Briefing note for Members’ Office Managers from the Cybersecurity Team 8/2/23


Please note that links to the old Parliamentary intranet have been removed as of October 2023. Please use search on ParliNet to find relevant current details, if available.

https://parlinet.parliament.uk/house-of-commons-members-staff/

Please note that you will need to have a Parliamentary Network Account in order to access some of the links on this page.

Last week the Speakers of both houses sent notices to members regarding spear-phishing attempts.

You may have seen in the news today that MP Stewart McDonald has been subject to a cyber attack on his personal emails.

In the media: SNP MP Stewart McDonald’s emails hacked by Russian group – BBC News

The source of the attack is thought to be a Russian-based group called SEABORGIUM. We are briefing you to raise your awareness of the tactics used and the measures you should take to protect your personal accounts. It applies to both members and to members’ staff, so I ask that you share the guidance with your teams. This is a quick briefing for now to update you; further, more comprehensive communications will be issued in due course.

What you need to know:

  • Stewart McDonald’s personal email was compromised
  • The hackers achieved this by compromising the personal email account of one of his staff, who was locked out
  • The group sent Stewart an email from the staff account with a malicious password-protected attachment
  • The topic of the email was relevant to the member’s work and looked like a genuine message from his staff

Our advice:

  • Be sure that you are communicating with the individual you think you are – if possible, use a separate means of contact to validate this
  • Do not click on links or open files unless you are sure of their source
  • Secure your personal accounts – use strong, unique passwords and turn on multi-factor/2-factor authentication on your social media accounts and personal email
  • Use a different password for your Parliamentary account
  • Use Parliamentary devices for Parliamentary business whenever possible
  • Do not set up any automatic email-forwarding between your Parliamentary email and personal accounts
  • Protect and update your personal devices. Security tips for your mobile phone – intranet PDF
  • Book a cyber security briefing with your local engagement team
  • Report suspicious messages or activity to the Parliamentary Digital Support Desk by calling x2001

For more insight on phishing visit the cyber security intranet pages. The ‘Think Before You Link’ app, from the Centre for the Protection of National Infrastructure (CPNI) helps you identify malicious online profiles and reduce the risk of being targeted. For further information, visit Think before you link app – CPNI webpage.

Mailbox Full?


Your mailboxes have a maximum size limit of 80 GB. If you go over this, then you will no longer be able to receive incoming messages and the senders will get bounce messages.

To prevent this from happening, PDS is asking MPs and their staff to either delete or archive old messages. If you choose to archive them, then they will still be accessible to you; the archive size is unlimited.

To see how much of your mailbox you have used, right-click on your inbox folder and select ‘properties’.

When the properties box appears, click on ‘folder size’ and then wait a few moments to calculate it. Look at the total size including subfolders and divide it by 1,000,000 to get the size in GB.

Even if you are not nearing the 80 GB limit, it is good practice to delete unwanted emails or archive older ones that you may wish to refer to in future – it makes searching your inbox quicker, and archived emails take up less space. If you get into the habit of regular housekeeping – deleting or archiving emails as you go along – it makes your inbox much easier to manage, so go on, give it a go!

Setting Up the Office


2.1  Choosing the right office(s)
2.2  Furniture, Equipment and Stationery
2.3  Computers
2.4  Email
2.5  Data Protection Registration
2.6  Confidentiality
2.7  Involving Volunteers, Work Experience Students, Interns
2.8  Registering Interests
2.9  Health and Safety Policy for constituency offices
2.10 Dealing with post and deliveries


2.1 Choosing the right office(s)

The tasks performed by MPs’ staff include: research, providing briefings; drafting speeches and articles; casework, including handling letters, emails and calls; press and political work; diary and engagements; and keeping accounts.  Alright, so you do 101 other things as well, but the functions listed above, and who does them, will have a strong bearing on where any MP decides to locate his/her staff.

The choice is clearly between basing the office in Westminster or in the constituency – or a mixture of the two – and there are examples of every permutation.  Given the flexible tools of information technology, there are many tasks which could as well be done up a mountain as at Westminster, but the overriding considerations will be convenience and accessibility.  For example, having access to all the resources at Westminster and also having a visible presence in the constituency.

