Agency drivers blacklist-

Dear All

As security seems to be a consistent concern I would like you all to read the following extract from the de Poel IT security file. It does not include all information as this is sensitive; however, it does demonstrate that this system is as secure as is possible. Certainly as secure as online banking etc.

With regard to ongoing concerns and additional questions please raise them on here again and any and all sensible questions posted by Friday that have not already been answered will be by Monday.

As a lot of people writing on here do clearly not know what the system does or what it is for I suggest they view our web site www.depoelconsulting.com and read about add prior to commenting. Alternatively please contact Kay Jones on 01565 682020 who will be happy to send you literature on the system.

Security Information

de Poel Agency Driver Database add™

Background: The application developers have in place an extensive series of standard operating procedures to deal with security. These include

A set of procedures for:

Acceptable Use

Audit Policy

Information Sensitivity

Acceptable Encryption

Risk Assessment

Server Security

These policies cover:

the security of data held

the security of data applications that the company develop

the security of systems that the company maintain, build and establish

the security of electronic transmission of data

Application Design

Before building the application the developers completed a risk analysis of the project. This highlighted several areas of potential risk due to the sensitivity of the information that the application was storing. Data holding individuals’ personal details was considered to be ‘high risk’ information due to the possibility of this information falling into the wrong hands. The potential for using this data as a source for ‘identity theft’ was one of the primary concerns. An examination of the possible ways of this information being captured and then preventing its capture was an initial part of the project’s design. As in all risk based analysis where the level of risk is judged to be high the requirement and specification process first and foremost addresses these issues.

During the design process the following topics were analysed:
Identification and Authentication - establishment of a claimed identity
Access Control - the control and authorisation of access to information by a user
Integrity — prevention of unauthorised amendment or deletion of information
Accounting - the recording of an account holder’s security related actions
Audit - the monitoring of security related events
Data Exchange - the protection of inter-communication.
Non-repudiation - to render an event undeniable

Identification and Authentication. Access to the system will be limited to known individuals who have a contractual agreement covering their use of the system.

Access Control. Access to information on the database will be filtered through a set of privileges that restrict users to viewing information they expressly have permission to see. This will be in accordance to Client policy and procedures. For example a user may only view information on a subject within the database if within normal circumstances they have the right to view that information as an express part of the duties they perform.

Integrity. Users will only be able to amend a record if within normal circumstances they have the right to amend that information as an express part of the duties they perform. For instance a manager who is authorised to record incidents that occur within their workplace, or their jurisdiction, as a normal part of their duties, such as accidents, will be the only level of user who can amend such records within the application.

Accounting. Clients will have in place policies to ensure that a user is accountable for the accuracy and validity of any information they enter on the system. The application records the user who entered this information and as a secondary check requires that when they confirm an item of information that is of a non factual nature, such as an incident, that the user re enters their password at the point of submitting that data.

Audit. All driver data entry is logged against the system user; furthermore, records will not be deleted, they can only be revoked. This enables the system to maintain a full audit trail of all user entered data and the exact nature of the data they entered. Incorrect data will be overlaid with corrected data.

Data Exchange. The first stage in securing any data that is transmitted is encryption. All data exchange between the system and any other system by any means will be encrypted to a minimum of 128 bit. This includes local and wide area data exchange through all protocols including the internet.

Non-repudiation. The audit logs and the retention of all user entry will ensure that users are not able to repudiate any entries they have made. No user’s records will be removed from the system, they will have a revoked status preventing them from gaining access, to ensure that historical data entry can be ascribed to the user who was responsible for entering it.

Server Security. Aside from a high level of physical security the servers that host the system will have in place the following measures.
System Access.
The system will support SSL at 128 bit and not permit any other kind of connection through any other protocol.
Login will require three pieces of information including a password.
Logins will not be sent in the clear.
Passwords will be stored in the authentication database in a one way hashed (encrypted) format preventing anyone else including system administrators from seeing them.
Initial password allocation will be in the form of a ‘one time password’, users must then reset their password to a new one of their choosing, preventing password sent in the clear from being used.
User selected passwords must contain a mixture of alphas and integers and must be 6 characters in length (e.g. 7Ghs9j1)
While we cannot publicise the exact steps taken to secure the server from malicious attacks the following steps have been taken.
The server will reside behind two firewall systems.
All ports not used by the system will be closed.
All services not used by the system will be disabled. (e.g. telnet, ftp)
The server will be subject to regular security scans, searching for over 6000 known vulnerabilities, the known vulnerability profile is updated prior to each scan.
The server architecture and OS has been determined by choosing the most resilient combination as evaluated by independent security analysts.
The application code will employ Data Filtering
The application code will be designed to resist the following
Spoofed Form Submissions
Spoofed HTTP Requests
Cross-Site Scripting
Cross-Site Request Forgeries
Exposed Access Credentials
SQL Injection
Session Fixation
Session Hijacking
The application and all other security measures will be subject to ongoing review and assessment.

Kind Regards

Matthew Sanders
Director
de Poel Consulting Limited
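
The Integrity, Accounting, Audit and Non-repudiation rules in the extract above, sketched as an added example; it is not part of the original post and is not de Poel's code. The class and role names, the PBKDF2 parameters and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

NON_FACTUAL = {"incident", "accident"}   # kinds that need password re-entry (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow one-way hash; only salt and digest are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class Entry:
    entry_id: int
    driver: str
    kind: str
    text: str
    entered_by: str                      # every entry is logged against a user
    supersedes: Optional[int] = None     # id of the entry this one overlays


class DriverLog:
    def __init__(self):
        self._users = {}     # name -> {"role", "salt", "digest", "revoked"}
        self._entries = []   # append-only: nothing is ever removed
        self._revoked = {}   # entry_id -> user who revoked it

    def add_user(self, name, role, password):
        salt = os.urandom(16)
        self._users[name] = {"role": role, "salt": salt, "revoked": False,
                             "digest": hash_password(password, salt)}

    def revoke_user(self, name):
        # The account is disabled but kept, so old entries stay attributable.
        self._users[name]["revoked"] = True

    def _check(self, name, kind, password):
        user = self._users.get(name)
        if user is None or user["revoked"]:
            raise PermissionError("unknown or revoked user")
        if kind in NON_FACTUAL:
            if user["role"] != "manager":
                raise PermissionError("role may not record " + kind)
            supplied = hash_password(password or "", user["salt"])
            if not hmac.compare_digest(supplied, user["digest"]):
                raise PermissionError("password re-entry failed")

    def add_entry(self, user, driver, kind, text, password=None, supersedes=None):
        self._check(user, kind, password)
        if supersedes is not None:
            if not 0 <= supersedes < len(self._entries):
                raise ValueError("no such entry to correct")
            old = self._entries[supersedes]
            if (old.driver, old.kind) != (driver, kind):
                raise ValueError("correction must match the original entry")
        entry = Entry(len(self._entries), driver, kind, text, user, supersedes)
        self._entries.append(entry)
        return entry.entry_id

    def revoke_entry(self, user, entry_id, password=None):
        self._check(user, self._entries[entry_id].kind, password)
        self._revoked[entry_id] = user   # flagged, not deleted

    def current_view(self, driver):
        # What a reader sees: not revoked, not overlaid by a live correction.
        overlaid = {e.supersedes for e in self._entries
                    if e.supersedes is not None and e.entry_id not in self._revoked}
        return [e for e in self._entries if e.driver == driver
                and e.entry_id not in overlaid and e.entry_id not in self._revoked]

    def audit_trail(self, driver):
        # Full history: every entry plus who revoked it, if anyone.
        return [(e, self._revoked.get(e.entry_id))
                for e in self._entries if e.driver == driver]


if __name__ == "__main__":
    log = DriverLog()                    # constructed sample data
    log.add_user("mgr1", "manager", "constructed-password")
    first = log.add_entry("mgr1", "D100", "incident", "Collision in yard",
                          password="constructed-password")
    log.add_entry("mgr1", "D100", "incident", "Contact, no damage",
                  password="constructed-password", supersedes=first)
    print([e.text for e in log.current_view("D100")])
    print(len(log.audit_trail("D100")), "entries retained in the audit trail")
```

Revoked and overlaid entries stay in `audit_trail`, so anyone granted access to the trail still sees them; who that is would be a separate access-control decision.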

As a lot of people writing on here do clearly not know what the system does or what it is for I suggest they view our web site www.depoelconsulting.com

I would suggest it is far more relevant to visit
dp-add.co.uk/

Which is the entry portal for the drivers database

I quote from that entry page

add is a revolutionary agency driver database designed to provide companies and agencies with easy access to essential driver information, enabling them to dramatically reduce the risks associated with using this resource.
add records and maintains information regarding drivers:
Qualifications
Inductions
Skills
Incidents
Accidents
And more

Automatic reminders and internal checks ensure that the information is kept up to date and relevant to your business.

The part highlighted in Red is the most disturbing, and it is this that we as drivers do not want on a file about us, especially when * most drivers are not aware they may be on this system

  • When most drivers will have to pay you to read this information
  1. Notify all drivers in writing should a Considered blameworthy accident or incident be added to their record. Drivers will then be able to contest this if applicable.

When drivers cannot place an explanation or repudiation of any allegations on your system ( Who decides what is applicable/blameworthy, who decides whether a driver can actually ensure their point of view of an incident/accident is allowed… de Poel have told us there are NO FREE TEXT BOXES on the system, so how will a driver be able to contest the allegations?

  • and when de Poel THEMSELVES
  1. will not undertake to ensure that all drivers entered on this system are fully aware of the implications of being on it,
  2. will not withhold any entries on the system until de Poel have contacted the driver and ensured that they were aware that their information was being added and is correct
  3. Will not send to all its clients a de Poel logo’d consent form and information sheet that ALL drivers to be entered onto the database will have to sign before information is added
  4. Will not inform drivers which agencies use this system so that drivers can make informed choices about whether they wish to work for that agency
  • Will de Poel REMOVE the employ YES/NO question from the system

I have a number of other issues, but my time is short this morning, I will follow these up later …

Accounting. Clients will have in place policies to ensure that a user is accountable for the accuracy and validity of any information they enter on the system. The application records the user who entered this information and as a secondary check requires that when they confirm an item of information that is of a non factual nature, such as an incident, that the user re enters their password at the point of submitting that data.

de Poel is holding this database on its servers…
de Poel should be man enough to take responsibility for the information held within.

de Poel should make a commitment to the drivers whose information they are using (abusing) that de Poel will reimburse them for any loss of income suffered due to incorrect information being held on de Poel’s system

De Poel(Matthew),

Thank you for another reply, you obviously fully realise the gravity of feeling against your system. However, the meaning of security in this instance goes beyond the physical barriers that are in place. It is much more about how the information is collated and used. The information is entered onto your system BEFORE the driver is notified. Surely this should be reversed, once you have received the information you should contact the driver to get their expressed permission. I know this would increase the cost of running the system, but those costs would need to be passed onto the company using it.

You also mention the driver having a “PIN”. So what is the use of the “PIN”? Would it not be wise for all information on the driver to remain un-viewable until the driver had entered his PIN in front of the customer? At least this way the information is only being released to people the driver is aware of. Under your current system anyone who has the system can access anyone on the system if they know some of their basic details.

De Poel:
Integrity. Users will only be able to amend a record if within normal circumstances they have the right to amend that information as an express part of the duties they perform. For instance a manager who is authorised to record incidents that occur within their workplace, or their jurisdiction, as a normal part of their duties, such as accidents, will be the only level of user who can amend such records within the application.

Who decides if they would normally have those rights? Is it you or the agency signed up to the system? Who is policing the agency’s use of it, and how?

I say yet again, before any information is entered onto a system such as this the default should be that the person in question has the right to veto such information being put on, it should not be the default that the information is available first and then the driver has to request to look at the information, then make a formal request for it to be removed (which by your own admission it won’t, just archived). Who has access to the revoked information? This info could still count against drivers if it fell into the wrong hands. If an employer was looking at 2 drivers and one had information showing as being revoked then the likelihood is the employer would go for the other driver.

Your answers just raise more questions about the whole integrity of the system and how it can be used maliciously very easily without the driver having any knowledge.

As soon as any information is amended or entered then that is the point letters showing all current and intended future information should be sent to the driver to verify. But I suspect this would make the system un-profitable.

(2) Without prejudice to the generality of paragraph (1), an agency shall not disclose information relating to a work-seeker to any current employer of that work-seeker without that work-seeker’s prior consent, which has not by the time of such disclosure been withdrawn, and shall not make the provision of any services to that work-seeker conditional upon such consent being given or not withdrawn.

Will de Poel inform all their agency clients who are registered with the Recruitment and Employment Confederation that the REC own code of conduct specifically states as above… that they CANNOT refuse to give them work if they choose NOT to have their details listed on your database

Dear All

I feel I should answer one point immediately:

NO Driver is added to add without firstly being informed by their agency, both verbally and in writing. The driver has to be present to be added; both to have a picture taken and to choose a pin.

Regards

Matthew

Is it time, and is there a way or will to challenge this more formally through some machinery available to all.

Clearly no one individual could afford to mount any legal challenge, but collectively and with the assistance of say one of the Truck Media groups, the FTA, Unions, or similar, there may be a way to force this issue to the fore and get some definitive ruling on what can and cannot be done.

Probably a non-starter and De Poel are aware of this. You only get what justice you can pay for!

Just a thought!

NO Driver is added to add without firstly being informed by their agency,

I am sorry that you still cannot see one of the fundamental points.
de Poel is operating this database, de Poel MUST take responsibility to ensure that drivers are aware of all the implications of being on your database, and de Poel MUST ensure THEMSELVES that all drivers whose details are held have freely given their permission.

This can only be done by all information being withheld by de Poel until a de Poel logo’d consent form has been received from the driver, along with a signature from the driver that they have read an information sheet detailing the full implications of being on your database.

With regard to the following:-

am sorry that you still cannot see one of the fundamental points.
de Poel is operating this database, de Poel MUST take responsibility to ensure that drivers are aware of all the implications of being on your database, and de Poel MUST ensure THEMSELVES that all drivers whose details are held have freely given their permission.

This can only be done by all information being withheld by de Poel until a de Poel logo’d consent form has been received from the driver, along with a signature from the driver that they have read an information sheet detailing the full implications of being on your database.

I am glad you have raised this point as this is what happens as previously explained. Upon registration all drivers are provided with written and verbal information on the system which they sign for.

Can all commenters please read our responses and literature before incorrectly stating various spurious information as facts! This is misleading and disruptive.

Kind Regards

Matthew Sanders
Director
de Poel Consulting Limited

de Poel Director:
With regard to the following:-

am sorry that you still cannot see one of the fundamental points.
de Poel is operating this database, de Poel MUST take responsibility to ensure that drivers are aware of all the implications of being on your database, and de Poel MUST ensure THEMSELVES that all drivers whose details are held have freely given their permission.

This can only be done by all information being withheld by de Poel until a de Poel logo’d consent form has been received from the driver, along with a signature from the driver that they have read an information sheet detailing the full implications of being on your database.

I am glad you have raised this point as this is what happens as previously explained. Upon registration all drivers are provided with written and verbal information on the system which they sign for.

Can all commenters please read our responses and literature before incorrectly stating various spurious information as facts! This is misleading and disruptive.
Kind Regards

Matthew Sanders
Director
de Poel Consulting Limited

Please can you show me where you have stated the first part highlighted in Red is the practice at the moment?

It has been stated time and time again in this thread that de Poel rely on the agency to get the driver’s permission on their behalf.

· Are drivers informed that their details will be entered on the system?
A- Yes. Contractually agencies should do this. However as a safeguard de Poel guarantee to write to all drivers added to the system within 48 hours of them being added informing them that they are now on the system and what this entails. Should a driver demonstrate that his or her permission was not granted to do so, de Poel will remove any and all records held.

I have not seen anywhere in this thread where de Poel have said they supply a de Poel logo’d consent form to be sent to de Poel by the driver along with a signature that they have read and understood the implications of being on this database.

I have also not seen anywhere that de Poel will withhold all information entered on your database about a particular driver until the above consent form is received

Just the opposite in fact…
de Poel have stated that Agencies, NOT de Poel, will be expected to ascertain whether drivers are happy to be on the system, and de Poel will allow details on the database BEFORE they inform the driver they are on it and verify that they have given their permission freely and with full knowledge of all the implications of doing so

I of course apologise if I have missed a retraction by de Poel of the above

Can all commenters please read our responses and literature before incorrectly stating various spurious information as facts! This is misleading and disruptive

:open_mouth: :open_mouth: :open_mouth: of course reading the posts thoroughly including their own responses is the responsibility of all participants in this thread, we would hate for anyone to be misled :wink: :wink:

De Poel,

You are still missing one fundamental point, that is, YOU should be responsible for all the data and its collection. At the moment you are relying on the agencies submitting that information and informing the driver. I would be very surprised if the majority of the drivers on your database fully understand the visibility of the information, the likelihood is that they think it is only available to their agency’s customer and not to all who subscribe to your system.

As for all posters reading the posts before adding, perhaps there is a lack of clarity and continuity within the answers from De Poel :question: :question:

You are still not accepting responsibility for the data, you are pushing the responsibility onto the agencies, this is fundamentally wrong, why will you not take responsibility for your own actions :question:

The plot thickens :open_mouth:

I have had an interesting conversation with a recruitment consultant for a franchisee of a major Driver Agency… I have promised not to reveal their identity or the agency involved.

A member here has drawn their attention to this thread, and asked them to confirm that they use de Poel.

This question was passed to the agency’s head office and as a result the franchisee was told that involvement with de Poel is a matter of contract between the agency and one of its clients (a major logistic company) and in order to supply drivers they HAVE to submit the details to the database

They have been informed that due to this thread and therefore the possibility of drivers refusing to have their details entered on the database, thereby "reducing our available pool of drivers to ****** ( a major logistics company) "

They are to inform all new drivers that in order to process their timesheets they have to submit certain details to de Poel, with no mention of the add database.

The form drivers are to sign simply states they will let ******** (the agency) submit their details to de Poel.

They have no information sheets issued to them for giving to the prospective agency driver explaining the database, information held on it, or how they can view the information

This person has never been informed of any PIN system, and has certainly never supplied a driver with a PIN number :open_mouth:

The person who phoned me told me as far as he understood, all they had to do was supply the client with the name and drivers licence number/NI number of the driver they were intending to place with the client, and the client would use this to confirm whether the driver was acceptable to them!

I have sent an e-mail to this establishment, informing them that I do not give them permission to hold or procure personal DATA in my name. I would hope that they had by now accepted that I do not wish to participate in any part of this system, and as my e-mail has been delivered and I trust also perhaps read by de Poel personnel.
If this system were to be of any use it must have in its possession a very large DATA base and somehow I think that this will be not so feasible as may have been. If this post is showing the feelings of many of the possible DATA providers, then I do believe that the amount of DATA will be not the expected volume that might have been, before this information exchange through many persons involved asking questions and showing what many think of this ill judged venture, but that is only my personal opinion and the future will prove who is right,

,before this information exchange through many persons involved asking questions and showing what many think of this ill judged venture, but that is only my personal opinion and the future will prove who is right,

Unfortunately despite the undeniable popularity of this website :wink: :wink: :smiley: most drivers do not utilise the internet for their job or even in their leisure time to look up transport related issues, we can only hope to get discussion started amongst a minority of drivers,

However 2 major transport magazines are taking a strong interest in this thread, as well as other drivers organisations who are not internet based.

With their assistance and exposure in those magazines of this database hopefully many more drivers will question as to whether they wish to be on this database as it stands at present, and even if it does undertake changes to allay some of the fears/expressions of concern stated here whether even then they would be happy to be on it.

It is to the credit of at least one agency (1st class drivers) that they have stood up and stated they want nothing to do with this database, hopefully many others will follow. I know that I will not work for any agency that is registered with the add database unless major changes are made to it

Of the two agencies I have spoken to today about this issue, one has never heard of De Poel and the other has said they know of them but would have nothing to do with them as they gain contracts by undercutting rates and then insist the agencies do things in a way that makes it unprofitable unless the hourly rate is cut!!! I will not name the agencies as I have not asked for their permission, suffice to say they are National. Maybe it is just the small one man band agencies that use De Poel?

Thank you Rikki, for bringing this very important point to the forefront. We, that is everyone who disagrees with this system, should by word of mouth inform other members in our circle of our trade and employment that they must read and digest and make their own conclusions as to what they think of the proposal of the forming and building a DATABASE of information which is up and running and planned expansion in volume of DATA, which may or may not be completely 100% based on true and proved DATA, also with the many other options which may occur with this DATABASE. I find this system offensive and obnoxious, and my observations of the exchange of information have not proved to me that they are what I wish to be a part of !!!

we must tell as many truckers as possible, the best way to stop this is to say no

we are still in a strong position as agencies can’t get enough drivers 8 months of the year.

i think the quickest way of doing this is the tabloids, and others. one write-up in the sun or mirror, and half the battle is won

click on a link below, mention this thread, and post if you get a reply, if enough of us do it they will take notice.

mack
sorry if I’ve upset any other members, diplomats don’t have to get up at 3.30 am
:blush: :blush: :wink:

dailystarnewsdesk@dailystar.co.uk
news@the-sun.co.uk
letters@dailymail.co.uk
investigate@mirror.co.uk
mirrornews@mgn.co.uk
editorial@londonmetro.co.uk

I do a bit of agency driving and I’m following this thread because I’m greatly concerned that anyone other than a government office would wish to maintain a detailed record of my work history.

I’m very proud of the fact that I have a clean driving license, I accept and welcome the fact that the DVLA in conjunction with the law, monitor and record what I’m allowed to drive and how I drive it.

The image I’m forming, based upon the impression given by De Poel of itself, is that all De Poel seek to do is mimic what a potential employer should be able to deduce from my driving licence and following up any references I choose to give.

I fail to see a commercial market for this service given that any employer or agency with its wits about it could gain the same information for little effort and minimal cost.

If an agency needs confirmation that I’m experienced in Tipper work then it would ask for a reference from a company that I have done Tipper work for, if a potential employer was worried that I’d jump straight into their wagon and speed off up the road, bouncing off kerbs and knocking mirrors off parked cars then surely such behaviour would be reflected on the number of endorsements on my licence.

I’m a very cynical person by nature and please do not confuse that with being a pessimist, the more I hear about De Poel and more importantly, what I’m not hearing, the more cynical I’m becoming about this so called data base of agency drivers.

de Poel Director:

What information is stored on the system?
A- Upon Registration
  • Name
  • Address
  • Photograph
  • Drivers licence number
  • DOB
  • NI Number
  • Individual PIN (Chosen by driver)
  • Next of Kin (For use in case of emergency)
  • Contact phone numbers
  • CRB Check carried out (if required and signed for by driver)
  • Licences held
  • Experience gained i.e. rope and sheet, refrigeration unit etc
Upon start of each assignment
  • Details of any Manual handling training
  • Details of any client assessment
  • Drivers declaration re: hours worked

So, as and when someone manages to crack the security systems in place on the website they will be able to commit large scale identity theft? In fact, forget cracking the security, all it would take is for a criminally minded agency employee to access that site and away they go. Not good.

I’ll add my name to the list of TNT agency drivers who haven’t received any notification or request for my name and info to be added to the site.

Qhunter:
So, as and when someone manages to crack the security systems in place on the website they will be able to commit large scale identity theft?

You mean when they guess the imbecilical password that’ll be inevitably used…

I can imagine some twit from Driver Hire using Driver as the logon and Hire as the password. Seen it all too often before…