1. The timeline below provides the necessary background to the reply of 23rd October 2008 by Cancer Research UK's Data Protection Supervisor to the author's recorded delivery letter of 29th September 2008, wherein are "protected disclosures" — as defined in the Public Interest Disclosure Act 1998 — regarding the multiple, prolonged, and recidivistic breaches of the Data Protection Act 1998 ("the Act").

{The Public Interest Disclosure Act 1998 states: "In this Act a "protected disclosure" means a qualifying disclosure [... which] means any disclosure of information which, in the reasonable belief of the worker making the disclosure, tends to show one or more of the following —

(b) that a person has failed, is failing or is likely to fail to comply with any legal obligation to which he is subject,"}

{Cancer Research UK's Volunteer Application Form (2007) states: "Cancer Research UK abides by the Data Protection Act."} 5th July 2007. Shop Manager (Ms. Amy Logan) in post 11 months. 5th July 2007. Area Manager (Ms. Trish McIlhoney) fails to notice, during a formal shop visit in concert with the Shop Manager [see FSR no. 41827], the non-implementation of the Act [‡]. [‡ Specifically: the failure to secure any personal data of past or present employees, of past or present volunteers (including, and in particular, legal minors), or of innumerable past customers; and the failure to destroy unnecessary personal data.] {Principle 5 of the Act requires that: "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." Principle 7 of the Act requires that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."} 12th July 2007. Legal Department and the Data Protection Supervisor (Ms. Diane Scott) — both from afar — fail to ensure that the Act is being implemented; and, indeed, fail each week after. {CR-UK's document entitled Our Approach to Discipline states: Misconduct: • lack of proper care and attention to work; [...]"} 10th Aug. 2007. Shop Manager starts two-week holiday. 11th Aug. 2007. New weekend Shop Assistant (Dr. Roger Peters), working alone, starts first day in post. 12th Aug. 2007 (Sunday; a.m.). Without prior warning, the Shop Assistant's duties unexpectedly include the sole supervision of a legal minor executing a Duke of Edinburgh Award — in a workplace wherein there is non-implementation of the Act. 12th Aug. 2007 (Sunday; p.m.). Shop Assistant identifies several systemic weaknesses [1] in CR-UK's implementation of diverse Internal Codes of Practice and Acts of Parliament — including, and in particular, this Act. 29th Jan. 2008. Area Manager fails to notice, during a formal shop visit in concert with the Shop Manager [see FSR no. 41828], the continuing non-implementation of the Act [‡]; and, indeed, fails each informal visit hereafter. 5th Feb. 2008. Legal Department and the Data Protection Supervisor — both continuing from afar — fail to ensure that the Act is being implemented; and, indeed, fail each week after. 2nd April 2008. Shop Assistant politely asks the Shop Manager to sit down at the desk and take written notes regarding some very serious matters regarding Data Protection: ... she does not accede to this request. 2nd April 2008. Subsequently, the Shop Assistant forcefully recommends to the Shop Manager, in the presence of an independent witness, and with reference to the Act, to adopt — in the first instance — the remedial measure of securing all personal data of past and present employees, past and present volunteers (including, and in particular, legal minors), and each individual who has submitted a completed Volunteer Application Form. 2nd April 2008. Subsequently, the Shop Manager obtains the necessary technical measure for the security of the aforementioned personal data. 3rd April 2008. Shop Manager fails to inform the Area Manager of either the prolonged breaches of the Act or the Shop Assistant's remedial measure; and, indeed, fails each week hereafter. 3rd April 2008. Shop Manager fails to acquire a copy of the eight principles of the Act; and, indeed, fails each week hereafter. 3rd April 2008. Shop Manager fails to seek advice from the Legal Department regarding either the security of the personal data of CR-UK's customers or the conscientious disposal of unnecessary personal data; and, indeed, fails each week hereafter. 7th April 2008. Shop Assistant first contact — in whatever form — from his Line-Manager (Area Manager Ms. McIlhoney) since before his interview in August 2007; ... i.e., 8 months after his appointment. 1st Aug. 2008. Area Manager fails to conduct a formal shop visit, despite more than 6 months elapsing since the previous one on 29th January; and, indeed, would not conduct one until 20th November. 5th Aug. 2008. Legal Department and the Data Protection Supervisor — both continuing from afar — fail to ensure that the Act is being implemented; and, indeed, fail each week hereafter. Summer 2008. Shop Manager fails to adhere to the Shop Assistant's aforementioned remedial measure of ensuring the security of personal data — including, and in particular, those of present and potential volunteers and supporters. 4th Sept. 2008. Training Development Officer (Ms. Debbie Bradley) signs the «perfect score» of the Shop Manager's Level Two Completion Review Form [see CRV]; ... the «topic» of Data Protection is distinguished by its absence on this form. 8th Sept. 2008. Shop Assistant, on his routine day of volunteering (Monday), politely asks the Shop Manager, in the presence of an independent witness, to sit down and take heed of some very serious matters regarding Data Protection: ... she reluctantly accedes to this request. 