so far 18 of subpostmasters being advised to reboot as 19 a response to their suggestion that they think 20 that there is a problem with the system, which 21 is causing a discrepancy in data. Was that 22 advice that you knew was given, just switch the 23 system on and off again or reboot the system? 24 A. To my mind, they are two different things, 25 rebooting the system, I would have expected the 51 1 Control Alt Del method to be used because that 2 is a tidy way of doing it. I wouldn't have 3 expected people to just turn on and turn off 4 base units because there are some risks inherent 5 with any computer system if you do that. 6 Q. This records counters being rebooted or reloaded 7 by switching off the base unit? 8 A. Yes, it does, yes. 9 Q. That's the wrong thing to do, is what you're 10 saying? 11 A. Yes. 12 Q. It says that this may prejudice the integrity of 13 messages held on the counter. In what way might 14 it prejudice the integrity of messages held on 15 the counter? 16 A. Simply turning off a computer system with 17 a spinning disk-drive in it can cause failures 18 in the disk storage. 19 Q. So, essentially, this KEL is saying that some 20 subpostmasters were rebooting in a way that 21 would cause new problems or could cause new 22 problems? 23 A. Which could cause new problems, yes. 24 Q. What would the "altogether more serious and 25 resource consuming failure" be? 52 1 A. I don't remember exactly why that sentence or 2 that ending of the sentence is on there. My 3 interpretation of it is you would get a symptom, 4 which was known as a CRC error which was a disk 5 error, which could prevent the application from 6 working. It would -- in fact, I believe, if 7 I remember correctly, it would stop it dead. 8 Q. So a total shutdown? 9 A. It wasn't a total shutdown but the underlying 10 system would just stop. 11 Q. Is that the altogether more serious issue that's 12 referred to, do you think? 13 A. That's all I can assume. As I say, I don't 14 remember the exact reason that final part of the 15 sentence was put on there. 16 Q. So presumably, given the contents of this KEL 17 that message would have been passed out to all 18 subpostmasters who were using Horizon, "Don't 19 reboot or reload your system by switching off at 20 the base unit; always reboot using control, alt, 21 delete keys?" 22 A. I would expect that to have happened, yes. 23 Q. How would your expectation have been carried 24 into reality? This KEL is sitting within the 25 SSC, saying, "This is the problem, this is what 53 1 happens if the subpostmaster does the wrong 2 thing". How would that -- these words in the 3 KEL get translated into an estate-wide message 4 to subpostmasters? 5 A. My recollection is sketchy but I believe this 6 particular problem was notified directly to the 7 HSH in order to ensure they were giving out that 8 particular advice. I'm not sure exactly how it 9 was communicated to the Post Office because that 10 wouldn't have been something I was involved in. 11 Q. Who would have been involved in it? You've got 12 a KEL that's saying there's a problem here, and 13 there are serious consequences for 14 subpostmasters if they do something. What was 15 the system to ensure that they didn't do that 16 something? 17 A. I would expect that either the SSC on raising 18 the KEL would have told one of the service 19 managers responsible for that part of the 20 service and that would have then been like 21 onwards -- onward communicated as appropriate to 22 the Post Office, is one route. The other would 23 be direct contact from HSH on to the Post 24 Office. I would expect the former to have been 25 more likely. 54 1 Q. Where would we find a record of that? Because 2 there's nothing on this KEL to suggest -- 3 A. Understand. 4 Q. -- that happened. 5 A. Mm. 6 Q. Where would we find evidence? 7 A. I don't know how the service managers recorded 8 that kind of thing. 9 Q. When you say, "The service managers" who are you 10 referring to there? 11 A. There were a number of service managers 12 responsible for different parts of the Horizon 13 service and they were within Fujitsu, and so we 14 would have -- it would have been via one of them 15 that that information was actually relayed to 16 the Post Office. 17 Q. We've got on this Pat Carroll and you? 18 A. Yes. 19 Q. How would these service managers have learnt 20 from this KEL that that's what they needed to 21 do? 22 A. We -- a member of the SSC, probably Mik, would 23 have gone to see them. 24 Q. So Mik would -- when you say gone to see them, 25 spoken to them, emailed them, or seen them 55 1 face-to-face? 2 A. Probably seen them face-to-face. They were 3 mainly based in the same building. 4 Q. What I'm trying to uncover is what was the 5 system for communicating known faults with 6 Horizon back to the subpostmaster community? 7 A. We had no means to -- we had no means to do 8 that. 9 Q. Did anyone, to your knowledge, in your 22 years 10 in the SSC, think there's an issue with that? 11 There's a problem with that? 12 A. If there was a serious problem, then it would go 13 via problem managers to the Post Office. If it 14 was a minor issue, then the existence of the KEL 15 would be recognised by HSH when postmasters 16 called in and the guidance would be given 17 directly to them at that time. 18 Q. That's after the problem has occurred? 19 A. It is. Yes. 20 Q. That's no good, is it? 21 A. It is -- for minor incidents, I think it is 22 adequate. For major things, no, but it would 23 have then gone via problem managers. 24 Q. Where does this sit in your spectrum of minor to 25 major? 56 1 A. If -- and I don't remember whether the turn off 2 at counter advice was being given by HSH. If it 3 was being given by the Helpdesk then I would 4 consider it to be a major problem. 5 Q. Was there any record kept or system operated 6 that said "We've got a problem that we've 7 identified here in the SSC, there needs to be 8 the following contact with the following parts 9 of Fujitsu or the Post Office to ensure that the 10 right people know to cascade a message back to 11 subpostmasters. We are not going to do it on 12 this occasion because it's a minor problem. We 13 are going to do it on this occasion because it's 14 a major problem"? 15 A. That would go via service managers. 16 Q. The service manager here is somebody in the SSC? 17 A. No, it's an external group -- no, sorry, 18 external is wrong -- external to the SSC, 19 internal to Fujitsu, group of people who had 20 responsibility for various parts of the service. 21 Q. So to take this one as an example, which part of 22 the system or service did this concern and to 23 which service manager should this have gone? 24 A. This bit of advice concerns the counter. 25 I cannot remember which service manager that 57 1 was. 2 Q. So was there a record kept in the SSC to say, 3 "We've passed this on to service manager X or 4 service manager Y for cascading", as I call it? 5 A. That would be potentially recorded in SSC period 6 reporting. 7 Q. What is SSC period reporting? 8 A. That is reporting live generated on a monthly 9 basis to service managers and other parts of the 10 Horizon environment on the activities of the 11 SSC. 12 Q. So like a performance report? 13 A. There was performance data in there, yes. 14 Q. Can we move on, please, to FUJ00058645. You'll 15 see that this is a KEL and appears to be 16 concerning an early issue with a Riposte bug. 17 The KEL was raised by Bob Foster on 4 July 2000 18 and was last updated by you on 28 September 19 2000. 20 You'll see from the "Problem" that a person 21 called -- well, let's read it: 22 "This message relates to the Riposte 23 programs node identifier which identifies the 24 counter within that office ie node:1 for the 25 gateway node:2 for counter 2 and so on. The 58 1 Invalid Node ID event is caused from an incoming 2 message arriving from a neighbour and Riposte 3 detecting that node ID is invalid. The 4 subsequent event 'network message received from 5 an unknown source' is likely to refer to the 6 same message. Mark has spoken with Escher 7 regarding this problem." 8 Just stopping there, the "Mark" referred to 9 there, would that be Mark Jarosz? 10 A. I would think so. He was generally the person 11 who would speak directly with Escher at this 12 time, yes. 13 Q. "His understanding is that isolated occurrences 14 of this event (that is not once per message 15 received from the Correspondence server), are 16 likely to be caused by a bug in Riposte. 17 Unfortunately without a reproducible case it is 18 very difficult to progress this problem. His 19 ..." 20 Would that be Mark's recommendation? 21 A. That would be my assumption yes. 22 Q. Rather than Escher's? 23 "... is that we do not pursue any attempts 24 to reproduce this problem with Riposte 5.4 ..." 25 That is a release, is it? 59 1 A. It is. 2 Q. "... rather, we wait to see if it still happens 3 with Riposte 6 ..." 4 That's another release? 5 A. It is. 6 Q. "The two reasons for this recommendation are (1) 7 The connection protocol has changed 8 significantly at Riposte 6 and hence so has 9 maintenance of connection state. Therefore the 10 problem may have been solved. (2) The 11 relatively low frequency of an occurrence, [less 12 than] 10 per day, is mostly benign. Mark will 13 review the provision of additional diagnostics 14 information in Riposte 6 with Escher to 15 facilitate diagnosis of problems with connection 16 state." 17 So would it be right that the effect of this 18 bug was that messages could be discarded? 19 A. I don't remember enough about it. I was never 20 a counter specialist, so I can't really give you 21 any good technical detail on that. 22 Q. Reading or rereading the problem there, can you 23 tell from that that one of the consequences of 24 the bug appear to be the discarding of messages? 25 A. I can't be sure. 60 1 Q. Scrolling down to "Solution": 2 "These events" -- 3 A. (The witness laughed) 4 Q. -- "indicate that a message has been discarded." 5 A. Right. 6 Q. "Advice from Mark Jarosz is that given the small 7 number of messages are being discarded we should 8 treat this event in the same manner as the 9 'network message from an unknown source'. That 10 is relatively benign but we need to solve it 11 should it be seen at Riposte 6." 12 So, looking at that, it would seem that the 13 effect of the bug was the discarding of 14 messages; yes? 15 A. That's what it says indeed. 16 Q. It's described as relatively benign. Do you 17 know what that means? 18 A. I can only assume that -- my assumption from 19 that would be that, because of the -- that some 20 messages are just not important to the operation 21 of the system. So, therefore, some of them 22 being discarded may be relatively benign. 23 I can't really help you, like, any more than 24 that. 25 Q. The "Evidence" section at the foot of the page: 61 1 "None required for CI3 counters. Should 2 this occur in a data centre or CI4 counter then 3 please raise a call with the SSC and obtain 4 event logs from the system reporting the error." 5 So is that saying only raise calls in the 6 case of CI4 counters? 7 A. It is, yes. 8 Q. What would happen to the CI3 counters, then? 9 A. Then the inference here is that no calls would 10 be forwarded to us for seeing the same thing on 11 a CI3 counter. 12 Q. So it's telling the lower levels of support for 13 CI3 counters "Don't send them to us"? 14 A. Yes. 15 Q. Why was that? 16 A. From the previous advice from Mark, that it's 17 relatively benign, it's going to -- it's likely 18 to be fixed or at least the nature of it changed 19 in the next version of Riposte being delivered. 20 I have no way of knowing the proximity of that 21 delivery. If it was going to happen that week, 22 then probably you're just not going to see 23 a great deal of issues. If that release is not 24 being delivered for six months, then it would be 25 a -- I think it would be something which you 62 1 would see more issues from. 2 Q. So essentially a wait and see approach was being 3 taken. This was essentially a problem for 4 Escher, "Let's see whether their release fixes 5 it"? 6 A. That's my reading of it, yes. 7 Q. Was the SSC and Fujitsu, more generally, 8 significantly reliant on Escher? 9 A. For the Riposte messaging part of the service, 10 yes. 11 Q. Was the Riposte messaging service a critical 12 element of the system? 13 A. Yes. 14 Q. Was that a source of frustration? 15 A. No, I wouldn't -- I wouldn't describe it that 16 way. Any issues that needed to be communicated 17 to Escher would go via Mark to Escher and we 18 would get answers back. So I wouldn't describe 19 it as a -- something that was particularly 20 frustrating. 21 Q. Did it limit the ability of the SSC to 22 understand the root causes of any bugs because 23 such knowledge was vested in Escher? 24 A. No, Escher -- yes. Sorry, Escher would give us 25 information when requested, they gave us 63 1 training when requested. They were just another 2 supplier into the Horizon service, really. 3 Q. So were they, to your understanding, an open and 4 transparent subcontractor? 5 A. I didn't have enough dealings with them to make 6 that judgement. 7 Q. Were, to your knowledge in the 22 years that you 8 worked in the SSC, there ever any problems with 9 Escher or was it a smooth and harmonious 10 relationship? 11 A. I can't remember any particular -- any 12 particular issues. 13 Q. The Inquiry heard evidence last week from 14 Mrs Anne Chambers that a problem with the KEL 15 system was that service tickets would be passed 16 to the SSC with the wrong KEL quoted on them. 17 Was that a problem of which you were aware? 18 A. Yes. 19 Q. Was this escalated as a difficulty within 20 Fujitsu? 21 A. It wasn't escalated as a difficulty within 22 Fujitsu but, I mean, it would be the subject of 23 discussion between the SSC and the HSH, both to 24 point out to them where they may have found 25 an incorrect KEL and/or for us to improve KELs 64 1 to ensure that they were much easier for HSH to 2 find. 3 Q. So what was done to rectify the problem with the 4 use of the KEL system, then? 5 A. It was an ongoing process of discussion between 6 the various lines of support. 7 Q. Ongoing until you retired? 8 A. At various times, yes, I think that was probably 9 true. 10 Q. Did that indicate to you that there was 11 a structural or systemic problem here? 12 A. No. 13 Q. Why not? 14 A. Because -- 15 Q. The same problem comes up for 22 years? 16 A. It's the same category of problem, it's not the 17 same problem. I mean, the interpretation of the 18 information on a KEL is down to the person 19 reading it. If we found a situation where that 20 interpretation was consistently wrong, we would 21 fix it. We would change the KEL to ensure that 22 it was better understood by other support units. 23 Q. That assumes that the problem lies with the 24 content of the KEL? 25 A. It does. Correct. 65 1 Q. Was that always the problem -- 2 A. No, it -- 3 Q. -- the way that the SSC were writing their KELs? 4 A. No, that was not always the problem. It was 5 also true that sometimes the HSH technician 6 could be using search terms which were too broad 7 or were incorrect. 8 Q. Mrs Chambers also gave evidence that the SSC at 9 third line and Development at fourth line did 10 not always know how many branches had reported 11 a particular problem that was the same or 12 similar because tickets were not escalated up to 13 the SSC; they had been stopped, intercepted at 14 a lower level. Was that a known issue in your 15 time at the SSC? 16 A. It -- I wouldn't describe it as an issue. 17 I mean, that was a function of the problem 18 management part of the service. 19 Q. So it wasn't a problem that the SSC didn't know 20 the extent and severity of a problem because 21 calls were not being escalated to it? 22 A. The previous level of support, or the HSH, would 23 be recording on master calls the prevalence of 24 the same issue being logged and, if they deemed 25 that there was a significant problem there, then 66 1 they would escalate it through the problem 2 management process. 3 Q. How would they know, in HSH, the extent or 4 prevalence of an issue that was, in fact, 5 a system problem that was the same or similar? 6 A. From having knowledge of the KEL, associating it 7 with a master call, hearing the postmasters or 8 other source of information bringing up the same 9 issue again. 10 Q. What if all the subpostmaster could say is that 11 "I've got an unexplained discrepancy"? 