Summary

  • Fujitsu did not act alone in the Horizon scandal, but its supplier position made its technical knowledge crucial: defect records, support interventions, remote-access evidence, and expert explanations could affect whether sub-postmasters were believed or accused.
  • The High Court Horizon Issues judgment, Court of Appeal criminal judgment, Post Office Horizon IT Inquiry evidence, Fujitsu statements, government redress data, and parliamentary scrutiny make the case a supplier-candor problem, not only a public-institution failure.
  • Supplier candor means more than answering questions truthfully when forced. It means escalating known uncertainty before customers, prosecutors, courts, or ministers rely on system output as decisive evidence.
  • Redress and restorative justice are necessary, but they cannot substitute for the earlier duty to disclose defects, limits, and remote access before technical data becomes coercive power.
  • The lasting control is a public-service supplier rule: when a vendor's system output can help accuse a person, the vendor's logs, caveats, and expert limits must travel with the evidence.

The supplier did not hold the prosecution pen, but it held system knowledge

The Fujitsu accountability question is easy to misstate. The Post Office made institutional decisions, brought prosecutions in relevant cases, pursued civil recovery, handled branch contracts, and controlled much of the public-facing process. Government oversight, legal advisers, investigators, auditors, courts, and ministers all sit in the wider record. Fujitsu should not be turned into the single actor responsible for every Horizon harm. That would be too simple.

But the opposite simplification is also wrong. A technology supplier can shape a public scandal without signing the prosecution paperwork. It designs, operates, supports, fixes, explains, and documents the system whose output others may treat as truth. If the supplier knows about bugs, errors, defects, remote interventions, support limitations, or evidential caveats, that knowledge is not ordinary back-office information. It may be the difference between a disputed balance and a life-changing allegation.

The public reference makes that clear. The Horizon Issues judgment, available as a Judiciary PDF and through BAILII, examined bugs, errors, defects, and remote access in detail. The Court of Appeal's Hamilton judgment later showed the criminal-justice consequence of unreliable or undisclosed Horizon evidence. Those judgments did not need to make Fujitsu the only responsible party to show why supplier knowledge mattered.

The supplier-candor standard starts there. If a public-service system produces evidence used against individuals, the supplier's technical uncertainty must be disclosed before the institution acts on certainty. Candor is not merely a courtroom virtue after years of litigation. It is an operational duty at the point where a system record begins to carry coercive power.

Defect logs should have been public-risk evidence

Software defects are not unusual. Complex systems have bugs. The accountability issue is what happens when known defects can affect balances, shortfalls, branch accounts, or explanations given to investigators and courts. A defect log in that setting is not only an engineering queue. It is public-risk evidence. It tells decision-makers whether a number is safe enough to support debt recovery, suspension, dismissal, civil claim, or criminal prosecution.

The Horizon record shows the danger of treating defect knowledge as internal technical material while users face external consequences. A branch operator does not have equal access to logs, code history, support records, remote-access events, and expert interpretation. The supplier and customer institution do. That asymmetry means the party with technical knowledge should not wait for the accused person to ask the perfect question. The system owner and supplier should disclose material uncertainty proactively.

The Post Office Horizon IT Inquiry's evidence portal makes visible how large the evidence architecture became after the fact. Witness statements, transcripts, exhibits, and reports were needed to reconstruct what technical and institutional actors knew. That public reconstruction is valuable, but it is also a warning. If the evidence only becomes visible after years of litigation, appeals, public pressure, and inquiry work, then the original system did not carry its own candor.

Fujitsu's own January 2024 statement acknowledged the seriousness of the matter and apologized. That matters, but the harder accountability question is earlier: what rules should have made defect knowledge impossible to under-disclose while people were being accused? The answer is not that every bug instantly proves every shortfall wrong. The answer is that defect relevance should be tested and disclosed before the institution demands trust.

Remote access was not a technical footnote

Remote access mattered because it challenged the practical meaning of branch-level accounting evidence. If a system can be changed, affected, or supported remotely, then a shortfall record cannot be treated as if it emerged only from the branch user's conduct. The key question is not whether every remote action was improper. The question is whether remote-access capability, logs, interventions, and limits were visible enough for fair challenge.

