This is the unperfected transcript of the seventh day of the Horizon trial, held on 20 March 2019 in court 26 of the High Court Rolls Building.
The first witness is David Johnson for the Post Office, followed by Andy Dunks for Fujitsu and then Torstein Godeseth for Fujitsu.
The first witness is David Johnson for the Post Office, followed by Andy Dunks for Fujitsu and then Torstein Godeseth for Fujitsu.
Wednesday, 20 March 2019
(10.32 am)
Housekeeping
MR DE GARR ROBINSON: My Lord, good morning. Before I call
my next witness there is one small matter I should raise
with your Lordship. Your Lordship may recall that
I raised the question of disclosure from the claimants
in relation to the documents that were referred to by
the claimant witnesses who gave evidence last week.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: Your Lordship will recall that
a letter was sent on Friday which sought a response from
Freeths by close of business on Monday.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: I raised it with you on Tuesday. It
is now Wednesday morning. I simply wish to make
your Lordship aware that this is an issue and that the
point is fast approaching where I may have to ask
your Lordship to do something.
MR JUSTICE FRASER: Okay. Have I got a copy of that letter?
MR DE GARR ROBINSON: My Lord, I don't believe you have,
I will make sure --
MR JUSTICE FRASER: It is not on Magnum, is it?
MR DE GARR ROBINSON: That will need to be checked, my Lord.
MR JUSTICE FRASER: All right. I think the best thing is
have the letter put on Magnum, I'm just going to explore
the situation with Mr Green now and if we have to come
back to it, then obviously we will fit it in with the
trial timetable and if people have to be recalled, they
have to be recalled, but obviously I would like to avoid
that if possible.
MR DE GARR ROBINSON: Of course.
MR JUSTICE FRASER: Mr Green.
MR GREEN: My Lord, I'm afraid we have been working on
cross-examination and I just don't know what the
position is on it, but I'm sure it is being attended to.
I will find out and update your Lordship later in the
day. Obviously, any documents that they have referred
to need to be disclosed and that's obviously -- we must
do it, so I'm --
MR JUSTICE FRASER: We are in -- I suppose in a sense on the
basis that these might be -- or these would be documents
which Mr De Garr Robinson might want to put a point to
a factual witness, then the factual witness would have
to be recalled anyway, but just in terms of proper and
efficient trial management --
MR GREEN: Absolutely right.
MR JUSTICE FRASER: -- we've got a little bit of scope next
week, but I want all the factual evidence dealt with
before the experts are called.
MR GREEN: My Lord, yes.
MR JUSTICE FRASER: And one of the days next week has
already been set aside for a contested third party
disclosure application against Royal Mail which I think
has been moved by consent from tomorrow to next Tuesday.
MR GREEN: My Lord, yes.
MR JUSTICE FRASER: And I don't want to let sand run through
all our fingers unnecessarily. So we will revisit --
today is Wednesday, we will revisit this at the end of
today, please.
MR GREEN: I'm grateful, my Lord.
MR DE GARR ROBINSON: My Lord, I call David Johnson.
MR JUSTICE FRASER: Yes.
MR DAVID MALCOLM JOHNSON (affirmed)
MR JUSTICE FRASER: Thank you, Mr Johnson. Do have a seat.
Examination-in-chief by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Johnson, there should be a file of
documents in front of you. Can I ask you please to go
to tab 4 of that file {E2/4}. You will see there
I think a sheet of two corrections and then behind that
sheet there should be a witness statement which
describes itself as being of David Malcolm Johnson; do
you see that?
A. Yes.
Q. And is that your name and address there on the first
page?
A. Yes, it is.
Q. And could you go to the last page in that same tab
please {E2/4/20}.
A. Yes.
Q. Is that your signature on that page?
A. Yes, it is.
Q. And if you could look briefly at the corrections -- have
you seen those corrections before?
A. Have I seen them before?
Q. Yes.
A. Yes.
Q. Are they corrections you wish to make to this witness
statement?
A. Yes.
Q. And then if we go forward in the bundle could I ask you
to go to tab 6 please {E2/6}.
A. Okay.
Q. That's your name and address, I think I can take it from
you, on page 1 of that?
A. Yes.
Q. And on the back page, page 5 {E2/6/5}, is that your
signature?
A. Yes, it is.
Q. So these are two witness statements that you have made.
Subject to the two corrections that we have just
referred to, are those witness statements true to the
best of your knowledge, recollection and belief?
A. Yes, they are.
MR DE GARR ROBINSON: Thank you, Mr Johnson. If you wait
there there will be some questions for you.
Cross-examination by MR GREEN
MR GREEN: Mr Johnson, I think you may have been involved in
training some of the legal representatives.
A. I gave some demonstrations on how the Horizon system is
used in branch to various parties involved in this, yes.
Q. And I think one of the points you covered was how to
reverse a -- how to sell stock into the system, to
correct too much stock and how to enter a transaction --
A. Yes.
Q. -- that would then balance stock and cash?
A. Yes.
Q. Do you remember that?
A. Yes.
Q. And you are very familiar with how the system works?
A. Yes.
Q. You are a trainer?
A. (Nods).
Q. In your witness statement you say at paragraph 10, which
is on {E2/4/2}, which is page 2 of your first witness
statement, it will come up on the screen as well, you
say that:
"The screenshots that appear in this statement are
primarily taken from a document called Post Office
Onboarding Counter Guide ... where a screenshot has been
taken from another document I refer to that document."
Is that correct?
A. Yes.
Q. So what you have done is you have taken the screenshots
that we see in your witness statement from that guide
and if they're not from that guide, you have pointed
that out?
A. Yes.
Q. So when we look, for example, at the screenshot on
page 3 {E2/4/3}, that's come from the guide?
A. Yes.
Q. We can see a date in the top, Tuesday 2 December 2014?
A. Yes.
Q. And if we look over the page on page 5 please {E2/4/5},
similarly we see layouts there. There's a date
of October 2017 at the top.
A. Yes.
Q. And August 2017.
A. Yes.
Q. Can we just look over the page now at page 6, please
{E2/4/6}. Now, you haven't said there that those have
come from any other source, but they are not actually in
the guide, are they?
A. I don't know.
Q. Can you see they look a little bit different?
A. Yes.
Q. And if you have a look at the two examples we've got
there, in the travel line in the top one can you see
"Business Mails" is in italics?
A. Yes.
Q. And "Drop Mails Suite" is in italics?
MR JUSTICE FRASER: Sorry, which one are you looking at?
MR GREEN: I'm sorry, in the top box --
MR JUSTICE FRASER: On page 6.
MR GREEN: -- on page 6 on the travel line at F4, you go
across.
MR JUSTICE FRASER: I see, yes.
MR GREEN: "Business Mails 45" is in italics and the one
beneath it is in italics and "Returns" is in italics.
A. Yes.
Q. And if we go down to "Licences & Government", "Sell
Euros" and "Sell Dollars" are in italics, yes?
A. Yes.
Q. And we can also see "AP Manual Entry" and "Transcash" in
the "Retail F7" line are also in italics?
A. Yes.
Q. In the one below, none of those ones are in italics.
There's no system reason for that, is there?
A. Not that I know of.
Q. So do you know where these ones have come from?
A. No.
Q. Did you actually cut and paste these into the statement
yourself?
A. No, I did not.
MR JUSTICE FRASER: Who did?
A. The statement was provided to me by our solicitors based
on conversations and --
MR JUSTICE FRASER: You don't need to tell me about that.
I just wondered who had cut and paste these into the
statement.
A. I don't know who did that.
MR JUSTICE FRASER: You don't know. Right.
MR GREEN: Can we go back please to page 5 {E2/4/5}. Just
a couple of practical points. Could we very kindly
enlarge the bottom table please. Thank you very much.
So, Mr Johnson, just to understand how it works
practically, which is your area --
A. Mm-hm.
Q. -- this is a typical screen that an SPM might see --
A. Yes.
Q. -- when they're in the branch and they're serving
customers?
A. Yes.
Q. Now, a couple of quick points. When they press
"1st Stamp" in the F2 line, which is "Postal Services",
yes, what happens is that it registers that a first
class stamp is going to be purchased.
A. Yes.
Q. That's right. And the SPM doesn't need manually to
enter in the price of a first class stamp, do they?
A. No, they don't.
Q. And the reason for that is that there is a reference
data table from which that's populated?
A. As far as the technical aspects of it, I'm not familiar
with what goes on behind the scenes, what I know is when
you press that button --
Q. When you press it --
A. -- that's what comes up.
Q. -- the price of a first class stamp pops up?
A. Yes.
Q. So there are two aspects to what's happening: there's
a button press, which is the actual physical input by
the subpostmaster or subpostmistress?
A. Yes.
Q. And then there's what the -- the value of that
transaction, which is coming from the system --
A. Yes.
Q. -- back onto the screen?
A. Yes.
Q. So there are two elements of that interfacing together,
yes?
A. Mm-hm.
MR JUSTICE FRASER: Exotic though your hand gestures are,
they're not going to come out on the transcript.
MR GREEN: My Lord.
Mr Johnson, those are acting together to produce
what's going into the basket: two components --
A. As I understand it, yes.
Q. -- a button press -- it's practically what you would
see?
A. Yes.
Q. So the SPM presses a button and the item that they have
pressed and its value should appear in the basket?
A. Yes.
Q. If it is all working well?
A. Yes.
Q. Now, just looking at the layout of that table, there is
quite a lot of white space there, isn't there?
A. Yes.
Q. And the actual buttons are very cosy, they're all stuck
right together, aren't they, with no white space between
them: "1st Stamp", "1st Large Stamp", "1st x 12 Stamps",
they're all absolutely tight together, there's no white
space separating them?
A. Yes, the items in the middle of the screen correspond to
the -- in most -- in the vast majority of cases to the
most commonly used products.
Q. And the point I was just seeking to make to you is there
are a number of ways that screen could be laid out, and
on that screen we can see there would be plenty of room
to separate the buttons from each other more, wouldn't
there?
A. It would appear that way.
Q. Yes. And you are aware that sometimes SPMs have
problems with miskeying, don't they?
A. Yes.
Q. Can we look please at {F/932} on page 7 please
{F/932/7}. We can see here if we look at the -- sorry,
shall we start at the first page just to be fair to you,
so you can see what the document is.
A. Okay.
Q. This is a miskeying project feasibility study and you
can see that it is a document from May 2012, yes?
A. Yes.
Q. And if we go back please to page 7 of the document
{F/932/7}, there are a number of recommendations. I'm
just going to follow through one particular one. If we
look at the penultimate bullet point there.
A. Yes.
Q. "Look at the Buy and Sell icons on the travel home
screen are too close together and it becomes difficult
to isolate the correct icon. It would be useful to
clearly show which icon to press showing the Buy and
Sell icons more clearly."
Yes?
A. I can see that, yes.
Q. One of the features of the buy and sell icons, which
you, I think will know about, is that they are at the
end of the transaction, so if you press the wrong one,
the transaction has already gone?
A. No, that's not right.
Q. Let's have a look, if we may please, at page 14 of the
document {F/932/14}. Is what's said in the top line of
that correct? Let's just look at it together, if we
can:
"The Buy and Sell icons on the travel screen are too
close together."
And the second box says:
"Having these two icons next to each other many of
the Counter Colleague hit the wrong icon, which means
there is no way of reversing the transaction when
a mistake has been issued."
What is suggested is:
"Separate these two icons to a more logical location
on the screen."
And so forth. Can you see what's being meant by
that second box there?
A. I don't agree with the second part of that where it says
there is no way of reversing the transaction when
a mistake has been issued. The pressing of either the
buy or the sell icon is at the very start of the
transaction, so there are various opportunities before
the transaction is completed to recognise that the wrong
button may have been pressed.
Q. But if it is not recognised and the transaction is then
completed, it's correct, is it, there's no way of
reversing the transaction at that point?
A. No, to my knowledge a bureau de change buy or sell
transaction can be reversed.
Q. As the system is today?
A. As I understand, yes.
MR JUSTICE FRASER: Has it always been capable of being
reversed?
A. I believe so. It's almost nine years since I last
worked on Legacy Horizon. To my knowledge, yes, it has
always been possible to reverse a bureau de change
transaction.
MR GREEN: Let's look, if we may, at another facet of this.
We haven't got a screen for it, but there is on some
screens a zero and a double zero button, aren't there?
A. On the keyboard, there is a zero and a double zero
button, yes.
Q. Yes, and they're next to each other?
A. Yes.
Q. And we can see that that's got the potential for
miskeying?
A. I wouldn't say it has any more potential than any other
layout particularly.
Q. Well, if you put in -- I mean, we have seen some of the
examples of miskeys already during the trial and there
are things where items which should be perhaps 3,400 are
34,000, so quite a lot of them have got an extra nought
on the end. Can you understand from your knowledge of
the layout why that might sometimes occur, might feature
quite prominently?
A. Yes, it could happen because the buttons are next to
each other one might press the double zero rather than
the single zero, yes, I can see how that --
Q. But it's easy -- you can imagine someone not spotting
a double zero as easily as they might spot perhaps a 9
instead of a 4, or a 9 instead of a 2. It's more
striking, a 9 instead of a 2, isn't it?
A. A completely different number would be more striking,
however, if I were serving a customer and they were
paying a bill for, let's say, £350, I would check the
terminal after I had keyed the entry to make sure that
is the amount that's showing on the stack.
Q. Yes, but what we're talking about is the opportunity for
the system to minimise errors that are made in the
ordinary course by people who are just busily serving
customers, trying to be conscientious and deliver a good
service; that's all we're talking about.
A. Okay.
Q. And it's right, isn't it, that if you stop and
rigorously check and never make a mistake, which is
perhaps unusual for humans, that wouldn't happen, but
what this is focusing on is how to improve the system so
it is less easy for people to make understandable
mistakes. Yes?
A. Yes, I understand that.
Q. And that's a good idea in system design, isn't it?
A. I think so.
Q. Yes. And the screenshots that we've got have largely
maintained the same design since Horizon was brought in,
haven't they?
A. Since original Horizon or Horizon Online?
Q. Since original Horizon. They have broadly looked the
same since Horizon was brought in?
A. Legacy Horizon, the screen looked rather different
because there were kind of small pictures on the icons
rather than just -- there were visual representations of
it rather than just the written product, if you like.
Q. But the overall layout itself has stayed broadly the
same?
A. Yes.
Q. And so the icons were fitted into the little buttons
that we have seen here?
A. As far as I'm aware, yes.
Q. At paragraph 32 of your witness statement on page 8
{E2/4/8} you talk about the cash declarations having to
be made by 6.55 because polling takes place at 7.00 pm.
Is that something you know about in terms of what the
consequences are if, for whatever reason, the cash
declaration is made at 7.01?
A. Yes.
Q. What happens?
A. The reason we say to make a cash declaration by 6.55,
yes, as it states there, the cash declaration
information is sent to the cash management team, so they
are aware of what cash on hand is at the branch and to
my understanding -- I don't work in the cash management
team, but to my understanding, the cash management team
use that information to decide how much cash to send to
that branch on their next scheduled delivery, or if
they're holding extra then -- more than they need, how
much they need to return.
Q. Now, part of your witness statement has dealt with the
reports available to SPMs.
A. Yes.
Q. One of the things they can't do is export data to a CSV
file, can they?
A. I don't know what a CSV file is.
Q. Or an Excel spreadsheet?
A. No, they can't export that from Horizon, as far as
I know, no.
Q. And has any thought been given, as far as you know, to
allowing that to happen?
A. I don't know.
Q. The Post Office itself has Credence, doesn't it?
A. Yes.
Q. And that allows it to look at the transactions that have
happened in branch?
A. Yes, as far as I'm aware, yes.
Q. Do you know why the Post Office just doesn't use the
same reports as are available to the SPM? Why does it
need Credence?
A. I don't know.
Q. Because the Post Office could print-out the till rolls
and analyse it that way too, couldn't they?
A. As far as -- well, I don't know whether the Post Office
could print-out a transaction log as you would print-out
in branch. As far as I'm aware, that is only available
in branch.
Q. Oh, I see.
A. In that format.
Q. One of the things you have mentioned in your witness
statement -- it's actually in your second witness
statement, if we could kindly go to that, which is
{E2/6/1}. I will just show you the front page to
orientate yourself. This is your second witness
statement, yes?
A. Yes.
Q. And if we go to paragraph 21 on page 5 {E2/6/5}, you say
there:
"The transaction log is a list of all transactions
and transfers completed in the branch, in chronological
order.
"The transaction log can be used as a general
investigation of all transactions or it can be filtered
by time, value and product. The transaction log records
the transaction that has taken place and also shows how
it was settled, for example by cash, card or cheque. It
is therefore possible to see all the transactions where
customers have paid by debit or credit card."
Yes?
A. Yes.
Q. Now, let's say you're in a situation faced by one of the
lead claimants, Mr Bates, where he is worried that there
may be duplicate entries in his account, but he doesn't
know what they are; how does he use the Horizon
reporting system to find them? What does he do?
A. To my knowledge, the transaction log will produce what
I have said there.
Q. No, I understand. Mr Johnson, I'm not trying to be
unfair to you. Just practically, so we can look at
this, you suspect there may be some duplicate entries,
perhaps giving you a discrepancy that's unexplained.
Just practically, what do you do if you are Mr Bates in
your sub-post office in Craig-y-Don in Wales and you
want to try and find out what's going on?
A. Are we saying that these are transactions which don't
appear on the transaction log?
Q. Well, he doesn't know whether they will -- we will come
to that in a minute --
A. Okay.
Q. -- but let's just say -- what do you suggest that person
in that situation does?
A. I would advise a postmaster in that instance to first,
raise the issue with NBSC.
Q. Okay. But if they're told that it is their
responsibility to find discrepancies in the branch, what
can they do for themselves? Do they -- because we have
heard of SPMs printing out very long transaction
rolls --
A. Yes.
Q. -- we have actually got one, it's quite long. Is that
what they do if they're looking for possible duplicates,
they print out -- because they don't know what the value
is --
MR JUSTICE FRASER: You are rolling about two or three
questions into one again, Mr Green.
MR GREEN: Sorry.
MR JUSTICE FRASER: Why don't you just give me
a walk-through of the steps that you say hypothetically
someone in Mr Bates' position should take.
A. So if a postmaster wants to check what transactions have
gone through, they would go to the transaction log. If
they wanted to look at a particular -- as I have
suggested, it could be filtered in a number of ways: by
date, by product, by value, by stock unit, by user,
there are a number of ways it can be filtered, and
obviously the more you can filter it, the shorter the
report will be, and then it would be a question of, as
you say, printing the transaction log out and manually
checking each item.
MR GREEN: But if you're looking for duplicates, you would
have to try and remember the figures you have seen?
A. Yes, I mean if you're looking for a duplicate then
I'm -- I mean, I don't know, I'm -- I'm guessing here
that if there would be -- that there would already be
one transaction on the transaction log. I'm not quite
sure what you are getting at. Presumably we can see one
transaction on the transaction log and there's a thought
that that transaction may have been duplicated, is that
what we are ..?
Q. Well, you get an unexplained discrepancy of a figure you
don't recognise.
A. Right.
Q. Let's say £1,723.
A. Okay.
Q. And you don't understand how that can have happened.
You think "Well, maybe there's a duplicate entry of some
sort", just, you know, this is one example, or maybe
there's a number of duplicate entries. You can see it's
not very easy, is it?
A. It's not the most user-friendly way of investigating.
Q. That's all I was really asking.
MR JUSTICE FRASER: Can I just ask you a question. When you
say the filtering that it can be done, that can be done
in branch, can it?
A. Yes.
MR JUSTICE FRASER: Am I right that would only be of any --
that would only be of any assistance if you knew what
you were looking for already, wouldn't it?
A. Not necessarily. A postmaster may have come to the
conclusion that a discrepancy occurred on a particular
day by virtue of looking at his cash declaration for the
previous day and the current day, and the previous day
had no discrepancy, the current day does, so he may want
to filter then to that particular day when the
discrepancy occurred on his cash declaration.
MR JUSTICE FRASER: Mr Green.
MR GREEN: Could we look please at {F/1556} please. Now,
this it document is titled the "Network Development
Programme Operation Simplification", and if we go over
the page {F/1556/2}, you can see the sorts of things
that it is covering and can we go please to page 6,
which is the "Business Context" section {F/1556/6}, and
can I just invite you to look at this first paragraph:
"There are a number of branch operations processes,
especially around branch accounting and reconciliation,
which operate using legacy processes. They are
unnecessarily complex and detract Post Office branch
resources from serving customers. Stock Unit Management
and accountability is very poorly controlled and is
operated on very complex business rules. The lack of
accountability and visibility of cash and stock
transfers between Stock Units can lead to errors, rework
and provides opportunities for fraud."
Is that a statement that you disagree with, or agree
with?
A. I would agree with that.
Q. And then if we look just below:
"Similarly, Suspense Accounting is based upon legacy
cash accounting practices, ill-defined and out of date
processes. Inefficiencies lead to poor utilisation of
resources both in Post Office branches and Support
Services."
Is that something you would agree with or disagree
with? Is that fair?
A. My experience of the suspense accounts in branch is that
it works -- it does what it's supposed to do.
Q. Can you see why that might be a reasonable view, or is
it a completely unreasonable view?
A. I don't think it's completely unreasonable, no.
MR GREEN: Okay, I'm very grateful. My Lord, I have no
further questions for this witness.
MR JUSTICE FRASER: Can you just tell me what date this
document is, Mr Green?
MR GREEN: This is 21 October 2016.
MR JUSTICE FRASER: Mr De Garr Robinson?
Re-examination by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Johnson, you were asked some
questions about buttons being close together, but there
are some questions you weren't asked that I would like
to ask you now.
As I understand it, you have experience of working
in branch?
A. Yes.
Q. Do you have experience of working in a busy branch?
A. Yes.
Q. How much experience of that sort do you have?
A. I have -- before I started my current role in 2012 I had
worked in branches since 1984.
Q. So could you give the court some indication of how
much -- would you consider yourself very experienced,
not very experienced? I'm just trying to get a clear
answer from you.
A. I suppose you could say I am very experienced at working
in branches.
Q. Thank you. It was suggested to you that -- you were
shown one of the screenshots in your witness statement
and it was suggested to you that the buttons were close
together. What you weren't asked about is whether you
took the view that the buttons you saw, or the buttons
on the screen -- that their closeness together is
a cause of any difficulty in using the system. Would
you like to comment on that question?
A. The fact that buttons are close together can mean that
one does occasionally press the wrong one. However,
that is easily rectified.
Q. And when you say it is easily reconciled, why is it
easily reconciled?
A. Rectified.
Q. Rectified, I'm so sorry.
A. If one would notice that the wrong button had been
pressed -- for example, you may go to sell a first class
stamp and you know yourself that the cost of that stamp
is 67p. If you were to hit the first class large stamp,
which is next to it, in error, the amount on the stack
would be a different amount, so it would be easily
recognisable that you had then pressed the wrong button.
Q. And another question that you were asked is whether the
layout of the counter had been broadly consistent over
the period of operation of Horizon. Mr Johnson, you may
not be able to answer this question, but do you have
a view as to whether keeping the layout of the screen
consistent over time is a good thing or a bad thing?
A. That's -- my opinion on that is it is a good thing.
Q. Why do you say that?
A. Because one gets used to working on the system and the
buttons are where you would expect them to be.
MR DE GARR ROBINSON: My Lord, I have no further questions.
Thank you, Mr Johnson.
Questions by MR JUSTICE FRASER
MR JUSTICE FRASER: I just have a couple about your
experience. I know you have said in paragraphs 2 and 3
how you started as a counter clerk.
A. Yes.
MR JUSTICE FRASER: And that was in a Crown branch I think,
wasn't it?
A. Yes.
MR JUSTICE FRASER: And then you say you became the
assistant manager and worked in various branches as the
assistant manager. Were they all Crown branches?
A. Yes, they were.
MR JUSTICE FRASER: And your last role was the branch
manager at the Barry Crown office?
A. My last role prior to taking up my current role, yes.
MR JUSTICE FRASER: Which was in 2012?
A. Yes.
MR JUSTICE FRASER: I'm sure I can guess from the name, but
Barry Crown office is a Crown branch, isn't it?
A. Yes.
MR JUSTICE FRASER: All right, that's very helpful. Thank
you very much indeed for coming, and that's the end of
your evidence. I assume there are no follow-up
questions to that from either of you?
Further re-examination by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Perhaps one question.
Does it make a difference whether you are working --
in terms of operating the system, is there a material
difference between operating the system from
a subpostmaster branch, an agency branch, or from
a Crown office?
A. No.
MR DE GARR ROBINSON: Thank you.
MR JUSTICE FRASER: Thank you very much.
MR DE GARR ROBINSON: My Lord, I call Andy Dunks.
MR ANDREW PAUL DUNKS (sworn)
Examination-in-chief by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Dunks, there should be a bundle of
documents in front of you. Can I ask you to go to
divider 10 of that bundle please {E2/10}. You will see
a witness statement that describes itself as being by
you. Is that your name and address on the first page?
A. That's the name of my -- where I work.
Q. Where you work, I see.
A. Yes.
Q. Thank you. And if you go to page 3 {E2/10/3}, is that
your signature?
A. Yes, it is.
Q. And do you confirm that this statement is true to the
best of your knowledge, recollection and belief?
A. Yes.
MR DE GARR ROBINSON: Thank you. If you could wait there
for a moment.
MR JUSTICE FRASER: Mr Miletic.
Cross-examination by MR MILETIC
MR MILETIC: Good morning, Mr Dunks.
A. Good morning.
Q. I would like to start with paragraph 3 of your witness
statement which is {E2/10/1}. There are you say:
"I have been employed by Fujitsu Services Limited,
on the ~... (Post Office Account), since 11 March 2002
as an ~... (IT) Security Analyst responsible for audit
data extractions and IT Security."
That's quite a long time, isn't it?
A. Yes.
Q. 17 years of experience you have in this particular area
of data extractions?
A. Yes.
Q. And over the course of that 17-year period, how many
extractions do you think you have carried out?
A. I couldn't tell you. Hundreds.
Q. Hundreds?
A. Yes.
Q. You have probably seen every issue that possibly could
arise with extraction of data, haven't you?
A. I would say so, yes.
Q. And how many others have a similar position to yours at
Fujitsu at any given time and carry out data
extractions?
A. Generally, there is a team of three or four people.
Q. And do they carry out a similar number of extractions
each year as you would?
A. Yes.
Q. Would that number vary from year to year, or would it be
fairly consistent?
A. No, it varies. It varies week by week.
Q. And you have experience of carrying out audit data
extractions both on Legacy Horizon and Horizon Online?
A. Yes.
Q. If we could please go to {E2/1/10}. This is
Mr Godeseth's witness statement, his first witness
statement, and he is a colleague of yours at Fujitsu,
correct?
A. Yes.
Q. Now, at paragraph 31 there he says that he has been
informed by a colleague that the number of ARQs issued
since 2014/15 are as follows, and then he sets some out
there at 31.1 to 31.4, do you see?
A. Yes.
Q. That suggests huge fluctuations over the years, doesn't
it?
A. Yes.
Q. 729 extractions in 2014/2015. Can you think of why that
would be?
A. I have no idea. It is what we would get supplied or
requests from the Post Office, so we don't control how
many we get.
Q. Would it make sense to you if that was during the period
when the mediation scheme was taking place and so maybe
you had more requests at that time?
A. Yes, it could quite well be, yes.
Q. And in 2016/2017 and 2017/2018, over 300 requests. Do
you think that these proceedings may have an impact on
that number and why it is a bit higher than for example
2015/2016?
A. It could well be, but I can't guarantee that.
Q. In 2015/2016, 103 without these two alternative events
going on. Is that perhaps more representative of what
you would get on a yearly basis, or do you not know?
A. I would be guessing if I said yes, without looking at
all the previous years and how it has incremented over
the years, I couldn't tell you.
Q. Sure. But in your experience that might be about right,
100 or so?
A. It could be, yes.
Q. And for 11,000 branches in a year, it's not a high
percentage of ARQs that were requested during that year?
A. I suppose so.
Q. Now, there are no figures there for pre-2014, and
the court has had had evidence from Mrs Mather -- and we
don't need to turn it up, but for his Lordship's note it
is paragraph 19 of her first witness statement which is
{E2/8/4}. There Mrs Mather says that there is
a contractual limit on the amount of data requests that
Post Office can ask for of 720. Is this a limit that
you're aware of?
A. Yes.
Q. If there's a contractual limit on the amount of ARQs
that can be requested, Fujitsu must be keeping a record
of how many requests are made each year?
A. Yes, we do.
Q. Why then are there no figures seemingly for prior to
2014?
A. I can't answer that.
MR JUSTICE FRASER: Have you been asked to get --
A. No.
MR JUSTICE FRASER: You haven't?
A. No.
MR MILETIC: But as far as you are aware, there would be
a record of those?
A. As far as I'm aware, there is, yes.
Q. There should be really?
A. Yes.
Q. The purpose of your witness statement is essentially to
talk about the process of audit extraction, audit data
extraction, and the integrity of data and how it is
maintained during that process, is that fair?
A. Yes.
Q. If we could go back to paragraph 4 of your witness
statement {E2/10/1}, you say:
"During 2009/2010 the Horizon system was upgraded to
Horizon HNGX [Horizon Online] and the detail contained
in this witness statement refers to audited transaction
records generated by this upgraded ... system."
I just want to be precise about the language there.
When you say "audited transaction records", you are
talking about transaction records generated from the
audit store; what you're not talking about -- it's not
the case that those records are actually audited prior
to going into the audit archive, correct?
A. No, it's just the extraction data that I'm taking out.
Q. Exactly. And so it's an important distinction because
really the only time when those records are audited is
when they are extracted and then someone uses them to
compare against different records. Does that sound
correct?
A. I think so. I don't think they are actually compared.
All the data that we extract is specific data from the
servers with all the transactions so it's not -- I think
the word "audit data" -- it's just we extract that data,
we don't then compare it. We then extract the data and
supply it to the Post Office.
Q. Yes, so where it says "audited transaction records" it
might be slightly misleading because it is not that they
are audited prior to going into the audit store; that's
correct, isn't it?
A. I don't know how it is put onto the audit store.
Q. And the second sentence there:
"Unless I state otherwise in this statement when
I subsequently refer to the 'Horizon System' I am
referring to the ~... system as upgraded by Horizon
HNGX."
Looking at your statement I have not seen somewhere
where you have stated otherwise, and so actually your
evidence is limited to the extraction process under
Horizon Online, correct?
A. It is probably misleading. As I have been doing it that
long, it is both Horizon and Horizon Online.
Q. But the specific content of your witness statement from
that point onwards only addresses Horizon Online?
A. I would say it's -- it's the data that I have extracted
for these proceedings.
Q. I see. And when you discuss controls, which we will get
on to in a little bit, is it your evidence that those
controls have always been the same and the same
processes have been followed both in Legacy and
Horizon Online?
A. I believe so. I don't know all the controls -- the
technical controls which are used for the storage of the
data.
Q. So when you provided your evidence here, you really were
talking about the controls as at effectively today's
date when you were making extractions for this trial?
A. Yes.
Q. And if we could go over the page please to paragraph 5
{E2/10/2}, the first sentence:
"When information relating to
individual transactions is requested, the data is
extracted from the audit archive media of the Horizon
System via the Audit Workstations."
And then this second sentence:
"Information is presented in exactly the same way as
the data held in the archive although it can be filtered
depending on the type of information requested."
Pausing there, do you always provide data that's
filtered, or do you sometimes provide data that's
unfiltered?
A. We supply data that's filtered.
Q. Are there any circumstances in which you provide
unfiltered data?
A. To the Post Office, I don't believe I have done.
Q. And then you go on to say:
"The integrity of data retrieved for audit purposes
is guaranteed at all times from the point of gathering,
storage and retrieval to subsequent despatch to the
person making the request."
Again, just in the interests of being precise, can
you explain exactly what you mean when you're saying
"data integrity"?
A. That's what I'm led to believe within the systems that
it is -- that hasn't -- the integrity is complete, it
hasn't been touched in any other way.
Q. So your definition of integrity of data is simply
whether it has been tampered with or not?
A. No, my definition of integrity is that the data I have
extracted and supplied to the Post Office my -- I'm
aware of is in -- its integrity is complete.
Q. And if I was to say the data integrity is the overall
completeness, accuracy and consistency of that data
which you can measure by comparing between sources,
would you agree with that as a definition of data
integrity?
A. Yes.
Q. And if we could please go to {D3/1/67}, this is from
Dr Worden's first expert report, and if we could look at
paragraph 238.6 and what he says there, which is:
"The audit system provides a highly secure and
tamper-proof record of what is entered into Horizon at
the counter, which can be used, in cases of any anomaly,
to provide a 'gold standard' for comparison with data
held in other parts of the Horizon estate, supporting
the diagnosis of software errors. This acts as a secure
kernel and redundant store of data (SEK and RDS)."
I'm not going to ask you about the second sentence
and those acronyms, but in terms of that first part, is
it your evidence as well that it is highly secure and
tamper-proof?
A. The -- where the data is stored, I'm not involved in, so
I can't answer that side of the question.
Q. But in terms of when it is extracted?
A. From my point of view, the processes that we follow and
extract them and supply them to the Post Office, that is
my belief.
Q. It is highly secure and tamper-proof?
A. Yes.
Q. And is it your evidence as well that it can be used in
cases of an anomaly as a gold standard for comparison?
A. They are -- they are words that I probably wouldn't use,
but I'm happy with the integrity of the data that I give
to the Post Office.
Q. But "gold standard" might be putting it a bit high for
your -- in your opinion?
A. Well, no, if you want to use "gold standard", yes,
I will agree with that.
Q. But in any event, you agree that the accuracy of that
audit data and maintaining the integrity upon extraction
is extremely important, particularly, if it is going to
be used in disputes with subpostmasters?
A. Yes.
Q. And if we could go back to {E2/10/2}. Paragraph 6 where
you set out what you say the following controls are that
apply. Did you look at any specific Fujitsu documents
when listing what amount to 12 controls there?
A. Where am I looking at here, sorry?
Q. So in paragraph 6 you say:
"During audit data extractions the following
controls apply ..."
A. Yes.
Q. And then you list out in subparagraphs, 12 specific
particular controls and I was just wondering whether you
looked at any specific Fujitsu documents when you set
out those controls?
A. No, this is the process -- there are security processes
and protocols in place within Fujitsu, but these are
basically the security controls that we have as a team
that we have to extract the data.
Q. My question might not have been entirely clear,
Mr Dunks, but when you set out these 12 controls, when
you were drafting this part of your statement, did you
look at any specific documents in order to think of
and write out these 12 controls?
A. No, this is my knowledge of the controls.
Q. So this is purely from your memory that you draft the 12
controls?
A. Yes.
Q. I see. And in terms of those 12 controls, have they
always been available throughout your time at Fujitsu,
or have some potentially changed?
A. No, that's basically as is the whole time I have been
there.
Q. As far as you can recall those are~...
A. Yes.
Q. Would you say that those are sort of the core controls,
or they just some that you thought of?
A. No, they are the core controls surrounding the audit
extraction.
Q. So at any point in time when we look we should probably
see the 12 same controls listed at other points in time?
A. Yes.
Q. And just over the page, please, {E2/10/3}, at
paragraph 7 you just describe the fact that you have
extracted data in relation to these proceedings. And
then paragraph 8, again, I just want to be very precise
and I want to make sure that I understand exactly what
is being said in this statement. Paragraph 8 begins:
"There is no reason to believe that the information
in this statement is inaccurate ..."
Pausing there, what is "this statement"? Do you
mean your witness statement?
A. Yes.
Q. Okay:
"There is no reason to believe that the information
in this [witness] statement is inaccurate because of the
improper use of the system."
What is the "system" there? Is that the system of
the process of extracting audit data, or is it something
else?
(Pause).
A. Good question. There's no -- I'm not sure what I was
meaning by that, "There is no reason to believe ..."
Q. We will take this step-by-step, but just looking at that
first sentence, you are not quite sure what you mean by
"system"?
A. I think I was meaning about the improper use of the
audit data extraction system.
Q. So when you say "system", you mean the process of
extracting audit data?
A. Yes, I do.
Q. I see, so:
"There is no reason to believe that the information
in this [witness] statement is inaccurate because of the
improper use of the system [in place for extracting
audit data]."
A. Yes.
Q. "To the best of my knowledge and belief at all material
times ..."
Pausing there, what are "all material times" in your
statement?
A. The whole time I had been using the workstations to
extract the data, as far as I'm concerned, there has
been no issues or faults with the workstations to
extract the data.
Q. So "at all material times" is actually the 17 years you
have been at Fujitsu?
A. Yes.
Q. I see, so:
"To the best of my knowledge and belief at all
material times the system ..."
Ie the process of extracting data:
"... was operating properly, or if not, any respect
in which it was not operating properly ..."
Again, pausing there, it is slightly confusing. Are
you aware or not aware of any instances where that
system was not operating properly?
A. No, not really, no.
Q. Okay. So you're not aware --
A. There may have been a few faults -- software faults --
I would say software faults -- where the system has
rebooted or whatever, but if that does, it interrupts
the data extraction which doesn't complete, so we will
then re-run the data extraction. So it's not affecting
any data that's been extracted.
Q. I see. And is that the only example that you can
provide his Lordship as to occasions when that system
wasn't operating properly?
A. Yes.
Q. So you say it was operating properly:
"... or if not, any respect in which it was not
operating properly, or was out of operation was not such
as to effect the information held within it."
What is "it"?
A. The data that I have extracted.
Q. I see, okay. So, Mr Dunks, how could you possibly say
that in any respect that the system wasn't operating
properly, it wouldn't affect the data that you have
extracted? Surely if that process isn't operating
properly, it must have an effect on the data that it
produces?
A. Well, no, because if it doesn't extract the data wholly,
or there is an issue with the PC at the time, it will --
it shows that there is an error, so we actually re-run
the data and there are some checksums within the data
which is a number for each day and if there's a gap
between -- and we check that there's no gaps between
those numbers, and on each report it states that there
are no gaps, which would show if it there were any
issues, but ...
Q. I see. And is it your case that there has never been
a circumstance where the data that's been produced
hasn't[sic] appeared inaccurate because of the process
used to extract it?
A. Not to the best of my knowledge, no.
Q. So now that we have deconstructed that paragraph
a little bit, it is a very specific and slightly hard to
follow choice of wording. Has that come from you, or
has that come from somebody else, Mr Dunks?
A. It -- I did produce the witness statement and then it
came back slightly altered to see if I was happy with
that and I read it and I was happy with it. Maybe
misunderstanding how it could be interpreted, but ...
Q. Yes, but paragraph 8, is that your choice of wording or
not?
A. I can't remember.
Q. Is it more of a Fujitsu party line when it comes to
providing statements on extracting data?
A. There is -- as far as witness statements, there are
no -- I'm not aware of any party line, no.
Q. Thank you. Can we please go to {E2/1/10} and we're back
in Mr Godeseth's witness statement here. We looked at
the ARQ extraction rates over the years. At
paragraph 32, Mr Godeseth says:
"I am not aware of any instances where data
retrieved from the Audit Store differs from other
sources of data, nor am I aware of any instances where
the integrity checks described in paragraph 30 have
revealed any issues."
Those integrity checks are broadly similar to the
ones that you have outlined, but are you aware of any
instances where data retrieved from the audit store has
differed from other sources of data?
A. No, because I'm not aware of any other forms -- I'm not
involved in any areas of data storage.
Q. So Fujitsu wouldn't know that anyway?
A. Well, I can't say that.
Q. Does Fujitsu keep a list of any times when that might
happen?
A. I don't know.
Q. It would be quite a useful thing to have though, for
Fujitsu's purposes, if they did have such a list,
wouldn't it?
A. Yes.
Q. And I guess my second question is a bit overlapping with
the first, but are you aware of any instances where
integrity checks have revealed issues?
A. No, I'm not aware, no.
Q. Not aware of any instances?
A. No.
Q. And again, Fujitsu don't keep a list of any of these
times when it might have revealed issues?
A. Again, I don't know.
Q. Can we please go to {F/1557}. Mr Dunks, this is
actually a Post Office document titled "Back Office
Transformation". It is dated 22 October 2016. The
context -- there's a little bit in that first part
there:
"This paper outlines the business case for the back
office transformation. An opportunity to significantly
improve our basic process and controls, whilst
simplifying the back office application landscape and
reducing our cost base."
If we could please go to page 4 of that document
{F/1557/4}. Have you seen this document before,
Mr Dunks?
A. No.
Q. Now, there it says "Why do we need to transform?":
"Transformation in the back office is required due
to unsuitable processes and significant operational
risk.
"The Post Office has been running the same
sub-optimal back office processes for many years."
If we go down a bit further:
"Industry best processes exist that can, and will be
adopted."
And then 14:
"The back office is currently operating with a far
higher operational risk profile than is accepted by the
Post Office when making investment or project decisions.
High proportion of manual accounting steps."
And then the first arrow bullet point there:
"Lack of system audit trail between transactions."
What do you think that means?
A. I have no idea, I would be guessing.
MR DE GARR ROBINSON: Is this a fair --
MR JUSTICE FRASER: Just -- Mr De Garr Robinson.
I'm not sure you can actually really pursue that
very much further with this witness given he has never
seen the document before.
MR MILETIC: I'm grateful, my Lord.
MR JUSTICE FRASER: Is it a phrase you have ever come across
before "lack of system audit trail"?
A. No.
MR MILETIC: I suppose the one question I would ask Mr Dunks
is: are you aware that Post Office had any concerns
regarding system audit trail as far back as 2016.
A. No, because I'm not involved in that area at all.
Q. I see. I will move on.
If we could please go to {F/1716}. This is the
audit extraction client user manual. Presumably you are
very familiar with this document?
A. I haven't read it for a long time, but I'm aware of it,
yes.
Q. So it's not something that you really look to on a daily
basis?
A. No, it's not.
Q. When do you think is the last time you would have looked
at it?
A. A few years.
Q. A few years?
A. Yes.
Q. The date of this document is 1 December 2017. It's the
most recent version, as far as we're aware, but you're
not sure either way probably whether it is or it isn't,
is that fair?
A. No, not -- no.
Q. If we could go please to page 9 of this document
{F/1716/9}, the introduction there:
"In addition to the historic data collected under
Horizon, the HNG-X system generates significant amounts
of data that is of interest to Post Office~... Internal
Audit ... and other groups.
"This document describes the Audit Extraction Client
application that is run on the Audit Workstations ...
the AE client provides functionality to manage [ARQs]
... and to retrieve and process audit data from the
audit archive."
It seems like an incredibly important document for
your job, doesn't it, Mr Dunks?
A. Yes.
Q. It is effectively a step-by-step guide on how to
contrary out data extraction?
A. I don't know. I can't remember reading it but --
Q. You can't remember reading. The definition there of
"filtering" under 3, do you see?
A. Mm-hm.
Q. "Filtering is the process of searching the retrieved
audit files for specified FAD codes or strings in order
to select a subset of data for further processing. The
user has the option of selecting the whole file in which
a match is found or of just selecting the matching
messages or records."
So filtering takes place obviously after you have
actually retrieved the files from the archive?
A. Yes, yes.
Q. Under 4, "Audit Data Integrity", the second paragraph
there:
"The integrity of audit data must be guaranteed at
all times and controls have been established to provide
assurances to Post Office Internal Audit that this
integrity is maintained."
That wording actually mirrors paragraph 5 of your
witness statement. Do you recognise that wording?
A. Yes.
Q. And then it says:
"During audit data extractions the following
controls apply ..."
Now, there are two there on that page which actually
mirror your 6.1 and 6.2 controls and then just over the
page please {F/1716/10}, the third one there matches
your paragraph 6.6.
