Everyone who deals with personal information in a Member’s office has responsibility for the personal data that they handle for the Member, and must comply with the rules of the General Data Protection Regulation (GDPR), which is supplemented by the Data Protection Act 2018 (DPA). The majority of this personal information will relate to constituency casework, but it also includes information about any identifiable individuals, such as staff and volunteers. Parliamentary privilege does not exempt Members of Parliament from complying with the DPA with respect to constituency casework, and the requirements of the GDPR and the DPA must be observed.
The GDPR lays down seven key principles for the handling of personal information. The information must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
- handled responsibly with appropriate measures and records in place to demonstrate your compliance
Sharing personal data
In order to allow an MP to fulfil their role as an elected representative, there is a separate piece of legislation, The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002, that lays out the specifics around data sharing. For example, it allows Members to handle sensitive personal data (such as health information) in order to take action at the request of individuals, without having to obtain explicit, written consent from that individual. Please note, however: if the wishes of the constituent are at all unclear, you should always discuss this with them!
The order also allows third parties (such as Government Departments or local authorities) to disclose sensitive personal data to a Member acting on behalf of a constituent where the disclosure is necessary to assist the Member in responding to the individual’s request. The condition is permissive; it does not compel third parties to disclose information to a Member and other organisations may still ask you to demonstrate that you are acting on your constituent’s behalf.
Registration with the ICO
The rules around ICO registration have changed. Whereas previously all Members had to register with the ICO and pay a £40 fee, from 1 April 2019 Members were exempted from paying the fee as long as any processing of personal data is done in relation to their role as an elected representative.
If the Member processes personal data for any purpose outside of this (for example, if the Member runs a secondary business from their office), or if they use CCTV for business or crime prevention purposes in relation to their second business, then they would still be liable to pay the fee.
You can find more information about paying the fee in the ICO’s data protection fee guidance.
Data Protection and Casework
If you receive a casework request from a third party, perhaps a relative of your constituent, it is important to ensure that you have the consent of the constituent unless it is not reasonably possible to gain that consent. In order to safeguard an individual’s personal information and comply with the Data Protection Act 2018, many bodies will not respond if the request is made by someone other than the constituent without proof of their consent.
The House of Commons Library has a very useful briefing note on data protection and casework here: Data protection: constituency casework
Be careful how you use constituents’ email addresses for political campaigning. According to advice from the Information Commissioner, you need to gain their consent before contacting them with routine newsletters and offer them an opportunity to object. See the guidance link below:
Useful links relating to Data Protection:
On the Parliamentary intranet (network account required):
A letter dated 7 January 2020 from the Information Commissioner setting out MPs’ obligations under the Data Protection Act 2018.
Commons Library Briefing: Data protection: constituency casework
Requests for access to information
You may receive a request from a constituent asking you to provide them with any personal data that you hold about them. This is known as a Data Subject Access Request (DSAR) and, under the GDPR, you are legally obliged to provide this information (ensuring you redact any personal data that does not belong to the requester). More information about handling this type of request can be found here.
If the request is for any other information, you are not obliged to provide it.
The Freedom of Information Act 2000 (FOIA) only applies to public authorities, and Members of Parliament are not public authorities for the purposes of FOIA. The Member can choose to provide information voluntarily if it is felt that it is reasonable and appropriate to do so. You may also refer the requester to a public authority that does hold the information.
The House of Commons and the Independent Parliamentary Standards Authority (IPSA) are both public authorities for the purposes of the FOIA. This applies to information that they hold in their own right about Members. However, it does not apply to information held by Members regarding their Parliamentary and constituency capacities which is stored physically or electronically at the House of Commons.
For general information and guidance on Freedom of Information, Data Protection and Information Security, see here: https://www.parliament.uk/site-information/foi/
You might also find our guide ‘Protocol clarified on representing constituents’ useful.
This page was last updated on 20 August 2020