Shell ethics boss wants evidence of data theft to be destroyed
By John Donovan
Published below is more email correspondence with Richard Wiseman, Chief Ethics & Compliance Officer of Royal Dutch Shell Plc. It concerns the Shell Global Address Book containing company and personal contact information for over 100,000 employees. I will leave it to readers to decide whether Mr Wiseman is fit for purpose in his current role.
EMAIL FROM RICHARD WISEMAN TO JOHN DONOVAN
From: richard.wiseman@shell.com
Date: 5 February 2010 16:59:36 GMT
To: john@shellnews.net
Subject: Directory
Dear Mr. Donovan
I thought I ought to follow up on the issue of the disclosure of the Shell internal address book ("Shell Address Book") to you by certain Shell employees. As you are probably aware, the Shell Address Book contains personal data under UK data protection law. As I previously indicated, although the vast majority of information in the Address Book is largely business related, there may be cases where the security of an individual may be impacted by release of such information. You have already agreed not to publish the information. May I now ask you to delete/destroy the information that you have received and confirm this deletion/destruction to me.
While of course I cannot give you legal advice, and I am happy to rely on the assurance you have given about publication, I should tell you that I have been advised that disclosure of such information by you could itself constitute a breach of data protection laws and could be a criminal offence.
Regards
Richard Wiseman
Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA
Registered in England and Wales number 4366849
Registered Office: Shell Centre, London, SE1
Headquarters: Carel van Bylandtlaan 30, 2596 HR
The Hague, The Netherlands
Email: richard.wiseman@shell.com
Internet: http://www.shell.com/
EMAIL FROM JOHN DONOVAN TO RICHARD WISEMAN: 5 FEBRUARY 2010
From: John Donovan <john@shellnews.net>
Date: 5 February 2010 17:51:21 GMT
To: richard.wiseman@shell.com
Subject: Re: Directory
Dear Mr Wiseman
Despite our offer…
Available FREE on application: Directory of 100,000 plus Shell employees
being a tease, we have in fact received applications, including from a former Royal Dutch Shell VP.
We realised from the outset that this is in fact a serious matter, which is why I contacted Shell.
We take particular note of the comments in your last paragraph and are grateful that you have shared the advice received.
I will reply on Monday and in the meantime, be assured that we will not disclose any of the data.
I assume that you have no such problem with the proposed publication of the information sent earlier today. We will not publish it all, but substantial extracts.
Regards
John Donovan
EMAIL FROM JOHN DONOVAN TO RICHARD WISEMAN: 7 FEBRUARY 2010
From: John Donovan <john@shellnews.net>
Date: 7 February 2010 11:59:24 GMT
To: richard.wiseman@shell.com
Cc: michiel.brandjes@shell.com, peter.p.voser@shell.com
Subject: Re: Directory
Dear Mr Wiseman
I promised to let you know whether we are prepared on a voluntary basis to delete/destroy the Shell Address Book that was supplied to us.
This is a classic example of shutting the stable door after the horse has bolted. The situation is already out of Shell's control.
Eight NGOs, not known for being well disposed towards Shell, already have copies of the Directory. Greenpeace for example, has multiple copies. I know that at least one NGO has already engaged in a distribution of the Shell Address Book via the internet. We all know how fast information can spread on the net, particularly if it causes significant embarrassment, in this case to a multinational giant with a controversial track record of exploitation and pollution, particularly in Nigeria.
We understand from our insider sources that various (former) members of Shell's HR department have set themselves up as recruitment agencies using not just the Shell Address Book, but also Shell's personnel files of which they have taken copies. We are informed that Shell knows this very well and some of Shell's JV partners even work with the agencies concerned.
Since the information is in the public domain already (as it obviously is), we understand that the further dissemination by third party recipients such as Greenpeace, would not contravene the Data Protection Act. The Shell Address Book is already available to any Shell employee (even when seconded to another company) around the world using any internet connection.
Many of the jurisdictions in which the data could have been copied have no data protection laws. Most countries with data protection laws prohibit the dissemination of personal data to countries with lower standards of data protection than their own. Personal data held in EU countries apparently cannot even be transferred to the USA. Our information output is made from the USA while we are resident in the UK.
It might therefore be said that Shell, by allowing the information to be distributed globally, is itself in breach of the Data Protection Act. It is plain that Shell internal security has been totally inadequate. Shell has failed in its duty to protect information which you have said in your current and previous emails potentially puts the safety of Shell employees at risk. This includes, as you have pointed out, "personal" information (entrusted to Shell not only by its own employees but also people employed by third parties). The accurate up to date information, including personal details, exposes everyone identified in the Shell Address Book to the risk of becoming victims of identity theft/cyber crime.
Having considered the matter and taking into account some of the points set out above, we intend to keep the Shell Address Book for our personal use unless you inform us that Shell intends to institute legal proceedings, in which case we will reconsider the matter.
Regards
John Donovan
FURTHER EMAIL FROM JOHN DONOVAN TO RICHARD WISEMAN
From: John Donovan <john@shellnews.net>
To: Wiseman, Richard RM SI-RDS-CCO
Cc: Brandjes, Michiel CM RDS-LC; Voser, Peter SI-GLOBAL
Sent: Tue Feb 09 14:37:36 2010
Subject: Shell Global Address Book
Dear Mr Wiseman
Since our last exchange on this matter, I have received and published a leaked copy of your reassuring message to employees listed in the Shell Global Address Book. In fact your message does not downplay any risk to personal safety, as I suggested in a related published comment. It does not mention that aspect at all. Logic therefore suggests that on further reflection, Shell decided that the employee personal safety risk aspect is so minimal that no warning at all on that score was needed.