If we could please move forward to page 42 of this
manual {F/1716/42}, the section begins with "Validation
and Query":
"This tab will only be available if the following
conditions have been met:
"1. The retrieved data consists exclusively of TMS
and/or BRDB messages.
"2. Filtering has been performed."
So this is now the data has been retrieved and now
we have been filtering, is that right?
A. Right, this is -- there would be two forms of data
retrieval, one is the fast and one is a slow one. This
is the historic one which I haven't used for quite
a while, but yes, I believe so.
Q. I see.
MR JUSTICE FRASER: Is this the slow one or the fast one?
A. It's the slower one.
MR JUSTICE FRASER: The slow one.
MR MILETIC: And if we could go over the page, please
{F/1716/43}, it says:
"TMS and BRDB messages are numbered in sequence for
each node. During filtering any retrieved audit message
data is analysed to determine what message sequences are
present in the data and whether there are any gaps or
duplicates in those sequences. A gap in a message
sequence may indicate that a message is missing from the
audit data. Duplicates may indicate that an audit file
has been gathered twice."
Taking those in turn, "a gap in a message sequence
may indicate that a message is missing from the audit
data"; that suggests that the underlying audit data is
incomplete, doesn't it, Mr Dunks?
A. I would say so, yes.
Q. But it uses the word "may", so actually it might be the
case that it is the retrieval process that has caused
the gap?
A. I don't -- no, I don't think -- I don't know.
Q. So the use of the word "may", may just be a slip in
language there?
A. Quite possibly.
MR JUSTICE FRASER: Well, it could be any one of a number of
reasons.
MR MILETIC: Precisely, my Lord.
MR JUSTICE FRASER: But on the basis that the witness didn't
draft it, I think he has agreed with your proposition to
the extent he can, but he also says he doesn't know.
MR MILETIC: I'm grateful, my Lord.
And the second part there "duplicates may indicate
that an audit file has been gathered twice", so that
would be an example of the processing -- the system you
were describing before, potentially causing duplicates
to be gathered?
A. Yes, possibly.
Q. And are you aware whether actually it might be the case
that duplicates were in the underlying data itself
rather than through the process?
A. I don't know, I can't -- I don't know.
Q. Well, the diagram there shows what would happen in the
event that gaps and duplicates are found, and do you see
it says gaps found shown in red, duplicates found shown
in blue and in block capitals "Seek assistance from
audit support". Now, on the face of that message --
first of all, have you seen messages like this before
when you have retrieved data?
A. If I have it was a long time ago. I'm not saying
I haven't, but it would have been a long time ago.
Q. You may have done? And on the face of it doesn't tell
you what the cause is of those gaps or duplicates, does
it?
A. No, I don't believe it does, no.
Q. And you wouldn't know what the cause was?
A. No, I wouldn't know, no.
Q. And in block capitals it says "Seek assistance from
audit support". Seek assistance from audit support, but
there's no explanation as to what audit support might
do. What do audit support do in that circumstance?
A. I'm assuming they would investigate the cause of the
gap.
Q. Do you have any experience of when you have called audit
support and they have come back to you?
A. Possibly. I think I possibly -- yes, I think we have
raised PEAKs, which is if this -- we would raise an
issue via a PEAK for the audit team to investigate.
Q. It's a problem, isn't it, if gaps and duplicates are
found upon the retrieval process?
A. Yes, I think so.
Q. And it's obviously very important what happens to the
data afterwards. Would you provide ARQs containing gaps
and duplicates, or would that go out of your hands and
then audit support gets involved?
A. Yes, the latter, yes.
Q. The latter?
A. Yes.
Q. And you're not quite aware of what they do. You say
they investigate?
A. Mm-hm.
Q. When the ARQ is ultimately provided, do they -- do you
know if they provide a version containing gaps and
duplicates, or if they provide a version without gaps
and duplicates because they have removed them?
A. I don't know.
Q. You don't know?
A. No.
MR MILETIC: My Lord, would it be a convenient moment for
a break?
MR JUSTICE FRASER: Yes, it would.
Mr Dunks, you are in the middle of giving your
evidence. We have a short break in the morning and
a short break in the afternoon for the shorthand
writers. Please don't talk to anyone about your
evidence or the case. We will have ten minutes, come
back in at 11.50, but please don't feel constrained to
stay in the box, you are allowed to go outside, stretch
your legs, even get some fresh air if you think you can
get down and get back up in time, but 11.50. Thank you
very much.
(11.41 am)
(Short Break)
(11.52 am)
MR MILETIC: Could Mr Dunks please be shown {F/676}. This
is a witness statement dated 8 July 2010 by
Gareth Jenkins. Do you know Gareth Jenkins?
A. Yes, I do.
Q. He was a colleague of yours, correct?
A. Yes, he worked on the same account.
Q. And he provided this witness statement in the trial of
Mrs Seema Misra. I assume you are familiar with
Mrs Misra's case?
A. Yes.
Q. In fact I understand, having seen a reference in
a transcript, that you in fact provided at least one
witness statement in that case?
A. I did.
Q. Do you remember what the content of that witness
statement, what it was dealing with?
A. That was around the help desk calls.
Q. I see. Now, Mrs Misra was a subpostmistress in
West Byfleet that was at the time being prosecuted on
charges of false accounting and theft and you recall
that?
A. Yes.
Q. Have you seen this witness statement of Gareth Jenkins
before?
A. No.
Q. Could we please go to page 2 of this statement
{F/676/2}. In the first full paragraph it says:
"With Horizon counters, the mechanism by which data
is audited has always worked on the principle that it is
acceptable to audit the same data more than once -- in
particular if in doubt as to whether or not it has been
previously audited successfully. The Mechanism used on
Horizon to retrieve the audit data took this into
account and only presented one instance of such
duplicate data in the ARQ extracts. The Audit Mechanism
cannot alter the base information and therefore
a re-running of the audit process will always produce
the same result."
Does that accord with your understanding of how the
process of retrieving audit data worked in
Legacy Horizon?
A. Yes.
Q. Are you sure or is it --
A. No, no, as far as I'm aware it extracts the data that's
there and if I extract it again, it will bring out the
same data.
Q. I see, so duplicates would not show up at that time?
A. When you say duplicates --
Q. Well, when it says:
"~... only presented one instance of such duplicate
data in the ARQ extracts."
A. As far as I'm concerned the data that -- it is very
process-driven, so we input the FAD code, the dates and
extract the data, and if I extracted it a second time,
it would bring back the same data, so I'm not aware, or
I don't know about duplicates it would bring back -- as
far as I'm concerned, it brings back the same data.
Q. I see. Mr Jenkins goes on to say:
"In January 2010 a new HNG-X application was
introduced to filter transaction records for
presentation to Post Office Limited. It has recently
been noticed that this HNG-X retrieval mechanism does
not remove such duplicates. An enhancement to the
extraction toolset will be developed, tested and
deployed and will remove such duplicate data in the
future. However until this enhancement is deployed,
there is a possibility that data is duplicated."
Pausing there, do you recall this being an issue at
the time?
A. I vaguely remember it, yes.
Q. And he goes on to say:
"The reliable way to identify a duplicate
transaction is to use the <Num> attribute that is used
to generate the unique sequence numbers. This will be
included in all future transaction record returns until
the retrieval mechanism is enhanced. A semi-automated
process to copy the returned data, and then to identify
and remove any duplicated records which may be present
from this copy by using the <NUM> attribute, has been
agreed with Post Office Limited for use in the interim
period."
What that suggests is there was a period of time
when there was -- it says semi-automated, a partly
manual process in removing duplicate records from ARQ
extracts. Does that accord with your memory?
A. It wasn't in the process that we did when extracting the
data. I'm aware of that happening, whether it went
on -- I don't know the process of it, but it wasn't in
our daily process for extracting and removing any
duplicates.
Q. So where it says that there is a process agreed with
Post Office in the interim period for removing those
duplicate records, that's not something that you were
involved in as the person extracting the data?
A. No.
Q. And not anyone in the similar role to yours was involved
in that?
A. I don't believe so, no.
Q. So there was effectively a separate department that was
taking care of that?
A. That was dealt with -- yes, not within our team.
Q. I see. And it says there:
"A transaction log data disc has been produced as
exhibit PT/02 in the trial of Seema Misra. The
transaction log data disc is made up of ARQs 436 to 448.
It should be noted that ARQ 447 which records the
transactions between 1 November 2007 to 30 November 2007
does contain some duplications of audited records."
But then Mr Jenkins says:
"It is emphasised that [it doesn't] ~... in any way
[affect] actual physical transactions recorded on the
counter~... The duplication of records has ..."
If we could turn the page:
"... occurred during the auditing process when
records were in the process of being recorded purely for
audit purposes from the correspondence servers to the
audit servers."
That final paragraph there, does that look familiar
to you?
A. Yes, it's the same as what's in my statement, yes.
Q. There's a slight difference in that it says improper use
of the computer rather than system, but the rest does
seem to match up?
A. Mm-hm.
Q. But you hadn't seen this witness statement before?
A. No.
Q. And you're not sure why it would largely replicate your
paragraph 8?
A. No, I mean, we do have a standard witness statement that
we produce for ARQs. When we supply ARQs we are
sometimes asked for a witness statement to go through
the process and verify as far as I'm aware that the data
I supplied is accurate. Now, we use that quite a lot
and it may actually be in that statement.
Q. I see. So when I asked you earlier whether it was
something of a Fujitsu party line you said you didn't
think it was, but actually it looks as though it is on
the basis of what you have just told me and on this
document as well.
A. It could be. It may be part of our standard witness
statement that we supply.
Q. And it's not something you think about too much, that
specific section?
A. No.
Q. It's just template. You don't think about it, and you
sign?
A. No.
Q. I see.
MR JUSTICE FRASER: Is that no, you are agreeing, or no, you
are disagreeing?
A. No, I agree.
MR MILETIC: I'm grateful, my Lord.
Now, if we could please go to {F/573/1}. This is
a witness statement of Penelope Anne Thomas. Do you
know Mrs Thomas?
A. Yes, she used to be a colleague.
Q. And have you seen this witness statement before?
A. No.
Q. This is a witness statement also in Mrs Misra's trial
and if you look at the first full paragraph, that
largely replicates your paragraph 3. She was
essentially performing the same role in terms of
providing evidence as you are here, is that fair?
A. Yes.
Q. And if we could turn to page 3 please {F/573/3}, and
just to say, the date of that statement -- it says
4 February on the front page and she describes a bit of
the process there in the second paragraph and in the
final two sentences, in discussing the transaction
records, she says:
"They therefore provide the ability to compare the
audit track record of the same transaction recorded in
two places to verify that systems were operating
correctly. Records of all transactions are written to
audit archive media."
Nothing controversial there, do you agree?
A. Yes.
Q. And just in passing, the two paragraphs below that where
it says:
"The Horizon system records time in GMT and takes no
account of Civil Time Displacements ..."
This is something we have actually heard some
evidence on earlier, but it's correct, isn't it, that
the audit data -- six months of the year the time stamp
will be off by an hour?
A. Yes.
Q. And at the bottom of that page, Penelope Thomas says:
"During audit data extraction the following controls
apply."
And then over the page {F/573/4}, and she too lists
12 controls that aren't entirely -- they don't entirely
match up to the controls that you have set out, for
example, one of the controls that I noted appears to be
missing is in your paragraph 6.9 where you said:
"Checks are made using the JSN that all audited
messages for each counter in the Branch ~..."
I will just let you find it if it would help?
A. Mm-hm.
Q. "Checks are made using the JSN that all audited messages
for each counter in the Branch have been retrieved and
that no messages are missing."
To your knowledge, was this an available control at
this time when Ms Thomas gave her statement?
A. I don't know. I don't know.
Q. So you don't know when that control came into play?
A. No, I don't.
Q. I see. Do you think if it was available it's quite an
important check that Ms Thomas would have mentioned it?
A. Possibly.
Q. But it is quite difficult because she hasn't listed
where she derives those controls from either and a point
that we made earlier when looking at your witness
statement -- you said that you had listed 12 controls
effectively from recollection, or what you understand
them to be, but we can't now verify that by looking at
any documents to see where those controls might appear
and when they were brought into force or not as the case
may be?
A. No -- well, I don't know. There may be ...
Q. I see. How did you satisfy yourself that the controls
you were speaking to in paragraph 6 of your witness
statement do actually apply as at today's date?
A. I -- on those checks -- those -- I was trying to imply
that the data as far as I was concerned, when extracted,
was true and accurate to my best knowledge.
Q. Well, stopping just there. You're trying to imply the
result which is that the data is accurate, but the
question is very specific as to the content, the
existence of the controls that are in place. How did
you verify to yourself that those controls are actually
in place? How did you know?
A. I was trying to imply that the data that I had extracted
hadn't -- from the date of -- from the time of being
extracted hadn't been manipulated or touched and when
you said before (inaudible) with the Post Office, and
controls to actually go in and log on and extract that
data, there were controls in place to do that.
Q. But can you actually be sure that the controls you
listed were in effect and were operating as at the time
you extracted the data?
A. To the best of my knowledge, yes. Yes.
Q. I see.
A. I had no reason to doubt it.
Q. Even though you didn't confirm it through any documents?
A. No.
Q. I see. And over the page, please, {F/573/5}. Ms Thomas
there just describes that she was in fact the one that
extracted the records in relation to Mrs Misra so we
see:
"ARQs 436 to 448 ... were received on
26 February 2010 ..."
It goes on to say:
"I produce a copy ... as exhibit PT/01. I undertook
extractions of data held on the Horizon system in
accordance with the requirements of ARQs 436 to 448 ...
and followed the procedure outlined above. I produce
the resultant CD as Exhibit PT/02. This CD, Exhibit
PT/02, was sent to the Post Office Investigation section
by Special Delivery on 4 March~..."
Do you recall that PT/02 was the exhibit that
Gareth Jenkins in his witness statement was talking
about?
A. I'm -- with it being called the same, I'm assuming it is
the same.
Q. Yes, and he, in that statement, referred to ARQ 447
containing duplicate records and then needing to be
removed. I can take you back if you would like to see
that section?
A. No, that's fine.
Q. So then Ms Thomas sets out:
"This report is formatted with the following
headings."
And then over the page, please {F/573/6}:
"The Event report is formatted with the following
headings."
Now she doesn't mention anywhere there that ARQ 447
contained duplicate records, does she? I can give you
a moment to look at that section.
A. No.
Q. And then the paragraph immediately below it, that again
is your paragraph 8 although this time word-for-word is
the same as your paragraph 8, isn't it?
A. Yes.
Q. And it is consistent with your answer earlier that this
is a sort of template Fujitsu witness statement document
that is provided and you sign --
A. Yes.
Q. -- just to show that the extraction has been okay?
Ms Thomas not identifying duplicates in ARQ 447,
that's slightly problematic, isn't it, to either
Post Office or an SPM that is trying to look at
anomalies and compare sources of data? That's not very
helpful, is it?
A. The statement again is to verify the integrity of the
data once extracted and given. We don't control what's
in the data. Our process is about extracting it and
securely passing it over to the Post Office. It's not
our concern of what's in the data.
Q. It's not your concern what's in the data?
A. No, it's what we're -- we're process-driven to extract
certain types of data for certain requests.
Q. And so whether or not that might match another record or
not, or replicate or duplicate or have gaps, that's not
part of your remit, that's not really part of your
concern?
A. No, it's not.
Q. I see. So reading that and reading the paragraph 8 as
it was in your witness statement, it doesn't give much
comfort to somebody that's then trying to rely on ARQ
data as being a gold standard to compare and investigate
anomalies, does it?
A. Possibly not.
Q. Are you aware, Mr Dunks, of any other specific issues
with the retrieval of audit data that may have impacted
disputes between Post Office and subpostmasters or
subpostmistresses?
A. Not that I can -- not that I can recall would cause
those issues, no.
Q. Could we please look at {F/829}. This is a PEAK,
PC0211833, and do you see under "Summary" it says:
"Audit Retrieval for ARQ Returns Missing Reversal
Indicator."
Do you see that field?
A. Yes.
Q. And then under "Impact Statement" in capitals:
"Service on stop ... ARQ returns for HNGX
transaction records must stop until resolution.
Analysis must identify returns which may require
re-retrieval."
Do you recall a particular issue in terms of
reversals and audit retrieval?
A. No. At that time, Penny managed the ARQ retrieval
process and she -- that was her main priority and her
main job, so I wasn't -- I wouldn't have been --
I wouldn't have seen this issue, or been made aware of
these issues.
Q. You would not have been made aware of this issue at all?
A. No.
Q. Even though you are the person that's extracting data?
A. No. With our team we had a number of different roles
and audit extraction is one of those roles, which is
process-driven, so -- and Penny would have managed that
via this PEAK. I wasn't aware of -- and if I was,
I certainly don't remember.
Q. And if we could go over to page 2 please {F/829/2}. Do
you see that bottom box there? If we look down at
"Impact on operations" -- well, if we start at the top
it says:
"Specify the HNG-X platforms impacted."
Do you see that?
A. Yes.
Q. And it says:
"The platform has been specified and it is the Audit
Server.
"Technical summary: the spreadsheets presented in
support of prosecution at court miss out an indication
as to whether or not a transaction is a reversal."
And then further down do you see "Impact on
operations".
A. Yes.
Q. There again it says:
"Spreadsheets supplied by the prosecution team miss
out an indication as to whether a transaction is
a reversal."
It says:
"The prosecution team are well aware of the
problems; we hope to have a release out in a few days;
a KEL is therefore not required."
Just over the page please {F/829/3}, and it says:
"Risks (of releasing and of not releasing proposed
fix):
"There are few risks with this fix. It must be got
out or prosecution evidence is incomplete."
And then there is a description there of queries
being changed in order to show reversals, and this is
taking place now this PEAK from -- August 2011 is when
this problem was identified, but you say you were never
made aware of it and presumably you weren't aware either
of queries being changed subsequently?
A. I don't recall this, no.
Q. And on the final page, please, of this document
{F/829/5}, there is a final message there saying:
"Fix deployed; all appears to be operating as
required. Closing call. Many thanks to all, Penny."
So it is fair to say that up until August 2011, the
data that you were retrieving did not have an indicator
as to whether or not reversals had taken place?
A. Correct, yes.
Q. Do you see that as detracting somewhat from this being
a secure gold standard record to be compared with other
sources?
A. I honestly can't say whether that has an implication on
that at all or -- that data missing has an implication
on that at all, I don't know.
Q. It's not in your remit, it's not in your concern?
A. No, no.
Q. Were you in court on Monday when Mrs van den Bogerd was
being cross-examined?
A. Yes.
Q. Did you hear a reference to something that was referred
to as the Helen Rose report?
A. I don't recall it but ...
Q. It's a very short point I was going to make, but
actually perhaps it is fair to take the witness to the
document very briefly.
MR JUSTICE FRASER: It depends what the point is, I suppose.
MR MILETIC: Well, the short point is this but actually it
might be, Mr Dunks, that you simply don't know the
answer to this either, so the point that I was going to
make is that it wasn't until the summer of 2013, at the
time of the Helen Rose report, that in actual fact it
was identified to be a problem that the reversal
indicator didn't show whether it was system or
user-generated, but is that something that is outside of
your knowledge?
A. Yes.
Q. Very well. I won't go to that point then.
So, Mr Dunks, having now canvassed through various
documents and looked at various problems that existed
with ARQ data when it was retrieved, can you just
explain to the court why those things, or a semblance of
those issues were not set out candidly in your witness
statement?
A. Sorry, I don't understand.
Q. So we have just been through several documents and
several issues in terms of when audit data is retrieved
and the problems in relying on that data, but none of
that is set out in your witness statement, and is there
a particular reason as to why that might be?
A. Again, the -- what I was trying to convey with our
witness statements, as I believe, is the integrity of
the data once we have extracted it, and then supplied it
to the Post Office, and the controls around the
extraction, not the data itself.
Q. I see, so what you are not saying in your witness
statement is that the data then is accurate and reliable
in terms of use for disputes between subpostmasters and
Post Office?
A. No, I can't say that at all.
MR MILETIC: You can't say that? That's fair.
My Lord, I have no further questions.
MR JUSTICE FRASER: Mr De Garr Robinson?
Re-examination by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Dunks, I would just like you to
look at your witness statement please, paragraph 8. You
were asked a question about this paragraph and you were
asked -- it was suggested to you that you didn't really
think about that paragraph much and I would just like to
take you through it {E2/10/3}. In the first sentence
you say:
"There is no reason to believe that the information
in this statement is inaccurate because of the improper
use of the system."
Mr Dunks, is that sentence true or is it not true?
A. It is -- well, it's true. I don't believe -- there's no
reason to believe that it is inaccurate at all.
Q. And did you think about that sentence when you signed
the statement?
A. It wasn't in the forefront of my mind when I was signing
the statement, no.
Q. The next sentence:
"To the best of my knowledge and belief at all
material times the system was operating properly, or if
not, any respect in which it was not operating properly,
or was out of operation was not such as to effect the
information held within it."
Is that sentence true?
A. Yes.
Q. Would you have signed this statement if either of those
sentences had not been true?
A. No.
MR DE GARR ROBINSON: Thank you.
Questions by MR JUSTICE FRASER
MR JUSTICE FRASER: I have just got a question.
You started doing your current role in 2002, is that
right? I think it is in paragraph 3, you say.
A. I have worked within this team since then, but the roles
have changed within that over that period of time.
MR JUSTICE FRASER: What were you doing before 2002?
A. I was -- there were different roles again within then
ICL, from desktop support, et cetera.
MR JUSTICE FRASER: And when did you start at ICL, do you
remember?
A. Good question. About 21 years ago.
MR JUSTICE FRASER: 1998?
A. Yes.
MR JUSTICE FRASER: You are trying to catch me out with some
mental maths.
I don't have any questions other than that.
I assume there's nothing arising out of that. Thank you
very much for coming, you can now leave the witness box.
MR DE GARR ROBINSON: My Lord, I call Torstein Godeseth.
MR TORSTEIN OLAV GODESETH (affirmed)
MR JUSTICE FRASER: Have a seat, Mr Godeseth.
Examination-in-chief by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Godeseth, there's a bundle of
documents in front of you. Could I ask you to go to
divider 1 of that bundle please {E2/1}. This is
a document that describes itself as a witness statement
by you. Is that your name and address on the first
page?
A. It is.
Q. And if you go to the last page, page 20 {E2/1/20}, is
that your signature?
A. It is, my Lord.
Q. If we could go on to tab 7 in the same bundle, please
{E2/7}. I believe you will see a page with two
corrections, is that right, at the front of that tab?
A. Yes.
Q. And then over the page, there is another witness
statement by you and again, there's your name and
address on the first page, isn't there?
A. That's right.
Q. And page 18 {E2/7/18}, that's your signature, is it?
A. It is.
Q. And then there's a third statement which should be
behind divider 14 of the bundle {E2/14}. Again, your
name and address on page 1, and on page 7, is that your
signature? {E2/14/7}
A. It is.
Q. Now, the later statements clarify and in some respects
correct matters that are set out in the earlier
statement. Subject to those clarifications and
corrections, and subject to the two corrections you saw
in the front sheet at tab 7, do you confirm that these
witness statements are true to the best of your
knowledge, recollection and belief?
A. I do.
Q. Now, Mr Godeseth, I've got a question I would like to
ask you arising from evidence that's just been given by
Mr Dunks, and with your Lordship's permission ...?
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: If we could go to {F/1716} please and
could we go to page 43 of that document {F/1716/43}.
This is a Fujitsu document. It's the Audit Extraction
Client User Manual. Do you see that?
A. Yes.
Q. Now, just remind me, how long have you been working for
Fujitsu?
A. Since 2010.
Q. And since that time, have you had any familiarity with
the audit extraction process and its reliability and so
on, and issues surrounding it?
A. I have clearly been aware that audit extracts have been
happening, but I have not been intimately involved in
that process until more recently.
Q. I see. I would like to ask you about -- at the top of
the page it says:
"TMS and BRDB messages are numbered in sequence for
each node. During filtering any retrieved audit message
data is analysed to determine what message sequences are
present in the data and whether there are any gaps or
duplicates in those sequences. A gap in a message
sequence may indicate that a message is missing from the
audit data. Duplicates may indicate that an audit file
has been gathered twice."
I would just like to ask you a couple of questions
about that. If there had been a gap in a message
sequence during the extraction process that's described
here, is that something that you would know about?
A. I believe so, yes, because it would be a highly serious
problem.
Q. And can I ask you whether there have been any such gaps
during the time that you have been at Fujitsu?
A. I'm certainly not aware of any, and I'm confident that
I would have been told.
Q. Very good. And then moving on to the next sentence, the
duplicates. Could I ask you the same question about
duplicates: what would have happened? Would you be
aware if there were any duplicates?
A. Having seen Gareth's statement, I would say that
duplicates are probably being misinterpreted here,
because if a record goes into the audit trail twice it's
simply two copies of the same record. As long as that's
dealt with, I don't think that's a problem.
MR JUSTICE FRASER: When you say duplicates are being
misinterpreted here, do you mean in this document, in
Mr Jenkins' document, or in what you are being asked?
A. I think here the issue is -- I clearly understand that
the claimants are interested, my Lord, in whether
transactions got duplicated, and I think what goes into
the audit is a record which has come from a counter,
different mechanisms in Riposte and also in the newer
Horizon system. I think what Mr Jenkins is referring to
is that a record can be written to an audit trial twice
and as long as you spot that and you deal with it,
that's fine, because it is simply saying, it is
simply: I wrote down the same thing twice. And the
circumstances in which I have some recollection of is
that the audit trail got written to Bootle and to Wigan,
our separate data centres in the days of Riposte, so
clearly I would have a copy of a record in both Bootle
and Wigan.
MR JUSTICE FRASER: I'm not sure that necessarily answers my
question.
A. Sorry, my Lord.
MR JUSTICE FRASER: When you said duplicates are being
misinterpreted, do you mean misinterpreted in this
Fujitsu document, interpreted insofar as you understand
what Mr Jenkins is saying, or misinterpreted in the
question that Mr De Garr Robinson asked you?
A. I think here I'm saying that duplicates may indicate
that an audit file has been gathered twice is --
MR JUSTICE FRASER: When "here" you mean the Fujitsu
document?
A. In this Fujitsu document. I think that is entirely
consistent with what Mr Jenkins said in his statement.
MR JUSTICE FRASER: I see.
MR DE GARR ROBINSON: "The suggestion here that duplicates
may indicate that an audit file has been gathered
twice" --
MR JUSTICE FRASER: That's what it says in the paragraph.
MR DE GARR ROBINSON: Yes, I have just read out the
paragraph, I don't know why I did that. If duplicates
were being produced in audit extractions, is that
something with which Fujitsu would be interested to
know?
A. I think it is important to go back to understand what
the audit trail is looking to do, and I think I would
like to start by describing the Horizon Online system
which I'm more familiar with, and the audit trail in my
book is I'm trying to write down, transaction by
transaction what is coming from a counter and I am
keeping a record of effectively the transaction as
entered at the counter as closely as I can possibly make
it.
In the Horizon Online, the big protection there is
a thing called the JSN which is the Journal Sequence
Number, and we use this to indicate that -- or to prove
that I have not missed any records and I haven't got any
duplicates. So built into the system at the BOWL(?), we
get a sequence of messages coming up from the counter to
the BOWL, and these all have a JSN in them, and these
are checked to make sure that they just increment by
one.
In the Riposte system, there was a very similar
concept, but this was the message number on the messages
coming from a particular counter, and again, by checking
that I've got a -- what we call a dense list which says
I've got every number accounted for, and I -- if I have
duplicates, and they both say the same thing, that is
just the fact that I have written something down twice
and I imagine from what I have read in Gareth's
statement that this obviously happened in Riposte days
when there were data centres in Wigan and Bootle and
I know that audit trails were written in both centres,
but I think by then saying "Okay, I have now written
some things down twice, but I can recognise those
because they have the same message number", they are
simply copies of the same thing.
MR DE GARR ROBINSON: My Lord, I'm at the margins of my own
understanding of the system and I think I had better
stop now.
MR JUSTICE FRASER: Well, I'm actually just go to pursue
this on your behalf, because your question was quite
simple and it has led to an answer of about a page and
a quarter, so I'm just going to ask the same question.
What Mr De Garr Robinson asked you was if duplicates
were being produced in audited extractions, is that
something that Fujitsu would be interested in knowing?
And I'm unclear as to what the answer is.
A. Yes. Sorry, yes, my Lord.
MR JUSTICE FRASER: The answer is yes?
A. Yes. We would be interested in knowing because we would
have to explain it.
MR JUSTICE FRASER: Right.
If you want to ask a follow-up question,
Mr De Garr Robinson, you can do so.
MR DE GARR ROBINSON: Are you aware of -- since your time at
Fujitsu -- I'm not asking you about Legacy Horizon now,
but since your time at Fujitsu, are you aware of this
issue having arisen in relation to extracting audit
data, duplicates?
A. No, my Lord.
MR JUSTICE FRASER: Mr Green, your turn.
Cross-examination by MR GREEN
MR GREEN: I will start at the beginning of your statement,
if I may, Mr Godeseth. If we can look at {E2/1/1}. You
explain in paragraph 1 that you are employed at Fujitsu
Services Limited as the chief architect on the
Post Office account.
A. I am, my Lord.
Q. And you say you are authorised to make this statement on
behalf of Post Office Limited in the proceedings. It is
right, isn't it, that you were first employed by
Post Office?
A. I was employed by Post Office from 1987 for a number of
years.
Q. Let's have a look at paragraph 5 of your witness
statement please. Sorry, I think we've got the wrong
one there. Can we get {E2/1/1}, please.
Just look at paragraph 5 on page 1 to start with
{E2/1/1}. You give your employment history there and at
the bottom of the page, after leaving the Royal Navy you
joined Forward Trust in November 1981 to work in systems
programming and technical support for their IT systems.
Then if we go over the page:
"I joined the Post Office IT department
in November 1987 to work on a project to introduce
technology into Post Office branches."
What project was that?
A. I know it as the Thames Valley pilot. It was a project
to introduce -- we supported three products in those
days, it was Girobank, DVLA and National Savings,
a pilot in the Thames Valley area which had about 250
offices.
Q. Then at paragraph 6 we see you worked as the technical
advisor to Post Office when they and the Benefits Agency
procured the Horizon system.
A. That's correct, my Lord.
Q. It was unusual as a project; it was being procured by
two different government bodies, wasn't it? There was
the Department for Social Security, Benefits Agency, on
the one side and then there was Post Office at that time
under Royal Mail on the other?
A. That's right, my Lord.
Q. And latterly you were then technical advisor to
Post Office when Legacy Horizon changed to
Horizon Online?
A. Correct.
Q. And then from 2010 you then moved from Post Office to
Fujitsu.
A. I did, yes.
Q. What occasioned that move?
A. I was working as a contractor for Post Office. My
contract came to an end, and I joined Fujitsu on
contract.
Q. But when you say "as a contractor", do you mean as an
independent contractor --
A. Yes.
Q. -- rather than employee?
A. I joined Fujitsu initially as a contractor and then
in November, I accepted a full-time role.
Q. And just so we have a vague idea, for what proportion of
your time with Post Office were you employed, and for
what proportion of the time were you an independent
contractor?
A. I became an independent contractor in 2005, just as
Impact Programme was going live.
Q. Just as ...?
A. The Impact Programme was going live.
Q. Can you explain to the court what the Impact Programme
was?
A. The impact -- the major change in the Impact Programme
delivered was to take out the old cash account and
replace it with branch trading statements, but there
were a few other changes implemented at the same time.
Q. Now, you effectively have worked for both Post Office
and Fujitsu and have been involved in pretty much the
entire history of the Horizon system in different ways,
haven't you?
A. I was -- pretty much, but I was not involved in the
early days of the roll-out of Horizon, so when
I finished my stint on the procurement, I worked
elsewhere in the Post Office, then came back to
Post Office counters to deal with banking and since then
I think my time has been pretty much with Post Office
counters. I had a break in 2009 before coming back for
a short contract with Post Office counters and then
joining Fujitsu.
Q. Right. We will come to the introduction of Horizon and
so forth in a minute, but just clarifying the
construction of your witness statement, your first
witness statement which we're looking at, which is the
one of 27 September 2018, broadly covers the accuracy of
audit data and the issue of remote access for both
Legacy Horizon and Horizon Online, is that fair?
A. It is, yes.
Q. And at paragraph 7 of that witness statement {E2/1/2},
if you just look at that for a moment, do you see at the
bottom of that paragraph it says:
"I therefore have consulted with colleagues who work
in the areas that are covered by this statement to
ensure that my understanding of them is correct."
Which were the areas that you were referring to
there?
A. Basically any area that I wanted to just double check,
so I don't see it as anything specific. I work with
a number of people and if I'm uncertain of anything, or
just want to check up, then I would talk to them.
Q. So you were sufficiently uncertain about certain things
to have to go and speak to a number of your colleagues?
A. I wouldn't say "uncertain". It is due diligence, double
checking.
Q. Who were the colleagues you spoke to?
A. Off the top of my head, I would say Steve Parker and
a couple of guys in his area; Pete Jobson,
Gareth Seemungal, Alan Holmes, Jon Hulme.
Q. Could you just help the court just in relation to each
of those, what were the aspects they were contributing
to your statement, could you just explain?
A. In Steve Parker's area, certainly there are people who
have longer -- or recollections of how Riposte actually
worked. Gareth Seemungal, I talked to about BRDB and
how Oracle works. Pete Jobson I talked to about how
batch systems work. Alan Holmes knows a fair amount
about audit. Jon Hulme, knows the counter pretty well.
Q. Right, that's helpful. Let's look at paragraph 34
please on page 11 {E2/1/11}. We see there "Audit data -
Legacy Horizon."
You say:
"In Legacy Horizon Riposte, a messaging system, was
responsible for storing all data in Post Office branches
and replicating it to data centres. As I was on 'the
other side of the fence' ..."
Because you were working with Post Office at the
time:
"... when Riposte was in use I have consulted with
my former colleague, Gareth Jenkins, to prepare this
section of my statement."
Yes?
A. Yes.
Q. And in fact we see Mr Jenkins' name in a number of other
paragraphs throughout your witness statement?
A. Yes.
Q. And it is fair to say that really the source of that
information that you're giving is Mr Jenkins, isn't it,
because you were working for Post Office at the time?
A. I feel I had a pretty good knowledge of how Riposte
works, since I needed it when I was working on Impact,
but it's absolutely the case that I would get more
detailed information from Gareth.
Q. Because in a number of paragraphs -- I mean, just give
us a couple of examples. At paragraph 38 you say:
"I understand from Gareth that each message included
three key pieces of information ..."
And if we go to paragraph 39, over the page
{E2/1/12}:
"I also understand from Gareth that messages also
had an associated 'Expiry Date' ..."
Paragraph 41:
"I understand from Gareth that due to the size of
the Post Office network [they] were split into four
separate clusters ...."
And so forth. Paragraph 43:
"I understand from Gareth that the audit application
read every record that was visible to the correspondence
server ..."
Paragraph 44 {E2/1/13}:
"I also understand from Gareth that once these files
had been written they became visible to the audit server
which would pick them up ..."
I'm obviously not going to keep going, but that's
information you have obtained from Mr Jenkins, isn't it?
A. It's difficult to judge how much I knew beforehand, but
certainly talking to Gareth has freshened up my
understanding of it.
Q. I suggest to you it is mostly Mr Jenkins' explanations
to you which you seem to think --
A. I would certainly regard Gareth as an expert on Riposte,
having far more knowledge about it at a practical level
than I have.
Q. He is the most obvious person to talk about it in
a sense, isn't he?
A. Yes.
Q. And let's look, if we may please, at page 16 of your
first witness statement {E2/1/16}. This falls under
a heading called "Balancing Transactions" which has been
given an acronym of "BTs".
A. Yes.
Q. We will come back to that. But just for the moment,
just to orientate you where you are in the statement, if
you look -- I'm sorry, Mr Godeseth, I didn't spot you
didn't have any water.
(Pause).
Just to orientate yourself in the witness statement,
you've got:
"A small group of Fujitsu users from the Software
Support Centre ... (30 users) have the ability to inject
additional transactions into a branch's accounts in
Horizon Online, using a designed piece of functionality
called a Balancing Transaction."
Now, pausing there, we heard Mr Roll being
cross-examined and it was suggested to him that within
SSC there were about 25 members who were -- whose
experience Mr De Garr Robinson went into with Mr Roll,
and then five sort of super elite members, as they were
described by Mr De Garr Robinson.
A. Mm-hm.
Q. That's a total of 30. Is that about the same size as
the department is now? Is 30 users the whole of SSC?
A. I wouldn't know. Steve would be able to give a far
better -- but I -- I think there was about that number
of people there, yes.
Q. So Mr Parker would be the person who knows, and you
think it's probably about the whole of SSC?
A. Yes.
Q. So when we just look at the words:
"A small group of Fujitsu users from the Software
Support Centre."
It's actually probably the whole or most of the
Software Support Centre?
A. Mm-hm.
Q. Everyone, it looks like?
A. Yes.
Q. If we come down to paragraph 58.9, just go over the page
{E2/1/17}, that's -- that all seems to be dealing with
Horizon Online and then at 58.10 you say:
"In Legacy Horizon, any transactions injected by SSC
would have used the computer server address as the
counter position which would be a number greater than
32, so it would be clear that a transaction had been
injected in this way."
Yes? That's what you said in that first witness
statement.
A. That's what I said in that statement, correct.
Q. Now, just pausing there, you don't say who you got that
from, but did that come from Mr Jenkins?
A. Yes. The greater than 32 came from Mr Jenkins, correct.
Q. So we could write in there "I understand from Gareth"?
A. Yes.
Q. And in fact if we go back to paragraph 36 on page 11
{E2/1/11}, it is effectively mirroring the overall
description that the node ID associated with an injected
message would be that of the correspondence server at
which the message had been injected, and not a normal
counter node ID, and therefore would have been clearly
visible in any audit data.
A. Yes.
Q. That's the same point but without using the number 32,
yes? It's a broader point, but it captures the point
that you're making in 58.10 and is consistent with it.
A. There were a number of mechanisms for the -- I think the
preferred route for injecting any transactions would
always be to do it at the correspondence server. There
were occasions where it was necessary to inject messages
at the counter. I think that was the point that Mr Roll
was making in identifying that messages had to be
inserted to correct problems at the counter, and there
are a few instances where clearly that happened.
Q. Yes. And so can I just ask you, did you get this
section in 36 also from Mr Jenkins, broadly?
A. Yes.
Q. And then just going forward in your third witness
statement at {E2/14/7}, paragraph 25 -- I'm so sorry.
If you look at paragraph 25 you say:
"In paragraph 58.10 of my first statement I stated
that any transactions injected by SSC in Legacy Horizon
would have used the computer server address as the
counter position which would be a number greater than
32. I have read Parker 2 and I am now aware that it was
also possible for SSC to insert transactions with
a counter position with a number less than 32. I did
not discuss this in my first statement because I was not
aware of it."
A. That's correct.
Q. So at what point did you realise that it was not
correct?
A. When it was brought to my attention at the time that
Steve was preparing his second statement.
Q. Were you a bit shocked about that, to find it was wrong?
A. "Shocked" would be too strong a word. It was -- I was
finding out a detail that I didn't know before.
Q. You were finding out a detail that you didn't know
before in quite a controversial area, weren't you?
A. It was clearly an area that was going to be of interest
because of the fact that we were inserting transactions
into Riposte. It was an operational necessity and it
was done in a controlled way. I had believed that the
way that transactions were being injected would give
them a counter position greater than 32 because the
correspondence servers basically had nodes or addresses
which were above 32, there was a special address for the
gateway server, there was a special address for the
extra disc in a single position branch and I had
basically expected messages to be introduced using
a different counter position and having read a whole
number of PEAKs, I can quite clearly see that the
standard practice in Fujitsu was to label something
which was being inserted into Riposte so as to make it
as clear as possible that it was not being done -- it
was being done as something out of the ordinary, it was
being inserted because of a problem.
So we had techniques for doing that. You could put
in an attribute because this wouldn't be visible to
a subpostmaster, I fully understand that, but it would
be visible in the audit trail, when you ever come back
to pull out the audit trail, you could put in an
attribute to say "This was done under PEAK 75".
Subpostmasters would never see that. They would not see
it in their account in their branches and I'm fully
aware that that is the case. It was a better audit than
Mr Roll was alluding to when he said that it was left in
a PINICL, because that would have been an audit which is
separate from the actual data that we would be looking
at should we ever need to pull stuff out of the audit
trail and the intention was always to make it as clear
as possible that this had been done under exceptional
circumstances.
The techniques used to make it as visible to the
subpostmaster as possible would be to put in references
which referred to a counter that didn't exist in the
branch, such as -- I saw a technique described in
a number of cases which said put in a -- you know, if
you are correcting something for counter 1, call it
counter 11; if you're correcting something for counter
2, call it counter 12. These things would have been
visible to a subpostmaster and the reason that you had
to do it that way was to make sure that these
transactions also got picked up and dealt with because
these were legitimate counter numbers.
If I start to put in data with a number which is not
a legitimate counter number then it's going to be
ignored by systems further down the track.
Q. So which were legitimate counter numbers?
A. Up to 32.
Q. Right, so you say less than 32 in your witness statement
at paragraph 25 --
A. Sorry, I may have got that -- the boundary was at 32;
whether 32 was a legitimate --
Q. Don't worry about that. That's not -- that's not --
A. -- counter or not, I don't know.
MR JUSTICE FRASER: Please don't talk over each other.
MR GREEN: I'm so sorry.
Don't worry about the boundary. So the short point
is that you learned, when Mr Parker was preparing his
second witness statement, that it was in fact possible
to inject transactions which a subpostmaster would not
know about at the counter rather than at the
correspondence server, you learned that for the first
time?
A. I cannot see how a subpostmaster would not have been
aware of these transactions being injected, because
there's a technical rationale why the subpostmaster had
to be in his branch -- sorry, it didn't necessarily have
to be the subpostmaster, it had to be somebody in the
branch who was logged on when these techniques were used
to inject transactions at the counter and the simple
reason is that if you didn't have somebody logged on,
then Riposte would have generated a message with a blank
user ID. Riposte was responsible for actually wrapping
the message that we were looking to insert at the
counter, and in doing that, Riposte will tell you the
counter ID, or technically it was a stream, it would
pick up the user ID, it would pick up the time, so this
was effectively the envelope which wrapped the payload
that we were looking to inject.
If there was no user logged on at the counter then
Riposte would introduce a blank user ID and that would
be picked up in later processing.
Q. But let's take it in stages, if we may.
MR JUSTICE FRASER: Just before you do.
Mr Green is going to be putting quite precise
questions to you. I know it's an understandable human
reaction to want to argue wider points, but I would like
you to listen to his questions and answer his questions
please.
A. Yes, my Lord.
MR JUSTICE FRASER: Right, Mr Green.
MR GREEN: Can we separate what you can do from what you
have inferred was done in many cases from PEAKs you have
looked at, and let's focus on what could be done.
You realised for the first time that it was possible
to inject or insert a transaction with a counter
position less than 32 when Mr Parker was preparing his
second statement?
A. Correct.
Q. And you knew that that was a contentious issue in this
litigation, yes?
A. Yes.
Q. And if we can go back please to paragraph 58.10 of
{E2/1/16}. Go over the page please to 10 {E2/1/17}
there it says:
"In Legacy Horizon, any transactions injected by SSC
would have used the computer server address as the
counter position which would be a number greater than
32, so it would be clear that a transaction had been
injected in this way."
Can we go back to the previous page just to get the
introduction to that {E2/1/16}. It's not immediately
clear from this part of your statement that you got that
information from Mr Jenkins, is it, 58.10?
