Morrisons Lose Data theft appeal

A recent ruling has made Morrisons vicariously liable for the rogue behaviour of an employee who stole over 100,000 employee payroll records.

Andrew Skelton was a senior auditor for Morrisons at the time of the data breach.  He had recently been officially warned about using corporate mailroom facilities for sending personal ebay packages. Mr Skelton was sentenced to eight years imprisonment in July of this year for the data breach.

A couple of interesting points stand out from this landmark judgement, which went all the way to the UK Court of Appeal, where the original ruling was upheld against Morrisons:

Firstly, the intent of the records theft was irrelevant – it didn’t matter whether the motive was personal gain for the data thief, or reputational damage caused to Morrisons.

Secondly, the Information Commissioners Office had originally found that no action was required under the Data Protection Act 1998 – the relevant legislation in force at the time of the offence: it took a class action under UK Common Law, brought by 5,000 of the impacted employees, to establish that Morrisons shared culpability with Mr Skelton.

Despite the fact that there was no commentary in the DPA for the specific circumstances of this case, the stricter definition of liability in the UK Common Law of Tort applied.  This suggests that there is still plenty of room for interpretation of data protection legislation – current and historical.

Remediation of the breach (including costs for the appeal) has cost Wm. Morrison £2,000,000 so far.  Damage to Morrisons reputation will be harder to quantify.

This case should concern organisations who’ve based their data governance purely around the specific requirements of recent data protection legislation.  This will raise serious concerns about data protection policies and controls for both employers and employees action as data controllers and processors.  It would not be unreasonable to foresee further rulings of this type, whether under previous DPA legislation or the current General Data Protection Regulation. Now, more than ever, it will be necessary for employers and employees to follow the spirit of the law, not just the letter…


With thanks to the Yorkshire Post and Herbert Smith Freehills for their research.



User-centricity; the new focus for IT service provision

We’ve spent the last couple of months exploring some of issues of concern to IT functions in the legal sector. Here are some of them:

Legal firms are very acquisitive, and usually expand through mergers or wholesale onboarding of another firms’ sector practice. This means that large cohorts of devices, networks, associated data and systems often need to be incorporated, merged, or at least coherently managed.

The lack of availability of a service or source of information can vary from the trivial/inconvenient, through to reputationally harmful and up to being critically damaging to the legal firm.

The move towards the cloud-like service provision is especially complex for legal IT service leaders: clients often mandate the collaborative systems to use, and have their own policies for data location, collaboration and access.

IT (especially the helpdesk) are often seen as a necessary evil, and not particularly helpful in resolving an IT issue. This is a painful fact to IT support managers, who may be incentivised through a bonus scheme based on their user feedback ratings (‘Net Promoter Scores’)… Of course, there is a counterargument: if the IT ticket raised by the managing partner simply says “Internet seems to be slow” then the user should not expect a particularly quick fix, notwithstanding their seniority or the importance of access to the required resource.

Legal firms are by nature risk-averse and are not often the adopters of leading-edge innovation. This seems to be generally true for associated IT functions in the legal firms, even when the technology, practice or service has been proven in other sectors.

In the last two months, we interviewed twenty three senior men and women responsible for IT service provision to some of the largest and most well-regarded legal practices. Our approach was based on their providing simple feedback to the products and services we socialised on the following page: Innovation for Legal IT

In virtually all cases, we received positive interest and follow up requests for nexthink – user-centric IT analytics: many scenarios were shared with us in which nexthink would be useful, ranging from the readiness of the IT infrastructure to cope with a Windows 10 upgrade, the reduction in use of expensive second and third line resources, reduced helpdesk tickets and reduction in resolution times, and reducing the chance of compliancy breaches.

Most often spoken about was the transformation of IT support from reactive to proactive in nature, and the potential for improved Net Promoter Scores and a correspondingly healthy bank balance.

Take a look at this nine minute video from Nexthink and tell us what you think!

nexthink “my internet is slow”

Your life in the ether…. Record Management Online

Memory is the treasury and guardian of all things.

Marcus Tullius Cicero

You may find some of the ideas suggested eight years ago interesting, and maybe still valid with the advent of GDPR. This was an idea for storing and managing all information – personal or corporate – in the cloud, using the very powerful HP RM (record manager) engine as a basis.

The original is here  – apologies for the loss of images, which used to be in there.