12 A. That's such a wide explanation -- sorry, that's 13 such a wide description of the symptoms that we 14 would then have to go back to them and get them 15 to describe it in greater detail, or rather the 16 HSH or NBSC would. 17 Q. Can we turn to paragraph 57 of your statement, 18 please, which is on page 19. Paragraph 57, you 19 say: 20 "The 2nd line support groups were expected 21 to answer any incidents with their operating 22 remit (for example all user or known errors). 23 They were also expected to send only one example 24 of a suspected new software fault to 3rd line, 25 retaining any duplicates at 2nd line for closure 67 1 once the main incident was resolved." 2 Why was that the system? 3 A. Because you don't want to flood third line with 4 multiple incidents of the same sort. 5 Q. Even though the prevalence of the same fault 6 would be important information for the SSC to 7 have to ascribe a seriousness or criticality? 8 A. We could obtain that information from the line 9 of support, which was tasked with retaining that 10 particular type of incident. 11 Q. Did that happen? 12 A. Yes, it did. 13 Q. You would look back to second line and say, "How 14 many incidents of this nature have you got" -- 15 A. Yes. 16 Q. -- "so we can ascribe a value to how important 17 this is"? 18 A. Yes. It would -- or they would occasionally, 19 literally ring up saying, "Look, we've had now 20 75 of these things, we see it as a major issue". 21 Q. Wouldn't knowing the range of ways in which 22 a suspected new software fault had occurred be 23 relevant information? 24 A. It may be, depending upon the type of fault 25 being investigated, in which case we could go 68 1 back to SMC, HSH, and say "Right, give us all of 2 the references for duplicate calls so we can 3 have a look through them and get extra detail 4 from them". 5 Q. How would you know whether asking for sight of 6 the duplicates would assist you or wouldn't 7 assist you? If you didn't have -- 8 A. It would depend on the nature of the problem. 9 If we have analysed an incident and managed to 10 get to the root cause of it, then clearly there 11 is no usefulness in, like, analysing further. 12 If we have not got to the root cause of it, then 13 it would be worthwhile to gather details of 14 other incidents so that we could examine the 15 evidence on them to help us get to the root 16 cause. 17 Q. If we go forwards to paragraph 69 of your 18 statement, please, which is on page 22. Can we 19 scroll down. You say: 20 "When the root causes of problems were 21 identified, the SSC would check the Horizon 22 System for the fingerprint left by the problem 23 and identify which outlets were impacted." 24 Was that done in each and every case with 25 every bug? 69 1 A. It would depend upon the nature of the bug. For 2 anything -- certainly for any bug with 3 a financial impact, yes. 4 Q. How would you know whether a bug did or didn't 5 have a financial impact -- 6 A. By the -- 7 Q. -- in all cases? 8 A. By the root cause analysis of the bug, we would 9 know that this does or does not have a financial 10 impact. 11 Q. The first line of paragraph 69 reads as if, for 12 all cases in which a root cause was identified, 13 the SSC would check the system to see how 14 prevalent the fault was and how many branches it 15 impacted. Was that only done in cases where 16 there was an assessment that it had a financial 17 impact? 18 A. I would probably revise that to say "major 19 problems". So something with a significant 20 impact to service would always be traced back to 21 determine where that impact was. 22 Q. You just said something with a significant 23 impact to service would always be traced back to 24 determine where that impact was. The question 25 I'm asking is: did you determine how wide 70 1 an impact a fault had? How would you know how 2 wide an impact a fault had without looking? 3 A. You wouldn't know without looking that is true. 4 On the -- a root cause analysis would tell you 5 exactly which type of service would be impacted 6 by this. By the criticality of that service, 7 you could then understand how serious this was, 8 and you could then go back and search and find 9 where that impact had been seen. 10 Q. Who would make the decision on whether the 11 impact on the subpostmaster community was 12 significant enough or not to investigate the 13 impact on the subpostmaster community? 14 A. Generally it would be a member of the SSC or 15 a service manager. 16 Q. Again, you referred to a service manager there. 17 That would be the person that was responsible 18 for the bit of the estate that had gone wrong? 19 A. Correct. And I would add that that -- I would 20 expect that service manager to be in contact 21 with and -- Post Office as well, over that 22 issue. I forgot to mention that in my previous 23 comment. 24 Q. Why would you expect the service manager to be 25 the person in contact with the Post Office to 71 1 make a decision on how wide an impact a fault 2 had on the live estate? 3 A. Because that was one of the responsibilities of 4 their role: to be liaison with a similar -- 5 similarly situated representative of the Post 6 Office. 7 Q. Can we go back to paragraph 60, please, which is 8 at the foot of page 20. You say, "The use of 9 response codes"; can you assist us with what 10 a response code was, please? 11 A. A response code was the numeric representation 12 of a particular response text. So you mentioned 13 earlier user error, that would have a particular 14 number. 15 Q. A closure code, like 4039, whatever? 16 A. Yeah. 17 Q. You say: 18 "The use of response codes as a measure of 19 support effectiveness could also lead to 20 inappropriate response codes being used in order 21 to be 'be kind' to, or prevent contention with, 22 other lines of support. For example, 'Advice 23 after investigation' being used in preference to 24 'No fault in product' or 'Advice and [advice] 25 given'." 72 1 Are you saying that people in SSC used 2 an incorrect response code in order to be 3 generous to their colleagues in first and second 4 line support? Have I read that right? 5 A. The use of a response code is always subjective 6 to the person but, yes, I mean, you are right. 7 Sometimes response codes would be used, 8 I believe, inappropriately in order to not cause 9 contention. 10 Q. What do you mean by "cause contention"? 11 A. The various lines of support would -- one of the 12 measures of their service would be what volume 13 of calls they managed to filter out and stop 14 going to the next line of support, and 15 a response code on a returning incident is part 16 of that measure. 17 Q. Were duplicates part of that measure, 18 ie inappropriately passing up duplicates? Were 19 they considered black marks and counted against 20 second line support? 21 A. Yes, they were. 22 Q. Can we turn to the issue of remote access and go 23 back to FUJ00120446. You remember we looked at 24 this earlier, the operations manual dated 25 29 January 2001. Can we go to page 14, please 73 1 and look at paragraph 4.3. Under "Operational 2 change", it records that: 3 "The SSC has access to the live system which 4 can be used to correct data on the system when 5 this has been corrupted in some way. The 6 procedure for doing this is as follows ..." 7 It then describes a process for authorising 8 a change, yes? 9 A. Yes, it does. 10 Q. If we can display that page and the next page, 11 please. Thank you. On the right-hand page 12 you'll see it goes up to 12. There is actually 13 a 13th but I don't want to display three pages 14 at once. It sets out a detailed process for 15 each stage in the process in order to make 16 an operational change, yes? 17 A. It does. 18 Q. One of the stages in the process is that at 19 least two people must be present when making 20 changes to the live system. Normally, these are 21 SSC staff but can be one staff member and one 22 person from the fourth line support unit 23 responsible for the area in which the data 24 change will take place, or one staff member and 25 one OSD staff member. What's OSD? 74 1 A. OSD was one of the acronyms which were used for 2 staff in Belfast who supported the service 3 systems and the operating systems running on 4 them. 5 Q. Looking at paragraph 5 -- sorry, I missed that 6 last answer. So it was somebody in Belfast? 7 A. That's correct, yes. 8 Q. How could somebody in Belfast be present when 9 somebody in the SSC was making a change? 10 A. They couldn't. Unless they happened to be 11 working over in the UK at the time. During the 12 early stages of Horizon, there were a lot of 13 people working in the UK from Belfast, setting 14 up server systems within the building, setting 15 up networking systems within the building or 16 maintaining them, so I assume that's why the 17 author mentioned them as a possibility. 18 Q. Fourth line support were in the same building, 19 were they? 20 A. For some of the time, yes. Later, yes. 21 Earlier, there was a period of time, I believe, 22 when fourth line were still located in Feltham, 23 when we were located in Bracknell, but that was 24 a relatively actively short period. 25 Q. What happened in practice? Was this, in fact, 75 1 the four-eyes procedure, always done with two 2 people from SSC? 3 A. Yes, it was. The only caveat that I haven't 4 read here is that this -- the four-eyes 5 procedure was used for a change that was going 6 to have a financial impact, which I don't 7 remember you reading out in this document. 8 Q. I don't think it does. If you look at 4.3, 9 "Operational change", we've got the whole of the 10 paragraph on the page there. Then if we go to 11 the top of the right-hand page, it just goes 12 straight into the procedure. 13 A. Yeah. In that case, I think that's misleading, 14 in that the four-eyes rule, two people observing 15 a change, was for financial changes. 16 Q. Whereas this describes it for any change? 17 A. Yes, which I think is misleading. 18 Q. Looking at number 5 on the right-hand page, it 19 says: 20 "The authoriser wherever possible produces 21 a script to make the data change and test the 22 script on the SSC reference rig prior to running 23 it on the live system." 24 That didn't happen, did it? 25 A. It did happen, yes. It would depend on the 76 1 nature of the problem and whether or not 2 a script was appropriate. 3 Q. What would determine whether a script was 4 appropriate? 5 A. What the actions are that are being taken, 6 whether it was possible to actually run them via 7 a script or not. 8 Q. Is that why it's written "wherever possible"? 9 A. I don't know. I mean, I would assume so. 10 Q. The procedure then suggests that the SSC manager 11 or SSC website controller would check 12 e-signatures and file the OCR. Was that process 13 honoured? 14 A. I believe so, yes. 15 Q. In your time -- 16 A. In my time -- 17 Q. -- was it honoured? 18 A. -- no. In my time as SSC manager, we had 19 stopped the use of e-signatures because they 20 weren't considered to be giving us any extra 21 accountability. So we were relying on the 22 username/password type access, guaranteeing that 23 it was the person who was entering a particular 24 approval. 25 Q. Looking at the left-hand side of the page, the 77 1 introductory paragraph: 2 "The SSC has access to the live system which 3 can be used to correct data when this has been 4 corrupted in some way." 5 Was this procedure used only when data had 6 been corrupted? 7 A. No. 8 Q. So that's slightly misleading too, then? 9 A. I think it is, yes. 10 Q. It was used for simple corrections? 11 A. Yes, it was. 12 Q. Do you know why that is, that this description 13 of this use of remote access to make changes to 14 data, it doesn't accurately reflect reality? 15 A. I don't know why the author phrased it in that 16 way, no. 17 Q. Who was Mr Burden, Peter Burden? 18 A. Pete Burden was Mik Peach's manager at the time 19 but also the manager of other the parts of what 20 was then Customer Service. 21 Q. Can we go to page 20 and look at paragraph 4.8., 22 which is a third of the way down -- thank you: 23 "All diagnostic staff in the SSC have access 24 to the live system via PCs that are connected to 25 a private Local Area Network. Branch panels 78 1 enable staff to use these PCs to access the test 2 rigs. 3 "The build script for these PCs was written 4 by OSD, but is held in the SSC. The PC build 5 was performed in accordance with the Access 6 Control Policy. 7 "Access from the PCs to the live system is 8 controlled by secure ID, uses firewalls, and 9 an encrypted link, and conforms to the Access 10 Control Policy. 11 "The SSC access to the system is for two 12 purposes: 13 "Assist in diagnosis of problems on the live 14 system 15 "Correct data which has become corrupted. 16 "In the second case, SSC staff may only 17 correct data in response to an authorised OCR 18 and only then when there are two or more people 19 present." 20 Again, this passage suffers from those, 21 I think, defects that you mentioned earlier? 22 A. I think so, yes. 23 Q. Both of them. What system was in place to 24 ensure that SSC staff in fact only accessed the 25 live estate to correct data in response to 79 1 an authorised OCR? 2 A. The -- it was enforced only by process. 3 Q. What does that mean? 4 A. I mean, everybody was aware that that was the 5 requirement and that whenever an OCR was 6 approved of that nature, then they knew that was 7 what they were required to do. 8 Q. People are aware of the speed limit. That 9 doesn't mean that they always abide by it, does 10 it? 11 A. I agree with you but I am not aware of any times 12 that members of the SSC did not abide by that 13 rule. 14 Q. How would you know if you weren't checking? 15 A. I would know by -- well, having seen the OCR and 16 talking to the person who actually executed it. 17 Q. No, that's a different issue. That's where they 18 have used the OCR system, you know that they've 19 used the OCR system. 20 A. Correct, yes. 21 Q. I'm talking about what audit or monitoring was 22 there to see whether people accessed the live 23 estate outside of the system that's described in 24 13 subparagraphs here? 25 A. Do you mean access the live system in order to 80 1 make a financial change? 2 Q. Yes. 3 A. Okay. There is -- there were certain audit 4 points in place, which should log most cases 5 where that may happen but, ultimately, you are 6 depending on the people concerned to understand 7 the requirements and the importance of not doing 8 it. 9 Q. So you've got to trust that they follow the 10 process? 11 A. You've got to trust that they follow the 12 process. 13 Q. Sometimes with access to systems, an employer 14 checks whether their trust in their employees is 15 well placed or not; was that done? 16 A. I don't know. 17 Q. In your 22 years, have you any evidence that it 18 was done? 19 A. I remember there were various audits of the 20 processes, procedures and access carried out by 21 external auditors. But that's the only thing 22 I can actually think of. 23 Q. I'm talking about not an audit of the written 24 documents; I'm talking about an audit of whether 25 access to the live estate, to correct or change, 81 1 in some way, financial data, occurred; in your 2 22 years, was that ever done? 3 A. I'm not aware of how it could be done but, no, 4 I don't recall it being done. 5 Q. Well, it could be done, couldn't it, just 6 outside of the process that's set out here? 7 A. Oh, sorry. You're saying that could a member of 8 the SSC make such a change without anybody's 9 knowledge? 10 Q. Yes. Answer to that, obviously yes? 11 A. The answer is yes, but I would caveat that by 12 saying I was never aware of any such thing 13 happening, and the nature of the people within 14 the SSC is that the chances of them being able 15 to achieve that without somebody else realising 16 there was something going on are almost nil. 17 Q. Why? 18 A. Because you're in a peer group of experienced 19 technicians who would recognise when something 20 wasn't being done. 21 Q. How would they see? 22 A. By traces within the system. 23 Q. What traces within what system? 24 A. I can't define those exactly to you because it 25 would depend upon the nature of the change being 82 1 made. 2 Q. If there was a trace left, it was therefore 3 auditable, wasn't it? 4 A. It would be capable of being audited. I don't 5 know, because we're talking on a hypothetical 6 thing here, whether such a thing would be in the 7 audit trail or not. 8 Q. In your time, were you ever aware of there being 9 an issue or concern over the extent of SSC's 10 access to the live estate? 