A. Sorry, I'm looking at 58.7 here?
Q. Yes, I'm just showing you --
A. I agree, yes.
Q. So what had actually happened to you is that you had had
a conversation with Mr Jenkins, he had given you the
information on a contentious point in the litigation,
and you had repeated it in a way that could be read as
sounding as if you knew about it yourself?
A. That was certainly not deliberate.
Q. No, but I'm just saying that is what had happened?
A. I can accept that.
Q. And then you found out that was wrong. Did you go back
and talk to Mr Jenkins about it?
A. I don't think I have, no.
Q. Were you not interested to find out from him directly
whether they always used counter numbers other than
those in use by the SPM, rather than inferring matters
from PEAKs as you have suggested?
A. I have not discussed it further with Gareth.
Q. So you are not in a position to comment on that beyond
what you have inferred from the PEAKs?
A. I think that's fair, yes.
Q. Now, it would be possible, would it not, to use
a counter number of 1, or 2, or 3?
A. It would.
Q. And if that counter number was a counter number actually
in use by the SPM, it would appear to the SPM, from the
records they could see, that it was a transaction which
had been done in their branch, by them or their
assistants?
A. Yes.
Q. Now, you were at Post Office at the time that
Legacy Horizon was in use, weren't you?
A. I was certainly at the Post Office when Legacy Horizon
was in use.
Q. You had a break, I think you mentioned earlier. Was
that around 2009?
A. In 2009 I finished my contract with Post Office counters
in roughly June, and went back to Post Office counters
in the following January, so I had a six-month gap.
Q. And apart from that were you continuously working for
Post Office from 1987 to when you left and joined
Fujitsu?
A. No. I think it's covered in my opening statement, that
I was -- from Post Office I was outsourced to a company
called Xansa, and then after a couple of years --
probably two and a half years at Xansa, I decided to go
independent.
Q. So when you were outsourced to Xansa --
A. I continued in roughly the same role.
Q. -- you continued -- did you remain an employee of
Royal Mail IT department outsourced, or were you
outsourced so that you went and worked for someone else
with a direct relationship with them?
A. I was outsourced from Royal Mail to Xansa as part of
a rationalisation programme, so therefore I was employed
by Xansa, I was paid by Xansa.
Q. I understand. So apart from that period and the short
break you had in 2009 that you have described, the
six-month break which began in 2009, you were at
Post Office effectively throughout the period from 1987?
A. I was at Post Office, I was working actively on the
Post Office account for most of that time, but, as
I say, once the procurement of Horizon with ICL Pathway
had come to a sensible juncture, I did spend some time
working with other parts of Post Office, Parcelforce,
the Television Licence Agency and such. So there was
a gap in my time alongside Post Office counters.
Q. In the light of your time and position and role within
Post Office, would you have been regarded as
a knowledgeable person within Post Office about whether
remote access of the type we're talking about was
possible?
A. I believe I would have been regarded as a knowledgeable
person.
Q. Very knowledgeable?
A. Yes, I would like to think so.
Q. And it is your evidence to the court that you were
completely unaware that inserting transactions in this
way was possible throughout your time at Post Office?
A. To be honest, I wouldn't have actually thought about it.
If you are looking to support a large system, then
I think the logical conclusion is it's inevitable that
you have to do this sort of thing on occasion.
Q. So if you had been asked whether it was likely that it
would be possible, you would have said --
A. Yes.
Q. -- it's inevitable because it's a large system?
A. I think so, yes.
Q. So were you a bit surprised when Mr Jenkins told you
when you were preparing your first witness statement
that it would not be possible to do it unless it was
done just to the correspondence server?
A. I don't think he told me that. I think that is his --
his description to me was a far more generic one rather
than going into that level of detail.
Q. But wasn't the key point that you were giving evidence
about whether or not it would be identifiable as not
having been done by the subpostmaster?
A. I think we were really talking about messages coming in
at the correspondence server which would therefore be
very different from the ones coming from the counter
which would have the lower counter numbers or node
numbers.
Q. The short point is, Mr Godeseth, that your original
witness statement was -- paragraph 58.10, if we can just
look at that finally {E2/1/17}. Paragraph 58.10 was
clearly designed to suggest that it would not be
possible to insert transactions as Mr Roll was
suggesting, wasn't it?
A. I don't see that as the intention at all. I think there
I was looking to describe -- I think the intention was
to describe that transactions injected by the SSC would
be different from transactions done by the counter.
Q. Well, that's not quite what you say. This is my last
question on this, I think. You say:
"In Legacy Horizon, any transactions injected by SSC
would have used the computer server address as the
counter position which would be a number greater than
32, so it would be clear that a transaction had been
injected in this way."
A. Yes.
Q. You were specifically ruling out injection of
transactions in a way that the subpostmaster could see,
weren't you?
A. Sorry, could you repeat the question?
Q. That form of words you have used was specifically ruling
out the injection of transactions in a way that
a subpostmaster could not see?
A. I think there are too many negatives in this.
Q. The effect of what you were saying there was that any --
we can read "all" -- transactions injected by SSC would
have had a number greater than 32?
A. Yes.
Q. And that would make it clear that a transaction had been
injected?
A. Yes.
Q. What you were trying to say by that was it was not
possible for transactions to be injected which would not
be clear that they had been injected?
A. I would still say that transactions that have been
injected are clearly identifiable, albeit there may be a
convoluted route to identifying them.
MR GREEN: My Lord, is that a convenient moment?
MR JUSTICE FRASER: I think it probably is. We will come
back at 2 o'clock.
Mr Godeseth, you are in the middle of giving your
evidence so you're not allowed to talk to anybody about
the case over the short adjournment. Come back at
2 o'clock.
(1.03 pm)
(The luncheon adjournment)
(2.01 pm)
MR GREEN: Mr Godeseth, can we look at the introduction of
Horizon itself, paragraph 6 of your witness statement at
{E2/1/2}. We have mentioned already you were technical
advisor in the procurement of the Horizon system and
touched on the fact that it was unusual because it was
two different government entities.
It was not uncontroversial, this project, at the
time, was it?
A. Sorry, it was -- certainly it was an interesting project
to be working on, so I'm not sure ...
Q. Well, let's take it in stages. It encountered quite
a lot of difficulties as a project, didn't it?
A. Yes.
Q. And its sort of birth as a system was not entirely easy,
is that fair?
A. I think that probably the relationship between Post
Office, Benefits Agency and the contractual situation is
fairly well-known, yes.
Q. And if you can very kindly look at {F/70} as an example.
This is a Computer Weekly article, 1 November 2000, and
you will see there it says:
"The infamous 1996-1999 Pathway project aimed to
computerise the nation's post offices and tackle benefit
fraud. But 18 months later, after losing millions and
destroying reputations a credible IT project has
emerged."
So although, as we will see, the problems were
well-known, as you have fairly accepted, a credible IT
project did emerge from it?
A. Mm-hm.
Q. Which was what we now know as Horizon?
A. Yes.
Q. And the article then, in paragraph 2, notes:
"It was one of the largest roll outs in Europe~...
despite its complexities, it is now running smoothly, on
time and to budget."
That was the impression they had. And the NAO had
had some concerns about money wasted on the aborted
attempt for the swipe card system, yes?
A. I must admit I have no recollection of what the swipe
card system would have been, but ...
Q. Do you remember that the focus of the project changed as
it went along? It was originally going to be very high
levels of security for the direct payment of Social
Security benefits through the system and then in the end
the DSS pulled out and --
A. I certainly recall that the Benefits Agency pulled out.
Q. And a deal was done with Fujitsu to carry on with just
the Post Office --
A. Yes.
Q. -- as a contracting party. If we look at the reason
that the Select Committee on Trade & Industry was
looking at it in July 1999, if we look halfway down the
page you will see:
"At a hearing of the Select Committee on Trade &
Industry in July 1999, two months after deciding to
cancel the swipe card, and causing massive monetary
loss, three cabinet ministers leaned heavily towards
blaming the supplier, ICL Pathway, for the disaster."
Now, there was -- I think you have hinted at it,
that the relationships were not very easy, is that
a ...?
A. There were some very fascinating tensions going on, yes.
Q. Yes. And there was some dispute over the terms on which
Fujitsu would carry on with a project that they had
anticipated and agreed would be both for two clients
essentially, with just one?
A. Yes.
Q. And so the deal that was done with Fujitsu at that stage
was one which in some senses compensated Fujitsu for
losing the DSS?
A. I can't comment on that. I didn't know about the
contractual situation at that point.
Q. Now, in your paragraph 12 you say Fujitsu began a pilot
of the system in 1996 and it was rolled out across the
Post Office network between 1999 and 2000. At that
stage, the pilot was still for the Post Office and the
Benefits Agency, wasn't it?
A. I honestly don't know. The objective of the original
Horizon system was very much to replace what was then
the mechanism for issuing pensions and such-like, which
was an order book, you would get 13 slips in it and --
so my recollection is that this was what we were looking
to replace.
Q. And if we go to {F/3} please. That is the ICL Pathway
Technical Environment Description, do you see that?
A. Yes.
Q. At that stage I think ICL -- Fujitsu had a majority
shareholding in ICL, but only became a 100% shareholder
in 1998, is that right?
A. I honestly don't know.
Q. You're not sure, no. If we look at page 9 of that
document please {F/3/9}, we can see references there.
A. Sorry, I'm looking at page 8 at the moment.
Q. Oh, you should have page 9.
MR JUSTICE FRASER: I think you are looking at page 9.
A. Okay, at the bottom it says --
MR GREEN: Internal page 8 at the bottom, but at the top,
electronic page 8 --
MR JUSTICE FRASER: No, electronic page 9.
MR GREEN: I'm sorry, electronic page 9.
"References", you can see who was involved there.
If you look at the bottom of the references you see
"Agent Architecture - Gareth Jenkins."
A. Yes.
Q. Is that the same Gareth Jenkins we have been mentioning?
A. Yes.
Q. And if we look at page 92 please {F/3/92}, you will see
under the heading "Migration":
"This section describes the mechanism by which the
Outlets that take part in the Limited Go Live will be
integrated into the Pilot Roll-out."
So there were two sort of phases of that, weren't
there?
A. Again, I don't have any personal recollection of this
because I wasn't involved at that time.
Q. You didn't have any involvement in this bit?
A. No, no, no, for the actual roll-out of it, I was not --
I was off doing other things.
Q. What were you doing at that time?
A. Parcelforce, SSL, as they were known, who were the TV
licence guys in Bristol, Post Office Group.
Q. Okay. Let's just look under "Background" you will see:
"The 10 Outlets that take part in the~... Go Live
use early versions of the solution. This includes the
counter PC ..."
Which we now know as the Horizon terminal?
A. Yes.
Q. "... the BPS application suite ..."
What's that?
A. I don't know.
Q. Might it be business process systems? You don't know?
A. It could be, but I --
Q. "Riposte etc"?
A. Riposte I recognise, the rest I don't.
Q. Okay. And if we go please to {F/3/92} -- sorry, I think
we may have a misreference there.
Let's go to {F/299} please. Now, this is a document
that begins the migration to Horizon Online --
A. Yes.
Q. -- and what's contemplated. Pausing there, by the time
you were advising in relation to this, you were aware
that there had been a number of problems with the old
legacy system that we have seen in many of the PEAKs.
A. HNG-X was very much geared -- or HNG as it started
off -- was geared at refreshing the solution. I don't
remember it being seen as fixing a whole load of PEAKs,
it was simply seen as refreshing the system.
Q. Yes, but pausing there, I -- my question is quite
specific.
A. Sorry.
Q. Did you have any awareness of any problems that had been
encountered with Legacy Horizon by the time that you
were advising in relation to migration to
Horizon Online?
A. I will have been aware of some at the time but
I honestly cannot remember any major issues that I was
dealing with, but because of the work I was doing,
because I was having to ensure that Post Office could
continue to deliver change and whatever, I would have
been aware of it, yes, certainly.
Q. Okay. So important PEAKs would have been drawn to your
attention under Legacy Horizon, you think?
A. I believe so, yes.
Q. And when we look at the aims of the HNG-X plan, this is
dated 21 September 2005?
A. Yes.
Q. Can we look at page 10 please {F/299/10}. This is
a document that you would have known about, isn't it, in
all likelihood?
A. I was certainly involved at this stage, yes.
Q. And you will see that the -- under 1.4 you will see:
"While Post Office has considerably increased
expectations on cost reductions, the organisation has
also become substantially more open to operational
changes. Post Office has clearly indicated that
aspirations to a more retail-type IT spending are
matched with the acceptance of more retail-type
operational practices."
And then:
"The original business case for HNG within
Post Office was based on a balance of cost reductions
and improved capabilities. The new business case is
almost entirely based on cost reductions".
Now, that was accurate at the time, wasn't it?
A. I didn't write it, but I'm not going to argue the case.
Q. And if we look at page 13, paragraph 3.1.1 {F/299/13} we
see under "Assumptions":
"The fundamental assumes is that Post Office will
accept a solution based on the business capabilities
that the solution provides and will not insist on being
involved in the technical and technology aspects. This
will require Post Office to fully engage with suitable
empowered personnel in these initial stages and to have
in place assurance and decision-making processes that
align with the time/cost boxed programme milestones."
Now, just pausing there, effectively what is being
said is that Post Office was not insisting on being
involved in the technical and technology aspects, is
that correct?
A. Certainly it was looking for a more arm's length
relationship, sir, yes.
Q. A more ..?
A. Arm's length, I think.
Q. Arm's length?
A. Yes.
Q. If we look at page 16 of this document please
{F/299/16}, do you see under 4.0 "Business
Applications".
A. Mm-hm.
Q. "In order to reduce the overall application development
costs within HNG-X, substantial reuse of data centre
application components is proposed."
A. Yes.
Q. That's correct, isn't it?
A. Yes.
Q. That's what was proposed and what was done:
"The Legacy Host database applications (TPS, APS,
LFS, DRS and TES) are to remain largely intact."
Can you remember what they were?
A. TPS is transaction processing system, AP is automatic
payment system, LFS is logistics feeder system or
service, DRS is data reconciliation service, TES is
transaction enquiry service.
Q. Thank you. And they were remaining largely intact:
"The online interfaces (~... Banking Streamline and
ETU)~..."
What was ETU?
A. ETU is electronic top-up. It's paying for your mobile
phone.
Q. "... will be modified to provide a Web Service interface
in place of Riposte messaging together with
a simplification of the security mechanisms."
A. Yes.
Q. That's a fair summary of the matters that it deals with
there?
A. Yes, I think so.
Q. Now, that was recycling quite a lot of application
components, wasn't it?
A. Yes.
Q. And if we look at page 23 of this document {F/299/23}
you see in the second paragraph:
"There will be minimal change to legacy
applications. LFS, DRS and TPS will incorporate new
harvesters that will extract transactions from the
Branch database rather than the message store."
And that reflected the change that was going to be
made because the data would no longer be held in the
message store in branch, it would be held in the branch
database, the BRDB?
A. That's right.
Q. "APS will be modified such that it extracts
transactional data directly from the TPS stream and this
reduces the need for much of the AP-TP reconciliation."
Can you just tell the court what the AP-TP
reconciliation is?
A. AP is responsible for sending transactions off to
clients; TP is responsible for sending transactions to
basically Post Office back-end systems. The
reconciliation was there to make sure that if you sent
something to the back -- to a client, it was also being
sent through to the Post Office back-end systems.
Q. Okay. Then it says:
"No other rationalisation is proposed to the data
centre applications as part of HNG. A phase II
rationalisation programme is not deemed to be part of
the HNG-X project and must be separately justified at
a later stage."
What was phase II, do you know?
A. I don't think there ever has been a phase II. We're
currently making changes which will probably get rid of
things like -- or certainly reengineer things like DRS
and LFS. TPS is still there, but pretty nearly
redundant, so nothing that I would recognise as
a phase II rationalisation process.
Q. Okay. And if we look at {F/451} please, this is the
HNG-X testing strategy. The document is dated
10 April 2008 and can we just go to page 10 please
{F/451/10}. Now, if you look at the third paragraph
down:
"It has been recognised for some time that this
architecture, whilst providing an extremely robust
operational solution, was not ideally suited to the very
different business and technology drivers that prevail
today."
Now, we see "robust" as a description of the
solution in lots of places in lots of documents, both at
PO and Fujitsu, and it's a term that you're very
familiar with, isn't it?
A. Yes.
Q. The latter part of that sentence is saying it is not
ideally suited to the very different business and
technology drivers that prevail today and it goes on and
says:
"In addition, in common with many elderly systems
that have been subjected to a succession of major
changes, it has become increasingly difficult to make
those changes, and expensive to operate."
Now, that's a fair description of how the system
originally was perhaps designed jointly with the DSS at
the beginning and launched and then over the years,
between then and 2008, there have been lots of sort of
bolt-ons and additional things that have been changed on
the system, haven't there?
A. Yes, I think that's fair. The major one probably in my
mind would be banking.
Q. And if we look at the fourth paragraph down, three lines
down please:
"The main drivers were to create a solution that was
more responsive to business change (faster time to
market), and more efficient to operate, maintain, and
enhance, thus providing lower Total Cost of Ownership
(TCO). However, HNG was ambitious, projected costs were
high, and the benefit realisation profile was unclear.
In particular, HNG had been predicated on expecting
a high rate of future business change for the system.
Emerging business strategy in the Post Office indicated
that this was uncertain and could not be relied upon
sufficiently to support the proposed business case. As
a result HNG was suspended in the summer 2005."
Yes? Can you remember that happening, the project
being suspended at that point?
A. Yes.
Q. And if we now look at what is being proposed, the bottom
paragraph of section 1.1 on {F/451/10}:
"The HNG-X programme proposes a somewhat less
ambitious re-engineering of Horizon, without the branch
network hardware refresh ..."
A. Yes.
Q. "... and with the focus squarely on reduction of the TCO
[total cost of ownership]. The principal drivers for
the HNG-X programme are to deliver a solution that
significantly reduces the TCO, whilst maintaining
'Business Equivalence' (ie the HNG-X solution is to
provide effectively the same business capability as the
existing Horizon solution, but cost less to operate and
maintain)."
Now, is that a fair summary?
A. I can't argue with it, certainly.
Q. Can we look, please, at {F/555}. This is a Post Office
online induction training presentation. Can we go to
the next page of that please {F/555/2} and the course
aims are to:
"... give you all the information and skills that
you will need to successfully support a branch from
Horizon to Horizon Online."
So this is actually an internal Post Office
document, it appears, and if we look at page 10 please
{F/555/10}. This is Horizon's current state:
"13 year old design and technology to satisfy
a different business.
"Slow and expensive to use.
"Evolved rather than designed - a consequence of
which is a robust service but complicated to change."
Do you see that?
A. Yes.
Q. Now, the comment on it being a 13-year-old design and
technology is fair, isn't it?
A. Yes.
Q. The comment on it being slow and expensive to use is
fair, as at that date, or do you feel a bit conflicted
because you now work for Fujitsu?
A. I know that Post Office regarded this as expensive and
they also regarded it as slow to change. I personally
didn't necessarily go along with that because there was
a -- there's an AP-ADC product which since I was
involved in Post Office at this time, AP-ADC was my way
of being able to carry on making business changes whilst
we were going through this particular phase, so yes,
I feel slightly conflicted because I know that the
Post Office high-level view was that you couldn't make
changes to Horizon, whereas I was busy -- you could
do -- there were certainly changes you certainly could
not do, but my feeling was that we could continue to
support the business, they could continue to take on new
clients using this facility, AP-ADC.
Q. Okay, well, have a look at the four lines at the bottom
of the page if you would and see whether you think this
is fair:
"Horizon is also a system that's wrapped up in
'barbed wire' -- making changes difficult and costly --
test everything!"
Is that an understandable observation?
A. I think that I would see that from Post Office
perspective but, as I say, my personal view on this was
that I could still make changes by getting AP-ADC
scripts through, but there were certainly some things
that yes, if -- there were some things that would have
been very difficult to change at that time.
Q. If we look at -- if we just go back if we may please to
{F/451} which is the HNG-X testing strategy of
10 April 2008. If we look at page 33 of that document
please {F/451/33}, paragraph 2.2.6, "Migration Complex
and Critical":
"The system and data migrations required for HNG-X,
both at the Data Centres, and at the branches (which
continues branch by branch throughout the roll-out
period), are absolutely fundamental to the success of
the deployment. It is a complex area requiring careful
and detailed planning. Thorough verification and
validation will be essential."
Now, that's fair, isn't it? I mean, that's what you
would expect to see, yes?
A. Yes.
Q. And if we look at the bottom two paragraphs of that
section:
"Migrated data should be introduced into the
mainstream tests as soon as practicable, interleaving
migration tests with functional test cycles."
And then:
"Full-blown rehearsals of the detailed migration
plans must be completed prior to Pilot."
Yes?
A. Yes.
Q. So what this envisages is that before the pilot is done,
there must be full-blown rehearsals of detailed
migration plans to try and see if there are any problems
or difficulties.
A. Yes.
Q. Now, in fact, the pilot had to be stopped, didn't it?
Do you remember that?
A. Yes.
Q. Let's have a look, please, at {F/588}. This is PEAK
PC0195380 and you can see it is created apparently on
2 March in the top box under "Progress Narrative",
and --
A. This is which year, sorry? This is 2010, yes. Yes.
Q. Sorry, I think I've got the wrong reference there, wait
a minute. Just give me one second.
I will come back to that in a second, if I may.
I think we may not have the correct reference.
Let's go forward, if we may, to {F/614} and this is
the Horizon Online Programme Update. Who was
Mark Burley?
A. Mark Burley was my boss whilst I was working on the
preparation for HNG-X.
Q. And how long had you worked with him?
A. On this -- I knew him way before I started working with
him. On this project I guess I was working for him for
a year, a year and a half.
Q. And if we look, please, on that document at page 4
{F/614/4}, we can see Horizon Online status:
"614 branches live on Horizon Online (plus 8 Model
Offices)."
A. Yes.
Q. And then do you see:
"High Volume Pilot suspended."
A. Yes.
Q. And:
"NFSP raised concerns but remain supportive."
A. Yes.
Q. And can you remember that the NFSP had raised concerns
about the problems that people were having in the pilot?
A. No, I can't, because at this stage -- this is early
2010 -- at that time I was actually -- I was back in the
Post Office working on a different project and so this
was happening around me, but I was concentrating on
something which was called SMTS.
Q. Okay, so you weren't in touch because you had only just
come back I think, hadn't you?
A. I had just come back into the Post Office to work on
this specific --
Q. In March?
A. No, sorry, I came back in January.
Q. Came back in January?
A. I came back to the Post Office in January to work on
small money transfer service.
Q. Okay, at the bottom of that slide we see:
"Fujitsu initiated 'red Alert' and independent
reviews."
A. Yes.
Q. What did you -- did you know what a red alert from
Fujitsu meant at the time?
A. I certainly would have done and when I moved across to
Fujitsu, we were in red alert.
Q. So when you moved to Fujitsu they were in a state of red
alert on this project?
A. Yes.
Q. And were there different codes for the colours of alert?
Were there other alerts, amber alert?
A. You have got me on that one, but I'm sure there were.
Q. Can we infer from "red alert" that it is quite serious?
A. Oh, it was very serious.
Q. And can you tell his Lordship why it was serious?
A. There was an issue with Oracle which was the biggest
problem, but clearly there were other problems going on
at the same time because it was a brand new system, but
the big one was an Oracle issue which I got involved in.
Q. Can you remember some of the other problems that were
happening at the time?
A. I have to admit, I was focused on the Oracle problem.
I was new into Fujitsu. In that sense I was finding my
feet and trying to work on the big one.
Q. Fair enough. Can we go back to {F/588} please. This is
the same PEAK I think I identified, PC0195380, and can
we go to page 4 of that PEAK please {F/588/4}. Now, can
you see in the box under 5 March 2010 at 08.03.08,
second box down?
A. Yes.
Q. Under -- it says:
"We have received notification from POL regarding
the problems at this office. PSB ..."
Do you know who PSB was, or what it was?
A. No, I don't think it's a person. I don't know what PSB
means. It is possibly "Please see below" but ...
Q. Okay:
"On the 1st of March at the close of business we
found that on node 5 the cash was short of £1,000. All
of the figures for that day match the figures presented
at the time of each transactions. An instant saver
withdrawal of £1,000 was transacted that day, but I was
unable to find this transaction using the online report
facility. I feel very anxious as I believe a system
error has occurred at the time of this transaction."
So this seems to be being relayed from what the SPM
has rung up about:
"On the 2nd of March a transaction for a cash
withdrawal was completed where the system commanded
a member of staff to issue the money to the customer on
screen but the receipt printed for that transaction
printed out a decline slip. The customer was honest
enough to bring back the decline receipt a day later
with the money."
Then:
"On the 2nd of March on node 5 a £220 cash deposit
was authorised on screen but twenty minutes later the
customer brought back a receipt that stated the
transaction had declined. We contacted the NBSC as and
when the customer produced the receipt. The NBSC stated
that the transaction approved on the system and had no
idea why the money was not deposited and why the decline
slip was printed."
Now, pausing there, was this something that you
would have been aware of in March 2010 or not?
A. No, I was in the Post Office at that time and so
I wasn't involved in this bit.
Q. What were you -- you were in the Post Office at that
time ...?
A. I was working in the Post Office on a separate project.
I had just come back in on a new project, on a new
contract.
Q. But you were someone who had been working a lot in
relation -- was very knowledgeable about Horizon?
A. Yes.
Q. Did any of this come to your knowledge?
A. No.
Q. And if we see then:
"A rem was scanned in our system and all figures had
doubled up. The helpline team was notified at the time
to which they seemed more confused as to why it happened
than me!"
In your time prior to going off in 2009, had you
sort of encountered difficulties of this sort in other
PEAKs?
A. No, this is a problem with Horizon Online, so this is
a problem with the new system. I had -- at the time
that I finished my contract with Post Office, we were
gearing up for starting the migration process but the
big bit that concerned me most was the moving stuff
across from one data centre to another. This bit, the
counter migrations, was just kicking off in May 2010, so
okay, the figures there say that we had 600 branches,
I think you said there. So in May 2010 when I was back
on the scene but this time on the Fujitsu side, we were
in red alert, we did have a big problem with Oracle, we
were having to recover the situation so as to get ready
to carry on with the counter roll-out.
Q. Now if we look -- I apologise, I haven't got time to
take you to all of it, but there are quite a number of
apparent problems that they are wishing to raise, aren't
there?
A. I think this is the BT one, isn't it? Does this one end
up with the branch transaction -- or the balancing
transaction, sorry? This looks to me as though the
dates are about right for the balancing transaction,
but -- yes, I think there were -- there certainly were
issues with the software in the early days of HNG-X.
Q. Yes. And that doesn't come leaping out of your witness
statement, does it?
A. No.
Q. And you know that his Lordship is trying to determine
how well the system worked over this period, don't you?
A. Yes, that's fair enough.
Q. And is there a reason why there isn't really any
reference to the problems with the system in your
witness statement?
A. I was looking to give an overall explanation as to how
Horizon works. Obviously I was asked to pick up on
a number of specific problems that have been experienced
in the life of Horizon. There certainly were problems
to be dealt with in the early days of Horizon Online.
Q. Now, at paragraph 13 of your witness statement you say
horizon Online was the biggest overhaul. That's at
{E2/1/3}, but:
"~... continuous and iterative updates to the system
over its life."
You mention those as well, yes?
A. Sorry, could you remind me where we are?
Q. Sorry. If you look at paragraph 13 of your witness
statement, you talk about the migration to HNG-X --
A. Yes.
Q. -- or Horizon Online, that's the same thing?
A. Yes.
Q. And you say this:
"This was the biggest overhaul in the Horizon
infrastructure that I can recall, although there have
been continuous and iterative updates to the system over
its life."
Now, pausing there, we have seen that quite a number
of the system components remained the same, didn't they,
from legacy days?
A. Yes.
Q. And we have also -- you have very fairly accepted that
there were lots of additions made to the system over its
life; yes?
A. Yes.
Q. Now, isn't HNG-X, or Horizon Online, an end of life
version of the Horizon system rather than
a reinvigorated and rejuvenated version? Is that fair?
A. No. Horizon Online is -- the components that were
introduced by Horizon Online is the branch database, new
technology for communication between the branches and
data centres, so that was moving to an online system
which is a radical change to the -- it's a radical
change to the architecture compared to Riposte and there
are -- the communications technology change was pretty
dramatic in terms of moving from ISDN to what we have
now -- or, sorry, to ADSL, which is -- so it was a big
overhaul.
Q. Can I pause there. The communications changes that you
mention are significant, aren't they, because there have
been quite a lot of communications problems with the
legacy version of Horizon?
A. Yes.
Q. And --
A. Sorry, the legacy version of Horizon was far more
susceptible to communication glitches.
Q. Exactly. And so there were two improvements in that
respect: the susceptibility to communication glitches
was reduced, and also the quality of the communications
infrastructure was improved, is that fair?
A. Yes.
Q. Can we now look please at {F/1663}. This is an IT risk
management document from Post Office and it is dated
20 July 2017. Now, can we look at page 6 of this please
{F/1663/6}. Can you see under the "Where we are now"
heading:
"There is increased risk in our Branch technology
environment:
"The ~... (HNG-X) platform is end of life ..."
A. Yes.
Q. "... and is running on unsupported Windows software,
therefore needs replacing ..."
A. Yes.
Q. This is 2017?
A. Yes.
Q. Is it fair to describe it in these terms as at the date
of this document?
A. Absolutely.
Q. "Branch counter technology is aged and unreliable, with
frequent hardware failures, resulting in branch
disruptions."
Is that fair?
A. Yes, I think so.
Q. "The branch IT network service (ISDN) provided by
Vodafone will be switched off on 30 September 2017 and
therefore needs transitioning."
That's a different observation relating to an
external comms change.
A. The ISDN bit was a small number of branches where -- and
I can't remember the numbers, but there was a relatively
small number of branches that were still running on ISDN
because you could not get ASDL there.
Q. Yes. So that's in the -- in the hierarchy of those
points, that's the least important, isn't it?
A. Indeed. The straight case is that the platform was
running on NT 4 and any technologist would tell you that
that was too old, but it continued to work surprisingly
well.
MR JUSTICE FRASER: That's the Windows NT 4?
A. Yes.
MR GREEN: And under the "Mitigation" heading we see:
"Accelerated plans to transition from HNG-X to
updated HNGA ..."
And that's going to run basically on Windows 10, it
doesn't say it there, but that was the plan, wasn't it?
A. Well, HNGA has now been installed and it is, as you say,
running on Windows 10. At this stage I suspect the
target was Windows 8, but that's irrelevant.
Q. Yes. In fact, you mention on page 4 of your witness
statement, if we can go to {E2/1/4} -- you mention in
the footnote there:
"HNG-X is being replaced by HNG-A. There is no
functional difference between the two: HNG-A refers to
an implementation of the same counter code as is used in
HNG-X to run on a Windows 10 device (whereas HNG-X
counters are NT4 devices)."
A. Yes.
Q. Yes? But there's not an explanation to anyone reading
this witness statement of the sort of state of the
technology in the terms that we have just seen in your
witness statement?
A. That's a fair point.
Q. And in terms of the roll-out, did the first wave begin
in about February 2017, is that right?
A. For HNG-A?
Q. Yes.
A. I can't really remember. The roll-out of HNG-A was not
really a Fujitsu problem.
Q. Who was handling that?
A. There were two aspects to the roll-out of -- there were
two aspects of roll-out. The network was moved from
Fujitsu to Horizon and then the counters -- the actual
hardware running HNG-A is supported by Computer Centre,
so the software that runs in the counter is still
Fujitsu's and so that's -- so we provide the software to
Computer Centre, they wrap it up, they send it to the
branches now.
Q. Can you remember roughly when that handover started, or
took place? When did Computer Centre become responsible
for it?
A. You mentioned the date in 2017, that rings true.
Q. If we have a look -- we don't necessarily know the
answer at all, but {F/1710.1}. Let's look at the front
first, "Post Office Limited audit planning report"; do
you see that? And if we go to page 24 of that report
{F/1710.1/24}, you can see -- it is quite small writing,
but under the first yellow bullet point:
"Branch tech refresh - HNG-X in branches will be
replaced by HNG-A in phases, the first wave started
in February 2017."
A. I'm --
Q. You may not know.
A. I'm certainly not disputing that.
Q. Thank you.
Can we now turn please to paragraph 17.1 of your
witness statement in relation to data sources, that's at
{E2/1/4}. You have identified what the sources of
transaction data are and can we just identify this in
a little bit more detail please:
"The vast majority of transactions are manually
entered by user in branch at the counter, by pressing
icons on the touchscreen, keying in the transaction on
the keyboard, scanning a barcode, scanning a magnetic
card or some other manual interaction with the system.
These are referred to as 'counter transactions'."
Yes?
A. Mm-hm.
Q. Then transaction corrections, as you understand it:
"... they are produced when Post Office compares the
data entered into Horizon by branches with data
generated from other sources in order to identify any
discrepancies."
You say there "as I understand it", that's because
it's not something that you knew that much about when
you were at Post Office?
A. I know the general principles of it, but I certainly
wouldn't know the detail of how TCs are generated.
Q. And it says:
"TCs are sent to the branch via Horizon."
And there is a footnote:
"TCs are incepted in Post Office's POLSAP system
before being communicated to Horizon, via TPS to the
BRDB."
Was that something you knew yourself or something
somebody assisted you with?
A. Sorry, where are we now?
Q. Footnote 2, explaining how they are generated.
A. I'm only seeing footnote 1.
Q. If we go over the page, sorry. {E2/1/5}.
A. I know that they come from POLSAP.
Q. And how they are communicated via TPS to the BRDB, did
you pick that up from someone else or ...?
A. I could work that out for myself.
Q. Did you, or did someone else tell you?
A. In this case I would have checked it, yes, so ...
Q. With Gareth or ...?
A. No, this would be more a Pete Jobson one.
Q. Okay. And you say "then accepted by a user in branch".
You don't know what's involved in that, do you?
A. I understand the principle because TCs were first
introduced in Impact, which I was involved with, and
I remember we had the conversations as to how TCs would
go into the branch and we were very clear that the
postmaster had to be aware, hence the mechanism that
I have seen described, which is they are presented with
the TC, they have to settle, they are given various
options on how to settle.
Q. Yes. So why did -- you were involved in that design?
A. Yes.
Q. Why was there no dispute button?
A. That was a Post Office decision.
Q. Can you remember what the pros and cons that they had in
mind were when they made the decision?
A. I think the basic argument was that disputes -- we
wanted the flow of data through the system as quickly as
possible because that keeps our books tidy and it was an
inference that there was always the -- you had to press
a button to take things through, but then you would pick
up the phone to NBSC and say that wasn't right.
MR JUSTICE FRASER: Were you involved in the discussion
about that, or were you just told there wasn't going to
be a dispute button?
A. I would say that I was aware. I wasn't particularly
engaged in the conversation. I regarded that as
business processing, my Lord. There is a precedent to
this which is technically very similar, which is
auto-rems, which I was also involved in, where the whole
process changed so to save the subpostmaster having to
key in the amounts in each pouch, they were presented
with a screen which said "The amounts coming in are
this, press this button." I would like to remember, but
I can't be certain, that at that point there was
a message to say "If you disagree, phone up the help
desk", but again the principle was there to say "This is
the right figure, accept it and then argue the case
outside."
Q. Then we look at "Equipment located in a branch other
than a Horizon terminal." You say it:
"... is required for some transactions, such as
a Camelot terminal for lottery products and a Paystation
terminal for some bill payments."
And the point you make there is that these bits of
equipment communicate information direct to a client or
other supplier, who relays that information to
Post Office, or Fujitsu on Post Office's behalf, who
then send a transaction acknowledgement to the branch
via Horizon.
So can we just pause there. Can we trace how
a piece of information gets from a scratchcard
activation into the various repositories of information,
so tracing it through in accordance with what you have
said there, there's a piece of equipment, namely the
lottery terminal, and the SPM activates some cards on
the lottery terminal, yes?
A. Yes.
Q. That information is then relayed directly to Camelot,
the client?
A. Yes.
Q. And Camelot then in turn relay that to the Post Office,
or Fujitsu on the Post Office's behalf, just following
your witness statement.
A. My apologies -- well, apologies for that being unclear.
In the case of Camelot, the data goes to the Credence
system.
Q. Okay. So the Camelot data goes to Post Office's
Credence system?
A. Correct.
Q. And then that then automatically engages with Horizon to
send through a transaction acknowledgement to the branch
via Horizon?
A. Yes. We receive a file from Credence which then gets
loaded into the branch database, then makes its way down
to the counters.
Q. Yes. So the information going into the branch database
is in fact in this case information that has come via
a third party and back in?
A. I don't see it in quite those terms. I see it as we
have received data which goes into the branch database,
so we -- the Horizon system knows absolutely nothing
about it until this file appears.
MR GREEN: Precisely. So just reputting that question --
MR JUSTICE FRASER: It might be because you said "via".
A. Sorry, I think that's probably the case, my Lord.
MR JUSTICE FRASER: Is that the part of it --
A. I think so, my Lord, yes.
MR GREEN: That's my fault.
MR JUSTICE FRASER: Do you want to just clear it up?
MR GREEN: Yes. So the journey that immediately is seen by
Horizon is information coming in from Camelot --
A. Yes.
Q. -- via Credence, is that fair?
A. It comes in and we know it is coming from Credence, yes.
MR JUSTICE FRASER: So it goes: Camelot terminal in the
branch, to Camelot, to Credence, to Horizon?
A. Correct.
MR GREEN: And because it has come into Credence, it then
goes into the branch database?
A. The branch database is the holding place where we put
this data so that it is -- it's not technically sent to
the branches but -- well, I suppose it is, because at
the appropriate point the data comes from the branch
database to the counters.
Q. Yes. So when someone turns on their terminal in the
morning and logs on, they have some TAs on the screen?
A. Yes.
Q. And they have no choice but to accept those?
A. I don't know whether they have the option to stop them,
but I think the principle is certainly right, that the
TAs are going down there with the expectation that they
have to be -- that they will be accepted.
Q. Just so you know, it is not controversial that they
don't have a --
A. No, that's fine. Thank you.
Q. It's at that point that they enter the branch accounts?
A. Yes.
Q. And that is the data that is then captured by the audit
system?
A. Yes.
Q. And that's true -- with minor differences but
substantially correct -- for the other items of
equipment that you have in mind in paragraph (c)?
A. Yes, the difference is that the Paystation data comes
from Ingenico to us. We load it into the branch
database in separate tables and we generate the TA, but
then you are onto a common stream.
Q. And then again, that is the data that then goes into the
audit store?
A. Yes, it's the action at the counter which then contains
data which comes up into the branch database and that is
the bit that goes into the audit store.
Q. What is the action that you are talking about there at
the counter?
A. Pressing the "Accept" button.
Q. On the TA?
A. Yes.
Q. And then at (d) you say:
"In Horizon Online it is possible for Fujitsu to
insert a balancing transaction - see paragraph 58
below."
A. Yes.
Q. We will come back to that later. We have already dealt
with it, at least in part. Just focusing on (a), (b)
and (c) for a moment, when we look at the data that
we're concerned about in paragraph 17.2(a), you point
out, quite rightly, that:
"The vast majority of transactions are manually
entered by a user in branch at the counter ..."
And then importantly "... by pressing icons on the
touchscreen", yes?
A. Yes.
Q. So the significance of that is that the transaction data
comprises the fact of a press -- one press by an SPM on
a particular icon, yes, and the significance of that in
the reference data table being put together so that
something pops up in the basket, as I mentioned to
Mr Johnson when he was giving evidence, yes? You don't
type in the price of a first class stamp?
A. No, absolutely not. The price of something would be
calculated for the majority of products.
Q. Yes, and that data is in the reference data table,
isn't it?
A. Yes.
Q. So in the transaction data there are two elements.
There is what the SPM has in fact done in terms of
a keystroke.
A. I don't see it in those terms.
Q. I understand.
A. We see the result of actions at the counter as a basket
and I think -- so we see the outcome from the counter
application putting together a basket and it is that
basket that we then put into the audit trail.
Q. Totally understand. I was just trying to be precise
about the result that we see, which is the fruit of two
different pieces of data: there is which icon the SPM
has pressed on the screen and the relevant reference
data in the reference data table for that icon.
A. If you're looking at something such as a first class
stamp then yes, I agree. If you're looking at other
things then it could be much more complicated.
Q. Of course, but for many many things there are --
A. Yes.
Q. The reason you say "by pressing icons on the
touchscreen" in paragraph 17.2(a) of your statement, is
because for quite a lot of transactions that's how it is
done?
A. Yes.
Q. There are some where the SPM has to actually manually
enter in what's happening.
A. There are some where the subpostmaster has to enter far
more data, such as on an AP-ADC transaction. There are
some where data will come from a PIN pad, there are some
where data will come from a barcode, weigh scales.
Q. Indeed. And that is the data -- the result of that,
what's shown in the basket, in the transaction if you
like, is what's then captured in the BRDB and in due
course in the audit store.
A. Simultaneously. The first part of that is actually --
the audit store at that stage is actually simply a table
in the branch database.
MR GREEN: Okay.
My Lord, would that be a convenient moment for
a break?
MR JUSTICE FRASER: I dare say. Are you going to be dealing
with Mr Godeseth for the whole of the afternoon?
MR GREEN: I am.
MR JUSTICE FRASER: We're going to have a short break,
Mr Godeseth. Ten minutes -- or do you want five?
MR GREEN: That's fine.
MR JUSTICE FRASER: Ten minutes. We will have a ten minute
break for the shorthand writers. If you could come back
at 10 past. Same score as before, don't talk to anyone
about the case.
A. Understood, my Lord, thank you.
(3.00 pm)
(Short Break)
(3.10 pm)
MR GREEN: Can we just touch on a couple of brief points in
relation to transferring and storage of data. At
paragraph 19 of your statement at {E2/1/6} you say:
"Due to the different ways that Legacy Horizon and
Horizon Online transfer and store data, I address them
separately below when dealing with integrity of data
being transferred through Horizon."
We touched on the information flows in relation to
third parties already, but that was in the context of
the BRDB, wasn't it, our discussion we just had before
the break?
A. Yes.
Q. And under Legacy Horizon you were on the other side of
the fence, as it were, to where you are now?
A. Yes.
Q. Legacy Horizon days.
If we look at paragraph 34 of your witness statement
at {E2/1/11}, you make the point that the messaging
system was responsible for storing all the data in the
Post Office branch and replicating it to data centres.
The basic set up is that the counters held data in
a message store.
A. Yes.
Q. And the correspondence server also had a message store?
A. Yes.
Q. And the data inserted at the counter would be replicated
in the correspondence server message store?
A. Correct.
Q. And vice versa if there was a --
A. If you needed to push data -- Riposte was responsible
for replicating data to wherever you told it to.
Q. Indeed. At paragraph 43 of your witness statement
{E2/1/12}, you have mentioned that:
"[You] understand from Gareth that the audit
application read every record that was visible to the
correspondence server ... and wrote a text copy of that
data to a text file."
Do you know whether the audit server was hosted by
Riposte or not?
A. The audit server is definitely outside of Riposte.
Q. Let's look at the Horizon Next Generation plan X
document again please, at page 28 {F/299/28}. Do you
see under "Audit" at paragraph 4.3.2.7 it says:
"The audit application remains largely unchanged
apart from various modifications to the configuration of
audit collection points throughout the estate.
"An audit conversion tool will be required to
convert existing audit data from Riposte to another
readable/searchable format."
What is that referring to?
A. I think it's just wrong.
MR JUSTICE FRASER: You think that's wrong?
A. Yes. Yes, my Lord, because I have seen audit data from
Riposte days and it is in Riposte attribute language, so
I -- I can't see how that's right because the audit data
that I have seen is in Riposte attribute language.