Your life in the ether…. Record Management Online

HP Records – Record Management in the Cloud
Record Management for the home, for small business, and the enterprise
idea qualification
Reach: How many people would this idea affect? – all those who, in their professional and personal lives, have a need for long term organisation, management, and eventual disposal of their critical personal or corporate information In other words, simply put – records.
Depth: How deeply are people impacted? How urgent is the need? – nearly everyone has struggled to find a piece of vital information they know they have, but can’t find. This can be from the mundane (a password, utility bill, or old address) to the life threatening or life-changing ( a medical file, or a lost case file relating to a crime).
Attainability: Can this idea be implemented within a year or two? Yes – easily
Efficiency: How simple and cost-effective is your idea? It’s a fusion of record management practices, a cloud based infrastructure, existing and development expertise.
Longevity: How long will the idea’s impact last? Potentially, decades.
As a child of the sixties, I grew up at the crossroads between paper records and newly-arriving electronic content. Today, with the advent of web-based billing, electronic payslips, online tax and accounting, and the growing number of instant communication streams, there has never been a more critical time to manage important records – both in a domestic and a corporate environment.
In the business world, a typical knowledge worker receives streams of information which are then stored in multiple ad-hoc ways, including:
  • Local drives
  • File shares
  • Line of business databases
  • Email systems – central or local (in PST archive files)
  • Web pages – internal and external to the business
  • Physical documents (the classic file)
  • Samples in physical form, or objects that cannot be digitized
  • Increasingly, cloud-based document hostinging environments (Google Docs as an example)
  • Collaborative environments – current – such as Instant Messenger, Wikis, Blogs, Twitter, – and forthcoming – such as Google Wave.
Unfortunately, the ability to manage these records seems to have been lost over the past 15 or so years..
Usually this content is stored indefinitely, at great expense in terms of physical storage, management, time and risk. The risk accrues since the information under ownership by an organisation is not managed, categorised, or disposed of – it’s simply backed up slavishly in ever-decreasing available time slots. The data is therefore not understood and becomes a risk for large organisations unaware of what information they may or may not have, who are then prey to legal forensic experts familiar with e-discovery and the practice of billing multiple thousands of dollars per gigabyte they examine. Users often create content and store it in proprietary ways, unknown or inaccessible to other potential collaborators. Email can actually prevent collaboration by becoming a limited silo of unmanaged content, as can newer technologies like Microsoft SharePoint.
This growing stream of information is paralleled in a domestic environment, with service providers tempting us (with discounts) to adopt electronic billing and online ways of getting assistance.
The advent of electronic document and content management systems were a first pass at managing at least some of these corporate information management systems, allowing document collaboration and versioning to be managed, and a degree of compliance with external drivers and internal governance to be achieved. However, this falls short of meeting todays record keeping requirements.
In parallel, Electronic Record Management developed, emphasizing the inter-relationship of all the information management streams to allow knowledge workers to have an understanding of a business decision and how that decision was arrived at. This was achieved through complex configuration, and integration with all the information streams (bulleted above) to allow easy transferral of key documents into a contextual classification based on record management best practice and tailored for the business. This in effect became the classic “filing system”, transferred to the digital age. These RM systems are able to manage both electronic and physical forms of information, as well as their transformation from one to the other. RM systems can ingest any form of electronic document, and typically support the view or transformation of that file type to allow for format obsolescence of the originating application (WordStar, WordPerfect, Visicalc). This last point is increasingly critical:

In a survey, conducted in early 2006 by the Digital Preservation Coalition,

  • 36% of respondents said that their organisation had inaccesible data;
  • 28% said some of the main type of data had been lost
  • 48% said some of the data was in danger of becoming in accessible
  • 38% said file formats had been used that were now obsolete.
Record Management (as opposed to content or document management) placed great emphasis on the reliability, usability, integrity, and authenticity of the data captured within its framework. This framework gave these records long term trustworthiness, and allowed them to be the basis of a “corporate memory”, adding efficiency to the list of benefits achieved by organisations that adopted record management. The price to pay was predominantly change management – persuading the user community to actually adopt the systems and accept a degree of initial overhead in adding the information into the record structure. Retraining was involved (mostly in record-keeping best practice, as opposed to the use of the record management system), and record-keeping corporate policies had to be created usually on a per-organisation basis. There is also an additional overhead in IT equipment required to establish and support the record management framework.
My proposal is to make available a cloud-based record management repository encompassing all of the benefits of using record management systems, with far fewer of the overheads: in this way, a workable Home or Corporate Memory would not have to be reinvented many thousands of times in corporate environments, or many millions of times in domestic scenarios.

Idea – cloud based domestic and corporate memory
What I envisage is a development of the Google Docs engine, with the addition of record management functionality. In my proposed scenario, more emphasis is placed on the inter-relationship of documents with each other (the context, if you will); the fundamental differences between document and record management are well-defined and laid out in an ISO Standard – ISO 15489. There are several key elements that make a record management system more valuable than simple document management, but the key one is the fact that a record is usually a collection of documents, made up of many interlinked documents or objects that together form the record. In this way, an understanding of the whole process that went into a decision can be understood. A good analogy is to consider a traditional medical record ; In it, a clear chronological picture is given as to history, events and decisions – because all the information that went to form that decision are reliably present, authentic, usable and possess integrity.

