This week, an MP brazenly told the internet that she gleefully shares her government computer login details with her staff – to which much of the internet responded ‘wtf?!’. Here, Annie Heath, Digital Product Manager of the Digital First Team at Brighton & Hove City Council, expands on the general feeling of disbelief in public sector IT.
Nadine Dorries MP tweeted recently to inform us all that knowing who was logged in to a PC does not in any way prove who was using it. If someone is sending emails from their personal account and in between viewing and downloading porn, it could be ANY of the staff or interns allowed to use the username and password!
Other MPs replied, backing her comments up, as if it was us who were ridiculous to be horrified at this, rather than them being horrified as they realised they just proved exactly why data protection laws exist.
Doesn’t it just beggar belief? I was both flabbergasted and furious, and it would appear from the likes and RTs of my response that I was far from alone.
I'm both flabbergasted and furious at this. The fear localgov has, the hoops we have to jump through and central gov, who want us to modernise with one hand tied behind our back , have got MPs sharing logins
— Annie Heath (@Annie3H) December 2, 2017
I work in the digital transformation team at Brighton & Hove City Council. Our product releases must meet strict criteria to get approved because the Information Governance team have to make sure we meet all the legislation requirements.
Does it meet ISO27001? How will you keep passwords safe? Where is the server based? Who will have access? How sensitive is the data? Is the browser locked down? Plus, we now have to adapt to the changes coming with the GDPR: we have less resources, more cuts to council funding, less time for Data Privacy Impact Assessment meetings and more demand to have them.
We can’t go full steam ahead with our truly transformative projects as we have to divert resources to reworking existing customer forms and functionality to be GDPR compliant. And who demands that we modernise and reduce duplication with less staff whilst stymying that work with restrictive legislation and the threat of massive fines? Parliament, ultimately. And where is it apparently fine to just share your personal login with all your staff? Parliament!
This shocking security set-up cannot be a surprise to IT professionals in Westminster. Are MPs above the laws and legislation that they themselves pass? Does the set up at Westminster mean that security professionals don’t feel they have the necessary authority and oversight to clamp down on this?
And whilst we are on security, or the lack of it in central and local government, do they not have web filtering security like Bluecoat in Parliament? Gmail is apparently too much of a threat to allow access to in local government; I can’t browse online at Pepperberry at lunchtime (because – for shame! – they also sell “intimate apparel”) but anyone who has anyone else’s login can access anything on the internet of an MP’s computer in Parliament?
If we were to share our login with someone here it would be a disciplinary matter. If an MP does it, she boasts about it on Twitter. We are at two extremes of the spectrum: one shut down too much; one too little. The lawmakers clearly have no idea of the reality of our day to day experience and how much we are slowed down by data security requirements.
It is time, surely, to look at the legislation again and find a middle ground that works well for all.