MR GREEN: So the audit data that was stored was in Riposte
attribute language?
A. Correct. It was basically the message store -- it's
pretty much as simple as a copy of the message store.
Q. And in relation to who was managing the Riposte system,
what was Escher's role?
A. Escher provided Riposte software, so they provided the
software in which Fujitsu deployed applications.
Q. And did they provide support for the Riposte software as
well, or not?
A. Yes, they did, but I honestly don't know what the
contractual relationships were, so I can't really
comment in any detail on that.
Q. You wouldn't have known at the time what the
arrangements between Escher and Fujitsu were if there
were problems with Riposte?
A. I certainly don't know. I'm obviously conscious, having
looked at PEAKs, that there were issues, but I was not
aware of those at the time.
Q. I understand. You deal with Horizon Online from
paragraph 20 {E2/1/6} in relation to the accuracy of
transaction data. Is it fair to say this is more within
your own knowledge, this bit of your statement?
A. I feel that I know this pretty well, yes.
Q. So back on home turf in a sense?
A. In that sense, yes.
Q. And in paragraph 26 {E2/1/7} you mention the controls
that were in place. Do you know whether those controls
ever failed? Take the first one, "A basket must balance
to zero."
A. We have checked this. If you do something on a test
system to cause a basket not to balance to zero, it
shows an error.
Q. And you mentioned the Journal Sequence Number. It's
impossible, isn't it, for the database to accept two
items with the same JSN number?
A. Correct.
Q. Can we look please at {F/590/7}. Just to orientate you
in this, perhaps we can go to the first page, I'm sorry
{F/590}. You will see that this is PEAK PC0195561. Do
you see that?
A. Yes.
Q. And if we go to page 7 {F/590/7} and we look at
24 March 2010 at 14.45.49, which is the middle one, do
you see there:
"Time-outs were the underlying cause of the issue
and that there were long delays waiting on the DB ..."
That's the database, yes?
"... to process the 4 requests."
A. Mm-hm.
Q. "In this case two of the requests were committed and two
correctly detected that the transaction had already
succeeded. There is an issue with the 2 commits because
this shouldn't have happened. However the behaviour of
the OSR from CTR 25.07 onwards is to roll the
transaction back on a time-out. In this scenario all
the requests would have failed and no reconciliation is
required.
"We would like to find the root cause of the issue
as to how the duplicate entry was committed in the DB."
Now, I know you were working on other things
in March 2010, but were you aware of any problems with
items with a duplicate JSN number, Journal Sequence
Number, being committed to the database?
A. I'm not sure this is saying we had duplicate JSNs, but
I would obviously have to check the detail and no,
I wasn't aware.
Q. You weren't aware of that problem generally?
A. No.
Q. Okay. And you were here I think for Mr Dunks' evidence
this morning.
A. Mm-hm.
Q. Paragraph 32 of your witness statement {E2/1/10} says:
"I am not aware of any instances where data
retrieved from the audit store differs from other
sources of data, nor am I aware of any instances where
the integrity checks described in paragraph 30 have
revealed any issues."
Yes?
A. Yes.
Q. Were you aware that there had been duplication of data
identified in Seema Misra's case?
A. Misra I believe was on the old system.
Q. Yes, legacy.
A. Yes. So no, I was not aware of that.
Q. In terms of ARQ figures, can we look at paragraph 31 of
your witness statement please {E2/1/10}. You say there:
"I have been informed by my colleague Jason Muir
(Operational Security Manager in Security Operations
Team) that the number of ARQs issued since the 2014/15
financial year is as follows ..."
And you then say one ARQ equals one month of an
individual branch data so one Post Office request for
data could have multiple ARQs, yes?
A. Yes.
Q. Just to explain what the figures are. And you have
a footnote to that which says:
"These figures do not include the ARQs that Fujitsu
has issued in relation to these proceedings."
So is it actually -- where did you get that
information from?
A. From Jason.
Q. So what did you ask him?
A. Personally I didn't ask him anything. This was
information that was being requested to go into the
witness statement, so I'm confident that it is correct.
I have no particular motive in providing that
information.
Q. I'm just trying to -- I'm not talking about motive, I'm
just trying to identify how it has ended up in your
witness statement.
A. I was effectively asked to put it in.
Q. So did Jason Muir actually inform you of this in
response to any requests from you?
A. No.
Q. Because that saves me asking the next question which was
why didn't you ask him for earlier years.
Now, can we just look at the years that we've got
there, 31.1 to 31.4. When you were shown the
information that you were to put into your witness
statement you must have noticed that it only went from
the 14/15 year to the 17/18 year.
A. I didn't pay it any particular attention.
Q. But you have been dealing with Legacy Horizon which
pre-dates 2010 --
A. That's true.
Q. -- in the same witness statement, so you must have had
in mind what the chronological sweep of this witness
statement was supposed to deal with, mustn't you?
A. I'm afraid I didn't do my job in that case.
MR GREEN: Can we move now to --
MR JUSTICE FRASER: Just before you move off that, can you
think of any reason why there should be a cut off at the
beginning of 2014, in terms of the system, or the way it
worked, or anything?
A. I can't think of any reason why that information would
not be available further back.
MR JUSTICE FRASER: Mr Green.
MR GREEN: Can we deal with the problem management procedure
now. Can we look please at {F/1692}. This appears to
be a Fujitsu document. We see at the bottom "Fujitsu
restricted" and "Copyright Fujitsu Limited 2017". The
title of the document is "Post Office Account - Customer
service problem management procedure" and can we please
go -- if you note the "abstract" there:
"To describe and document the customer service
problem management process."
Now, you are the chief architect, aren't you, in
relation to the responsibility for changes being made to
the system being implemented without prejudicing the
continued operation of the system? That's what you say
in your witness statement?
A. Yes, that's right.
Q. And this is a recent document which relates specifically
to the Post Office account. Is this a document you have
seen before?
A. I can't honestly say. It's certainly not one that I'm
particularly familiar with.
Q. Okay. Let's have a look, if we may please, at page 8
{F/1692/8}. You will see just under 1.1 "Process
objective and scope":
"The objective of this document is to define the
process for problem management in the POA environment to
support the contracted infrastructure and application
services described in the HNG-X contract. Other
infrastructure and services used by POA to provide and
support delivery of the HNG-X contract are also in scope
of the process."
Now, just pausing there for a second, POA is the
Post Office account team at Fujitsu, isn't it?
A. Correct.
Q. Then it says:
"For the purpose of this document a problem is
defined as the unknown underlying root cause of one or
more incidents."
Yes?
A. Yes.
Q. "The problem management process covers both reactive and
proactive functions of problem management."
A. Yes.
Q. Now, if one is to have a robust system it's important,
isn't it, to make informed assessments of where problems
lie based on the relevant information that was
available?
A. Yes.
Q. And it's important to capture and track that in a way
that can readily be analysed, is that fair?
A. Yes.
Q. And that seems to be at least consistent, if not the aim
of this procedure, yes?
A. Agreed, yes.
Q. Let's look please at the document history on page 4
please {F/1692/4}. We can see that the draft document
was updated in 2007 and we can see various changes going
in and out and various revisions going forward on that
basis. If we go over the page {F/1692/5}, we can see up
to a date in September 2017, yes?
A. Yes.
Q. Now, can I just give you the context in which this
document has come to the fore, so that you can see it
clearly. The two experts both comment on it. If we go
please to {D2/1/96}, this is Mr Coyne's report. We get
to paragraph 5.156 there and it is clear from that
paragraph that Mr Coyne was working on the basis that
the problem management procedure had actually been acted
upon and you can see there, at 5.156, he says:
"The Post Office account customer service problem
management procedure document ..."
Which he footnotes:
"... identifies the process metrics and key
performance indicators required for measuring the
effectiveness of the process and service specifically in
relation to problem management. The problem management
procedure is set out in more detail at appendix E ...
relevant to this section and issue 6 are the metrics and
KPIs to measure/control and reduce the risk of failure
to detect, correct and remedy Horizon errors and bugs."
Yes?
Now, if we go please to page 97 over the page
{D2/1/97} and we look at 5.157, he says:
"From the above, it is my opinion that Post Office
should be aware of all recorded bugs/errors/defects in
addition to those previously acknowledged by them, from
the process metrics compiled above."
So what Mr Coyne seems to have inferred is that the
problem management process had been implemented and
there would be feedback from Fujitsu to Post Office
about what errors and bugs -- that seems to be the basis
he is proceeding on, doesn't it, on the face of it?
A. On the face of it, certainly.
Q. And if we go now to {D3/7/81} we can see Dr Worden --
this is his second report and he appears to be working
on the basis also that the problem management procedure
had been brought in. If we look at the third column he
says -- so it is row 21, it relates to 5.156, which is
Mr Coyne's paragraph I just showed you, the extract of
Mr Coyne's paragraph is there, and then if you look on
the right-hand side under "Commentary" you will see:
"This document is a rather high level and generic
description of the problem management process.
"It is difficult to extract a clear picture from
this document of how the process works in practice.
For instance, there are listed about 20 types of process
input and 20 types of process output. It is hard to
discern from these long lists which inputs and outputs
were most important.
"As another indication of its generic nature, the
words 'bug', 'defect', 'software' and 'reference data'
never occur in the document. The word 'error' does
occur. Errors are discussed generically not as specific
types of error such as errors in Horizon."
So both experts appear to be approaching it on the
basis that it had been acted upon.
Now, if we look at {F/1692/10}, going back to the
problem management document at page 10, we can see what
the relevant metrics are. Now, those are competent
professional metrics that you would expect to see in
a policy of this sort, aren't they?
A. Yes.
Q. You can see that what's proposed there is:
"The following metrics, to be reported monthly, will
be used to measure effectiveness of the process and
drive performance of the process and overall service in
general."
That's the way it is going to work?
A. Yes.
Q. And were you aware, as you are one of the key people at
Fujitsu, that Mr Coyne had asked for documents to be
provided which he thought should exist based on the
problem management procedure? Did you know -- did that
come to your attention at all?
A. It has not come to my attention.
Q. Well, I will take it quite quickly. Let's have a look
at {D2/5/22}. This is a request for information and
a response and you can see that in relation to this --
in the Post Office response to requests for information,
if we go down to page 26 {D2/5/26} you will see in the
left-hand column at the bottom:
"Please provide how many times (and over what
period) the 'problem management process' has recorded
the potential for a system or software error?"
And then in the column with Post Office's response:
"Post Office objects to this request. Fujitsu
believes that it does not record problems in such a way
that would allow this to be determined without
retrospectively carrying out detailed analyses."
And so forth. Over the page:
"This would require a disproportionate effort and
cost."
You have addressed this issue at paragraph 63 of
your witness statement at {E2/7/16}, haven't you?
A. I have.
Q. And what you have explained there -- in your second
witness statement this is. What you say there is:
"I have spoken to my colleague Steve Bansal,
Fujitsu's senior service delivery manager, who has
informed me that the Post Office account customer
service problem management procedure document was
introduced by Saheed Salawu, Fujitsu's former Horizon
lead service delivery manager and that Saheed Salawu
left the Fujitsu Post Office account in
around February 2013, before the new procedure had been
implemented. I understand from Steve that
Saheed Salawu's replacement did not wish to implement
the changes and therefore the records referred to by
Mr Coyne in paragraphs 5.157 to 5.159 of his report do
not exist, as we continued to follow the previous
existing reporting methodology."
Now, can we just unpack that slowly. Who was
Saheed Salawu's replacement?
A. I don't know. As you can tell I'm a bit vague on this
area. I remember Saheed, I don't know whether it was
Tony Wicks who took over from him or somebody else.
Q. Because when we go back to the document itself, at
{F/1692/4}, here is the "Summary of changes and reason
for issue". The document's history goes back to 2007,
doesn't it?
A. Yes.
Q. And it looks like it was issued for approval in 2014,
doesn't it?
A. Well, it was issued for approval on 9 December 2013,
yes.
MR JUSTICE FRASER: "Issued for approval" appears in
a number of places I think.
A. Yes and the convention is that when you go to a ".0"
version then that's one that is being issued for
approval.
MR JUSTICE FRASER: Hence 2.0, April 2008;
3.0, December 2013; 4.0, July 2014?
A. Yes.
MR JUSTICE FRASER: And that's why they are all ".0" because
they are all issued for approval?
A. They should all be issued for approval, yes.
MR GREEN: And that is after the date when you say Mr Salawu
left.
A. I think so because I think Saheed left in 2013, so it
looks as though it was Tony Wicks who came in to take
on -- take up from him.
Q. So can you explain to his Lordship what the procedure
for adopting a policy or procedure of this sort is?
A. I'm afraid not. It's governance within the account
team. I am certainly no expert on that aspect of it.
Q. Okay, because when we go over the page {F/1692/5} in
2017 we see no comments from review cycle. It is still
being dealt with in 2017 and we can see the name of
Tony Wicks for review comments, can't we?
A. Yes.
Q. Requested by 14 December 2017. Is he the person we
would really have to ask about this?
A. If my suppositions are correct then it looks as though
Tony Wicks is the man who has driven this.
MR JUSTICE FRASER: He is the what, sorry?
A. He would be the man who has driven this.
MR GREEN: And he is the person we would really have to ask
about what happened after February 2013?
A. Yes, if my suppositions are right that he took over from
Saheed.
MR JUSTICE FRASER: Well, would you like to look at page 1
{F/1692}. What does "Approval authorities" mean?
A. Approval -- sorry, that would be Steve Bansal who would
sign it off.
MR GREEN: Let's look at the Legacy Horizon reporting system
because in your paragraph 63 -- if we can just go back
to that {E2/7/16} -- you say there in the last line of
that:
"... we continued to follow the previous existing
reporting methodology."
Is that a reporting methodology with which you're
familiar?
A. No.
Q. So that's what he -- you've got all of that from Steve?
A. I got -- basically I got this from Steve.
Q. And you don't really know what the reporting methodology
is?
A. Not in any detail at all.
Q. Do you imagine it ought to be documentary, or would it
be oral, or ...?
A. I imagine it happening via the service review meetings
that Steve chairs. We have regular sessions with ATOS,
with other suppliers, but I have not -- I can't remember
actually going to one. I'm aware that there are
meetings with Post Office and ATOS to talk about service
issues.
Q. Okay. Let's look in paragraph 64 where you are dealing
with the service review book. You say:
"When Legacy Horizon was in place problem management
was reported in a specific section within the service
review book (SRB)."
Is that something you also got from Steve or
something that you knew about yourself?
A. No, that is from Steve. I have probably seen service
review book outputs in the past but ...
Q. That was a fairly high level review of problem
management and (inaudible) main problems, was it?
A. Very high level, yes.
Q. If we look please at your paragraph 65 {E2/7/16}, is
this still Steve Bansal?
A. Yes.
Q. So how far down does that go? Is this all -- just give
us a feel for how far down we go.
A. I think to the bottom of the page.
Q. To the bottom of the page, I see.
In paragraph 65 you say that:
"From September 2010 these SRBs reported metrics
only against contractual service level agreements ...
and as there are no contractual SLAs for problem
management, it is not covered in the SRB reports
between ... 2010 and 2014."
That's right, is it? That's what you understand
from Steve?
A. That's certainly what I understand from Steve.
Q. Okay. I mean wouldn't Post Office want to know the sort
of information that would be conveyed from that sort of
reporting procedure?
A. I would imagine so and I did not attend the meetings
with Post Office and ATOS so ...
Q. There's only so far we can take it?
A. Yes.
Q. And you say at paragraph 66 {E2/7/16} -- and
I appreciate this is also from Steve Bansal:
"For the years 2014 to 2017 there are annual problem
review reports ..."
Yes?
A. Yes.
Q. Is that system still in place in 2018?
A. I just do not know.
MR JUSTICE FRASER: I'm having grave difficulty with
following this at what might be called face value, which
is why I'm just interrupting. Is the import or the
summary of your paragraph 63 to 66 that these types of
metrics are only available between the years you have
identified in those paragraphs and that Fujitsu doesn't
keep them, or hasn't kept them for years outside the
ones identified in those paragraphs?
A. I don't know the answer to that, my Lord. I don't know
whether there were records available. I would have to
speak in far more detail to Steve and others to
ascertain that.
MR JUSTICE FRASER: But I thought you had already spoken to
Steve about this?
A. I was looking for a high level response on a specific
issue that was being requested.
MR JUSTICE FRASER: And what specific issue was that?
A. I think it was raised by Mr Coyne.
MR JUSTICE FRASER: Insofar as you can remember, do you
remember what it was?
A. It was simply looking for -- my recollection of it was
that he was concerned that Saheed had suggested an
improvement to problem management and was looking for
the evidence that that had been implemented and when
I spoke to Steve and said "Did we implement this?" he
said no.
MR JUSTICE FRASER: All right. Mr Green.
MR GREEN: If we look at {F/1420}, this is headed "2014 POA
problem management - problem review", do you see that?
A. I do.
Q. It is called version 1.0, at the bottom right-hand side,
which suggests it has been issued for approval and we
see "Document status: for approval".
A. Yes.
Q. Again Mr Bansal's name under "Approval authorities".
Was this one actually implemented, or do you not know?
A. I don't know.
Q. Have a quick look at page 6 {F/1420/6}. I'm going to
have to take this quite quickly, Mr Godeseth, because
it's obviously not something you're familiar with, but
this appears to contemplate undertaking a trend analysis
and so forth to review the knowledge database, review
problems and so forth, and if we go to page 7
{F/1420/7}, on the face of it looks as if there are
considerations, for example, of specific problems that
have in fact occurred. Do you see that?
A. Yes.
Q. So on the face of it it does look from this document as
if there is a problem management review document with
some actual problems in it, although it seems to be
issued for approval. Is this something you know
anything about?
A. No.
Q. Just quickly then, very briefly, if you look at page 13
please {F/1420/13}. If we look in the middle stripe,
A1939577. Do you see that?
A. Yes.
Q. It mentions First Rate. Who are First Rate?
A. First Rate Exchange Services are, I believe, a joint
venture owned by Post Office and Bank of Ireland, but
they provide foreign -- they provide bureau services.
Q. And they say:
"First Rate has identified an anomaly over the way
Horizon reversed transactions are recorded and polled
through to them."
Is this something that came to your attention at
all?
A. No.
Q. Because it does seem to have been fixed in counter
release for R9.
A. Yes.
Q. Release 9?
A. I don't remember what date release 9 was. It would have
been on my watch, but ...
Q. It's not something you remember particularly?
A. No.
Q. And you don't remember having seen this document either?
A. No.
Q. If we look at {F/1497}, this one is the "2015 POA
problem management - problem review" and if we look at
page 7 there {F/1497/7}, do you recognise this one at
all or not?
A. I think I do from the recent review, but I couldn't be
certain without checking it in more detail.
Q. Because it is in the same format as the previous one,
isn't it?
A. Yes.
Q. And in the bottom stripe we see A10821106:
"Transaction discrepancies can occur during the
rem-in process especially when transferring cash from
one branch to another (eg between their main branch to
their outreach branch)."
Can we go back up very kindly. And then under
"Description":
"The underlying cause of this problem is that
a logout before a user has fully logged on, then
subsequently a pouch is rem-in manually, then after the
rem-in slip has been printed, the same screen is
redisplayed and if the user press enter again,
a duplicate will occur. A code fix has been developed
and is in release 12.88 hot fix."
Does that ring any bells?
A. That sounds like Dalmellington -- is it Dalmellington?
Q. Yes, it is the Dalmellington bug, isn't it?
And it doesn't capture how many branches were
affected, does it, that report?
A. That's true.
Q. It doesn't capture how long it took to find?
A. No.
Q. It doesn't capture the financial amounts involved?
A. No.
Q. So is it fair to say that that report is not
a particularly rigorous or robust treatment of recording
the problem, its extent and duration and effect?
A. I think that's a fair comment.
Q. Can we turn now please to understand a little bit better
the issues around balancing transactions that we touched
on earlier and can we first look please at {F/1692}.
This is another Tony Wicks Post Office account customer
service problem management procedure document. Now --
we will perhaps come back to that.
Let me take you forward, if I may -- or back in the
bundle to {F/425} and just show you this to get the
chronology. If you see at the top, the title on the top
is, "Host BRDB transaction correction tool low level
design." Do you see that?
A. Yes.
Q. And this is the low level design document, isn't it, for
the branch database transaction correction tool?
A. Yes.
Q. And it says "Document status: draft" and the "Approval
authorities" is Graham Allen. Do you know Graham Allen?
A. I do.
Q. Do you work with him?
A. Yes.
Q. And the author and department it says Rajesh Shastri.
Do you work with him?
A. I don't recognise his name.
Q. And if we just go forward to page 5 {F/425/5} we can see
that the document history shows the draft version being
produced in October 2007 and then, 29 September 2009,
"Add transaction correction journal auditing". Do you
know what transaction correction journal auditing is?
A. Sorry, where are we?
Q. Sorry, bottom of the 0.2 table.
A. 29 September 2009, yes.
Q. Now, this was a tool that was being developed for
Horizon Online, wasn't it?
A. Yes.
Q. And if we go to page 8 {F/425/8}, under "Overview" it
explains that:
"This document provides the low level design for the
branch database transaction correction tool module. The
utility will allow SSC to correct transactions by
inserting balancing records to
transactional/accounting/stock tables in the BRDB
system. It will also audit the changes made. There
will be no updating/deleting of records in the branch
database."
And then it says:
"Warning: the use of this powerful tool has inherent
risks. If the SQL statement is incorrect or badly
written, it is possible to cause unintended
consequences, some of which may cause serious problems
to the branch database. It is expected that only
a small number of skilled staff will run this tool and
that they will have detailed guidance as to when and how
to use the tool."
Now, are you familiar personally with the use of
this tool in Horizon Online?
A. I've never seen it used because I was -- the one time it
was used, as we have already established, I was
elsewhere. I have had pretty lengthy conversations with
Gareth Seemungal about how this tool is put together, so
I feel that I understand how it works.
Q. Pretty lengthy conversations with ..?
A. Gareth Seemungal.
Q. Let's look at the "Solution components". It says there
are five main components to the solution. There is the
UNIX shell script. There is the PL/SQL package.
There's:
"A set of template files, one for each transaction
table for which balancing transactions are allowed to be
inserted. Each file contains a template for an SQL
insert statement for the table in question. This makes
it easier for users to produce new transaction files by
basing them on the template files."
And then there is the possibility for branch
seeding, new branches to be processed by the tool, and
the bottom one:
"Transaction correction journal auditing - a new
process generates audit files for the input day's
audible transaction correction records. See section 5
for details."
Now, just taking this in stages, the seed records,
in the penultimate bullet point there in red, last
line -- do you see that?
A. Yes.
Q. The seed records have a node ID of 99?
A. Yes.
Q. Now, that's like having a branch ID number -- a counter
number of greater than 32, isn't it?
A. That is the counter number that this transaction would
be recorded against because the node ID is the counter.
Q. Exactly. Now, just clarifying where we are, we have
seen what you will and will not be able to do in 1.1, so
it will allow SSC to correct transactions by inserting
balancing records to transactional/accounting or stock
tables in the BRDB system, also audit the changes made,
"There will be no updating/deleting of records in the
branch database." So this is the design for the tool?
A. Yes.
Q. So insertions of balancing records, yes; auditing, yes;
no updating or deleting of records.
A. Correct.
Q. And that's actually reflected, at least to some extent
we will see -- just trace it through. Let's look at the
objects because identifying the permitted database
objects is important to identifying the scope of
potential application of the tool with this design,
isn't it?
A. Absolutely.
Q. So we look at paragraph 2.4.1 on page {F/425/9}, the
next page, and we see there's a table there. 2.4 is the
objects used. We will just go through these carefully.
2.4.1, "Database objects used", so in the database
objects tables, these are the object names to which the
specific functions that we are concerned with have
access, yes?
A. Yes.
Q. Okay, let's have a look. You can see there's the BRDB
operational exceptions table?
A. Yes.
Q. The system parameters table?
A. Yes.
Q. FAD hash outlet mapping table?
A. Yes.
Q. The process audit table?
A. Yes.
Q. Process audit sequence table?
A. Yes.
Q. Transaction correction tool journal table -- sorry,
"process audit sequence" was a sequence.
MR JUSTICE FRASER: Yes, I don't think that's a table.
MR GREEN: Yes, that's actually a sequence, which we will
come back to. My mistake.
The transaction correction tool journal table, the
FAD hash current instance table, transaction correction
tool control table, branch info table and then -- branch
operators exception sequence, is that?
MR JUSTICE FRASER: "Operational" I imagine.
MR GREEN: Or "operational".
MR JUSTICE FRASER: Is that right, Mr Godeseth, do you
think?
MR GREEN: Something like that.
A. I --
MR JUSTICE FRASER: Or you don't know?
A. I don't know to that level.
MR GREEN: Okay. And then we see what the privileges
granted are:
"The following transaction tables have been granted
INSERT privileges ..."
Yes?
"... to OPS$SUPPORTTOOLUSER. The transaction
correction statement is only allowed to insert into
these tables."
A. Yes.
Q. And it identifies effectively all the important
transactions tables and --
A. I think there are probably another two or three on the
next page.
Q. On the next page, exactly, I was just going to take you
there {F/425/10}. Plus the events table.
A. Yes.
Q. Session data, you see that as well?
A. Yes.
Q. And at 2.4.2, the files used, it says:
"The process uses the following files:
"Transaction file containing an SQL INSERT statement
that creates the required balancing transaction."
So this would be where there is one half of
a transaction missing another half of a transaction?
A. Yes.
Q. And the insert statement, the "SQL INSERT" statement
effectively goes in and puts in the missing other side
of that transaction?
A. Yes.
Q. And the method on the next page, page 11 {F/425/11}:
"Having logged into their own UNIX user, the SSC
team members will change directory ... and place their
transaction file in the ... subdirectory. They will
then invoke BRDBX015 manually. The shell script module
will be owned by the UNIX user 'supporttooluser'."
And then it explains what the module will do and the
insert statement and so forth and you see that set out
at 3.1 in the method.
A. Yes.
Q. Now can we go forward please from there to look at
{H/218} please. This is a letter from Wombles to
Freeths about the request for disclosure of the audit
records for the use of the tool and it says:
"This log is produced in relation to the use of
balancing transactions via the transaction correction
tool as described in paragraph 58 of Mr Godeseth's first
witness statement."
And you were describing in your paragraph 58 the
tool we have just been looking at, weren't you?
A. Yes.
Q. And let's look at what the audit table shows in terms of
number of non-zero audit files. We can see there 2010,
46,000 files -- 47,000 nearly, and one file with more
than zero content and then you can see 322, 553, 122,
129, 228, 420, so in total -- over the page -- over the
period: 2,297 {H/218/2}.
Now, just to give you the context of what's being
said, if you go back a page what's said in the middle of
that letter there is:
"Fujitsu have extracted the data from 2010 to 2019
and provided the following explanation for the
documents. It should be noted that Relativity is not
able to recognise 0KB documents since these do not
contain any data and therefore disclosure can only be
provided of the 2,297 files which contain data. We
understand from Fujitsu that a 0KB file is produced
where there was no logged activity. A disclosure list
is enclosed."
So that's the explanation for the difference between
46,976 and 1, yes?
A. Yes.
Q. And when we go over the page please {H/218/2}, it says:
"Each document is associated with a single SQL
statement which made a database correction. There are
two different types of correction shown in the
files - the SQL statements for each are of the form:
"1. Update OPS$BRDB.brdb_rx_recovery_transactions
SET settlement_complete_time stamp = ..."
And then the "INSERT INTO" command.
It says:
"Type 1 reflects the action taken to reset the
recovery flag on a transaction. This will have no
effect on branch accounts (see footnote 58 in our letter
of response ...)"
Which says:
"Several hundred other balancing transactions have
been used but not in a manner that would affect branch
accounting. These were generally used to 'unlock'
a stock unit within a branch."
Do you see that?
A. Yes.
Q. Were you asked about the explanations that are being
given here, or would it be someone else at Fujitsu who
would know about this?
A. This would have been written by others but I'm fully
aware of it.
Q. And then it says:
"Type 2 reflects the action taken to insert
a Balancing Transaction ..."
It has a big "B" and a big "T", "Balancing
Transaction":
"... where it changes transaction data in the main
transactional tables. This will affect branch
accounts."
Yes?
A. Yes.
Q. So what is being said there in relation to type 1 is
that the 2,296 other uses of the tool have been used
mostly to unlock a stock unit within a branch and not in
a way which would affect branch accounts.
A. Correct.
Q. And then there is one which it is accepted did accept
a branch account and that's the first one.
A. Yes.
Q. And that's your understanding too?
A. That is absolutely my understanding. The only way you
would be allowed to write into those tables listed is
using this tool and that would be listed as a balancing
transaction.
Q. Just looking at the command that's being used for
number 1, it's not an insert command, is it?
A. I'm not sufficiently au fait with Oracle to -- sorry,
the first one, no, it says it is an update so ...
Q. Yes, and the point is, if we go back please to the low
level design which I took you to with some care at
{F/425/8}, it is clear, isn't it, from this design
that -- if we look at the last part of 1.1, the last
sentence of that first paragraph:
"There will be no updating/deleting of records in
the branch database."
A. Yes, it says that.
Q. If we look on the next page, page 9 {F/425/9}, you can
see in-between the two tables:
"The following transaction tables have been granted
insert privileges ..."
A. Yes.
MR JUSTICE FRASER: Where are you reading?
MR GREEN: Between the two tables, my Lord, at the bottom,
"The following transaction tables have been granted
insert privileges ..."
MR JUSTICE FRASER: Yes.
MR GREEN: And that means that people who have the
privileges of the "OPS$SUPPORTTOOLUSER" are allowed to
run SQL insert commands, aren't they?
A. The intention of this tool is to allow a set of people
to run a transaction which will insert records into one
or more of those tables and it will be audited.
MR GREEN: Well, that's not an answer to my question.
MR JUSTICE FRASER: I don't think it's even vaguely in the
field of answering the question, with respect. Do you
want to put it again, Mr Green?
MR GREEN: This tool is confined to a privilege to insert,
isn't it, as described here?
A. I think so, yes.
Q. And we don't see the necessary database object fields
table for correcting in the manner suggested --
A. For the locks.
Q. For the locks, do we?
A. I can't contradict you on that, so no.
Q. So it is clear, isn't it, that the use of the tool has
now gone way beyond what we find in this low level
design document, is that fair?
A. Certainly there are -- there is tooling which is based
on this which has two aspects to it, certainly, so
I think I'm agreeing with you.
MR GREEN: Yes. Now, if we look at {H/2/25} --
MR JUSTICE FRASER: Just before you move off, just to clear
it up for me, can we look at page 11 {F/425/11}. Now,
I accept that this is in Oracle, I think, these
commands, and if you don't -- I'm sure you've got at
least a basic knowledge of some Oracle --
A. I hope so but ...
MR JUSTICE FRASER: I'm sure your knowledge of Oracle is far
wider than mine, but I do understand it a little bit,
but if you look at the second paragraph under "Method"
do you see it says:
"The module will read the contents of the input
transaction file, which will be in the form of an SQL
insert statement."
A. Yes.
MR JUSTICE FRASER: "Only a single insert statement is
allowed and (after an optional introductory comment) it
must start with the 'insert into' clause."
A. Yes.
MR JUSTICE FRASER: Am I right that you would then expect to
see the block capitals command at the beginning of the
insert?
A. I think it is telling me that I would see an "insert
into" one of those tables and then whatever data had to
be inserted into that table.
MR JUSTICE FRASER: Yes and the insert would be part of the
command, wouldn't it?
A. The insert would be in the SQL script because what I'm
trying to do is to get a record into that table.
MR JUSTICE FRASER: Thank you very much. That's how
I understood it but I just wanted to check it.
Right, Mr Green, over to your H reference.
MR GREEN: I'm very grateful.
If we look at {H/2/25}. Now, at 5.16.3 you will
see:
"Fujitsu (not Post Office) has the capability to
inject a new 'transaction' into a branch's accounts.
This is called a balancing transaction. The balancing
transaction was principally designed to allow errors
caused by a technical issue in Horizon to be corrected:
an accounting or operational error would typically be
corrected by way of a transaction correction.
A balancing transaction can add a transaction to the
branch's accounts but it cannot edit or delete other
data in those accounts. Balancing transactions only
exist within Horizon Online ... and so have only been in
use since around 2010. Their use is logged within the
system and is extremely rare. As far as Post Office is
currently aware a balancing transaction has only been
used once to correct a single branch's accounts (not
being a branch operated by one of the claimants)."
Then 5.16.4:
"Database and server access and edit permission is
provided, within strict controls ... to a small,
controlled number of specialist Fujitsu ...
administrators. As far as we are currently aware,
privileged administrator access has not been used to
alter branch transaction data. We are seeking further
assurance from Fujitsu on this point."
Now, this letter was in 2016. Can you remember
being asked about these matters in 2016 at all, or was
it not directed to you?
A. I don't remember any specific requests, but I have been
working in this sort of area for a long time so -- yes.
Q. Okay. And in your witness statement you have also
referred to only one use of the tool, the point you have
made orally as well.
A. Correct.
Q. For a balancing transaction purpose.
A. For a balancing transaction.
Q. Can we please look now at {F/590}. 7 March 2010 is the
target date. We're looking at PEAK 0195561, which we
have already identified, and you will see this relates
to 4 March 2010 and this time we're going to look on the
first page, at the second box down, and you will see
there call 2083169:
"PM was trying to transfer out 4,000 pds. The
system crashed. PM was issued with 2 x 4,000 pds
receipts."
Do you see that?
A. Yes.
Q. And that's repeated at the bottom of that page.
If we go forward please to page 3 {F/590/3},
10 March 2010 at 8.51, which is the third box down,
Cheryl Card:
"After discussion with Gareth Jenkins, the suggested
correction is to negate the duplicate transfer out by
writing 2 lines to the BRDB_RX_REP_SESSION and
BRDB_RX_EPOSS_TRANSACTIONS tables, with:
"1) Product 1, Quantity 1, Amount 4,000.00, Counter
mode ID 7 ... 2), Product 6276, Quantity -1, Amount
4,000.00 ... This should be done using the transaction
correction tool. An OCP approved by POL will be
needed."
Now, just focusing on your time at Post Office,
I think at this time you're not really working on
Horizon any more, are you?
A. Correct.
Q. Did you hear on the grapevine of anyone at Post Office
being asked for authorisation for this sort of thing to
be done?
A. No.
Q. Once you arrived at Fujitsu did you have any involvement
in seeking approval, or discussions with Gareth Jenkins
about anything like this being done?
A. No.
Q. Did you know that Post Office's approval had been sought
for this particular transaction?
A. No.
Q. If we go forward please to page 9 {F/590/9},
22 April 2010:
"I have gone through the counter logs, OSR logs and
the DB dumps provided in the PEAK. Let's analyse this
from scratch."
Pausing here, you have acknowledged under legacy
there were sometimes problems with duplications within
the Riposte system, yes?
A. Yes.
Q. But we're not dealing with that system here, we're
dealing with Horizon Online, aren't we?
A. Yes. If it mentions OSR, certainly.
Q. Okay. The second paragraph of that says:
"PEAK has been raised when a clerk attempted to
transfer out of 4,000.00 from stock unit BB to MS. Due
to a system problem the transfer out doubled up, so when
the transfer in was done on counter 1 at 16.15, it was
for 8,000.00. The branch now has a lot of [£4,000]."
Do you see that?
A. Yes.
Q. And there's then some discussion and then if we come
down to:
"But, I have noticed that the retried request [with
an ID] ... was ignored by time out monitor in the
[Branch Access Layer] side and continued to execute.
But from the OSR.log file and OSR message log,
I couldn't find this request was failed due to the
duplicate JSN record in the journal table (which was
expected and the normal behaviour of OSR), didn't happen
in this case.
"I have requested for the journal table dump to
check whether duplicate JSN entries exists in the table.
But from the DB dump I couldn't find any duplicates."
Now, the whole point of JSN entries is that they
should not duplicate and if they are duplicates they
should not be committed to the database; that's right,
isn't it?
A. Yes. And I think you will see there that the retried
requests failed because there was already a journal
record in the database with that JSN.
Q. Well, let's just follow this through, if we may. If we
look now please at {F/594}, you will see that this is
PEAK 0195962. Do you see that? This is Cheryl Card
again.
A. Yes.
Q. And if we just go down to the yellow bar it says:
"The transaction correction tool has now been used
in live. The templates for use with this tool need to
be updated to correct some details."
Yes?
A. Yes.
Q. So the idea was to have templates so that the scripts
wouldn't have too many errors in them when they were
deployed.
A. Yes.
Q. And that PEAK refers in turn, we can see -- if we look
at {F/1095} please. We can see this is the OCP 25882.
Can you just tell his Lordship what an OCP is?
A. Operational Change Process I believe.
Q. And there's also an OCR, isn't there?
A. Yes, that is Operational Change Request, as I understand
it.
Q. And one is for the change to the front end and one is to
change the back-end. The OCP is for the front end and
the OCR is --
A. I don't know.
Q. You don't know. If we look at this document at
{F/1095}, the branch 226542 transfer out doubled up. We
can see:
"Due to a system fault, the branch did
a transfer out of £4,000 and a corresponding transfer in
of £8,000.
"Justification: correct a loss of £4,000 at the
branch due to a system fault ... extra detail: the
transfer in details were incorrectly doubled up when
they were written to the BRDB. This needs to be
corrected using the transaction correction tool."
Do you see that?
A. Yes.
Q. Now, on the face of it this appears to be consistent
with at least one use of the transaction correction tool
for one balancing transaction, yes?
A. Yes.
Q. And are you aware of any reason why Post Office couldn't
have just used a transaction correction for £4,000 to
correct the SPM's position?
A. If we -- the only reason that we would need to use the
branch transaction tool is if I got a one-sided
transaction.
Q. If you got a one-sided transaction?
A. Yes.
Q. Let's look, if we may please, at {F/485/1}. This is
PEAK PC0175821. Do you see that?
A. Yes.
Q. And the call status on the right is "Closed - solicited
known error." Do you know when that code is used or
not?
A. No.
Q. If you look down on 19 February 2009 at 17.39.40, can
you see:
"There are two sides to the problem relating to
these transactions. The first is where all five SC
transactions missing core data as described in the
above-mentioned KEL."
A. Yes.
Q. That's one aspect of the problem in this PEAK:
"Second is absence of equal but opposite
(ie settlement) lines. See PC0152014 for a similar
problem and how problem was resolved."
A. Yes.
Q. "For the first problem, I have used the TRT to insert
the missing data ie Region, Margin, Margin Product and
EffectiveExRate."
Now, pausing there, what does it look to you is
going on here?
A. It looks to me as though we are inserting into a totally
different database because it is TMS_RX so this is
the -- this is not the branch database.
Q. No. And also they seem to be using the transaction
repair tool.
A. Yes.
Q. Rather than the transaction correction tool.
A. Which I think would be what I have referred to as the
TIP(?) repair tool.
Q. Yes?
A. And TMS is -- yes, it's not part of the BRDB.
Q. But what we do see -- and this is in February 2009, so
this is Horizon Online, isn't it?
A. It could be ... 2009 was migration, so I don't for
certain know without looking further at whether this was
old or new.
Q. Would they be using the TIP repair tool with
Legacy Horizon?
A. Yes, the TIP repair tool has been used -- it was
basically moved across from legacy onto BRDB. It
fulfils the same function. It sits inside the -- I'm
sorry, I have forgotten the name of the database, but it
sits inside -- yes, TPS.
MR GREEN: Okay. Let's just take it --
MR JUSTICE FRASER: Do you want to continue with this one
now to the end?
MR GREEN: My Lord, if I may. I will try and take it
quickly.
MR JUSTICE FRASER: Well, yes, but don't take it quickly as
in speaking so quickly the witness can't really follow
you.
MR GREEN: I'm grateful.
MR JUSTICE FRASER: I don't want you to feel under pressure
of time at all on this, Mr Godeseth, so ...
A. Thank you, my Lord.
MR GREEN: If we look at 19 February 2009, 17.39.40, which
is the line we were looking at, do you see the two sides
of the problem relating to these transactions and we
just read this text?
A. Yes.
Q. "The first is where all five SC transactions missing
core data as described in the above-mentioned KEL."
A. Yes.
Q. And that appears to be the KEL reference at the top of
the page, "KEL obengc3120K", yes?
A. Yes.
Q. And the second point is the absence of equal but
opposite settlement lines. So what you've got there in
the data is not a zero sum basket, in the data. There's
half of it missing, isn't there?
A. That's what it appears to be saying, so to do it full
justice I would want to spend more time looking at it
but I ...
MR GREEN: I understand. Well, perhaps -- I don't know
whether it would be --
MR JUSTICE FRASER: How many pages are there in this PEAK?
MR GREEN: There are only three, my Lord, but you do have to
look at the KEL. I wonder if it would be fair to the
witness if he could be provided with a copy of this and
a copy of the PEAK 0152014 and KEL 017510 overnight so
he can consider those.
MR JUSTICE FRASER: Well, rather than just grandly say "Yes
he shall be provided", let's work out who is going to
provide it to him.
MR GREEN: He is not our witness, but we would be happy to
do anything we can.
MR JUSTICE FRASER: You are cross-examining him.
MR GREEN: Of course.
MR JUSTICE FRASER: Just pause one second.
Mr De Garr Robinson, it seems to me the witness
ought to be allowed to see those documents.
MR DE GARR ROBINSON: Absolutely, my Lord. This illustrates
the difficulty, particularly with using Magnum for this
kind of cross-examination.
MR JUSTICE FRASER: Well ...
MR DE GARR ROBINSON: I'm not complaining, but it would be
helpful and, my Lord, it would also be helpful it seems
to me if the witness is also given a copy of PC0175821.
MR JUSTICE FRASER: That's exactly what I was then about to
suggest because they are linked and the same problem has
arisen in that PEAK as well.
Mr Green, is the quickest and easiest way for you --
have you got unmarked copies?
MR GREEN: I don't, my Lord. I have only got mine marked
up.
MR JUSTICE FRASER: Have either of you got the facility to
print those documents relatively promptly?
MR GREEN: We can go back to chambers and print them off.
MR DE GARR ROBINSON: My Lord, we might be able to print
them off in a room we have just around --
MR JUSTICE FRASER: Perfect. I'm going to leave it to your
two joint good offices.
Mr Godeseth, unlike the usual warning "don't talk to
anyone about the case", you are allowed to talk to each
of these two gentlemen who are going to give you the
documents to look at.
A. Thank you, my Lord.
MR JUSTICE FRASER: I'm in no way limiting the time that you
look at them, it is completely up to you, you're going
to resume at 10.30 tomorrow, but just in terms of common
sense I wouldn't sit and stare at them every minute
between now and 10.30 tomorrow morning and that's not me
being flippant, everyone reacts differently when they
are presented with documents in the middle of their
evidence and I don't really want you to come back in the
morning having spent however many hours there are
between now and then just staring at endless PEAKs.
A. Thank you, my Lord.
MR JUSTICE FRASER: But other than that, please don't talk
to anyone about the case.
A. Understood.
MR JUSTICE FRASER: Does that deal with that issue?
MR GREEN: My Lord, yes.
MR JUSTICE FRASER: I don't think there is anything else?
No. So far as tomorrow is concerned ..?
MR GREEN: We are going to be finishing with Mr Godeseth in
the morning and then we don't know the position in
relation to Mr Membery and then we will finish with
Mr Parker.
MR JUSTICE FRASER: I will leave you to discuss that between
yourselves. Just let me know in the morning.
MR GREEN: Most grateful.
MR JUSTICE FRASER: So there's no housekeeping or anything
of that nature and I shall see everyone and you as well,
Mr Godeseth, at 10.30 tomorrow.