11 A. There were a number of debates about access 12 rights that the SSC had at different times. 13 I think it's fair to say that it's fairly common 14 that there's an issue between what the ideal 15 security of a system is and what level of 16 security meets the actual operational needs of 17 that system. So -- and this was always ongoing 18 and it was an amicable discussion between SSC 19 and security people. 20 Q. Were you ever told that there was a concern that 21 SSC staff had unauditable and unrestricted 22 access to the live estate? 23 A. I wasn't aware of anything unauditable. I mean, 24 there was issues in the early days of Horizon 25 with the methods used to connect to counters, 83 1 because they weren't adequately auditable. But 2 that was worked upon and systems put in place by 3 the time network banking services came in as 4 part of Horizon. 5 Q. Can we look at page 31 of your witness 6 statement, please, and can we look at 7 paragraph 85 on page 31. You say in the first 8 line: 9 "One would have to concede that where the 10 SSC used Riposte tools and remote access to have 11 a positive effect on outlet information, the 12 opposite must also be possible." 13 What did you mean by that sentence? 14 A. What I go on to clarify in the following 15 sentence: that if some errors were made in the 16 replaying of message store transactions, then, 17 like, issues could come out of that. 18 Q. So you're talking there about innocent errors by 19 a diagnostician when seeking to correct a fault? 20 A. That's correct, yes. 21 Q. They themselves, in fact, creating new ones? 22 A. That's correct, yes. 23 Q. Not malign access? 24 A. Correct. 25 Q. Did the possibility of malign access ever occur 84 1 to you? 2 A. The possibility occurred to me, but that was 3 within the remit of the security staff. My 4 concern, as an SSC manager, was that we should 5 only have the level of access which was required 6 for our work because that protected staff as 7 much as it protected the service. 8 Q. Can we look back further up the page to 9 paragraph 84.2. You say: 10 "Remote counter access would be used when 11 Message Store intervention required that the 12 records being re-inserted originated from the 13 outlet counter. For context, records within the 14 Riposte message store included details of the 15 originating ..." 16 That's branch code; is that right? 17 A. That's correct, yes. 18 Q. "... and counter ID ..." 19 So that's which counter within the branch. 20 A. Within the branch, yes. 21 Q. "Some types of records (normally transactions) 22 could only be accepted by the system if they to 23 very originated from an ID within the outlet." 24 Do I understand from that that the SSC were, 25 in fact, using branch IDs in order to make 85 1 corrections. 2 A. No, they were not using branch IDs. They were 3 potentially replaying transactions from the 4 counter itself. 5 Q. But using a branch ID in order to do so? 6 A. That was an effect of it being run on 7 a particular counter, those replayed 8 transactions took on that counter's ID. 9 Q. So would the footprint that was left show only 10 the branch user ID? 11 A. Unless a member of the SSC -- yes. Sorry, yes. 12 Q. So anyone looking back afterwards would not be 13 able to see that this correction or this access 14 was by somebody from the SSC? 15 A. Unless the member of the SSC ensured that there 16 was an identifier within the messages going back 17 which indicated SSC activity, which was also 18 part of our process. 19 Q. But doesn't what you've written here mean that, 20 in these cases, the only visible record would be 21 the originating branch code and counter ID, that 22 the involvement of the SSC in the correction 23 would not be visible? 24 A. That was not my intention when writing it. That 25 inference could be taken but, as I've said, any 86 1 change being made where the SSC had to insert 2 data, we would attempt to market in such a way 3 that it was obvious that it was done by the SSC. 4 Q. When you say, "We would attempt to"? 5 A. It was process; it wasn't ... policed by the 6 system. 7 Q. Okay. So it was reliant on the operator and the 8 second pair of eyes -- 9 A. It was. 10 Q. -- to use some code that left their footprint? 11 A. That's correct, yes. 12 Q. Just going back, please, to FUJ00120446, and 13 look at page 14, please, and at the foot of the 14 page, 4.3. I just want to see the bit of the 15 process here which requires them to use an SSC 16 code in a way that leaves a footprint, so that 17 it doesn't appear, on the face of the record, to 18 have been a branch and branch counter ID. 19 I don't think that's in 1 or 2, is it? 20 A. It's not, no. 21 Q. If we just go over the page, I don't think it's 22 in 1 to 5 there, is it? 23 A. Not that I can see, no. 24 Q. Then if we look at the bottom part of the page, 25 I don't think it's in 6 to 12, is it? 87 1 A. No. 2 Q. Then if we go over the page to 13, it's not in 3 13, is it? 4 A. No. 5 Q. A policy that sets out, in rather elaborate 6 detail, the process by which changes were made 7 to the live estate, including where changes were 8 made to financial data, ought to set out the 9 requirement that you have just identified? 10 A. I would agree it should. I cannot explain why 11 it doesn't. But such requirements were in other 12 documents and, in particular, in the SSC work 13 instructions. 14 Q. The SSC work instructions -- 15 A. Yes. 16 Q. -- ie that you must always use an SSC ID to 17 leave a footprint, I'm calling it? 18 A. It must always be identifiable as an SSC change, 19 yes. 20 Q. Can we look, please, at FUJ00088036. 21 Remembering that the document that we were just 22 looking at was 29 January 2001, we've now moved 23 forwards to 2 August 2002. You can see from the 24 title of the document and the "Abstract" what it 25 is. It: 88 1 "... describes the requirements and outline 2 design for secure operational access to Counters 3 and Servers. The design is based on modifying 4 the OpenSSH product to provide a command logging 5 facility, these logs being maintained for audit 6 purposes." 7 If we scroll down, please, we can see who 8 originated the document, who contributed to it, 9 yes? 10 A. Indeed, yes. 11 Q. We can see at the foot of the page that Mr Peach 12 was an approval authority? 13 A. Yes. 14 Q. If we go over the page, please, and scroll down, 15 we can see that you're recorded as a reviewer of 16 it? 17 A. That's correct, yes. 18 Q. Would that be accurate if it's on here that 19 you've reviewed it, you would have reviewed it? 20 A. Yes, it would. 21 Q. Can we go to page 9, please, under the 22 "Introduction" at 1.1.1: 23 "SFS mandates the use of Tivoli Remote 24 Console for the remote administration of Data 25 Centre platforms. This records an auditable 89 1 trail of log-ins to all boxes accessed by the 2 user. It is a matter of considerable discussion 3 and correspondence that TRC is slow and 4 difficult to administer. This has lead over 5 time to BOC personnel ..." 6 That's people in Belfast? 7 A. I assume so. I must admit, I don't remember 8 them being called BOC but -- 9 Q. If you go back to page 4, please, and look at 10 the list of acronyms? 11 A. Belfast Operation Centre. 12 Q. Belfast Operation Centre. 13 A. Belfast Operation Centre, so, yes, it would have 14 been them, yes. 15 Q. Go back to page 9, please. I think I was up to: 16 "This has lead over time to BOC personnel 17 relying heavily on the use of unauthorised tools 18 (predominantly Rclient) to remotely administer 19 the live estate. Its use is fundamental for the 20 checking of errors. The tool does not however 21 record individual user access to systems but 22 simply records events on the remote box that 23 administrator access has been used. No other 24 information has been provided including 25 success/fail so it is not possible to simply 90 1 audit failures. The use of such techniques puts 2 Pathway in contravention of contractual 3 undertakings to the Post Office. After the 4 proposals in this [system outlying document] 5 have been implemented a CP ..." 6 Change process? 7 A. Yes, that's correct. 8 Q. "... will be raised to phase out TRC (or limit 9 its use to exceptional situations)." 10 Can you help us, what were the Belfast 11 Operations Centre using Rclient for. 12 A. My assumption would -- it's a method of logging 13 on to data centre servers or any other computer 14 within the system in order to perform 15 maintenance activities or diagnostic activities. 16 Q. Why were they using this unauthorised tool? 17 A. I believe it was primarily because there was no 18 approved and auditable tool that was 19 operationally good enough for them to use. 20 Q. Do you know why that was, almost two years into 21 the operation of the system? 22 A. I don't, no. 23 Q. Would you describe that as optimal or 24 suboptimal? 25 A. Suboptimal. 91 1 Q. The system didn't record individual user access. 2 So did that mean that what I've called 3 a footprint was not left? 4 A. Yes, it would. 5 Q. It meant that no audit was possible? 6 A. It would, yes. 7 Q. But why was it in contravention of contractual 8 undertakings to the Post Office? 9 A. I don't remember what was in the contract about 10 this kind of security. 11 Q. But would you presume that there was some 12 guarantee or undertaking or promise about the 13 security of the system. That's what's being 14 spoken of and this unauthorised and unauditable 15 approach was in breach of it? 16 A. That would be my reading of it but I don't know. 17 Q. Do you know whether the Post Office knew about 18 these breaches of contract by Fujitsu? 19 A. I don't know. 20 Q. Can we turn to the position with third line 21 support, please, and look at page 13. This is 22 under the heading "Requirements", subheading 23 "Areas of concern" and then 4.1.2, "Third line 24 support": 25 "Third line support staff receives repeat 92 1 instances of calls that should have been 2 filtered out by second line. Handling repeat 3 calls is not an effective use of third line 4 support resource. The current support practices 5 were developed on a needs must basis. Third 6 line support diagnosticians had no alternative 7 other than to adopt the approach taken, given 8 the need to support the deployed Horizon 9 solution. 10 "The consequences of limited audit and 11 system admin access afforded to third line 12 support staff provide the opportunity to: 13 "Commit fraudulent acts; 14 "Maliciously or inadvertently affect the 15 stability of the new network banking and Debit 16 Card online services; 17 "In addition a complete audit would allow 18 Pathway to defend the SSC against accusations of 19 fraud or misuse." 20 This is a very serious issue that's being 21 raised here, isn't it? 22 A. It is, yes. 23 Q. Why were the current support practices developed 24 on a needs must basis? 25 A. Because there was a necessity to support the 93 1 service as it was at that time. 2 Q. Why weren't they developed on a planned, 3 designed basis? 4 A. I don't know. I was nowhere near the design of 5 that part of the service. 6 Q. Can you recall what prompted the inclusion of 7 these paragraphs in this report? Why was it 8 being looked at now? Was it the rollout of 9 network banking? 10 A. I believe so, yes. 11 Q. Why was the rollout of network banking a trigger 12 or a catalyst to identify the possibility of 13 fraudulent acts, or malicious or inadvertent, 14 affecting the stability of the system? 15 A. I'm not sure. I remember it happening at that 16 time but I don't remember exactly why that was 17 necessary then, rather than not being done 18 previously. 19 Q. Who developed these ad hoc practices on a needs 20 must basis? Presumably that was you and your 21 colleagues within the SSC? 22 A. Within the SSC or within the support environment 23 in general. 24 Q. So who developed, then, within the SSC, these 25 ad hoc access practices? 94 1 A. I don't remember. 2 Q. Were you involved? 3 A. I don't believe so, no. As I say, I have no, 4 like, memory of that. 5 Q. But it would have been known about by the then 6 manager; would that be right? 7 A. Yes. 8 Q. Mr Peach? 9 A. Yes. 10 Q. The document that we've just looked at, the 11 January 2001 document with its 13 stages, it 12 might be read as saying, "We've got a detailed 13 and complex process that appropriately restricts 14 access to the live estate by SSC staff"? 15 A. It might be read that way, yes. 16 Q. Here, that process is being described as 17 problematic, isn't it? 18 A. The tools being used at the -- at that time, 19 yes. 20 Q. Was this information shared with the Post 21 Office, to your knowledge? 22 A. I don't know. 23 Q. In your view, ought it to have been shared with 24 the Post Office? 25 A. Not a decision for me to make, really. I'd go 95 1 no further than that. 2 Q. Can we go to page 15, please. At 4.3.2, under 3 the heading, "Third line and operational 4 support": 5 "All support access to the Horizon systems 6 is from physically secure [sites]. Individuals 7 involved in the support process undergo more 8 frequent security vetting checks." 9 Was that true? 10 A. I believe so. 11 Q. How frequent were your vetting checks? 12 A. I don't remember. I mean, I know I was 13 initially vetted on joining Pathway but 14 I wouldn't necessarily know if other vetting 15 checks had been done. 16 Q. To your knowledge, were you ever re-vetted? 17 A. To my knowledge, no. 18 Q. "Other than the above controls ..." 19 That's secure -- a secure site and 20 frequently vetted -- more frequently vetted 21 individuals: 22 "Other than the above controls are vested in 23 manual procedures, requiring managerial sign off 24 controlling access to post office counters where 25 update of data is required." 96 1 Is that essentially describing, in 2 a sentence, the 13 steps that we looked at in 3 the 2001 document? 4 A. I believe so. But not having written it, 5 I don't know what was on the author's mind, 6 really. 7 Q. No, that would be an unfair question to ask: 8 what was on the author's mind? But looking at 9 it, manual procedures requiring managerial 10 sign-off is essentially the steps that we looked 11 at, the 13 of them -- 12 A. Yes. 13 Q. -- in the previous document? 14 A. Yes. 15 Q. "Otherwise, third line support has: 16 "Unrestricted and unaudited privileged 17 access (system admin) to all systems including 18 post office counter PCs ..." 19 When I asked you earlier whether you were 20 ever made aware of a concern that SSC staff had 21 unrestricted and unaudited privileged access to 22 all systems, you said no. Presumably, you 23 hadn't remembered this. 24 A. Correct. 25 Q. Again, in the terms of level of seriousness of 97 1 concern, this ranks quite highly in the 2 spectrum, doesn't it? 3 A. It does, if you had no trust in the staff, yes. 4 Q. If you trust your staff, you don't need any 5 checks at all; is that what you're saying? 6 A. No. But the -- having trusted, vetted staff 7 mitigates that problem to an extent. 8 Q. You're focusing, are you not, on malicious or 9 malign access -- 10 A. I am, yes. 11 Q. -- as opposed to the leaving of a footprint for 12 audit purposes? 13 A. Yes, that's true. 14 Q. That could be examined and tested, for example, 15 in any court proceedings? 16 A. That's true and I would much prefer anything 17 that the SSC had to do to be auditable, yes. 18 Q. Does that reflect the reality in the SSC that, 19 other than locks and keys on the building and 20 what was said to be frequent or more frequent 21 security checks, other than that, the people in 22 third line support had unrestricted and 23 unaudited access to all systems, including post 24 office counter PCs? 25 A. I would certainly say that that applied to most 98 1 but there was audit for some things in place but 2 I can't define for you what they were. But, 3 certainly for the post office counter PCs, as 4 specified there, that is true. 5 Q. Skipping over the second bullet point: 6 "The current support practices were 7 developed on a needs must basis; third line 8 support diagnosticians had no alternative other 9 than to adopt the approach taken given the need 10 to support the deployed Horizon solution." 11 Remembering back, did that reflect the 12 position at the time that "We don't like this, 13 but we've got no option. We need this 14 privileged access in order to make the system 15 work"? 