Microsoft restates commitment to OpenAI amid analyst note about datacentre expansion rollbacks

Microsoft has pushed back against claims its decision to cancel and defer at least 2GW of datacentre projects in the US and Europe is indicative of its “fraying relationship” with OpenAI.

US analyst TD Cowen published a research note on 26 March 2025 that suggested the public cloud giant had cancelled and deferred datacentre lease agreements in the US and Europe that would have increased its compute capacity by at least 2GW.

According to TD Cowen, the rollback was due to Microsoft’s decision not to support OpenAI’s incremental training workloads.

TD Cowen had previously said the two companies were involved in a “fraying relationship”, after Microsoft confirmed in January 2025 that the exclusivity cloud hosting deal between the two firms had been rejigged.

A Microsoft blog post, dated 21 January 2025, confirmed OpenAI had made a “large Azure commitment” that included “changes to the exclusivity on new capacity, moving to a model where Microsoft has a right of first refusal”.

This means Microsoft gets first refusal on whether or not it wants to host OpenAI workloads, but OpenAI also reserves the right to build its own capacity with other partners if Microsoft cannot meet its needs.

Microsoft has now issued a statement to Computer Weekly, pushing back on TD Cowen’s take on the situation, while also restating the strength of the working relationship between the company and OpenAI.

In reference to its decision to scale back its datacentre expansion plans, Microsoft said it’s “well-positioned” to meet the current and increasing customer demand it’s seeing for its services thanks to the “significant investments” it’s made in its infrastructure to this point.

“Last year alone, we added more capacity than any prior year in history,” said a Microsoft spokesperson. “While we may strategically pace or adjust our infrastructure in some areas, we will continue to grow strongly in all regions.

“This allows us to invest and allocate resources to growth areas for our future. Our plans to spend over $80bn on infrastructure this financial year remain on track as we continue to grow at a record pace to meet customer demand.”

Microsoft has been a partner in OpenAI since 2019, with the two firms previously stating that they were working towards a shared goal to “responsibly advance artificial intelligence research” while democratising the technology and making it accessible to all.

Around the same time that Microsoft released details of its reworked cloud hosting arrangement with OpenAI, the latter released details of its $500bn effort to expand the infrastructure underpinning its services through the launch of the Stargate Project.

Softbank, Oracle, MGX and OpenAI are the equity funders for the initiative, while Microsoft is listed as a technology partner.

In reference to its ongoing partnership with OpenAI, the Microsoft spokesperson said: “OpenAI continues to be a great partner. We remain committed to pushing the frontier of AI forward, driving innovation, and making cutting-edge models accessible to our customers and partners.”

Reassessing UK law enforcement data adequacy

The UK government says reforms to police data protection rules will help simplify law enforcement data processing, but critics argue the changes will lower protection to the point where the UK risks losing its European data adequacy.

Currently going through the committee stage of Parliamentary scrutiny, the Data Use and Access Bill (DUAB) will amend the UK’s implementation of the European Union (EU) Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018 and represented in Part Three of the act specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three could present a challenge for UK data adequacy.

The DUAB changes the law to allow routine transfer of data to offshore cloud providers, remove the need for police to log justifications when accessing data, and enable police and intelligence services to share data outside of the LED rules.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While the government argues that its reforms will simplify police data processing, critics say the proposals represent enough of a divergence from EU law that it will likely undermine the UK’s LED adequacy.

They add that many of the government’s changes to police data protection rules are a response to a widespread lack of compliance with key provisions in the DPA 2018, such as the need to log justifications when accessing data or implement controls that limit the offshoring of sensitive law enforcement data to non-law enforcement bodies, including cloud providers.

Computer Weekly contacted the Home Office about every concern raised, and the threat to the UK’s LED adequacy created by the government’s proposed changes to the law enforcement data protection regime.

“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK’s adequacy decisions in mind when producing this bill,” said a spokesperson.

“Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”

The adequacy process

In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the European Commission (EC) will have to periodically assess whether the country’s data protection framework and practices provide an essentially equivalent level of protection for EU citizens’ data.

The EC will therefore have to make two separate adequacy determinations under both the General Data Protection Regulation (GDPR) and LED by the end of June 2025.

Data protection experts previously claimed to Computer Weekly in February 2021 that any adequacy decision made under the LED would be principally political in nature if it fails to directly address how the data practices of the UK’s criminal justice sector and intelligence services undermine the data and fundamental rights of EU citizens. If this is not addressed, they said a positive adequacy decision could be open to legal challenges in the European courts.

In October 2024, the UK Parliament’s European Affairs Committee (EAC) – in a warning about the risks of the UK losing its data adequacy – highlighted many of the same issues as the experts Computer Weekly spoke to, noting these would be of “interest and potential concern” to both the EC and European Court of Justice (CJEU) as they consider the UK’s adequacy statuses.

This includes potential divergence on data protection standards that would make it harder for people to exercise their data rights; the possibility that the UK government undermines end-to-end encryption; the independence and effectiveness of the Information Commissioner’s Office (ICO); aspects of the UK’s national security regime under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the role of the Investigatory Powers Tribunal; and any legal cases which provide grounds for concern about UK data protection standards.

The EAC also highlighted potential risks posed by onward transfers of data from the UK to other third countries, including under the UK-US Cloud Agreement.

However, the EAC’s findings were published a day before the DUAB was announced, and two days before the text was published online, meaning its inquiry focused on the previous government’s Data Protection and Digital Information (DPDI) Bill – which was dropped from the legislative agenda during the UK’s pre-general election “wash up” period.

While the EC’s adequacy decision will rest on the exact contents of DUAB – for which there is still no official Keeling Schedule – it will be looking to assess whether the framework provides an essentially equivalent level of data protection for EU citizens’ data.

While some of the more controversial measures contained in the previous DPDI Bill – including removing the need for data protection impact assessments and abolishing the dual biometrics and surveillance camera commissioner role – have been dropped in the DUAB, many aspects of it have been carried over.

There are also a number of new measures that may create fresh adequacy-related problems, particularly changes to the international data transfer regime for police.

While an amendment to the DUAB was tabled by Liberal Democrat peer Lord Clement-Jones that would have required the secretary of state to carry out a formal impact assessment of the bill concerning the UK’s data adequacy, government ministers argued against it during the Lords first committee stage on 16 December 2024.

Responding to Clement-Jones during that debate, Baroness Jones, parliamentary under-secretary of state at the Department for Science, Innovation and Technology (DSIT), said maintaining adequacy was a priority for the government, noting that the free flow of personal data with the EU is vital to research, innovation and safety.

“For that reason, the government is doing all that it can to support its swift renewal. I reassure noble Lords that the bill has been designed with EU adequacy in mind,” she said.

“The government has incorporated robust safeguards and changed proposals that did not serve our priorities and were of concern to the EU. It is, though, for the EU to undertake its review of the UK, which we are entering into now. On that basis, I suggest to noble Lords that we should respect that process and provide discretion and not interfere while it is underway.”

A similar position has been adopted by information commissioner John Edwards, who in response to the DUAB said: “Whilst ultimately a decision for others, in my view the proposed changes in the bill strike a positive balance and should not present a risk to the UK’s adequacy status.”

However, the position of the UK government and ICO differs significantly from the views of a number of specialists familiar with both the EU LED and the UK DPA Part Three. Computer Weekly contacted the Home Office about what robust safeguards have been put in place, and which DUAB proposals have been changed that were of concern to the EU, but received no response on this point.

National security or law enforcement?