A. Thank you very much.
(4.33 pm)
(The court adjourned until 10.30 am on Thursday,
21 March 2019)
(10.32 am)
Housekeeping
MR DE GARR ROBINSON: My Lord, good morning. Before I call
my next witness there is one small matter I should raise
with your Lordship. Your Lordship may recall that
I raised the question of disclosure from the claimants
in relation to the documents that were referred to by
the claimant witnesses who gave evidence last week.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: Your Lordship will recall that
a letter was sent on Friday which sought a response from
Freeths by close of business on Monday.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: I raised it with you on Tuesday. It
is now Wednesday morning. I simply wish to make
your Lordship aware that this is an issue and that the
point is fast approaching where I may have to ask
your Lordship to do something.
MR JUSTICE FRASER: Okay. Have I got a copy of that letter?
MR DE GARR ROBINSON: My Lord, I don't believe you have,
I will make sure --
MR JUSTICE FRASER: It is not on Magnum, is it?
MR DE GARR ROBINSON: That will need to be checked, my Lord.
MR JUSTICE FRASER: All right. I think the best thing is
have the letter put on Magnum, I'm just going to explore
the situation with Mr Green now and if we have to come
back to it, then obviously we will fit it in with the
trial timetable and if people have to be recalled, they
have to be recalled, but obviously I would like to avoid
that if possible.
MR DE GARR ROBINSON: Of course.
MR JUSTICE FRASER: Mr Green.
MR GREEN: My Lord, I'm afraid we have been working on
cross-examination and I just don't know what the
position is on it, but I'm sure it is being attended to.
I will find out and update your Lordship later in the
day. Obviously, any documents that they have referred
to need to be disclosed and that's obviously -- we must
do it, so I'm --
MR JUSTICE FRASER: We are in -- I suppose in a sense on the
basis that these might be -- or these would be documents
which Mr De Garr Robinson might want to put a point to
a factual witness, then the factual witness would have
to be recalled anyway, but just in terms of proper and
efficient trial management --
MR GREEN: Absolutely right.
MR JUSTICE FRASER: -- we've got a little bit of scope next
week, but I want all the factual evidence dealt with
before the experts are called.
MR GREEN: My Lord, yes.
MR JUSTICE FRASER: And one of the days next week has
already been set aside for a contested third party
disclosure application against Royal Mail which I think
has been moved by consent from tomorrow to next Tuesday.
MR GREEN: My Lord, yes.
MR JUSTICE FRASER: And I don't want to let sand run through
all our fingers unnecessarily. So we will revisit --
today is Wednesday, we will revisit this at the end of
today, please.
MR GREEN: I'm grateful, my Lord.
MR DE GARR ROBINSON: My Lord, I call David Johnson.
MR JUSTICE FRASER: Yes.
MR DAVID MALCOLM JOHNSON (affirmed)
MR JUSTICE FRASER: Thank you, Mr Johnson. Do have a seat.
Examination-in-chief by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Johnson, there should be a file of
documents in front of you. Can I ask you please to go
to tab 4 of that file {E2/4}. You will see there
I think a sheet of two corrections and then behind that
sheet there should be a witness statement which
describes itself as being of David Malcolm Johnson; do
you see that?
A. Yes.
Q. And is that your name and address there on the first
page?
A. Yes, it is.
Q. And could you go to the last page in that same tab
please {E2/4/20}.
A. Yes.
Q. Is that your signature on that page?
A. Yes, it is.
Q. And if you could look briefly at the corrections -- have
you seen those corrections before?
A. Have I seen them before?
Q. Yes.
A. Yes.
Q. Are they corrections you wish to make to this witness
statement?
A. Yes.
Q. And then if we go forward in the bundle could I ask you
to go to tab 6 please {E2/6}.
A. Okay.
Q. That's your name and address, I think I can take it from
you, on page 1 of that?
A. Yes.
Q. And on the back page, page 5 {E2/6/5}, is that your
signature?
A. Yes, it is.
Q. So these are two witness statements that you have made.
Subject to the two corrections that we have just
referred to, are those witness statements true to the
best of your knowledge, recollection and belief?
A. Yes, they are.
MR DE GARR ROBINSON: Thank you, Mr Johnson. If you wait
there there will be some questions for you.
Cross-examination by MR GREEN
MR GREEN: Mr Johnson, I think you may have been involved in
training some of the legal representatives.
A. I gave some demonstrations on how the Horizon system is
used in branch to various parties involved in this, yes.
Q. And I think one of the points you covered was how to
reverse a -- how to sell stock into the system, to
correct too much stock and how to enter a transaction --
A. Yes.
Q. -- that would then balance stock and cash?
A. Yes.
Q. Do you remember that?
A. Yes.
Q. And you are very familiar with how the system works?
A. Yes.
Q. You are a trainer?
A. (Nods).
Q. In your witness statement you say at paragraph 10, which
is on {E2/4/2}, which is page 2 of your first witness
statement, it will come up on the screen as well, you
say that:
"The screenshots that appear in this statement are
primarily taken from a document called Post Office
Onboarding Counter Guide ... where a screenshot has been
taken from another document I refer to that document."
Is that correct?
A. Yes.
Q. So what you have done is you have taken the screenshots
that we see in your witness statement from that guide
and if they're not from that guide, you have pointed
that out?
A. Yes.
Q. So when we look, for example, at the screenshot on
page 3 {E2/4/3}, that's come from the guide?
A. Yes.
Q. We can see a date in the top, Tuesday 2 December 2014?
A. Yes.
Q. And if we look over the page on page 5 please {E2/4/5},
similarly we see layouts there. There's a date
of October 2017 at the top.
A. Yes.
Q. And August 2017.
A. Yes.
Q. Can we just look over the page now at page 6, please
{E2/4/6}. Now, you haven't said there that those have
come from any other source, but they are not actually in
the guide, are they?
A. I don't know.
Q. Can you see they look a little bit different?
A. Yes.
Q. And if you have a look at the two examples we've got
there, in the travel line in the top one can you see
"Business Mails" is in italics?
A. Yes.
Q. And "Drop Mails Suite" is in italics?
MR JUSTICE FRASER: Sorry, which one are you looking at?
MR GREEN: I'm sorry, in the top box --
MR JUSTICE FRASER: On page 6.
MR GREEN: -- on page 6 on the travel line at F4, you go
across.
MR JUSTICE FRASER: I see, yes.
MR GREEN: "Business Mails 45" is in italics and the one
beneath it is in italics and "Returns" is in italics.
A. Yes.
Q. And if we go down to "Licences & Government", "Sell
Euros" and "Sell Dollars" are in italics, yes?
A. Yes.
Q. And we can also see "AP Manual Entry" and "Transcash" in
the "Retail F7" line are also in italics?
A. Yes.
Q. In the one below, none of those ones are in italics.
There's no system reason for that, is there?
A. Not that I know of.
Q. So do you know where these ones have come from?
A. No.
Q. Did you actually cut and paste these into the statement
yourself?
A. No, I did not.
MR JUSTICE FRASER: Who did?
A. The statement was provided to me by our solicitors based
on conversations and --
MR JUSTICE FRASER: You don't need to tell me about that.
I just wondered who had cut and paste these into the
statement.
A. I don't know who did that.
MR JUSTICE FRASER: You don't know. Right.
MR GREEN: Can we go back please to page 5 {E2/4/5}. Just
a couple of practical points. Could we very kindly
enlarge the bottom table please. Thank you very much.
So, Mr Johnson, just to understand how it works
practically, which is your area --
A. Mm-hm.
Q. -- this is a typical screen that an SPM might see --
A. Yes.
Q. -- when they're in the branch and they're serving
customers?
A. Yes.
Q. Now, a couple of quick points. When they press
"1st Stamp" in the F2 line, which is "Postal Services",
yes, what happens is that it registers that a first
class stamp is going to be purchased.
A. Yes.
Q. That's right. And the SPM doesn't need manually to
enter in the price of a first class stamp, do they?
A. No, they don't.
Q. And the reason for that is that there is a reference
data table from which that's populated?
A. As far as the technical aspects of it, I'm not familiar
with what goes on behind the scenes, what I know is when
you press that button --
Q. When you press it --
A. -- that's what comes up.
Q. -- the price of a first class stamp pops up?
A. Yes.
Q. So there are two aspects to what's happening: there's
a button press, which is the actual physical input by
the subpostmaster or subpostmistress?
A. Yes.
Q. And then there's what the -- the value of that
transaction, which is coming from the system --
A. Yes.
Q. -- back onto the screen?
A. Yes.
Q. So there are two elements of that interfacing together,
yes?
A. Mm-hm.
MR JUSTICE FRASER: Exotic though your hand gestures are,
they're not going to come out on the transcript.
MR GREEN: My Lord.
Mr Johnson, those are acting together to produce
what's going into the basket: two components --
A. As I understand it, yes.
Q. -- a button press -- it's practically what you would
see?
A. Yes.
Q. So the SPM presses a button and the item that they have
pressed and its value should appear in the basket?
A. Yes.
Q. If it is all working well?
A. Yes.
Q. Now, just looking at the layout of that table, there is
quite a lot of white space there, isn't there?
A. Yes.
Q. And the actual buttons are very cosy, they're all stuck
right together, aren't they, with no white space between
them: "1st Stamp", "1st Large Stamp", "1st x 12 Stamps",
they're all absolutely tight together, there's no white
space separating them?
A. Yes, the items in the middle of the screen correspond to
the -- in most -- in the vast majority of cases to the
most commonly used products.
Q. And the point I was just seeking to make to you is there
are a number of ways that screen could be laid out, and
on that screen we can see there would be plenty of room
to separate the buttons from each other more, wouldn't
there?
A. It would appear that way.
Q. Yes. And you are aware that sometimes SPMs have
problems with miskeying, don't they?
A. Yes.
Q. Can we look please at {F/932} on page 7 please
{F/932/7}. We can see here if we look at the -- sorry,
shall we start at the first page just to be fair to you,
so you can see what the document is.
A. Okay.
Q. This is a miskeying project feasibility study and you
can see that it is a document from May 2012, yes?
A. Yes.
Q. And if we go back please to page 7 of the document
{F/932/7}, there are a number of recommendations. I'm
just going to follow through one particular one. If we
look at the penultimate bullet point there.
A. Yes.
Q. "Look at the Buy and Sell icons on the travel home
screen are too close together and it becomes difficult
to isolate the correct icon. It would be useful to
clearly show which icon to press showing the Buy and
Sell icons more clearly."
Yes?
A. I can see that, yes.
Q. One of the features of the buy and sell icons, which
you, I think will know about, is that they are at the
end of the transaction, so if you press the wrong one,
the transaction has already gone?
A. No, that's not right.
Q. Let's have a look, if we may please, at page 14 of the
document {F/932/14}. Is what's said in the top line of
that correct? Let's just look at it together, if we
can:
"The Buy and Sell icons on the travel screen are too
close together."
And the second box says:
"Having these two icons next to each other many of
the Counter Colleague hit the wrong icon, which means
there is no way of reversing the transaction when
a mistake has been issued."
What is suggested is:
"Separate these two icons to a more logical location
on the screen."
And so forth. Can you see what's being meant by
that second box there?
A. I don't agree with the second part of that where it says
there is no way of reversing the transaction when
a mistake has been issued. The pressing of either the
buy or the sell icon is at the very start of the
transaction, so there are various opportunities before
the transaction is completed to recognise that the wrong
button may have been pressed.
Q. But if it is not recognised and the transaction is then
completed, it's correct, is it, there's no way of
reversing the transaction at that point?
A. No, to my knowledge a bureau de change buy or sell
transaction can be reversed.
Q. As the system is today?
A. As I understand, yes.
MR JUSTICE FRASER: Has it always been capable of being
reversed?
A. I believe so. It's almost nine years since I last
worked on Legacy Horizon. To my knowledge, yes, it has
always been possible to reverse a bureau de change
transaction.
MR GREEN: Let's look, if we may, at another facet of this.
We haven't got a screen for it, but there is on some
screens a zero and a double zero button, aren't there?
A. On the keyboard, there is a zero and a double zero
button, yes.
Q. Yes, and they're next to each other?
A. Yes.
Q. And we can see that that's got the potential for
miskeying?
A. I wouldn't say it has any more potential than any other
layout particularly.
Q. Well, if you put in -- I mean, we have seen some of the
examples of miskeys already during the trial and there
are things where items which should be perhaps 3,400 are
34,000, so quite a lot of them have got an extra nought
on the end. Can you understand from your knowledge of
the layout why that might sometimes occur, might feature
quite prominently?
A. Yes, it could happen because the buttons are next to
each other one might press the double zero rather than
the single zero, yes, I can see how that --
Q. But it's easy -- you can imagine someone not spotting
a double zero as easily as they might spot perhaps a 9
instead of a 4, or a 9 instead of a 2. It's more
striking, a 9 instead of a 2, isn't it?
A. A completely different number would be more striking,
however, if I were serving a customer and they were
paying a bill for, let's say, £350, I would check the
terminal after I had keyed the entry to make sure that
is the amount that's showing on the stack.
Q. Yes, but what we're talking about is the opportunity for
the system to minimise errors that are made in the
ordinary course by people who are just busily serving
customers, trying to be conscientious and deliver a good
service; that's all we're talking about.
A. Okay.
Q. And it's right, isn't it, that if you stop and
rigorously check and never make a mistake, which is
perhaps unusual for humans, that wouldn't happen, but
what this is focusing on is how to improve the system so
it is less easy for people to make understandable
mistakes. Yes?
A. Yes, I understand that.
Q. And that's a good idea in system design, isn't it?
A. I think so.
Q. Yes. And the screenshots that we've got have largely
maintained the same design since Horizon was brought in,
haven't they?
A. Since original Horizon or Horizon Online?
Q. Since original Horizon. They have broadly looked the
same since Horizon was brought in?
A. Legacy Horizon, the screen looked rather different
because there were kind of small pictures on the icons
rather than just -- there were visual representations of
it rather than just the written product, if you like.
Q. But the overall layout itself has stayed broadly the
same?
A. Yes.
Q. And so the icons were fitted into the little buttons
that we have seen here?
A. As far as I'm aware, yes.
Q. At paragraph 32 of your witness statement on page 8
{E2/4/8} you talk about the cash declarations having to
be made by 6.55 because polling takes place at 7.00 pm.
Is that something you know about in terms of what the
consequences are if, for whatever reason, the cash
declaration is made at 7.01?
A. Yes.
Q. What happens?
A. The reason we say to make a cash declaration by 6.55,
yes, as it states there, the cash declaration
information is sent to the cash management team, so they
are aware of what cash on hand is at the branch and to
my understanding -- I don't work in the cash management
team, but to my understanding, the cash management team
use that information to decide how much cash to send to
that branch on their next scheduled delivery, or if
they're holding extra then -- more than they need, how
much they need to return.
Q. Now, part of your witness statement has dealt with the
reports available to SPMs.
A. Yes.
Q. One of the things they can't do is export data to a CSV
file, can they?
A. I don't know what a CSV file is.
Q. Or an Excel spreadsheet?
A. No, they can't export that from Horizon, as far as
I know, no.
Q. And has any thought been given, as far as you know, to
allowing that to happen?
A. I don't know.
Q. The Post Office itself has Credence, doesn't it?
A. Yes.
Q. And that allows it to look at the transactions that have
happened in branch?
A. Yes, as far as I'm aware, yes.
Q. Do you know why the Post Office just doesn't use the
same reports as are available to the SPM? Why does it
need Credence?
A. I don't know.
Q. Because the Post Office could print-out the till rolls
and analyse it that way too, couldn't they?
A. As far as -- well, I don't know whether the Post Office
could print-out a transaction log as you would print-out
in branch. As far as I'm aware, that is only available
in branch.
Q. Oh, I see.
A. In that format.
Q. One of the things you have mentioned in your witness
statement -- it's actually in your second witness
statement, if we could kindly go to that, which is
{E2/6/1}. I will just show you the front page to
orientate yourself. This is your second witness
statement, yes?
A. Yes.
Q. And if we go to paragraph 21 on page 5 {E2/6/5}, you say
there:
"The transaction log is a list of all transactions
and transfers completed in the branch, in chronological
order.
"The transaction log can be used as a general
investigation of all transactions or it can be filtered
by time, value and product. The transaction log records
the transaction that has taken place and also shows how
it was settled, for example by cash, card or cheque. It
is therefore possible to see all the transactions where
customers have paid by debit or credit card."
Yes?
A. Yes.
Q. Now, let's say you're in a situation faced by one of the
lead claimants, Mr Bates, where he is worried that there
may be duplicate entries in his account, but he doesn't
know what they are; how does he use the Horizon
reporting system to find them? What does he do?
A. To my knowledge, the transaction log will produce what
I have said there.
Q. No, I understand. Mr Johnson, I'm not trying to be
unfair to you. Just practically, so we can look at
this, you suspect there may be some duplicate entries,
perhaps giving you a discrepancy that's unexplained.
Just practically, what do you do if you are Mr Bates in
your sub-post office in Craig-y-Don in Wales and you
want to try and find out what's going on?
A. Are we saying that these are transactions which don't
appear on the transaction log?
Q. Well, he doesn't know whether they will -- we will come
to that in a minute --
A. Okay.
Q. -- but let's just say -- what do you suggest that person
in that situation does?
A. I would advise a postmaster in that instance to first,
raise the issue with NBSC.
Q. Okay. But if they're told that it is their
responsibility to find discrepancies in the branch, what
can they do for themselves? Do they -- because we have
heard of SPMs printing out very long transaction
rolls --
A. Yes.
Q. -- we have actually got one, it's quite long. Is that
what they do if they're looking for possible duplicates,
they print out -- because they don't know what the value
is --
MR JUSTICE FRASER: You are rolling about two or three
questions into one again, Mr Green.
MR GREEN: Sorry.
MR JUSTICE FRASER: Why don't you just give me
a walk-through of the steps that you say hypothetically
someone in Mr Bates' position should take.
A. So if a postmaster wants to check what transactions have
gone through, they would go to the transaction log. If
they wanted to look at a particular -- as I have
suggested, it could be filtered in a number of ways: by
date, by product, by value, by stock unit, by user,
there are a number of ways it can be filtered, and
obviously the more you can filter it, the shorter the
report will be, and then it would be a question of, as
you say, printing the transaction log out and manually
checking each item.
MR GREEN: But if you're looking for duplicates, you would
have to try and remember the figures you have seen?
A. Yes, I mean if you're looking for a duplicate then
I'm -- I mean, I don't know, I'm -- I'm guessing here
that if there would be -- that there would already be
one transaction on the transaction log. I'm not quite
sure what you are getting at. Presumably we can see one
transaction on the transaction log and there's a thought
that that transaction may have been duplicated, is that
what we are ..?
Q. Well, you get an unexplained discrepancy of a figure you
don't recognise.
A. Right.
Q. Let's say £1,723.
A. Okay.
Q. And you don't understand how that can have happened.
You think "Well, maybe there's a duplicate entry of some
sort", just, you know, this is one example, or maybe
there's a number of duplicate entries. You can see it's
not very easy, is it?
A. It's not the most user-friendly way of investigating.
Q. That's all I was really asking.
MR JUSTICE FRASER: Can I just ask you a question. When you
say the filtering that it can be done, that can be done
in branch, can it?
A. Yes.
MR JUSTICE FRASER: Am I right that would only be of any --
that would only be of any assistance if you knew what
you were looking for already, wouldn't it?
A. Not necessarily. A postmaster may have come to the
conclusion that a discrepancy occurred on a particular
day by virtue of looking at his cash declaration for the
previous day and the current day, and the previous day
had no discrepancy, the current day does, so he may want
to filter then to that particular day when the
discrepancy occurred on his cash declaration.
MR JUSTICE FRASER: Mr Green.
MR GREEN: Could we look please at {F/1556} please. Now,
this it document is titled the "Network Development
Programme Operation Simplification", and if we go over
the page {F/1556/2}, you can see the sorts of things
that it is covering and can we go please to page 6,
which is the "Business Context" section {F/1556/6}, and
can I just invite you to look at this first paragraph:
"There are a number of branch operations processes,
especially around branch accounting and reconciliation,
which operate using legacy processes. They are
unnecessarily complex and detract Post Office branch
resources from serving customers. Stock Unit Management
and accountability is very poorly controlled and is
operated on very complex business rules. The lack of
accountability and visibility of cash and stock
transfers between Stock Units can lead to errors, rework
and provides opportunities for fraud."
Is that a statement that you disagree with, or agree
with?
A. I would agree with that.
Q. And then if we look just below:
"Similarly, Suspense Accounting is based upon legacy
cash accounting practices, ill-defined and out of date
processes. Inefficiencies lead to poor utilisation of
resources both in Post Office branches and Support
Services."
Is that something you would agree with or disagree
with? Is that fair?
A. My experience of the suspense accounts in branch is that
it works -- it does what it's supposed to do.
Q. Can you see why that might be a reasonable view, or is
it a completely unreasonable view?
A. I don't think it's completely unreasonable, no.
MR GREEN: Okay, I'm very grateful. My Lord, I have no
further questions for this witness.
MR JUSTICE FRASER: Can you just tell me what date this
document is, Mr Green?
MR GREEN: This is 21 October 2016.
MR JUSTICE FRASER: Mr De Garr Robinson?
Re-examination by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Johnson, you were asked some
questions about buttons being close together, but there
are some questions you weren't asked that I would like
to ask you now.
As I understand it, you have experience of working
in branch?
A. Yes.
Q. Do you have experience of working in a busy branch?
A. Yes.
Q. How much experience of that sort do you have?
A. I have -- before I started my current role in 2012 I had
worked in branches since 1984.
Q. So could you give the court some indication of how
much -- would you consider yourself very experienced,
not very experienced? I'm just trying to get a clear
answer from you.
A. I suppose you could say I am very experienced at working
in branches.
Q. Thank you. It was suggested to you that -- you were
shown one of the screenshots in your witness statement
and it was suggested to you that the buttons were close
together. What you weren't asked about is whether you
took the view that the buttons you saw, or the buttons
on the screen -- that their closeness together is
a cause of any difficulty in using the system. Would
you like to comment on that question?
A. The fact that buttons are close together can mean that
one does occasionally press the wrong one. However,
that is easily rectified.
Q. And when you say it is easily reconciled, why is it
easily reconciled?
A. Rectified.
Q. Rectified, I'm so sorry.
A. If one would notice that the wrong button had been
pressed -- for example, you may go to sell a first class
stamp and you know yourself that the cost of that stamp
is 67p. If you were to hit the first class large stamp,
which is next to it, in error, the amount on the stack
would be a different amount, so it would be easily
recognisable that you had then pressed the wrong button.
Q. And another question that you were asked is whether the
layout of the counter had been broadly consistent over
the period of operation of Horizon. Mr Johnson, you may
not be able to answer this question, but do you have
a view as to whether keeping the layout of the screen
consistent over time is a good thing or a bad thing?
A. That's -- my opinion on that is it is a good thing.
Q. Why do you say that?
A. Because one gets used to working on the system and the
buttons are where you would expect them to be.
MR DE GARR ROBINSON: My Lord, I have no further questions.
Thank you, Mr Johnson.
Questions by MR JUSTICE FRASER
MR JUSTICE FRASER: I just have a couple about your
experience. I know you have said in paragraphs 2 and 3
how you started as a counter clerk.
A. Yes.
MR JUSTICE FRASER: And that was in a Crown branch I think,
wasn't it?
A. Yes.
MR JUSTICE FRASER: And then you say you became the
assistant manager and worked in various branches as the
assistant manager. Were they all Crown branches?
A. Yes, they were.
MR JUSTICE FRASER: And your last role was the branch
manager at the Barry Crown office?
A. My last role prior to taking up my current role, yes.
MR JUSTICE FRASER: Which was in 2012?
A. Yes.
MR JUSTICE FRASER: I'm sure I can guess from the name, but
Barry Crown office is a Crown branch, isn't it?
A. Yes.
MR JUSTICE FRASER: All right, that's very helpful. Thank
you very much indeed for coming, and that's the end of
your evidence. I assume there are no follow-up
questions to that from either of you?
Further re-examination by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Perhaps one question.
Does it make a difference whether you are working --
in terms of operating the system, is there a material
difference between operating the system from
a subpostmaster branch, an agency branch, or from
a Crown office?
A. No.
MR DE GARR ROBINSON: Thank you.
MR JUSTICE FRASER: Thank you very much.
MR DE GARR ROBINSON: My Lord, I call Andy Dunks.
MR ANDREW PAUL DUNKS (sworn)
Examination-in-chief by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Dunks, there should be a bundle of
documents in front of you. Can I ask you to go to
divider 10 of that bundle please {E2/10}. You will see
a witness statement that describes itself as being by
you. Is that your name and address on the first page?
A. That's the name of my -- where I work.
Q. Where you work, I see.
A. Yes.
Q. Thank you. And if you go to page 3 {E2/10/3}, is that
your signature?
A. Yes, it is.
Q. And do you confirm that this statement is true to the
best of your knowledge, recollection and belief?
A. Yes.
MR DE GARR ROBINSON: Thank you. If you could wait there
for a moment.
MR JUSTICE FRASER: Mr Miletic.
Cross-examination by MR MILETIC
MR MILETIC: Good morning, Mr Dunks.
A. Good morning.
Q. I would like to start with paragraph 3 of your witness
statement which is {E2/10/1}. There are you say:
"I have been employed by Fujitsu Services Limited,
on the ~... (Post Office Account), since 11 March 2002
as an ~... (IT) Security Analyst responsible for audit
data extractions and IT Security."
That's quite a long time, isn't it?
A. Yes.
Q. 17 years of experience you have in this particular area
of data extractions?
A. Yes.
Q. And over the course of that 17-year period, how many
extractions do you think you have carried out?
A. I couldn't tell you. Hundreds.
Q. Hundreds?
A. Yes.
Q. You have probably seen every issue that possibly could
arise with extraction of data, haven't you?
A. I would say so, yes.
Q. And how many others have a similar position to yours at
Fujitsu at any given time and carry out data
extractions?
A. Generally, there is a team of three or four people.
Q. And do they carry out a similar number of extractions
each year as you would?
A. Yes.
Q. Would that number vary from year to year, or would it be
fairly consistent?
A. No, it varies. It varies week by week.
Q. And you have experience of carrying out audit data
extractions both on Legacy Horizon and Horizon Online?
A. Yes.
Q. If we could please go to {E2/1/10}. This is
Mr Godeseth's witness statement, his first witness
statement, and he is a colleague of yours at Fujitsu,
correct?
A. Yes.
Q. Now, at paragraph 31 there he says that he has been
informed by a colleague that the number of ARQs issued
since 2014/15 are as follows, and then he sets some out
there at 31.1 to 31.4, do you see?
A. Yes.
Q. That suggests huge fluctuations over the years, doesn't
it?
A. Yes.
Q. 729 extractions in 2014/2015. Can you think of why that
would be?
A. I have no idea. It is what we would get supplied or
requests from the Post Office, so we don't control how
many we get.
Q. Would it make sense to you if that was during the period
when the mediation scheme was taking place and so maybe
you had more requests at that time?
A. Yes, it could quite well be, yes.
Q. And in 2016/2017 and 2017/2018, over 300 requests. Do
you think that these proceedings may have an impact on
that number and why it is a bit higher than for example
2015/2016?
A. It could well be, but I can't guarantee that.
Q. In 2015/2016, 103 without these two alternative events
going on. Is that perhaps more representative of what
you would get on a yearly basis, or do you not know?
A. I would be guessing if I said yes, without looking at
all the previous years and how it has incremented over
the years, I couldn't tell you.
Q. Sure. But in your experience that might be about right,
100 or so?
A. It could be, yes.
Q. And for 11,000 branches in a year, it's not a high
percentage of ARQs that were requested during that year?
A. I suppose so.
Q. Now, there are no figures there for pre-2014, and
the court has had had evidence from Mrs Mather -- and we
don't need to turn it up, but for his Lordship's note it
is paragraph 19 of her first witness statement which is
{E2/8/4}. There Mrs Mather says that there is
a contractual limit on the amount of data requests that
Post Office can ask for of 720. Is this a limit that
you're aware of?
A. Yes.
Q. If there's a contractual limit on the amount of ARQs
that can be requested, Fujitsu must be keeping a record
of how many requests are made each year?
A. Yes, we do.
Q. Why then are there no figures seemingly for prior to
2014?
A. I can't answer that.
MR JUSTICE FRASER: Have you been asked to get --
A. No.
MR JUSTICE FRASER: You haven't?
A. No.
MR MILETIC: But as far as you are aware, there would be
a record of those?
A. As far as I'm aware, there is, yes.
Q. There should be really?
A. Yes.
Q. The purpose of your witness statement is essentially to
talk about the process of audit extraction, audit data
extraction, and the integrity of data and how it is
maintained during that process, is that fair?
A. Yes.
Q. If we could go back to paragraph 4 of your witness
statement {E2/10/1}, you say:
"During 2009/2010 the Horizon system was upgraded to
Horizon HNGX [Horizon Online] and the detail contained
in this witness statement refers to audited transaction
records generated by this upgraded ... system."
I just want to be precise about the language there.
When you say "audited transaction records", you are
talking about transaction records generated from the
audit store; what you're not talking about -- it's not
the case that those records are actually audited prior
to going into the audit archive, correct?
A. No, it's just the extraction data that I'm taking out.
Q. Exactly. And so it's an important distinction because
really the only time when those records are audited is
when they are extracted and then someone uses them to
compare against different records. Does that sound
correct?
A. I think so. I don't think they are actually compared.
All the data that we extract is specific data from the
servers with all the transactions so it's not -- I think
the word "audit data" -- it's just we extract that data,
we don't then compare it. We then extract the data and
supply it to the Post Office.
Q. Yes, so where it says "audited transaction records" it
might be slightly misleading because it is not that they
are audited prior to going into the audit store; that's
correct, isn't it?
A. I don't know how it is put onto the audit store.
Q. And the second sentence there:
"Unless I state otherwise in this statement when
I subsequently refer to the 'Horizon System' I am
referring to the ~... system as upgraded by Horizon
HNGX."
Looking at your statement I have not seen somewhere
where you have stated otherwise, and so actually your
evidence is limited to the extraction process under
Horizon Online, correct?
A. It is probably misleading. As I have been doing it that
long, it is both Horizon and Horizon Online.
Q. But the specific content of your witness statement from
that point onwards only addresses Horizon Online?
A. I would say it's -- it's the data that I have extracted
for these proceedings.
Q. I see. And when you discuss controls, which we will get
on to in a little bit, is it your evidence that those
controls have always been the same and the same
processes have been followed both in Legacy and
Horizon Online?
A. I believe so. I don't know all the controls -- the
technical controls which are used for the storage of the
data.
Q. So when you provided your evidence here, you really were
talking about the controls as at effectively today's
date when you were making extractions for this trial?
A. Yes.
Q. And if we could go over the page please to paragraph 5
{E2/10/2}, the first sentence:
"When information relating to
individual transactions is requested, the data is
extracted from the audit archive media of the Horizon
System via the Audit Workstations."
And then this second sentence:
"Information is presented in exactly the same way as
the data held in the archive although it can be filtered
depending on the type of information requested."
Pausing there, do you always provide data that's
filtered, or do you sometimes provide data that's
unfiltered?
A. We supply data that's filtered.
Q. Are there any circumstances in which you provide
unfiltered data?
A. To the Post Office, I don't believe I have done.
Q. And then you go on to say:
"The integrity of data retrieved for audit purposes
is guaranteed at all times from the point of gathering,
storage and retrieval to subsequent despatch to the
person making the request."
Again, just in the interests of being precise, can
you explain exactly what you mean when you're saying
"data integrity"?
A. That's what I'm led to believe within the systems that
it is -- that hasn't -- the integrity is complete, it
hasn't been touched in any other way.
Q. So your definition of integrity of data is simply
whether it has been tampered with or not?
A. No, my definition of integrity is that the data I have
extracted and supplied to the Post Office my -- I'm
aware of is in -- its integrity is complete.
Q. And if I was to say the data integrity is the overall
completeness, accuracy and consistency of that data
which you can measure by comparing between sources,
would you agree with that as a definition of data
integrity?
A. Yes.
Q. And if we could please go to {D3/1/67}, this is from
Dr Worden's first expert report, and if we could look at
paragraph 238.6 and what he says there, which is:
"The audit system provides a highly secure and
tamper-proof record of what is entered into Horizon at
the counter, which can be used, in cases of any anomaly,
to provide a 'gold standard' for comparison with data
held in other parts of the Horizon estate, supporting
the diagnosis of software errors. This acts as a secure
kernel and redundant store of data (SEK and RDS)."
I'm not going to ask you about the second sentence
and those acronyms, but in terms of that first part, is
it your evidence as well that it is highly secure and
tamper-proof?
A. The -- where the data is stored, I'm not involved in, so
I can't answer that side of the question.
Q. But in terms of when it is extracted?
A. From my point of view, the processes that we follow and
extract them and supply them to the Post Office, that is
my belief.
Q. It is highly secure and tamper-proof?
A. Yes.
Q. And is it your evidence as well that it can be used in
cases of an anomaly as a gold standard for comparison?
A. They are -- they are words that I probably wouldn't use,
but I'm happy with the integrity of the data that I give
to the Post Office.
Q. But "gold standard" might be putting it a bit high for
your -- in your opinion?
A. Well, no, if you want to use "gold standard", yes,
I will agree with that.
Q. But in any event, you agree that the accuracy of that
audit data and maintaining the integrity upon extraction
is extremely important, particularly, if it is going to
be used in disputes with subpostmasters?
A. Yes.
Q. And if we could go back to {E2/10/2}. Paragraph 6 where
you set out what you say the following controls are that
apply. Did you look at any specific Fujitsu documents
when listing what amount to 12 controls there?
A. Where am I looking at here, sorry?
Q. So in paragraph 6 you say:
"During audit data extractions the following
controls apply ..."
A. Yes.
Q. And then you list out in subparagraphs, 12 specific
particular controls and I was just wondering whether you
looked at any specific Fujitsu documents when you set
out those controls?
A. No, this is the process -- there are security processes
and protocols in place within Fujitsu, but these are
basically the security controls that we have as a team
that we have to extract the data.
Q. My question might not have been entirely clear,
Mr Dunks, but when you set out these 12 controls, when
you were drafting this part of your statement, did you
look at any specific documents in order to think of
and write out these 12 controls?
A. No, this is my knowledge of the controls.
Q. So this is purely from your memory that you draft the 12
controls?
A. Yes.
Q. I see. And in terms of those 12 controls, have they
always been available throughout your time at Fujitsu,
or have some potentially changed?
A. No, that's basically as is the whole time I have been
there.
Q. As far as you can recall those are~...
A. Yes.
Q. Would you say that those are sort of the core controls,
or they just some that you thought of?
A. No, they are the core controls surrounding the audit
extraction.
Q. So at any point in time when we look we should probably
see the 12 same controls listed at other points in time?
A. Yes.
Q. And just over the page, please, {E2/10/3}, at
paragraph 7 you just describe the fact that you have
extracted data in relation to these proceedings. And
then paragraph 8, again, I just want to be very precise
and I want to make sure that I understand exactly what
is being said in this statement. Paragraph 8 begins:
"There is no reason to believe that the information
in this statement is inaccurate ..."
Pausing there, what is "this statement"? Do you
mean your witness statement?
A. Yes.
Q. Okay:
"There is no reason to believe that the information
in this [witness] statement is inaccurate because of the
improper use of the system."
What is the "system" there? Is that the system of
the process of extracting audit data, or is it something
else?
(Pause).
A. Good question. There's no -- I'm not sure what I was
meaning by that, "There is no reason to believe ..."
Q. We will take this step-by-step, but just looking at that
first sentence, you are not quite sure what you mean by
"system"?
A. I think I was meaning about the improper use of the
audit data extraction system.
Q. So when you say "system", you mean the process of
extracting audit data?
A. Yes, I do.
Q. I see, so:
"There is no reason to believe that the information
in this [witness] statement is inaccurate because of the
improper use of the system [in place for extracting
audit data]."
A. Yes.
Q. "To the best of my knowledge and belief at all material
times ..."
Pausing there, what are "all material times" in your
statement?
A. The whole time I had been using the workstations to
extract the data, as far as I'm concerned, there has
been no issues or faults with the workstations to
extract the data.
Q. So "at all material times" is actually the 17 years you
have been at Fujitsu?
A. Yes.
Q. I see, so:
"To the best of my knowledge and belief at all
material times the system ..."
Ie the process of extracting data:
"... was operating properly, or if not, any respect
in which it was not operating properly ..."
Again, pausing there, it is slightly confusing. Are
you aware or not aware of any instances where that
system was not operating properly?
A. No, not really, no.
Q. Okay. So you're not aware --
A. There may have been a few faults -- software faults --
I would say software faults -- where the system has
rebooted or whatever, but if that does, it interrupts
the data extraction which doesn't complete, so we will
then re-run the data extraction. So it's not affecting
any data that's been extracted.
Q. I see. And is that the only example that you can
provide his Lordship as to occasions when that system
wasn't operating properly?
A. Yes.
Q. So you say it was operating properly:
"... or if not, any respect in which it was not
operating properly, or was out of operation was not such
as to effect the information held within it."
What is "it"?
A. The data that I have extracted.
Q. I see, okay. So, Mr Dunks, how could you possibly say
that in any respect that the system wasn't operating
properly, it wouldn't affect the data that you have
extracted? Surely if that process isn't operating
properly, it must have an effect on the data that it
produces?
A. Well, no, because if it doesn't extract the data wholly,
or there is an issue with the PC at the time, it will --
it shows that there is an error, so we actually re-run
the data and there are some checksums within the data
which is a number for each day and if there's a gap
between -- and we check that there's no gaps between
those numbers, and on each report it states that there
are no gaps, which would show if it there were any
issues, but ...
Q. I see. And is it your case that there has never been
a circumstance where the data that's been produced
hasn't[sic] appeared inaccurate because of the process
used to extract it?
A. Not to the best of my knowledge, no.
Q. So now that we have deconstructed that paragraph
a little bit, it is a very specific and slightly hard to
follow choice of wording. Has that come from you, or
has that come from somebody else, Mr Dunks?
A. It -- I did produce the witness statement and then it
came back slightly altered to see if I was happy with
that and I read it and I was happy with it. Maybe
misunderstanding how it could be interpreted, but ...
Q. Yes, but paragraph 8, is that your choice of wording or
not?
A. I can't remember.
Q. Is it more of a Fujitsu party line when it comes to
providing statements on extracting data?
A. There is -- as far as witness statements, there are
no -- I'm not aware of any party line, no.
Q. Thank you. Can we please go to {E2/1/10} and we're back
in Mr Godeseth's witness statement here. We looked at
the ARQ extraction rates over the years. At
paragraph 32, Mr Godeseth says:
"I am not aware of any instances where data
retrieved from the Audit Store differs from other
sources of data, nor am I aware of any instances where
the integrity checks described in paragraph 30 have
revealed any issues."
Those integrity checks are broadly similar to the
ones that you have outlined, but are you aware of any
instances where data retrieved from the audit store has
differed from other sources of data?
A. No, because I'm not aware of any other forms -- I'm not
involved in any areas of data storage.
Q. So Fujitsu wouldn't know that anyway?
A. Well, I can't say that.
Q. Does Fujitsu keep a list of any times when that might
happen?
A. I don't know.
Q. It would be quite a useful thing to have though, for
Fujitsu's purposes, if they did have such a list,
wouldn't it?
A. Yes.
Q. And I guess my second question is a bit overlapping with
the first, but are you aware of any instances where
integrity checks have revealed issues?
A. No, I'm not aware, no.
Q. Not aware of any instances?
A. No.
Q. And again, Fujitsu don't keep a list of any of these
times when it might have revealed issues?
A. Again, I don't know.
Q. Can we please go to {F/1557}. Mr Dunks, this is
actually a Post Office document titled "Back Office
Transformation". It is dated 22 October 2016. The
context -- there's a little bit in that first part
there:
"This paper outlines the business case for the back
office transformation. An opportunity to significantly
improve our basic process and controls, whilst
simplifying the back office application landscape and
reducing our cost base."
If we could please go to page 4 of that document
{F/1557/4}. Have you seen this document before,
Mr Dunks?
A. No.
Q. Now, there it says "Why do we need to transform?":
"Transformation in the back office is required due
to unsuitable processes and significant operational
risk.
"The Post Office has been running the same
sub-optimal back office processes for many years."
If we go down a bit further:
"Industry best processes exist that can, and will be
adopted."
And then 14:
"The back office is currently operating with a far
higher operational risk profile than is accepted by the
Post Office when making investment or project decisions.
High proportion of manual accounting steps."
And then the first arrow bullet point there:
"Lack of system audit trail between transactions."
What do you think that means?
A. I have no idea, I would be guessing.
MR DE GARR ROBINSON: Is this a fair --
MR JUSTICE FRASER: Just -- Mr De Garr Robinson.
I'm not sure you can actually really pursue that
very much further with this witness given he has never
seen the document before.
MR MILETIC: I'm grateful, my Lord.
MR JUSTICE FRASER: Is it a phrase you have ever come across
before "lack of system audit trail"?
A. No.
MR MILETIC: I suppose the one question I would ask Mr Dunks
is: are you aware that Post Office had any concerns
regarding system audit trail as far back as 2016.
A. No, because I'm not involved in that area at all.
Q. I see. I will move on.
If we could please go to {F/1716}. This is the
audit extraction client user manual. Presumably you are
very familiar with this document?
A. I haven't read it for a long time, but I'm aware of it,
yes.
Q. So it's not something that you really look to on a daily
basis?
A. No, it's not.
Q. When do you think is the last time you would have looked
at it?
A. A few years.
Q. A few years?
A. Yes.
Q. The date of this document is 1 December 2017. It's the
most recent version, as far as we're aware, but you're
not sure either way probably whether it is or it isn't,
is that fair?
A. No, not -- no.
Q. If we could go please to page 9 of this document
{F/1716/9}, the introduction there:
"In addition to the historic data collected under
Horizon, the HNG-X system generates significant amounts
of data that is of interest to Post Office~... Internal
Audit ... and other groups.
"This document describes the Audit Extraction Client
application that is run on the Audit Workstations ...
the AE client provides functionality to manage [ARQs]
... and to retrieve and process audit data from the
audit archive."
It seems like an incredibly important document for
your job, doesn't it, Mr Dunks?
A. Yes.
Q. It is effectively a step-by-step guide on how to
contrary out data extraction?
A. I don't know. I can't remember reading it but --
Q. You can't remember reading. The definition there of
"filtering" under 3, do you see?
A. Mm-hm.
Q. "Filtering is the process of searching the retrieved
audit files for specified FAD codes or strings in order
to select a subset of data for further processing. The
user has the option of selecting the whole file in which
a match is found or of just selecting the matching
messages or records."
So filtering takes place obviously after you have
actually retrieved the files from the archive?
A. Yes, yes.
Q. Under 4, "Audit Data Integrity", the second paragraph
there:
"The integrity of audit data must be guaranteed at
all times and controls have been established to provide
assurances to Post Office Internal Audit that this
integrity is maintained."
That wording actually mirrors paragraph 5 of your
witness statement. Do you recognise that wording?
A. Yes.
Q. And then it says:
"During audit data extractions the following
controls apply ..."
Now, there are two there on that page which actually
mirror your 6.1 and 6.2 controls and then just over the
page please {F/1716/10}, the third one there matches
your paragraph 6.6.
If we could please move forward to page 42 of this
manual {F/1716/42}, the section begins with "Validation
and Query":
"This tab will only be available if the following
conditions have been met:
"1. The retrieved data consists exclusively of TMS
and/or BRDB messages.
"2. Filtering has been performed."
