Data Protection for House of Commons Members and their Staff

Standard

This short online course is designed to give learners an overview of the General Data Protection Regulation (GDPR). 

  • What General Data Protection Regulation (GDPR) is and why you need to know about it
  • What the principles of GDPR are
  • Differences between GDPR and the Data Protection Act (DPA)
  • Penalties and exceptions to the GDPR

To find out more and enrol, please go here: https://parliament.learningpool.com/course/view.php?id=1344

Data Protection

Standard

Data Protection 

Everyone who deals with personal information in a Member’s office has responsibility for the personal data that they handle for the Member, and must comply with the rules of the General Data Protection Regulation (GDPR) which is supplemented by the Data Protection Act 2018 (DPA).  The majority of this personal information will relate to constituency casework, but it also includes information about any identifiable individuals, such as staff and volunteers.  Parliamentary privilege does not exempt Members of Parliament from complying with the DPA with respect to constituency casework, and the requirements of the GDPR and the DPA must be observed. 

The GDPR lays down seven key principles for the handling of personal information.  The information must be: 

  1. used fairly, lawfully and transparently 
  2. used for specified, explicit purposes 
  3. used in a way that is adequate, relevant and limited to only what is necessary 
  4. accurate and, where necessary, kept up to date 
  5. kept for no longer than is necessary 
  6. handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage 
  7. handled responsibly with appropriate measures and records in place to demonstrate your compliance. 

Sharing personal data  

In order to allow an MP to fulfil their role as an elected representative, there is a separate piece of legislation – The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 that lays out the specifics around data sharing – for example, allowing Members to handle sensitive personal data (such as health information) in order to take action at the request of individuals, without having to obtain explicit, written consent from that individual. (although please note: if the wishes of the constituent are at all unclear, you should always discuss this with them!)  

The order also allows third parties (such as Government Departments or local authorities) to disclose sensitive personal data to a Member acting on behalf of a constituent where the disclosure is necessary to assist the Member in responding to the individual’s request. The condition is permissive; it does not compel third parties to disclose information to a Member and other organisations may still ask you to demonstrate that you are acting on your constituent’s behalf. 

When processing non-sensitive personal data, Members can usually rely on the consent of the constituent as providing the necessary condition (i.e. if a constituent has contacted the Member asking them to pursue a case on their behalf, it is reasonable to take this as confirmation that they are happy for their personal data to be processed as necessary to progress the case).  It is important to keep a record of any correspondence from the constituent that the Member is relying on as evidence of a request to act on their behalf.  Please note, consent can also be withdrawn; you must make it easy for individuals to withdraw their consent at any time.  You can read more about sharing data here: https://parlinet.parliament.uk/information-resources/data-protection-freedom-of-information-and-information-security/data-protection/data-protection-for-commons-members-and-their-offices/sharing-constituents-personal-data/

Registration with the ICO 

From 1 April 2019, Members of Parliament do not need to register with the ICO, including if they are using CCTV in relation to their functions as an elected representative, e.g. a video entry doorbell or CCTV for safety and security purposes.  

However, if the Member processes personal data for any purpose outside of their role as an elected representative, (for example if the Member runs a secondary business from their office) or if they use CCTV for business or crime prevention purposes in relation to their second business, then they would still be required to pay the fee. 

You can find this on the ICO website here: https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee/exemptions/

You can find more information about paying the fee in the ICO’s data protection fee guidance 

FAQs for Parliamentarians – https://ico.org.uk/for-organisations/in-your-sector/political/new-data-protection-regime-faqs-for-parliamentarians/

Data Protection and Casework

If you receive a casework request from a third party, perhaps a relative of your constituent, it is important to ensure that you have the consent of the constituent unless it is not reasonably possible to gain that consent.  In order to safeguard an individual’s personal information and comply with the Data Protection Act 2018, many bodies will not respond if the request is made by someone other than the constituent without proof of their consent.

The House of Commons Library has a very useful briefing note on data protection and casework here: Data protection: constituency casework 

Immigration Casework

The Home Office will require the MP to provide a ‘wet-signed’ letter of consent from the applicant, where it is someone other than the applicant who has contacted the MP.  The Home Office will not accept a consent form when the signature field has been typed or has an e-signature.  If the applicant would like a third party such as a friend or relative to act on their behalf, then they will need explicitly to state this person’s name and details on the consent form.

