Damian Green: Stuck Between a Rock and a GDPR Hard Place
It's been a turbulent few weeks for Conservative MP Damian Green. He faces accusations of sexual misconduct towards a young Tory activist, which triggered an enquiry by Theresa May into his conduct and the allegations. This week, further allegations surfaced from retired Police Detective Neil Lewis, alleging that Damian Green had pornographic material on his office computer.
As if last week's leaks surrounding Damian Green's alleged digital pornography content weren't enough, he went on to claim that he didn't put that material on the computer. Some MPs corroborated his story, including Nadine Dorries, Member of Parliament for Mid Bedfordshire, who stated that her staff use her login to access her emails (https://twitter.com/NadineDorries/status/937019367572803590).
"My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!"
Yet this has the potential to put MPs in breach of the upcoming General Data Protection Regulation, otherwise known as GDPR, which the UK is in the midst of transitioning to. Experts in data protection were less than impressed.
"I literally couldn't believe my eyes when I saw the tweet. I nearly ruined a perfectly good keyboard by spilling my coffee all over it as my hands made their way to my head," exclaimed Ethar Alali, Director of Axelisys, an ICO-registered company.
"MPs have access to very sensitive information about constituents. MPs are Data Controllers by default. MP consultations are conducted privately and both the Data Protection Act '98 and the newer GDPR mandate that MPs protect confidential and sensitive personal information obtained relating to those consultations. Consent must always be sought to discuss the information in a public forum like the two Parliamentary Houses.
"One thing you cannot do is provide your login details to any other member of staff. Indeed, Parliament published guidelines on the Data Protection Act to protect information. Page 23, point 5.2.2, clearly requires MPs to employ access controls to control access to information, password protect files saved on portable storage devices, encrypt laptops and memory sticks and, crucially, not share passwords! That latter point has to have happened to allow access to the machine. Every user can be given completely segregated credentials, something the private sector has been doing for over 30 years, from the days of mainframe systems. There literally is no excuse for it."
Ethar goes on to open the Parliamentary guidelines [https://www.parliament.uk/documents/upload/advice-for-members-offices.pdf] and points to a section of advice on page 23, tapping his monitor twice.
"The tacit admission by Nadine Dorries that her staff have access to her login, which requires the sharing of passwords, does not make the situation any better for either MP. The fact that Ms Dorries' parliamentary office has a policy of open access to all staff is damaging and impossible to reconcile. Regardless of the position of Mr Lewis' disclosure about Green, both Green and Dorries are in unambiguous breach of the UK's transitioning data protection legislation.
"GDPR and the ICO are especially clear and unambiguous on the matter. An MP is considered a Data Controller. No exceptions. This, in turn, means they are mandated by law to ensure and protect constituency information the same way lawyers and doctors are. This places the MPs concerned at substantial risk of breach. Indeed, for all we know, a breach could have already occurred."
With fines of up to €20 million, Damian Green appears to have jumped out of the frying pan and straight into the fire. Ethar explains that it is easy to find a GDPR consultant to help, or even to seek the help of the ICO directly.
"The irony is that all they had to do was ask the ICO. As data controllers like us, they have access to a lot of support. Which makes this even more perplexing. It's free. The ICO even publish their own guidance on this specific issue (https://ico.org.uk/for-organisations/political/). Of course, MPs can also ask ICO-registered consultancies to help evaluate their GDPR readiness. This doesn't take long and can easily identify both technical and procedural risks."
Procuring services from suppliers on the UK Government's Digital Outcomes and Specialists framework (DOS2 for short) is easier than ever. Axelisys successfully joined the framework in late 2016. Ethar considers there to be no excuse.
"MPs cannot afford to gamble with such sensitive information. Yet their access to Crown Commercial Service suppliers has never been easier. Our elected representatives really should not be risking our data, nor casually admitting they are in breach of data protection legislation on such a public forum as Twitter. All in, I consider the intense focus on Mr Lewis to be at least partially misplaced. There is clearly a much wider problem here that some MPs appear oblivious to. Data controllers should definitely deal with it."
This has the potential to turn into a much wider scandal. With foreign hackers and bots currently in the spotlight, the National Cyber Security Centre has a big enough job dealing with external influences without the additional overhead of having to manage domestic MPs. This matters all the more if a data breach or harvest has already happened: the information is then out on the web somewhere and there is no getting it back.
Citizens can only hope UK ministers improve their data protection practice. Only time will tell if that becomes the case.