So this is now the data has been retrieved and now
we have been filtering, is that right?
A. Right, this is -- there would be two forms of data
retrieval, one is the fast and one is a slow one. This
is the historic one which I haven't used for quite
a while, but yes, I believe so.
Q. I see.
MR JUSTICE FRASER: Is this the slow one or the fast one?
A. It's the slower one.
MR JUSTICE FRASER: The slow one.
MR MILETIC: And if we could go over the page, please
{F/1716/43}, it says:
"TMS and BRDB messages are numbered in sequence for
each node. During filtering any retrieved audit message
data is analysed to determine what message sequences are
present in the data and whether there are any gaps or
duplicates in those sequences. A gap in a message
sequence may indicate that a message is missing from the
audit data. Duplicates may indicate that an audit file
has been gathered twice."
Taking those in turn, "a gap in a message sequence
may indicate that a message is missing from the audit
data"; that suggests that the underlying audit data is
incomplete, doesn't it, Mr Dunks?
A. I would say so, yes.
Q. But it uses the word "may", so actually it might be the
case that it is the retrieval process that has caused
the gap?
A. I don't -- no, I don't think -- I don't know.
Q. So the use of the word "may", may just be a slip in
language there?
A. Quite possibly.
MR JUSTICE FRASER: Well, it could be any one of a number of
reasons.
MR MILETIC: Precisely, my Lord.
MR JUSTICE FRASER: But on the basis that the witness didn't
draft it, I think he has agreed with your proposition to
the extent he can, but he also says he doesn't know.
MR MILETIC: I'm grateful, my Lord.
And the second part there "duplicates may indicate
that an audit file has been gathered twice", so that
would be an example of the processing -- the system you
were describing before, potentially causing duplicates
to be gathered?
A. Yes, possibly.
Q. And are you aware whether actually it might be the case
that duplicates were in the underlying data itself
rather than through the process?
A. I don't know, I can't -- I don't know.
Q. Well, the diagram there shows what would happen in the
event that gaps and duplicates are found, and do you see
it says gaps found shown in red, duplicates found shown
in blue and in block capitals "Seek assistance from
audit support". Now, on the face of that message --
first of all, have you seen messages like this before
when you have retrieved data?
A. If I have it was a long time ago. I'm not saying
I haven't, but it would have been a long time ago.
Q. You may have done? And on the face of it doesn't tell
you what the cause is of those gaps or duplicates, does
it?
A. No, I don't believe it does, no.
Q. And you wouldn't know what the cause was?
A. No, I wouldn't know, no.
Q. And in block capitals it says "Seek assistance from
audit support". Seek assistance from audit support, but
there's no explanation as to what audit support might
do. What do audit support do in that circumstance?
A. I'm assuming they would investigate the cause of the
gap.
Q. Do you have any experience of when you have called audit
support and they have come back to you?
A. Possibly. I think I possibly -- yes, I think we have
raised PEAKs, which is if this -- we would raise an
issue via a PEAK for the audit team to investigate.
Q. It's a problem, isn't it, if gaps and duplicates are
found upon the retrieval process?
A. Yes, I think so.
Q. And it's obviously very important what happens to the
data afterwards. Would you provide ARQs containing gaps
and duplicates, or would that go out of your hands and
then audit support gets involved?
A. Yes, the latter, yes.
Q. The latter?
A. Yes.
Q. And you're not quite aware of what they do. You say
they investigate?
A. Mm-hm.
Q. When the ARQ is ultimately provided, do they -- do you
know if they provide a version containing gaps and
duplicates, or if they provide a version without gaps
and duplicates because they have removed them?
A. I don't know.
Q. You don't know?
A. No.
MR MILETIC: My Lord, would it be a convenient moment for
a break?
MR JUSTICE FRASER: Yes, it would.
Mr Dunks, you are in the middle of giving your
evidence. We have a short break in the morning and
a short break in the afternoon for the shorthand
writers. Please don't talk to anyone about your
evidence or the case. We will have ten minutes, come
back in at 11.50, but please don't feel constrained to
stay in the box, you are allowed to go outside, stretch
your legs, even get some fresh air if you think you can
get down and get back up in time, but 11.50. Thank you
very much.
(11.41 am)
(Short Break)
(11.52 am)
MR MILETIC: Could Mr Dunks please be shown {F/676}. This
is a witness statement dated 8 July 2010 by
Gareth Jenkins. Do you know Gareth Jenkins?
A. Yes, I do.
Q. He was a colleague of yours, correct?
A. Yes, he worked on the same account.
Q. And he provided this witness statement in the trial of
Mrs Seema Misra. I assume you are familiar with
Mrs Misra's case?
A. Yes.
Q. In fact I understand, having seen a reference in
a transcript, that you in fact provided at least one
witness statement in that case?
A. I did.
Q. Do you remember what the content of that witness
statement, what it was dealing with?
A. That was around the help desk calls.
Q. I see. Now, Mrs Misra was a subpostmistress in
West Byfleet that was at the time being prosecuted on
charges of false accounting and theft and you recall
that?
A. Yes.
Q. Have you seen this witness statement of Gareth Jenkins
before?
A. No.
Q. Could we please go to page 2 of this statement
{F/676/2}. In the first full paragraph it says:
"With Horizon counters, the mechanism by which data
is audited has always worked on the principle that it is
acceptable to audit the same data more than once -- in
particular if in doubt as to whether or not it has been
previously audited successfully. The Mechanism used on
Horizon to retrieve the audit data took this into
account and only presented one instance of such
duplicate data in the ARQ extracts. The Audit Mechanism
cannot alter the base information and therefore
a re-running of the audit process will always produce
the same result."
Does that accord with your understanding of how the
process of retrieving audit data worked in
Legacy Horizon?
A. Yes.
Q. Are you sure or is it --
A. No, no, as far as I'm aware it extracts the data that's
there and if I extract it again, it will bring out the
same data.
Q. I see, so duplicates would not show up at that time?
A. When you say duplicates --
Q. Well, when it says:
"~... only presented one instance of such duplicate
data in the ARQ extracts."
A. As far as I'm concerned the data that -- it is very
process-driven, so we input the FAD code, the dates and
extract the data, and if I extracted it a second time,
it would bring back the same data, so I'm not aware, or
I don't know about duplicates it would bring back -- as
far as I'm concerned, it brings back the same data.
Q. I see. Mr Jenkins goes on to say:
"In January 2010 a new HNG-X application was
introduced to filter transaction records for
presentation to Post Office Limited. It has recently
been noticed that this HNG-X retrieval mechanism does
not remove such duplicates. An enhancement to the
extraction toolset will be developed, tested and
deployed and will remove such duplicate data in the
future. However until this enhancement is deployed,
there is a possibility that data is duplicated."
Pausing there, do you recall this being an issue at
the time?
A. I vaguely remember it, yes.
Q. And he goes on to say:
"The reliable way to identify a duplicate
transaction is to use the <Num> attribute that is used
to generate the unique sequence numbers. This will be
included in all future transaction record returns until
the retrieval mechanism is enhanced. A semi-automated
process to copy the returned data, and then to identify
and remove any duplicated records which may be present
from this copy by using the <NUM> attribute, has been
agreed with Post Office Limited for use in the interim
period."
What that suggests is there was a period of time
when there was -- it says semi-automated, a partly
manual process in removing duplicate records from ARQ
extracts. Does that accord with your memory?
A. It wasn't in the process that we did when extracting the
data. I'm aware of that happening, whether it went
on -- I don't know the process of it, but it wasn't in
our daily process for extracting and removing any
duplicates.
Q. So where it says that there is a process agreed with
Post Office in the interim period for removing those
duplicate records, that's not something that you were
involved in as the person extracting the data?
A. No.
Q. And not anyone in the similar role to yours was involved
in that?
A. I don't believe so, no.
Q. So there was effectively a separate department that was
taking care of that?
A. That was dealt with -- yes, not within our team.
Q. I see. And it says there:
"A transaction log data disc has been produced as
exhibit PT/02 in the trial of Seema Misra. The
transaction log data disc is made up of ARQs 436 to 448.
It should be noted that ARQ 447 which records the
transactions between 1 November 2007 to 30 November 2007
does contain some duplications of audited records."
But then Mr Jenkins says:
"It is emphasised that [it doesn't] ~... in any way
[affect] actual physical transactions recorded on the
counter~... The duplication of records has ..."
If we could turn the page:
"... occurred during the auditing process when
records were in the process of being recorded purely for
audit purposes from the correspondence servers to the
audit servers."
That final paragraph there, does that look familiar
to you?
A. Yes, it's the same as what's in my statement, yes.
Q. There's a slight difference in that it says improper use
of the computer rather than system, but the rest does
seem to match up?
A. Mm-hm.
Q. But you hadn't seen this witness statement before?
A. No.
Q. And you're not sure why it would largely replicate your
paragraph 8?
A. No, I mean, we do have a standard witness statement that
we produce for ARQs. When we supply ARQs we are
sometimes asked for a witness statement to go through
the process and verify as far as I'm aware that the data
I supplied is accurate. Now, we use that quite a lot
and it may actually be in that statement.
Q. I see. So when I asked you earlier whether it was
something of a Fujitsu party line you said you didn't
think it was, but actually it looks as though it is on
the basis of what you have just told me and on this
document as well.
A. It could be. It may be part of our standard witness
statement that we supply.
Q. And it's not something you think about too much, that
specific section?
A. No.
Q. It's just template. You don't think about it, and you
sign?
A. No.
Q. I see.
MR JUSTICE FRASER: Is that no, you are agreeing, or no, you
are disagreeing?
A. No, I agree.
MR MILETIC: I'm grateful, my Lord.
Now, if we could please go to {F/573/1}. This is
a witness statement of Penelope Anne Thomas. Do you
know Mrs Thomas?
A. Yes, she used to be a colleague.
Q. And have you seen this witness statement before?
A. No.
Q. This is a witness statement also in Mrs Misra's trial
and if you look at the first full paragraph, that
largely replicates your paragraph 3. She was
essentially performing the same role in terms of
providing evidence as you are here, is that fair?
A. Yes.
Q. And if we could turn to page 3 please {F/573/3}, and
just to say, the date of that statement -- it says
4 February on the front page and she describes a bit of
the process there in the second paragraph and in the
final two sentences, in discussing the transaction
records, she says:
"They therefore provide the ability to compare the
audit track record of the same transaction recorded in
two places to verify that systems were operating
correctly. Records of all transactions are written to
audit archive media."
Nothing controversial there, do you agree?
A. Yes.
Q. And just in passing, the two paragraphs below that where
it says:
"The Horizon system records time in GMT and takes no
account of Civil Time Displacements ..."
This is something we have actually heard some
evidence on earlier, but it's correct, isn't it, that
the audit data -- six months of the year the time stamp
will be off by an hour?
A. Yes.
Q. And at the bottom of that page, Penelope Thomas says:
"During audit data extraction the following controls
apply."
And then over the page {F/573/4}, and she too lists
12 controls that aren't entirely -- they don't entirely
match up to the controls that you have set out, for
example, one of the controls that I noted appears to be
missing is in your paragraph 6.9 where you said:
"Checks are made using the JSN that all audited
messages for each counter in the Branch ~..."
I will just let you find it if it would help?
A. Mm-hm.
Q. "Checks are made using the JSN that all audited messages
for each counter in the Branch have been retrieved and
that no messages are missing."
To your knowledge, was this an available control at
this time when Ms Thomas gave her statement?
A. I don't know. I don't know.
Q. So you don't know when that control came into play?
A. No, I don't.
Q. I see. Do you think if it was available it's quite an
important check that Ms Thomas would have mentioned it?
A. Possibly.
Q. But it is quite difficult because she hasn't listed
where she derives those controls from either and a point
that we made earlier when looking at your witness
statement -- you said that you had listed 12 controls
effectively from recollection, or what you understand
them to be, but we can't now verify that by looking at
any documents to see where those controls might appear
and when they were brought into force or not as the case
may be?
A. No -- well, I don't know. There may be ...
Q. I see. How did you satisfy yourself that the controls
you were speaking to in paragraph 6 of your witness
statement do actually apply as at today's date?
A. I -- on those checks -- those -- I was trying to imply
that the data as far as I was concerned, when extracted,
was true and accurate to my best knowledge.
Q. Well, stopping just there. You're trying to imply the
result which is that the data is accurate, but the
question is very specific as to the content, the
existence of the controls that are in place. How did
you verify to yourself that those controls are actually
in place? How did you know?
A. I was trying to imply that the data that I had extracted
hadn't -- from the date of -- from the time of being
extracted hadn't been manipulated or touched and when
you said before (inaudible) with the Post Office, and
controls to actually go in and log on and extract that
data, there were controls in place to do that.
Q. But can you actually be sure that the controls you
listed were in effect and were operating as at the time
you extracted the data?
A. To the best of my knowledge, yes. Yes.
Q. I see.
A. I had no reason to doubt it.
Q. Even though you didn't confirm it through any documents?
A. No.
Q. I see. And over the page, please, {F/573/5}. Ms Thomas
there just describes that she was in fact the one that
extracted the records in relation to Mrs Misra so we
see:
"ARQs 436 to 448 ... were received on
26 February 2010 ..."
It goes on to say:
"I produce a copy ... as exhibit PT/01. I undertook
extractions of data held on the Horizon system in
accordance with the requirements of ARQs 436 to 448 ...
and followed the procedure outlined above. I produce
the resultant CD as Exhibit PT/02. This CD, Exhibit
PT/02, was sent to the Post Office Investigation section
by Special Delivery on 4 March~..."
Do you recall that PT/02 was the exhibit that
Gareth Jenkins in his witness statement was talking
about?
A. I'm -- with it being called the same, I'm assuming it is
the same.
Q. Yes, and he, in that statement, referred to ARQ 447
containing duplicate records and then needing to be
removed. I can take you back if you would like to see
that section?
A. No, that's fine.
Q. So then Ms Thomas sets out:
"This report is formatted with the following
headings."
And then over the page, please {F/573/6}:
"The Event report is formatted with the following
headings."
Now she doesn't mention anywhere there that ARQ 447
contained duplicate records, does she? I can give you
a moment to look at that section.
A. No.
Q. And then the paragraph immediately below it, that again
is your paragraph 8 although this time word-for-word is
the same as your paragraph 8, isn't it?
A. Yes.
Q. And it is consistent with your answer earlier that this
is a sort of template Fujitsu witness statement document
that is provided and you sign --
A. Yes.
Q. -- just to show that the extraction has been okay?
Ms Thomas not identifying duplicates in ARQ 447,
that's slightly problematic, isn't it, to either
Post Office or an SPM that is trying to look at
anomalies and compare sources of data? That's not very
helpful, is it?
A. The statement again is to verify the integrity of the
data once extracted and given. We don't control what's
in the data. Our process is about extracting it and
securely passing it over to the Post Office. It's not
our concern of what's in the data.
Q. It's not your concern what's in the data?
A. No, it's what we're -- we're process-driven to extract
certain types of data for certain requests.
Q. And so whether or not that might match another record or
not, or replicate or duplicate or have gaps, that's not
part of your remit, that's not really part of your
concern?
A. No, it's not.
Q. I see. So reading that and reading the paragraph 8 as
it was in your witness statement, it doesn't give much
comfort to somebody that's then trying to rely on ARQ
data as being a gold standard to compare and investigate
anomalies, does it?
A. Possibly not.
Q. Are you aware, Mr Dunks, of any other specific issues
with the retrieval of audit data that may have impacted
disputes between Post Office and subpostmasters or
subpostmistresses?
A. Not that I can -- not that I can recall would cause
those issues, no.
Q. Could we please look at {F/829}. This is a PEAK,
PC0211833, and do you see under "Summary" it says:
"Audit Retrieval for ARQ Returns Missing Reversal
Indicator."
Do you see that field?
A. Yes.
Q. And then under "Impact Statement" in capitals:
"Service on stop ... ARQ returns for HNGX
transaction records must stop until resolution.
Analysis must identify returns which may require
re-retrieval."
Do you recall a particular issue in terms of
reversals and audit retrieval?
A. No. At that time, Penny managed the ARQ retrieval
process and she -- that was her main priority and her
main job, so I wasn't -- I wouldn't have been --
I wouldn't have seen this issue, or been made aware of
these issues.
Q. You would not have been made aware of this issue at all?
A. No.
Q. Even though you are the person that's extracting data?
A. No. With our team we had a number of different roles
and audit extraction is one of those roles, which is
process-driven, so -- and Penny would have managed that
via this PEAK. I wasn't aware of -- and if I was,
I certainly don't remember.
Q. And if we could go over to page 2 please {F/829/2}. Do
you see that bottom box there? If we look down at
"Impact on operations" -- well, if we start at the top
it says:
"Specify the HNG-X platforms impacted."
Do you see that?
A. Yes.
Q. And it says:
"The platform has been specified and it is the Audit
Server.
"Technical summary: the spreadsheets presented in
support of prosecution at court miss out an indication
as to whether or not a transaction is a reversal."
And then further down do you see "Impact on
operations".
A. Yes.
Q. There again it says:
"Spreadsheets supplied by the prosecution team miss
out an indication as to whether a transaction is
a reversal."
It says:
"The prosecution team are well aware of the
problems; we hope to have a release out in a few days;
a KEL is therefore not required."
Just over the page please {F/829/3}, and it says:
"Risks (of releasing and of not releasing proposed
fix):
"There are few risks with this fix. It must be got
out or prosecution evidence is incomplete."
And then there is a description there of queries
being changed in order to show reversals, and this is
taking place now this PEAK from -- August 2011 is when
this problem was identified, but you say you were never
made aware of it and presumably you weren't aware either
of queries being changed subsequently?
A. I don't recall this, no.
Q. And on the final page, please, of this document
{F/829/5}, there is a final message there saying:
"Fix deployed; all appears to be operating as
required. Closing call. Many thanks to all, Penny."
So it is fair to say that up until August 2011, the
data that you were retrieving did not have an indicator
as to whether or not reversals had taken place?
A. Correct, yes.
Q. Do you see that as detracting somewhat from this being
a secure gold standard record to be compared with other
sources?
A. I honestly can't say whether that has an implication on
that at all or -- that data missing has an implication
on that at all, I don't know.
Q. It's not in your remit, it's not in your concern?
A. No, no.
Q. Were you in court on Monday when Mrs van den Bogerd was
being cross-examined?
A. Yes.
Q. Did you hear a reference to something that was referred
to as the Helen Rose report?
A. I don't recall it but ...
Q. It's a very short point I was going to make, but
actually perhaps it is fair to take the witness to the
document very briefly.
MR JUSTICE FRASER: It depends what the point is, I suppose.
MR MILETIC: Well, the short point is this but actually it
might be, Mr Dunks, that you simply don't know the
answer to this either, so the point that I was going to
make is that it wasn't until the summer of 2013, at the
time of the Helen Rose report, that in actual fact it
was identified to be a problem that the reversal
indicator didn't show whether it was system or
user-generated, but is that something that is outside of
your knowledge?
A. Yes.
Q. Very well. I won't go to that point then.
So, Mr Dunks, having now canvassed through various
documents and looked at various problems that existed
with ARQ data when it was retrieved, can you just
explain to the court why those things, or a semblance of
those issues were not set out candidly in your witness
statement?
A. Sorry, I don't understand.
Q. So we have just been through several documents and
several issues in terms of when audit data is retrieved
and the problems in relying on that data, but none of
that is set out in your witness statement, and is there
a particular reason as to why that might be?
A. Again, the -- what I was trying to convey with our
witness statements, as I believe, is the integrity of
the data once we have extracted it, and then supplied it
to the Post Office, and the controls around the
extraction, not the data itself.
Q. I see, so what you are not saying in your witness
statement is that the data then is accurate and reliable
in terms of use for disputes between subpostmasters and
Post Office?
A. No, I can't say that at all.
MR MILETIC: You can't say that? That's fair.
My Lord, I have no further questions.
MR JUSTICE FRASER: Mr De Garr Robinson?
Re-examination by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Dunks, I would just like you to
look at your witness statement please, paragraph 8. You
were asked a question about this paragraph and you were
asked -- it was suggested to you that you didn't really
think about that paragraph much and I would just like to
take you through it {E2/10/3}. In the first sentence
you say:
"There is no reason to believe that the information
in this statement is inaccurate because of the improper
use of the system."
Mr Dunks, is that sentence true or is it not true?
A. It is -- well, it's true. I don't believe -- there's no
reason to believe that it is inaccurate at all.
Q. And did you think about that sentence when you signed
the statement?
A. It wasn't in the forefront of my mind when I was signing
the statement, no.
Q. The next sentence:
"To the best of my knowledge and belief at all
material times the system was operating properly, or if
not, any respect in which it was not operating properly,
or was out of operation was not such as to effect the
information held within it."
Is that sentence true?
A. Yes.
Q. Would you have signed this statement if either of those
sentences had not been true?
A. No.
MR DE GARR ROBINSON: Thank you.
Questions by MR JUSTICE FRASER
MR JUSTICE FRASER: I have just got a question.
You started doing your current role in 2002, is that
right? I think it is in paragraph 3, you say.
A. I have worked within this team since then, but the roles
have changed within that over that period of time.
MR JUSTICE FRASER: What were you doing before 2002?
A. I was -- there were different roles again within then
ICL, from desktop support, et cetera.
MR JUSTICE FRASER: And when did you start at ICL, do you
remember?
A. Good question. About 21 years ago.
MR JUSTICE FRASER: 1998?
A. Yes.
MR JUSTICE FRASER: You are trying to catch me out with some
mental maths.
I don't have any questions other than that.
I assume there's nothing arising out of that. Thank you
very much for coming, you can now leave the witness box.
MR DE GARR ROBINSON: My Lord, I call Torstein Godeseth.
MR TORSTEIN OLAV GODESETH (affirmed)
MR JUSTICE FRASER: Have a seat, Mr Godeseth.
Examination-in-chief by MR DE GARR ROBINSON
MR DE GARR ROBINSON: Mr Godeseth, there's a bundle of
documents in front of you. Could I ask you to go to
divider 1 of that bundle please {E2/1}. This is
a document that describes itself as a witness statement
by you. Is that your name and address on the first
page?
A. It is.
Q. And if you go to the last page, page 20 {E2/1/20}, is
that your signature?
A. It is, my Lord.
Q. If we could go on to tab 7 in the same bundle, please
{E2/7}. I believe you will see a page with two
corrections, is that right, at the front of that tab?
A. Yes.
Q. And then over the page, there is another witness
statement by you and again, there's your name and
address on the first page, isn't there?
A. That's right.
Q. And page 18 {E2/7/18}, that's your signature, is it?
A. It is.
Q. And then there's a third statement which should be
behind divider 14 of the bundle {E2/14}. Again, your
name and address on page 1, and on page 7, is that your
signature? {E2/14/7}
A. It is.
Q. Now, the later statements clarify and in some respects
correct matters that are set out in the earlier
statement. Subject to those clarifications and
corrections, and subject to the two corrections you saw
in the front sheet at tab 7, do you confirm that these
witness statements are true to the best of your
knowledge, recollection and belief?
A. I do.
Q. Now, Mr Godeseth, I've got a question I would like to
ask you arising from evidence that's just been given by
Mr Dunks, and with your Lordship's permission ...?
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: If we could go to {F/1716} please and
could we go to page 43 of that document {F/1716/43}.
This is a Fujitsu document. It's the Audit Extraction
Client User Manual. Do you see that?
A. Yes.
Q. Now, just remind me, how long have you been working for
Fujitsu?
A. Since 2010.
Q. And since that time, have you had any familiarity with
the audit extraction process and its reliability and so
on, and issues surrounding it?
A. I have clearly been aware that audit extracts have been
happening, but I have not been intimately involved in
that process until more recently.
Q. I see. I would like to ask you about -- at the top of
the page it says:
"TMS and BRDB messages are numbered in sequence for
each node. During filtering any retrieved audit message
data is analysed to determine what message sequences are
present in the data and whether there are any gaps or
duplicates in those sequences. A gap in a message
sequence may indicate that a message is missing from the
audit data. Duplicates may indicate that an audit file
has been gathered twice."
I would just like to ask you a couple of questions
about that. If there had been a gap in a message
sequence during the extraction process that's described
here, is that something that you would know about?
A. I believe so, yes, because it would be a highly serious
problem.
Q. And can I ask you whether there have been any such gaps
during the time that you have been at Fujitsu?
A. I'm certainly not aware of any, and I'm confident that
I would have been told.
Q. Very good. And then moving on to the next sentence, the
duplicates. Could I ask you the same question about
duplicates: what would have happened? Would you be
aware if there were any duplicates?
A. Having seen Gareth's statement, I would say that
duplicates are probably being misinterpreted here,
because if a record goes into the audit trail twice it's
simply two copies of the same record. As long as that's
dealt with, I don't think that's a problem.
MR JUSTICE FRASER: When you say duplicates are being
misinterpreted here, do you mean in this document, in
Mr Jenkins' document, or in what you are being asked?
A. I think here the issue is -- I clearly understand that
the claimants are interested, my Lord, in whether
transactions got duplicated, and I think what goes into
the audit is a record which has come from a counter,
different mechanisms in Riposte and also in the newer
Horizon system. I think what Mr Jenkins is referring to
is that a record can be written to an audit trial twice
and as long as you spot that and you deal with it,
that's fine, because it is simply saying, it is
simply: I wrote down the same thing twice. And the
circumstances in which I have some recollection of is
that the audit trail got written to Bootle and to Wigan,
our separate data centres in the days of Riposte, so
clearly I would have a copy of a record in both Bootle
and Wigan.
MR JUSTICE FRASER: I'm not sure that necessarily answers my
question.
A. Sorry, my Lord.
MR JUSTICE FRASER: When you said duplicates are being
misinterpreted, do you mean misinterpreted in this
Fujitsu document, interpreted insofar as you understand
what Mr Jenkins is saying, or misinterpreted in the
question that Mr De Garr Robinson asked you?
A. I think here I'm saying that duplicates may indicate
that an audit file has been gathered twice is --
MR JUSTICE FRASER: When "here" you mean the Fujitsu
document?
A. In this Fujitsu document. I think that is entirely
consistent with what Mr Jenkins said in his statement.
MR JUSTICE FRASER: I see.
MR DE GARR ROBINSON: "The suggestion here that duplicates
may indicate that an audit file has been gathered
twice" --
MR JUSTICE FRASER: That's what it says in the paragraph.
MR DE GARR ROBINSON: Yes, I have just read out the
paragraph, I don't know why I did that. If duplicates
were being produced in audit extractions, is that
something with which Fujitsu would be interested to
know?
A. I think it is important to go back to understand what
the audit trail is looking to do, and I think I would
like to start by describing the Horizon Online system
which I'm more familiar with, and the audit trail in my
book is I'm trying to write down, transaction by
transaction what is coming from a counter and I am
keeping a record of effectively the transaction as
entered at the counter as closely as I can possibly make
it.
In the Horizon Online, the big protection there is
a thing called the JSN which is the Journal Sequence
Number, and we use this to indicate that -- or to prove
that I have not missed any records and I haven't got any
duplicates. So built into the system at the BOWL(?), we
get a sequence of messages coming up from the counter to
the BOWL, and these all have a JSN in them, and these
are checked to make sure that they just increment by
one.
In the Riposte system, there was a very similar
concept, but this was the message number on the messages
coming from a particular counter, and again, by checking
that I've got a -- what we call a dense list which says
I've got every number accounted for, and I -- if I have
duplicates, and they both say the same thing, that is
just the fact that I have written something down twice
and I imagine from what I have read in Gareth's
statement that this obviously happened in Riposte days
when there were data centres in Wigan and Bootle and
I know that audit trails were written in both centres,
but I think by then saying "Okay, I have now written
some things down twice, but I can recognise those
because they have the same message number", they are
simply copies of the same thing.
MR DE GARR ROBINSON: My Lord, I'm at the margins of my own
understanding of the system and I think I had better
stop now.
MR JUSTICE FRASER: Well, I'm actually just go to pursue
this on your behalf, because your question was quite
simple and it has led to an answer of about a page and
a quarter, so I'm just going to ask the same question.
What Mr De Garr Robinson asked you was if duplicates
were being produced in audited extractions, is that
something that Fujitsu would be interested in knowing?
And I'm unclear as to what the answer is.
A. Yes. Sorry, yes, my Lord.
MR JUSTICE FRASER: The answer is yes?
A. Yes. We would be interested in knowing because we would
have to explain it.
MR JUSTICE FRASER: Right.
If you want to ask a follow-up question,
Mr De Garr Robinson, you can do so.
MR DE GARR ROBINSON: Are you aware of -- since your time at
Fujitsu -- I'm not asking you about Legacy Horizon now,
but since your time at Fujitsu, are you aware of this
issue having arisen in relation to extracting audit
data, duplicates?
A. No, my Lord.
MR JUSTICE FRASER: Mr Green, your turn.
Cross-examination by MR GREEN
MR GREEN: I will start at the beginning of your statement,
if I may, Mr Godeseth. If we can look at {E2/1/1}. You
explain in paragraph 1 that you are employed at Fujitsu
Services Limited as the chief architect on the
Post Office account.
A. I am, my Lord.
Q. And you say you are authorised to make this statement on
behalf of Post Office Limited in the proceedings. It is
right, isn't it, that you were first employed by
Post Office?
A. I was employed by Post Office from 1987 for a number of
years.
Q. Let's have a look at paragraph 5 of your witness
statement please. Sorry, I think we've got the wrong
one there. Can we get {E2/1/1}, please.
Just look at paragraph 5 on page 1 to start with
{E2/1/1}. You give your employment history there and at
the bottom of the page, after leaving the Royal Navy you
joined Forward Trust in November 1981 to work in systems
programming and technical support for their IT systems.
Then if we go over the page:
"I joined the Post Office IT department
in November 1987 to work on a project to introduce
technology into Post Office branches."
What project was that?
A. I know it as the Thames Valley pilot. It was a project
to introduce -- we supported three products in those
days, it was Girobank, DVLA and National Savings,
a pilot in the Thames Valley area which had about 250
offices.
Q. Then at paragraph 6 we see you worked as the technical
advisor to Post Office when they and the Benefits Agency
procured the Horizon system.
A. That's correct, my Lord.
Q. It was unusual as a project; it was being procured by
two different government bodies, wasn't it? There was
the Department for Social Security, Benefits Agency, on
the one side and then there was Post Office at that time
under Royal Mail on the other?
A. That's right, my Lord.
Q. And latterly you were then technical advisor to
Post Office when Legacy Horizon changed to
Horizon Online?
A. Correct.
Q. And then from 2010 you then moved from Post Office to
Fujitsu.
A. I did, yes.
Q. What occasioned that move?
A. I was working as a contractor for Post Office. My
contract came to an end, and I joined Fujitsu on
contract.
Q. But when you say "as a contractor", do you mean as an
independent contractor --
A. Yes.
Q. -- rather than employee?
A. I joined Fujitsu initially as a contractor and then
in November, I accepted a full-time role.
Q. And just so we have a vague idea, for what proportion of
your time with Post Office were you employed, and for
what proportion of the time were you an independent
contractor?
A. I became an independent contractor in 2005, just as
Impact Programme was going live.
Q. Just as ...?
A. The Impact Programme was going live.
Q. Can you explain to the court what the Impact Programme
was?
A. The impact -- the major change in the Impact Programme
delivered was to take out the old cash account and
replace it with branch trading statements, but there
were a few other changes implemented at the same time.
Q. Now, you effectively have worked for both Post Office
and Fujitsu and have been involved in pretty much the
entire history of the Horizon system in different ways,
haven't you?
A. I was -- pretty much, but I was not involved in the
early days of the roll-out of Horizon, so when
I finished my stint on the procurement, I worked
elsewhere in the Post Office, then came back to
Post Office counters to deal with banking and since then
I think my time has been pretty much with Post Office
counters. I had a break in 2009 before coming back for
a short contract with Post Office counters and then
joining Fujitsu.
Q. Right. We will come to the introduction of Horizon and
so forth in a minute, but just clarifying the
construction of your witness statement, your first
witness statement which we're looking at, which is the
one of 27 September 2018, broadly covers the accuracy of
audit data and the issue of remote access for both
Legacy Horizon and Horizon Online, is that fair?
A. It is, yes.
Q. And at paragraph 7 of that witness statement {E2/1/2},
if you just look at that for a moment, do you see at the
bottom of that paragraph it says:
"I therefore have consulted with colleagues who work
in the areas that are covered by this statement to
ensure that my understanding of them is correct."
Which were the areas that you were referring to
there?
A. Basically any area that I wanted to just double check,
so I don't see it as anything specific. I work with
a number of people and if I'm uncertain of anything, or
just want to check up, then I would talk to them.
Q. So you were sufficiently uncertain about certain things
to have to go and speak to a number of your colleagues?
A. I wouldn't say "uncertain". It is due diligence, double
checking.
Q. Who were the colleagues you spoke to?
A. Off the top of my head, I would say Steve Parker and
a couple of guys in his area; Pete Jobson,
Gareth Seemungal, Alan Holmes, Jon Hulme.
Q. Could you just help the court just in relation to each
of those, what were the aspects they were contributing
to your statement, could you just explain?
A. In Steve Parker's area, certainly there are people who
have longer -- or recollections of how Riposte actually
worked. Gareth Seemungal, I talked to about BRDB and
how Oracle works. Pete Jobson I talked to about how
batch systems work. Alan Holmes knows a fair amount
about audit. Jon Hulme, knows the counter pretty well.
Q. Right, that's helpful. Let's look at paragraph 34
please on page 11 {E2/1/11}. We see there "Audit data -
Legacy Horizon."
You say:
"In Legacy Horizon Riposte, a messaging system, was
responsible for storing all data in Post Office branches
and replicating it to data centres. As I was on 'the
other side of the fence' ..."
Because you were working with Post Office at the
time:
"... when Riposte was in use I have consulted with
my former colleague, Gareth Jenkins, to prepare this
section of my statement."
Yes?
A. Yes.
Q. And in fact we see Mr Jenkins' name in a number of other
paragraphs throughout your witness statement?
A. Yes.
Q. And it is fair to say that really the source of that
information that you're giving is Mr Jenkins, isn't it,
because you were working for Post Office at the time?
A. I feel I had a pretty good knowledge of how Riposte
works, since I needed it when I was working on Impact,
but it's absolutely the case that I would get more
detailed information from Gareth.
Q. Because in a number of paragraphs -- I mean, just give
us a couple of examples. At paragraph 38 you say:
"I understand from Gareth that each message included
three key pieces of information ..."
And if we go to paragraph 39, over the page
{E2/1/12}:
"I also understand from Gareth that messages also
had an associated 'Expiry Date' ..."
Paragraph 41:
"I understand from Gareth that due to the size of
the Post Office network [they] were split into four
separate clusters ...."
And so forth. Paragraph 43:
"I understand from Gareth that the audit application
read every record that was visible to the correspondence
server ..."
Paragraph 44 {E2/1/13}:
"I also understand from Gareth that once these files
had been written they became visible to the audit server
which would pick them up ..."
I'm obviously not going to keep going, but that's
information you have obtained from Mr Jenkins, isn't it?
A. It's difficult to judge how much I knew beforehand, but
certainly talking to Gareth has freshened up my
understanding of it.
Q. I suggest to you it is mostly Mr Jenkins' explanations
to you which you seem to think --
A. I would certainly regard Gareth as an expert on Riposte,
having far more knowledge about it at a practical level
than I have.
Q. He is the most obvious person to talk about it in
a sense, isn't he?
A. Yes.
Q. And let's look, if we may please, at page 16 of your
first witness statement {E2/1/16}. This falls under
a heading called "Balancing Transactions" which has been
given an acronym of "BTs".
A. Yes.
Q. We will come back to that. But just for the moment,
just to orientate you where you are in the statement, if
you look -- I'm sorry, Mr Godeseth, I didn't spot you
didn't have any water.
(Pause).
Just to orientate yourself in the witness statement,
you've got:
"A small group of Fujitsu users from the Software
Support Centre ... (30 users) have the ability to inject
additional transactions into a branch's accounts in
Horizon Online, using a designed piece of functionality
called a Balancing Transaction."
Now, pausing there, we heard Mr Roll being
cross-examined and it was suggested to him that within
SSC there were about 25 members who were -- whose
experience Mr De Garr Robinson went into with Mr Roll,
and then five sort of super elite members, as they were
described by Mr De Garr Robinson.
A. Mm-hm.
Q. That's a total of 30. Is that about the same size as
the department is now? Is 30 users the whole of SSC?
A. I wouldn't know. Steve would be able to give a far
better -- but I -- I think there was about that number
of people there, yes.
Q. So Mr Parker would be the person who knows, and you
think it's probably about the whole of SSC?
A. Yes.
Q. So when we just look at the words:
"A small group of Fujitsu users from the Software
Support Centre."
It's actually probably the whole or most of the
Software Support Centre?
A. Mm-hm.
Q. Everyone, it looks like?
A. Yes.
Q. If we come down to paragraph 58.9, just go over the page
{E2/1/17}, that's -- that all seems to be dealing with
Horizon Online and then at 58.10 you say:
"In Legacy Horizon, any transactions injected by SSC
would have used the computer server address as the
counter position which would be a number greater than
32, so it would be clear that a transaction had been
injected in this way."
Yes? That's what you said in that first witness
statement.
A. That's what I said in that statement, correct.
Q. Now, just pausing there, you don't say who you got that
from, but did that come from Mr Jenkins?
A. Yes. The greater than 32 came from Mr Jenkins, correct.
Q. So we could write in there "I understand from Gareth"?
A. Yes.
Q. And in fact if we go back to paragraph 36 on page 11
{E2/1/11}, it is effectively mirroring the overall
description that the node ID associated with an injected
message would be that of the correspondence server at
which the message had been injected, and not a normal
counter node ID, and therefore would have been clearly
visible in any audit data.
A. Yes.
Q. That's the same point but without using the number 32,
yes? It's a broader point, but it captures the point
that you're making in 58.10 and is consistent with it.
A. There were a number of mechanisms for the -- I think the
preferred route for injecting any transactions would
always be to do it at the correspondence server. There
were occasions where it was necessary to inject messages
at the counter. I think that was the point that Mr Roll
was making in identifying that messages had to be
inserted to correct problems at the counter, and there
are a few instances where clearly that happened.
Q. Yes. And so can I just ask you, did you get this
section in 36 also from Mr Jenkins, broadly?
A. Yes.
Q. And then just going forward in your third witness
statement at {E2/14/7}, paragraph 25 -- I'm so sorry.
If you look at paragraph 25 you say:
"In paragraph 58.10 of my first statement I stated
that any transactions injected by SSC in Legacy Horizon
would have used the computer server address as the
counter position which would be a number greater than
32. I have read Parker 2 and I am now aware that it was
also possible for SSC to insert transactions with
a counter position with a number less than 32. I did
not discuss this in my first statement because I was not
aware of it."
A. That's correct.
Q. So at what point did you realise that it was not
correct?
A. When it was brought to my attention at the time that
Steve was preparing his second statement.
Q. Were you a bit shocked about that, to find it was wrong?
A. "Shocked" would be too strong a word. It was -- I was
finding out a detail that I didn't know before.
Q. You were finding out a detail that you didn't know
before in quite a controversial area, weren't you?
A. It was clearly an area that was going to be of interest
because of the fact that we were inserting transactions
into Riposte. It was an operational necessity and it
was done in a controlled way. I had believed that the
way that transactions were being injected would give
them a counter position greater than 32 because the
correspondence servers basically had nodes or addresses
which were above 32, there was a special address for the
gateway server, there was a special address for the
extra disc in a single position branch and I had
basically expected messages to be introduced using
a different counter position and having read a whole
number of PEAKs, I can quite clearly see that the
standard practice in Fujitsu was to label something
which was being inserted into Riposte so as to make it
as clear as possible that it was not being done -- it
was being done as something out of the ordinary, it was
being inserted because of a problem.
So we had techniques for doing that. You could put
in an attribute because this wouldn't be visible to
a subpostmaster, I fully understand that, but it would
be visible in the audit trail, when you ever come back
to pull out the audit trail, you could put in an
attribute to say "This was done under PEAK 75".
Subpostmasters would never see that. They would not see
it in their account in their branches and I'm fully
aware that that is the case. It was a better audit than
Mr Roll was alluding to when he said that it was left in
a PINICL, because that would have been an audit which is
separate from the actual data that we would be looking
at should we ever need to pull stuff out of the audit
trail and the intention was always to make it as clear
as possible that this had been done under exceptional
circumstances.
The techniques used to make it as visible to the
subpostmaster as possible would be to put in references
which referred to a counter that didn't exist in the
branch, such as -- I saw a technique described in
a number of cases which said put in a -- you know, if
you are correcting something for counter 1, call it
counter 11; if you're correcting something for counter
2, call it counter 12. These things would have been
visible to a subpostmaster and the reason that you had
to do it that way was to make sure that these
transactions also got picked up and dealt with because
these were legitimate counter numbers.
If I start to put in data with a number which is not
a legitimate counter number then it's going to be
ignored by systems further down the track.
Q. So which were legitimate counter numbers?
A. Up to 32.
Q. Right, so you say less than 32 in your witness statement
at paragraph 25 --
A. Sorry, I may have got that -- the boundary was at 32;
whether 32 was a legitimate --
Q. Don't worry about that. That's not -- that's not --
A. -- counter or not, I don't know.
MR JUSTICE FRASER: Please don't talk over each other.
MR GREEN: I'm so sorry.
Don't worry about the boundary. So the short point
is that you learned, when Mr Parker was preparing his
second witness statement, that it was in fact possible
to inject transactions which a subpostmaster would not
know about at the counter rather than at the
correspondence server, you learned that for the first
time?
A. I cannot see how a subpostmaster would not have been
aware of these transactions being injected, because
there's a technical rationale why the subpostmaster had
to be in his branch -- sorry, it didn't necessarily have
to be the subpostmaster, it had to be somebody in the
branch who was logged on when these techniques were used
to inject transactions at the counter and the simple
reason is that if you didn't have somebody logged on,
then Riposte would have generated a message with a blank
user ID. Riposte was responsible for actually wrapping
the message that we were looking to insert at the
counter, and in doing that, Riposte will tell you the
counter ID, or technically it was a stream, it would
pick up the user ID, it would pick up the time, so this
was effectively the envelope which wrapped the payload
that we were looking to inject.
If there was no user logged on at the counter then
Riposte would introduce a blank user ID and that would
be picked up in later processing.
Q. But let's take it in stages, if we may.
MR JUSTICE FRASER: Just before you do.
Mr Green is going to be putting quite precise
questions to you. I know it's an understandable human
reaction to want to argue wider points, but I would like
you to listen to his questions and answer his questions
please.
A. Yes, my Lord.
MR JUSTICE FRASER: Right, Mr Green.
MR GREEN: Can we separate what you can do from what you
have inferred was done in many cases from PEAKs you have
looked at, and let's focus on what could be done.
You realised for the first time that it was possible
to inject or insert a transaction with a counter
position less than 32 when Mr Parker was preparing his
second statement?
A. Correct.
Q. And you knew that that was a contentious issue in this
litigation, yes?
A. Yes.
Q. And if we can go back please to paragraph 58.10 of
{E2/1/16}. Go over the page please to 10 {E2/1/17}
there it says:
"In Legacy Horizon, any transactions injected by SSC
would have used the computer server address as the
counter position which would be a number greater than
32, so it would be clear that a transaction had been
injected in this way."
Can we go back to the previous page just to get the
introduction to that {E2/1/16}. It's not immediately
clear from this part of your statement that you got that
information from Mr Jenkins, is it, 58.10?
A. Sorry, I'm looking at 58.7 here?
Q. Yes, I'm just showing you --
A. I agree, yes.
Q. So what had actually happened to you is that you had had
a conversation with Mr Jenkins, he had given you the
information on a contentious point in the litigation,
and you had repeated it in a way that could be read as
sounding as if you knew about it yourself?