16 A. It does, yes. 17 Q. Did anyone ask the question, "Did anyone not 18 think of this when they were designing and 19 building the system"? 20 A. I don't remember such a comment, but I would 21 expect people to think, "Why?" I probably can't 22 say, like, any more. 23 Q. Did it, to your memory, consciously feel 24 uncomfortable? 25 A. No, it didn't feel uncomfortable. You got on 99 1 with the job with the tools you had. 2 Q. The document continues: 3 "There are however no automatic controls in 4 place to audit or restrict user access." 5 That, in a sentence, is describing what 6 should be in place, namely embedded automatic 7 system controls that, at the same time, restrict 8 access but also provide an audit trail 9 afterwards. 10 A. That would be my reading, yes. 11 Q. "This exposes Fujitsu ... to the following 12 potential risks: 13 "Opportunity for financial fraud; 14 "Operational risk -- errors as a result of 15 manual actions causing loss of service to 16 outlets; 17 "Infringements of the Data Protection Act." 18 Was this needs must third line support 19 access developed because of the number of bugs, 20 errors and defects in Horizon Legacy that became 21 apparent as it was rolled out? 22 A. No. I mean, as soon as you've got, what -- 23 you've got one error which needs you to access 24 a particular component of the system, you have 25 to find a way of accessing it. 100 1 Q. How many members of staff were in the SSC from, 2 say, mid-2000? 3 A. I can't remember exactly but I'd say about 4 mid-20s. 5 Q. Did that number remain static or did it grow? 6 A. It changed over time, up and down. 7 Q. There were turnovers of staff? 8 A. There were. We didn't have a massive staff, 9 massive staff turnover, but yes. 10 Q. This document, in terms of operational risks, 11 describes errors as a result of manual actions 12 causing loss of service to outlets. That's what 13 I described earlier as an inadvertent error, 14 rather then a malign or malicious conduct. Did 15 Fujitsu ever explore whether this unauthorised 16 access had destabilised the Horizon platform in 17 any way? 18 A. I don't know. 19 Q. To your knowledge, did it? 20 A. I don't remember it being done. 21 Q. Can we go over the page to page 16, please, and 22 paragraph 4.6, "Controlled access to sensitive 23 data": 24 "There are three categories of sensitive 25 data within the Pathway solution: 101 1 "Personal data -- subject to the rules of 2 the Data Protection Act regarding its storage, 3 confidentiality, accuracy and use; 4 "Business sensitive data; 5 "Cryptographic keys/data; 6 "None of the above sensitive data should be 7 made available outside of the Pathway secure 8 environment. Due to the potential sensitivity 9 of cryptographic keys/data there is a further 10 restriction that diagnostics can contain this 11 data; 12 "[Namely] It can only be reviewed by 13 a defined group -- initially the SSC third line 14 support group and development; 15 "[Secondly] In a secure location -- 16 currently 6th floor in Bracknell and the secure 17 room in FEL01." 18 Is it right that the policy document appears 19 to be addressing the issue of access to 20 sensitive data by limiting the access of it to 21 those who were within a secure room in 22 Bracknell? 23 A. Yes. 24 Q. If one of the unauthorised tools, whether that's 25 Rclient or one of the others, was being used by 102 1 Fujitsu staff, could that only be used in the 2 secure space at Bracknell or could it be used 3 elsewhere? 4 A. It could only be used within secure spaces in -- 5 around Horizon. I mean, the SSC in itself had 6 a secure floor. I believe, but I don't know, 7 the Belfast Operations had similar. 8 MR BEER: Thank you. 9 Sir, I'm about to move to a different 10 subtopic. I wonder whether that would be 11 an appropriate moment to break until 2.00. 12 SIR WYN WILLIAMS: Yes, by all means. 13 So we'll convene again at 2.00. 14 MR BEER: Thank you very much, sir. 15 (12.57 pm) 16 (The Short Adjournment) 17 (2.00 pm) 18 MR BEER: Good afternoon, sir. Can you see and hear 19 me? 20 SIR WYN WILLIAMS: Yes, I can, thank you. 21 MR BEER: Thank you very much. 22 Mr Parker, can we pick up where we left off 23 by looking at POL00029282. You recall we've 24 looked at some documents on remote access from 25 2001, 2002 and we're now moved to 2004. Can you 103 1 see that this document is entitled "Customer 2 Service Operational Change Procedure". The 3 abstract of it says that it: 4 "... describes the procedure for Operational 5 Changes where the changes are made to the live 6 operation." 7 It's dated 18 March 2004 as version 1. The 8 contributors to it are you and Mr Peach, yes? 9 A. Yes. 10 Q. Does that mean that you wrote it or did Mike 11 Stewart and/or Mik Peach write it? 12 A. I think it was the latter, Mike and Mik would 13 have written it. I would have just contributed 14 ideas or suggestions. 15 Q. I see. Can you remember what the reason for -- 16 the necessity for this document was? 17 A. Other than ensuring that the process was 18 correctly documented, no. 19 Q. Did this represent a change in process or was 20 this recording what happened? 21 A. Without rereading the whole document, I'm not 22 sure whether it was a change or not. 23 Q. Can we look, maybe to help you answer that 24 question, at page 6. Can you see from the 25 introduction it appears to be a description of 104 1 existing process rather than highlighting change 2 to a process? 3 A. I think that's right, yes. 4 Q. Then can we go to page 7, please. You'll see 5 that it says, in the first line: 6 "Anyone can raise an OCP, except those who 7 have logged onto the SSC website using the 8 'OCPview' user." 9 What does that mean, please? Can you 10 remember now? 11 A. When logging on to the SSC website you needed to 12 supply a username/password and OCPview was 13 I believe one of those usernames. 14 Q. Why couldn't you raise one if you'd logged on 15 using OCPview? 16 A. My assumption is from this sentence was that it 17 was a read-only user so that you couldn't 18 interfere or change OCPs. I would also say that 19 when we said earlier this is not a changed 20 document or from the previous one, my memory of 21 the previous one was that OCRs were raised on 22 paper at that time, whereas this reflects the 23 fact that they were being raised via the SSC 24 website. 25 Q. I see. I understand. 105 1 A. Apart from that, I doubt there's a great deal of 2 difference. 3 Q. Then if we can go to page 9, please. At the end 4 of this section on generating an OCP, it says: 5 "NOTE -- an OCP is raised in order to make 6 a change to the live system. If the change is 7 likely to affect a system build, then the 8 relevant part of the form must be set to YES. 9 If the change is being made to the system in 10 order to overcome an operational deficiency 11 which should be permanently fixed in the system 12 code, then there MUST be a call raised to report 13 the problem, and the call reference added to the 14 OCP." 15 Was there any monitoring in place at Fujitsu 16 to ensure that those who had power to access the 17 live system acted in accordance with this 18 policy? 19 A. There was no constraint. It was just you were 20 expected, and to use the process. I don't know 21 of any way that you could stop people from not 22 using that process. 23 Q. What about retrospectively? Was any audit done 24 to ensure that any changes that were made, 25 whether using this OCP system or not, were 106 1 monitored for errors, regression or unintended 2 consequences? 3 A. Certainly after making any change, you would be 4 looking at the system carefully to make sure, as 5 you say, there's no regression or adverse impact 6 to the system. That would be standard process. 7 That would just be due diligence, really. 8 Q. That's on an individual basis? 9 A. Mm. 10 Q. I'm looking at -- or I'm asking about more 11 a system-wide approach. 12 A. I don't think I was aware of a system-wide 13 approach, no. 14 Q. Can we turn, please, to FUJ00138355. 15 SIR WYN WILLIAMS: Mr Beer, before we do that, could 16 we just go back to the first page, please? 17 MR BEER: Yes, of course. 18 SIR WYN WILLIAMS: I don't want to make any point 19 that you're going to cover but unless -- 20 Mr Parker, if you see, just below your name and 21 Mr Peach's, there's the heading "External 22 distribution" and we have the name "John Bruce 23 (Post Office Limited)". Now, I may have missed 24 it but I don't think in the last document we 25 looked at about these processes there was 107 1 an external distribution at the Post Office. 2 Have I got that right? 3 A. I'm sorry I don't remember. 4 SIR WYN WILLIAMS: All right, that's fine. But on 5 this occasion, clearly there was. So that from 6 this moment on, the Post Office were aware of 7 this document, on the face of it? 8 A. Yes. 9 SIR WYN WILLIAMS: Do you know who Mr Bruce was? 10 A. I remember the name but I don't know his 11 position within the Post Office. 12 SIR WYN WILLIAMS: All right. Thank you. 13 Sorry, Mr Beer. I just wanted to follow 14 that up slightly. 15 MR BEER: Sir, yes. Can I follow up your follow-up 16 and look at page 2 of the document, please. 17 Scroll down, please. 18 We can see maybe the purpose for which the 19 document may have been shared with the Post 20 Office, because under the bottom section of that 21 table it says "Optional Review/Issued for 22 Information", and, again, the name of Mr Bruce 23 from the Post Office Limited. Can you help us, 24 what does that "optional review" mean? 25 A. When the document went out for optional review, 108 1 the person may or may not return comments on it. 2 If you were a reviewer, you had to return a no 3 comments document. 4 Q. I see. Was that a mandatory review? 5 A. For a mandatory review of the document, yes, you 6 had to return no comments. 7 Q. So an optional reviewer, here Mr Bruce, would be 8 sent the document but it wasn't mandatory for 9 him to make a return? 10 A. Correct. 11 Q. The optional doesn't apply to whether or not the 12 document was sent to him? 13 A. That's correct, yes. 14 Q. "Issued for information", is that 15 self-explanatory, ie you're just getting this 16 after we have written it? 17 A. Yes. 18 Q. Okay, thank you. Can we go, please, to 19 FUJ00138355. This is a new species of document 20 that we're looking at with you, it's called 21 a WI. Can you recall what those are? 22 A. Those are work instructions which were entered 23 and maintained on the SSC website. 24 Q. Can you briefly explain what the purpose and 25 function of a work instruction is, please? 109 1 A. It was there to provide information to 2 diagnosticians on how a particular task should 3 be achieved or what the expectations were for 4 standards of use. 5 Q. Was it an internal SSC document, then? 6 A. I think -- they were only ever raised by SSC 7 members. I don't remember whether people 8 outside the SSC could see them. I suspect they 9 could. 10 Q. But the target audience were SSC diagnosticians? 11 A. Yes, indeed. 12 Q. If we just read it, the title is "Data 13 correction". It was authored, in its first 14 version, by you. This is version 18 we're 15 looking at. The details are: 16 "GDPR regulations require that access to 17 personal data remains within the European Union 18 and PCI data security standards mandate physical 19 security restrictions must be applied where 20 update access is allowed to user data." 21 Presumably you wouldn't have been writing 22 that, is that right, in 2011? 23 A. Yeah, don't believe those are my words. They're 24 not my style. I probably -- I may have lifted 25 those from a security document. 110 1 Q. I was thinking more about whether, in 2011, you 2 would have been referencing the GDPR at all? 3 A. Quite true, yes. I mean, that would have been 4 too early for that, yes. 5 Q. So we can't tell from this, the 18th edition of 6 this document, what is your text, what is the 7 text of those between versions 2 to 17, and that 8 which is Mr Woodley's text in version 18? 9 A. Yes. 10 Q. Is that right? 11 A. That's correct, yes. 12 Q. Moving on a paragraph, just at the end of the 13 first paragraph: 14 "The responsibility for data correction is 15 vested with the SSC although ISD sometimes act 16 under SSC authorisation." 17 What was the ISD? 18 A. That was the Belfast Operations. That was 19 another acronym used for them later on. 20 Q. "Corrections to live system data must be 21 authorised via account change control and 22 auditable. Any correction requiring APPSUP role 23 is to be witnessed by a second member of the 24 SSC. Both names must be recorded on the change 25 control for audit purposes." 111 1 Given the documents we've looked at to date, 2 why was this work instruction necessary? 3 A. I think the idea was just to clarify for SSC 4 members to make it clearer to them so that they 5 didn't have to look at various disparate 6 documents. 7 Q. What would they have done between 2000, then, 8 and September 2011 when this document was first 9 created? 10 A. They would have had to refer to various 11 documents to get the overall picture, as it 12 pertained to the SSC. 13 Q. You see at the top it says that: 14 "This [work instruction] is waiting for 15 approval by Mark Wright and should not be used." 16 A. Mm-hm. 17 Q. Why was it, still in February 2021, waiting 18 approval by Mark Wright and shouldn't be used? 19 A. I don't know. 20 Q. If you just read through it to yourself, just to 21 refamiliarise yourself with it. (Pause) 22 A. Okay, yes, got that. 23 Q. If you scroll down to "Change Control". Thank 24 you. (Pause) 25 A. Yeah, okay. 112 1 Q. Is there anything in there that you can read 2 that might explain or justify why the work 3 instruction was "awaiting approval by Mark 4 Wright"? 5 A. No. Nothing there is obvious to me, no. 6 Q. Going back to the top of the page in the second 7 paragraph under "Details": 8 "Corrections to live system data must be 9 authorised via Account change control and 10 auditable." 11 Does that suggest that still at this date, 12 when you wrote it in 2011 and when Mr Woodley 13 last updated it in 2021, that there wasn't any 14 automated system of secure access and auditing? 15 A. No, I don't remember whether I wrote that 16 sentence or not. But I mean, any change of that 17 type to the system we would want to be auditable 18 in some way. I don't think that says that 19 changes were not actually auditable previously. 20 Q. It continues: 21 "Any correction requiring APPSUP role ..." 22 What was the APPSUP role, please? 23 A. The APPSUP role was an elevated permission that 24 members of the SSC could invoke in order to view 25 or change certain information within a database. 113 1 So it was more than our standard permissions. 2 Q. Was it up to them to determine whether they used 3 that enhanced facility? 4 A. It was, yes. 5 Q. Was there any restriction on them using that 6 enhanced facility? 7 A. No, there wasn't, to my knowledge. 8 Q. It says that: 9 "Any correction requiring APPSUP is to be 10 witnessed by a second member of the SSC." 11 The four-eyes approach that we had seen in 12 the earlier documents didn't restrict that 13 requirement to the used to of the APPSUP 14 facility, did they? 15 A. No, they didn't. 16 Q. Was it the four-eyes approach, restricted only 17 to the APPSUP facility, or not? 18 A. The four-eyes approach would be expected for any 19 financial change. 20 Q. Do you know why this puts a different 21 requirement or restriction on it, namely it's 22 the use of the APPSUP -- 23 A. Um -- 24 Q. -- that triggers the four eyes requirement? 25 A. I think that's probably more bad writing than 114 1 requirement because I hope further down in the 2 financial data bit it does say -- yes, it 3 does -- of the two-man rule is used. 4 Q. You're looking under the heading "Financial 5 data" -- 6 A. I am indeed, yes. 7 Q. -- two sentences in? 8 A. Yes, correct. 9 Q. Thank you. Can we move on still further, 10 please, and look at FUJ00087154. This is 11 a document which is described as a "Statement on 12 Fujitsu remote support access to Post Office 13 branch counters", written by Dave Haywood, 14 a security architect within Fujitsu. Do you 15 recall Mr Haywood? 16 A. I do, yes. 17 Q. Where did he work within the company? 18 A. In terms of division or location? 19 Q. Both, please. 20 A. He was part of the architectural team. I think 21 Dave was one of the exceptions who tended to 22 work offsite. I don't remember him being in the 23 Bracknell building, apart from coming down for 24 meetings. 