Here are some questions MPs will wish to answer before choosing the location(s) of their office(s):

  • Do you want constituents to have walk-in access to your staff?  (NB: please consider the security of you and your staff – see our brief comments on security in Section 3.9 on Advice Surgeries in our Everyday Tasks Guide)
  • Do you want to locate your staff in the office of your local constituency party?
  • Do you want to share with a neighbouring MP?
  • Is it most convenient to have a researcher at Westminster?  What happens to this role during parliamentary recesses?
  • Can all press contacts be adequately handled in the constituency?
  • Where is the most efficient place to locate your diary-keeper?
  • Is it possible to handle casework satisfactorily at Westminster?

In your office on the Parliamentary estate at Westminster, phone calls, rent, furniture, cleaning, photocopying costs are not charged to your Office Costs Budget; but you will have to pay for them all (and more) in your constituency office.

New MPs are entitled to a start-up budget, to enable them, amongst other things, to set up a constituency office.

Before you can claim any costs associated with your constituency office, including rent, you must register that property with IPSA.  Further details can be found in the ‘Guidance for MPs’ Business Costs’, the latest version of which can be found on the IPSA website.

2.2 Furniture, Equipment and Stationery

At Westminster, standard furniture is provided at no cost.  In the constituency, however, you will have to buy it, although you can use the start-up budget for this.

Once upon a time, many offices would be full of filing cabinets full of paper – usually casework.  However, now that almost all casework is stored online, thankfully, you no longer need to squeeze filing cabinets into every available space.  Try to resist the temptation to provide a home for every single scrap of paper that enters your office on the grounds that “it-might-come-in-useful-one-day”.  With most information available online now, the ability to scan documents, and the wonderful backup from the Commons Library, you can confidently consign 99% of all that bumph to your paper recycling box.  So buy as few good quality filing cabinets as possible and consider looking for bargains in second-hand furniture warehouses.

Desks, chairs, lamps, phones, filing trays, shelving, and all the other bits and pieces you will need can also be found in second-hand places but it’s worth comparing prices with those in the House of Commons preferred stationery supplier’s catalogue which can be found online here: https://b2b.bbanner.co.uk/  Your Member should have been sent login details already.  If not, please give their helpdesk a call.  Most items are delivered next-day, so there’s no need to fill your office to the ceiling with stock.

If you need any workplace adjustments, please see this guide: https://w4mp.org/w4mp/w4mp-guides/workplace-adjustments/

USE OF HOUSE STATIONERY AND POST PAID ENVELOPES (Serjeant at Arms)

There are very strict rules on how you may use House stationery and the Parliamentary post-paid envelopes.  They may only be used in connection with Parliamentary duties and must not be used for anything which could be considered to be business use or political campaigning in any form.  Please see here for the current rules on the use of House stationery and post-paid envelopes.

2.3 Computers

Each Member is entitled to loan computers, laptops, mobile devices and printers from Parliament, sufficient for every member of staff who is on an IPSA contract.  The catalogue can be found on ParliNet, or you can ask for advice by ringing the Parliamentary Digital Service helpdesk on x2001.

You will need to set up your own broadband for your constituency office.  Parliament will no longer provide this for you.

Please note that computers supplied by Parliament are only accessible by people who have security clearance.  Without security clearance, you cannot even log onto a machine.  Therefore, it is very important that new staff apply for their security clearance as soon as possible, in order to avoid delays in getting network access.  Note that security clearance must be completed before a contract of employment can be offered, so applicants are advised not to hand in their notice with their current employer until confirmation of security clearance has been received.

Don’t forget to purchase a television licence for your constituency office.  Even if you don’t have a television in your constituency office, you will still need a licence if you watch live TV on your computer or any mobile devices, or download any programmes from BBC iPlayer.  You can find further information here: https://www.tvlicensing.co.uk/check-if-you-need-one and purchase a licence here: https://www.tvlicensing.co.uk/cs/pay-for-your-tv-licence/index.app  You can pay for it on your Member’s or their proxy’s IPSA card.  You do not need to purchase a television licence for your Westminster office as this is covered by the House authorities.

