Nadine Dorries MP and Crispin Blunt MP leapt to the defence of Damian Green this weekend, saying he may not have been watching porn, on the basis that staff and even interns use their personal logins to access their email and do their work in Parliament.
On Friday on Channel 4 News, Mr Blunt explained that:
“My staff have access to my computer, because if an email needs to be sent out in my name from my account they need to be able to do that because much of the time one is away from the office. I imagine most of my colleagues do operate in that way because we don’t live a life where we are actually able to spend lots of time sitting in our office browsing our computers. Parliamentary life simply isn’t like that and it certainly is not like that for leaders of shadow ministerial teams or ministers plainly.”
On Sunday, Ms Dorries stated that:
“My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!”
Just one problem, Mr Blunt and Ms Dorries: that’s probably a breach of data protection law.
While sharing their login appears to be commonplace for Blunt and Dorries, and unremarkable enough that they feel it is uncontentious and unproblematic to advertise this behaviour, this may not be the view of many constituents who have emailed them in confidence to explain traumatic personal situations, or perhaps to expose corruption or malpractice.
Once using Nadine Dorries’ computer, her interns can of course read this correspondence. These are temporary staff with potentially little loyalty to her. They could be open to temptation, or gossip about what they have read. A constituent may simply feel that they did not want their personal trauma read about by a temp.
Of course MPs’ emails will need to be shared with key staff, who are trained and contractually allowed to see confidential material. There are mechanisms like shared inboxes that allow this to happen without further sharing taking place.
Data protection law is pretty clear about confidentiality and data security. You’re meant to do it. You share information you need to share, and you don’t share what you don’t need to. What you don’t do is leave all the doors open and hope for the best.
This ought not to be news to anyone. That’s maybe what is so shocking: here are MPs, who are currently legislating for our privacy and security, allegedly behaving as if the law does not apply to them; and endangering the people who vote for them in the process.
Here’s the guidance for MPs’ staff. It doesn’t apply to MPs, as they have to decide for themselves how to apply the law. It includes an instruction that:
5.8 You must not: … Share your password
A login or password, we should remember, also allows a user to get into other accounts and services that the computer normally has access to, or has stored passwords for. Other security breaches could follow, leading to embarrassment or worse for an MP. From any angle it is a bad idea, which is why you, dear reader, are not allowed to do it at work.
If you have experienced bad data practices in Parliament, please get in touch. We will forward information to the Parliamentary Standards Authority (IPSA) and the Information Commissioner.
Jim Killock is the executive director of the Open Rights Group