The Horizon Issues judgment treated remote access as part of the reliability record. That is exactly where it belongs. Remote access should travel with the evidence. If a branch balance is used against a person, the relevant period should include a remote-access disclosure: who had access, what activity occurred, what logs exist, what logs are missing, whether interventions could affect balances, and which expert can explain the implications. Without that package, the accused person may be fighting an invisible architecture.

This is a supplier-candor issue because remote access often lives in the supplier's operational knowledge. A customer institution may not fully understand every support pathway. A branch operator almost certainly will not. A court may assume the system record is more self-contained than it is unless the supplier and institution explain the support architecture clearly. Candor therefore means making the operational reality of the system visible before the number is used.

Remote access is not unique to Horizon. Modern public systems use managed services, support tools, cloud consoles, database administrators, remote monitoring, and emergency patches. Those arrangements can be legitimate and necessary. They become dangerous when the people affected by system output cannot see who else could touch, change, repair, or misinterpret the data. Horizon's lesson is that support architecture is evidence architecture.

Expert evidence needs limits, not only conclusions

Expert evidence carries special authority because courts and institutions often rely on technical specialists to translate complex systems. In a public-service technology dispute, the expert's duty is not to defend the system as a product. It is to explain what the system can and cannot prove. That includes known defects, search limits, missing logs, uncertainty about cause, and alternative explanations. A confident conclusion without a clear statement of limits can become a tool of institutional pressure.

General prosecution disclosure principles, such as the Crown Prosecution Service's disclosure guidance, are useful context because technical material can be unused, adverse, or explanatory. The specific Horizon record shows why that context matters. A system's apparent reliability cannot be separated from what the institution and supplier knew about its exceptions. If an expert's knowledge is filtered through contract loyalty or narrow instructions, the evidence can become incomplete even when individual statements are carefully worded.

The supplier-candor rule should therefore require an expert-evidence checklist for public-service systems. Before a technical statement is used in an enforcement, civil recovery, or prosecution context, it should identify the version of the system, known relevant bugs, defect searches performed, remote-access checks, support records reviewed, logs unavailable, assumptions made, and questions outside the expert's scope. If the expert cannot answer a question, that gap should be visible.

Such a rule protects both sides. If the system output is sound, a complete expert file helps prove it. If the output is uncertain, the file stops the institution from overstating the case. The goal is not to make public systems unusable as evidence. It is to make them usable only with their caveats attached.

Contract escalation should not wait for scandal

Supplier contracts often contain service levels, support obligations, confidentiality clauses, liability limits, change-control rules, and dispute procedures. Those terms are not enough when a system's output can be used against individuals. The contract should also specify escalation rules for evidential risk. If defects, remote access, or support interventions could affect user liability, the supplier should have a duty to escalate to independent governance, not only to account managers.

The National Audit Office's investigation into management of the Post Office Horizon IT system placed Horizon in a public governance context. That matters because supplier issues were not confined to a private software maintenance relationship. The system sat inside a public-service network with legal, financial, and human consequences. Contract management should have reflected that consequence.

Escalation should also survive customer reluctance. A supplier may face pressure not to undermine confidence in a flagship system. It may fear reputational damage or commercial consequences. It may believe the customer institution will handle disclosure. Horizon shows why that is limited public evidence. If the supplier's knowledge is material to justice, candor cannot depend entirely on the customer's appetite for awkward facts.

Future contracts for public-service systems should define "evidential defect" as a special category. It should trigger preservation of logs, disclosure to designated legal and governance contacts, independent review, affected-user notice where appropriate, and suspension of coercive reliance until the issue is resolved. That is stricter than ordinary incident management because the harm is stricter. A software defect can become a human accusation.

Public inquiry made delayed candor visible

The Post Office Horizon IT Inquiry's official site and Volume 1 report show how public inquiry can rebuild a record that was not adequately available when it mattered most. Inquiry work is necessary in a scandal of this scale, but it is also a sign of earlier failure. The evidence had to be gathered under public pressure because the original disclosure architecture did not protect the people affected.