8th Sept. 2008. Subsequently, the Shop Assistant forcefully recommends to the Shop Manager, in the presence of the same independent witness, and with reference to the Act, to adopt the remedial measure of securing all personal data of present and potential volunteers and supporters (e.g., the shop's qualified, peripatetic Portable Appliance Tester). 8th Sept. 2008. Shop Manager, in the presence of the same independent witness, states: "I didn't think that Cancer Research had to follow the Data Protection Act." 8th Sept. 2008. Subsequently, this same independent witness shows the Shop Manager a copy of the Volunteer Application Form, repeatedly distributed by the Shop Manager since her appointment in late-July 2006, wherein is stated: "Cancer Research UK abides by the Data Protection Act." 9th Sept. and 5th Oct. 2008. Sometime between these dates — and in contrast to 2nd April — the Shop Manager informs the Area Manager of the Shop Assistant's «concerns» about the implementation of the Act. 9th Sept. and 5th Oct. 2008. Between these dates, the Area Manager fails to inform either the Legal Department or the Data Protection Supervisor of the Shop Assistant's «concerns». 12th Sept. 2008. Shop Manager starts one-week holiday. 19th Sept. 2008. Shop Manager's last formal day in post. September 2008. Promotion of the Shop Manager to Area Relief Manager recommended by the Area Manager and approved by the Regional Manager (Ms. Julie Byard), who — from afar — fails to seek any verifiable information on their managerial competence regarding the implementation of the Act. 29th Sept. 2008. Shop Assistant, continuing the fulfilment of his statutory and contractual obligations, sends letter — «bristling with red flags» — by recorded delivery to the Data Protection Supervisor. [Address & Telephone No.] rpeters@wissensdrang.com 29th September 2008. Data Protection Supervisor, Legal Services Department, Cancer Research UK, PO Box 123, London. WC2A 3PX Dear Sir [sic], Whilst I may be generalizing from the particular to the general, so to speak, I believe there is a serious flaw in CRUK's implementation of the Data Protection Act (1998): to wit, that relating to the voluminous quantity of unsecured personal data stored in the retail outlets (in particular CRUK's shops). Should such personal data come into the public domain, either by mischance or by foul play, one undesirable effect would be to decrease severely the confidence of CRUK's customers and supporters in the organization; the potentially deleterious impact on revenue streams, and thus CRUK's mission, is a truly disquieting prospect. Nevertheless, I suspect that a relatively small proportion of employees at every level within the CRUK's retail arm is aware of the eight principles of the Act, and that a vanishingly small proportion implement these rigorously. Given that these personal data are contained within a variety of sources — inter alia, Volunteer Application Forms, Refund Books, and Donation Books — some of which must be held for a considerable length of time to satisfy the requirements of financial auditing, may I be so bold as to suggest three interim measures which can be effected immediately and discreetly? First, each employee is personally provided with a copy of the aforementioned (common sense) principles. Second, each manager, whether they be shop-based or home-based, should identify a suitably-sized secure location for the deposition of such data (cf. principle 7). And third, each manager should acquire a cross-cutting shredder — so that all unnecessary data are thoroughly destroyed (cf. principle 5). Yours sincerely, [Signature etc.] 6th Oct. 2008. Line-Manager's first contact — in whatever form — with the Shop Assistant since 7th April; the former, Area Manager Ms. McIlhoney, conducts his first yearly Performance & Development Review (PDR). 6th Oct. 2008. During the course of this PDR, the Area Manager informs the Shop Assistant that the former Shop Manager had informed her of his «concerns» about the implementation of the Act. 6th Oct. 2008. During the course of this PDR, the part-time Shop Assistant provides the full-time Area Manager with her first copy of the eight principles of the Act. 7th Oct. 2008. Area Manager fails to inform either the Legal Department or the Data Protection Supervisor of the Shop Assistant's continuing «concerns»; and, indeed, fails each week hereafter. 17th Oct. 2008. Albeit unbeknownst to the Shop Assistant, the shop receives its first copy of CR-UK's (undated) document entitled Corporate Data Protection Policy [see CDPP] — from which the following is a verbatim extract. Corporate Data Protection Policy Approved by the Cancer Research UK Executive Board 8. In addition Cancer Research UK will ensure that: • There is someone with specific responsibility for data protection in the organisation. Currently, the designated 'Data Protection Co-ordinator' is the Director of Legal Services; • Everyone managing and handling personal information will be made aware of their responsibilities for following good data protection practice; • Any Cancer Research UK employee who fails to carry out their data management or handling responsibilities appropriately in accordance with Cancer Research UK policy and procedures may be subject to disciplinary proceedings; • Everyone managing and handling personal information will be appropriately supervised and/or trained to do so; • Anybody wanting to make enquiries about the handling of personal information will have clear guidance on what to do; • Queries about handling personal information are promptly and courteously dealt with; • Methods of handling personal information are clearly described and regularly assessed and evaluated; • Our policies and practises [sic] with regard to handling personal information are regularly reviewed and assessed. .