25 Q. So he's neither third or fourth line? 115 1 A. No. 2 Q. He's architecture? 3 A. Architectural, yeah. 4 Q. You'll see from the bottom half of the page the 5 distribution list. It includes you and you're 6 described the "Strategic Support Lead". What 7 does that mean? 8 A. I think it's just indicative of the fact that 9 our titles meant that -- meant very little and 10 were sometimes interchangeable. I don't know 11 why Dave used that in that particular document. 12 Q. It should say "SSC Manager"? 13 A. It would be better defined that way, I think, 14 yes. 15 Q. Anyway, if we go over the page, please. The 16 document says that: 17 "In the event that this document is shared 18 outside of [Fujitsu] it should be noted that 19 whilst Fujitsu endeavours to ensure that the 20 information contained in this document is 21 accurate ... it accepts no liability ..." 22 It sets out the "Scope" as being remote 23 support access to branch post office counters 24 under both Horizon Online and Legacy Horizon; is 25 that correct? 116 1 A. Yes. 2 Q. It starts with HNG-X. If we just scroll down, 3 please. 4 A. Sorry, may I go back to where we were briefly? 5 Q. Yes, of course. 6 A. You said it referred to HNG-X and Legacy 7 Horizon. 8 Q. HNG-X and HNG-A? 9 A. Ah, right, I thought I heard Legacy but, yes, 10 HNG-X and HNG-A were later systems, yes. 11 Q. Can we just then scroll down and look at HNG-X. 12 Do you see that it sets out a process that is 13 used to access branch counters? 14 A. Indeed, yes. 15 Q. It says that the method is Secure Shell. 16 A. Yes. 17 Q. Can you describe, please, to a lay audience what 18 Secure Shell was? 19 A. It enabled a technician to connect to and 20 execute commands on a remote system over 21 a secure encrypted connection. 22 Q. It says that: 23 "The server component resides on the branch 24 counter and is provided by the Cygwin OpenSSH 25 server package." 117 1 What does that mean, please? 2 A. Cygwin was a package that could be used on 3 Windows' platforms to enable Unix-like commands 4 to be executed so Windows and Unix being two 5 different flavours of operating system. It then 6 sets out requirements, if we skip on a couple of 7 paragraphs to "To gain access to the branch 8 counter". It says: 9 "... using the remote support capability the 10 member of staff must ..." 11 Then there are a number of requirements set 12 out: 13 "Be a Fujitsu employee 14 "Have been security and financially vetted 15 ..." 16 Was that a new requirement, to be 17 financially vetted? 18 A. No, I think the financial vetting was the 19 original level of vetting. No, I can't help 20 with that. I'm struggling there. 21 Q. Okay: 22 "Possess a 2 factor authentication token 23 issued by the Security Operations team ..." 24 Can you remember when that was introduced? 25 A. Two-factor authentication tokens were around 118 1 from the very early days of Horizon. We used to 2 use a token called a secure ID, right back -- 3 I can't give you a date but it was early in 4 Legacy Horizon and, in HNG-X terms, there was 5 a separate secure -- a different secure token 6 that was connected to the PC in order to 7 generate a security token number. 8 Q. Just to be clear, the two-factor authentication 9 token, was that just to get access to the system 10 generally or was a special token required to be 11 issued by the security operations team, if you 12 were going to make changes to branch counters? 13 A. Yeah, a token was required for any secure system 14 access. So that would be anybody in the third 15 line support group, anybody in Belfast or 16 Operations, people in other units would also 17 have had secure tokens if they needed to access 18 the system in something other than a read-only 19 fashion. 20 Q. But there wasn't a special token issued -- 21 A. Not for this purpose. 22 Q. -- for the purposes of making alterations, I'm 23 going to call it? 24 A. No. 25 Q. Okay. 119 1 Skipping a couple of paragraphs: 2 "Have access to a branch support access 3 private key." 4 What does that mean? 5 A. I don't know. I don't know, sorry. 6 Q. Just going back to page 1, and looking back at 7 the distribution list, the second person to whom 8 the document is said to have been distributed 9 was Chris Jay, who was described as "Defence 10 Legal". Can you remember who that was and what 11 Defence Legal was? 12 A. I remember there was a period when there was 13 some sort of legal oversight going on. I mean, 14 Chris Jay was part of the Fujitsu legal 15 department, as I remember it. I can't remember 16 when his involvement started or why his 17 involvement was on there. 18 Q. You said that you remember a period when there 19 was some sort of legal oversight going on. 20 A. Mm-hm. 21 Q. Legal oversight of what? 22 A. I'm not sure. I just remember occasionally 23 having to pass documents past Chris Jay. 24 Q. Documents about the Horizon System? 25 A. Yes, indeed, yeah. 120 1 Q. What was the purpose of having to pass them past 2 Chris Jay? 3 A. Some kind of review. I unfortunately just don't 4 remember precisely why he was, in the loop for 5 something. 6 Q. You said that you remember that being at some 7 period? 8 A. Yes. 9 Q. Can you remember when that was? 10 A. Unfortunately, no. 11 Q. Can we move on, please, to FUJ00087187. We were 12 previously looking at a document dated 13 August 2015, we're now moving, if we look at the 14 foot of this page, to 12 August 2016. Yes? 15 A. Indeed. 16 Q. If we go to the top of the page, the heading is 17 "Transaction Corrections within Riposte based 18 Horizon": 19 "The 'Old' Horizon System (pre-HNG-X) was 20 based upon a product called Riposte. The basic 21 architecture was that each counter had a local 22 database known as the Message store. The data 23 centre had a number of servers known as 24 correspondence servers, each instance of which 25 managed a subset of the live branch estate." 121 1 All accurate? 2 A. Yes. 3 Q. "Correspondence servers contained large Message 4 stores which replicated to and from the set of 5 counters that correspondence server managed. 6 Thus collectively the central Message stores 7 would contain detail of all branch 8 transactions." 9 Correct. 10 A. All correct, yes. 11 Q. "The old audit system harvested branch 12 transaction data from the correspondence servers 13 giving it an audit trail of all branch 14 transactions." 15 Is that accurate? 16 A. I was never supporting the audit part of the 17 service, so I can't say for sure that it gave 18 an audit trail of all branch transactions but 19 I know that was its purpose. 20 Q. "The replication process between the 21 correspondence server message stores and counter 22 message stores was two way. So it was possible 23 to inject messages into the central message 24 stores and these would be transmitted to the 25 relevant counter message store. This was the 122 1 process that was used to effect the equivalent 2 of transaction corrections in old Horizon." 3 Does that match your understanding? 4 A. It does, yes. 5 Q. "Any such correction entered this would be 6 recorded with a node ID of the central 7 correspondence server ([greater than] 32) ..." 8 Can you explain what that means, please? 9 A. Yes. As we saw earlier, where the IDs and nodes 10 within the branches would be 1 upwards, 11 correspondence servers were 32 upwards just to 12 separate them from the branch estate -- or, 13 sorry, make it clear that it was 14 a correspondence server rather than a branch 15 counter. 16 Q. "... and would be included in the standard 17 branch audit trail. Thus they were readily 18 identifiable. The same technique was used to 19 transmit other data ... from the centre to the 20 branch. 21 "Any such correction would have been subject 22 to an ... (Operational change process pre-dating 23 MSCs). Need to find some examples of some old 24 OCPs and some view on how often it happened -- 25 Steve Parker?" 123 1 Now, presumably you won't have seen this 2 document, other than for preparing for today? 3 A. That is correct, yeah. 4 Q. Can you remember the context, why in August 2016 5 you would have been being asked for examples of 6 OCPs, old ones, and a view on how often the 7 process described there happened? 8 A. I have to suspect in my mind that this was all 9 to do with legal/litigation issues, but I don't 10 remember the exact -- exact context of this 11 document. 12 Q. The sentence "All such corrections would be 13 recorded with a node ID of the central 14 correspondence server [of greater than 32]", 15 didn't we establish earlier that some 16 corrections would have to be made using the 17 branch counter ID? 18 A. That's correct, yes, a limited, very limited 19 number had to be entered as if they had 20 originated at the branch. Most would be able to 21 be executed at the correspondence server but I 22 can't remember or give you examples of which 23 ones were which. 24 Q. So this is inaccurate to say that any such 25 correction would be recorded with a node ID that 124 1 would leave a footprint to make it readily 2 identifiable as coming from the SSC? 3 A. If it -- I think that depends on your reading. 4 My reading of it was that, as it said, it was 5 possible to inject messages into the central 6 message stores. That sentence was referring to 7 messages injected into the central message 8 stores, but I agree it could be read either way. 9 Q. Can we move on, please, to FUJ00087220. We were 10 previously in August 2016, we're now in October 11 2016 and this is an email chain in which you 12 were involved. It's in relation to a Deloitte 13 audit report, an audit, I think, in which you 14 were also involved? 15 A. I believe I took part in it, yes. 16 Q. Yes. I think I've got a record of you being 17 interviewed before it. 18 A. Yes. 19 Q. Can we go to page 5, please. We can see that 20 this is an email from Stuart Honey to Russell 21 Norman, Dave Haywood and you? 22 A. Yes. 23 Q. Can you help us with who Mr Honey was? 24 A. Stuart was involved in the security of the 25 system as well. I can't remember, I think 125 1 Stuart was more on the development side than -- 2 as opposed to Dave Haywood being on the 3 architectural side. 4 Q. In any event, the email that's sent to you and 5 others says: 6 "Hi Russell, 7 "I sent some information to Stuart Honey 8 regarding this ..." 9 Then that's repeated. 10 "... and I was not sure of the outcome after 11 that point. Was this linked to the info Paul 12 has collated for data flows -- Paul/Dave/Stuart 13 APPSUP -- Steve raised the point about whether 14 the process should be changed to match the 15 designs or the designs changed to match the 16 process as in the attached?" 17 Doing the best we can of reading this email, 18 you're reported -- I think you're the Steve 19 here -- as saying, "Should we" -- is this right 20 -- "write documents that match the process that 21 we currently operate or should we change our 22 processes to match designs in documents that we 23 are to write?" Is that right? 24 A. Yes, except the documents are already written, 25 I believe. 126 1 Q. Ah, so some documents had already been 2 written -- 3 A. I believe so, yes. 4 Q. -- that didn't match the process? 5 A. Yes, I believe so. 6 Q. Can you recall in what respect they didn't match 7 the process? 8 A. I mean, I looked at the information in my 9 bundles on this whole APPSUP issue. I don't 10 remember exactly how they didn't correspond to 11 the actual process but I know that the way that 12 the SSC used APPSUP at this time allowed any 13 member of the SSC to escalate privilege, in 14 order to make -- in order to work on the system 15 in a privileged fashion. 16 I believe the documentation said that any 17 such changes in HNG-X would only be done via 18 a development provided script. It was around 19 that area. I mean, the whole thing got 20 extremely complicated and went backwards and 21 forwards for sometime. 22 Q. So there's a debate really here whether the SSC 23 should do what's in a written policy or whether 24 the written policy should, in effect, be a piece 25 of reverse engineering -- 127 1 A. Sure. 2 Q. -- to reflect what it does in practice? 3 A. Indeed. 4 Q. What was the outcome? 5 A. As I remember, the outcome was that, in order 6 to -- in order for the development group to 7 provide scripted -- the ability for scripted 8 changes for everything the SSC did, it became 9 too difficult to implement for reasons of the 10 logistics of people being available out of hours 11 to approve SSC access and then make changes to 12 the system in order to allow a member of the SSC 13 to elevate access or use scripts. It was -- 14 there was -- it was more to do with "We can't 15 get the right people on call to do this", and 16 a pragmatic view was taken that, since all SSC 17 access via APPSUP in HNG-X was audited anyway, 18 the existing methods would continue to be used. 19 Q. I think we can see your reply on page 4, if we 20 scroll down. We can see that is from you to 21 Stuart Honey and others? 22 A. Yes. This was an earlier stage in that process, 23 yes. 24 Q. You say: 25 "In principle ... I would prefer that we 128 1 have this removed ..." 2 That was the-- the "this" here was 3 essentially the APPSUP access -- 4 A. The ability to raise our privilege to APPSUP 5 level without any -- 6 Q. Auditable oversight? 7 A. Thank you, yes. 8 Q. You said in principle you would prefer that you 9 had that privileged access removed so that you 10 could go back to the security model as 11 documented. You wanted to do what the policy 12 said ought to be done, rather than what was in 13 fact being done? 14 A. Correct, yes. 15 Q. But for pragmatic reasons that was not possible? 16 A. I do outline some of those, the issues that were 17 going to be experienced further on there. 18 Q. How significant an issue was this? 19 A. It went backwards and forwards for sometime. 20 But it was -- it's a reasonable example of the 21 pure security view which says "You just don't do 22 this" and the pragmatic view which says that was 23 the only way we could logistically manage the 24 process. 25 Q. Can we go forwards, please, to a little later in 129 1 October 2016. Sorry, this is August 2016 to 2 October 2016, to FUJ00089535. You'll see that 3 this is a formal policy document setting out the 4 high level design for the remote access secure 5 access server, written by Mr John Bradley. If 6 we turn to page 4, at the foot of the page, 7 I think we can see that you're a reviewer? 8 A. Yes. Whether I reviewed or not is debatable. 9 That form of entry with my name and the name of 10 a member of the SSC afterwards, I was sent every 11 document for review and I would farm those out 12 to individual members of the SSC who would 13 respond for me. 14 Q. I see. We can see that the mark in brackets 15 afterwards takes us to -- underneath "0.3 Review 16 Details", it shows that it was somebody that 17 actually returned a comment? 18 A. Yes. 19 Q. Does that mean it was Mr Breakspear that did 20 so -- 21 A. Yes. 22 Q. -- or does it mean that either of you and 23 Mr Breakspear did? 24 A. I would expect that to mean Phil did. By that 25 time, I was getting less and less technically 130 1 proficient, having been in a management role for 2 longer, and I didn't feel competent to actually 3 comment on this kind of a document. 4 Q. Can we look at what it says is the formal policy 5 by October 2016, at page 13, please. Scroll 6 down to 4.1.2 "Audit", it states: 7 "Although no active command logging or 8 keystroke logging is done, we are keeping 9 a record of people logged on to SAS Server 10 through double authentication and OS security 11 policies for state servers." 12 Firstly, the things that aren't being done, 13 active command logging, what's that? 14 A. Believe that refers to logging the commands 15 being executed. Why that's been distinguished 16 from keystroke logging, I'm not clear, really. 17 Q. Are they essentially the same thing? 18 A. Actually, probably not, thinking about it. 19 Keystroke logging, if you were entering data 20 into a field in a form on a screen, then 21 keystroke logging would detect as you enter keys 22 5, 4, 3, 2, et cetera. Whereas command logging 23 would log the whole string that you put in after 24 any corrections have been done. 25 Q. So on that example -- 131 1 A. So, thinking about it, I can see why there is 2 a difference there, yes. 3 Q. So, in your example, command logging would just 4 record that you had committed to whatever 5 process you were undertaking, the digits 5, 4, 6 3, 2, 1. It wouldn't record that you initially 7 typed 7, 8, 9, 10, deleted them and then wrote 8 5, 4, 3, 2, 1 and then committed them to the 9 process? 