How We Risk Learning the Wrong Lessons from the Horizon IT Scandal

Published on
Product Minting

Since the start of 2024, the Post Office Horizon IT Scandal has reached a new level of public interest in the UK. In the scandal, faulty accounting software has been blamed for multiple suicides and what has been described as “the most widespread miscarriage of justice in UK history”, with those wrongly imprisoned including a pregnant woman.

Since late last year, I have worked on addressing this scandal from multiple fronts. For example, in November 2023, research I led found that 75% of software engineers in the UK faced retaliation the last time they reported wrongdoing. It also shed new light on gagging clauses used by the Post Office in the wake of the Horizon IT scandal, amongst a myriad of other findings.

In this article, I want to explore how the British Computer Society, which presents itself as the voice of software engineers in addressing the scandal, may well be teaching the wrong lessons to society.

Regulatory Failings

In January 2024, I led a public interest investigation which found that the British Computer Society (BCS) failed to act when one of its members used their regulated status to convince courts to engage in miscarriages of justice, despite the status provided by the BCS being the only computer qualification the individual presented to the court and the BCS being required by the Engineering Council UK to uphold the conduct of its members.

Following the BCS being asked for comment, the BCS were disingenuous with the media by claiming they would take action after the long-drawn-out legal processes were completed when the evidence I’d uncovered indicated that the key individual's BCS membership has likely already long lapsed through non-renewal. The individual concerned (Gareth Jenkins) is currently a person of interest to the Metropolitan Police in their investigations into the scandal and had requested criminal immunity so that his upcoming evidence to the public inquiry would not be used against him.

This information was obtained after I gained sight of part of a Post Office witness statement marked “confidential” and was corroborated by a report to Post Office Ltd marked “legally privileged and confidential” by a lawyer, Brian Altman KC:

Report by Brian Altman QC, on an engineer's witness statement.

Following a Freedom of Information Act request I made recently, Post Office Limited confirmed they held a copy of a witness statement from the individual concerned - further corroborating the information:

Extract from FOIA Response by Post Office Limited.

The BCS is far from the only regulator involved in this matter. Seldom mentioned in the media is the fact that the Post Office is regulated by the Financial Conduct Authority (FCA), who operate some bureaucratic rules to attempt to regulate the UK’s financial sector.

A recent investigation by Reuters, which I contributed to, found that the FCA had been assessing Freedom of Information Act requests differently when they came from journalists. It has also been reported that the FCA "dismissed complaints from a whistleblower and allegedly left them open to a barrage of retaliation from their former employer after officials wrongly interpreted the law".

For the Post Office to bring their own prosecutions, they engaged the services of the highly-regulated legal field, where professionals are regulated by bodies like the Solicitors Regulation Authority and Bar Standards Board.

In all these instances, from the British Computer Society to the legal profession, the regulatory bodies failed. The first taste of justice for the victims of the Horizon IT scandal came when a journalist from ComputerWeekly began to cover their story as Alan Bates led a campaign to get justice for his colleagues.

Calls for Regulation by the BCS

Without shame, the British Computer Society is now calling for AI "to be regulated to avoid its own Post Office Horizon Scandal" by requiring practitioners to be licensed. This is seemingly an opportunistic attempt to capitalise on a scandal, when they regulated the professional qualifications used to convince courts to engage in this miscarriage of justice. It is additionally ironic that whilst the BCS refuse to commence disciplinary action against their members until the public inquiry is complete, they seem perfectly content to begin providing recommendations to society.

However, at its core, the calls for regulation fundamentally misunderstand how such disasters are prevented. This can be seen by the sheer weight of regulation the Post Office was under in these cases, yet miscarriages continued to occur.

In 2004, Dr Ron Westrum wrote a paper in the British Medical Journal’s Quality & Safety publication entitled The Three Typologies of Organisational Culture. The following table demonstrates these three organisational typologies, describing how different organisations process information:

Westrum Organizational Model

Generative cultures are “psychologically safe”: they focus on outcomes, and people are free to raise the alarm when things go wrong, rather than being shot. By contrast, pathological organisations are those where failure leads to scapegoating and messengers are shot. However, bureaucratic organisations are hardly desirable either. Messengers are neglected and rules take priority over addressing the causes of failure. For poor leaders, bureaucratic management is the easiest: instead of changing culture, they pull the lever of more rules rather than addressing the issues.

From my experience of looking at the Horizon IT Scandal and other catastrophic software failures, many of the organisations or regulators involved were either pathological or bureaucratic organisations. However, a generative culture would have allowed the insiders who raised concerns about the Horizon IT problems (like David McDonnell did) to have their voices listened to and their concerns investigated.

Regulation of software engineers may help gatekeep some from the software engineering profession, but to address the real issues of the Horizon IT Scandal, we need to develop more organisations with a generative culture.

Legislation must be part of the answer in strengthening protection for software engineer whistleblowers who raise the alarm about serious issues (as protections in the UK must be strengthened), and some form of regulation may be part of the answer to addressing some of the issues. However, we should not pretend that rule-oriented cultures will suddenly lead to the psychological safety needed to stop these scandals. History, indeed in this very case, has proven that they do not.
