Everyone who deals with personal information in a Member’s office is responsible for the personal data that they handle for the Member, and must comply with the rules of the General Data Protection Regulation (GDPR), which is supplemented by the Data Protection Act 2018 (DPA). The majority of this personal information will relate to constituency casework, but it also includes information about any identifiable individuals, such as staff and volunteers. Parliamentary privilege does not exempt Members of Parliament from complying with the DPA with respect to constituency casework, and the requirements of the GDPR and the DPA must be observed.
The GDPR lays down seven key principles for the handling of personal information. The information must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
- handled responsibly with appropriate measures and records in place to demonstrate your compliance.
Sharing personal data
In order to allow an MP to fulfil their role as an elected representative, there is a separate piece of legislation, The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002, that lays out the specifics around data sharing. For example, it allows Members to handle sensitive personal data (such as health information) in order to take action at the request of individuals, without having to obtain explicit, written consent from that individual. Please note, however: if the wishes of the constituent are at all unclear, you should always discuss this with them!
The order also allows third parties (such as Government Departments or local authorities) to disclose sensitive personal data to a Member acting on behalf of a constituent where the disclosure is necessary to assist the Member in responding to the individual’s request. The condition is permissive; it does not compel third parties to disclose information to a Member and other organisations may still ask you to demonstrate that you are acting on your constituent’s behalf.
When processing non-sensitive personal data, Members can usually rely on the consent of the constituent as providing the necessary condition (i.e. if a constituent has contacted the Member asking them to pursue a case on their behalf, it is reasonable to take this as confirmation that they are happy for their personal data to be processed as necessary to progress the case). It is important to keep a record of any correspondence from the constituent that the Member is relying on as evidence of a request to act on their behalf. Please note, consent can also be withdrawn; you must make it easy for individuals to withdraw their consent at any time. You can read more about sharing data here: https://parlinet.parliament.uk/information-resources/data-protection-freedom-of-information-and-information-security/data-protection/data-protection-for-commons-members-and-their-offices/sharing-constituents-personal-data/
Registration with the ICO
From 1 April 2019, Members of Parliament do not need to register with the ICO, including if they are using CCTV in relation to their functions as an elected representative, e.g. a video entry doorbell or CCTV for safety and security purposes.
However, if the Member processes personal data for any purpose outside of their role as an elected representative (for example, if the Member runs a secondary business from their office), or if they use CCTV for business or crime prevention purposes in relation to their second business, then they would still be required to pay the fee.
You can find this on the ICO website here: https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee/exemptions/
You can find more information about paying the fee in the ICO’s data protection fee guidance.
Data Protection and Casework
If you receive a casework request from a third party, perhaps a relative of your constituent, it is important to ensure that you have the consent of the constituent unless it is not reasonably possible to gain that consent. In order to safeguard an individual’s personal information and comply with the Data Protection Act 2018, many bodies will not respond if the request is made by someone other than the constituent without proof of their consent.
The House of Commons Library has a very useful briefing note on data protection and casework: ‘Data protection: constituency casework’.
When a Member retires or loses their seat, it is good practice for them to contact those constituents who have open cases, to ask them what they would like to happen to their file. Options include:
- destroying the file
- passing the file to the new Member (the constituent MUST sign a letter of authority to do this)
- passing the file to the constituent themselves
If your office has a robust data retention policy, then hopefully you should not have too many files to deal with. Please note that it is not permitted to use Parliamentary stationery for this purpose once the Member has ceased to be an MP. If the Member knows that they are retiring, letters asking for the constituents’ preference could be sent out several months before the election, so that the staff have plenty of time to prepare for any file transfers or destruction required.
When someone ceases to be a Member of Parliament, they have only four days in which to stop handling sensitive data.
Principle 5 of the Data Protection Act states that information should be kept ‘no longer than necessary’. However, it does not define what that time period should be. Some MPs like to keep files for the length of a Parliament, some even like to keep them for the whole of their Parliamentary career, but it really isn’t a good idea to keep them this long. Do you really need to keep a file on Jane Smith’s housing issue from ten or twenty years ago? We are certain that the ICO would say that this is ‘longer than necessary’. Once a case is closed, there really shouldn’t be any need to keep it longer than one year. If you use casework management software, you can set a review date, so that it will flag up on the designated date, and you can review the file and decide whether to destroy it, or retain it if it looks like the issue might return. When deleting a case on your casework management software, it is a good idea to add a note to the constituent’s profile stating the case number, a brief description of the nature of the case (one sentence, not an essay!), the date of the last action on the case and what date it was destroyed. Then, if a constituent puts in a subject access request, you can tell them that you no longer hold that file, and on what date it was destroyed.
Guidance on the Information Commissioner’s Website also counsels against keeping data for too long:
“If you are not re-elected, it is important to be aware that you only have a condition for using special category data for four days after the election”
“If you no longer have a condition for processing and you continue to do so then you are very likely to be in breach of UK GDPR.”
“As four days is such a short time frame, it is sensible to review your records containing special category data in advance where practical and not to keep casework records for longer than is necessary. This will give you time to consider what to do with each case file and consult constituents, as necessary. This is particularly sensible if you are standing down at the election.”
Be careful how you use constituents’ email addresses for political campaigning. According to advice from the Information Commissioner, you need to gain their consent before contacting them with routine newsletters and offer them an opportunity to object. See the guidance link below:
Useful links relating to Data Protection:
On the Parliamentary intranet (network account required):
Consult ParliNet for further information about data protection.
Guidance for the use of personal data by elected representatives in carrying out constituency casework
Updated 18 September 2023 to include information about changes in constituency boundaries.
Subject Access Requests
You may receive a request from a constituent asking you to provide them with any personal data that you hold about them. This is known as a Data Subject Access Request (DSAR) or a Subject Access Request (SAR) (they are the same thing) and, under the GDPR, you are legally obliged to provide this information (ensuring you redact any personal data that does not belong to the requester). Details are on ParliNet.
If the request is for any other information, you are not obliged to provide it.
You might also find our guide ‘Protocol clarified on representing constituents’ useful.
This page was last updated on 22 October 2023