10 A. That's correct, yes. 11 Q. Why would command logging or keystroke logging 12 be contemplated for secure access to the live 13 estate? 14 A. It gives an irrefutable record of precisely what 15 was being -- was being executed. 16 Q. In that way, it is entirely auditable after the 17 event? 18 A. It would be, yes. 19 Q. In what sense is that a normal standard for the 20 kind of remote access to financial data that we 21 are speaking about here, or to what extent is it 22 a gold standard that's never achieved? 23 A. I don't know what the documented standards are, 24 industry standards are, in this area. So 25 I can't be sure. 132 1 Q. Can you recall discussion across the ages as to 2 whether or not active command logging and/or 3 keystroke logging ought to have been the 4 standard that should be achieved? 5 A. I don't remember discussions. It would be my 6 preference, for the reasons we have stated 7 previously, that it gives an irrefutable record 8 of what's been done. 9 Q. So it was that, even by 2016, despite the 10 documents we've previously seen as to what had 11 been proposed, that this still that not been 12 introduced? 13 A. Yes, that would have been my reading. 14 Q. Had that been the subject of discussion and 15 debate? 16 A. No. But if I may, I will rewind slightly. 17 There was keystroke logging introduced as part 18 of the SSH implementation that we've been 19 looking at here, and I know for a period 20 keystroke logging did take place because 21 I remember there being servers that contained 22 the log data. 23 At some stage, and I don't remember when, it 24 must have come out of the system again for some 25 reason. I have no recollection of when it came 133 1 out or why. 2 Q. Who would have put it in and who would have 3 taken it out? 4 A. It was put in as part of the version of Horizon 5 that we saw earlier when we were talking about 6 this was about the time of network banking. 7 That's when it would have gone in. I believe, 8 the more I think about it, it probably came out 9 at HNG-X but I'm not positive of that. 10 Q. Your best memory is between about 2006 and 2010? 11 A. Correct. 12 Q. Can you recall, in general terms, the reason 13 why, despite it being so obviously desirable 14 that it was not done? 15 A. I can't remember why now, no. 16 Q. Thank you. 17 Can we go to FUJ00138382. This is 18 exceptionally difficult to read, so I'll take it 19 slowly. It's another work instruction; can you 20 see that? 21 A. Yes, I can. 22 Q. Its title is the "APPSUP role". 23 A. Yes. 24 Q. Why was it described as a role? 25 A. That was the term used within the Oracle 134 1 software that ran the database services. You 2 literally called a command "set role APPSUP". 3 Q. Okay, so it's not speaking but person's role; 4 it's speaking about a role in terms of 5 a function that a system performs? 6 A. It is, yes. 7 Q. Okay. You'll see that you created this on 8 31 October. Again, it had a later update, last 9 by Mr Gelder, and we're looking by version 21? 10 A. Yes. 11 Q. So, again, we should bear in mind that not every 12 word will be yours and maybe none of them are 13 yours. Can we see under heading "Below is the 14 Historic Process", it says: 15 "The Horizon security design has two main 16 groups with privileged access to the system. 17 Belfast Operations for operational purposes and 18 SSC for data correction and support." 19 Is that accurate, that there were two main 20 groups within Fujitsu who had privileged access 21 to the system? 22 A. Yes. 23 Q. "This privilege was deliberately split between 24 the two units to separate the roles for security 25 purposes and prevent a single point of failure." 135 1 Can you explain how splitting, as it's 2 described, operational purposes and data 3 correction and support, prevents a single point 4 of failure? 5 A. If for some reason there was a disaster which 6 rendered the SSC inoperable or there are network 7 connections in to the service that make it 8 inoperable, then Belfast Operations could carry 9 out commands on our behalf or vice versa. 10 Q. It continues: 11 "In each case the requirement is for 12 a distinct privileged role that would only be 13 used when suitable change control has been 14 raised for audit trail, not authorisation 15 purposes." 16 Can you explain what that means? It tends 17 to suggest, does it, that the audit trail is the 18 desired focus for the change control process, 19 rather than actually being for authorising the 20 change? Sorry, that's a terrible question. 21 A. No, I understand what you're saying. I think 22 you're right. Because the SSC were capable of 23 doing a set role APPSUP without authorisation, 24 then that sentence, in some ways, makes sense. 25 The statement is being made that you should 136 1 raise the change control to make sure a record 2 is being kept. 3 Q. Does it follow that the Operational Change 4 Process was all about creating an audit trail 5 and not about actually seeking authorisation in 6 each case? 7 A. No. No. I mean, the change control process was 8 as much -- for most purposes, was as much about 9 the approval as about ensuring whatever was 10 being affected wasn't documented. 11 Q. Can you help us, this is within seven days, this 12 work instruction was raised, of the formal 13 policy setting out high-level design for remote 14 access to the secure access server. Remember, 15 that one was dated 24 October 2016 and we're now 16 on the 31 October 2016. 17 A. Right, yes. 18 Q. Why was it necessary, in October 2016, to set 19 out in a work instruction the historic process 20 that had been followed years before but was now 21 no longer followed? 22 A. I don't know. I have no recollection of it. 23 Q. At this stage, can you remember, were complaints 24 being made and litigation contemplated? 25 A. Timing wise, I would say that's possible but 137 1 I don't remember that being the case here, or 2 a motivation here. I don't remember enough 3 about it to tie that in. 4 Q. Can you think of a reason why a work instruction 5 would be written in October 2016 that set out, 6 not a work instruction, but an historic process 7 in the past? 8 A. Not really, no, because, I mean, I would have 9 expected that kind of thing to have already 10 existed. So I'm not clear why this is here in 11 this form. 12 Q. You wrote the document? 13 A. Yeah, and I just -- unfortunately just don't 14 remember what I was trying to achieve at that 15 time. 16 Q. You think it was "We've got a new document dated 17 24 October setting out what we're going to do in 18 the future, we need to reduce to writing" -- 19 A. What we did in the past. 20 Q. -- "what we did in the past, so that it's 21 accurately recorded because we now know it's 22 going to be the subject of questions"? 23 A. It's the sort of thing I can see myself doing 24 I just don't remember it. 25 Q. Can we go to your witness statement, please, at 138 1 paragraph 72, which is on page 23. If we scroll 2 down, thank you. You say: 3 "The SSC was hugely reluctant to change 4 transaction data as that was not our job and we 5 recognised the seriousness of doing so." 6 Why were you being requiring to change 7 transaction data when it wasn't your job? 8 A. If there was a situation where it was impossible 9 for a change to be effected by the Post Office, 10 in order -- via a transaction correction or 11 whatever other mechanisms they used, then, in 12 rare circumstances, it may be necessary for us 13 to effect a financial change. I mean, the 14 comment that it is not our job was -- you know, 15 we would much prefer in all cases that financial 16 information was rectified by the Post Office and 17 not us. 18 Q. Did you say you would much prefer in "court 19 cases"? 20 A. No, in all cases. 21 Q. In all cases, thank you. 22 A. Yes, yes. 23 Q. Why would you much prefer that? 24 A. Because I don't believe that people who were 25 supporting a system should be responsible for 139 1 making financial changes. That is a business 2 position. 3 Q. So whose job was it? 4 A. I would argue that POL should be issuing some 5 form of transaction correction for 6 a postmaster's account. 7 Q. Why weren't they doing it? 8 A. I believe there were some circumstances where it 9 just couldn't be effected with the tools they 10 had. 11 Q. Is that because you controlled access to the 12 dominion that required changing and that they 13 simply physically could not do it? 14 A. I believe so, yes. Yes. 15 Q. At the time, did you express your concern that 16 you were being required to change transaction 17 data that wasn't your job? 18 A. That comment would be made with the caveat that 19 sometimes we just had to do it. There was no 20 choice. But the circumstances were rare. 21 Q. You say in paragraph 72.4 over the page that -- 22 the lead-up to this paragraph is: 23 "In the rare circumstances where it was 24 necessary to correct financial information on 25 the system we would ... 140 1 "72.4. Ensure POL and/or the subpostmasters 2 were informed (... via the Service Delivery 3 Team)." 4 A. Yes. 5 Q. How would you ensure that POL and/or the 6 subpostmasters were informed? 7 A. By giving the necessary information to the 8 Service Delivery Team for onward routing to the 9 Post Office or onward discussion with the Post 10 Office. 11 Q. Where you're referring here to the Service 12 Delivery Team, who are you referring to within 13 Fujitsu? 14 A. People's names or roles? 15 Q. Roles, please. 16 A. It's the team I was referring to earlier in our 17 discussion, who had various service managers who 18 would be responsible for different parts of the 19 system and that could collectively be termed the 20 Service Delivery Team. 21 Q. Did you expect subpostmasters therefore to be 22 informed on each occasion that changes were made 23 to financial data concerning their counters and 24 their branches to be informed that that had 25 happened? 141 1 A. Oh, yes. 2 MR BEER: Sir, I wonder whether we could take the 3 break now, please, until, say, 3.15. 4 SIR WYN WILLIAMS: Yes, and how do you predict the 5 remaining afternoon going? 6 MR BEER: Sir, I've got another topic, which is 7 about 20 minutes, to cover. Then I think -- 8 SIR WYN WILLIAMS: Are there many CP questions? 9 MR BEER: Five minutes and two minutes, I've been 10 told, sir. 11 SIR WYN WILLIAMS: Right. So we're well on track to 12 finish Mr Parker this afternoon, that's what it 13 boils down to? 14 MR BEER: Yes, sir. 15 SIR WYN WILLIAMS: Fine. What time again, sorry? 16 MR BEER: 3.15, please. 17 SIR WYN WILLIAMS: Fine. 18 (3.02 pm) 19 (A short break) 20 (3.15 pm) 21 MR BEER: Good afternoon again, sir. Can you see 22 and hear me? 23 SIR WYN WILLIAMS: Yes, I can. 24 MR BEER: Before we move to the topic that I said 25 I was going to move to, can I just ask you some 142 1 supplemental questions on the issue we were just 2 addressing and go back to paragraph 85 of your 3 witness statement on page 31, please. So it's 4 paragraph 85. 5 You'll remember the "One would have to 6 concede" sentence, and then you set out some 7 controls that give protection against the errors 8 or similar that you have identified as 9 a possible consequence of remote access. I just 10 want to ask you about the one you identify in 11 85.2 and so you say: 12 "Controls offered some protection here ..." 13 Then 85.2: 14 "Any such intervention would be with the 15 subpostmaster's consent and the subpostmaster 16 would use system reporting to check that the 17 results of SSC work were as expected." 18 Dealing with the first part of the sentence 19 first, any such intervention would be with the 20 subpostmaster's consent. Are you saying that 21 before the SSC made any changes to data, any 22 alterations or inserted messages, that was 23 always done with the subpostmaster's consent? 24 A. I would probably have to amend that to say where 25 the incident to originated from the 143 1 subpostmaster, then clearly we would be in 2 contact with him or her and would be discussing 3 and telling them we are effecting something for 4 them. I think that I should probably caveat it 5 in just that way. 6 Q. Just dealing with that caveatted way first, 7 being in contact with a subpostmaster doesn't 8 necessarily mean that you have their consent to 9 make alterations to their financial data, 10 agreed? 11 A. Yes, yes. 12 Q. So, even in the cases where you were in contact 13 in the SSC with a subpostmaster, it was not the 14 case that you always obtained their consent 15 before alterations to financial data were made; 16 is that right? 17 A. I want to say that it's not right and that we 18 would always discuss with the subpostmaster but 19 there was no controls to ensure that was the 20 case. 21 Q. Why were there no controls to ensure that that 22 was the case? 23 A. Again, change control would always be used, but 24 that was effectively the only control in that 25 process. 144 1 Q. Change control was focused on the Post Office as 2 an institution, rather than the individual 3 subpostmaster knowing, less still consenting, to 4 the change? 5 A. That is true. That is true. But I would expect 6 that, whenever a member of the SSC was working 7 on a subpostmaster call, they would be talking 8 to them as necessary and helpful to them. 9 Q. Let's deal with the sentence without the caveat. 10 In a case where SSC was talking with one 11 subpostmaster but on examination it was found 12 that the problem affected the financial data of 13 100 subpostmasters, those other 100 14 subpostmasters were not contacted, and -- 15 A. Well -- 16 Q. -- said that there will be a correction made to 17 their data? 18 A. They wouldn't be by the SSC, no. 19 Q. Were they contacted by anyone, to your 20 knowledge? 21 A. In the case of a change to that scale, ie 100 22 subpostmasters, I mean, that would have gone -- 23 been part of the problem management process, it 24 would have gone through service managers it 25 would have gone through POL. 145 1 Q. Yes. Were you personally involved in carrying 2 out any of the communications back down to the 3 subpostmaster -- 4 A. I very rarely -- 5 Q. -- in that kind of incidence? 6 A. In that kind of incident I was not personally. 7 Q. Were any of your staff in the SSC involved, 8 "We're talking with one subpostmaster, we've 9 discovered that the bug affects 100 others, 10 let's, in the SSC, contact the other 100"? 11 A. No. No. 12 Q. That wasn't part of the SSC's function? 13 A. No, it wasn't. 14 Q. What do you know about the process by which 15 those other 100 would be contacted? 16 A. Very little. I would have expected it to have 17 gone through the Post Office in -- I think, in 18 all cases. We wouldn't phone up a large number 19 of subpostmasters ourselves. 20 Q. Do you know anything about a process by which 21 such subpostmasters would be contacted by the 22 Post Office -- 23 A. No. 24 Q. -- to say "A bug has been discovered, it's 25 affected your data without your knowledge. A 146 1 correction has been made without your 2 knowledge"? 3 A. No, I don't know about that sort of process, no. 4 Q. Thank you, that can come down. 5 Can we turn to the topic I wanted to ask 6 about which is the process by which Anne 7 Chambers came to give evidence in the Lee 8 Castleton case. 9 A. Right, yes. 10 Q. You know that Mrs Chambers gave evidence in the 11 Lee Castleton trial in 2006? 12 A. I do, yes. 13 Q. What was your involvement in the process that 14 led to her giving evidence? 15 A. I don't remember being involved in the process 16 that led to her giving evidence in any 17 substantive way. I may have helped in the 18 provision of some information. 19 Q. Information to who? 20 A. To either Anne or the Post Office. But -- 21 Q. Information about what? 22 A. About the issue. 23 Q. What was the issue? 24 A. I don't remember exactly the history of that 25 particular incident. 147 1 Q. So when you say you may have been involved in 2 giving information about the issue concerning 3 the incident, do you mean information about the 4 subpostmaster, Lee Castleton, and the Marine 5 Drive branch? 6 A. Yes, I recollect vaguely being asked a few 7 questions about it and filtering those -- some 8 of Anne's answers back. 9 Q. Why was Anne Chambers selected to give evidence? 