Chris Pounder – director of data protection training firm Amberhawk – wrote in a blog post that the DUAB would allow the secretary of state to designate that certain police datasets can become subject to Part Four national security rules, rather than Part Three law enforcement rules, over which the ICO has limited enforcement powers.

“The proposal has the effect of taking large volumes of personal data out of the UK’s data protection regime,” he wrote.

Part Four processing is also completely separate from the LED or GDPR and has no equivalent in EU law, effectively lifting police data out of the scope of EU law in instances where the secretary of state decides police and intelligence bodies can share the data.

Computer Weekly contacted the Home Office about the removal of policing data from the data protection regime, but received no on-the-record response on this point.

Pounder further noted that while the ICO is being abolished in favour of the “Information Commission”, the problem remains in the DUAB that the secretary of state will be able to appoint the most important members of the Commission, which has the potential to give them undue influence over the new body’s decision-making processes.

“The Commission still has to have regard for: the desirability of promoting innovation and competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard national security,” he wrote. “In other words, these ‘regards’ could fetter decisions to protect the privacy of data subjects.”

Pounder added the DUAB will also permit the secretary of state to apply a “data protection test” when considering whether a country, part of a country, or a controller located in a country offers an adequate level of protection.

He said the provisions will increase the risk of divergence from EU transfer standards if the EC and UK government have differing views on what “adequate” means here. “Also I don’t understand how a country is not deemed adequate, but a controller, processor, or recipient located in that country is,” Pounder added.

While the UK has already taken steps to award its own law enforcement adequacy to countries not recognised by the EU – including the Isle of Man, Jersey and Guernsey – the EU has not yet reacted to these changes.

Thomas Barrett, a partner at CyXcel who leads the organisation’s data protection and privacy practice, and has previously advised the Home Office and Ministry of Justice on compliance with the DPA 2018, said there are certain scenarios where specialist police units within forces may have to collaborate with intelligence services for particular operations – for example, in terrorism cases where intelligence services have information but no power of arrest as police do – adding while “it raises red flags … I would be surprised how many of these are made”.

He added that in cases where this power is used, it has the potential to be “more targeted, more proportionate, and safer,” because only one set of data protection requirements would apply to this processing, rather than potentially three currently.

As a result, Barrett said the changes being made to UK law via the DUAB are very unlikely to materially affect the country’s LED adequacy.

“It would be counter-productive to remove adequacy over such small changes … there’s so much [law enforcement] cooperation. … Looking at the detail, I struggle to see how you really make hay of a lot of it.”

He said the real risk to LED adequacy therefore lies at “the political level”, which will be decided between the EC and the UK government.

Law enforcement transfers

Independent privacy consultant Owen Sayers, a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector, said for the first time UK legislation would place individual data processors – such as cloud providers – on the same broad footing as overseas law enforcement organisations, exempting them from the list of mandatory transfer conditions outlined in Article 39 of the LED.

This includes that the transfers be strictly necessary, that no data subject rights override the public interest of the transfer, that transferring to another policing body – or “competent authority” in LED parlance – would be ineffective, and that the controller provides specific instructions of how to process the data in that particular case.

Under the UK’s current law enforcement-specific data protection rules, police data controllers are bound by the DPA 2018’s stringent transfer requirements, which fully mirror EU law.

This means that, as it stands, each individual law enforcement data controller must ensure that a contract in writing exists between itself and the data processor, which sets out details of the processing, including its duration, nature, and the type and categories of personal data involved. To be valid, the contract or terms of service must be explicit in how they meet the DPA requirements.

Police data controllers are also required to ensure the processor seeks and receives permission before transferring data to a third country, for each particular transfer made. This means each transfer must be assessed on a case-by-case basis.

Police data controllers are further required to perform a case-by-case analysis and justification for all personal data offshored to such processors, and to report this to the ICO. Although police forces have used Microsoft and Amazon Web Services services for the past six years – meaning millions of these transfers will have taken place – the ICO revealed in a Freedom of Information (FoI) response to Sayers that only 148 such notifications had been received up to June 2023.

As previously reported by Computer Weekly, the use of hyperscalers under current UK law presents a number of data protection concerns, including US government access via the country’s invasive surveillance laws, and an inability to comply with the strict transfer requirements contained within the DPA 2018.

In June 2024, Computer Weekly reported details of discussions between Microsoft and Scottish policing bodies – obtained via FoI rules – in which the tech giant admitted it could not guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

As a result of these FoI responses, Sayers said the law is breached far more often than it is adhered to: “The evidence to show that multiple parts of the Part Three legislation are consistently breached or simply ignored by policing and their justice partners is overwhelming. In truth, the number of organisations who do apply the law as it’s currently written is less than a handful, though those that do so do it very well.”

Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), said these issues mean it is an open question whether cloud providers can adhere to Part Three requirements in practice. “Given the issues around sovereignty, is a cloud provider able to enforce the contractual agreements entered into with the police? I think that’s an issue that would cause concern,” he said.

Delli Santi pointed out that, since the re-election of Donald Trump, the US government has broken several adequacy-related commitments made to the EU around enhancing scrutiny and ensuring the proportionality of its intelligence services’ operations.

“The Trump Administration fired members of the Privacy and Civil Liberties Oversight Board, and then doubled down with the Federal Trade Commission. Both bodies were fundamental pieces of the EU-US Data Protection Framework [DPF] which, at this point, is quite certain to be struck down by the CJEU,” he said, adding the UK-US Data Bridge, which acts as an extension of the DPF, will also go down if the EU invalidates the framework.

“It has now become obvious that the EU-US DPF will not last for long, and it has just as obviously become unfeasible to rely on US cloud providers for storing personal data unless you are willing to compromise the security and sovereignty of the data you transfer. Indeed, European lawmakers have already started to discuss this.

“Based on all the above, it is now a fact that relying on US cloud services constitutes a threat to the sovereignty, security and autonomy of the UK. Until now, this has been treated as a risk-mitigation issue at best, or something to be swept under the carpet at worst.”

Highlighting the lack of clarity from the UK data regulator around cloud data sovereignty and the applicability of standard contractual clauses in this context, delli Santi said this has created a grey area in which transfers have been allowed to continue.

“The UK government, on their side, have tried to formalise this approach with the DUAB, which introduces a new data transfer regime specifically designed to accommodate the ICO’s ‘tolerant approach’ toward data transfers that lack effective safeguards, and allow data transfers to countries such as the United States by sidestepping human rights and data security concerns.”

He added that “the UK needs an exit plan to progressively cut reliance on US digital infrastructure and services – and we need this plan fast”, which includes contingencies to move away from holding companies or subsidiaries of US firms geographically based in Europe, which still fall under US jurisdiction.

“Any of these companies are under an obligation to cooperate with law enforcement and international security authorities in the United States, which can be ordered to hand over data without necessarily having to tell the contracting party,” said delli Santi.

According to the government’s explanatory notes published for the DUAB in October 2024 (paragraph 1022), Schedule 8 of the bill seeks to widen the transfer conditions “by expanding the list of intended recipients to specifically include processors acting on behalf of, and in accordance with a contract with, a controller”.

It added that while transfers to processors in third countries are currently permissible, “this amendment clarifies the existing law and provides legal certainty to UK controllers that they can transfer personal data to their processors operating outside of the UK”.

The explanatory notes also specify that the DUAB will no longer require “controllers to notify the commissioner on each occasion data is transferred; it simply requires notification of the categories of information” that will be transferred.

However, Sayers argued that even if the US government does utilise its various surveillance laws to gain access to UK data, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.