Department for Work and Pensions Casework

If the DWP refuses to respond to the MP without a consent for, please refer them to this:

The DWP ‘Working with Representatives’ Guide states “Note that customers’ own MPs are assumed to have authority to act and information can be disclosed in response to their enquiries.  Please refer to the ‘Disclosure to MPs or other elected representatives guidance’ (DWP Staff intranet only) for more information.”

Ceasing to be a Member of Parliament

When a Member retires or loses their seat, it is good practice for them to contact those constituents who have open cases, to ask them what they would like to happen to their file.  Options include:

  • destroying the file
  • passing the file to the new Member (the constituent MUST sign a letter of authority to do this)
  • passing the file to the constituent themselves 

If your office has a robust data retention policy, then hopefully you should not have too many files to deal with.  Please note that it is not permitted to use Parliamentary stationery for this purpose once the Member has ceased to be an MP.  If the Member knows that they are retiring, letters asking for the constituents’ preference could be sent out several months before the election, so that the staff have plenty of time to prepare for any file transfers or destruction required.

When someone ceases to be a Member of Parliament, they have only four days in which to stop handling sensitive data.

Data Retention

Principle 5 of the Data Protection Act states that information should be kept ‘no longer than necessary’.  However, it does not define what that time period should be.  Some MPs like to keep files for the length of a Parliament, some even like to keep them for the whole of their Parliamentary career, but it really isn’t a good idea to keep them this long.  Do you really need to keep a file on Jane Smith’s housing issue from ten or twenty years ago?  We are certain that the ICO would say that this is ‘longer than necessary’.  Once a case is closed, there really shouldn’t be any need to keep it longer than one year.  If you use casework management software, you can set a review date, so that it will flag up on the designated date, and you can review the file and decide whether to destroy it, or retain it if it looks like the issue might return.  When deleting a case on your casework management software, it is a good idea to add a note to the constituent’s profile stating the case number, a brief description of the nature of the case (one sentence, not an essay!), the date of the last action on the case and what date it was destroyed.  Then, if a constituent puts in a subject access request, you can tell them that you no longer hold that file, and on what date it was destroyed.

Guidance on the Information Commissioner’s Website also counsels against keeping data for too long:

“If you are not re-elected, it is important to be aware that you only have a condition for using special category data for four days after the election”

and

“If you no longer have a condition for processing and you continue to do so then you are very likely be in breach of UK GDPR.

“As four days is such a short time frame, it is sensible to review your records containing special category data in advance where practical and not to keep casework records for longer than is necessary. This will give you time to consider what to do with each case file and consult constituents, as necessary. This is particularly sensible if you are standing down at the election.”

Political campaigning

Be careful how you use constituents’ email addresses for political campaigning.  According to advice from the Information Commissioner, you need to gain their consent before contacting them with routine newsletters and offer them an opportunity to object. See the guidance link below: 

https://ico.org.uk/for-organisations/guidance-for-the-use-of-personal-data-in-political-campaigning/

 

Useful links relating to Data Protection: 

On the Parliamentary intranet (network account required): 

Online training 

Introduction to General Data Protection Regulation (GDPR) for Members and their staff 

Data Protection for Members and their Staff 

Information 

Consult ParliNet for further information about data protection.

External links: 

Guidance for the use of personal data by elected representatives in carrying out constituency casework
Updated 18 September 2023 to include information about changes in constituency boundaries.

IPSA – Information Commissioner’s Fee

Data Protection – gov.uk 

Guidance on political campaigning 

 

Subject Access Requests

You may receive a request from a constituent asking for you to provide them with any personal data that you hold about them. This is known as a Data Subject Access Request (DSAR) or a Subject Access Request (SAR) (they are the same thing) and, under the GDPR you are legally obliged to provide this information (ensuring you redact any personal data that does not belong to the requester). Details are on ParliNet.

If the request is for any other information, you are not obliged to provide it.  Members of Parliament are not subject to Freedom of Information (FOI) requests.

Further Information

You might also find useful our guide ‘Protocol clarified on representing constituents‘. 

This page was last updated on 25 November 2024