A change of view by your risk analysis advisors would explain why Shell has not threatened to issue proceedings against us requiring destruction of the Shell Global Address Book in our possession. (I feel sure that if you had done so, we would have complied).
Since I am aware that a copy of the Shell Global Address Book is already in the hands of anti-Shell activists, including Nigerian activists, I question any such change of view on the personal safety issue. I am not a personal security expert, but plain common sense suggests that would-be kidnappers in Nigeria could use the listed contact information to locate and lure potential victims into traps, if the database falls into their hands.
As you will have realized, the leak of the entire global database was made by people highly sympathetic to Nigerian activist causes. There is evidence supplied with the database that Shell has been infiltrated as part of a long-term plot by Nigerian activists committed to peaceful campaigning against Shell's conduct in Nigeria. It is that insider group, claiming to be over 100 strong, which circulated the database.
Leaving that to one side, if you want us to enter into a formal agreement regarding the Global Address Book we received, this is fine in principle with us provided Shell pays all legal costs.
On the other hand, if Shell is still content with our assurance that we will not provide access to the Shell Global Address Book on the Internet and will act in a responsible way in relation to the copy in our possession, that is also okay with us. Obviously with the substantial job cutting in progress, the current contact information will, in any event, soon be out of date.
If I receive no response from you today, I will take it that the matter is concluded on the basis set out in the paragraph immediately preceding this one.
Regards
John Donovan
EMAIL REPLY FROM RICHARD WISEMAN
On 9 Feb 2010, at 14:15, richard.wiseman@shell.com wrote:
As always, do not take lack of legal action as acquiescence.
Your email suggests you are prepared to commit a criminal offence. I have already suggested you take legal advice for your own protection. That suggestion stands.
Regards
Richard Wiseman
Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA
REPLY BY JOHN DONOVAN
From: John Donovan <john@shellnews.net>
Date: 9 February 2010 15:37:54 GMT
To: richard.wiseman@shell.com
Cc: michiel.brandjes@shell.com, peter.p.voser@shell.com
Subject: Re: Shell Global Address Book
Dear Mr Wiseman
I have no idea on what basis you arrive at the conclusion that we are prepared to commit a criminal offence. We have no such intention.
Information and an attachment containing the database arrived by email on an unsolicited basis. If informed by any authority that the database should be deleted, we will do so immediately. Until such time, we retain the information and the attachment as evidence in what does appear to be a criminal matter. We have correspondence with other parties, as well as with Shell, which proves the responsible way we have handled this matter. I am surprised that you as a barrister and solicitor have suggested that we destroy evidence which may turn out to be vital in any prosecution.
I note there is no explanation for one statement being given to us highlighting the risk to employee safety and a different version spun to your employees, deleting that important aspect, despite the fact that their personal safety has been jeopardized.
Shell obviously did not want to come clean and admit its failure to safeguard data entrusted to you not only by your own employees, but employees of third parties.
Once again Shell has demonstrated its lack of integrity with a cover-up of the true situation caused by Shell negligence, intimidation designed to keep us quiet and/or destroy evidence, coupled with the usual cavalier disregard for employee safety.
Regards
John Donovan
REPLY BY RICHARD WISEMAN
From: richard.wiseman@shell.com
Date: 9 February 2010 16:27:35 GMT
To: john@shellnews.net
Cc: michiel.brandjes@shell.com, Peter.P.Voser@shell.com
Subject: RE: Shell Global Address Book
I may reply more comprehensively in due course if I judge that there is any purpose in doing so.
At this stage I can confirm that all those on the directory have been informed of the situation. We have also notified the appropriate regulators. There is no "cover up" as you put it.
Regards
Richard Wiseman
Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA
RESPONSE FROM JOHN DONOVAN
From: John Donovan [mailto:john@shellnews.net]
Sent: 09 February 2010 16:41
To: Wiseman, Richard RM SI-RDS-CCO
Subject: Re: Shell Global Address Book
Mr Wiseman you have put pressure on me to destroy the stolen database.
That act on my part might amount to a criminal offence as it is important evidence in a crime which could potentially cost the lives of Shell employees.
I am in the process of notifying Chief Superintendent Tim Newcomb of Essex Police. I had previously brought to his attention Shell's "invisible investigations" directed against us and your global spying against Shell employees visiting or posting comments on our humble website.
I can well understand why you might now be hopping around contemplating a more comprehensive reply.
Are you still suggesting that I destroy the database evidence?
Regards
John Donovan
REPLY FROM RICHARD WISEMAN
From: richard.wiseman@shell.com
Date: 9 February 2010 16:57:27 GMT
To: john@shellnews.net
Subject: RE: Shell Global Address Book
Yes I think you should destroy it. As I have explained, we have already notified the relevant authorities, and all relevant individuals. The data has no evidential value in your hands.
You have already said that you intend to keep the Shell Address Book for your personal use, so the "evidence" excuse just doesn't hold water.
Regards
Richard Wiseman
Chief Ethics and Compliance Officer
Royal Dutch Shell plc
Shell Centre, London SE1 7NA
REPLY FROM JOHN DONOVAN
From: John Donovan <john@shellnews.net>
Date: 9 February 2010 18:29:47 GMT
To: richard.wiseman@shell.com
Subject: Re: Shell Global Address Book
Although originally circulated to a number of parties by Shell insiders, and by them onwards, I know of only one copy of the attachment information which definitely still exists. That is the one in our possession and it will remain so until the Police or other relevant authority without an axe to grind advises if it should be deleted or supplied to them. I am not in as much of a rush to destroy potentially incriminating evidence as you self-evidently are for some reason. As for notifying all relevant individuals, unless there is a later notification than the one leaked to us, you failed to warn of a risk to personal safety.
Regards
John Donovan