“These steps are not being followed, and Microsoft has made clear that they cannot be followed – actually, they’ve said ‘impossible to operationalise’. Because the steps laid down in the DPA 2018 Part Three are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law,” he said.

“It makes zero difference if the US government bogeyman tries to use the Cloud Act to look at the data or not, as the data was illegally transferred regardless of the Cloud Act.”

He added: “The intention [of the new DUAB] is to put non-UK processors – principally hyperscalers – on the same broad legal footing as overseas law enforcement organisations.”

He pointed out that the bill would enable UK policing bodies to send data overseas to offshore processors with minimal restrictions. “The bill actually puts overseas processors above overseas law enforcement processors, in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subject’s rights in advance of sending the data.”

Sayers added that while these and other changes to Part Three would be directly contradictory to EU law, the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and thus moving to block UK data transfers.

He further added that individual member states may also deem UK laws to be too divergent from their domestic laws to continue to send data, noting the chance of this is high given there are 27 member states, each with their own implementation of the LED.

“You can 100% use cloud for law enforcement data, but it needs to be sovereign and fully conformant with the law. If you need to change the law to accommodate a specific provider, then you’ve picked the wrong supplier.”

Computer Weekly contacted the Home Office about the changes to the law enforcement data transfer regime, and UK policing’s track record of non-compliance with existing data rules via its use of hyperscalers.

A Home Office source told Computer Weekly that the use of cloud providers, in particular, has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security, and high standards of protection will continue to be applied.

‘Systemic’ transfer issues

Clement-Jones highlighted how cloud service providers routinely process data outside the UK and are unable to provide necessary contractual guarantees to policing bodies, as required by Part Three. “As a result, their use for law enforcement data processing is, on the face of it, not lawful,” he told the House of Lords.

He added this non-compliance creates significant financial exposure for the UK, including potential compensation claims from data subjects for distress or loss, something that is exacerbated by the sheer volume of data processed by law enforcement bodies: “If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually.”

Clement-Jones concluded that the government’s attempts to change the law suggest that past processing on cloud service providers has not been compliant with the relevant data protection laws.

As a result, he proposed an amendment “to bring attention to the fact that there are systemic issues with UK law enforcement’s new use of hyperscaler cloud service providers to process personal data”, which would strictly limit overseas transfers to law enforcement bodies with “a legitimate operating need” – that is, not cloud service providers.

While the Lords were not invited to take a decision on Clement-Jones’s hyperscaler amendment, government minister Baroness Jones said the DUAB’s “bespoke path for personal data transfers from UK controllers to international processors is crucial … [as] we need to ensure that law enforcement can make effective use of them to tackle crime and keep citizens safe”.

She added the aim of the DUAB’s reform around international law enforcement transfers “is to provide legal clarity in the bill to law enforcement agencies in the UK so that they can embrace the technology they need and make use of international processors with confidence”.

She added: “Such transfers are already permissible under the legislation, but we know that there is some ambiguity in how the law can be applied in practice. This reform intends to remove those obstacles. The noble Lord would like to refrain from divergence from EU law. I believe that in this bill we have drafted the provisions, including this one, with retaining adequacy in mind.”

Barrett said the DUAB will clarify the law in ways that make it easier to put in place contractual provisions and other measures that adequately protect the data: “One of the biggest problems in data protection generally, but particularly here, is a lack of understanding and a lack of clarity … anything that can make it clearer and easier to follow for individuals that have to apply this stuff can only be a good fit.”

Sayers made a similar argument, noting that while many data protection practitioners believe the EU or UK GDPR to be the gold standard of legislation, they “simply fail to recognise that GDPR has a sister piece of legislation in the LED that is sufficiently different that you cannot apply GDPR thinking to it”.

He added: “This is a problem I see day in, day out, where a GDPR hammer is used to try to fix an LED nail, and even the ICO is not immune to confusing the two different sets of laws.”

According to delli Santi, the approach to transfers under the DUAB as it stands is “formalising an approach that has already been changed”. He added that given the deep commercial, governmental and cultural ties between the UK and EU, “the impact of divergence is amplified significantly”. 

Police data logging requirements

The DUAB as introduced will also seek to remove the statutory logging requirements of Part Three, which would allow police to access personal data from various police databases during investigations, without having to manually record the “justification” for the search.

The removal of police logging requirements, however, could represent a further divergence from the EU’s LED, which requires logs to be kept detailing how data is accessed and used.

“The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data,” says the LED.

Clement-Jones told Computer Weekly that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could “absolutely” be a problem for the UK’s LED adequacy retention. He added that given these clear access and control issues, the potential removal of police logging requirements is “egregious”.

Computer Weekly contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.

Speaking during the 16 December Lords debate on the bill against the removal of justification logging requirements, Clement-Jones said: “The public needs more, not less, transparency and accountability over how, why and when police staff and officers access and use records about them.”

He added that while policing systems typically capture when, how and by whom data has been accessed, they “very rarely” capture the justification. This is despite the fact that Article 63 of the LED provided a grace period from May 2018 to May 2023 for member states to implement justification recording mechanisms to bring their legacy systems into compliance with the directive – new systems procured from May 2016 onward were required to comply from the start.

To alleviate the issue, Clement-Jones tabled a further amendment to ensure the logging requirements remain, which would “prevent material divergence from the EU Law Enforcement Directive”, although this was also withdrawn.

He also highlighted that “many commodity IT solutions” procured by policing organisations do not capture justifications by default, noting that while a “transitional relief” period was put in place with the introduction of DPA 2018 to modify legacy systems installed before May 2016 – later extended to May 2023 – UK law enforcement bodies did not in general make the required changes.

“Nor, it seems, did it ensure that all IT systems procured after 6 May 2016 included a strict requirement for LED-aligned logging. By adopting and using commodity and hyperscaler cloud services, it has exacerbated this problem,” he said, noting the government now wishes to strike the justification requirements completely.

“This is a serious legislative issue on two counts: it removes important evidence that may identify whether a person was acting with malicious intent when accessing data, as well as removing any deterrent effect of them having to do so; and it directly deviates from a core part of the law enforcement directive and will clearly have an impact on UK data adequacy.”

DSIT claims that removing the logging obligation will save 1.5 million police officer hours a year and save £42.5m for the public purse, but Sayers pointed out that the published impact assessments don’t so far evidence these claims.

“The reality is that most police IT systems don’t have the means to capture the required data,” said Sayers, who was previously involved in the design and delivery of many UK national police systems.

“The factsheets identify this technology problem, which exists on cloud as well as legacy systems like the PNC [Police National Computer], but instead of addressing the issue the government simply want to strike the difficult bits out of the act.”

He added: “The real reason they don’t want to capture the information is they’ve failed to invest any money in upgrading the legacy IT, and the new systems they’ve adopted don’t capture that information by default – and can’t be made to do so.”

DSIT claims that capturing “justification is likely to be of little use in a misconduct investigation”, but Sayers poured cold water on this.

“Public trust, the safety of vulnerable people, as well as the protection of police staff from claims of improper conduct, all rest on being able to prove that access to data was legitimate,” he said.

Home Office figures show police staff misuse of data to be a significant issue, with 1,630 recorded cases investigated in the year to March 2023, the last figures available.

However, Barrett said the removal of justification logging is not a problem, adding it’s more important to have the ability to track who accessed data and when, “because if you’re a bad actor you’re not going to put down the real reason … if you’ve already got access to these kinds of systems, you’re not an idiot, and so you’re going to put something like ‘routine checks’ or some other bland, uninteresting, non-determinative thing”.

