| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | To make this huge amount of information digestible, the first sheet details only the most critical points and summarised the rest. CRITICAL items are detailed on the first sheet. SERIOUS items are summarised here, and detailed on subsequent sheets. SIGNIFICANT items are summarised only. We can produce supporting evidence if necessary. The whole thing in a paragraph: Adam Myers has deliberately subverted Failbetter's DSAR response mechanisms to pursue his personal grudge against LB and AK. As a result Failbetter's responses have repeatedly and fatally failed to comply with the GDPR and the process has been hopelessly tainted. Adam Myers must completely recuse himself from all deliberations and processes re: Failbetter's data protection obligations to us. Failbetter must make use of a third-party DSAR compliance service to revisit all our GDPR requests to date with the ICO's findings in mind. | ||||||||||||||||||||||||||||
2 | CATEGORY | LABEL | DETAILS | OUR ASK | NOTES | NOTES | |||||||||||||||||||||||
3 | ICO_C | Unaddressed complaint upheld by ICO | Child's image used without authorisation | In 2013, I was creative lead on a video game, Sunless Sea, made by my then employer, Failbetter Games. My mother asked for my daughter's (her granddaughter's) image to be included in the game as part of a promotional offer. I agreed, and I managed its inclusion as a digital art piece, in an accurate and respectful way. In 2021, I am in dispute with Failbetter Games, who have posted offensive and untrue statements about me and my family online. I made a data deletion request to Failbetter Games to have my daughter's image removed from the game, because I and my family found it distressing to have the company continue to profit from her image while posting this kind of material about us online. My daughter is twelve years old, but to the extent that I feel comfortable discussing this matter with her, I'm confident she understands and agrees. The request was also made with the knowledge and consent of my daughter's mother and grandmother (as above, her grandmother originally asked for the image to be included.) Failbetter Games Ltd have refused to delete my daughter's image. Instead, they have responded by (i) making further, and even more insulting, statements about me, including claims that I habitually pursue a sexual interest in children (ii) by sending the attached lawyer's letter refusing to have my daughter's image removed. The letter contains several statements which appear to be knowingly false. I've outlined these in the response to the data controller, which I will send immediately after submitting this complaint: https://docs.google.com/document/d/17uZGEJIZaiqpa2siKqI3O3TfxQshkl8z_aU2WgfOljo/edit I understand that normally I would make an additional complaint to the data controller before escalating to the ICO, but I and my family find it very difficult to keep communications open with them in these circumstances, and the data controller is clearly not engaging with us. All we want is for my daughter's image to be removed from their game." | "Delete my daughter's image from their game and marketing materials and provide evidence of the deletion." | The ICO requested, and received signed authorisation from [my daughter] (since she's now 12) before upholding the complaint. See also Appx B: Likeness Discussion | |||||||||||||||||||||||
4 | ICO_D | Unaddressed complaint upheld by ICO | False information provided by Adam Myers in response to DSAR | My partner and I had previously made a DSAR to Failbetter Games. The response was incomplete and inaccurate, so we sent a follow-up mail (A). In particular, in the follow-up mail, we pointed out that our names had been removed from blog posts written while we were at Failbetter Games, and attributed to the company instead. The follow-up highlighted two posts in particular which contained particularly personal data - a photograph of my leg and a discussion of my creative responses to my father's death. We asked for an explanation of the changes and for a transcript of any blog posts that contained our personal data. In their reply (B), Failbetter claimed: "You were not identified as the author of posts because all Wordpress posts must be associated with an account and, when employees leave, we remove their Wordpress accounts. In order for blog posts by departing employees to remain available, they are therefore associated with a general Failbetter account. " We later determined that this claim was false, and pointed it out in a subsequent DSAR asking for attribution on these two blog posts to be restored (C). Failbetter responded, through lawyers, refusing to reattribute the blog posts but offering to delete two of them. (D) They didn't address the false information they provided in the earlier message, however. I sent one more message - https://bit.ly/3bQAHf5 - asking them to address the matter. They haven't responded, so I'm now escalating to you. | "I would like the organisation to acknowledge that the information provided was false, and to provide a true and accurate explanation of how and why the personal blog posts were re-attributed. I have reasonable concerns that the re-attribution was an intentional and malicious act." | ||||||||||||||||||||||||