Core features

Long –term Access
Another key aspect of record management is the durability of a record: in 20 years time, although the original document is still stored, the original application used to create the content may no longer be available to support opening the document and viewing/editing its content. Traditionally, record management has a three-fold approach to solving this: the use of so-called “universal viewers” and the ability to create a viewable “rendition” of the original document without altering the original, which is still the record. Separately, the IT infrastructure has to be periodically refreshed, to ensure hardware, media formats and operating system longevity. As a trusted provider of centrally hosted and managed applications, HP would be well placed to manage the search for and rendering of outdated document/content types into formats with long-term viewability and integrity (such as PDF/A or equivalent).
This is the file structure – predefined as a template appropriate to the environment in which it will be used: – HP records for home, HP records for legal, HP records for local government, HP records for health and so on. These are based on known templates that exist for many or most corporate environments. The home environment classification would need definition, as no standard exists here.
This structure provides the “memory”, creating a logical and maintainable structure to which household records are attached. The templates (home, legal, health, local govt) provide a sound basis for classification, but this could be tailored by the record owner as required.
By using a filing structure, very detailed security can be applied in terms of file visibility, access and permissions to carry out tasks. Rules for disposal can also be applied at this level. Disposal of content, as content volumes continue to grow, will be just as important as keeping the content.
HP records for the home – aimed at domestic users, HP would provide a standard classification structure template based on the usual functions within a household. Within this standard classification, records can be added.

View of the classification structure – the customizable framework provided to the consumer as a structure for their records. Detail shows a standard 3-tier classification loosely based on “Function – Activity – Task”; the yellow folder icon (“HR53 JWT) is the record object with contained documents within it
Granular security
Very detailed security model defining who can see and do what, where. Areas of the classification (such as utility bills, genealogy) can be shared with specified users or groups.
Tied to this is a full audit trail of who has viewed, downloaded, amended, and deleted records within the system.
A configurable degree of access to a subset of the classification and its contents could be granted to trusted third parties (such as your utility provider, or employer, or accountant, family member and so on), to enable enhanced service levels and communication. For example, bills could be automatically posted to a unique URL representing the classification, and record type. The user could be notified of the bills arrival by email, with a link to the document.
The standard template used by different categories of user could allow for a degree of global standardization of intercommunication.
Scanning – ad-hoc and as a service
Your organisation could make available cheap but powerful scanning devices allowing for local paper records to be converted to electronic format and uploaded. These would incorporate an Automatic Document Feeder, and support for colour TIFF or PDF scanning of at least legal, letter and A4 paper sizes. Third party bureaux could also scan these files, and optionally post then to the customers record set (either in a queue, or direct to the appropriate area of the classification).

Support for physical records and those that don’t support scanning or conversion to electronic format
Record management can support tracking and management of objects in physical space. These spaces could be user defined such as: “my house – loft – box1”, or a location such as “H Pringle – Solicitors”. This functionality is extended to the concept of physical documents having owners, home locations and assignees. In this way the movement of documents can be tracked and managed.

The ability to store any electronic format
Web 2.0 content should be capable of being stored at the time it was referenced, to support how a decision was made.
One of the most exciting elements of this idea is the breadth of its applicability: Classifications can be designed for domestic, SME, and large enterprises; zero capital cost in infrastructure set up for the customer, long-term access to records from a trusted provider like HP. Technology and file format refresh would no longer be an issue, with centrally managed services.

Microsoft have just awoken to the importance of record management (as opposed to document management), and have gradually enhanced the functionality of the SharePoint platform from versions 2003 through to 2007, to the extent that now with 2010, they appear to have realistic Record Management functionality – albeit grudgingly. They will be heavily promoting this platform as a cloud-based service on a subscription basis in the coming years.
Many small ad-hoc scanning bureau provide a central scanning service with hosting of the scanned files. These provide a useful, but limited service.
Documentum/OpenText/IBM – the enterprise level providers typically aim their offerings at the larger enterprises, but do not yet have a coherent offering for cloud-based record management.
There are probably as many questions as there are answers in this document which I have considered, but left unanswered at this stage. The proliferation of information, and the need to sort that information into the items of value, mean that now is the perfect time to provide long term record management for all. It requires a combination of (mostly) existing technologies, record management best practices, and intelligent marketing to succeed. It is a perfect complement to the new ways of communication, offering context, longevity, security, and finally disposition and destruction of content when no longer needed.
I believe my experiences over the last 20 years in the corporate document and record management, and my good technical and commercial grounding, would help an organisation like HP continue to win hearts and minds by resolving one of the main concerns we have to resolve domestically and professionally.
About myself
For approaching 20 years I have worked in the field of Electronic Document and Record Management – as a project manager, marketer, in sales and presales, and as a trainer – helping large organisations derive the maximum benefit from their information assets.

“Zap My Data” …A $5000 dollar browser app that could break the internet?

A $5000 dollar browser app that could break the internet?

What if, as part of the GDPR process currently generating so many dramatic headlines, someone developed a browser app that could automatically send a request for the return of all your personally identifiable information held by a site owner at the press of an orange button?

Mock up showing request, delete buttons.. other websites are available!

Behind the red button would be a request to be forgotten by the data owner and all associated information processors. I’ll bet not many of these data aggregators would be geared up to handle that… Google are though

Embellishments could include a dashboard showing non-respondents in order of delinquency, with the option to alert the appropriate Data Protection Authority.  Robotic Process Automation (RPA) could be used to harvest the database of email contacts for each site, as well as storing the text content for the equiry/delete orders.

Of course someone may have already developed this – if so, let me know!

Thoughts? Comments?