10 A. Because she was the person who had worked on the 11 problem. 12 Q. Was she content to give evidence? 13 A. No. I mean, she -- as I remember, she wasn't 14 particularly happy about the idea of giving 15 evidence and the situation was somewhat forced 16 on her. 17 Q. Who forced it on her? 18 A. It was internal Fujitsu politics. 19 Q. Who were the internal Fujitsu politicians? 20 A. I would have to refer you to Mik Peach for that. 21 He was manager then and, like, would have been 22 the person who was directly involved in it. 23 Q. Why did she not want to give evidence or why was 24 she not content that she should give evidence? 25 A. My impression, when I had the opportunity to 148 1 talk to her, was that it was the environment and 2 the stressful nature of the questioning process. 3 Q. So was it after the event that you learned that 4 she was unhappy -- 5 A. Yes. 6 Q. -- rather than beforehand? 7 A. Fairly sure it was, yes. 8 Q. Can we look at a couple of documents, please. 9 POL00070133. Can we look at the foot of the 10 page, please. There's an email from Mandy 11 Talbot in Royal Mail to Gary Blackburn and 12 others in Royal Mail, and a copy to Stephen 13 Dilley: 14 "Lynne, further to our chat can you advise 15 what are the names of the postmasters and 16 addresses of the branches if possible of the 17 following FAD codes ... 18 "In February of this year you wrote to Gary 19 Blackburn and he wrote to Shaun Turner and then 20 Sandra MacKay about these branches which had 21 apparently registered complaints about the 22 Horizon System. Fujitsu have told us that in 23 respect of Callendar Square that there was 24 a problem when stock was transferred from one 25 stock unit to another but this would only apply 149 1 when there was more than one stock unit, ie more 2 than one position at the counter. 3 "Did any of you find out what the problems 4 were at the other branches and what did POL and 5 Fujitsu do to correct them?" 6 Can you recall your involvement in the 7 Callendar Square bug? 8 A. I don't recall. It was very little. 9 Q. Can you recall whether that suggestion there, 10 that the bug would only apply where there was 11 more than one stock unit, ie more than one 12 position at the counter, is accurate or not? 13 A. No, but I watched Anne's testimony so I saw what 14 she said about it but that's why I can recall 15 something now, but only what she said then. 16 Q. Okay, and so if I ask you questions about that 17 you'd be replaying to us what you saw Anne say 18 last week? 19 A. I would, yeah. 20 Q. Okay. Can we go to the top of the page, please. 21 It is sent on to you, can you see -- 22 A. I do. 23 Q. -- by Mandy Talbot on 6 December: 24 "Steve I have copied you into this email to 25 POL because it may be that you might have to do 150 1 a repeat performance tomorrow once the FAD codes 2 have been identified and the name of the 3 branches revealed. Incidentally can you 4 identify branches from FAD codes? As, if so, 5 this might give you a head start?" 6 Can you recall what the repeat performance 7 she was talking about was? 8 A. I don't, no. 9 Q. Can you recall the context of this, namely 10 Mr Castleton raising the existence of the 11 Callendar Square bug and you and Fujitsu being 12 asked to investigate its extent and the branch 13 that it was said to have affected? 14 A. Not really, no. No. 15 Q. "Stephen and Richard our legal team at the Court 16 will be doing their best to persuade the Court 17 not to allow Castleton [I think that's 18 Mr Castleton] to call this evidence because it 19 is filed late and does not relate to the 20 problems at his branch office. If they are 21 successful there will be no need to progress any 22 further with these investigations but as 23 Castleton is a litigant in person it is common 24 for Judges to be sympathetic and may allow him 25 to rely on his evidence. If so you will have to 151 1 pull out all the stops to investigate what, if 2 anything, went wrong at these branches and why 3 we can distinguish them from Mr Castleton at 4 Marine Drive." 5 Can you recall what work you did, in fact, 6 do to seek to distinguish what had gone wrong at 7 these other branches and why those problems had 8 not afflicted Mr Castleton at Marine Drive? 9 A. No, I mean, I suspect that from the date while 10 this was going on, I was acting in some reason 11 as sort of deputy manager while Mik may not have 12 been there and I would have farmed that job out 13 to somebody else to actually do, so I don't 14 remember what was done. 15 Q. Can we see what I think is your reply at 16 POL00070135. If we just look at the foot of the 17 first page and then a bit of the second page, we 18 can see that this is your email, yes? 19 A. Yes. 20 Q. So this is a reply on 6 December. You say: 21 "Mandy, 22 "As discussed on the phone today: 23 "Callendar Square demonstrated a software 24 problem within Horizon. The problem has been 25 present prior to 2004. For an unidentified 152 1 reason Callendar Square was badly hit by it from 2 September '05. Problem was fixed during release 3 S90 of the Horizon software. 4 "The incidents at Marine Drive show no 5 symptoms of this problem. In particular: 6 "1) Problem occurred when transferring stock 7 between stock opportunities. Marine Drive had 8 any one stock unit so couldn't do transfers." 9 That's the point that Mrs Chambers corrected 10 last week. 11 A. Yes. 12 Q. "2) Problem caused an event storm ... with 13 specific details. There were none of these at 14 Marine Drive. 15 "3) Problem caused a receipts and payments 16 mismatch which showed on the cash account. This 17 didn't happen on Marine Drive." 18 For these, did you conduct the investigation 19 to highlight those three points? 20 A. No. 21 Q. Where did you get the information from? 22 A. I don't remember who I asked to do it. I would 23 have expected, if Anne was about, I would have 24 probably asked her because of her experience 25 previously with that, with Callendar Square. 153 1 But I can't be sure. 2 Q. Can we go to the top of the page, please. 3 You're not copied in on this but Mandy Talbot 4 forwards your email to Stephen Dilley, the Bond 5 Dickinson solicitor; Richard Morgan, Post Office 6 counsel; Dave Hulbert, who I don't know; and 7 then two others within the Post Office. She 8 says: 9 "Anne Chambers conducted the analysis for 10 Fujitsu." 11 Does that help you recall what the content 12 of your telephone conversation may have been 13 with Mandy Talbot or might she have been talking 14 directly to Anne Chambers? 15 A. It's quite possible she was talking directly, 16 but I'm not sure. 17 Q. Ms Talbot continues: 18 "She can give evidence on this. She will 19 not say that no problem has arisen with the 20 Horizon System since Castleton was sacked but 21 will say that no serious problem have been 22 elevated to their team to deal with." 23 Dealing with those, was it the case that no 24 serious problems had been elevated to the SSC? 25 A. I'm assuming that was what was meant there, yes. 154 1 Q. Was it true? 2 A. I don't remember. 3 Q. "Fujitsu say that this particular software 4 glitch was known about in 2004 and the initial 5 response to a problem by the Helpdesk would 6 usually be to suggest user error ..." 7 Is that correct, the initial response of the 8 Helpdesk was usually to suggest user error? 9 A. I don't know what the Helpdesk was saying to the 10 subpostmasters on this issue, unfortunately, 11 sir. 12 Q. "... but that if it continued the problem had 13 a pretty firm footprint which could be picked up 14 by Fujitsu. Further that this glitch is limited 15 to counters which have more than one stock unit 16 and as Marine Drive had only one stock unit and 17 the footprint did not appear it cannot explain 18 Castleton's problems. The glitch would also be 19 observed as a mismatch in the receipts and 20 payments records. 21 "This particular glitch was known to Fujitsu 22 prior to 2004 and as such it is one of the 23 things which would automatically have been 24 checked for by Fujitsu when conducting their 25 analysis." 155 1 Is that right, when individuals were being 2 either prosecuted or civil proceedings were 3 being taken against them or civil proceedings 4 were being defended, Fujitsu would conduct 5 a series of checks as part of an analysis to see 6 whether that branch was afflicted by known bugs. 7 A. I believe it was but I didn't conduct -- 8 I didn't request any of those such things 9 myself. 10 Q. Why do you believe that it was? 11 A. Only because of my experience with what I've 12 seen during the High Court cases and things. 13 Q. People in your department, would they be 14 involved in conducting this analysis to see 15 whether the branch or the subpostmaster, against 16 whom action was being taken, whether they or 17 their branch were afflicted by any of the known 18 bugs in the system? 19 A. I believe the process was by then that it would 20 be Gareth Jenkins who was actually presenting 21 the information to court. So we would be in the 22 SSC providing him with the information he 23 required. It would be him who did the analysis, 24 witness statement, et cetera. 25 Q. But people in your team would be providing him 156 1 with the evidence that he would give? 2 A. We would be providing him with the raw data he 3 asked for, yes. 4 Q. Was there a written process which said, "In the 5 event of a criminal investigation, a prosecution 6 or civil proceedings, these are the checks that 7 the SSC must perform"? 8 A. I wasn't aware -- no, I wasn't aware of any such 9 documents. I also think it's worth mentioning 10 at this stage that the data as used in court 11 would have actually come from the audit system 12 via an ARQ request. When the SSC was providing 13 data, this would be for initial analysis 14 purposes. 15 Q. So the data that the SSC provided to Mr Jenkins, 16 was that for information only and he wasn't to 17 use it as the basis to form conclusions -- 18 evidential conclusions? 19 A. Not for evidential conclusions. There was 20 something around the fact that all data that was 21 to be provided for court cases had to come via 22 an ARQ request and audit because there was 23 certain evidential change of evidence rules. 24 I don't remember the exact details. 25 Q. This email continues, skipping a paragraph: 157 1 "Steve Parker who conducted the 2 investigation with Anne ..." 3 Did you conduct the investigation with Anne? 4 A. No, I just think that was Mandy Talbot's 5 impression because I was involved in the phone 6 calls and things. 7 Q. So that's incorrect? 8 A. I would say so, yes. 9 Q. Was it only Anne Chambers that conducted the 10 investigation? 11 A. I don't remember any substantive input on my 12 part, no. So, yes, it would have been Anne. 13 Q. To your knowledge, was anyone else involved in 14 the investigation of Lee Castleton and the 15 Marine Drive branch, within the SSC? 16 A. I don't remember. 17 Q. Can we move forwards, please, to FUJ00138386. 18 Thank you. We'll see this is another work 19 instruction. 20 Can I just check the reference, please? 21 That's 8367. I'm looking for 8386. 22 Okay, that doesn't appear to have been 23 uploaded. I'll have to skip over those 24 questions. 25 Can we move, please, to POL00099397. 158 1 POL00099397. 2 Sir, those two document are unavailable. 3 I will therefore have to ask any questions of 4 Mr Parker about them if and when he returns on 5 the next occasion to give evidence. 6 SIR WYN WILLIAMS: All right. 7 MR BEER: Sir, those are the only questions I ask. 8 Thank you, Mr Parker. 9 I think it's Mr Jacobs first. 10 Questioned by MR JACOBS 11 MR JACOBS: Hello, good afternoon, Mr Parker. 12 I represent 156 subpostmasters who instruct 13 Howe+Co and I have two questions for you. 14 Firstly, this morning, Mr Beer asked you about 15 Helpdesk scripts. 16 A. Mm-hm. 17 Q. You said they were written by senior 18 technicians. 19 A. Correct, yes. 20 Q. What we're interested to know is are you able to 21 provide the names of those technicians who wrote 22 the scripts? 23 A. Unfortunately, no. I mean there was number of 24 people within the HSD who were considered more 25 senior that but I very rarely met them so 159 1 I don't remember those names, sorry. 2 Q. Are you able to tell us perhaps someone who 3 might know, so we can ask someone else? 4 A. The only suggestion I would have on that is the 5 current -- well, current -- when I was last 6 working for Fujitsu, the service manager for 7 that area at the time was Sandie Bothick. 8 Q. Sandie? 9 A. Bothick. 10 Q. Bothick. Okay, thank you. 11 A. So she would have been around the HSD at that 12 time. 13 Q. That's very helpful, thank you. 14 The second question is a question you may 15 already have heard because it was a question 16 that Mr Stein put to Mrs Chambers last week -- 17 A. Okay. 18 Q. -- at the end of her evidence and I want to ask 19 you the same question. So the question is: 20 during the evidence of this Inquiry, many of our 21 clients, subpostmasters and subpostmistresses, 22 said that their accounts, their branch accounts 23 never seemed to balance. 24 Examples are Janice Adams said that her 25 branch accounts didn't balance and shortfalls 160 1 occurred on a weekly basis, and the weekly 2 deficit was usually about £50 but higher on 3 occasions, and she said she used to put these 4 accounts routinely into the system in cash in 5 order to continue to trade the next day. 6 Mujahid Faisal Aziz says similarly that 7 there were many small shortfalls. He would 8 estimate on average £50 to £80 shortfalls per 9 week, which they always made good straightaway, 10 again by paying cash. Edward Brown said that 11 similar matters occurred to him and it wasn't 12 always a large shortfall but sometimes it could 13 be in the thousands. Gary Brown reported that 14 the shortfalls happened so often that it was 15 hard to keep track. 16 Now a question for you is: can you help us 17 understand how it was that the subpostmasters 18 and mistresses experienced so many shortfalls? 19 A. No, I'm afraid I can't, without an investigation 20 of each of their issues, because there were 21 a number of different possibilities there. So 22 no, I mean, I can't explain why a large number 23 of your clients have those issues. 24 Q. Again, looking at the same point, would there be 25 anybody else who you worked with who might be 161 1 able to throw some light on this, if you can't 2 answer the question? 3 A. I can't think of anybody relevant for that 4 particular thing, sorry. 5 MR JACOBS: That's fine. Thank you very much. 6 I haven't any more questions. 7 Questioned by MS PAGE 8 MS PAGE: Hello, I'd like to ask some questions 9 about the overnight processes for checking for 10 system errors. 11 A. Okay, yes. 12 Q. I understand that the program Tiscali was 13 involved in that, is that right? 14 A. Not aware of that name. 15 Q. No? Is it right that there were automated 16 processes that checked across the estate for 17 system problems? 18 A. Yes. 19 Q. Would some of the system events appear on what's 20 called the NT Event Log? 21 A. Yes, that would be one place where problems or 22 notable events would be written, yes. 23 Q. Is it right that some of them were particularly 24 on the radar, as it were? At any given time, 25 there might be a reason why you'd be looking out 162 1 for particular system events that might have 2 come up overnight? 3 A. Yes, that would be true, yes. 4 Q. Is it right that you'd look on the event logs 5 for that, perhaps the NT Event Log, but perhaps 6 there were other ones as well? 7 A. That wouldn't be a function the SSC would have 8 performed, but yes. I mean, probably the name 9 we were trying to get to earlier was Tivoli, and 10 that would have been a function performed by the 11 estate management team. So they would have been 12 looking out for events of a certain nature and, 13 if necessary, then raising incidents. 14 Q. So if they raised an incident that meant it 15 would come through to SSC; is that right? 16 A. Potentially, but it may have been an event which 17 indicated something which a different team 18 needed to see. So it wouldn't necessarily 19 always be SSC. 20 Q. If it was one that they knew was on the SSC 21 radar -- 22 A. Yes. 23 Q. -- then it would come through to you; is that 24 right? 25 A. It would do, yeah. 163 1 Q. This may or may not still ring a bell -- but 2 does an event which said the hard disk has a bad 3 block, does that ring a bell? 4 A. It does. That would be in the Legacy days 5 generally because that was when incidents of 6 hard disk error actually caused problems with 7 the Riposte messaging software. 