2.4 Email

The vast majority of MPs’ correspondence comes in by email, and you may be surprised at just how many emails arrive every day – it can often be in the hundreds, so it is important that you agree with your Member how you are going to deal with them.  Some MPs give their staff ‘delegated access’ to their inboxes, which allows staff to monitor and respond to emails on their behalf.  Some MPs have two mailboxes, one of which is accessible by their staff, and one which remains private.  Having a second mailbox can be very useful, for example, if you want to use one specifically for casework.  It is very easy to drag and drop emails between the two mailboxes, if required.

Many Government departments and agencies also have special MP ‘hotline’ email addresses, which are extremely useful.  There is a list of hotlines on the Parliamentary intranet.

2.5 Data Protection Registration

Members of Parliament do not need to register with the Information Commissioner, even if they have CCTV or video doorbells, unless they are also running a business from the same premises as their constituency office.  For further information on this, please see our guide to Data Protection here: https://w4mp.org/w4mp/w4mp-guides/your-office/freedom-of-information-and-data-protection-issues/

2.6 Confidentiality

Working for an MP involves daily access to confidential information, both political and private.  It should be treated as such and protected from unauthorised disclosure.  Your constituents expect you to deal sensitively and appropriately with any personal information they give you.  Being given confidential information about a constituent can sometimes put you in a tricky situation.  Let’s look at three examples.

A constituent has asked you to contact the Home Office to speed up an application for his wife to join him in this country.  After interminable and inexplicable delays, an Immigration Officer reveals to you over the phone that the reason for the delay is that the wife is being investigated for deception.  This will involve an investigative trip to a remote part of her home country and there will be further delays; he asks you not to reveal this to your constituent.  Meanwhile, your constituent is ringing you three times a week to check progress.

Another example: your MP has written to Social Services on behalf of constituents who say they are being unfairly prevented from having reasonable access to their children who are in a foster home at present.  You receive two replies: one repeating the line that there is an agreement, made in court, that access is only allowed in tightly supervised conditions.  The other reply, marked “Confidential”, informs you that the children have made allegations of sexual abuse against one of their parents, which are currently being investigated.

A third example: you receive an anonymous email (so you can reply to it but you have no idea of the name or postal address of the sender) claiming that a named person is defrauding the Benefits Agency and asking you to pass on this information.

You need to discuss with your MP how you deal with these situations.  It is also important that, despite the pressures on your time, you read all letters from constituents and replies from agencies carefully before forwarding them.  Sometimes you will get what appears to be a very forthright or stark response for forwarding to a constituent.  Don’t underestimate the value of your role in achieving clarity (light but not sweetness, perhaps) for constituents; the unvarnished truth can sometimes help them to move on.

Only in exceptional circumstances should you pursue an issue for a constituent if it has been brought to your attention by someone else: a neighbour or a relative, for example.  Always get the permission (preferably in writing) of the person whose problem you are being asked to help resolve.  Here’s an example of a permission form.

Permission Form

NAME [Please print]________________________________________________________

National Insurance No: _____________________________________________________

ADDRESS _________________________________________________________________

I have instructed my Member of Parliament [NAME] to act on my behalf in this matter and would be grateful if any correspondence or documents could be sent to the address of my MP.
I confirm that I have given my MP permission to pursue these matters and to use all information I have provided, whether written or spoken, and including sensitive personal information.
I understand that this will be done in line with the requirements of the Data Protection Act 2018.

SIGNED___________________________________________________________________

DATE_____________________________________________________________________

2.7 Involving Volunteers, Work Experience Students and Interns

Given that anyone wishing to use a computer must have security clearance, this means that any short-term volunteers or work experience students must not be allowed to use them.  You need to consider this requirement when agreeing to any such positions, and you should never share log in details.  Additionally, anyone who will be working on the Parliamentary Estate must get a Parliamentary pass, even if they’ll only be there for a day or two.   At normal times, most pass applications are processed within a week or two, so get the application in as early as you can, but a few weeks in advance should be fine.  Obviously, the waiting time may be considerably longer immediately after a General Election as there are likely to be a lot of new staff being taken on.