He further added that inputting justifications only increases the administrative burden on police, and that while it is very common, even in much older computer systems, to be able to log time and dates, many systems are simply not architected to record justification.

He added: “We’d be much better off making sure that all the systems are really good at recording time and access, because the reality is, in your investigation, that’s going to be the thing that you’re looking at. Not whatever fanciful thing a bad actor has decided to enter as the fake justification for the access.”

During the DUAB debate, Baroness Jones insisted the removal of logging requirements “is not a watering down of provisions. We are just making sure that the safeguards are more appropriate for the sort of abuse that we think might happen in future from police misusing their records.”

While the DUAB has since progressed to readings in the House of Commons, the police data issues were not addressed – outside of vague references to reducing the administrative burden on police officers. It is currently in the committee stage, which will be followed by the report stage and a third reading.

So far, the police data issues have not been discussed during the committee stage.

UK law enforcement data adequacy at risk

The UK government has introduced its Data Use and Access Bill (DUAB) to Parliament, but proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).

Currently going through the committee stage of Parliamentary scrutiny, the DUAB will amend the UK’s implementation of the EU Law Enforcement Directive (LED), which is transposed into UK law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three – which include allowing routine transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules – could present a challenge for UK data adequacy.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government’s DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.

For example, while the DPA 2018 does allow for overseas transfers to “non-law enforcement recipients” – that is, cloud providers – this is only permissible if the data controller can show it is strictly necessary to do so. This means information can only be sent on a case-by-case basis for specific, limited purposes when there is no other, less intrusive means of achieving the same goal.

However, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global “follow-the-sun” model.

To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.

Commenting on the transfer issue during a DUAB debate in the House of Lords, Liberal Democrat peer Tim Clement-Jones highlighted how, as it stands, cloud service providers routinely process data outside the UK, and are unable to provide necessary contractual guarantees to policing bodies as required by Part Three: “As a result, their use for law enforcement data processing is, on the face of it, not lawful.”

He added: “The government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR [General Data Protection Regulation] and the DPA.”

Through the DUAB, the government has also expanded the list of lawful recipients to now include “a processor whose processing … is governed by, or authorised in accordance with, a contract with the controller that complies with section 59”, which outlines key elements that must be contained in any contract between a law enforcement controller and processor. 

This includes specific details of the exact types of data, the categories of data subjects and the specific purpose of the processing, as well as explicit guarantees from the processor about how it will comply with all the requirements of Part Three.

However, given the international nature of the data sharing that takes place on commodity hyperscale architecture, cloud providers are either unable or unwilling to make contractual guarantees that satisfy all aspects of Part Three.

As Microsoft told the Scottish Police Authority (SPA), in relation to its Azure-hosted Digital Evidence Sharing Capability, the company “cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise”.

All of this effectively means that under the DUAB, the data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to LED conditions around strict necessity.

Similarly, while the LED provided a five-year grace period to ensure all legacy police systems could record justification logs for why a particular piece of information has been accessed – with systems procured after May 2016 required to have this capability from the start – most policing systems in the UK still do not have this capability.

Instead, the UK government has simply removed the requirement to record these justifications, arguing that the change will save police time and that the data has little evidentiary value because people are unlikely to record an honest justification anyway.

According to Owen Sayers – a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector – changing the law in this way will permanently diverge UK law from the LED requirements.

He added that while UK police have been breaking the law in practice since the DPA came into effect in May 2018, the law they were breaking was at least aligned to those in the European Union.

“Even though in practical terms the UK hasn’t actually been protecting personal data as they’re required to under the LED, their law did at least give recourse to a data subject to take action about this processing (even if no one actually did so),” he said.

“Once DUAB comes into force, however, the landscape has totally changed. Not only will UK law enforcement bodies be sending massive amounts of personal data (including a lot of data about EU citizens) offshore to a range of countries not deemed adequate by the EU, but UK law will have changed to make it legal for them to do so.

“By making these changes under DUAB, the government have thrown into sharp relief that law enforcement bodies are breaching the law today – they’ve literally confirmed it by modifying the law to give Microsoft and AWS this special status.”

Computer Weekly contacted the Home Office about the threat to the UK’s LED adequacy created by the government’s proposed changes to the law enforcement data protection regime.

“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK’s adequacy decisions in mind when producing this bill,” said a spokesperson. “Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”

A Home Office source told Computer Weekly that the use of cloud providers in particular has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security and high standards of protection will continue to be applied.

T-Levels not attracting as many students as hoped

Interest in T-level qualifications was overestimated by the Department for Education (DfE), according to a report by the National Audit Office (NAO).

In its Investigation into introducing T-levels report, the NAO claimed the DfE overestimated the number of students who would choose the T-level route post GCSE. Some 25,508 students started a T-level in September 2024, which – while a 59% year-on-year (YoY) increase – represents only 42% of the DfE’s estimate made in November of 2022.

Originally, the DfE had aimed to have 100,000 students starting a T-level in September of this year, though it has revised its numbers due to slower-than-expected uptake, with its latest model showing around 50,000 to 60,000 students will be taking T-levels by September 2027.

Gareth Davies, head of the NAO, said: “T-levels were developed to provide crucial qualifications and industry experience to students, allowing them to go on to further education or begin roles in skilled jobs.

“They have the potential to offer new opportunities for young people and address critical skills gaps across the economy. Although the Department for Education has made progress in delivering the wide range of courses available, efforts must be made to increase student numbers and realise all the potential benefits of T-levels.”

T-levels have been in the making since 2016, when the Independent Panel on Technical Education recommended more of a focus on technical skills development in the UK.

T-levels were pitched as qualifications which would provide these necessary skills for particular roles in line with what the UK needs for economic growth, particularly as the government has continually highlighted its ambitions of becoming a global “tech superpower”. But there are a number of skills gaps across the UK, with concerns among employers that there are not enough skilled workers to fill technical job roles – so, are T-levels the answer?

As of this year, there are 21 T-levels available to study, including in digital infrastructure and support services, digital production design and development, and engineering, with more expected in the future once some kinks have been worked out with the course content.

One of the common complaints made by employers about graduates of tech courses is that they don’t necessarily have the skills needed to fill the roles, with many stating that internal skills and talent development is a potential answer – something T-levels may address through the number of hours participating students spend on placements gaining real-world skills.

So far, 98% of students who have taken part in a T-level have done an industry placement, though the Department for Education has been facing difficulties trying to raise awareness about T-level qualifications among students. Since the number of students who can take T-levels is dependent on industry placements, the DfE has concerns a lack of willing industry participants could have an impact on possible student uptake in the future.

Attainment is also something to note: the percentage of students attaining their T-levels has dropped as more subjects have been introduced, with 89% of students achieving at least a pass last year, a YoY drop from 94% in 2023, and a drop from 97% in 2022.

T-levels also typically cost more to run than other Level 3 qualifications – the DfE provides T-level providers with between £5,500 and £7,000 per T-level student, compared with a maximum contribution of £4,800. By the end of this month, an estimated £1.25bn will have been spent by the Department for Education on T-levels since their inception.

The NAO made a number of recommendations in its report to address the lack of student numbers, as well as delays in expanding the number of T-levels available. As industry placements are a vital part of offering T-levels, the NAO urged engagement between local education providers and employers to ensure the types of T-levels and the skills learned match the technical skills needs of that particular area.

It also recommended the DfE develop a system to ensure the impact on T-levels is considered as part of any strategic changes to the development of technical education.

