Ex-Harrods IT man cleared of stealing company issued laptop The former Harrods IT worker accused of stealing a laptop from the luxury department store in the UK capital has been cleared of theft – but was fined for trying to remove it from the department store's domain. Pardeep Parmar, of Grove Road, Hitchin, Hertfordshire, previously pleaded guilty to causing a computer to perform a …
A complete waste of time and tax-payers money then.
The number of people I've had over the years that have wanted me to remove their personal stuff from company owned laptops before they've handed them back. Now because of an over zealous prosecutor, it's established as being illegal. The shop that er, shopped him deserves to be social media shamed. Did they contact the police, or contact Harrods first?
Now because of an over zealous prosecutor, it's established as being illegal.
No; the case has simply confirmed that it was already illegal.
Not sure why you feel we should be naming and shaming those who let the authorities know there has potentially been a crime committed. I think there would be a better argument for that if they were ignoring potential crimes.
According to FAST software piracy is a crime. Are you happy for your local IT shop to go scouring through your laptop for unlicenced software so they can report it.
I'll clarify my point. I asked if the shop called Harrods or if they called the police. I would guess that most likely they called Harrods. If this is what they did, then this is a huge breach of privacy, and also illegal.
But they didn't go scouring through his laptop, they inadvertently encountered proof that it wasn't his laptop to begin with when the big HARRODS logo appeared when they booted up. That, coupled with his request, would have made them suspicious enough. So not illegal.
It's the same debate with Gary Glitter's laptop - could have been illegal but then again they stated that as part of their diagnostics (i.e. testing to make sure Windows was working again and files could be launched) they came across the dodgy images. There wouldn't have been a high-enough burden of proof to prove that they went further i.e. blatantly scoured through the HDD for things they could find.
Same with this one.
On the face of it, the employee was a bit silly about how he went about things. He should really have asked Harrods to erase the personal data for him (say in his presence), at which point he hands it back. As a data subject, he has the right for it to be deleted unless they can show a valid business reason for keeping it there, which sounds unlikely.
Given they didn't know he had the laptop, that's a pretty poor state of affairs for Harrods as well. The shop was certainly being somewhat over zealous and actually acting wrongly. They suspected a criminal offence was being committed, which means they should have secured the laptop and contacted the police. That ensures the evidential chain. If they suspected something that wasn't criminal, they could contact Harrods. After all, the police investigate criminal matters and pass files to the DPP, not Harrods.
You can quite easily ask a shop to perform actions on a laptop that isn't yours (say a company one). There's nothing wrong with that at all. After all, businesses need work done and sometimes local shops can be as good a route as anyone.
The theft charge simply seems to be an extrapolation of the attempt to access, with the assumption being he wanted to retain use of the laptop and not just delete the personal data. That's one hell of an extrapolation unless there was additional evidence showing motivation. Having just been made redundant isn't evidence of this at all. So, no party really comes out of this well. The employee was somewhat stupid in his actions, Harrods have shown a lamentable grasp on who has their kit and the prosecutor seems to be into knee jerk overreactions.
Hence, we end up wasting god knows how much time all round (police, DPP, courts etc.) for something really trivial. Guess it's easier than persuing real, personal crime though........
So, someone comes in off the street with a corporate laptop, and asks you to break in to it for them ? That's a potential case for "handling stolen goods" before you even get to any privacy or computer misuse offences.
(The device was issued to him by an employer for work purposes, and they subsequently terminated his contract)
I asked if the shop called Harrods or if they called the police. I would guess that most likely they called Harrods. If this is what they did, then this is a huge breach of privacy, and also illegal.
If they acted illegally then let's hope they get prosecuted, but there is no evidence presented that they have, nor for your "most likely" claim.
I think it is actually more likely they called the police, like Cash Converters and their ilk likely would (or should) when someone comes in wanting to exchange 'a mini van's worth of DJ gear' for cash. It's really not worth it for legitimate businesses to be seen as potential fences for stolen goods or facilitating crime.
But all our company PCs and laptops do have a "please call our number if this ends up in your hands" sticker and pop-ups and I would like to think anyone who came into contact with anything potentially stolen from us would, rather than help some ejit gain access to what's on it.
I think you would be hard pushed to say that was illegal when the kit itself is telling them to do that.