The inquiry record is not finished as a public accountability entity. Its progress update shows that final-report work, Maxwellisation, and publication sequencing remained active. That continuing process should make current commentary careful. It should not freeze responsibility before all findings are published. It should also not delay the general control lesson: supplier candor must occur earlier than inquiry candor.

Public inquiry evidence changes incentives. Once transcripts, documents, and findings become public, suppliers and public bodies know that internal knowledge may eventually be exposed. That can improve future behavior, but only if translated into contractual and governance rules. Fear of later embarrassment is a weak control. A defined duty to disclose evidential uncertainty is stronger.

The inquiry also shows that redress and restorative justice need technical evidence. People harmed by system output do not only need money. They need recognition that the evidence used against them was unsafe or incomplete. Fujitsu's role in restorative statements, including the joint restorative justice statement, matters because supplier participation in repair is part of candor after the fact. The prevention lesson is to make that candor arrive before lives are damaged.

Redress data is evidence of lateness

Government redress data, including the Post Office Horizon financial redress and legal costs data for 2026, is necessary public accountability. It shows money moving, schemes operating, and administrative progress. It also shows lateness. Compensation after injustice is essential, but it is not the same as timely defect disclosure before injustice.

The House of Lords Library briefing on progress of compensation and the National Audit Office's compensation scheme lessons help frame the administrative challenge. Schemes have to identify people, assess claims, handle evidence, pay fairly, and avoid adding new procedural harm. But a supplier-candor analysis asks an earlier question: why did people have to become claimants at all?

The redress record should feed back into supplier governance. Each category of harm should be traced to the evidence failure that allowed it. Was a defect not disclosed? Was remote access misunderstood? Was expert evidence incomplete? Were branch complaints treated as isolated? Were logs unavailable? Were decision-makers too confident in system output? The compensation record should not only close claims; it should classify prevention failures.

That classification matters for other suppliers. If a vendor builds or operates a public system whose outputs affect benefits, tax, licensing, immigration, healthcare, education, policing, or justice, it should read Horizon as a warning. The harm is not limited to one legacy accounting platform. It is the general risk of supplier knowledge being trapped inside commercial and technical channels while public authorities use the system's output against people.

Replacement does not erase supplier debt

Computer Weekly's reporting on Horizon replacement deals is secondary, but it points to a wider issue: replacing a system or changing suppliers does not erase evidential debt. The old system's records, defects, support files, and explanations remain relevant to redress, appeals, inquiry findings, and public trust. Decommissioning a system should include an evidence-preservation plan.

That plan should be explicit. Which logs are preserved? Which defect databases remain searchable? Which support tickets are retained? Which staff or experts can explain historic behavior? Which remote-access records survive? Which contract provisions protect evidence after transition? Which data is needed for compensation schemes and legal review? If replacement proceeds without preserving the evidence record, the institution may reduce future operational dependence while weakening past accountability.

This is a supplier-candor issue because outgoing suppliers often retain technical knowledge. They may no longer run the system, but they may still hold or understand records that affected users need. A public-service buyer should not let transition become amnesia. The contract should require cooperation with redress, inquiry, litigation, and independent review after the operational relationship changes.

Replacement also creates a design opportunity. The next system should include challenge logs, audit exports, user-visible dispute records, independent evidence packages, remote-access transparency, and defect-notice workflows from the start. If those features are treated as optional, the new system may be more modern while repeating the old evidence imbalance.

Parliamentary scrutiny keeps supplier accountability current

Parliamentary scrutiny, including records such as the House of Lords debate on Fujitsu government contracts and committee activity like the Business and Trade Committee evidence session, keeps supplier accountability from becoming an archival issue. Public buyers still procure complex systems. Fujitsu and other suppliers still operate in government markets. The question is how past evidence failures affect future trust.

Procurement exclusion or contract caution may be politically tempting, but the deeper control is evidence duty. A government buyer should ask every major supplier: if your system output can affect a person's liability or entitlement, how will defects be disclosed? How will remote access be logged? How will expert evidence state limits? How will users challenge records? How will independent reviewers access technical material? How will you cooperate after contract exit?