5 | ICO_E | Unaddressed complaint upheld by ICO | Data breach: personal data either used by Adam Myers to send us threatening emails, or passed by Adam Myers to a third party who so used it. | "On 4th October 2021, Lottie Bevan and I made a DSAR (item A, attached) to Failbetter Games Ltd for any messages or other data created, sent or shared about a previous DSAR followup between Friday 12th June 2020 10:11 GMT and Monday 15th June 2020 05:02 GMT. The significance of this period, as we explained in subsequent correspondence with Failbetter Games Ltd and their lawyers, is that on 15th June 2020 at 05:02 GMT we both began to receive anonymous, threatening, violent, sexualized emails (item B, attached). These emails included clear references to information in our DSAR follow-up message. Failbetter Games responded to the DSAR by asserting (item B, attached) that the data had not been disclosed externally, and that only one message (which they supplied) had been created in reference to that data, and that sent only internally. We pointed out (https://docs.google.com/document/d/1GqZzaYdH7HpWPg35PV6SK3S4vWRwU2-mCqrzoPZpLpU/edit) that in this case there must have been a data breach, as a result of which our personal and sensitive data was used by a third party to send us these threatening emails. We asked that Failbetter Games Ltd notify us of that breach and provide the appropriate information re: resolution and mitigation. We asked for a response inside one week. We haven't received a response, so we're escalating the complaint to the ICO." | "The organisation should provide us with details of the breach and how it occurred. We'd also like to know the measures they've taken - and the measures they'll take - to deal with the breach, and to mitigate adverse effects. We would also like confirmation that they have so informed the ICO." | ||||||||||||||||||||||||
6 | ICO_Y | Unaddressed complaint upheld by ICO | Adam Myers published Lottie Bevan's personal and sensitive information in a blog post without her permission, and additionally published false information that purported to be her actual personal data. | "Alexis Kennedy and I both requested personal data from a former employer, Failbetter Games Ltd. We're dissatisfied with their response to our request and have submitted a complaint, but I would like to make an additional complaint about the handling of my personal data. In September 2019, Adam Myers, the CEO of Failbetter Games Ltd, published a blog attacking both me and Alexis. To support his attack, he included purported information about my HR records, and my personal and sexual life. Some of this information was false. The rest of it was used without my knowledge or permission. In the post, he said: "Sometimes I’ll refer, with permission, to Failbetter’s records. But I’m not speaking for or on behalf of Failbetter." In the course of our DSAR, I raised this point with Adam, who is handling the DSAR responses from Failbetter. I pointed out that this was an unnotified breach, and asked him to explain. I didn't find his response satisfactory, so I'm referring it to you." | The ICO upheld the complaint in which Lottie said that her complaints could be addressed as follows: "Remove my data from the web. Inform me of any other data breaches I'm unaware of. Take steps to ensure there are no further breaches, and describe those steps." Counsel advised us that Failbetter might reasonably say that the confidential data is out in the wild now; that they addressed our complaint, though not to our satisfaction; that there's nothing more to be done. If that's the case (and perhaps if it isn't) can we address a claim against Adam Myers directly? | ||||||||||||||||||||||||
7 | ICO_Z | Unaddressed complaint upheld by ICO, resolved to ICO's satisfaction | Adam Myers refused to provide copy of supposed contract or explain its absence. | "I'm in a dispute with a company, Failbetter Games Ltd, of which I was formerly a director. The company claims that I agreed and signed a severance contract whose terms would affect that dispute. I am reasonably confident I didn't. The company won't provide a copy of the executed contract but also won't acknowledge that it might not exist. We've made four requests for the data, over a seven-week period." | Acknowledge that the contract was never executed, or explain why no copy can be located. (Failbetter is legally required to keep a copy of a final share buyback contract available for inspection under the Companies Act 702 (3)) | Failbetter have repeatedly tried to fob us off with an unsigned draft Word document which contains unaddressed change requests. The ICO upheld the complaint and was satisfied that Failbetter later complied with its GDPR obligations by acknowledging that no executed final copy of the contract could be located. | |||||||||||||||||||||||