When our home working staff have to take kit to a local repair shop they can either take evidence with them or ask the staff to call us up and we'll say it's okay, legitimate. It hasn't happened but, if a repair shop ever did call the police and it led to an investigation, it would be easy to resolve that.
"then this is a huge breach of privacy, and also illegal."
Someone goes into a computer repair place and asks them to get into a computer which displays the logo of a well-known company on startup. The repair places calls the company and says "is this legit"? What "huge breach of privacy" do you think has been committed? What law do you think has been broken?
A couple of weeks ago I bought an audiobook on eBay. When it arrived, it had a library bar code on it and nothing to say it had been withdrawn. I contacted the library to ask if they wanted it back. Was I committing a huge breach of privacy? Was I breaking the law?
"it has his National Insurance number on it"
So friggin' what? As if that's any more secret than his mother's maiden name. Was he concerned Harrods would get hold of his National Insurance number? Cos guess what, they already had it.
And what kind of "IT worker" can't even figure out how to wipe a hard disk?
Quite a lot of this story doesn't make sense.
"And what kind of "IT worker" can't even figure out how to wipe a hard disk?"
A salesperson?
And regarding "it has his National Insurance number on it", in the same paragraph the article refers to "personal files". Such personal files could include scans of his passport/driving license, list of passwords used in several sites, bank account data, list of favourite porn sites, "naughty pictures" pictures of his wife, "naughty pictures" of his sister in law or any other thing you can think of that could cause him to have his identity stolen, suffer emotional stress, suffer a traumatic divorce or...
In normal conditions, he could have talked to a friendly Harrods IT guy, asked him to erase or recover the files and fix the issue easily and legally. Unless, of course, the working environment was very "toxic", or the IT support was outsourced to some Third or Second World country where Privacy Protection laws are not all they should be. If any of this was the case, asking the Harrods IT bod would be like walking nude at 3 A.M. in a marginal neighbourhood with a big bullseye painted in the arse*.
*:Can't end well! 8^)
"And what kind of "IT worker" can't even figure out how to wipe a hard disk?"
And every company policy on issued phones, laptops or whatever say's
"any information put on this device becomes subject to the DPA that this company follows"
In other words, their property as it's on their property
Simple for us IT people to understand, like a company issued car is not "your car"
That was my feeling as well. What kind of IT worker:
1) Stores his personal data on a work laptop?
I did at one point. Of course, it was just after our house fire so I didn't have a machine (or place to set it up). But I always had backups.
These days I'm very thorough about keeping everything separate, even so far as to avoid personal web browsing and such (ephemeral activities that wouldn't require recovering/deleting files) on company kit. Just as I won't do any of their work on my own (sort of having documentation on my tablet for convenience sake).
The thing I don't get is, as you can log onto any machine using cached credentials if you are not on the domain\connected to the network (& can recall the PW used last time) & this machine was at his home, therefore presumably OFF the corporate network why was he not able to log into it as a IT Tech Guy (or did he just believe his access to it was revoked & didn't bother trying).
& why no copy of Hirens or DBAN to solve either of his two issues as a IT worker?
I'm surprised that an "IT worker" took his laptop to a computer shop rather than just booting Linux from a USB drive and accessing the hard drive to remove his personal information.
That was *exactly* my first thought, but then I started wondering if Harrods actually did the right thing and used full disk encryption or a boot inhibitor. Given their customer base they should, but let's just say that I deem that less likely than user ineptitude.
Depending on the age of the laptop it could even have been possible to take the HDD out and hook it up to another machine - all the fun stuff you can no longer do with machines that are glued together and use SSD chips rather than disks.
However, the correct process is to let that data be extracted by the employer and have it signed off. That's just safer for all involved. As for his NI number, the employer already has that :).
"However, the correct process is to let that data be extracted by the employer and have it signed off. That's just safer for all involved".
Or even safer, not putting any personal stuff on a work-supplied device in the first place. If you don't control the device, you've no idea where your data could end up, assuming someone doesn't accidentally remote-wipe the kit with a fat-fingered typo.
Or even safer, not putting any personal stuff on a work-supplied device in the first place.
Sure, but depending on the kind of work you do, that machine may be the only link between home and where you work because few people I know will carry along two separate laptops for long. It's not that easy sometimes, which is why I always ensure that personal use is covered and protected in contracts and work instruction.