There may be problems about the use of volunteers in any office where paid staff are working, but most of us reckon that, despite some of the drawbacks, there’s a net gain from involving volunteers in our work.

For information on the logistics of having work experience students in your office, have a look at this guidance note.  It includes information on security and health and safety.  You can also read the information on safeguarding.  You may also find w4mp’s guide to Organising Work Experience in an MP’s Office useful.

There are a host of jobs which suit the skills and time availability of volunteers. Bear in mind a few principles and the arrangement can be mutually beneficial.

  • Manageable Tasks. Most volunteers come in for just a few hours a week so you need to give them manageable tasks which can be completed in that time.  Although some jobs – like culling the archived case files – are endless, make sure that volunteers don’t bite off more than they can chew and leave stacks of un-shredded papers lying around when they go.  You don’t want to have to finish the job when they’ve gone home.
  • Check Reliability. Say, for example you have given your volunteer the job of opening and sorting the post.  As you well know, it’s not just a simple job of opening envelopes and stamping the date received on it.  Sheets need to be fastened together, replies must be linked to existing files, invitations checked against the diary, stacks of unwanted bumph separated from letters you must answer, etc.  That’s a skill it takes time to develop so it will pay you to tell them how you want it done and check it has been done correctly.  Otherwise, their work will be a drain on your time rather than a bonus.

Make sure volunteers know that their time is valued and that you expect to rely on them being there when they said they would.

  • Silence Please!  Make it clear, right from the start, that there’s work to be done and you don’t have time to sit and chat.  OK, be kind to yourself (and them) and do the chatting during a tea break!
  • What’s in it for the Volunteer?  Well, plenty actually.  A sense of involvement, achievement or helping out; perhaps some experience to be included on their CV (so get them to keep a running list of the tasks they undertake in case you need to write a reference later); and, hopefully, some genuine appreciation from you!
  • Confidentiality Agreement.  However well known the volunteer may be to you, he or she should sign a confidentiality agreement before starting work in your office.  It’s not just about guarding Party strategy.  You will inevitably handle very sensitive material about constituents from time to time and anyone working in the office will fall under the provisions of the Data Protection Act 2018.  Here’s an example of a confidentiality agreement which you can use or adapt for your own office.  Let us know if you have an alternative agreement: use the Feedback Form.

Confidentiality Agreement

To be signed by all staff, volunteers, interns, secondees etc.

  1. Work undertaken in the office of _____________ MP involves access to information which is confidential. It should be treated as such and protected from unauthorised disclosure. It is an express condition of your relationship with ________________ MP that you should not divulge to any person outside the office of the MP any confidential information or aid the outward transmission of any such information or data.
  2. This undertaking continues after you cease to work for the MP.
  3. This undertaking applies to all material, including constituents’ casework, research, party political material, statistics, data, reports, etc.
  4. In the case of constituency casework, where it is necessary to relay information, letters, records of telephone conversations etc to third parties, this will always be done only in accordance with the interests of the constituent.

I have read this agreement and I understand and accept the above.

NAME _________________________________________________________

SIGNED  _______________________________________________________

WITNESS * _____________________________________________________

DATE __________________________________________________________

* line manager

Internships:  click here for all you need to know about a) becoming an Intern, and b) finding and looking after an Intern.

2.8 Registering Interests

When you first apply for a parliamentary pass, renew your pass, or change your sponsor you will be given a registration form to complete by the Pass Office.  A Resolution of the House requires that you register:
(1)  any relevant paid employment you are engaged in outside Parliament (remuneration amounts will not be published); and
(2)  gifts or other benefits which relate to your work in Parliament.

The Pass Office forwards the form to the Office of the Parliamentary Commissioner for Standards, where your details are added to the Register of Interests of Members’ Secretaries and Research Assistants.  You will be sent a copy of your entry then and whenever the entry is subsequently amended.  The Register is available for public inspection and is on the internet.  Members’ staff who are not issued with a parliamentary pass are not included on the Register, so if you have security clearance for access to the Parliamentary Network only, then you do not need to register.