8 | N/A | [Other ICO requests] | For context, we've made eight complaints about Failbetter to the ICO in all. Five (above) were upheld. Two more (referenced elsewhere as ICO_A and ICO_B) form part of our complaint about Adam's Medium post in ICO_Y - we understand the ICO to have upheld them, but they weren't specifically referenced in the ICO's email to Failbetter. One (referenced elsewhere as ICO_X) was not addressed by the ICO because we'd waited more than three months to pursue it. The ICO has rejected none of our eight complaints on any other grounds than timeliness, although Adam constantly tries to characterise our requests as vexatious and unreasonable. | According to the ICO's investigations, Failbetter has repeatedly failed to meet its obligations under the GDPR. They should acknowledge this failure and (i) commit to addressing outstanding and future requests with appropriate diligence (ii) stop trying to paint our requests (including those upheld by the ICO) as vexatious (iii) pay appropriate compensation | Adam Myers, 13th July 2020: "We will be more than happy to explain our position to the ICO and to fully cooperate with any enquiries it makes" "We think it is important to put on record that we have not committed a criminal offence under section 173 of the Data Protection Act 2018. Where we have not provided you with access to personal data, this is because, for the various reasons we have indicated, it is not personal data you are entitled to receive under the GDPR." | ||||||||||||||||||||||||
9 | AM_1 | Adam Myers' compromised status | Unsatisfactory GDPR responses have all been through Adam Myers, despite a clear and overwhelming conflict of interest. | We've made all these requests to Failbetter. Adam Myers has replied personally to every email from us - GDPR and otherwise - over the last two years (until we started getting emails via Wiggin). No-one else at Failbetter has ever responded. This although we have - cc:ed other directors; - mailed the public / support email addresses for the company; - in Lottie's case, specifically asked for him to stop emailing her in isolation because his personal involvement (particularly ICO_Y above) makes her uncomfortable. -- We complained about Adam Myers' misuse of Lottie's and my data in his personal medium post in our DSAR follow-up of 12th June 2020. The email response to this was a PDF sent from adam@failbettergames.com but signed 'Failbetter Games'. The PDF purported to be a statement by the board of directors about, among other things, Adam Myers' use of our data, but it was clearly written by Adam himself. Sometimes he slips up and makes this explicit. In the following excerpts, Adam explains that - he is the author of the Medium which used our data; - he gave permission to the author of the Medium post to use our data; - he is not the controller of the data in the Medium post. p.5, "I described some of these in the Medium article to which you alluded." p.17, "The author decided to write a piece on Alexis’s behaviour in order to refute his assertions and to support the women who had come forward to challenge his behaviour. The author asked us to provide some limited information to provide a factual evidence base for the points in the article. " p.18, "You have requested all the personal data referenced in the article. We are not the controller of personal data referenced in the article, but we can point out that the limited and redacted personal data we disclosed for the purposes of the article are contained within the article and readily available to you here – https://medium.com/@wastebooks/alexis-kennedy-71044efc0ecf. -- In this and several other cases detailed here, Adam Myers is making decisions about whether Failbetter should divulge information that would be disadvantageous to Adam Myers. He claims to be acting as the company when that's to his advantage, and to be acting personally when he needs the company not to be implicated. | Adam must completely recuse himself from all deliberations and processes re: Failbetter's data protection obligations to us. Failbetter must make use of a third-party DSAR compliance service to revisit all our GDPR requests to date with the ICO's findings in mind. | ||||||||||||||||||||||||
10 | AM_1 | Adam Myers' compromised status cont. | Additional | Adam appears to have purchased shares in Failbetter at a low price from AK's (elderly war widow) mother, while finance director of the company, without declaring a conflict of interest. There is also a question mark over his apparent unsanctioned appropriation of AK's shares at the time of AK's departure. | In 20201 AK's mother emailed Paul Arendt, the most senior director at Failbetter Games, specifically raising this as a concern. She never heard back from anyone. | ||||||||||||||||||||||||
11 | |||||||||||||||||||||||||||||
