Sunday 23 June 2019

My Response - UPA

Without Prejudice
23rd June 2019

To all:

THERE HAS BEEN NO DATA BREACH

I was hoping I wouldn’t have to respond but I feel compelled to do so. The circumstances and the facts
are being distorted and misrepresented and there is an awful lot of context missing.
As threats of legal action are being made, I will not be entering into any discussions.

Please note: I have not received a single communication from anyone at UPA about any of this to date.
My point of view has not been sought. No accusation has been made to me directly
(only on Facebook Public Forums and through 3rd parties) and I have been given no right of reply
so I am issuing this public statement.

Please rest assured that there has been no data breach, and nothing has been stolen.
Your data is and always has been completely safe and has never been shared with anyone other
than me.

Why me?

Because I did actually care about your data and had the skills and experience to look after it properly.
There was a complete lack of any data, password or account controls from anyone and since no one
had resolved these issues by the time I was designing, writing, getting academic support for the
2018 Survey, I researched and wrote the GDPR policy for UPA, got it checked over by a lawyer,
published it and implemented it.
At no point has anyone asked me or even expressed an interest in how I have managed this or any
other data at any point. I was left to deal with it alone. Since I also, personally paid for the marketing
and promotion, publicised and monitored the survey, collected the data, analysed the data and
published the final report, it was, of course, also up to me to manage this data, and I have.

Since 2014, I created the 2016 survey which I personally got into the APPG Inquiry and I have run most media inquiries, polls, shop queries, merchandising, CBD affiliates, events and worked with MPs in the name of UPA most of which, through my personal email address, since I could never get a working UPA one!

Over that 5 years up to and including the 2018 Survey and to this day, I have never shared any
personal information with anyone else without advanced permission. In fact, as I am sure that
every patient I have ever dealt will would testify to, even when you have given me your permission
to share your details with someone in the media, I ALWAYS double check that you are happy
before every submission. I treat personal data security very seriously. This behaviour and experience
comes from working as a professional in IT for 15 years.
The reason I still have possession of that data, is that since I resigned from the UPA Board
(not from UPA), an appropriate handover for the data has not taken place, even though I have offered
my time to do this on several occasions so far. I will not hand over any patient data unless it is done
in a secure and responsible way with assurances that it will be managed properly.
I do not currently have this confidence in UPA and since I have been locked out of the shared folder
it was stored in, I can only assume that UPA have a copy which concerns me.

Over that time, I have built a large personal contact list and whilst I did do all this work under the
banner of UPA, everything I do or have ever done is exclusively for the benefit of patients.
I believe I can stand by my public record of dedicating the last 5 years of my life to doing everything
you know that I have done and all absolutely free.
Besides my time and experience, I have invested over £20k of my own funds in doing it under the UPA
banner and I was happy and proud to. But I don’t do what I do for my personal benefit, or for UPAs,
but for patients.
Always have. Always will.

The MailShot

I don’t consider my new organisation to be either a threat nor a competitor to UPA.
I’d hoped and continue to hope that we can complement each other. In fact, with our set-up may well
become a useful source of funding for the great work UPA volunteers have done. I was hoping that
we could help each other succeed in what we wanted to achieve.
Different focuses. One goal. I feel very sad, that it appears to have gone a different way.

Was this wrong?
UPA was set up to be an umbrella organisation to welcome campaigners and activists, and a lobbyist,
to do what they do under a single banner. Not to own, exploit or take advantage of the work of others.

I have designed, instigated, created, increased and managed this data, alone, from the day I started
working as a volunteer for UPA. Literally none of it would even exist if I hadn't and I felt that as I was
still a legal director of UPA, a single communication to all the contacts I had made whilst doing what
I do for UPA and for patients, to let everyone know of something that I am doing to help more patients
would be fair.
The email was an "Opt-In" only, after which I would destroy all historical PII data I held.
I don’t “own” this data. Neither, despite their claims do UPA, patient data belongs to patients.
I believe I have managed that data responsibly.

Is there a chance that I captured email addresses for some reason and at some point in the last 5 years
that I did not cross reference with all the people who ticked “don’t use my email address” in the 2018
survey? I think I did this. Could I have made a mistake? Yes, its possible.

Did I ever make a copy paste error, whilst doing all the analysis of the 2018 Survey Results?
I don't believe so, but accept that it's possible.

Can I cross check to find out? No, because the survey permission said we would delete once the
survey was complete. Once I had completed my analysis of the results data – I deleted them!

So I openly apologise to anyone who was concerned or upset by having received this email from me
(please note, this was from my own personal email address) and am happy to be judged on that decision
and will accept any and all feedback or consequences but most importantly please rest assured that if
you have asked to be removed you have already been deleted, if you have complained to me,
you have been deleted, if you don’t respond affirmatively to the email, you will be deleted and all other
historical data will be deleted in accordance with good data policy as soon as I can hand it over securely
to UPA. Let me know, if you’d rather I didn’t?

I repeat – There has been NO DATA BREACH:
Whilst in my possession, your data has NEVER been shared with anyone, ever!

All this makes me so sad and has gotten so ridiculously out of hand. I’m nobody's enemy and I’m certain
that there are better things for us all to be spending our limited time, health and resources on?
I’ve never stopped supporting UPA. How can I? I have dedicated 5 years of my life to it and have been
instrumental in delivering pretty much everything significant that UPA have achieved in that time.
I’m sorry that the remaining team seem to have lost sight of that.

Making false accusations, jumping to the worst assumptions and even threatening legal action in public
forums without establishing the facts and without a single direct communication, to someone who has
done all this and so much more in good faith and friendship is hurtful and disappointing and this kind
of thing being dealt with in this way is not good for anyone or anything.

I feel I should also add that the lion's share of the UPA website content, all the patient guidance,
medical information and many other assets I have created and/or curated for patients and UPA over the last 5 years I was and continue to be happy for you to use for the benefit of patients.
I also hope you find the forthcoming publications from the Centre for Medicinal Cannabis,
citing UPA (for the work I did for UPA) to be of help.

Yours Faithfully
Jon Liebling