My guess is that they're monitoring web activity on DCSF computers. The alternative -- getting hold of They Work For You's server logs -- is too horrible to contemplate.

She would have been logged on at a DCSF workstation. All it requires then is cross referencing who is logged into which machine and the originating IP of the traffic. A log of an http post to that site at the time the message appears is pretty undeniable evidence.

What's it got to do with her email account?

We can not tolerate people using Civil Service computers to criticise members of government.

"They Work for You" does not, so far as I can see accept "postings". They do refer you to "Write to Them" so you can send an email. Maybe that's what Lisa Greenwood did.

If so, the next thing that happens is that WriteToThem emails the address you gave them to confirm that you want to send the email. If Lisa used her work address that would give her away. It's trivial to scan email logs by sender. Also, the subject would have been "Please confirm that you want to send a message to Hazel Blears MP". She'd then have to click on the confirmation link.

If this is what happened it explains how her work email was involved. Never use your work email for this sort of thing. Or for managing your bank account. Or your PayPal account. Or to buy things with your credit card. I've seen all of these in email logs. Don't do it.

theyworkforyou allows annotations on debates for example, I would wonder if it was something like that?

Having worked for a big company that did it I would expect all government internet traffic to be logged and checked for things like this. I bet they have filters set up specifically for sites like "They Work for You" to see what employees are posting. Using a work email account or work computer for anything your employer might not like is I'm afraid, very stupid.