A. That was certainly not deliberate.
Q. No, but I'm just saying that is what had happened?
A. I can accept that.
Q. And then you found out that was wrong. Did you go back
and talk to Mr Jenkins about it?
A. I don't think I have, no.
Q. Were you not interested to find out from him directly
whether they always used counter numbers other than
those in use by the SPM, rather than inferring matters
from PEAKs as you have suggested?
A. I have not discussed it further with Gareth.
Q. So you are not in a position to comment on that beyond
what you have inferred from the PEAKs?
A. I think that's fair, yes.
Q. Now, it would be possible, would it not, to use
a counter number of 1, or 2, or 3?
A. It would.
Q. And if that counter number was a counter number actually
in use by the SPM, it would appear to the SPM, from the
records they could see, that it was a transaction which
had been done in their branch, by them or their
assistants?
A. Yes.
Q. Now, you were at Post Office at the time that
Legacy Horizon was in use, weren't you?
A. I was certainly at the Post Office when Legacy Horizon
was in use.
Q. You had a break, I think you mentioned earlier. Was
that around 2009?
A. In 2009 I finished my contract with Post Office counters
in roughly June, and went back to Post Office counters
in the following January, so I had a six-month gap.
Q. And apart from that were you continuously working for
Post Office from 1987 to when you left and joined
Fujitsu?
A. No. I think it's covered in my opening statement, that
I was -- from Post Office I was outsourced to a company
called Xansa, and then after a couple of years --
probably two and a half years at Xansa, I decided to go
independent.
Q. So when you were outsourced to Xansa --
A. I continued in roughly the same role.
Q. -- you continued -- did you remain an employee of
Royal Mail IT department outsourced, or were you
outsourced so that you went and worked for someone else
with a direct relationship with them?
A. I was outsourced from Royal Mail to Xansa as part of
a rationalisation programme, so therefore I was employed
by Xansa, I was paid by Xansa.
Q. I understand. So apart from that period and the short
break you had in 2009 that you have described, the
six-month break which began in 2009, you were at
Post Office effectively throughout the period from 1987?
A. I was at Post Office, I was working actively on the
Post Office account for most of that time, but, as
I say, once the procurement of Horizon with ICL Pathway
had come to a sensible juncture, I did spend some time
working with other parts of Post Office, Parcelforce,
the Television Licence Agency and such. So there was
a gap in my time alongside Post Office counters.
Q. In the light of your time and position and role within
Post Office, would you have been regarded as
a knowledgeable person within Post Office about whether
remote access of the type we're talking about was
possible?
A. I believe I would have been regarded as a knowledgeable
person.
Q. Very knowledgeable?
A. Yes, I would like to think so.
Q. And it is your evidence to the court that you were
completely unaware that inserting transactions in this
way was possible throughout your time at Post Office?
A. To be honest, I wouldn't have actually thought about it.
If you are looking to support a large system, then
I think the logical conclusion is it's inevitable that
you have to do this sort of thing on occasion.
Q. So if you had been asked whether it was likely that it
would be possible, you would have said --
A. Yes.
Q. -- it's inevitable because it's a large system?
A. I think so, yes.
Q. So were you a bit surprised when Mr Jenkins told you
when you were preparing your first witness statement
that it would not be possible to do it unless it was
done just to the correspondence server?
A. I don't think he told me that. I think that is his --
his description to me was a far more generic one rather
than going into that level of detail.
Q. But wasn't the key point that you were giving evidence
about whether or not it would be identifiable as not
having been done by the subpostmaster?
A. I think we were really talking about messages coming in
at the correspondence server which would therefore be
very different from the ones coming from the counter
which would have the lower counter numbers or node
numbers.
Q. The short point is, Mr Godeseth, that your original
witness statement was -- paragraph 58.10, if we can just
look at that finally {E2/1/17}. Paragraph 58.10 was
clearly designed to suggest that it would not be
possible to insert transactions as Mr Roll was
suggesting, wasn't it?
A. I don't see that as the intention at all. I think there
I was looking to describe -- I think the intention was
to describe that transactions injected by the SSC would
be different from transactions done by the counter.
Q. Well, that's not quite what you say. This is my last
question on this, I think. You say:
"In Legacy Horizon, any transactions injected by SSC
would have used the computer server address as the
counter position which would be a number greater than
32, so it would be clear that a transaction had been
injected in this way."
A. Yes.
Q. You were specifically ruling out injection of
transactions in a way that the subpostmaster could see,
weren't you?
A. Sorry, could you repeat the question?
Q. That form of words you have used was specifically ruling
out the injection of transactions in a way that
a subpostmaster could not see?
A. I think there are too many negatives in this.
Q. The effect of what you were saying there was that any --
we can read "all" -- transactions injected by SSC would
have had a number greater than 32?
A. Yes.
Q. And that would make it clear that a transaction had been
injected?
A. Yes.
Q. What you were trying to say by that was it was not
possible for transactions to be injected which would not
be clear that they had been injected?
A. I would still say that transactions that have been
injected are clearly identifiable, albeit there may be a
convoluted route to identifying them.
MR GREEN: My Lord, is that a convenient moment?
MR JUSTICE FRASER: I think it probably is. We will come
back at 2 o'clock.
Mr Godeseth, you are in the middle of giving your
evidence so you're not allowed to talk to anybody about
the case over the short adjournment. Come back at
2 o'clock.
(1.03 pm)
(The luncheon adjournment)
(2.01 pm)
MR GREEN: Mr Godeseth, can we look at the introduction of
Horizon itself, paragraph 6 of your witness statement at
{E2/1/2}. We have mentioned already you were technical
advisor in the procurement of the Horizon system and
touched on the fact that it was unusual because it was
two different government entities.
It was not uncontroversial, this project, at the
time, was it?
A. Sorry, it was -- certainly it was an interesting project
to be working on, so I'm not sure ...
Q. Well, let's take it in stages. It encountered quite
a lot of difficulties as a project, didn't it?
A. Yes.
Q. And its sort of birth as a system was not entirely easy,
is that fair?
A. I think that probably the relationship between Post
Office, Benefits Agency and the contractual situation is
fairly well-known, yes.
Q. And if you can very kindly look at {F/70} as an example.
This is a Computer Weekly article, 1 November 2000, and
you will see there it says:
"The infamous 1996-1999 Pathway project aimed to
computerise the nation's post offices and tackle benefit
fraud. But 18 months later, after losing millions and
destroying reputations a credible IT project has
emerged."
So although, as we will see, the problems were
well-known, as you have fairly accepted, a credible IT
project did emerge from it?
A. Mm-hm.
Q. Which was what we now know as Horizon?
A. Yes.
Q. And the article then, in paragraph 2, notes:
"It was one of the largest roll outs in Europe~...
despite its complexities, it is now running smoothly, on
time and to budget."
That was the impression they had. And the NAO had
had some concerns about money wasted on the aborted
attempt for the swipe card system, yes?
A. I must admit I have no recollection of what the swipe
card system would have been, but ...
Q. Do you remember that the focus of the project changed as
it went along? It was originally going to be very high
levels of security for the direct payment of Social
Security benefits through the system and then in the end
the DSS pulled out and --
A. I certainly recall that the Benefits Agency pulled out.
Q. And a deal was done with Fujitsu to carry on with just
the Post Office --
A. Yes.
Q. -- as a contracting party. If we look at the reason
that the Select Committee on Trade & Industry was
looking at it in July 1999, if we look halfway down the
page you will see:
"At a hearing of the Select Committee on Trade &
Industry in July 1999, two months after deciding to
cancel the swipe card, and causing massive monetary
loss, three cabinet ministers leaned heavily towards
blaming the supplier, ICL Pathway, for the disaster."
Now, there was -- I think you have hinted at it,
that the relationships were not very easy, is that
a ...?
A. There were some very fascinating tensions going on, yes.
Q. Yes. And there was some dispute over the terms on which
Fujitsu would carry on with a project that they had
anticipated and agreed would be both for two clients
essentially, with just one?
A. Yes.
Q. And so the deal that was done with Fujitsu at that stage
was one which in some senses compensated Fujitsu for
losing the DSS?
A. I can't comment on that. I didn't know about the
contractual situation at that point.
Q. Now, in your paragraph 12 you say Fujitsu began a pilot
of the system in 1996 and it was rolled out across the
Post Office network between 1999 and 2000. At that
stage, the pilot was still for the Post Office and the
Benefits Agency, wasn't it?
A. I honestly don't know. The objective of the original
Horizon system was very much to replace what was then
the mechanism for issuing pensions and such-like, which
was an order book, you would get 13 slips in it and --
so my recollection is that this was what we were looking
to replace.
Q. And if we go to {F/3} please. That is the ICL Pathway
Technical Environment Description, do you see that?
A. Yes.
Q. At that stage I think ICL -- Fujitsu had a majority
shareholding in ICL, but only became a 100% shareholder
in 1998, is that right?
A. I honestly don't know.
Q. You're not sure, no. If we look at page 9 of that
document please {F/3/9}, we can see references there.
A. Sorry, I'm looking at page 8 at the moment.
Q. Oh, you should have page 9.
MR JUSTICE FRASER: I think you are looking at page 9.
A. Okay, at the bottom it says --
MR GREEN: Internal page 8 at the bottom, but at the top,
electronic page 8 --
MR JUSTICE FRASER: No, electronic page 9.
MR GREEN: I'm sorry, electronic page 9.
"References", you can see who was involved there.
If you look at the bottom of the references you see
"Agent Architecture - Gareth Jenkins."
A. Yes.
Q. Is that the same Gareth Jenkins we have been mentioning?
A. Yes.
Q. And if we look at page 92 please {F/3/92}, you will see
under the heading "Migration":
"This section describes the mechanism by which the
Outlets that take part in the Limited Go Live will be
integrated into the Pilot Roll-out."
So there were two sort of phases of that, weren't
there?
A. Again, I don't have any personal recollection of this
because I wasn't involved at that time.
Q. You didn't have any involvement in this bit?
A. No, no, no, for the actual roll-out of it, I was not --
I was off doing other things.
Q. What were you doing at that time?
A. Parcelforce, SSL, as they were known, who were the TV
licence guys in Bristol, Post Office Group.
Q. Okay. Let's just look under "Background" you will see:
"The 10 Outlets that take part in the~... Go Live
use early versions of the solution. This includes the
counter PC ..."
Which we now know as the Horizon terminal?
A. Yes.
Q. "... the BPS application suite ..."
What's that?
A. I don't know.
Q. Might it be business process systems? You don't know?
A. It could be, but I --
Q. "Riposte etc"?
A. Riposte I recognise, the rest I don't.
Q. Okay. And if we go please to {F/3/92} -- sorry, I think
we may have a misreference there.
Let's go to {F/299} please. Now, this is a document
that begins the migration to Horizon Online --
A. Yes.
Q. -- and what's contemplated. Pausing there, by the time
you were advising in relation to this, you were aware
that there had been a number of problems with the old
legacy system that we have seen in many of the PEAKs.
A. HNG-X was very much geared -- or HNG as it started
off -- was geared at refreshing the solution. I don't
remember it being seen as fixing a whole load of PEAKs,
it was simply seen as refreshing the system.
Q. Yes, but pausing there, I -- my question is quite
specific.
A. Sorry.
Q. Did you have any awareness of any problems that had been
encountered with Legacy Horizon by the time that you
were advising in relation to migration to
Horizon Online?
A. I will have been aware of some at the time but
I honestly cannot remember any major issues that I was
dealing with, but because of the work I was doing,
because I was having to ensure that Post Office could
continue to deliver change and whatever, I would have
been aware of it, yes, certainly.
Q. Okay. So important PEAKs would have been drawn to your
attention under Legacy Horizon, you think?
A. I believe so, yes.
Q. And when we look at the aims of the HNG-X plan, this is
dated 21 September 2005?
A. Yes.
Q. Can we look at page 10 please {F/299/10}. This is
a document that you would have known about, isn't it, in
all likelihood?
A. I was certainly involved at this stage, yes.
Q. And you will see that the -- under 1.4 you will see:
"While Post Office has considerably increased
expectations on cost reductions, the organisation has
also become substantially more open to operational
changes. Post Office has clearly indicated that
aspirations to a more retail-type IT spending are
matched with the acceptance of more retail-type
operational practices."
And then:
"The original business case for HNG within
Post Office was based on a balance of cost reductions
and improved capabilities. The new business case is
almost entirely based on cost reductions".
Now, that was accurate at the time, wasn't it?
A. I didn't write it, but I'm not going to argue the case.
Q. And if we look at page 13, paragraph 3.1.1 {F/299/13} we
see under "Assumptions":
"The fundamental assumes is that Post Office will
accept a solution based on the business capabilities
that the solution provides and will not insist on being
involved in the technical and technology aspects. This
will require Post Office to fully engage with suitable
empowered personnel in these initial stages and to have
in place assurance and decision-making processes that
align with the time/cost boxed programme milestones."
Now, just pausing there, effectively what is being
said is that Post Office was not insisting on being
involved in the technical and technology aspects, is
that correct?
A. Certainly it was looking for a more arm's length
relationship, sir, yes.
Q. A more ..?
A. Arm's length, I think.
Q. Arm's length?
A. Yes.
Q. If we look at page 16 of this document please
{F/299/16}, do you see under 4.0 "Business
Applications".
A. Mm-hm.
Q. "In order to reduce the overall application development
costs within HNG-X, substantial reuse of data centre
application components is proposed."
A. Yes.
Q. That's correct, isn't it?
A. Yes.
Q. That's what was proposed and what was done:
"The Legacy Host database applications (TPS, APS,
LFS, DRS and TES) are to remain largely intact."
Can you remember what they were?
A. TPS is transaction processing system, AP is automatic
payment system, LFS is logistics feeder system or
service, DRS is data reconciliation service, TES is
transaction enquiry service.
Q. Thank you. And they were remaining largely intact:
"The online interfaces (~... Banking Streamline and
ETU)~..."
What was ETU?
A. ETU is electronic top-up. It's paying for your mobile
phone.
Q. "... will be modified to provide a Web Service interface
in place of Riposte messaging together with
a simplification of the security mechanisms."
A. Yes.
Q. That's a fair summary of the matters that it deals with
there?
A. Yes, I think so.
Q. Now, that was recycling quite a lot of application
components, wasn't it?
A. Yes.
Q. And if we look at page 23 of this document {F/299/23}
you see in the second paragraph:
"There will be minimal change to legacy
applications. LFS, DRS and TPS will incorporate new
harvesters that will extract transactions from the
Branch database rather than the message store."
And that reflected the change that was going to be
made because the data would no longer be held in the
message store in branch, it would be held in the branch
database, the BRDB?
A. That's right.
Q. "APS will be modified such that it extracts
transactional data directly from the TPS stream and this
reduces the need for much of the AP-TP reconciliation."
Can you just tell the court what the AP-TP
reconciliation is?
A. AP is responsible for sending transactions off to
clients; TP is responsible for sending transactions to
basically Post Office back-end systems. The
reconciliation was there to make sure that if you sent
something to the back -- to a client, it was also being
sent through to the Post Office back-end systems.
Q. Okay. Then it says:
"No other rationalisation is proposed to the data
centre applications as part of HNG. A phase II
rationalisation programme is not deemed to be part of
the HNG-X project and must be separately justified at
a later stage."
What was phase II, do you know?
A. I don't think there ever has been a phase II. We're
currently making changes which will probably get rid of
things like -- or certainly reengineer things like DRS
and LFS. TPS is still there, but pretty nearly
redundant, so nothing that I would recognise as
a phase II rationalisation process.
Q. Okay. And if we look at {F/451} please, this is the
HNG-X testing strategy. The document is dated
10 April 2008 and can we just go to page 10 please
{F/451/10}. Now, if you look at the third paragraph
down:
"It has been recognised for some time that this
architecture, whilst providing an extremely robust
operational solution, was not ideally suited to the very
different business and technology drivers that prevail
today."
Now, we see "robust" as a description of the
solution in lots of places in lots of documents, both at
PO and Fujitsu, and it's a term that you're very
familiar with, isn't it?
A. Yes.
Q. The latter part of that sentence is saying it is not
ideally suited to the very different business and
technology drivers that prevail today and it goes on and
says:
"In addition, in common with many elderly systems
that have been subjected to a succession of major
changes, it has become increasingly difficult to make
those changes, and expensive to operate."
Now, that's a fair description of how the system
originally was perhaps designed jointly with the DSS at
the beginning and launched and then over the years,
between then and 2008, there have been lots of sort of
bolt-ons and additional things that have been changed on
the system, haven't there?
A. Yes, I think that's fair. The major one probably in my
mind would be banking.
Q. And if we look at the fourth paragraph down, three lines
down please:
"The main drivers were to create a solution that was
more responsive to business change (faster time to
market), and more efficient to operate, maintain, and
enhance, thus providing lower Total Cost of Ownership
(TCO). However, HNG was ambitious, projected costs were
high, and the benefit realisation profile was unclear.
In particular, HNG had been predicated on expecting
a high rate of future business change for the system.
Emerging business strategy in the Post Office indicated
that this was uncertain and could not be relied upon
sufficiently to support the proposed business case. As
a result HNG was suspended in the summer 2005."
Yes? Can you remember that happening, the project
being suspended at that point?
A. Yes.
Q. And if we now look at what is being proposed, the bottom
paragraph of section 1.1 on {F/451/10}:
"The HNG-X programme proposes a somewhat less
ambitious re-engineering of Horizon, without the branch
network hardware refresh ..."
A. Yes.
Q. "... and with the focus squarely on reduction of the TCO
[total cost of ownership]. The principal drivers for
the HNG-X programme are to deliver a solution that
significantly reduces the TCO, whilst maintaining
'Business Equivalence' (ie the HNG-X solution is to
provide effectively the same business capability as the
existing Horizon solution, but cost less to operate and
maintain)."
Now, is that a fair summary?
A. I can't argue with it, certainly.
Q. Can we look, please, at {F/555}. This is a Post Office
online induction training presentation. Can we go to
the next page of that please {F/555/2} and the course
aims are to:
"... give you all the information and skills that
you will need to successfully support a branch from
Horizon to Horizon Online."
So this is actually an internal Post Office
document, it appears, and if we look at page 10 please
{F/555/10}. This is Horizon's current state:
"13 year old design and technology to satisfy
a different business.
"Slow and expensive to use.
"Evolved rather than designed - a consequence of
which is a robust service but complicated to change."
Do you see that?
A. Yes.
Q. Now, the comment on it being a 13-year-old design and
technology is fair, isn't it?
A. Yes.
Q. The comment on it being slow and expensive to use is
fair, as at that date, or do you feel a bit conflicted
because you now work for Fujitsu?
A. I know that Post Office regarded this as expensive and
they also regarded it as slow to change. I personally
didn't necessarily go along with that because there was
a -- there's an AP-ADC product which since I was
involved in Post Office at this time, AP-ADC was my way
of being able to carry on making business changes whilst
we were going through this particular phase, so yes,
I feel slightly conflicted because I know that the
Post Office high-level view was that you couldn't make
changes to Horizon, whereas I was busy -- you could
do -- there were certainly changes you certainly could
not do, but my feeling was that we could continue to
support the business, they could continue to take on new
clients using this facility, AP-ADC.
Q. Okay, well, have a look at the four lines at the bottom
of the page if you would and see whether you think this
is fair:
"Horizon is also a system that's wrapped up in
'barbed wire' -- making changes difficult and costly --
test everything!"
Is that an understandable observation?
A. I think that I would see that from Post Office
perspective but, as I say, my personal view on this was
that I could still make changes by getting AP-ADC
scripts through, but there were certainly some things
that yes, if -- there were some things that would have
been very difficult to change at that time.
Q. If we look at -- if we just go back if we may please to
{F/451} which is the HNG-X testing strategy of
10 April 2008. If we look at page 33 of that document
please {F/451/33}, paragraph 2.2.6, "Migration Complex
and Critical":
"The system and data migrations required for HNG-X,
both at the Data Centres, and at the branches (which
continues branch by branch throughout the roll-out
period), are absolutely fundamental to the success of
the deployment. It is a complex area requiring careful
and detailed planning. Thorough verification and
validation will be essential."
Now, that's fair, isn't it? I mean, that's what you
would expect to see, yes?
A. Yes.
Q. And if we look at the bottom two paragraphs of that
section:
"Migrated data should be introduced into the
mainstream tests as soon as practicable, interleaving
migration tests with functional test cycles."
And then:
"Full-blown rehearsals of the detailed migration
plans must be completed prior to Pilot."
Yes?
A. Yes.
Q. So what this envisages is that before the pilot is done,
there must be full-blown rehearsals of detailed
migration plans to try and see if there are any problems
or difficulties.
A. Yes.
Q. Now, in fact, the pilot had to be stopped, didn't it?
Do you remember that?
A. Yes.
Q. Let's have a look, please, at {F/588}. This is PEAK
PC0195380 and you can see it is created apparently on
2 March in the top box under "Progress Narrative",
and --
A. This is which year, sorry? This is 2010, yes. Yes.
Q. Sorry, I think I've got the wrong reference there, wait
a minute. Just give me one second.
I will come back to that in a second, if I may.
I think we may not have the correct reference.
Let's go forward, if we may, to {F/614} and this is
the Horizon Online Programme Update. Who was
Mark Burley?
A. Mark Burley was my boss whilst I was working on the
preparation for HNG-X.
Q. And how long had you worked with him?
A. On this -- I knew him way before I started working with
him. On this project I guess I was working for him for
a year, a year and a half.
Q. And if we look, please, on that document at page 4
{F/614/4}, we can see Horizon Online status:
"614 branches live on Horizon Online (plus 8 Model
Offices)."
A. Yes.
Q. And then do you see:
"High Volume Pilot suspended."
A. Yes.
Q. And:
"NFSP raised concerns but remain supportive."
A. Yes.
Q. And can you remember that the NFSP had raised concerns
about the problems that people were having in the pilot?
A. No, I can't, because at this stage -- this is early
2010 -- at that time I was actually -- I was back in the
Post Office working on a different project and so this
was happening around me, but I was concentrating on
something which was called SMTS.
Q. Okay, so you weren't in touch because you had only just
come back I think, hadn't you?
A. I had just come back into the Post Office to work on
this specific --
Q. In March?
A. No, sorry, I came back in January.
Q. Came back in January?
A. I came back to the Post Office in January to work on
small money transfer service.
Q. Okay, at the bottom of that slide we see:
"Fujitsu initiated 'red Alert' and independent
reviews."
A. Yes.
Q. What did you -- did you know what a red alert from
Fujitsu meant at the time?
A. I certainly would have done and when I moved across to
Fujitsu, we were in red alert.
Q. So when you moved to Fujitsu they were in a state of red
alert on this project?
A. Yes.
Q. And were there different codes for the colours of alert?
Were there other alerts, amber alert?
A. You have got me on that one, but I'm sure there were.
Q. Can we infer from "red alert" that it is quite serious?
A. Oh, it was very serious.
Q. And can you tell his Lordship why it was serious?
A. There was an issue with Oracle which was the biggest
problem, but clearly there were other problems going on
at the same time because it was a brand new system, but
the big one was an Oracle issue which I got involved in.
Q. Can you remember some of the other problems that were
happening at the time?
A. I have to admit, I was focused on the Oracle problem.
I was new into Fujitsu. In that sense I was finding my
feet and trying to work on the big one.
Q. Fair enough. Can we go back to {F/588} please. This is
the same PEAK I think I identified, PC0195380, and can
we go to page 4 of that PEAK please {F/588/4}. Now, can
you see in the box under 5 March 2010 at 08.03.08,
second box down?
A. Yes.
Q. Under -- it says:
"We have received notification from POL regarding
the problems at this office. PSB ..."
Do you know who PSB was, or what it was?
A. No, I don't think it's a person. I don't know what PSB
means. It is possibly "Please see below" but ...
Q. Okay:
"On the 1st of March at the close of business we
found that on node 5 the cash was short of £1,000. All
of the figures for that day match the figures presented
at the time of each transactions. An instant saver
withdrawal of £1,000 was transacted that day, but I was
unable to find this transaction using the online report
facility. I feel very anxious as I believe a system
error has occurred at the time of this transaction."
So this seems to be being relayed from what the SPM
has rung up about:
"On the 2nd of March a transaction for a cash
withdrawal was completed where the system commanded
a member of staff to issue the money to the customer on
screen but the receipt printed for that transaction
printed out a decline slip. The customer was honest
enough to bring back the decline receipt a day later
with the money."
Then:
"On the 2nd of March on node 5 a £220 cash deposit
was authorised on screen but twenty minutes later the
customer brought back a receipt that stated the
transaction had declined. We contacted the NBSC as and
when the customer produced the receipt. The NBSC stated
that the transaction approved on the system and had no
idea why the money was not deposited and why the decline
slip was printed."
Now, pausing there, was this something that you
would have been aware of in March 2010 or not?
A. No, I was in the Post Office at that time and so
I wasn't involved in this bit.
Q. What were you -- you were in the Post Office at that
time ...?
A. I was working in the Post Office on a separate project.
I had just come back in on a new project, on a new
contract.
Q. But you were someone who had been working a lot in
relation -- was very knowledgeable about Horizon?
A. Yes.
Q. Did any of this come to your knowledge?
A. No.
Q. And if we see then:
"A rem was scanned in our system and all figures had
doubled up. The helpline team was notified at the time
to which they seemed more confused as to why it happened
than me!"
In your time prior to going off in 2009, had you
sort of encountered difficulties of this sort in other
PEAKs?
A. No, this is a problem with Horizon Online, so this is
a problem with the new system. I had -- at the time
that I finished my contract with Post Office, we were
gearing up for starting the migration process but the
big bit that concerned me most was the moving stuff
across from one data centre to another. This bit, the
counter migrations, was just kicking off in May 2010, so
okay, the figures there say that we had 600 branches,
I think you said there. So in May 2010 when I was back
on the scene but this time on the Fujitsu side, we were
in red alert, we did have a big problem with Oracle, we
were having to recover the situation so as to get ready
to carry on with the counter roll-out.
Q. Now if we look -- I apologise, I haven't got time to
take you to all of it, but there are quite a number of
apparent problems that they are wishing to raise, aren't
there?
A. I think this is the BT one, isn't it? Does this one end
up with the branch transaction -- or the balancing
transaction, sorry? This looks to me as though the
dates are about right for the balancing transaction,
but -- yes, I think there were -- there certainly were
issues with the software in the early days of HNG-X.
Q. Yes. And that doesn't come leaping out of your witness
statement, does it?
A. No.
Q. And you know that his Lordship is trying to determine
how well the system worked over this period, don't you?
A. Yes, that's fair enough.
Q. And is there a reason why there isn't really any
reference to the problems with the system in your
witness statement?
A. I was looking to give an overall explanation as to how
Horizon works. Obviously I was asked to pick up on
a number of specific problems that have been experienced
in the life of Horizon. There certainly were problems
to be dealt with in the early days of Horizon Online.
Q. Now, at paragraph 13 of your witness statement you say
horizon Online was the biggest overhaul. That's at
{E2/1/3}, but:
"~... continuous and iterative updates to the system
over its life."
You mention those as well, yes?
A. Sorry, could you remind me where we are?
Q. Sorry. If you look at paragraph 13 of your witness
statement, you talk about the migration to HNG-X --
A. Yes.
Q. -- or Horizon Online, that's the same thing?
A. Yes.
Q. And you say this:
"This was the biggest overhaul in the Horizon
infrastructure that I can recall, although there have
been continuous and iterative updates to the system over
its life."
Now, pausing there, we have seen that quite a number
of the system components remained the same, didn't they,
from legacy days?
A. Yes.
Q. And we have also -- you have very fairly accepted that
there were lots of additions made to the system over its
life; yes?
A. Yes.
Q. Now, isn't HNG-X, or Horizon Online, an end of life
version of the Horizon system rather than
a reinvigorated and rejuvenated version? Is that fair?
A. No. Horizon Online is -- the components that were
introduced by Horizon Online is the branch database, new
technology for communication between the branches and
data centres, so that was moving to an online system
which is a radical change to the -- it's a radical
change to the architecture compared to Riposte and there
are -- the communications technology change was pretty
dramatic in terms of moving from ISDN to what we have
now -- or, sorry, to ADSL, which is -- so it was a big
overhaul.
Q. Can I pause there. The communications changes that you
mention are significant, aren't they, because there have
been quite a lot of communications problems with the
legacy version of Horizon?
A. Yes.
Q. And --
A. Sorry, the legacy version of Horizon was far more
susceptible to communication glitches.
Q. Exactly. And so there were two improvements in that
respect: the susceptibility to communication glitches
was reduced, and also the quality of the communications
infrastructure was improved, is that fair?
A. Yes.
Q. Can we now look please at {F/1663}. This is an IT risk
management document from Post Office and it is dated
20 July 2017. Now, can we look at page 6 of this please
{F/1663/6}. Can you see under the "Where we are now"
heading:
"There is increased risk in our Branch technology
environment:
"The ~... (HNG-X) platform is end of life ..."
A. Yes.
Q. "... and is running on unsupported Windows software,
therefore needs replacing ..."
A. Yes.
Q. This is 2017?
A. Yes.
Q. Is it fair to describe it in these terms as at the date
of this document?
A. Absolutely.
Q. "Branch counter technology is aged and unreliable, with
frequent hardware failures, resulting in branch
disruptions."
Is that fair?
A. Yes, I think so.
Q. "The branch IT network service (ISDN) provided by
Vodafone will be switched off on 30 September 2017 and
therefore needs transitioning."
That's a different observation relating to an
external comms change.
A. The ISDN bit was a small number of branches where -- and
I can't remember the numbers, but there was a relatively
small number of branches that were still running on ISDN
because you could not get ASDL there.
Q. Yes. So that's in the -- in the hierarchy of those
points, that's the least important, isn't it?
A. Indeed. The straight case is that the platform was
running on NT 4 and any technologist would tell you that
that was too old, but it continued to work surprisingly
well.
MR JUSTICE FRASER: That's the Windows NT 4?
A. Yes.
MR GREEN: And under the "Mitigation" heading we see:
"Accelerated plans to transition from HNG-X to
updated HNGA ..."
And that's going to run basically on Windows 10, it
doesn't say it there, but that was the plan, wasn't it?
A. Well, HNGA has now been installed and it is, as you say,
running on Windows 10. At this stage I suspect the
target was Windows 8, but that's irrelevant.
Q. Yes. In fact, you mention on page 4 of your witness
statement, if we can go to {E2/1/4} -- you mention in
the footnote there:
"HNG-X is being replaced by HNG-A. There is no
functional difference between the two: HNG-A refers to
an implementation of the same counter code as is used in
HNG-X to run on a Windows 10 device (whereas HNG-X
counters are NT4 devices)."
A. Yes.
Q. Yes? But there's not an explanation to anyone reading
this witness statement of the sort of state of the
technology in the terms that we have just seen in your
witness statement?
A. That's a fair point.
Q. And in terms of the roll-out, did the first wave begin
in about February 2017, is that right?
A. For HNG-A?
Q. Yes.
A. I can't really remember. The roll-out of HNG-A was not
really a Fujitsu problem.
Q. Who was handling that?
A. There were two aspects to the roll-out of -- there were
two aspects of roll-out. The network was moved from
Fujitsu to Horizon and then the counters -- the actual
hardware running HNG-A is supported by Computer Centre,
so the software that runs in the counter is still
Fujitsu's and so that's -- so we provide the software to
Computer Centre, they wrap it up, they send it to the
branches now.
Q. Can you remember roughly when that handover started, or
took place? When did Computer Centre become responsible
for it?
A. You mentioned the date in 2017, that rings true.
Q. If we have a look -- we don't necessarily know the
answer at all, but {F/1710.1}. Let's look at the front
first, "Post Office Limited audit planning report"; do
you see that? And if we go to page 24 of that report
{F/1710.1/24}, you can see -- it is quite small writing,
but under the first yellow bullet point:
"Branch tech refresh - HNG-X in branches will be
replaced by HNG-A in phases, the first wave started
in February 2017."
A. I'm --
Q. You may not know.
A. I'm certainly not disputing that.
Q. Thank you.
Can we now turn please to paragraph 17.1 of your
witness statement in relation to data sources, that's at
{E2/1/4}. You have identified what the sources of
transaction data are and can we just identify this in
a little bit more detail please:
"The vast majority of transactions are manually
entered by user in branch at the counter, by pressing
icons on the touchscreen, keying in the transaction on
the keyboard, scanning a barcode, scanning a magnetic
card or some other manual interaction with the system.
These are referred to as 'counter transactions'."
Yes?
A. Mm-hm.
Q. Then transaction corrections, as you understand it:
"... they are produced when Post Office compares the
data entered into Horizon by branches with data
generated from other sources in order to identify any
discrepancies."
You say there "as I understand it", that's because
it's not something that you knew that much about when
you were at Post Office?
A. I know the general principles of it, but I certainly
wouldn't know the detail of how TCs are generated.
Q. And it says:
"TCs are sent to the branch via Horizon."
And there is a footnote:
"TCs are incepted in Post Office's POLSAP system
before being communicated to Horizon, via TPS to the
BRDB."
Was that something you knew yourself or something
somebody assisted you with?
A. Sorry, where are we now?
Q. Footnote 2, explaining how they are generated.
A. I'm only seeing footnote 1.
Q. If we go over the page, sorry. {E2/1/5}.
A. I know that they come from POLSAP.
Q. And how they are communicated via TPS to the BRDB, did
you pick that up from someone else or ...?
A. I could work that out for myself.
Q. Did you, or did someone else tell you?
A. In this case I would have checked it, yes, so ...
Q. With Gareth or ...?
A. No, this would be more a Pete Jobson one.
Q. Okay. And you say "then accepted by a user in branch".
You don't know what's involved in that, do you?
A. I understand the principle because TCs were first
introduced in Impact, which I was involved with, and
I remember we had the conversations as to how TCs would
go into the branch and we were very clear that the
postmaster had to be aware, hence the mechanism that
I have seen described, which is they are presented with
the TC, they have to settle, they are given various
options on how to settle.
Q. Yes. So why did -- you were involved in that design?
A. Yes.
Q. Why was there no dispute button?
A. That was a Post Office decision.
Q. Can you remember what the pros and cons that they had in
mind were when they made the decision?
A. I think the basic argument was that disputes -- we
wanted the flow of data through the system as quickly as
possible because that keeps our books tidy and it was an
inference that there was always the -- you had to press
a button to take things through, but then you would pick
up the phone to NBSC and say that wasn't right.
MR JUSTICE FRASER: Were you involved in the discussion
about that, or were you just told there wasn't going to
be a dispute button?
A. I would say that I was aware. I wasn't particularly
engaged in the conversation. I regarded that as
business processing, my Lord. There is a precedent to
this which is technically very similar, which is
auto-rems, which I was also involved in, where the whole
process changed so to save the subpostmaster having to
key in the amounts in each pouch, they were presented
with a screen which said "The amounts coming in are
this, press this button." I would like to remember, but
I can't be certain, that at that point there was
a message to say "If you disagree, phone up the help
desk", but again the principle was there to say "This is
the right figure, accept it and then argue the case
outside."
Q. Then we look at "Equipment located in a branch other
than a Horizon terminal." You say it:
"... is required for some transactions, such as
a Camelot terminal for lottery products and a Paystation
terminal for some bill payments."
And the point you make there is that these bits of
equipment communicate information direct to a client or
other supplier, who relays that information to
Post Office, or Fujitsu on Post Office's behalf, who
then send a transaction acknowledgement to the branch
via Horizon.
So can we just pause there. Can we trace how
a piece of information gets from a scratchcard
activation into the various repositories of information,
so tracing it through in accordance with what you have
said there, there's a piece of equipment, namely the
lottery terminal, and the SPM activates some cards on
the lottery terminal, yes?
A. Yes.
Q. That information is then relayed directly to Camelot,
the client?
A. Yes.
Q. And Camelot then in turn relay that to the Post Office,
or Fujitsu on the Post Office's behalf, just following
your witness statement.
A. My apologies -- well, apologies for that being unclear.
In the case of Camelot, the data goes to the Credence
system.
Q. Okay. So the Camelot data goes to Post Office's
Credence system?
A. Correct.
Q. And then that then automatically engages with Horizon to
send through a transaction acknowledgement to the branch
via Horizon?
A. Yes. We receive a file from Credence which then gets
loaded into the branch database, then makes its way down
to the counters.
Q. Yes. So the information going into the branch database
is in fact in this case information that has come via
a third party and back in?
A. I don't see it in quite those terms. I see it as we
have received data which goes into the branch database,
so we -- the Horizon system knows absolutely nothing
about it until this file appears.
MR GREEN: Precisely. So just reputting that question --
MR JUSTICE FRASER: It might be because you said "via".
A. Sorry, I think that's probably the case, my Lord.
MR JUSTICE FRASER: Is that the part of it --
A. I think so, my Lord, yes.
MR GREEN: That's my fault.
MR JUSTICE FRASER: Do you want to just clear it up?
MR GREEN: Yes. So the journey that immediately is seen by
Horizon is information coming in from Camelot --
A. Yes.
Q. -- via Credence, is that fair?
A. It comes in and we know it is coming from Credence, yes.
MR JUSTICE FRASER: So it goes: Camelot terminal in the
branch, to Camelot, to Credence, to Horizon?
A. Correct.
MR GREEN: And because it has come into Credence, it then
goes into the branch database?
A. The branch database is the holding place where we put
this data so that it is -- it's not technically sent to
the branches but -- well, I suppose it is, because at
the appropriate point the data comes from the branch
database to the counters.
Q. Yes. So when someone turns on their terminal in the
morning and logs on, they have some TAs on the screen?
A. Yes.
Q. And they have no choice but to accept those?
A. I don't know whether they have the option to stop them,
but I think the principle is certainly right, that the
TAs are going down there with the expectation that they
have to be -- that they will be accepted.
Q. Just so you know, it is not controversial that they
don't have a --
A. No, that's fine. Thank you.
Q. It's at that point that they enter the branch accounts?
A. Yes.
Q. And that is the data that is then captured by the audit
system?
A. Yes.
Q. And that's true -- with minor differences but
substantially correct -- for the other items of
equipment that you have in mind in paragraph (c)?
A. Yes, the difference is that the Paystation data comes
from Ingenico to us. We load it into the branch
database in separate tables and we generate the TA, but
then you are onto a common stream.
Q. And then again, that is the data that then goes into the
audit store?
A. Yes, it's the action at the counter which then contains
data which comes up into the branch database and that is
the bit that goes into the audit store.
Q. What is the action that you are talking about there at
the counter?
A. Pressing the "Accept" button.
Q. On the TA?
A. Yes.
Q. And then at (d) you say:
"In Horizon Online it is possible for Fujitsu to
insert a balancing transaction - see paragraph 58
below."
A. Yes.
Q. We will come back to that later. We have already dealt
with it, at least in part. Just focusing on (a), (b)
and (c) for a moment, when we look at the data that
we're concerned about in paragraph 17.2(a), you point
out, quite rightly, that:
"The vast majority of transactions are manually
entered by a user in branch at the counter ..."
And then importantly "... by pressing icons on the
touchscreen", yes?
A. Yes.
Q. So the significance of that is that the transaction data
comprises the fact of a press -- one press by an SPM on
a particular icon, yes, and the significance of that in
the reference data table being put together so that
something pops up in the basket, as I mentioned to
Mr Johnson when he was giving evidence, yes? You don't
type in the price of a first class stamp?
A. No, absolutely not. The price of something would be
calculated for the majority of products.
Q. Yes, and that data is in the reference data table,
isn't it?
A. Yes.
Q. So in the transaction data there are two elements.
There is what the SPM has in fact done in terms of
a keystroke.
A. I don't see it in those terms.
Q. I understand.
A. We see the result of actions at the counter as a basket
and I think -- so we see the outcome from the counter
application putting together a basket and it is that
basket that we then put into the audit trail.
Q. Totally understand. I was just trying to be precise
about the result that we see, which is the fruit of two
different pieces of data: there is which icon the SPM
has pressed on the screen and the relevant reference
data in the reference data table for that icon.
A. If you're looking at something such as a first class
stamp then yes, I agree. If you're looking at other
things then it could be much more complicated.
Q. Of course, but for many many things there are --
A. Yes.
Q. The reason you say "by pressing icons on the
touchscreen" in paragraph 17.2(a) of your statement, is
because for quite a lot of transactions that's how it is
done?
A. Yes.
Q. There are some where the SPM has to actually manually
enter in what's happening.
A. There are some where the subpostmaster has to enter far
more data, such as on an AP-ADC transaction. There are
some where data will come from a PIN pad, there are some
where data will come from a barcode, weigh scales.
Q. Indeed. And that is the data -- the result of that,
what's shown in the basket, in the transaction if you
like, is what's then captured in the BRDB and in due
course in the audit store.
A. Simultaneously. The first part of that is actually --
the audit store at that stage is actually simply a table
in the branch database.
MR GREEN: Okay.
My Lord, would that be a convenient moment for
a break?
MR JUSTICE FRASER: I dare say. Are you going to be dealing
with Mr Godeseth for the whole of the afternoon?
MR GREEN: I am.
MR JUSTICE FRASER: We're going to have a short break,
Mr Godeseth. Ten minutes -- or do you want five?
MR GREEN: That's fine.
MR JUSTICE FRASER: Ten minutes. We will have a ten minute
break for the shorthand writers. If you could come back
at 10 past. Same score as before, don't talk to anyone
about the case.
A. Understood, my Lord, thank you.
(3.00 pm)
(Short Break)
(3.10 pm)
MR GREEN: Can we just touch on a couple of brief points in
relation to transferring and storage of data. At
paragraph 19 of your statement at {E2/1/6} you say:
"Due to the different ways that Legacy Horizon and
Horizon Online transfer and store data, I address them
separately below when dealing with integrity of data
being transferred through Horizon."
We touched on the information flows in relation to
third parties already, but that was in the context of
the BRDB, wasn't it, our discussion we just had before
the break?
A. Yes.
Q. And under Legacy Horizon you were on the other side of
the fence, as it were, to where you are now?
A. Yes.
Q. Legacy Horizon days.
If we look at paragraph 34 of your witness statement
at {E2/1/11}, you make the point that the messaging
system was responsible for storing all the data in the
Post Office branch and replicating it to data centres.
The basic set up is that the counters held data in
a message store.
A. Yes.
Q. And the correspondence server also had a message store?
A. Yes.
Q. And the data inserted at the counter would be replicated
in the correspondence server message store?
A. Correct.
Q. And vice versa if there was a --
A. If you needed to push data -- Riposte was responsible
for replicating data to wherever you told it to.
Q. Indeed. At paragraph 43 of your witness statement
{E2/1/12}, you have mentioned that:
"[You] understand from Gareth that the audit
application read every record that was visible to the
correspondence server ... and wrote a text copy of that
data to a text file."
Do you know whether the audit server was hosted by
Riposte or not?
A. The audit server is definitely outside of Riposte.
Q. Let's look at the Horizon Next Generation plan X
document again please, at page 28 {F/299/28}. Do you
see under "Audit" at paragraph 4.3.2.7 it says:
"The audit application remains largely unchanged
apart from various modifications to the configuration of
audit collection points throughout the estate.
"An audit conversion tool will be required to
convert existing audit data from Riposte to another
readable/searchable format."
What is that referring to?
A. I think it's just wrong.
MR JUSTICE FRASER: You think that's wrong?
A. Yes. Yes, my Lord, because I have seen audit data from
Riposte days and it is in Riposte attribute language, so
I -- I can't see how that's right because the audit data
that I have seen is in Riposte attribute language.
MR GREEN: So the audit data that was stored was in Riposte
attribute language?