12 | W_ | Data intentionally withheld | Adam has repeatedly refused to provide data, often claiming 'reasonable and proportionate' limits on effort, even when it's more effort to withhold the data than to provide it. Overwhelmingly this happens when it would be to Failbetter's disadvantage to provide the data, and usually when it's specifically to Adam's disadvantage. e.g. W_1: Adam will not provide details of his claims of unethical behaviour by AK and implied unethical behaviour by LB, despite repeated requests by us and claims of evidence by him. He provides as rationale for this refusal further claims of unethical behaviour, of which he then again refuses to provide any details. e.g. W_3: our 2020 DSAR unearthed PowerPoint presentations from nine different talks AK had given over the years, but the content had been removed from all nine, leaving only images of the final slide with AK's name and Twitter account. The material removed includes biographical data, and photographs of us both. This is bizarre and must have taken some effort, but makes sense in terms of a larger effort to remove AK's and LB's credits and attributions from games and other material. The material also conflicts with the narrative in Adam's Medium post. e.g. W_4: Failbetter agreed to make a charity donation of monies owed to AK. Failbetter failed to make the donation and Adam now claims the debt was an accounting error, but refuses to explain. e.g. W_5: there is an unaccountable gap in the emails provided from Adam Myers' correspondence with Alexis Kennedy. Some of these missing emails are available from other sources, and suggest errors and misconduct on Adam's part. | [supports AM_1] | Contrary to FBG's claims that AK/LB weren't entitled to much of their personal data because it was shared with third parties and could be used to identify third parties even if redacted, FBG also shared a number of totally unredacted photos of people, including a woman AK had supposedly abused. See 'U4' in 'Consistently unsatisfactory response' tab | ||||||||||||||||||||||||
13 | F_ | False information provided | Adam has in some cases provided verifiably false information. Again overwhelmingly this happens when it would be to Failbetter's disadvantage to provide correct data, and usually when it would be specifically to Adam's disadvantage. e.g. F_1: in our June 2020 DSAR follow-up, we gave an example of a document that Adam had provided. Adam responded by falsely claiming that AK had "improperly granted himself access to this and other documents from his own personal Google accounts", and accused him of criminal behaviour. However the document in question was created and shared with AK in 2009 by another director (Paul Arendt), and remains available to AK now, two years later, despite our explicit request that his access be removed. eg ICO_D: above, as a complaint upheld by the ICO. | [supports AM_1] | |||||||||||||||||||||||||
14 | M_ | Malicious responses | In many cases, Adam has refused to provide any of the information we want, citing his need to carry out only 'reasonable and proportionate' searches, strict tests on what constitutes our personal data, and the need to protect the rights and freedoms of other individuals and organisations. However in three cases he has ignored all these tests while providing information we had no interest in and hadn't specifically asked for. In all these cases, the clear intention is to use this information to distress or intimidate us. e.g M_3: 98 screenshots of messages from the company's Discord, insulting / defaming AK/LB. We did not ask for this and a sampling would have sufficed. In contrast, LB received just 2 emails from her over 2 years of employment at FBG as her personal data. | [supports AM_1] | |||||||||||||||||||||||||
15 | U_ | Consistently unsatisfactory response | We pointed out examples in our June 2020 where Adam simply failed in due diligence in disclosing data - where it was probably an honest accident, but he has responded aggressively and refused to revisit the issue. e.g. U_1: the May 2020 DSAR response didn't include AK's shareholder dividend vouchers. We pointed this out and asked Adam to revisit that and related data. Adam responded with several paragraphs asserting that Failbetter didn't process that data and explaining why. AK later provided a Dropbox link to a folder with his dividend vouchers, on Failbetter's systems. After two more months, Wiggin responded on Adam's behalf with a less than convincing explanation, asserted again that the search had been reasonable and proportionate and that the request had been vexatious. e.g. U_4: Adam disclosed photographs of AK and LB kept by Failbetter. Many of these photographs included other Failbetter employees in a clear and identifiable way. No attempt at redaction was made. LB specifically asked Adam about the status of this data and these images. He ignored the question in his reply. Of note: these included totally unredacted photos of literally every woman who had been employed by Failbetter to that point, past and present, without apparently asking the consent of any of these women. We repeat that Adam has claimed repeatedly and vociferously that AK is an 'abuser' of women. e.g. F_1 above. The repeated pattern is that Adam asserts that all data has been provided. We point out specific data that hasn't been provided, as evidence that some parts are missing. He insists that the data in question has been provided. We provide proof. He then characterises the data as trivial, or occasionally accuses us of improper access to sensitive data. | [supports AM_1] | |||||||||||||||||||||||||
