Information Commissioner’s Office warns MPs of dangers of sharing passwords
Several Conservative parliamentarians appeared to suggest that they let members of their staff log into their computers or email accounts - something that could mean they have fallen foul of data protection laws
A privacy watchdog has warned MPs not to share their computer login details or email inbox passwords with anyone after several parliamentarians made comments suggesting that they allow their staff this access.
The Information Commissioner’s Office (ICO) said in a statement: “We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities.
“We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
Conservative MPs Nadine Dorries, Crispin Blunt and Nick Boles all appeared to suggest that they let members of their staff log into their computers or email accounts in order to deal with high volumes of constituency casework and other inquiries.
This has sparked horror among cybersecurity professionals, who highlighted superior ways of allowing collaborative working, including using forwarding services or having multiple accounts with different passwords but access to the same folders.
The current edition of the handbook for parliamentary staff stipulates that they should not share passwords, but it is not clear if this applies to MPs themselves.
Some commentators have suggested that those who do not adhere to proper cybersecurity practices could leave themselves vulnerable to punishment under the Data Protection Act or the General Data Protection Regulation, another piece of privacy legislation that is set to come into force next year.
The row erupted after a retired police officer claimed large amounts of legal pornography was found on a computer in the parliamentary office of Damian Green, Theresa May’s de facto deputy, nine years ago. Green denies the accusation but has faced calls for his resignation.
Ethar Alali, director of IT firm Axelisys, said: "GDPR and the ICO are especially clear and unambiguous on the matter. An MP is considered a data controller. No exceptions. This, in turn, means they are mandated by law to…protect constituency information the same way lawyers and doctors are. This places these MPs concerned at substantial risk of breach. Indeed, for all we know a breach could have already occurred.”