8 Q. Right. So if you got that, it might mean that 9 there was problems with the messages? 10 A. It might do, yes. I mean, it wouldn't always do 11 but it's one of those -- 12 Q. Would that mean that would be a reason to flag 13 it for the SSC? 14 A. It would, yes. 15 Q. Yes, I see. If we see that and we then see the 16 SSC doing a remote reboot, would that be to try 17 to fix that? 18 A. I would have thought a remote reboot would have 19 been done by the event management team rather 20 than us but that would be an attempt to fix 21 that, yes. 22 Q. How did SSC go about doing a remote reboot, if 23 I can just try to understand that? 24 A. This is why I said it would be the event 25 management team. I believe a remote reboot was 164 1 effected by a Tivoli script being fired at the 2 counter. So the SSC didn't use Tivoli scripts. 3 This was departments like VSMC who would have 4 effected that. 5 Q. So a Tivoli script can be used to do that and, 6 in the case of a bad block, that would be 7 an attempt to restore messages on the hard 8 drive? 9 A. It wouldn't be an attempt to restore messages. 10 Generally, if I remember correctly, if you -- to 11 reboot -- if you rebooted after a bad block, it 12 would trigger part of the Windows NT operating 13 system to actually try to repair the disk and 14 I believe that was why it was done but we are 15 out of my technical expertise, there, really. 16 Q. Well, that's very helpful. Is that likely, 17 then, it might well tie in to SMC doing 18 something with replacing hardware if it failed? 19 A. Yes, it would, yeah. 20 MS PAGE: Thank you, those are my questions. 21 MR BEER: Sir, just before you release Mr Parker, 22 I wonder whether I could ask for your 23 indulgence. The error in the two documents not 24 being available to display is entirely my fault, 25 and nothing to do with the hardworking team that 165 1 sits behind me. Could I ask you just to rise 2 for five minutes, please. We might be able to 3 sort it out. 4 The questions that I have to ask are less 5 than ten minutes and, just in case we don't call 6 Mr Parker back in Phase 5, it would be 7 an advantage to him and to us if we got the 8 questions out of the way now. 9 SIR BRIAN LANGSTAFF: Yes, by all means. Certainly. 10 MR BEER: We'll let you know when we're ready, but 11 I imagine it'll be five minutes. 12 SIR WYN WILLIAMS: What I'll do is I'll stay close 13 to my monitor. I'll actually switch the video 14 off but I won't leave the room, so that you can 15 just speak to me and I'll come back to life 16 immediately. 17 MR BEER: Thank you, sir. 18 SIR WYN WILLIAMS: Fine. 19 (3.52 pm) 20 (A short break) 21 (3.55 pm) 22 MR BEER: Can you see and hear us? 23 SIR WYN WILLIAMS: Yes, I can. 24 MR BEER: Thank you very much. Apologies for that 25 once more, and apologies to you, Mr Parker. 166 1 Further questioned by MR BEER 2 MR BEER: Can we look at FUJ0013186, which is on the 3 screen. 4 You'll see that it's a work instruction 5 written by you on 8 September 2011. The title 6 of it is "Providing evidence for police or 7 litigation enquiries". It's version 11, and was 8 last updated by Mr Woodley in August 2021. 9 Details: 10 "Any request for evidence supporting any 11 form of litigation must be made via a defined 12 route. That route is from the security 13 department in POL to the Fraud and Litigation 14 service within the CSPOA Security team. This is 15 the only route that can be used for evidential 16 purposes because the data handling conforms to 17 the required legal rules for evidence. 18 "CSPOA Security will make contact with the 19 police and if necessary with POL lawyers. CSPOA 20 Security team may request that SSC staff provide 21 some technical input to the process. CSPOA 22 Security do not notify POL as to who provides 23 input into their general processes. They have 24 confirmed that no member of SSC will be required 25 to raise and sign any statements of witness as 167 1 to their activity in such matters and nor will 2 any pressure be brought to bear on SSC staff to 3 do so. If a request is made for a statement of 4 witness you should immediately inform the SSC 5 duty manager." 6 Then there's something about physical 7 hardware that I'm not going to read. 8 Why were you writing a work instruction in 9 September 2011 about the provision of evidence 10 to the police, or to POL? 11 A. It must have been because it became clear to me 12 that requests of this sort were being made 13 without coming from the CS security team and, as 14 I say there, that was the approved route and the 15 only one which should be used for those 16 purposes. 17 Q. Can you recall what had happened, what event 18 justified the writing of this work instruction? 19 A. No. Only that some sort of event of that type 20 must have happened to trigger me to make things 21 hopefully crystal clear. 22 Q. You see it refers in its body to the CSPOA 23 Security team, and CSPOA Security, yes? 24 A. Yes, indeed. 25 Q. And that it refers to the Fraud and Litigation 168 1 service within the CSPOA Security team. For how 2 long had the Fraud and Litigation service within 3 the CSPOA existed at the time that you wrote 4 this, or is that a later author's work? 5 A. I think the Fraud and Litigation service 6 responsibility that the CSPOA Security team had 7 always been there. I don't remember it being 8 something new. It was the means by which 9 evidence could be obtained and that was going on 10 while I was both the SSC manager and previously. 11 Q. You see it's got a capital "F" and capital 12 "L" -- 13 A. Yes, indeed. 14 Q. -- on "Fraud and Litigation", which might 15 suggest a title to a suborganisation within 16 CSPOA Security team. Am I right to draw that 17 from it or is that just a function that's being 18 described, namely Fraud and Litigation service 19 provision? 20 A. I can't be sure if somebody has changed it 21 afterwards. During my time, it was a function 22 rather than a separate service. 23 Q. We've heard from somebody called Andy Dunks. 24 Did he work in that team? 25 A. He did, yes. 169 1 Q. The work instruction says: 2 "This is the only route that can be used for 3 evidential purposes because the data handling 4 conforms to the required legal rules for 5 evidence." 6 Can you explain what that sentence is meant 7 to mean? 8 A. Only the face value that it gives you there. 9 I mean, I'm not -- I wasn't in any way involved 10 with that process from -- for the CSPOA Security 11 team. I was just aware that it had to be done 12 that way. 13 Q. What had the requirement that there be a single 14 route got to do with what are described as the 15 "legal rules of evidence"? 16 A. That was a -- those words would have -- or that 17 requirement would have been given to me, rather 18 than me understanding it and making it up. 19 Q. Was the concern about exhibit or physical 20 security of evidence being passed from one 21 person to another to ensure continuity, for 22 example? 23 A. I remember brief discussions about continuity of 24 evidence and evidential requirements and just 25 being told, "Look, this is the way it has to 170 1 happen". 2 Q. Or was it because the maker of the request from 3 within the security team would know what those 4 legal rules of evidence were? 5 A. I would expect them to, yes. 6 Q. But I'm trying to discover what the requirement 7 that this single route had as its raison d'etre; 8 would it be because you needed to secure 9 continuity or was it because the person making 10 the request is in the know on legal rules of 11 evidence and therefore any requests should come 12 from them? 13 A. It was the former in that we were -- I was 14 trying to ensure that the correct evidential 15 rules were followed by the team who actually 16 knew what those rules were. 17 Q. Was there any document that you were aware of in 18 your time in the SSC that set out the legal 19 rules for evidence to guide the SSC in the 20 provision of evidence? 21 A. No. 22 Q. The document continues: 23 "They [that's Security] have confirmed that 24 no member of SSC will be required to raise and 25 sign any statement as to their activity in such 171 1 matters, and nor will any pressure be brought to 2 bear on SSC staff to do so." 3 In the past, had the security team required 4 SSC staff to provide a witness statement? 5 A. That was -- this was a reflection on the 6 situation for Anne Chambers, where she was 7 required to provide a witness statement, and 8 that resulted in a court appearance which she 9 found stressful, and this was a way of trying to 10 alleviate the fears of other SSC staff that they 11 would be put into the same position. 12 Q. But five years had elapsed -- 13 A. Mm. 14 Q. -- between the Castleton case and this work 15 instruction. What prompted, after that 16 five-year period passing, you to return to this 17 issue? 18 A. There must have been a litigation query or 19 something which came in via the wrong route. 20 Q. I mean, presumably the security team had 21 required SSC staff to provide a witness 22 statement, otherwise the record of a guarantee 23 that they wouldn't would be unnecessary? 24 A. That may have been the case. All I can remember 25 is something definitely happened to trigger me 172 1 actually writing it, to attempt to (a) define 2 the route clearly and (b) put SSC staff's mind 3 at rest that they wouldn't find themselves in 4 a courtroom for just helping the security team 5 with a few bits of advice and guidance. 6 Q. I'm trying to discover what the trigger was, 7 given the only one we've identified happened 8 five years before this document was written. 9 A. Sorry, I don't know. 10 Q. In the past, had the security team brought 11 pressure to bear on SSC staff to provide 12 a witness statement? 13 A. Not during my tenure. I don't remember that 14 going on. I do remember the situation with Anne 15 Chambers and Mik but that's the only one 16 I clearly remember. 17 Q. Thank you. Can we move to the second document, 18 please. POL00099397. This is an email exchange 19 involving you in 2013. Can we pick it up at the 20 bottom of page 3, please. 21 If we look at the bottom of this page, 22 please, we can see an email from Andrew Winn to 23 you of 16 July 2013 at 16.01: 24 "Hi Steve 25 "Would you be able to assist with this one? 173 1 I've been trying for months to get the referral 2 info from the raw logs as per Gareth's advice 3 without success. 4 "Ironically I have had a subsequent 5 challenge from [some details are given]. Is 6 this something that can be relatively easily 7 pulled within the 6 month window when detailed 8 data moves into archive? 9 "Appreciate any help." 10 Then you reply at the bottom of page 2, 11 please: 12 "Andy, 13 "Initial information on Gilmerton ... shows 14 that the transaction was a referral. Still 15 working." 16 Then you put a note. 17 "NOTE: not trying to teach you to suck eggs 18 but thought I'd remind you that none of the 19 information we dig out for you like this can be 20 used in litigation. Anything required for 21 evidential purposes MUST come from the 22 litigation support team." 23 So does that reflect the work instruction 24 that you had raised a couple of years earlier? 25 A. It does, yes. 174 1 Q. Why were you including that warning to Mr Winn? 2 A. Reminder only. I mean, I wasn't sure how Andy 3 intended to use the information he was asking me 4 for. 5 Q. Then if we scroll up, please. 6 "I think that is all I need. It is all 7 I would pull if it was within 3 months. 8 "Good point about litigation. I am aware 9 that any evidence we put in front of a court 10 must come through the right channel. I am 11 dealing well before this point but have to be 12 aware that any case may end up in court. I will 13 typically say something like 'I've asked Fujitsu 14 to investigate and they have confirmed that 15 a referral was made to your Horizon System ...' 16 So something like that might get waved around in 17 court but the transactional data presented would 18 need to come through approved channels." 19 Then if we look at your reply at the foot of 20 page 1. It's at the foot of the page now, "The 21 litigation bit", thank you: 22 "The litigation bit is all to do with chain 23 of evidence for prosecutions and delivery in 24 court. I'm sensitive about it because in the 25 distant past one of my [colleagues] was 175 1 'persuaded' (by our side, not yours) to write 2 an evidence statement without fully 3 understanding the implications. As you know, 4 our 'professional witness' for these types of 5 cases is Gareth Jenkins but in this case, 6 because process was not followed, Gareth 7 couldn't do it and preparation for court became 8 very difficult." 9 Is that paragraph a reference to Anne 10 Chambers and the Lee Castleton case? 11 A. It is, yes. 12 Q. You say: 13 "In the distant past one of my team was 14 'persuaded' (by our side, not yours) ..." 15 You're here corresponding with Andy Winn of 16 the Post Office? 17 A. Correct. 18 Q. So "our side" means Fujitsu, "your side" means 19 Post Office? 20 A. It does, yes. 21 Q. Who in your side had persuaded Anne Chambers to 22 give evidence? 23 A. I don't remember the name. It was the -- 24 somebody in the security team but, again, you'd 25 have to ask Mik Peach. I mean, he was privy to 176 1 that. I wasn't. 2 Q. You say that: 3 "[She was persuaded] to write an evidence 4 statement without fully understanding the 5 implications." 6 What were the implications that she didn't 7 fully understand, to your knowledge? 8 A. That was the implication of having to actually 9 stand up in court and face some questioning. 10 Q. So your understanding was she didn't know that 11 if you provided a witness statement, you might 12 have to come along in court and speak to it? 13 A. I don't think that was made clear. That was my 14 understanding but my knowledge of this is coming 15 secondhand from Mik in majority, apart from the 16 odd time that I talked to Anne about it at the 17 time. 18 Q. You continue: 19 "As you know our 'professional witness' for 20 these types of cases is Gareth Jenkins but in 21 this case, because process was not followed, 22 Gareth couldn't do it and preparation for court 23 became very difficult." 24 What was the process that ought to have been 25 followed but which was not followed? 177 1 A. I don't remember and I find that sentence 2 strange because my recollection is that Gareth 3 Jenkins started fulfilling that role after Anne 4 Chambers found herself having to give a witness 5 statement. So I can't think now why I made that 6 statement. 7 Q. That's what I'm exploring with you. Why was it 8 that in the Lee Castleton case Mr Jenkins 9 couldn't do it because process wasn't followed? 10 A. I don't remember, and that would have been, as 11 I say, Mik, I should think, doing that at that 12 time. 13 Q. In what way did preparation for court become 14 very difficult? 15 A. I don't remember. 16 Q. Can you think back and try to assist us? 17 A. Yeah, I'd like to but most of my knowledge about 18 what happened in that situation came either from 19 Mik or Anne, in conversations I had with them. 20 I didn't actually -- I wasn't actually there, 21 taking part. So sorry, I just don't remember. 22 MR BEER: Thank you very much, Mr Parker. 23 Sir, those are all the questions that I ask. 24 SIR WYN WILLIAMS: Right. 25 Well, thank you, Mr Parker, for coming to 178 1 give evidence and thank you for making a witness 2 statement. It's possible, as you've heard, that 3 you'll be asked to return, probably in some 4 months' time, if you are asked to return and, if 5 you are asked to return, a request for 6 information, a Rule 9 Request, will be sent to 7 you so that you know what it is that you have to 8 address your mind to. All right? 9 THE WITNESS: Understood, yes. 10 SIR WYN WILLIAMS: So thank you again. 11 MR BEER: 10.00 am tomorrow for Mr Ismay. 12 SIR WYN WILLIAMS: Fine. 10.00 tomorrow. 13 (4.14 pm) 14 (The hearing adjourned until 15 10.00 am the following day) 16 17 18 19 20 21 22 23 24 25 179 1 I N D E X 2 STEPHEN PARKER (affirmed) ............................1 3 4 Questioned by MR BEER .........................1 5 6 Questioned by MR JACOBS .....................159 7 8 Questioned by MS PAGE .......................162 9 10 Further questioned by MR BEER ...............166 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 180