16 | U_ | Consistently unsatisfactory response cont. | Additional | Another repeated pattern from all the above is this. In a dozen or more cases, the justifications for Adam's decisions are much lengthier than the actual data disclosed. | [supports AM_1] | ||||||||||||||||||||||||
17 | |||||||||||||||||||||||||||||
18 | N/A | Data breach concerns | In at least three other instances, AK's personal data was leaked or misused after he left the company in 2016: B_1 In 2022, two debt collection agencies pursuing Failbetter for unpaid debts to HMRC started messaging AK's personal mobile. (Failbetter later acknowledged responsibility and paid the debt.) B_2 In 2019, a Twitter account belonging to AK was either hacked *or* transferred to Failbetter after they made false representations to Twitter - it's still not clear which. B_3 In 2017 and 2018, AK was pursued by Amazon for unpaid debts to Amazon Web Services. (Failbetter later acknowledged responsibility and paid the debt.) None of these were serious, although B_1 was briefly distressing, but taken as a whole they suggest poor stewardship of sensitive data, especially since Failbetter insisted on retaining copies of both LB's and AK's passports. | [supports AM_1] | |||||||||||||||||||||||||
19 | N/A | Unprofessional, aggressive, inappropriate tone | Adam has fought us every step of the way. All DSAR requests are fulfilled or, more often, refused at the last legally plausible moment, exactly 28 days after we make them. Latterly, Adam has spent considerable resources on high-end lawyer responses even to very reasonable GDPR requests. The tone has to be read to be believed. It's sarcastic and aggressive, shrouded in expensive and inaccessible case law arguments, and repeatedly makes weird, irrelevant accusations about AK in particular ("tweeting menacing poetry at our narrative director", "publicly outing a prominent industry writer in 2019 as polyamorous"). Alone this would be trivial, but it dovetails with all the other evidence of bad faith and is contemptuous of the spirit and letter of the GDPR. Appx C compares Failbetter's responses with the responses of the twenty-four other organisations to which we made DSARs. | [supports AM_1] | |||||||||||||||||||||||||
20 | |||||||||||||||||||||||||||||
21 | |||||||||||||||||||||||||||||
22 | |||||||||||||||||||||||||||||
23 | |||||||||||||||||||||||||||||
24 | |||||||||||||||||||||||||||||
25 | |||||||||||||||||||||||||||||
26 | |||||||||||||||||||||||||||||
27 | |||||||||||||||||||||||||||||
28 | |||||||||||||||||||||||||||||
29 | |||||||||||||||||||||||||||||
30 | |||||||||||||||||||||||||||||
31 | |||||||||||||||||||||||||||||
32 | |||||||||||||||||||||||||||||
33 | |||||||||||||||||||||||||||||
34 | |||||||||||||||||||||||||||||
35 | |||||||||||||||||||||||||||||
36 | |||||||||||||||||||||||||||||
37 | |||||||||||||||||||||||||||||
38 | |||||||||||||||||||||||||||||
39 | |||||||||||||||||||||||||||||
40 | |||||||||||||||||||||||||||||
41 | |||||||||||||||||||||||||||||
42 | |||||||||||||||||||||||||||||
43 | |||||||||||||||||||||||||||||
44 | |||||||||||||||||||||||||||||
45 | |||||||||||||||||||||||||||||
46 | |||||||||||||||||||||||||||||
47 | |||||||||||||||||||||||||||||
48 | |||||||||||||||||||||||||||||
49 | |||||||||||||||||||||||||||||
50 | |||||||||||||||||||||||||||||
51 | |||||||||||||||||||||||||||||
52 | |||||||||||||||||||||||||||||
53 | |||||||||||||||||||||||||||||
54 | |||||||||||||||||||||||||||||
55 | |||||||||||||||||||||||||||||
56 | |||||||||||||||||||||||||||||
57 | |||||||||||||||||||||||||||||
58 | |||||||||||||||||||||||||||||
59 | |||||||||||||||||||||||||||||
60 | |||||||||||||||||||||||||||||
61 | |||||||||||||||||||||||||||||
62 | |||||||||||||||||||||||||||||
63 | |||||||||||||||||||||||||||||
64 | |||||||||||||||||||||||||||||
65 | |||||||||||||||||||||||||||||
66 | |||||||||||||||||||||||||||||
67 | |||||||||||||||||||||||||||||
68 | |||||||||||||||||||||||||||||
69 | |||||||||||||||||||||||||||||
70 | |||||||||||||||||||||||||||||
71 | |||||||||||||||||||||||||||||
72 | |||||||||||||||||||||||||||||
73 | |||||||||||||||||||||||||||||
74 | |||||||||||||||||||||||||||||
75 | |||||||||||||||||||||||||||||
76 | |||||||||||||||||||||||||||||
77 | |||||||||||||||||||||||||||||
78 | |||||||||||||||||||||||||||||
79 | |||||||||||||||||||||||||||||
80 | |||||||||||||||||||||||||||||
81 | |||||||||||||||||||||||||||||
82 | |||||||||||||||||||||||||||||
83 | |||||||||||||||||||||||||||||
84 | |||||||||||||||||||||||||||||
85 | |||||||||||||||||||||||||||||
86 | |||||||||||||||||||||||||||||
87 | |||||||||||||||||||||||||||||
88 | |||||||||||||||||||||||||||||
89 | |||||||||||||||||||||||||||||
90 | |||||||||||||||||||||||||||||
91 | |||||||||||||||||||||||||||||
92 | |||||||||||||||||||||||||||||
93 | |||||||||||||||||||||||||||||
94 | |||||||||||||||||||||||||||||
95 | |||||||||||||||||||||||||||||
96 | |||||||||||||||||||||||||||||
97 | |||||||||||||||||||||||||||||
98 | |||||||||||||||||||||||||||||
99 | |||||||||||||||||||||||||||||
100 | |||||||||||||||||||||||||||||