UK Members of Parliament (MPs) have come under fire this weekend for sharing their login details with staff members and interns, in apparent breach of the Data Protection Act (DPA) and Parliamentary guidelines.
Following the news that pornographic material was found on First Secretary of State Damien Green MP's work computer, fellow Conservative MP Nadine Dorries attempted to cast doubt on the material - should it exist - being in any way related to Green. 'My staff log onto my computer on my desk with my login everyday,' Dorries claimed via social media site Twitter. 'Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!'
Dorries' claims that the practice of password sharing was widespread was verified over the weekend by fellow MPs, including a supportive message by Nick Boles that 'I often forget my password and have to ask my staff what it is.'
The sharing of passwords, however, flies in the face of both the Data Protection Act and the Centre for the Protection of National Infrastructure's guidance (PDF warning), as well as the Parliamentary Network handbook (PDF warning) which clearly states that '[passwords] should not be disclosed to others.'
'On the face of it, Nadine Dorries is admitting to breaching basic data protection laws, [and not] making sure her constituents' emails and correspondence is kept confidential and secure. She should not be sharing her log in with interns,' said the Open Rights Group's Jim Killock of the news. 'More worryingly, it appears this practices of MPs sharing their log ins may be rather widespread. If so, we need to know. We are urging MPs staff and former staff to get in touch with us if they have knowledge about insecure data practices in MPs’ offices. Once we know more, we will consider complaining to the Information Commissioner and Parliamentary authorities.'
Both the Parliamentary ICT Security division and the Information Commissioner's Office (ICO) have excoriated the practice of sharing passwords in separate communications to MPs. In an email from the Parliamentary ICT Security arm, shared in part to Twitter, MPs are told 'Parliament's ICT Security Policy, which we all agree to comply with as a condition of using parliamentary digital services, clearly states: "Passwords must be considered as confidential and must be used only by the originator (and so not shared with other users)." If you share your password, or login as anyone other than yourself, you are in breach of this policy.'
ICO, meanwhile confirmed - again via Twitter - that the sharing of passwords is potentially in breach of the Data Protection Act, which calls for adequate safeguards for the protection of personally identifiable information. 'We're aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities,' the watchdog has stated. 'We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.'
None of the MPs who very publicly confessed to being in breach of the DPA and Parliament's ICT Security Policy have come forward to argue the toss with either group.
March 25 2020 | 14:00