The Post Office recklessly published the names and addresses of 550 wrongfully convicted postmasters. But it takes a very different attitude to its own data privacy, running frivolous GDPR arguments to cover up its corporate failings.
This is how the Post Office protected the data privacy of the 550 wrongfully convicted postmasters:

But the Post Office was extremely protective of data privacy when I asked it how many personnel had been working on sorting out the tax mess it created for thousands of postmasters.
The Post Office took months to fix that mess and send out letters and “top-up” payments to postmasters… a task that a small team of competent accountants could have accomplished in weeks. That meant thousands of postmasters had to complete tax returns, and pay tax, entirely unnecessarily.
This was the Post Office’s reply to me:

That’s nonsensical: knowing the number of staff cannot lead to identification of the individuals. I asked the Post Office for a review, and said that if they disagreed they needed to explain how such an identification could be made.
The review just came back (delayed by months) and taking an entirely different line:

They claim that the number of people working on a project is “personal data” because it “relates to” the individuals:

That is a frivolous reading of the legislation. Almost everything to do with an organisation “relates to” the people who work there – that doesn’t mean that almost everything is “personal data”. It’s only if the information relates to and concerns an identifiable individual – that’s clear on general rules of legal interpretation, and basic common sense. It’s also clear in the Information Commissioner’s guidance.
The legislation tells us that the key question is: can the individual be identified, directly or indirectly:

And the obvious is that, even if the answer is that only one person was on the project, that answer wouldn’t able their identification.
When we first revealed that the Post Office had failed to do as it promised, and help the postmasters resolve the Post Office’s tax mess, there was a flurry of internal Post Office communications. Not to fix the problem, or work out what had gone wrong, but to manage the PR.
It’s pretty obvious that’s the real reason the Post Office refuses to tell me how many people were trying to fix its tax mess. The Post Office knows it insufficiently staffed the project, and is covering that up.
We’ll be referring this to the Information Commissioner’s Office.
Photo by Markus Spiske on Unsplash
10 responses to “The Post Office – reckless with postmasters’ personal data; abusing data privacy to protect itself”
This is complete rubbish from the Post Office (not that we should be surprised) – I have never seen anyone else in business make the argument that simply reporting how many people ‘do’ something is a potential breach of GDPR. I have seen (rightly) small numbers not reported where – for example – we are talking about am ability to work out from that small population which staff have a particular protected characteristic – but that is not remotely relevant here.
Keep up the good work – oh, and thanks for the piece on marginal tax rates – it continues to surprise me how few people seem to understand tax rates and how ‘at the margin’ a crazy tax rate can have massive behavioural implications. A family member is in that ‘bind’ of potential income just above £100k (with a small child, so impacted by the receipt of certain child support payments as well as the loss of personal allowances) – and the mental gymnastics required to work out salary sacrifice etc to avoid net income going above £100,000 is immense
THanks again
Simon
I suspect the answer is actually significantly less than one if we are talking full time equivalents. I am absolutely sure that I could have done the job in a matter of weeks given that the assumptions underlying the top up payments make the calculation utterly trivial. And that is what POL is trying to keep out of the limelight – understandably so. In fact with a spreadsheet and a list of HSS payments, I reckon my staff of 3 part-timers could knock this out in a week. Which we would gladly do at no charge. And this goes on, as HSS payments continue to be made even now. Not sure whether payments made now have the top up included or whether we will face the same charade again in January 2025 & 2026.
Incredibly Roderic Williams is still there as a lawyer which is mindboggling – he’s probably signing this stuff off!
You’re absolutely right to keep pushing this, Dan, because the Post Office is clearly just trying any old desperate tactic to avoid having to give out an embarrassing answer. Their handling of your FOI request is so transparently self-serving. Brazen, even. Despite the full glare of the inquiry into the scandal, the organisation has plainly learned nothing.
The did actually manage to disclose that the number of people working on the issue was fewer than 10 but the various reasons for not giving more accurate numbers are entirely nonsensical.
There are sometimes situations where disclosing an accurate number that is very small can lead to identifying people but this definitely isn’t one of them.
It seems increasingly clear the senior management of Post Office is wholly unfit to lead the company.
I suspect the answer is one and is therefore identifiable.
but how would knowing it was one make them identifiable?
My recent corporate training has been very clear that anonymised data is not restricted by GDPR.
If you are discussing fulltime equivalents, the number cannot possibly identify even the number involved. Just a theoretical minimum if they all actually worked fulltime and without any breaks/holidays, sickness, team changes, etc.