Those questions should sit beside price, delivery, security, and uptime. A system can meet uptime targets and still be dangerous if its evidence is unchallengeable. It can deliver the contracted functionality and still fail public accountability if known uncertainty is not escalated. Horizon's supplier lesson is therefore not only "choose better technology." It is "buy candor as a required feature."

Parliamentary scrutiny can also protect civil servants and procurement teams from narrow commercial pressure. If evidence duties are publicly expected, buyers have stronger grounds to demand them. If suppliers know that disclosure architecture will be examined, they have stronger incentives to design it. Public accountability becomes a procurement requirement rather than a scandal response.

Trustworthy systems require social evidence, not only engineering

NIST SP 800-160 on systems security engineering is general guidance, but it helps explain the broader principle: trustworthiness is engineered across requirements, architecture, assurance, and lifecycle. Horizon adds a social evidence dimension. A public system is not trustworthy only because its code runs. It is trustworthy when people affected by its output can understand, challenge, and correct the record.

That requires design features. Every material output should have provenance. Every manual or remote intervention should leave a visible trace. Every defect relevant to a disputed period should be linkable to affected records. Every expert statement should include scope and limits. Every enforcement use should package caveats with the number. Every supplier escalation should be preserved. These are not decorative audit features. They are safeguards for people who otherwise face an institution with better access to evidence.

Data sovereignty and locality appear in the topic list because evidential location matters. It is not enough to say data exists somewhere in a supplier environment. The affected person and decision-maker need to know where relevant records are, who can access them, which jurisdiction and contract terms govern them, and whether they can be produced before harm occurs. Evidence that cannot be reached in time is weak evidence.

SME service continuity also matters because sub-postmasters were small operators inside a public-service network. They depended on the system to run branches and defend themselves when accused. A technology failure that a large institution can absorb may destroy a small operator. Supplier candor should be calibrated to that imbalance.

The accountable question is whether supplier knowledge could escape

The residual unknowns remain. The full final inquiry record is not yet complete in every volume. Individual responsibility across Post Office, Fujitsu, government, lawyers, auditors, and prosecutors is complex. Some processes continue. Compensation, restorative justice, contract consequences, and public procurement choices will keep evolving. A careful article should not claim final allocation beyond the sources.

But the supplier-candor test is already clear. Who had practical control over technical knowledge, and could that knowledge escape into the justice record before harm hardened? Fujitsu controlled or helped control system knowledge, support records, defect understanding, remote-access explanation, and expert evidence. The Post Office controlled much of the institutional use of that evidence. Government and courts controlled oversight and correction at different stages. Sub-postmasters controlled very little of the technical record but carried the most personal risk.

For Fujitsu, credible repair means more than apology. It means cooperation with inquiry, redress, restorative justice, evidence preservation, and future procurement rules that make defect disclosure unavoidable. For public buyers, credible repair means contracts that require candor, not only delivery. For courts and prosecutors, credible repair means demanding technical caveats before relying on system output. For future suppliers, credible repair means designing systems whose outputs can be challenged by the people affected.

The Horizon scandal made visible a supplier duty that should have been obvious earlier: when public power relies on a vendor's system, vendor knowledge becomes public accountability evidence. If that knowledge stays trapped in logs, support desks, contract channels, and defensive expert statements, the system may look authoritative while justice is already failing.

A supplier-candor register should be independent of delivery management

One practical reform is a supplier-candor register for public systems whose outputs can affect individual rights, debt, liberty, or livelihood. The register should not be owned only by the delivery team trying to keep the project stable. It should sit with governance, legal, risk, and independent assurance. It would record defects with potential evidential effect, remote-access capabilities, missing logs, expert-evidence caveats, disputed user patterns, support interventions, and escalation decisions. It would also record whether affected users, courts, investigators, or scheme administrators were told.

This register would not publish sensitive technical detail by default. It would create a disciplined route for deciding what must be disclosed when system output is used against a person. The test should be materiality to fairness, not embarrassment to the supplier or customer. If a known defect could plausibly affect the period or account in dispute, it should be reviewed and disclosed in a usable form. If a remote intervention occurred, the record should say so. If logs are missing, the absence should be visible.