Members’ staff may also be asked to assist their sponsoring Member in completing and maintaining his or her correct and up-to-date entry in the Register of Members’ Interests.  This is now done easily through an online portal.  If you are not already designated as a proxy for MemberHub, your Member will need to email the Table Office to ask for you to be added.  The Parliamentary Commissioner for Standards and Registrar of Members’ Interests are available to offer advice to Members and their staff on any aspect of registering and declaring interests.

The relevant telephone numbers are as follows:

Parliamentary Commissioner for Standards: 020 7219 0320
(Personal Assistant): 020 7219 0311
Registrar of Members’ Interests: 020 7219 3277
Assistant Registrar (for Members’ staff): 020 7219 0401

2.9 Health and Safety policy for constituency offices

There is an intranet page dedicated to Safety at Parliament, which may not be directly relevant to constituency offices but still contains some useful information.  There is also a page dedicated to Health and Wellbeing.

2.10 Dealing with post and deliveries

Courier deliveries (e.g. Amazon, ASOS etc) cannot be made directly to the Parliamentary Estate, nor must passholders meet deliveries outside the Estate and then bring them in.  Deliveries present a huge security risk and these rules must be adhered to at all times.  If you must have items delivered to Parliament, please read the guidance here.

Email etiquette


Isn’t it annoying when people send you e-mails that don’t contain any punctuation?  Or when you are sent an e-mail which has 300 recipients, and you scroll down through all the names to find a one-line message at the bottom?  Honestly, some people should use a bit of Netiquette!

What is Netiquette? 

Internet Etiquette, or ‘Netiquette’ is the unofficial ‘code of conduct’ for Internet users; a guide to avoiding inadvertently offending those with whom you communicate by e-mail and other electronic means such as chat rooms, instant messengers and message boards.

Blind Copying

Blind copying, or ‘BCC’ is a useful way of hiding the names of the recipients of an e-mail.  There are three main reasons for using the ‘BCC field’:

  1. to keep e-mail addresses private (so that the recipients aren’t able to copy the e-mail addresses of everyone else on the list)
  2. to prevent long lists of names appearing when printing or forwarding messages – some recipients get so irritated by long recipient lists, that they just delete the message without reading it.
  3. to prevent accidentally clicking ‘Reply to All’.

If you can’t see the BCC field when you open up a new message in Outlook, simply click VIEW > BCC field and it will appear.  It will then show up on all new messages, unless you choose to hide it again.

Shouting

When people type messages which are all in capital letters, e.g. with the Caps Lock on, it is referred to as ‘shouting’ and is considered very rude indeed.

Use Appropriate Language

Just as in face-to-face communication, adjust your language according to your audience.  Avoid swearing or using abusive language, and don’t write anything which could be construed as sexist, racist or homophobic, or make comments which could incite arguments (flaming).

Punctuation

Rules of punctuation still exist in e-mails.  When it comes to punctuation, you should treat an e-mail in the same manner as a formal written letter.  Lack of punctuation not only makes a message very difficult to read, but also makes the writer look very unprofessional and, on occasion, a bit of an idiot.

Emoticons

An emoticon is a graphical representation of an emotion.  The most common of these is a ‘smiley’  –   :o)   When looked at sideways, it looks like a smiley face.  These should not be used in formal communication, but are sometimes useful in very informal chat situations where a message you mean as a joke may be misunderstood, or otherwise be deemed rather impolite.  There are many different emoticons and many lists of them can be found on the Internet, simply by searching on the word “emoticons”.

Post in Haste, Repent at Leisure

If you receive an e-mail which annoys or upsets you, don’t respond to it immediately.  Print it out and keep it for a while.  With e-mail, it’s too easy to whip off a tart response in seconds, hit the ‘send’ button and… “damn, I got it wrong, I didn’t mean that”.  Too late.  It’s gone, and it’s almost certain you can’t get it back.  Always think before you reply.