But many in the industry are invested in the success of T-levels as a solution to the sector’s skills gaps. Bev White, CEO of recruiter Nash Squared, has reported on Computer Weekly that T-levels could be the answer to filling industry roles where skills may currently be lacking.

She said: “My message to employers is to be curious about T-levels, lean in. They could be a fantastic source of fresh new talent for your business. Hundreds of employers have already hosted T Level students on industry placements, and that number is set to grow.”

Understanding of ‘black box’ IT systems will reduce Post Office scandal-like risk

Another Post Office scandal could be avoided if leaders in public bodies understand the “black box” IT systems that run their organisations and encourage a “speak up” culture, according to a Parliamentary report.

In its latest report, Recognising and responding to early warning signs in public sector bodies, the Committee on Standards in Public Life cited the Post Office scandal, among others, to highlight failures in public bodies.

In his foreword, committee chair Doug Chalmers, a former British Army officer, said the Post Office Horizon, Grenfell, Windrush and infected blood scandals are “very different in nature” but all had “a catastrophic impact on human lives”.

“It isn’t hard to find common themes among these scandals – a failure to listen to and act on concerns raised, a failure to learn lessons from similar incidents, and a failure to identify and share emerging risks,” he wrote.

The Post Office scandal was fuelled by all of these failures and more. The Post Office management ignored subpostmaster pleas that the Horizon IT system was causing unexplained account shortfalls and failed to investigate them, choosing to blame the subpostmasters for discrepancies that didn’t exist outside the IT system.

The failures went way beyond the Post Office itself, with its government owner neglectful of the so-called “arms-length” body. Meanwhile, Fujitsu, the supplier of the controversial IT system, made the Post Office aware of problems with Horizon but did not make them public. The supplier’s staff even gave evidence during the trials of subpostmasters, who were charged with crimes of dishonesty, where they wrongly stated that Horizon could not have been responsible for the unexplained shortfalls in branch accounts.

The Committee on Standards in Public Life report said “black box” systems like Horizon, which not only ran the accounts of thousands of Post Office branches but also provided data to prosecute people, must be understood by leadership teams.

Systems like Horizon are described as black box because it is clear what is input and output, but not the workings in between.

“Leaders of organisations that use ‘black box’ systems should be asking themselves whether they are confident that they have sufficient understanding and oversight of how these systems operate or whether they need greater assurance about their use,” said the report.

Beyond the system itself, the report said people need to be empowered to “speak up” when they see failures. During the Horizon scandal, which began when the system was introduced in 1999/2000, dissenting voices were silenced and the Post Office managed to keep a lid on talk about Horizon problems until 2009, when Computer Weekly helped campaigning former subpostmasters make the Horizon problems public. In that time, huge suffering had been inflicted on subpostmasters, who were blamed and punished for unexplained accounting errors, including hundreds being wrongfully imprisoned.

Beyond the human suffering, the scandal, which could have been prevented following warnings in the late 1990s, is set to cost UK taxpayers billions of pounds.

The report foreword advised on what organisations can do to increase the “likelihood of risks and issues being uncovered”.

“Culture and leadership, at all levels, are central to ensuring that these processes are effective. And that building an organisation where it is second nature for people to speak up about concerns is an art and not a science,” it stated.

“It is not always easy to speak up – it requires moral courage to be the person who says, ‘I’m not sure this is going to plan’ or, ‘Is there a risk that if we do X, it will have these negative consequences?’”

According to Neil Gordon, a professor in computer science at Hull University and chair of the British Computer Society’s ethics group, the report also makes interesting reading for computing professionals beyond the public sector. “As professionals, we should be acutely aware of the impact of systems, whether safety-critical or apparently more mundane, such as accounting software.”

He added: “There is a need for those providing and supporting such systems to make sure our customers and users appreciate their limitations and deficiencies. Furthermore, this illustrates the need for all organisations – public or not – to consider their mechanisms for identifying risk and harm, and encouraging open dialogue with employees and others to address them.”

Gordon said IT experts can play a pivotal role in preventing organisational failure by analysing data to identify risks as early as possible and help in decision-making.

“Artificial intelligence [AI] may be an effective way to do that, provided the systems are themselves developed appropriately. Emerging technologies – from AI to quantum – will create new opportunities to promote human welfare, but equally, they can do harm,” he told Computer Weekly.

“Whilst the report presents a strong way forward, the need for different mechanisms – whistleblowing and scrutiny by the press – remains and we welcome progress of support for those who do raise valid concerns,” added Gordon. “This also highlights the importance of codes of conduct and that we all have a duty to take on responsibility so we can reduce the likelihood of the sorts of historical failures described in the report, and to minimise the damage where they occur by identifying the problems early and raising the alert.”

A Post Office spokesperson said: “We will examine the report and any learnings in detail. The Post Office has made a number of cultural changes in recent years, including the appointment of serving postmasters to the board, and we operate a ‘speak up’ whistleblowing service enabling our employees and postmasters to raise concerns in confidence and anonymously if preferred.”

Computer Weekly first exposed the scandal in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to Horizon accounting software, which led to the most widespread miscarriage of justice in British history (see below timeline of Computer Weekly articles about the scandal since 2009).

Inside Amazon’s robot-powered warehouse

1 April 2025

In this week’s Computer Weekly, we go behind the scenes at Amazon’s robot-powered Swindon warehouse to see how AI and humans are working together. We examine the state of open source licensing and find out how it’s affecting datacentre operators. And we visit a 130-year-old wine and drinks company to find out how technology has brought operations into the modern age. Read the issue now.

Apple devices are at ‘most risk’ in UK following government ‘backdoor’ order

Users of Apple devices in the UK are “at the most risk in the world” of being hacked, following a secret government order requiring the tech company to allow ‘backdoor’ access to its users’ encrypted data, the House of Lords heard on Monday 31 March.

Liberal peer Paul Strasburger pressed the government to answer questions about a decision by the home secretary, Yvette Cooper, to issue a secret notice against Apple.

The order, first reported in the Wall Street Journal, extends law enforcement and intelligence services’ access to encrypted data stored on Apple’s iCloud to include users of Apple’s secure Advanced Data Protection (ADP) service.

In questions posed in the House of Lords on Monday, Strasburger said the government had “demonstrated its disdain for the privacy and digital security of British citizens and companies” by issuing the technical capability notice (TCN) against Apple.

The Liberal peer said the order would introduce weaknesses to encryption on Apple devices that could be exploited by criminals and hostile states.

“Strong encryption is essential to protect our data and our commerce from attack by organised crime and rogue states,” he said. “Any weakness inserted into encryption for the benefit of the authorities is also available to those who would do us harm – yet that is precisely what the government are demanding from Apple.”

Tribunal held closed-door hearing

Apple is challenging the legality of the government’s order in the Investigatory Powers Tribunal (IPT), which discussed arguments in a closed-door hearing on 14 March.

Civil society groups Privacy International and Liberty, along with two individuals whose security has been impacted by the government’s order against Apple, have filed separate legal interventions.

Ten newspapers, publishers and broadcasters – including Computer Weekly – have also filed legal submissions calling for Apple’s appeal against the widely publicised order to be heard in open court on public interest grounds.

Non-affiliated peer Claire Fox said it was not possible for Apple to open doors to its customers’ data in a way that would ensure that only the police and intelligence services would have access to its users’ encrypted data.

“It is obvious that criminals, foreign adversaries and others would exploit that weakness,” she said.