The price you pay for that is that it may not be that private because the company controls the device.
It's not always possible to separate personal stuff from work. If you get asked to travel abroad by your company then you may have to submit all sorts of personal data regarding you and your family to get a travel visa. Many companies will force you to use a visa processing agency and at some point you will have all that information on your company hard drive. Some people won't care about it at all, some will know how to delete it so it cannot be recovered, some will decide that they need external help to delete it.
"I'm surprised that an "IT worker" took his laptop to a computer shop rather than just booting Linux from a USB drive and accessing the hard drive to remove his personal information."
I'm surprised you think that would work as all Laptop hard drives are encrypted now. Well, most . Those whose's I.T. depts are competant , which we dont know thats the case here.
The best the shop could do was wipe it for him
Totally explains why he was RIF'd - not too smart.
Yeah, grab a Ghost image so you can go back later to retrieve any files. Then wipe the disk (not just FDISK). Hand it back completely sanitized.
At the end of the day physical security is still king. As long as he had physical control of the system he could do what he wanted to it.
As for an encrypted hard disk.... As long as he didn't put it on a network, the machine has no idea the access was revoked and should have let him in with his existing cached credentials.
...a project manager/business analyst/scrum master who understands fuck all about IT and yet makes the IT decisions.
Clearly anyone who's used a computer for more than Excel and Project and actually works in IT would have just wiped the HD from a live CD if they were genuinely worried about the stored data, or swapped in a fresh SSD if they just wanted to steal the thing.
Because it doesn't matter how often you tell people that it's a work laptop, they still think it's theirs, just like my work desktop is "mine".
Generally though, people think that they're going to have time to clear it down before they have to hand it back.
They're not always right...
Generally though, people think that they're going to have time to clear it down before they have to hand it back.
They're not always right...
Years before full-disk encryption was a thing (or even HDD passwords) I had set up my work machine (DR-DOS & MSWin 3.11) with a boot password, so when I inevitably left that shithole, no one would be able to access the drive. Yeah, years later I found it was simple to circumvent, but none of the dimwits there would have been able to do it even if the information had been available.
The illegal part was trying to access the laptop, when obviously his network access was removed.
Theft charge was a dodgy one, as they would have to prove he had no entention of returning the laptop at any time.
He should have returned it to Harrods IT and just nicely ask if somebody could login and then delete his personal information, save it to a USB or email it.
I've found over the years that when someone is in the process of being fired, asking nicely gets completely ignored and laptops are examined with a fine tooth comb over for evidence of anything that will support the firing.
I think all this will change with the introduction of the GDPR laws next year where privacy trumps everything. A user returning a laptop should also in writing inform the company that the laptop contains personal information, and that by denying him the access to remove the data, they have become the defacto guardian of said data and have a legal responsibility to treat it in complete confidence. Going further to that if my reading of the law is correct, he could further insist that they delete, and provide evidence of the deletion of such data. And they would have to comply.
I think all this will change with the introduction of the GDPR laws next year where privacy trumps everything.
I don't think that will make a difference. It has already been long established that an employee has no right on privacy on a company resource if (and only if) he has been notified of that at the time of joining and it's in the contract of employment. Companies who do NOT explicitly stipulate this up front must be very careful, because then the member of staff is indeed entitled to the privacy of their information, even though they use a corporate laptop.
That battle was fought and decided a long time ago in a manner I actually find quite reasonable.
I am afraid you are wrong. Post 25/5/18 the company will have to treat the data securely and the employee will be able to contact his employer and ask for ALL personally identifiable data (which include NI numbers) that they hold about him, hard and soft copy, and then ask for proof that all of this information be deleted shd he request this course of action. And they have 30 days to comply.
Just how is anyone supposed to prove that they've deleted the data off of said laptop, short of mailing it back to him and letting him browse through it after fixing it so he can log onto it without accessing the company network?
Or inviting him in to delete it himself (a sticky and potentially unpleasant situation for all involved when dealing with a fired employee)?
Others have pointed out that the company already has his personal information, but that's irrelevant. The laptop will probably be re-assigned to someone who won't have the right to that information, and it's not like every company re-images every computer before handing it out to the next user.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