Flaming

Flaming is where people make personal (written) attacks, especially in chat rooms, rather than sticking to the topic of conversation.  Flaming should be avoided at all costs, because it spoils the conversation for other members of the group.  Sometimes, flaming occurs because of a misunderstanding, for example when someone has been SHOUTING in their messages.

Beware of ‘Reply All’

Beware of defaulting to use the ‘reply all’ button all the time. Only use ‘reply all’ if your reply is important to all the recipients. Also, using it too often can lead to automatically replying all with an email not intended for all recipients – very embarrassing and a sticky situation to have to escape from.

Avoid Embarrassing Emails

It’s easy to accidentally hit ‘send’ when a message was not yet ready to go. This can be quite embarrassing, especially if you’d intended to change the text later before sending the mail. Since it’s difficult to disable the ‘send’ button, you should make sure the message does no harm even if you hit that button accidentally.

Either:

  • leave the address field empty, or
  • address the message to yourself while you are still composing it.

Only enter the final recipient when you are absolutely ready to send the mail.

Safety Online

Spam

Spam is, quite simply, unsolicited junk mail.  The name ‘spam’ comes from a Monty Python sketch where, on the menu in a cafe, everything comes with spam.

Some people are lucky enough not to get any spam at all, others may get hundreds of unwanted messages a day. Users of the Parliamentary Network benefit from a spam filter, which does catch most of the rubbish before it gets to your inbox.

Spam does not necessarily have to come from unknown sources; a lot of spam comes from friends in the form of jokes and ‘sillies’, which they send to all of their friends, who in turn send it to all of their friends. Before you know it, your e-mail is full of the stuff and you’ve got no work done. If a friend starts sending you unwanted e-mails, ask them to stop.

However, you must never click on an ‘unsubscribe’ link (or any other links) in messages from unknown sources, as you are just confirming to the spammer that you exist, and you’ll probably end up on even more junk mailing lists.

If you receive spam of a racist or obscene nature, especially if it involves children, you can report it (anonymously, if you prefer) to the Internet Watch Foundation (www.iwf.org.uk) who will investigate and take appropriate action.

Personal Information

There is a famous cartoon from the New York Times, showing two dogs at a computer, and one says “On the Internet, no-one knows you’re a dog”.  We can’t reproduce the picture here, for copyright reasons, but you can find it easily enough by searching on the Internet.  Although it’s funny, it’s also a very serious warning.

People you may chat with by e-mail or in chat rooms may not always be who they seem.  Anyone can be nice in such an anonymous setting, but how would you like it if those people started knocking on your door, or phoning you?  Don’t ever give out personal details such as phone numbers, e-mail addresses, or information about your family, school or workplace.  There have been many cases of personal details being abused, causing great distress to the victims.

Office Email Policy

You may find it useful to establish an office email policy, which can incorporate the above and any other rules for using email you think appropriate for your office and staff (seek colleagues’ opinions first of course). All employees should sign off on having received the information once it is finalised.

You might consider:

  • how restrictive you should be on the use of email for personal reasons at work. Your policy may like to emphasise that the use of the domain name (@parliament.uk) should be reserved for work-related emails and emails to colleagues only.
  • whether you will require all employees to have an email signature.
  • whether to establish a policy for deleting messages.
  • when to use email and when to use post – is your MP happy for you to contact constituents via email if they have emailed you, or should a letter always be sent?
  • When sending emails outside of the Parliamentary Network, a disclaimer is added automatically, which reads:

“UK Parliament Disclaimer: This e-mail is confidential to the intended recipient. If you have received it in error, please notify the sender and delete it from your system. Any unauthorised use, disclosure, or copying is not permitted. This e-mail has been checked for viruses, but no liability is accepted for any damage caused by any virus transmitted by this e-mail. This e-mail address is not secure, is not encrypted and should not be used for sensitive data.”

  • Do not allow the employee to pass off personal views as representing those of the party or Parliament – you should add your own disclaimer, along the lines of:

“Views expressed in personal emails do not necessarily reflect the position or opinion of the Labour Party/Conservative Party/Liberal Democrats.”

Further reading: The Core Rules of Netiquette, by Virginia Shea