A Tory MP accidentally announces a ‘chronic security breach’ in her office…over Twitter

Conservative MP Nadine Dorries attempted to defend a beleaguered colleague on Twitter. But in doing so, accidentally revealed a chronic security breach in her own office.

Foot-in-mouth disease

Nadine Dorries is a bestselling author, and the Conservative MP for Mid Bedfordshire. On Saturday 2 December, she posted a tweet in a ham-fisted attempt to defend Conservative frontbencher Damian Green. The First Secretary of State risks losing his cabinet position over allegations of watching porn at work.

Attempting to argue someone else may have downloaded the images on Green’s computer, Dorries tweeted:

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

— Rt Hon Nadine Dorries (@NadineDorries) December 2, 2017

And fellow Conservative MP Nick Boles admitted he does the same thing.

BBC Technology Editor Rory Cellan-Jones and others were quick to point out that this could constitute a breach of data protection laws.

https://t.co/EkgFycLVAe Here are the data protection rules for HofC staff –
5.8 You MUST NOT:
– share your password.

But that's staff not MPs…

— Rory Cellan-Jones (@ruskin147) December 3, 2017

As above – this would be a sackable offence in any normal organisation, for exactly this reason.
How could you determine the source of a breach if 8 people are using the same login?
Do MPs operate on a different planet?https://t.co/pR6J0zXyQD

— tony nog (@tony_nog) December 2, 2017

Jim Killock, of the Open Rights campaign group, told the BBC:

On the face of it, Nadine Dorries is admitting to breaching basic data protection laws, making sure her constituents’ emails and correspondence is kept confidential and secure. She should not be sharing her login with interns.

More worryingly, it appears this practice of MPs sharing their logins may be rather widespread. If so, we need to know.

Despite this widespread concern, Dorries chose to hit back at critics rather than change her practices.

You don’t have a team of 4-6 staff answering the 300 emails you receive every day

— Rt Hon Nadine Dorries (@NadineDorries) December 2, 2017

I’m not the Gov. I’m an MP with a computer in a shared office upon which lives an email account. That’s as exciting as my computer gets

— Rt Hon Nadine Dorries (@NadineDorries) December 3, 2017

The experts say…

On Monday 4 December, the Information Commissioner’s Office (ICO) weighed in on the issue. The ICO warned MPs of their obligations under the Data Protection Act.

We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure. https://t.co/FLPeP8M7c8

— ICO – Information Commissioner's Office (@ICOnews) December 4, 2017

According to the ICO:

The Data Protection Act says that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

• design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
• be clear about who in your organisation is responsible for ensuring information security;
• make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
• be ready to respond to any breach of security swiftly and effectively.

While Dorries may argue that her office is too busy to uphold the Data Protection Act, a hectic schedule is no defence under the law.

Get Involved!

– If you are in the Mid Bedfordshire constituency, you can report your concern to the ICO here.

Featured image via YouTube screengrab/Pixabay