A. Correct. It was basically the message store -- it's
pretty much as simple as a copy of the message store.
Q. And in relation to who was managing the Riposte system,
what was Escher's role?
A. Escher provided Riposte software, so they provided the
software in which Fujitsu deployed applications.
Q. And did they provide support for the Riposte software as
well, or not?
A. Yes, they did, but I honestly don't know what the
contractual relationships were, so I can't really
comment in any detail on that.
Q. You wouldn't have known at the time what the
arrangements between Escher and Fujitsu were if there
were problems with Riposte?
A. I certainly don't know. I'm obviously conscious, having
looked at PEAKs, that there were issues, but I was not
aware of those at the time.
Q. I understand. You deal with Horizon Online from
paragraph 20 {E2/1/6} in relation to the accuracy of
transaction data. Is it fair to say this is more within
your own knowledge, this bit of your statement?
A. I feel that I know this pretty well, yes.
Q. So back on home turf in a sense?
A. In that sense, yes.
Q. And in paragraph 26 {E2/1/7} you mention the controls
that were in place. Do you know whether those controls
ever failed? Take the first one, "A basket must balance
to zero."
A. We have checked this. If you do something on a test
system to cause a basket not to balance to zero, it
shows an error.
Q. And you mentioned the Journal Sequence Number. It's
impossible, isn't it, for the database to accept two
items with the same JSN number?
A. Correct.
Q. Can we look please at {F/590/7}. Just to orientate you
in this, perhaps we can go to the first page, I'm sorry
{F/590}. You will see that this is PEAK PC0195561. Do
you see that?
A. Yes.
Q. And if we go to page 7 {F/590/7} and we look at
24 March 2010 at 14.45.49, which is the middle one, do
you see there:
"Time-outs were the underlying cause of the issue
and that there were long delays waiting on the DB ..."
That's the database, yes?
"... to process the 4 requests."
A. Mm-hm.
Q. "In this case two of the requests were committed and two
correctly detected that the transaction had already
succeeded. There is an issue with the 2 commits because
this shouldn't have happened. However the behaviour of
the OSR from CTR 25.07 onwards is to roll the
transaction back on a time-out. In this scenario all
the requests would have failed and no reconciliation is
required.
"We would like to find the root cause of the issue
as to how the duplicate entry was committed in the DB."
Now, I know you were working on other things
in March 2010, but were you aware of any problems with
items with a duplicate JSN number, Journal Sequence
Number, being committed to the database?
A. I'm not sure this is saying we had duplicate JSNs, but
I would obviously have to check the detail and no,
I wasn't aware.
Q. You weren't aware of that problem generally?
A. No.
Q. Okay. And you were here I think for Mr Dunks' evidence
this morning.
A. Mm-hm.
Q. Paragraph 32 of your witness statement {E2/1/10} says:
"I am not aware of any instances where data
retrieved from the audit store differs from other
sources of data, nor am I aware of any instances where
the integrity checks described in paragraph 30 have
revealed any issues."
Yes?
A. Yes.
Q. Were you aware that there had been duplication of data
identified in Seema Misra's case?
A. Misra I believe was on the old system.
Q. Yes, legacy.
A. Yes. So no, I was not aware of that.
Q. In terms of ARQ figures, can we look at paragraph 31 of
your witness statement please {E2/1/10}. You say there:
"I have been informed by my colleague Jason Muir
(Operational Security Manager in Security Operations
Team) that the number of ARQs issued since the 2014/15
financial year is as follows ..."
And you then say one ARQ equals one month of an
individual branch data so one Post Office request for
data could have multiple ARQs, yes?
A. Yes.
Q. Just to explain what the figures are. And you have
a footnote to that which says:
"These figures do not include the ARQs that Fujitsu
has issued in relation to these proceedings."
So is it actually -- where did you get that
information from?
A. From Jason.
Q. So what did you ask him?
A. Personally I didn't ask him anything. This was
information that was being requested to go into the
witness statement, so I'm confident that it is correct.
I have no particular motive in providing that
information.
Q. I'm just trying to -- I'm not talking about motive, I'm
just trying to identify how it has ended up in your
witness statement.
A. I was effectively asked to put it in.
Q. So did Jason Muir actually inform you of this in
response to any requests from you?
A. No.
Q. Because that saves me asking the next question which was
why didn't you ask him for earlier years.
Now, can we just look at the years that we've got
there, 31.1 to 31.4. When you were shown the
information that you were to put into your witness
statement you must have noticed that it only went from
the 14/15 year to the 17/18 year.
A. I didn't pay it any particular attention.
Q. But you have been dealing with Legacy Horizon which
pre-dates 2010 --
A. That's true.
Q. -- in the same witness statement, so you must have had
in mind what the chronological sweep of this witness
statement was supposed to deal with, mustn't you?
A. I'm afraid I didn't do my job in that case.
MR GREEN: Can we move now to --
MR JUSTICE FRASER: Just before you move off that, can you
think of any reason why there should be a cut off at the
beginning of 2014, in terms of the system, or the way it
worked, or anything?
A. I can't think of any reason why that information would
not be available further back.
MR JUSTICE FRASER: Mr Green.
MR GREEN: Can we deal with the problem management procedure
now. Can we look please at {F/1692}. This appears to
be a Fujitsu document. We see at the bottom "Fujitsu
restricted" and "Copyright Fujitsu Limited 2017". The
title of the document is "Post Office Account - Customer
service problem management procedure" and can we please
go -- if you note the "abstract" there:
"To describe and document the customer service
problem management process."
Now, you are the chief architect, aren't you, in
relation to the responsibility for changes being made to
the system being implemented without prejudicing the
continued operation of the system? That's what you say
in your witness statement?
A. Yes, that's right.
Q. And this is a recent document which relates specifically
to the Post Office account. Is this a document you have
seen before?
A. I can't honestly say. It's certainly not one that I'm
particularly familiar with.
Q. Okay. Let's have a look, if we may please, at page 8
{F/1692/8}. You will see just under 1.1 "Process
objective and scope":
"The objective of this document is to define the
process for problem management in the POA environment to
support the contracted infrastructure and application
services described in the HNG-X contract. Other
infrastructure and services used by POA to provide and
support delivery of the HNG-X contract are also in scope
of the process."
Now, just pausing there for a second, POA is the
Post Office account team at Fujitsu, isn't it?
A. Correct.
Q. Then it says:
"For the purpose of this document a problem is
defined as the unknown underlying root cause of one or
more incidents."
Yes?
A. Yes.
Q. "The problem management process covers both reactive and
proactive functions of problem management."
A. Yes.
Q. Now, if one is to have a robust system it's important,
isn't it, to make informed assessments of where problems
lie based on the relevant information that was
available?
A. Yes.
Q. And it's important to capture and track that in a way
that can readily be analysed, is that fair?
A. Yes.
Q. And that seems to be at least consistent, if not the aim
of this procedure, yes?
A. Agreed, yes.
Q. Let's look please at the document history on page 4
please {F/1692/4}. We can see that the draft document
was updated in 2007 and we can see various changes going
in and out and various revisions going forward on that
basis. If we go over the page {F/1692/5}, we can see up
to a date in September 2017, yes?
A. Yes.
Q. Now, can I just give you the context in which this
document has come to the fore, so that you can see it
clearly. The two experts both comment on it. If we go
please to {D2/1/96}, this is Mr Coyne's report. We get
to paragraph 5.156 there and it is clear from that
paragraph that Mr Coyne was working on the basis that
the problem management procedure had actually been acted
upon and you can see there, at 5.156, he says:
"The Post Office account customer service problem
management procedure document ..."
Which he footnotes:
"... identifies the process metrics and key
performance indicators required for measuring the
effectiveness of the process and service specifically in
relation to problem management. The problem management
procedure is set out in more detail at appendix E ...
relevant to this section and issue 6 are the metrics and
KPIs to measure/control and reduce the risk of failure
to detect, correct and remedy Horizon errors and bugs."
Yes?
Now, if we go please to page 97 over the page
{D2/1/97} and we look at 5.157, he says:
"From the above, it is my opinion that Post Office
should be aware of all recorded bugs/errors/defects in
addition to those previously acknowledged by them, from
the process metrics compiled above."
So what Mr Coyne seems to have inferred is that the
problem management process had been implemented and
there would be feedback from Fujitsu to Post Office
about what errors and bugs -- that seems to be the basis
he is proceeding on, doesn't it, on the face of it?
A. On the face of it, certainly.
Q. And if we go now to {D3/7/81} we can see Dr Worden --
this is his second report and he appears to be working
on the basis also that the problem management procedure
had been brought in. If we look at the third column he
says -- so it is row 21, it relates to 5.156, which is
Mr Coyne's paragraph I just showed you, the extract of
Mr Coyne's paragraph is there, and then if you look on
the right-hand side under "Commentary" you will see:
"This document is a rather high level and generic
description of the problem management process.
"It is difficult to extract a clear picture from
this document of how the process works in practice.
For instance, there are listed about 20 types of process
input and 20 types of process output. It is hard to
discern from these long lists which inputs and outputs
were most important.
"As another indication of its generic nature, the
words 'bug', 'defect', 'software' and 'reference data'
never occur in the document. The word 'error' does
occur. Errors are discussed generically not as specific
types of error such as errors in Horizon."
So both experts appear to be approaching it on the
basis that it had been acted upon.
Now, if we look at {F/1692/10}, going back to the
problem management document at page 10, we can see what
the relevant metrics are. Now, those are competent
professional metrics that you would expect to see in
a policy of this sort, aren't they?
A. Yes.
Q. You can see that what's proposed there is:
"The following metrics, to be reported monthly, will
be used to measure effectiveness of the process and
drive performance of the process and overall service in
general."
That's the way it is going to work?
A. Yes.
Q. And were you aware, as you are one of the key people at
Fujitsu, that Mr Coyne had asked for documents to be
provided which he thought should exist based on the
problem management procedure? Did you know -- did that
come to your attention at all?
A. It has not come to my attention.
Q. Well, I will take it quite quickly. Let's have a look
at {D2/5/22}. This is a request for information and
a response and you can see that in relation to this --
in the Post Office response to requests for information,
if we go down to page 26 {D2/5/26} you will see in the
left-hand column at the bottom:
"Please provide how many times (and over what
period) the 'problem management process' has recorded
the potential for a system or software error?"
And then in the column with Post Office's response:
"Post Office objects to this request. Fujitsu
believes that it does not record problems in such a way
that would allow this to be determined without
retrospectively carrying out detailed analyses."
And so forth. Over the page:
"This would require a disproportionate effort and
cost."
You have addressed this issue at paragraph 63 of
your witness statement at {E2/7/16}, haven't you?
A. I have.
Q. And what you have explained there -- in your second
witness statement this is. What you say there is:
"I have spoken to my colleague Steve Bansal,
Fujitsu's senior service delivery manager, who has
informed me that the Post Office account customer
service problem management procedure document was
introduced by Saheed Salawu, Fujitsu's former Horizon
lead service delivery manager and that Saheed Salawu
left the Fujitsu Post Office account in
around February 2013, before the new procedure had been
implemented. I understand from Steve that
Saheed Salawu's replacement did not wish to implement
the changes and therefore the records referred to by
Mr Coyne in paragraphs 5.157 to 5.159 of his report do
not exist, as we continued to follow the previous
existing reporting methodology."
Now, can we just unpack that slowly. Who was
Saheed Salawu's replacement?
A. I don't know. As you can tell I'm a bit vague on this
area. I remember Saheed, I don't know whether it was
Tony Wicks who took over from him or somebody else.
Q. Because when we go back to the document itself, at
{F/1692/4}, here is the "Summary of changes and reason
for issue". The document's history goes back to 2007,
doesn't it?
A. Yes.
Q. And it looks like it was issued for approval in 2014,
doesn't it?
A. Well, it was issued for approval on 9 December 2013,
yes.
MR JUSTICE FRASER: "Issued for approval" appears in
a number of places I think.
A. Yes and the convention is that when you go to a ".0"
version then that's one that is being issued for
approval.
MR JUSTICE FRASER: Hence 2.0, April 2008;
3.0, December 2013; 4.0, July 2014?
A. Yes.
MR JUSTICE FRASER: And that's why they are all ".0" because
they are all issued for approval?
A. They should all be issued for approval, yes.
MR GREEN: And that is after the date when you say Mr Salawu
left.
A. I think so because I think Saheed left in 2013, so it
looks as though it was Tony Wicks who came in to take
on -- take up from him.
Q. So can you explain to his Lordship what the procedure
for adopting a policy or procedure of this sort is?
A. I'm afraid not. It's governance within the account
team. I am certainly no expert on that aspect of it.
Q. Okay, because when we go over the page {F/1692/5} in
2017 we see no comments from review cycle. It is still
being dealt with in 2017 and we can see the name of
Tony Wicks for review comments, can't we?
A. Yes.
Q. Requested by 14 December 2017. Is he the person we
would really have to ask about this?
A. If my suppositions are correct then it looks as though
Tony Wicks is the man who has driven this.
MR JUSTICE FRASER: He is the what, sorry?
A. He would be the man who has driven this.
MR GREEN: And he is the person we would really have to ask
about what happened after February 2013?
A. Yes, if my suppositions are right that he took over from
Saheed.
MR JUSTICE FRASER: Well, would you like to look at page 1
{F/1692}. What does "Approval authorities" mean?
A. Approval -- sorry, that would be Steve Bansal who would
sign it off.
MR GREEN: Let's look at the Legacy Horizon reporting system
because in your paragraph 63 -- if we can just go back
to that {E2/7/16} -- you say there in the last line of
that:
"... we continued to follow the previous existing
reporting methodology."
Is that a reporting methodology with which you're
familiar?
A. No.
Q. So that's what he -- you've got all of that from Steve?
A. I got -- basically I got this from Steve.
Q. And you don't really know what the reporting methodology
is?
A. Not in any detail at all.
Q. Do you imagine it ought to be documentary, or would it
be oral, or ...?
A. I imagine it happening via the service review meetings
that Steve chairs. We have regular sessions with ATOS,
with other suppliers, but I have not -- I can't remember
actually going to one. I'm aware that there are
meetings with Post Office and ATOS to talk about service
issues.
Q. Okay. Let's look in paragraph 64 where you are dealing
with the service review book. You say:
"When Legacy Horizon was in place problem management
was reported in a specific section within the service
review book (SRB)."
Is that something you also got from Steve or
something that you knew about yourself?
A. No, that is from Steve. I have probably seen service
review book outputs in the past but ...
Q. That was a fairly high level review of problem
management and (inaudible) main problems, was it?
A. Very high level, yes.
Q. If we look please at your paragraph 65 {E2/7/16}, is
this still Steve Bansal?
A. Yes.
Q. So how far down does that go? Is this all -- just give
us a feel for how far down we go.
A. I think to the bottom of the page.
Q. To the bottom of the page, I see.
In paragraph 65 you say that:
"From September 2010 these SRBs reported metrics
only against contractual service level agreements ...
and as there are no contractual SLAs for problem
management, it is not covered in the SRB reports
between ... 2010 and 2014."
That's right, is it? That's what you understand
from Steve?
A. That's certainly what I understand from Steve.
Q. Okay. I mean wouldn't Post Office want to know the sort
of information that would be conveyed from that sort of
reporting procedure?
A. I would imagine so and I did not attend the meetings
with Post Office and ATOS so ...
Q. There's only so far we can take it?
A. Yes.
Q. And you say at paragraph 66 {E2/7/16} -- and
I appreciate this is also from Steve Bansal:
"For the years 2014 to 2017 there are annual problem
review reports ..."
Yes?
A. Yes.
Q. Is that system still in place in 2018?
A. I just do not know.
MR JUSTICE FRASER: I'm having grave difficulty with
following this at what might be called face value, which
is why I'm just interrupting. Is the import or the
summary of your paragraph 63 to 66 that these types of
metrics are only available between the years you have
identified in those paragraphs and that Fujitsu doesn't
keep them, or hasn't kept them for years outside the
ones identified in those paragraphs?
A. I don't know the answer to that, my Lord. I don't know
whether there were records available. I would have to
speak in far more detail to Steve and others to
ascertain that.
MR JUSTICE FRASER: But I thought you had already spoken to
Steve about this?
A. I was looking for a high level response on a specific
issue that was being requested.
MR JUSTICE FRASER: And what specific issue was that?
A. I think it was raised by Mr Coyne.
MR JUSTICE FRASER: Insofar as you can remember, do you
remember what it was?
A. It was simply looking for -- my recollection of it was
that he was concerned that Saheed had suggested an
improvement to problem management and was looking for
the evidence that that had been implemented and when
I spoke to Steve and said "Did we implement this?" he
said no.
MR JUSTICE FRASER: All right. Mr Green.
MR GREEN: If we look at {F/1420}, this is headed "2014 POA
problem management - problem review", do you see that?
A. I do.
Q. It is called version 1.0, at the bottom right-hand side,
which suggests it has been issued for approval and we
see "Document status: for approval".
A. Yes.
Q. Again Mr Bansal's name under "Approval authorities".
Was this one actually implemented, or do you not know?
A. I don't know.
Q. Have a quick look at page 6 {F/1420/6}. I'm going to
have to take this quite quickly, Mr Godeseth, because
it's obviously not something you're familiar with, but
this appears to contemplate undertaking a trend analysis
and so forth to review the knowledge database, review
problems and so forth, and if we go to page 7
{F/1420/7}, on the face of it looks as if there are
considerations, for example, of specific problems that
have in fact occurred. Do you see that?
A. Yes.
Q. So on the face of it it does look from this document as
if there is a problem management review document with
some actual problems in it, although it seems to be
issued for approval. Is this something you know
anything about?
A. No.
Q. Just quickly then, very briefly, if you look at page 13
please {F/1420/13}. If we look in the middle stripe,
A1939577. Do you see that?
A. Yes.
Q. It mentions First Rate. Who are First Rate?
A. First Rate Exchange Services are, I believe, a joint
venture owned by Post Office and Bank of Ireland, but
they provide foreign -- they provide bureau services.
Q. And they say:
"First Rate has identified an anomaly over the way
Horizon reversed transactions are recorded and polled
through to them."
Is this something that came to your attention at
all?
A. No.
Q. Because it does seem to have been fixed in counter
release for R9.
A. Yes.
Q. Release 9?
A. I don't remember what date release 9 was. It would have
been on my watch, but ...
Q. It's not something you remember particularly?
A. No.
Q. And you don't remember having seen this document either?
A. No.
Q. If we look at {F/1497}, this one is the "2015 POA
problem management - problem review" and if we look at
page 7 there {F/1497/7}, do you recognise this one at
all or not?
A. I think I do from the recent review, but I couldn't be
certain without checking it in more detail.
Q. Because it is in the same format as the previous one,
isn't it?
A. Yes.
Q. And in the bottom stripe we see A10821106:
"Transaction discrepancies can occur during the
rem-in process especially when transferring cash from
one branch to another (eg between their main branch to
their outreach branch)."
Can we go back up very kindly. And then under
"Description":
"The underlying cause of this problem is that
a logout before a user has fully logged on, then
subsequently a pouch is rem-in manually, then after the
rem-in slip has been printed, the same screen is
redisplayed and if the user press enter again,
a duplicate will occur. A code fix has been developed
and is in release 12.88 hot fix."
Does that ring any bells?
A. That sounds like Dalmellington -- is it Dalmellington?
Q. Yes, it is the Dalmellington bug, isn't it?
And it doesn't capture how many branches were
affected, does it, that report?
A. That's true.
Q. It doesn't capture how long it took to find?
A. No.
Q. It doesn't capture the financial amounts involved?
A. No.
Q. So is it fair to say that that report is not
a particularly rigorous or robust treatment of recording
the problem, its extent and duration and effect?
A. I think that's a fair comment.
Q. Can we turn now please to understand a little bit better
the issues around balancing transactions that we touched
on earlier and can we first look please at {F/1692}.
This is another Tony Wicks Post Office account customer
service problem management procedure document. Now --
we will perhaps come back to that.
Let me take you forward, if I may -- or back in the
bundle to {F/425} and just show you this to get the
chronology. If you see at the top, the title on the top
is, "Host BRDB transaction correction tool low level
design." Do you see that?
A. Yes.
Q. And this is the low level design document, isn't it, for
the branch database transaction correction tool?
A. Yes.
Q. And it says "Document status: draft" and the "Approval
authorities" is Graham Allen. Do you know Graham Allen?
A. I do.
Q. Do you work with him?
A. Yes.
Q. And the author and department it says Rajesh Shastri.
Do you work with him?
A. I don't recognise his name.
Q. And if we just go forward to page 5 {F/425/5} we can see
that the document history shows the draft version being
produced in October 2007 and then, 29 September 2009,
"Add transaction correction journal auditing". Do you
know what transaction correction journal auditing is?
A. Sorry, where are we?
Q. Sorry, bottom of the 0.2 table.
A. 29 September 2009, yes.
Q. Now, this was a tool that was being developed for
Horizon Online, wasn't it?
A. Yes.
Q. And if we go to page 8 {F/425/8}, under "Overview" it
explains that:
"This document provides the low level design for the
branch database transaction correction tool module. The
utility will allow SSC to correct transactions by
inserting balancing records to
transactional/accounting/stock tables in the BRDB
system. It will also audit the changes made. There
will be no updating/deleting of records in the branch
database."
And then it says:
"Warning: the use of this powerful tool has inherent
risks. If the SQL statement is incorrect or badly
written, it is possible to cause unintended
consequences, some of which may cause serious problems
to the branch database. It is expected that only
a small number of skilled staff will run this tool and
that they will have detailed guidance as to when and how
to use the tool."
Now, are you familiar personally with the use of
this tool in Horizon Online?
A. I've never seen it used because I was -- the one time it
was used, as we have already established, I was
elsewhere. I have had pretty lengthy conversations with
Gareth Seemungal about how this tool is put together, so
I feel that I understand how it works.
Q. Pretty lengthy conversations with ..?
A. Gareth Seemungal.
Q. Let's look at the "Solution components". It says there
are five main components to the solution. There is the
UNIX shell script. There is the PL/SQL package.
There's:
"A set of template files, one for each transaction
table for which balancing transactions are allowed to be
inserted. Each file contains a template for an SQL
insert statement for the table in question. This makes
it easier for users to produce new transaction files by
basing them on the template files."
And then there is the possibility for branch
seeding, new branches to be processed by the tool, and
the bottom one:
"Transaction correction journal auditing - a new
process generates audit files for the input day's
audible transaction correction records. See section 5
for details."
Now, just taking this in stages, the seed records,
in the penultimate bullet point there in red, last
line -- do you see that?
A. Yes.
Q. The seed records have a node ID of 99?
A. Yes.
Q. Now, that's like having a branch ID number -- a counter
number of greater than 32, isn't it?
A. That is the counter number that this transaction would
be recorded against because the node ID is the counter.
Q. Exactly. Now, just clarifying where we are, we have
seen what you will and will not be able to do in 1.1, so
it will allow SSC to correct transactions by inserting
balancing records to transactional/accounting or stock
tables in the BRDB system, also audit the changes made,
"There will be no updating/deleting of records in the
branch database." So this is the design for the tool?
A. Yes.
Q. So insertions of balancing records, yes; auditing, yes;
no updating or deleting of records.
A. Correct.
Q. And that's actually reflected, at least to some extent
we will see -- just trace it through. Let's look at the
objects because identifying the permitted database
objects is important to identifying the scope of
potential application of the tool with this design,
isn't it?
A. Absolutely.
Q. So we look at paragraph 2.4.1 on page {F/425/9}, the
next page, and we see there's a table there. 2.4 is the
objects used. We will just go through these carefully.
2.4.1, "Database objects used", so in the database
objects tables, these are the object names to which the
specific functions that we are concerned with have
access, yes?
A. Yes.
Q. Okay, let's have a look. You can see there's the BRDB
operational exceptions table?
A. Yes.
Q. The system parameters table?
A. Yes.
Q. FAD hash outlet mapping table?
A. Yes.
Q. The process audit table?
A. Yes.
Q. Process audit sequence table?
A. Yes.
Q. Transaction correction tool journal table -- sorry,
"process audit sequence" was a sequence.
MR JUSTICE FRASER: Yes, I don't think that's a table.
MR GREEN: Yes, that's actually a sequence, which we will
come back to. My mistake.
The transaction correction tool journal table, the
FAD hash current instance table, transaction correction
tool control table, branch info table and then -- branch
operators exception sequence, is that?
MR JUSTICE FRASER: "Operational" I imagine.
MR GREEN: Or "operational".
MR JUSTICE FRASER: Is that right, Mr Godeseth, do you
think?
MR GREEN: Something like that.
A. I --
MR JUSTICE FRASER: Or you don't know?
A. I don't know to that level.
MR GREEN: Okay. And then we see what the privileges
granted are:
"The following transaction tables have been granted
INSERT privileges ..."
Yes?
"... to OPS$SUPPORTTOOLUSER. The transaction
correction statement is only allowed to insert into
these tables."
A. Yes.
Q. And it identifies effectively all the important
transactions tables and --
A. I think there are probably another two or three on the
next page.
Q. On the next page, exactly, I was just going to take you
there {F/425/10}. Plus the events table.
A. Yes.
Q. Session data, you see that as well?
A. Yes.
Q. And at 2.4.2, the files used, it says:
"The process uses the following files:
"Transaction file containing an SQL INSERT statement
that creates the required balancing transaction."
So this would be where there is one half of
a transaction missing another half of a transaction?
A. Yes.
Q. And the insert statement, the "SQL INSERT" statement
effectively goes in and puts in the missing other side
of that transaction?
A. Yes.
Q. And the method on the next page, page 11 {F/425/11}:
"Having logged into their own UNIX user, the SSC
team members will change directory ... and place their
transaction file in the ... subdirectory. They will
then invoke BRDBX015 manually. The shell script module
will be owned by the UNIX user 'supporttooluser'."
And then it explains what the module will do and the
insert statement and so forth and you see that set out
at 3.1 in the method.
A. Yes.
Q. Now can we go forward please from there to look at
{H/218} please. This is a letter from Wombles to
Freeths about the request for disclosure of the audit
records for the use of the tool and it says:
"This log is produced in relation to the use of
balancing transactions via the transaction correction
tool as described in paragraph 58 of Mr Godeseth's first
witness statement."
And you were describing in your paragraph 58 the
tool we have just been looking at, weren't you?
A. Yes.
Q. And let's look at what the audit table shows in terms of
number of non-zero audit files. We can see there 2010,
46,000 files -- 47,000 nearly, and one file with more
than zero content and then you can see 322, 553, 122,
129, 228, 420, so in total -- over the page -- over the
period: 2,297 {H/218/2}.
Now, just to give you the context of what's being
said, if you go back a page what's said in the middle of
that letter there is:
"Fujitsu have extracted the data from 2010 to 2019
and provided the following explanation for the
documents. It should be noted that Relativity is not
able to recognise 0KB documents since these do not
contain any data and therefore disclosure can only be
provided of the 2,297 files which contain data. We
understand from Fujitsu that a 0KB file is produced
where there was no logged activity. A disclosure list
is enclosed."
So that's the explanation for the difference between
46,976 and 1, yes?
A. Yes.
Q. And when we go over the page please {H/218/2}, it says:
"Each document is associated with a single SQL
statement which made a database correction. There are
two different types of correction shown in the
files - the SQL statements for each are of the form:
"1. Update OPS$BRDB.brdb_rx_recovery_transactions
SET settlement_complete_time stamp = ..."
And then the "INSERT INTO" command.
It says:
"Type 1 reflects the action taken to reset the
recovery flag on a transaction. This will have no
effect on branch accounts (see footnote 58 in our letter
of response ...)"
Which says:
"Several hundred other balancing transactions have
been used but not in a manner that would affect branch
accounting. These were generally used to 'unlock'
a stock unit within a branch."
Do you see that?
A. Yes.
Q. Were you asked about the explanations that are being
given here, or would it be someone else at Fujitsu who
would know about this?
A. This would have been written by others but I'm fully
aware of it.
Q. And then it says:
"Type 2 reflects the action taken to insert
a Balancing Transaction ..."
It has a big "B" and a big "T", "Balancing
Transaction":
"... where it changes transaction data in the main
transactional tables. This will affect branch
accounts."
Yes?
A. Yes.
Q. So what is being said there in relation to type 1 is
that the 2,296 other uses of the tool have been used
mostly to unlock a stock unit within a branch and not in
a way which would affect branch accounts.
A. Correct.
Q. And then there is one which it is accepted did accept
a branch account and that's the first one.
A. Yes.
Q. And that's your understanding too?
A. That is absolutely my understanding. The only way you
would be allowed to write into those tables listed is
using this tool and that would be listed as a balancing
transaction.
Q. Just looking at the command that's being used for
number 1, it's not an insert command, is it?
A. I'm not sufficiently au fait with Oracle to -- sorry,
the first one, no, it says it is an update so ...
Q. Yes, and the point is, if we go back please to the low
level design which I took you to with some care at
{F/425/8}, it is clear, isn't it, from this design
that -- if we look at the last part of 1.1, the last
sentence of that first paragraph:
"There will be no updating/deleting of records in
the branch database."
A. Yes, it says that.
Q. If we look on the next page, page 9 {F/425/9}, you can
see in-between the two tables:
"The following transaction tables have been granted
insert privileges ..."
A. Yes.
MR JUSTICE FRASER: Where are you reading?
MR GREEN: Between the two tables, my Lord, at the bottom,
"The following transaction tables have been granted
insert privileges ..."
MR JUSTICE FRASER: Yes.
MR GREEN: And that means that people who have the
privileges of the "OPS$SUPPORTTOOLUSER" are allowed to
run SQL insert commands, aren't they?
A. The intention of this tool is to allow a set of people
to run a transaction which will insert records into one
or more of those tables and it will be audited.
MR GREEN: Well, that's not an answer to my question.
MR JUSTICE FRASER: I don't think it's even vaguely in the
field of answering the question, with respect. Do you
want to put it again, Mr Green?
MR GREEN: This tool is confined to a privilege to insert,
isn't it, as described here?
A. I think so, yes.
Q. And we don't see the necessary database object fields
table for correcting in the manner suggested --
A. For the locks.
Q. For the locks, do we?
A. I can't contradict you on that, so no.
Q. So it is clear, isn't it, that the use of the tool has
now gone way beyond what we find in this low level
design document, is that fair?
A. Certainly there are -- there is tooling which is based
on this which has two aspects to it, certainly, so
I think I'm agreeing with you.
MR GREEN: Yes. Now, if we look at {H/2/25} --
MR JUSTICE FRASER: Just before you move off, just to clear
it up for me, can we look at page 11 {F/425/11}. Now,
I accept that this is in Oracle, I think, these
commands, and if you don't -- I'm sure you've got at
least a basic knowledge of some Oracle --
A. I hope so but ...
MR JUSTICE FRASER: I'm sure your knowledge of Oracle is far
wider than mine, but I do understand it a little bit,
but if you look at the second paragraph under "Method"
do you see it says:
"The module will read the contents of the input
transaction file, which will be in the form of an SQL
insert statement."
A. Yes.
MR JUSTICE FRASER: "Only a single insert statement is
allowed and (after an optional introductory comment) it
must start with the 'insert into' clause."
A. Yes.
MR JUSTICE FRASER: Am I right that you would then expect to
see the block capitals command at the beginning of the
insert?
A. I think it is telling me that I would see an "insert
into" one of those tables and then whatever data had to
be inserted into that table.
MR JUSTICE FRASER: Yes and the insert would be part of the
command, wouldn't it?
A. The insert would be in the SQL script because what I'm
trying to do is to get a record into that table.
MR JUSTICE FRASER: Thank you very much. That's how
I understood it but I just wanted to check it.
Right, Mr Green, over to your H reference.
MR GREEN: I'm very grateful.
If we look at {H/2/25}. Now, at 5.16.3 you will
see:
"Fujitsu (not Post Office) has the capability to
inject a new 'transaction' into a branch's accounts.
This is called a balancing transaction. The balancing
transaction was principally designed to allow errors
caused by a technical issue in Horizon to be corrected:
an accounting or operational error would typically be
corrected by way of a transaction correction.
A balancing transaction can add a transaction to the
branch's accounts but it cannot edit or delete other
data in those accounts. Balancing transactions only
exist within Horizon Online ... and so have only been in
use since around 2010. Their use is logged within the
system and is extremely rare. As far as Post Office is
currently aware a balancing transaction has only been
used once to correct a single branch's accounts (not
being a branch operated by one of the claimants)."
Then 5.16.4:
"Database and server access and edit permission is
provided, within strict controls ... to a small,
controlled number of specialist Fujitsu ...
administrators. As far as we are currently aware,
privileged administrator access has not been used to
alter branch transaction data. We are seeking further
assurance from Fujitsu on this point."
Now, this letter was in 2016. Can you remember
being asked about these matters in 2016 at all, or was
it not directed to you?
A. I don't remember any specific requests, but I have been
working in this sort of area for a long time so -- yes.
Q. Okay. And in your witness statement you have also
referred to only one use of the tool, the point you have
made orally as well.
A. Correct.
Q. For a balancing transaction purpose.
A. For a balancing transaction.
Q. Can we please look now at {F/590}. 7 March 2010 is the
target date. We're looking at PEAK 0195561, which we
have already identified, and you will see this relates
to 4 March 2010 and this time we're going to look on the
first page, at the second box down, and you will see
there call 2083169:
"PM was trying to transfer out 4,000 pds. The
system crashed. PM was issued with 2 x 4,000 pds
receipts."
Do you see that?
A. Yes.
Q. And that's repeated at the bottom of that page.
If we go forward please to page 3 {F/590/3},
10 March 2010 at 8.51, which is the third box down,
Cheryl Card:
"After discussion with Gareth Jenkins, the suggested
correction is to negate the duplicate transfer out by
writing 2 lines to the BRDB_RX_REP_SESSION and
BRDB_RX_EPOSS_TRANSACTIONS tables, with:
"1) Product 1, Quantity 1, Amount 4,000.00, Counter
mode ID 7 ... 2), Product 6276, Quantity -1, Amount
4,000.00 ... This should be done using the transaction
correction tool. An OCP approved by POL will be
needed."
Now, just focusing on your time at Post Office,
I think at this time you're not really working on
Horizon any more, are you?
A. Correct.
Q. Did you hear on the grapevine of anyone at Post Office
being asked for authorisation for this sort of thing to
be done?
A. No.
Q. Once you arrived at Fujitsu did you have any involvement
in seeking approval, or discussions with Gareth Jenkins
about anything like this being done?
A. No.
Q. Did you know that Post Office's approval had been sought
for this particular transaction?
A. No.
Q. If we go forward please to page 9 {F/590/9},
22 April 2010:
"I have gone through the counter logs, OSR logs and
the DB dumps provided in the PEAK. Let's analyse this
from scratch."
Pausing here, you have acknowledged under legacy
there were sometimes problems with duplications within
the Riposte system, yes?
A. Yes.
Q. But we're not dealing with that system here, we're
dealing with Horizon Online, aren't we?
A. Yes. If it mentions OSR, certainly.
Q. Okay. The second paragraph of that says:
"PEAK has been raised when a clerk attempted to
transfer out of 4,000.00 from stock unit BB to MS. Due
to a system problem the transfer out doubled up, so when
the transfer in was done on counter 1 at 16.15, it was
for 8,000.00. The branch now has a lot of [£4,000]."
Do you see that?
A. Yes.
Q. And there's then some discussion and then if we come
down to:
"But, I have noticed that the retried request [with
an ID] ... was ignored by time out monitor in the
[Branch Access Layer] side and continued to execute.
But from the OSR.log file and OSR message log,
I couldn't find this request was failed due to the
duplicate JSN record in the journal table (which was
expected and the normal behaviour of OSR), didn't happen
in this case.
"I have requested for the journal table dump to
check whether duplicate JSN entries exists in the table.
But from the DB dump I couldn't find any duplicates."
Now, the whole point of JSN entries is that they
should not duplicate and if they are duplicates they
should not be committed to the database; that's right,
isn't it?
A. Yes. And I think you will see there that the retried
requests failed because there was already a journal
record in the database with that JSN.
Q. Well, let's just follow this through, if we may. If we
look now please at {F/594}, you will see that this is
PEAK 0195962. Do you see that? This is Cheryl Card
again.
A. Yes.
Q. And if we just go down to the yellow bar it says:
"The transaction correction tool has now been used
in live. The templates for use with this tool need to
be updated to correct some details."
Yes?
A. Yes.
Q. So the idea was to have templates so that the scripts
wouldn't have too many errors in them when they were
deployed.
A. Yes.
Q. And that PEAK refers in turn, we can see -- if we look
at {F/1095} please. We can see this is the OCP 25882.
Can you just tell his Lordship what an OCP is?
A. Operational Change Process I believe.
Q. And there's also an OCR, isn't there?
A. Yes, that is Operational Change Request, as I understand
it.
Q. And one is for the change to the front end and one is to
change the back-end. The OCP is for the front end and
the OCR is --
A. I don't know.
Q. You don't know. If we look at this document at
{F/1095}, the branch 226542 transfer out doubled up. We
can see:
"Due to a system fault, the branch did
a transfer out of £4,000 and a corresponding transfer in
of £8,000.
"Justification: correct a loss of £4,000 at the
branch due to a system fault ... extra detail: the
transfer in details were incorrectly doubled up when
they were written to the BRDB. This needs to be
corrected using the transaction correction tool."
Do you see that?
A. Yes.
Q. Now, on the face of it this appears to be consistent
with at least one use of the transaction correction tool
for one balancing transaction, yes?
A. Yes.
Q. And are you aware of any reason why Post Office couldn't
have just used a transaction correction for £4,000 to
correct the SPM's position?
A. If we -- the only reason that we would need to use the
branch transaction tool is if I got a one-sided
transaction.
Q. If you got a one-sided transaction?
A. Yes.
Q. Let's look, if we may please, at {F/485/1}. This is
PEAK PC0175821. Do you see that?
A. Yes.
Q. And the call status on the right is "Closed - solicited
known error." Do you know when that code is used or
not?
A. No.
Q. If you look down on 19 February 2009 at 17.39.40, can
you see:
"There are two sides to the problem relating to
these transactions. The first is where all five SC
transactions missing core data as described in the
above-mentioned KEL."
A. Yes.
Q. That's one aspect of the problem in this PEAK:
"Second is absence of equal but opposite
(ie settlement) lines. See PC0152014 for a similar
problem and how problem was resolved."
A. Yes.
Q. "For the first problem, I have used the TRT to insert
the missing data ie Region, Margin, Margin Product and
EffectiveExRate."
Now, pausing there, what does it look to you is
going on here?
A. It looks to me as though we are inserting into a totally
different database because it is TMS_RX so this is
the -- this is not the branch database.
Q. No. And also they seem to be using the transaction
repair tool.
A. Yes.
Q. Rather than the transaction correction tool.
A. Which I think would be what I have referred to as the
TIP(?) repair tool.
Q. Yes?
A. And TMS is -- yes, it's not part of the BRDB.
Q. But what we do see -- and this is in February 2009, so
this is Horizon Online, isn't it?
A. It could be ... 2009 was migration, so I don't for
certain know without looking further at whether this was
old or new.
Q. Would they be using the TIP repair tool with
Legacy Horizon?
A. Yes, the TIP repair tool has been used -- it was
basically moved across from legacy onto BRDB. It
fulfils the same function. It sits inside the -- I'm
sorry, I have forgotten the name of the database, but it
sits inside -- yes, TPS.
MR GREEN: Okay. Let's just take it --
MR JUSTICE FRASER: Do you want to continue with this one
now to the end?
MR GREEN: My Lord, if I may. I will try and take it
quickly.
MR JUSTICE FRASER: Well, yes, but don't take it quickly as
in speaking so quickly the witness can't really follow
you.
MR GREEN: I'm grateful.
MR JUSTICE FRASER: I don't want you to feel under pressure
of time at all on this, Mr Godeseth, so ...
A. Thank you, my Lord.
MR GREEN: If we look at 19 February 2009, 17.39.40, which
is the line we were looking at, do you see the two sides
of the problem relating to these transactions and we
just read this text?
A. Yes.
Q. "The first is where all five SC transactions missing
core data as described in the above-mentioned KEL."
A. Yes.
Q. And that appears to be the KEL reference at the top of
the page, "KEL obengc3120K", yes?
A. Yes.
Q. And the second point is the absence of equal but
opposite settlement lines. So what you've got there in
the data is not a zero sum basket, in the data. There's
half of it missing, isn't there?
A. That's what it appears to be saying, so to do it full
justice I would want to spend more time looking at it
but I ...
MR GREEN: I understand. Well, perhaps -- I don't know
whether it would be --
MR JUSTICE FRASER: How many pages are there in this PEAK?
MR GREEN: There are only three, my Lord, but you do have to
look at the KEL. I wonder if it would be fair to the
witness if he could be provided with a copy of this and
a copy of the PEAK 0152014 and KEL 017510 overnight so
he can consider those.
MR JUSTICE FRASER: Well, rather than just grandly say "Yes
he shall be provided", let's work out who is going to
provide it to him.
MR GREEN: He is not our witness, but we would be happy to
do anything we can.
MR JUSTICE FRASER: You are cross-examining him.
MR GREEN: Of course.
MR JUSTICE FRASER: Just pause one second.
Mr De Garr Robinson, it seems to me the witness
ought to be allowed to see those documents.
MR DE GARR ROBINSON: Absolutely, my Lord. This illustrates
the difficulty, particularly with using Magnum for this
kind of cross-examination.
MR JUSTICE FRASER: Well ...
MR DE GARR ROBINSON: I'm not complaining, but it would be
helpful and, my Lord, it would also be helpful it seems
to me if the witness is also given a copy of PC0175821.
MR JUSTICE FRASER: That's exactly what I was then about to
suggest because they are linked and the same problem has
arisen in that PEAK as well.
Mr Green, is the quickest and easiest way for you --
have you got unmarked copies?
MR GREEN: I don't, my Lord. I have only got mine marked
up.
MR JUSTICE FRASER: Have either of you got the facility to
print those documents relatively promptly?
MR GREEN: We can go back to chambers and print them off.
MR DE GARR ROBINSON: My Lord, we might be able to print
them off in a room we have just around --
MR JUSTICE FRASER: Perfect. I'm going to leave it to your
two joint good offices.
Mr Godeseth, unlike the usual warning "don't talk to
anyone about the case", you are allowed to talk to each
of these two gentlemen who are going to give you the
documents to look at.
A. Thank you, my Lord.
MR JUSTICE FRASER: I'm in no way limiting the time that you
look at them, it is completely up to you, you're going
to resume at 10.30 tomorrow, but just in terms of common
sense I wouldn't sit and stare at them every minute
between now and 10.30 tomorrow morning and that's not me
being flippant, everyone reacts differently when they
are presented with documents in the middle of their
evidence and I don't really want you to come back in the
morning having spent however many hours there are
between now and then just staring at endless PEAKs.
A. Thank you, my Lord.
MR JUSTICE FRASER: But other than that, please don't talk
to anyone about the case.
A. Understood.
MR JUSTICE FRASER: Does that deal with that issue?
MR GREEN: My Lord, yes.
MR JUSTICE FRASER: I don't think there is anything else?
No. So far as tomorrow is concerned ..?
MR GREEN: We are going to be finishing with Mr Godeseth in
the morning and then we don't know the position in
relation to Mr Membery and then we will finish with
Mr Parker.
MR JUSTICE FRASER: I will leave you to discuss that between
yourselves. Just let me know in the morning.
MR GREEN: Most grateful.
MR JUSTICE FRASER: So there's no housekeeping or anything
of that nature and I shall see everyone and you as well,
Mr Godeseth, at 10.30 tomorrow.
A. Thank you very much.
(4.33 pm)
(The court adjourned until 10.30 am on Thursday,
21 March 2019)