All MP staff virtual Q&A – Data Protection and GDPR


Time: 12:00 – 13:00
Date: Friday 26 March 2021
Where: Online – MS Teams

Stacey Pereira from the Information Rights and Information Security (IRIS) service team will speak at the March All MP staff Q&A session, taking place Friday 26 March 12-1pm.

There will also be talks from the Education and Engagement Outreach team to let you know what they can offer to you, and the R&R team will be providing an update on the upcoming works and moves on the Parliamentary estate.

If you would like to register a question ahead of the event, please email You will also be given the opportunity to ask questions during the session.

To book to join this session, please click here:

Data Protection


Data Protection 

Everyone who deals with personal information in a Member’s office has responsibility for the personal data that they handle for the Member, and must comply with the rules of the General Data Protection Regulation (GDPR) which is supplemented by the Data Protection Act 2018 (DPA).  The majority of this personal information will relate to constituency casework, but it also includes information about any identifiable individuals, such as staff and volunteers.  Parliamentary privilege does not exempt Members of Parliament from complying with the DPA with respect to constituency casework, and the requirements of the GDPR and the DPA must be observed. 

The GDPR lays down seven key principles for the handling of personal information.  The information must be: 

  1. used fairly, lawfully and transparently 
  2. used for specified, explicit purposes 
  3. used in a way that is adequate, relevant and limited to only what is necessary 
  4. accurate and, where necessary, kept up to date 
  5. kept for no longer than is necessary 
  6. handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage 
  7. handled responsibly with appropriate measures and records in place to demonstrate your compliance. 


Sharing personal data  

In order to allow an MP to fulfil their role as an elected representative, there is a separate piece of legislation – The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 – that lays out the specifics around data sharing. For example, it allows Members to handle sensitive personal data (such as health information) in order to take action at the request of an individual, without having to obtain explicit, written consent from that individual. Please note, however, that if the wishes of the constituent are at all unclear, you should always discuss this with them first.

The order also allows third parties (such as Government Departments or local authorities) to disclose sensitive personal data to a Member acting on behalf of a constituent where the disclosure is necessary to assist the Member in responding to the individual’s request. The condition is permissive; it does not compel third parties to disclose information to a Member and other organisations may still ask you to demonstrate that you are acting on your constituent’s behalf. 

More information about sharing personal data can be found here. 


Registration with the ICO 

From 1 April 2019, Members of Parliament do not need to register with the ICO or pay the data protection fee for processing carried out in their capacity as an elected representative. This includes using CCTV in relation to their functions as an elected representative, e.g. a video entry doorbell or CCTV for safety and security purposes.

However, if the Member processes personal data for any purpose outside of their role as an elected representative (for example, if the Member runs a secondary business from their office), or if they use CCTV for business or crime prevention purposes in relation to that secondary business, then they would still be required to pay the fee.

You can find this on the ICO website here:

You can find more information about paying the fee in the ICO’s data protection fee guidance 

FAQs for Parliamentarians –


Data Protection and Casework

If you receive a casework request from a third party, perhaps a relative of your constituent, it is important to ensure that you have the consent of the constituent unless it is not reasonably possible to gain that consent.  In order to safeguard an individual’s personal information and comply with the Data Protection Act 2018, many bodies will not respond if the request is made by someone other than the constituent without proof of their consent.

The House of Commons Library has a very useful briefing note on data protection and casework here: Data protection: constituency casework 

When a Member retires or loses their seat, it is good practice for them to contact those constituents who have open cases, to ask them what they would like to happen to their file.  Options include:

  • destroying the file
  • passing the file to the new Member (the constituent MUST sign a letter of authority to do this)
  • passing the file to the constituent themselves 

If your office has a robust data retention policy, you should not have too many files to deal with.  Please note that it is not permitted to use Parliamentary stationery for this purpose once the Member has ceased to be an MP.  If the Member knows that they are retiring, letters asking for the constituents’ preference can be sent out several months before the election, so that staff have plenty of time to prepare for any file transfers or destruction required.

When someone ceases to be a Member of Parliament, they have only four days in which to stop handling sensitive data.


Data Retention

Principle 5 of the Data Protection Act states that information should be kept ‘no longer than necessary’.  However, it does not define what that time period should be.  Some MPs like to keep files for the length of a Parliament, and some even keep them for the whole of their Parliamentary career, but it really isn’t a good idea to keep them this long.  Do you really need to keep a file on Jane Smith’s housing issue from ten or twenty years ago?  We are certain that the ICO would say that this is ‘longer than necessary’.  Once a case is closed, there really shouldn’t be any need to keep it for longer than one year.

If you use casework management software, you can set a review date, so that the case is flagged on the designated date and you can review the file and decide whether to destroy it, or retain it if it looks like the issue might return.

When deleting a case in your casework management software, it is a good idea to add a note to the constituent’s profile stating the case number, a brief description of the nature of the case (one sentence, not an essay!), the date of the last action on the case and the date it was destroyed.  Then, if the constituent puts in a subject access request, you can tell them that you no longer hold that file, and on what date it was destroyed.
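The review-date and disposal-note routine described above, as an added example that is not part of the original page and not the code of any casework management product. It assumes a one-year default retention after closure (the figure the guidance suggests), lets a later review date be set when an issue might return, refuses to destroy an open case, and leaves only a one-line disposal record on the constituent’s profile so a later subject access request can be answered. All names, case numbers and dates are constructed sample data.

```python
"""Retention review with disposal records for constituency casework.

Added example (not from the original page or any casework product).
All names, case numbers and dates are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

DEFAULT_RETENTION = timedelta(days=365)  # assumption: one year after closure


@dataclass
class Case:
    case_id: str
    summary: str                        # one sentence, not an essay
    last_action: date
    closed_on: Optional[date] = None    # None while the case is still open
    review_on: Optional[date] = None    # explicit later review date, if set
    contents: str = ""                  # the file itself (correspondence etc.)

    def review_date(self) -> Optional[date]:
        """Open cases never fall due; closed ones default to one year."""
        if self.closed_on is None:
            return None
        return self.review_on or (self.closed_on + DEFAULT_RETENTION)


@dataclass
class DisposalRecord:
    """The only thing kept once a file has been destroyed."""
    case_id: str
    summary: str
    last_action: date
    destroyed_on: date


@dataclass
class ConstituentProfile:
    name: str
    cases: Dict[str, Case] = field(default_factory=dict)
    disposals: List[DisposalRecord] = field(default_factory=list)


def cases_due_for_review(profile: ConstituentProfile, today: date) -> List[str]:
    """Case IDs whose review date has arrived, ready to be flagged to staff."""
    due = []
    for case in profile.cases.values():
        when = case.review_date()
        if when is not None and when <= today:
            due.append(case.case_id)
    return sorted(due)


def defer_review(profile: ConstituentProfile, case_id: str, until: date) -> None:
    """Retain a closed file past the default period because the issue may return."""
    profile.cases[case_id].review_on = until


def destroy_case(profile: ConstituentProfile, case_id: str, today: date) -> DisposalRecord:
    """Delete the file and leave only the note a subject access answer needs."""
    case = profile.cases[case_id]
    if case.closed_on is None:
        raise ValueError(f"{case_id} is still open and must not be destroyed")
    del profile.cases[case_id]
    record = DisposalRecord(case.case_id, case.summary, case.last_action, today)
    profile.disposals.append(record)
    return record


def subject_access_answer(profile: ConstituentProfile) -> dict:
    """What the office can tell the constituent: files held, files destroyed."""
    return {
        "held": sorted(profile.cases),
        "destroyed": [
            f"{d.case_id}: {d.summary}; last action {d.last_action:%d %B %Y}; "
            f"destroyed {d.destroyed_on:%d %B %Y}"
            for d in profile.disposals
        ],
    }


def sample_profile() -> ConstituentProfile:
    """Constructed data: one old closed case, one recent closed case, one open."""
    p = ConstituentProfile("Jane Smith")
    p.cases["C-1001"] = Case("C-1001", "Housing repair complaint", date(2019, 11, 5),
                             closed_on=date(2019, 11, 5), contents="letters to council")
    p.cases["C-1002"] = Case("C-1002", "Passport renewal delay", date(2020, 9, 1),
                             closed_on=date(2020, 9, 14))
    p.cases["C-1003"] = Case("C-1003", "Benefits appeal", date(2021, 2, 10))
    return p


if __name__ == "__main__":
    today = date(2021, 2, 14)
    profile = sample_profile()
    for case_id in cases_due_for_review(profile, today):
        destroy_case(profile, case_id, today)
    print(subject_access_answer(profile))
```

Running the example on 14 February 2021 flags only the housing case closed in November 2019; after it is destroyed the profile still answers a subject access request with the case number, one-line summary, last-action date and destruction date, but holds none of the file’s contents.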


Political campaigning

Be careful how you use constituents’ email addresses for political campaigning.  According to advice from the Information Commissioner, you need to gain their consent before contacting them with routine newsletters and offer them an opportunity to object. See the guidance link below:


Useful links relating to Data Protection: 

On the Parliamentary intranet (network account required): 

Online training 

Introduction to General Data Protection Regulation (GDPR) for Members and their staff 

Data Protection for Members and their Staff 


Data Protection for Commons Members and their staff 

Members’ Frequently Asked Questions 

Frequently Asked Questions (different page)

Working at home guidance for Members and their staff 

A letter dated 7 January 2020 from the Information Commissioner setting out MPs’ obligations under the Data Protection Act 2018. 

Commons Library Briefing: Data protection: constituency casework 

Guidance on writing a Privacy Notice 

Guidance on how to deal with a Subject Access Request 

Guidance on Data Storage 

External links: 

IPSA – Information Commissioner’s Fee

ICO: Data Protection and Coronavirus 

Data Protection – 

Guidance on political campaigning 


Subject Access Requests

You may receive a request from a constituent asking you to provide them with any personal data that you hold about them. This is known as a Data Subject Access Request (DSAR) and, under the GDPR, you are legally obliged to provide this information, without undue delay and normally within one month of receiving the request, ensuring you redact any personal data that does not belong to the requester. More information about handling this type of request can be found here.

If the request is for any other information, you are not obliged to provide it. 

Further Information

You might also find our guide ‘Protocol clarified on representing constituents’ useful.

This page was last updated on 14 February 2021