Fox said it was baffling if the Home Office was choosing to “bully tech companies into undermining their users’ privacy, security, civil liberties and free speech” while at the same time seeking to establish the UK as a leading hub for innovation and technology.

Liberal Democrat peer Tim Clement-Jones told the Lords that the government could be in breach of the European Court of Human Rights following a key judgment by the court last year.

In the case of Podchasov v Russia, the European Court of Human Rights found that weakening end-to-end encryption or creating backdoors could not be justified under human rights law.

Labour peer Toby Harris asked what consideration had been given to the trade-off between the “general weakening of security and confidentiality” compared with the gains made by the security services in being able to decrypt data stored by Apple.

Home Office minister and Labour peer David Hanson repeatedly declined to answer questions from peers, citing national security reasons.

“We have a long-standing position of protecting privacy while ensuring that action can be taken against child sexual abusers and terrorists,” he said.

“I cannot comment on operational matters today, including neither confirming nor denying the existence of any notices. This has been the long-standing position of successive UK governments for reasons of national security.”

Conservative peer Daniel Moylan pressed Hanson to comment on Apple’s decision to publicly withdraw its ADP encryption service from the UK, even if he could not comment on whether a notice had been issued.

He also asked the Home Office minister whether the US and UK governments had held any high-level discussions about the order against Apple.

Bloomberg reported on 13 March that the US and UK governments were holding private talks in an attempt to resolve US concerns that the UK was trying to force Apple to create a backdoor that would allow the UK access to encrypted data belonging to US citizens.

Hanson said he could not comment on the matter.

“Decisions made by Apple are a matter for Apple, and the removal of any features is a matter for Apple. Again, for reasons of national security I cannot confirm or deny any conversations that we have had or any issues that are undertaken,” he said.

The Investigatory Powers Act contained “robust safeguards” and “oversight to protect privacy and ensure that data is obtained only on an exceptional basis and only when necessary and proportionate to do so”, he added.

A Home Office spokesperson said: “We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices.”

Media companies have asked the Investigatory Powers Tribunal to hold hearings into Apple’s appeal against the technical capability notice in open court.

Separately, Big Brother Watch, Index on Censorship and the Open Rights Group have written an open letter to the tribunal calling for an open court hearing.

The media companies challenging the secrecy of Apple’s appeal in the Investigatory Powers Tribunal are Associated Newspapers Ltd, the British Broadcasting Corporation, Computer Weekly, Financial Times Group, Guardian News & Media, News Group Newspapers, Reuters News and Media, Sky News, Telegraph Media Group and Times Media.

Scottish support group for Post Office scandal victims launched

A newly launched campaign group is calling on former subpostmasters in Scotland to come forward if they were affected by the Post Office’s Horizon scandal.

The group, known as the Scottish Postmasters for Justice and Redress, will officially launch on 2 April 2025 at the Scottish Parliament, led by former subpostmaster Rab Thomson, who had a wrongful conviction for theft overturned last year after 22 years.

And it is not just former Horizon users in Scotland being invited to come for support, but also those who used Capture and ECCO+ who may have suffered due to their flaws.

The group has the support of former Scottish National Party MP Marion Fellows, who was chair of the All-Party Post Office Parliamentary Group (APPG), and Calum Greenhow, the current CEO of the National Federation of Subpostmasters (NFSP). It will offer support to encourage people affected to come forward, including all those who suffered as a result of unexplained losses in their branches.

Thomson, who ran a Post Office near Alloa before his wrongful conviction, said he and his fellow group members want to support subpostmasters making claims. This will not be just for convicted subpostmasters, but for those who have suffered in other ways too, including those who paid money to the Post Office to cover unexplained losses.

Thomson originally set up a WhatsApp group to bring victims together, but trauma makes it difficult for them to come forward and tell their stories, he said, adding: “We managed to get nine people but couldn’t get anyone to talk. They just don’t want to be seen. I totally understand this, and the reason we are setting this up is so we can stand for them in the background. We will do our best for them.”

Former MP Fellows and NFSP CEO Greenhow, along with Thomson, promise to represent victims who want to come forward. Fellows said that she is frustrated with the slow progress in seeking justice and redress for Post Office scandal victims in Scotland.

“The group was set up to offer peer support and encourage people to come forward,” Fellows told Computer Weekly. “There are still subpostmasters who were prosecuted who should come forward, but there are also hundreds who were not prosecuted but had their lives turned over.”

Greenhow added: “Rab Thomson really felt there wasn’t any support groups within Scotland for victims and he wanted to pick that up. We want to make sure that everybody that was affected by the Post Office Horizon, Capture and ECCO+ systems can not only have their reputations restored but also financial redress.”

In May last year, the Scottish Parliament announced its own legislation to exonerate subpostmasters with convictions based on evidence from the Horizon system. This followed a similar law introduced for England and Wales in March last year which saw more than 700 former subpostmasters exonerated.

As the Scottish legal system is different to that in England and Wales, it was not the Post Office that prosecuted but the Procurator Fiscal, the public prosecutor, using evidence from the Post Office.

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through the Scottish Parliament. So far, 97 convicted subpostmasters have come forward and 86 have been assessed, out of which 64 have been overturned. Some 22 have been rejected and another 11 are still to be assessed.

Scotland’s cabinet secretary for justice and home affairs Angela Constance submitted the legislation, known as The Post Office (Horizon System) Offences (Scotland) Bill, and the Scottish Parliament agreed that the bill should be treated as an emergency at the meeting of the Parliament on 15 May 2024.

Speaking about the launch of Scottish Postmasters for Justice and Redress, which will take place on 2 April from 12–2pm in Scottish Parliament Room P1.02, Constance said: “I very much welcome this event and the continuing need to raise awareness of the UK government redress schemes for victims of the Post Office miscarriages of justice scandal.

“The Scottish government continues to encourage anyone who considers they suffered an injustice to come forward. There is no time limit under the legislation and the Scottish government will always look into any cases where people give their name as a possible miscarriage of justice case.

“Redress is the responsibility of the UK government, and I am keen everyone who is entitled to it can access it. This event is a reminder of the need to help victims navigate through what has been and remains a traumatic experience, and I pay tribute to the work of all those involved in establishing the Scottish Postmasters for Justice and Redress Group.”

Group members are encouraging interested parties to attend the event.

Computer Weekly first exposed the scandal in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to Horizon accounting software, which led to the most widespread miscarriage of justice in British history (see below timeline of Computer Weekly articles about the scandal since 2009).


Interview: Ray McCann, Loan Charge independent review lead

The government set out plans in the Autumn Budget 2024 to commission another independent review of the Loan Charge policy that – in its words – will “help bring the matter to a close for those affected whilst ensuring fairness for all taxpayers”. This description was seized on by contractors in scope of the policy as a positive sign.

It’s not hard to see why. The policy is a mechanism for HM Revenue & Customs (HMRC) and HM Treasury to recoup tax that government estimates suggest around 50,000 contractors avoided paying by enrolling in loan-based remuneration schemes between 9 December 2010 and 6 April 2019.

Since the policy came into effect in April 2019, Computer Weekly has heard and published numerous accounts from IT contractors who participated in these schemes and have been saddled with life-changing tax bills they claim to have no hope or means of paying.

When the government publicly committed to taking actions to “help bring the matter to a close for those affected”, there was an expectation among some of those affected that this might result in the Loan Charge being repealed and their tax bills cancelled.

That notion was firmly put to bed on 23 January 2025, when the government confirmed that the review had been commissioned and that repealing the policy in its entirety was not what it meant by wanting to bring the matter to a close.

