This page last updated: 12 March 2016
Everyone who deals with personal information in a Member’s office has responsibility for the personal data that they handle for the Member, and must comply with the rules of the Data Protection Act 1998 (DPA). The majority of this personal information will relate to constituency casework, but it includes information about any identifiable individuals, such as staff and volunteers. Parliamentary privilege does not exempt Members of Parliament from complying with the DPA with respect to constituency casework, and the requirements of the Act must be observed.
The DPA lays down eight key principles for the handling of personal information, and outlines certain conditions that must be met before personal data can be processed. These conditions are even stricter if sensitive personal data (e.g. health information) is to be processed. However, the DPA is not there to add unnecessary bureaucracy or to prevent you from doing the right thing. It is a legal framework which can benefit you and constituents and facilitate effective and well-organised casework.
Useful guidance on data protection can be found in the booklet entitled ‘Advice for Members and their staff Data Protection Act 1998: Personal information about constituents and others’ . This booklet contains good office practice suggestions to assist in complying with the Data Protection Act and explains, in detail, the three key obligations:
- Registering with the Information Commissioner’s Office
- Abiding by the data protection principles
- Allowing people to exercise their rights.
NB: the first obligation which must be complied with is registering with the Information Commissioner’s Office. This should be done as soon as possible. See the guidance booklet above for a guide on how to do this.
Be careful how you use constituents’ email addresses for political campaigning. According to advice from the Information Commissioner, you need to gain their consent before contacting them with routine newsletters and offer them an opportunity to object. See the guidance link below:
Requests for access to information
If your Member receives a request from an individual for access to personal information about themselves, then you must consider the request under the DPA. Guidance on this is available in the booklet referred to above.
If the request is for any other information, you are not obliged to provide it.
The Freedom of Information Act 2000 (FOIA) only applies to public authorities, and Members of Parliament are not public authorities for the purposes of FOIA. The Member can choose to provide information voluntarily if it is felt that it is reasonable and appropriate to do so. You may also refer the requester to a public authority that does hold the information.
The House of Commons and the Independent Parliamentary Standards Authority (IPSA) are both public authorities for the purposes of the FOIA. This applies to information that they hold in their own right about Members. However, it does not apply to information held by Members regarding their Parliamentary and constituency capacities which is stored physically or electronically at the House of Commons.
Further guidance on the rights of access under FOIA and DPA can be found in section 3 of the booklet referred to above.
For general information and guidance on Freedom of Information, Data Protection and Information Security, see:
- http://www.parliament.uk/site_information/foi.cfm (external web-pages)
- http://intranet.parliament.uk/offices-departments/iris/ (internal web-pages)
For further Data Protection guidance for Members, see:
- http://www.parliament.uk/site_information/foi/data_protection/commons_data_protection.cfm (external web-pages)
- http://intranet.parliament.uk/legal-advice/data-protection (internal web-pages)
You might also find useful our guide ‘Protocol clarified on representing constituents‘.
If you spot things which need updating or amending anywhere in this new guide,
let us know by using the Feedback link at the bottom of this page.