Data Protection and Coronavirus


***Data Protection and Coronavirus***

At this unusual time, it is likely that Members’ offices will be receiving a higher number of calls and emails and you may have some questions around communicating with your constituents during this unprecedented health crisis. The ICO have released some guidance which you may find it useful to refer to at this time:

ICO: Data Protectiona and Coronavirus

If you have questions that are not answered in this document, please contact Emma Fyles (Members’ Support Officer, IRIS team) on x2580 or at

There is also a wealth of data protection guidance available here:

Data Protection for Commons Members and their Staff

Alternatively you can contact the ICO by calling their helpline on 0303 123 1113.

New MP? Make sure you register with the Information Commissioner.


Congratulations on being elected/re-elected to Parliament!

One of the most important things you must do right away is to register with the Information Commissioner.

It’s really easy to do, by going to their website here: and select ‘Elected representative’ from the drop-down list.  Registration is free for Members of Parliament unless they process personal data for any purpose outside of their role as an MP.  You can find further information about this here:

You can find lots of useful information about your rights and obligations under the Data Protection Act on the intranet here:


Data Protection and Freedom of Information


Data Protection 

Everyone who deals with personal information in a Member’s office has responsibility for the personal data that they handle for the Member, and must comply with the rules of the General Data Protection Regulation (GDPR) which is supplemented by the Data Protection Act 2018 (DPA).  The majority of this personal information will relate to constituency casework, but it also includes information about any identifiable individuals, such as staff and volunteers.  Parliamentary privilege does not exempt Members of Parliament from complying with the DPA with respect to constituency casework, and the requirements of the GDPR and the DPA must be observed. 

The GDPR lays down seven key principles for the handling of personal information.  The information must be: 

  1. used fairly, lawfully and transparently 
  2. used for specified, explicit purposes 
  3. used in a way that is adequate, relevant and limited to only what is necessary 
  4. accurate and, where necessary, kept up to date 
  5. kept for no longer than is necessary 
  6. handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage 
  7. handled responsibly with appropriate measures and records in place to demonstrate your compliance. 


Sharing personal data  

In order to allow an MP to fulfil their role as an elected representative, there is a separate piece of legislation – The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 that lays out the specifics around data sharing – for example, allowing Members to handle sensitive personal data (such as health information) in order to take action at the request of individuals, without having to obtain explicit, written consent from that individual. (although please note: if the wishes of the constituent are at all unclear, you should always discuss this with them!)  

The order also allows third parties (such as Government Departments or local authorities) to disclose sensitive personal data to a Member acting on behalf of a constituent where the disclosure is necessary to assist the Member in responding to the individual’s request. The condition is permissive; it does not compel third parties to disclose information to a Member and other organisations may still ask you to demonstrate that you are acting on your constituent’s behalf. 

More information about sharing personal data can be found here. 


Registration with the ICO 

The rules around ICO registration have changed. Whereas previously all Members had to register with the ICO and pay a £40 fee, from 1 April 2019 Members were exempted from paying the fee as long as any processing of personal data is done so in relation to their role as an elected representative. 

If the Member processes personal data for any purpose outside of this (for example if the Member runs a secondary business from their office) or if they use CCTV for business or crime prevention purposes in relation to their second business, then they would still be eligible to pay the fee. 

You can find more information about paying the fee in the ICO’s data protection fee guidance 


Data Protection and Casework

If you receive a casework request from a third party, perhaps a relative of your constituent, it is important to ensure that you have the consent of the constituent unless it is not reasonably possible to gain that consent.  In order to safeguard an individual’s personal information and comply with the Data Protection Act 2018, many bodies will not respond if the request is made by someone other than the constituent without proof of their consent.

The House of Commons Library has a very useful briefing note on data protection and casework here: Data protection: constituency casework 


Political campaigning

Be careful how you use constituents’ email addresses for political campaigning.  According to advice from the Information Commissioner, you need to gain their consent before contacting them with routine newsletters and offer them an opportunity to object. See the guidance link below: 


Useful links relating to Data Protection: 

On the Parliamentary intranet (network account required): 

Online training 

Introduction to General Data Protection Regulation (GDPR) for Members and their staff 

Data Protection for Members and their Staff 


Data Protection for Commons Members and their staff 

Members’ Frequently Asked Questions 

Working at home guidance for Members and their staff 

A letter dated 7 January 2020 from the Information Commissioner setting out MPs’ obligations under the Data Protection Act 2018. 

Commons Library Briefing: Data protection: constituency casework 

Guidance on writing a Privacy Notice 

Guidance on how to deal with a Subject Access Request 

Guidance on Data Storage 

External links: 

ICO: Data Protection and Coronavirus 

Data Protection – 

Guidance on political campaigning 


Requests for access to information 

You may receive a request from a constituent asking for you to provide them with any personal data that you hold about them. This is known as a Data Subject Access Request (DSAR) and, under the GDPR you are legally obliged to provide this information (ensuring you redact any personal data that does not belong to the requester). More information about handling this type of request can be found here.

If the request is for any other information, you are not obliged to provide it. 

The Freedom of Information Act 2000 (FOIA) only applies to public authorities, and Members of Parliament are not public authorities for the purposes of FOIA. The Member can choose to provide information voluntarily if it is felt that it is reasonable and appropriate to do so. You may also refer the requester to a public authority that does hold the information. 

The House of Commons and the Independent Parliamentary Standards Authority (IPSA) are both public authorities for the purposes of the FOIA. This applies to information that they hold in their own right about Members. However, it does not apply to information held by Members regarding their Parliamentary and constituency capacities which is stored physically or electronically at the House of Commons. 

Further guidance on Freedom of Information requests can be found here.

For general information and guidance on Freedom of Information, Data Protection and Information Security, see here:

You might also find useful our guide ‘Protocol clarified on representing constituents‘. 



This page was last updated on 20 August 2020