2. Please note: firstly, that the number of Cancer Research UK customers dwarfs that of volunteers; secondly, that the number of CR-UK volunteers dwarfs that of full-time and part-time employees in the organisation; and thirdly, that, by 2008, the duty of data protection — throughout an organisation — had been enshrined in law for ten years.


3. The Data Protection Supervisor's reply to the Shop Assistant's recorded delivery letter of 29th September.

Cancer Research UK PO Box 123 London WC2A 3PX United Kingdom T 020 7242 0200 www.cancerresearchuk.org [Recipient's address] 23rd October 2008 Dear Dr Peters Thank you for your letter dated 29th September 2008. Cancer Research UK recognises the need to ensure personal data is dealt with properly and in accordance with the requirements of the Data Protection Act. The lawful and appropriate treatment of personal data is essential to successful operations and to maintaining the confidence of those persons whose personal data we process, whether they be staff, volunteers or other supporters. I have therefore given consideration to the matters you raise. We are currently undertaking a cross CR-UK Data Protection Audit to ascertain compliance with the Data Protection Act and identify any key areas where improvements are required. Our retail shop operations are within that compliance review and we will take account of your specific comments and suggestions within that general audit. Meanwhile, we are exploring the particular issues and measures you raised with Retail. Once again, thank you for bringing these matters to my attention. Yours sincerely, [Signature] Diane Scott Director of Legal and Data Protection Officer

4. Here follows a deconstruction of the above reply. [... ...]

[Document in progress.]

________________________________________________________________________________

1. ACCESS & EGRESS : 4pp.

2. ELECTRICAL & FIRE SAFETY : 4pp.

3. DIVERSE SAFETY : 10pp.

4. DATA PROTECTION & HUMAN RIGHTS : 6pp.

5. VOLUNTEER CARE : 7pp.

6. HIERARCHAL BREACHES OF CONFIDENTIALITY : 11pp.

7. HIERARCHAL MISINFORMATION, DISINFORMATION & PARALOGISMS: Introduction : 12pp.

[Deconstructions — in progress (*) or in preparation.]

7a. Ms. T. McIlhoney (Area Manager; & Line-Manager, from 11th August 2007 to 1st December 2008) : 6pp.* 7b. Ms. D. Scott (Data Protection Supervisor) : 5pp.* 7c. Mr. S. Learmouth (Retail Health & Safety Manager) : 6 pp.* 7d. Mr. David Newbigging (Chairman of the Council of Trustees) and Mr. Harpal Kumar (Chief Executive). 7e. Mr. Bhavani Jois (Interim Director of Internal Audit). 7f. Mr. Simon Ledsham (Trading Director), Mr. Kevin Thurlow (Head of Safety), and Mr. Bob Marston (Property Manager). 7g. Ms. Caroline Knight (Regional Human Resources Advisor). 7h. Ms. A. Logan (Area Relief Manager; & Shop Manager, from late-July 2006 to mid-September 2008) : 10 pp. 7i. Ms. Meta Lear (An Area Manager). 7j. Ms. Julie Byard (Regional Manager). 7k. Ms. Hannah Newton (Human Resources Business Partner). 7l. Ms. Jenny White (Associate Head of Retail Finance) and Ms. Hazel Bedford (LSF Regional Manager). 7m. Mr. John Macey (Human Resources Director) and Dr. Caragh Dewis (Organisational Development Practitioner).

8. PROFLIGACY : 13pp.; document in progress.

________________________________________________________________________________