Instead, the government said the review would focus on investigating the factors stopping people from settling their Loan Charge liabilities with HMRC – and finding ways to help them do so.

It also confirmed that HM Treasury had appointed former HMRC assistant director Ray McCann to oversee it. He has also previously served as president of the Chartered Institute of Taxation and has been in private practice for almost 20 years.

“The reviewer [McCann] is being asked to draw on the available evidence and expertise, engaging with stakeholders as appropriate, to consider in detail the settlement terms available [to those] who have not yet settled and paid their tax liabilities in full to HMRC, and whether HMRC’s settlement and debt management processes sufficiently take into account their ability to pay and behaviours,” said the government statement.

“[It will also look into] how that population could now be encouraged to reach a resolution with HMRC; and what decisions would be required to ensure that, as far as possible, any new settlement proposals were properly targeted whilst not imposing significant additional administrative burdens upon HMRC.”

Contractors revolt

Once the information about what the review would entail entered the public domain, a wave of criticism was directed at the government from those affected by the policy, with many accusing the government of offering false hope with its promise the review would bring the Loan Charge matter to a close for them.

Campaign groups have also claimed the review is too narrow in scope, given its focus on what can be done to encourage people to settle their Loan Charge liabilities, rather than examining the reasons why tens of thousands of people joined loan schemes in the first place.

During a sit-down with Computer Weekly to discuss his plans for the review in more detail, McCann says the terms of the review are wider than many people suggest.

“Everything of any significance, so far as the Loan Charge is concerned, happens in the period post-2010, so that means it’s open to me to look at anything that happens in that period, including the behaviour of the promoters and the behaviour of HMRC,” he says.

The “call for evidence” period of the review started on 28 March 2025, with McCann urging those in the policy’s scope to send him evidence covering three topics: what contractors were told by promoters of these schemes, their experience of dealing with HMRC, and details about how the policy has personally affected them.

The rationale behind that, as McCann sees it, is that it would be difficult to see how the Loan Charge can be resolved without having a detailed understanding of how so many people ended up embroiled in loan schemes and why they are finding it so difficult to reach a settlement with HMRC. 

Another area that McCann plans to explore during his review is HMRC’s 2017 assessment of the impact the Loan Charge would have, in which the government tax collection agency stated that it did not foresee the policy having any “material impact” on the families of those in scope of it.

This statement has been openly criticised during the intervening years, as anecdotal accounts from contractors discussing the mental anguish of living with a sizeable Loan Charge-related tax bill hanging over them have emerged. The policy has also been linked to at least 10 suicides to date.

“I’ve been critical of [the HMRC assessment] in the past. I’ve criticised that in various formats: on Twitter, in various tax journals, publicly, and so on,” says McCann.

What is not open to McCann is to make a recommendation in his final report to repeal the Loan Charge policy. And that’s not because the contents of it are pre-determined, as some critics of the process have claimed, but because doing so would not be fair to other taxpayers.

After all, the government has previously and repeatedly stated that resolving the Loan Charge is a priority, but doing so must happen in a way that ensures fairness for all taxpayers.

“It’s not open to me to recommend that the Loan Charge be repealed, and the government has made clear from the start that repeal was not an option, and equally I don’t think it should be. It would be a bad move because – whether people realise it or not – there are many individuals who have got millions out of loan schemes and paid little or no tax on it,” says McCann.

“Government has a responsibility to the many millions who pay tax and national insurance contributions [NIC] on all of their earnings, and unless this is resolved in a way that is fair to both those affected by the loan charge and the millions of other taxpayers, many would no doubt ask why you and I should pay our tax and national insurance?”

Criticism of HMRC

As previously alluded to, McCann has proven to be a vocal critic of HMRC’s handling of the Loan Charge over the years, and was – during his time working at the government agency – closely involved in its enforcement activities against similar disguised remuneration schemes.

“I’ve been involved in [enforcement action against] loan schemes in one capacity or another for a quarter of a century. When I was in the Revenue [HMRC] in the 1990s, I was one of the first inspectors to take on one of the big employee benefit trusts [EBTs],” he says.

These trusts are the entities that pay out loans to contractors. In the late 1990s and early 2000s, many large employers in the banking and financial sector used EBTs as a mechanism to pay their employees in loans.

“One of the last things I did before I left HMRC in 2006 was pre-empt the settlement with several banks in late 2005. One of the banks that I had challenged had put a billion pounds into an employee benefit trust,” he says.

“They had claimed the corporate tax deduction for it, [but] they hadn’t deducted PAYE [Pay As You Earn] or NIC, so all told, that group of banks had avoided hundreds of millions in tax and NIC.”

During the intervening years, the profile of organisations and individuals involved in loan-based remuneration schemes has markedly changed, says McCann, to include “white collar” workers, such as financial services and IT contractors, before moving down to far lower-paid individuals, such as social workers and NHS staff.

“The thing that shocks me is how low down the income scale these things have reached. They’re like a virus. They have gone from the large corporates to the big banks to the middle-sized companies, and then down to various people working offshore, putting together schemes that are ensnaring people who are on just everyday wages,” he says.

“And that’s why successive governments have treated this as such a priority – because of the threat that they see it being towards the entire PAYE and NIC system.”

How did we get here?  

Loan-based remuneration schemes enable individuals to artificially minimise the amount of employment tax they pay.

However, many of the contractors in scope of the Loan Charge policy claim the schemes were marketed as an HMRC-compliant way of bolstering their take-home pay, and that they were assured by respected tax barristers that – in the eyes of HMRC – they were doing nothing wrong.

The way McCann sees it, that explanation only goes so far. “Many people will have concerns, even if they get assurance from the promoter. And most of them did get assurances from promoters saying, ‘It’s all fine. It’s all tried and tested, and HMRC don’t mind’,” he says.

“But I think there is only so far you can believe that to be the case without evidence, and some of that has already come into the review mailbox.”

Meanwhile, HMRC maintains that its position on the use of loan remuneration schemes has always been clear, and that it has never given its seal of approval to any such setup.

“Even if you go back to 2010 and before, HMRC’s position on [the use of EBTs] was all over the internet,” says McCann. “If you did a Google search at the time on EBTs, you might get millions of hits – and most of them were about HMRC’s view on them.”

And what this serves to highlight is one of the major difficulties McCann will face in his review: uncovering evidence that supports the argument that contractors are victims of mis-selling when so much time has passed since these schemes were originally being marketed to people.

“That’s the task before me – getting sufficient reliable evidence to show that the promoters are the bad guys that I can put in my review, so I’m in a position to put forward the argument that these are the people HMRC should have been clamping down on and – where appropriate – criticising them for not doing it,” he says.

This is why it is so important that contractors engage with the review process during the call for evidence period, so their side of the story can be fully put across, he continues.

Meanwhile, McCann has been reaching out to contacts he made during his time investigating loan schemes while at HMRC, some of whom used to “sell or market these kinds of ideas”, to engage in the review too.

“I don’t need everybody to send me details in, because if all 50,000 people in scope of the Loan Charge send me their evidence, this review would take 10 years to complete. But what I do need is enough to get involved that I can sensibly make a case that this is representative of what happened,” he says.

“What I want to be able to do [with this review] is say this is representative of what happened, and it’s reasonable to conclude that within these types of industries, this is the behaviour [of] the promoters. And up to a point, it’s reasonable to conclude that the individuals involved, who often did not have independent professional help, were persuaded that this was okay.”

