We’ve all been there. It’s Saturday night, “The Masked Singer” has long finished, and there seems to be nothing else to do but reveal Dominic Cummings’ mobile number on the internet.

Award-winning journalist Carole Cadwalladr took to Twitter to either announce that she had invited Cummings to join flavour of the month social media site Clubhouse, or to pretend that she had done so. Whichever it is (and as so often with Cadwalladr, the truth is not easy to work out), she demonstrated this by tweeting a picture of the message she was sending to Dom, revealing his number in the process.

I’m not sure what Cadwalladr was up to: the pictured text had a cursor in it, suggesting that she was tweeting a screenshot of an unsent message, and she subsequently claimed that she isn’t even on Clubhouse, making the whole thing fake news. Several of her followers pointed out that she had revealed Cummings’ number, and she deleted it, though not before several people screen-shotted it.

This isn’t the first time that Cadwalladr’s carelessness has been revealed on Twitter. She has already had to apologise to her nemesis Arron Banks for falsely claiming he had been found guilty of breaking the law, and last August she was keen to amplify the entirely false claim that Michael Gove is Elizabeth Denham’s boss (Denham doesn’t have a boss, and the ICO’s sponsor department is the DCMS, not Gove’s Cabinet Office). This is an easy fact to check, but to do so would get in the way of Cadwalladr’s conspiracy theory that the ICO was leant on by Gove to cover up the “truth” about Cambridge Analytica’s role in Brexit.

There are some serious issues here. As an independent journalist using Twitter for the purposes of reporting and commenting, Cadwalladr is a data controller. Though there is a significant journalism exemption in the Data Protection Act 2018, it applies only when compliance with normal data protection requirements comes into conflict with the public interest in publication. In any case, the exemption never removes the controller’s obligations under the security principle.

As someone who routinely works with personal data relating to both the people she is writing about and those she claims are whistleblowers, Cadwalladr’s security and data handling standards need to be very high in order to meet the UK GDPR’s demand for data to be “processed in a manner that ensures appropriate security“. Whatever you think of Cummings (and I think he’s a gobshite), anyone processing his data in a professional context is obliged to ensure that it is processed with appropriate technical and organisational measures, not posted on the internet for a laugh. It’s obvious that Cadwalladr didn’t think through the consequences of her tweet, hence its quick deletion, but her responsibilities as a controller do not diminish because of the lateness of the hour.

This episode also reveals the inherent flaw in the Clubhouse business model. If I was to believe Cadwalladr’s initial claim that she had invited Cummings to join Clubhouse, this would be unlawful in a number of different ways. She presumably obtained Cummings’ number in a journalistic context, so to reuse it for a prank would be incompatible with the original purpose, thus breaching the second GDPR principle. The wording of the invite she tweeted states “I added you“, meaning she gave Cummings’ number to Clubhouse. Although Clubhouse users may defend their use of other people’s data because the purpose is purely domestic, much of the uses I have seen described are in a professional context.

This isn’t just a criticism of Cadwalladr – anyone passing personal data to a site like Clubhouse in a professional context would need a lawful basis (the only possible options would be consent or legitimate interest), and a clear, justifiable purpose. The message Cadwalladr claimed to have sent would be a marketing text on behalf of Clubhouse, and both it and any subsequent message sent by Clubhouse would be unlawful marketing messages in breach of the Privacy and Electronic Communications Regulations 2003 (also known as PECR).

There is an irony in all this – one of the chief complaints in Cadwalladr’s stories about Facebook and Cambridge Analytica was the claim that friends’ data was harvested and passed to companies in the US and used for targeted ads (a claim that for UK Facebook users, the ICO has debunked). By passing Cummings’ data to Clubhouse, Cadwalladr would have disclosed personal data with a site based in the US. Clubhouse’s privacy policy states that “we may share Identification Data and Internet Activity Data with social media platforms and other advertising partners that will use that information to serve you targeted advertisements on social media platforms and other third party websites“. The only opt-out rights mentioned are under the California Consumer Privacy Act and so only apply to California residents. If this was not a joke, Cadwalladr did to Cummings what she claims Dr Kogan did to Facebook users. But if it was a joke, it’s incredibly thoughtless handling of personal data for a really cheap purpose.

Cadwalladr would now presumably claim she never sent the message or shared the data, and it was a joke that went wrong. Cummings mobile was online for a few minutes, and she cannot be held responsible for a simple mistake, or for others choosing to screenshot her tweet. I know for certain that some won’t care because the victim here is Cummings and however small a breach it might be, it doesn’t matter. Anyone making these arguments doesn’t care about Data Protection; rights and protections don’t only apply to people you like, and responsibilities apply to all, even to journalists who appeal to your politics.

Twitter is the real world, and the law applies to it. The material you post online is subject to the same protections and standards as anywhere else. If Cummings posted Cadwalladr’s mobile number on the internet by mistake, there would be a cyclone of outrage, not least from herself and demands for the ICO to take action. As someone who has set themselves up as a doughty defender of Data Protection, Cadwalladr should do better, and be a lot more careful in the way she handles personal data with which she has been entrusted. This is no less true for everyone else. Posting data, sharing it with social media sites, recommending others for marketing or services that they haven’t asked for – all of this needs to be done with care and with respect, or not at all.