The register should also protect staff inside suppliers. Engineers and support workers may see problems before executives or customers want to discuss them. A clear candor path gives those workers a legitimate channel for escalation. It reduces the chance that warnings are softened, lost, or treated as ordinary ticket noise. It also gives responsible suppliers evidence that they did escalate when public harm was possible.

Public procurement should score challengeability

Public buyers routinely score functionality, cost, security, implementation risk, service levels, and support. Horizon suggests another score: challengeability. Can a person affected by a system output obtain the evidence needed to challenge it? Can the buyer explain the provenance of a record? Can remote interventions be surfaced? Can known defects be linked to affected transactions? Can independent experts inspect the relevant material? Can the supplier continue to support evidence requests after contract exit?

Challengeability should be designed into the system and contract. It is much cheaper to create audit exports, defect-linking tools, and evidence packages before a scandal than to reconstruct them afterward. It also changes supplier incentives. A vendor that knows challengeability will be scored has reason to build transparency into architecture rather than treat it as a legal burden after harm occurs.

This is not anti-supplier. It is pro-trust. A supplier whose system is accurate should want the evidence package to prove accuracy. A supplier whose system has a defect should want the defect disclosed before it causes irreparable harm. A buyer whose public authority depends on the system should want both outcomes. The only actor served by low challengeability is the institution that prefers short-term certainty over fair evidence.

Restorative justice needs technical memory

Restorative justice in a technology scandal cannot rely only on apology and listening, although both matter. It also needs technical memory. People harmed by Horizon often need to know why they were accused, what the system could not prove, what records were withheld or misunderstood, and how the institution will prevent repetition. A supplier's role in restorative work should therefore include helping translate technical history into humanly understandable answers.

That is difficult because technical memory is messy. Old systems change. Staff leave. Logs may be incomplete. Tickets may be ambiguous. Defects may have multiple names. Remote-access records may be stored in separate places. But difficulty is not a reason to avoid the work. It is the reason the work should start early and be funded properly. Every year of delay makes technical memory weaker and human repair harder.

The Fujitsu lesson for future suppliers is to preserve memory when a system becomes contested. Do not wait for inquiry subpoenas, litigation disclosure, or media attention. Preserve defect databases, support records, expert drafts, access logs, and escalation messages when public harm is plausible. The cost of preservation is small compared with the cost of trying to rebuild trust after people have been disbelieved for years.

Supplier candor should survive corporate reputation management

Corporate reputation teams naturally want careful language. That is understandable, especially when legal processes continue. But supplier candor cannot be reduced to reputation management. Public systems require plain acknowledgement of technical limits. A supplier can avoid overclaiming liability while still stating what is known, what was wrong, what evidence exists, what remains uncertain, and what cooperation it will provide.

The distinction matters because defensive language can re-harm people. If public statements minimize the technical record or imply that the scandal is only a customer-institution problem, the supplier may appear to be protecting itself at the expense of those who need answers. A better posture is bounded candor: no unsupported admissions, no speculation, but no hiding the fact that supplier knowledge mattered.

Bounded candor should also appear in future customer relationships. Suppliers should tell public buyers that evidential uncertainty will be escalated even if the buyer prefers silence. That condition may be commercially uncomfortable. It is also what makes the supplier fit to operate systems that can affect rights and livelihoods. Horizon shows that silence can become part of the harm chain.

The candor duty should attach to the output, not the institution

One reason Horizon is so important is that responsibility traveled through many hands. A supplier built and supported the system. The Post Office used the outputs. Lawyers framed cases. Courts heard evidence. Government oversaw at a distance. People harmed by the system faced the combined authority of all those actors. If candor attaches only to the institution bringing the case, supplier knowledge can remain trapped one step away from the person who needs it.

The better rule attaches candor to the output. If a system output is used to demand money, discipline a worker, remove a licence, or support a prosecution, any party with material knowledge about the reliability of that output has a duty to surface it through defined channels. That does not mean every engineer becomes a witness. It means the organization must maintain a route by which technical uncertainty reaches the evidential file.

This rule would also help public buyers govern suppliers. The buyer would not need to prove bad faith before demanding disclosure of relevant uncertainty. The contract would already say that evidential use triggers heightened candor. The supplier would know that ordinary commercial escalation is not enough. The user would benefit because the evidence package would include the system's limits, not only the system's conclusion.