He also needs contractors to engage in the review by supplying a “substantial and significant” amount of evidence that proves their claims that their treatment at the hands of HMRC has been “unreasonably and manifestly unfair” in the eyes of the average person in the street who pays tax and national insurance.

“The argument you’ve got to make is that they’re being treated in a way that’s unreasonably unfair, and in a way you and I don’t support,” McCann adds.

Stakeholder engagement

When the government set out the review’s terms of reference, a group of cross-party MPs – who make up the Loan Charge and Taxpayer Fairness All Party Parliamentary Group (APPG) – issued a statement branding the exercise a “farce” while calling into question how truly independent the end product would be.

This was on the basis that a former HMRC director had been appointed to oversee the review, and – as confirmed by the government – HMRC and HM Treasury would be permitted to review its contents ahead of publication.

“It will not change the position people are in, nor review the legislation and whether it was fair and justified. … This is not the review that was promised nor the review that is so desperately needed, and the APPG will continue to push for a genuine inquiry into this scandal,” said the APPG.

Despite the group’s vocal critique, McCann says he has been liaising with the APPG in the wake of its statement and has found its members are broadly supportive of what he is trying to achieve.

He has also been engaging with various stakeholders – including noted tax barristers and accounting firms who represent large numbers of the contractors affected by the Loan Charge – to compile evidence for the review, including impact statements.

“I’ve got a big data request that I’m drafting at the moment to send to HMRC so that I can get proper data – the numbers involved, the income spread, how long people have been under inquiry for, and that kind of thing,” he says.

“I had to delay things a bit because the need to be independent means I couldn’t use HMRC and Treasury people for support, and there had to be a recruitment process across the whole of the civil service [for people to assist].”

McCann is acutely aware that the decision to appoint him, a former HMRC inspector, to oversee the review has not gone down well with everyone.

“Some people have said that I’m under the control of the Treasury … but there is no way I’m going to take instruction from HMRC or the Treasury on how to conduct the review – and to be fair to the Treasury and HMRC, they have done nothing that could be taken as trying to control the review or its direction,” he says.

“I obviously must comply with the law on data protection and so on, but I’m going to carry out the review as I believe it needs to be done. The minister made clear that my conclusions and recommendations must be made within the constraints of the current fiscal situation, but otherwise it’s up to me.”

And for those who have taken issue with an ex-HMRC director conducting a review into an HMRC-backed government policy, McCann says his employment history and experiences should be viewed positively.

“On the point of independence, I initially thought that should be more of a concern for HMRC than people on the other side of the inquiry, because for eight years I’ve been consistently critical of their handling of the Loan Charge,” he says.

One area where McCann has been particularly and publicly critical of HMRC is the organisation’s approach to Loan Charge settlements.

“I have been pressurising ministers and HMRC for years to develop a better approach to settlements, and I got frustrated with the fact that it never appeared, so I started to publicly criticise them through Twitter and LinkedIn, and in various things I was writing,” adds McCann.

“Almost every article I’ve written in the last eight years mentions the Loan Charge to some extent or another, and it’s always been critical of HMRC’s approach to settlements. I’ve been consistently critical on that front, [and] I’ve made it clear to Parliament, and I’ve made it clear to government, that HMRC should have been more realistic when it came to the settlement terms.”

In terms of what he thinks HMRC should have done differently, McCann says: “I have said in the past that HMRC should have offered settlement terms that were sufficiently attractive that it made people want to settle, but what HMRC did was only give the slightest of discounts [to people who wanted to settle] and left them in a position where they did not know how they would pay.”

It is McCann’s hope that when the review concludes – which is expected to be later this summer – and its contents have been mulled over by the government, contractors will end up with a far more attainable settlement figure. 

“I want to end up with a situation where people get a settlement figure from HMRC that they can look at and say, ‘Well, okay, even if I’d rather not pay it, I can pay it, within a reasonable period if necessary’. Whereas, presently, people are saying, ‘I’d rather not pay it, but even if I did want to pay it, I can’t afford to’. I want to change that dynamic,” says McCann.

And in doing that, he hopes this will finally help bring a resolution for the tens of thousands of people who have been living under the shadow of the Loan Charge for the past eight or so years.

“We can argue that HMRC should have gone after this promoter or that promoter, and all manner of other things to do with the Loan Charge, but that doesn’t help someone who is sitting at home worried about the bailiffs coming round,” he says.

“If someone’s drowning in a river, they’re not going to be helped if people are just standing on the shore arguing about how they got in the river in the first place. They just want someone to rescue them.”

In the meantime, McCann’s priority is getting people affected by the Loan Charge to contribute to the review.

“I know people are mistrusting [after past reviews]. Whether that mistrust is justified or not, I want them to take a deep breath and engage with this review because something has to come out of it as we all need this resolved,” he concludes.


Post Office Capture and Ecco+ users asked to make contact with Scottish statutory body

The Scottish Criminal Cases Review Commission (SCCRC) is attempting to contact any former subpostmasters who could have been prosecuted for unexplained losses on the Post Office’s pre-Horizon Capture software.

There are former subpostmasters who, like Horizon users, could have been convicted of crimes based on data from these systems.

Since the Post Office Horizon scandal hit the mainstream in January 2024 – revealing to a wide audience the suffering experienced by subpostmasters who were blamed for errors in the Horizon accounting system – users of Post Office software that predated Horizon have come forward, supported by campaigning peer Kevan Jones, to tell their stories, which echoed those of victims of the Horizon scandal.

The Criminal Cases Review Commission for England and Wales is now reviewing 21 cases of potential wrongful conviction, put forward by law firm Hudgell Solicitors, where the Capture IT system could be a factor.

Capture was a PC-based application developed by the Post Office and uploaded onto a personal computer to carry out branch accounts.

The software was a standalone system, unlike Horizon, which is a complex, networked system connected to centralised services (see below for timeline of Capture developments since January 2024).

The SCCRC is now calling on people that might have been convicted based on Capture accounts to come forward. “The commission encourages anyone who believes that their criminal conviction, or that of a relative, might have been affected by the Capture system to make contact with it,” it said.

Third system

The statutory body is also investigating a third Post Office system, known as Ecco+, which was also error-prone. It was thought this system was only used in Crown branches (directly managed by the Post Office) and Crown branches that were taken over by subpostmasters. But Computer Weekly has discovered that Ecco+ could actually be bought by subpostmasters for use in their branches.

“We are currently investigating possible miscarriages of justice relating to problems with various computer systems used in Post Office branches in the 1990s (Capture, Ecco+),” the SCCRC said.

Read the SCCRC’s related information sheet.

In May 2024, the Scottish Parliament announced its own legislation to exonerate subpostmasters with convictions based on evidence from the Horizon system.

This followed a similar law introduced for England and Wales in March last year that saw over 700 former subpostmasters exonerated.

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through the Scottish Parliament.

So far, 97 convicted subpostmasters have come forward, and 86 have been assessed, out of which 64 have been overturned. However, 22 have been rejected and another 11 are still to be assessed.

An independent group, fronted by a former Scottish subpostmaster, is also calling on users of any of the Post Office systems to come forward to tell their stories, and for support in seeking justice and redress.

The Scottish Postmasters for Justice and Redress, as the group is known, will officially launch tomorrow at the Scottish Parliament. It was set up by Rab Thomson, a former subpostmaster of a branch near Alloa, who had a wrongful theft conviction overturned last year.

The group has the support of former Scottish National Party MP Marion Fellows, who was chair of the All-Party Post Office Parliamentary Group, and Calum Greenhow, the current CEO of the National Federation of Subpostmasters.