Independent review should be available before the point of no return

Horizon shows that independent review after scandal is too late for many people. Future systems need independent review before the point of no return. That could mean a technical panel, independent assurance office, specialist court adviser, ombuds route, or statutory reviewer depending on the setting. The key is access: the reviewer must be able to see defect logs, remote-access records, support history, expert assumptions, and relevant transaction data.

The review should be triggered by patterns as well as individual complaints. Repeated unexplained shortfalls, clusters of support tickets, recurring defect categories, or disputes with similar facts should trigger escalation. A public system should not treat every user as isolated when the evidence suggests a common mechanism. Pattern detection is a supplier-candor issue because the supplier often sees cross-case technical signals before any individual user can.

Independent review also protects public institutions from overconfidence. It gives decision-makers a way to pause without admitting final error. It can say, "the system output may still be correct, but current evidence is limited public evidence for coercive action." That sentence, if available early, can prevent years of harm.

Evidence packages should be designed for ordinary users

A supplier can technically disclose a large volume of logs and still fail candor if the material is unusable. The evidence package should be understandable to a branch operator, local adviser, investigator, prosecutor, judge, or compensation assessor. It should identify the disputed output, the period, known relevant defects, support interventions, remote-access events, missing records, and expert caveats in plain language. Technical appendices can sit behind that summary.

This design choice matters because power often hides in complexity. If the affected person needs expensive experts just to discover whether a defect might matter, the challenge route is not fair. A public-service system should produce a first-level explanation that lets non-specialists see why the institution believes the record and what uncertainty remains. That is not oversimplification. It is accessibility for justice.

The package should also be versioned. If new defect information emerges after a decision, the people affected by earlier decisions should be notified. Horizon's history shows the danger of knowledge arriving too late and staying too local. A defect discovered in one dispute may matter to another. Supplier candor includes the duty to connect those dots.

Exit plans should preserve the evidential record

Public technology contracts often focus on service transition when a supplier exits: data migration, replacement systems, staff handover, licence closure, and continuity of support. Horizon adds another exit requirement. The evidential record must survive the commercial relationship. If a system has been used to support enforcement, debt recovery, employment decisions, prosecution, compensation, or public-service decisions, the supplier and buyer should preserve enough technical memory to answer later challenges.

That record should include defect histories, relevant support tickets, remote-access logs, expert-evidence materials, known limitations, migration notes, and the mapping between old and new data structures. It should also identify who can explain those materials after contract exit. A public buyer should not discover during a later review that nobody can interpret the records because the project team has dispersed and the supplier relationship has changed.

Exit evidence is not only a litigation concern. It is a fairness concern. People affected by historical system output may need answers years later, especially when harm was slow to surface or institutions resisted challenge. If the records are incomplete, the burden again falls on the person with the least power. An accountable supplier and buyer should plan for that imbalance before a system is retired or replaced.

The same principle should apply to future public procurement. A vendor that wants to operate consequential systems should be able to say how long evidential records will be kept, how they will be searched, how defects will be linked to affected users, and how independent reviewers can access material under proper safeguards. That makes candor durable. It prevents accountability from expiring when the contract changes.

Supplier staff need protected candor routes

Supplier candor is often discussed as a corporate duty, but the first warning may come from an engineer, support analyst, tester, service manager, or field specialist who sees a pattern before executives do. If those workers do not have a protected route to escalate evidential risk, the organization may convert warning signals into ordinary service noise. A consequential public system should therefore have a formal route for staff to raise concerns about reliability, remote access, logging gaps, expert evidence, or user harm.

The route should be separate from day-to-day delivery pressure. Project teams are often rewarded for keeping the service stable, meeting milestones, and protecting the client relationship. Those incentives can make uncertainty feel inconvenient. A protected candor route gives staff permission to say that a defect has legal or fairness significance, even if the operational workaround appears manageable.

Public buyers should ask suppliers how that route works. Who can escalate? Who reviews the concern? How is the buyer told? How are affected users considered? How are records preserved? How is retaliation prevented? These questions are not administrative extras. They decide whether technical knowledge can escape the organization before public harm becomes irreversible.