
Privacy notice for current and former Members

This privacy notice provides general information about how we collect and use the personal data of current and former Members of the House of Commons.

In this privacy notice, references to ‘we’, ‘our’ or ‘us’ are to the House of Commons Administration. Everything that we do with your personal data – for example, collecting, storing, using, sharing or deleting it – is referred to as ‘processing’. References to ‘you’ are to current and former Members of Parliament.

This notice will be reviewed periodically and, if necessary, updated.

Other privacy notices may also apply when you engage directly with certain services. These will be provided directly by the service area and will explain how personal data is used in relation to specific circumstances (e.g. in the cases of the Parliamentary Health and Wellbeing Service or the Independent Complaints and Grievance Scheme).

About us

The Corporate Officer of the House of Commons (who is the Clerk of the House) is the controller of any personal data processed as described in this privacy notice.

The House of Commons Data Protection Officer is the Head of Information Compliance. Contact details for them can be found at the end of this notice.

The personal data we process

We may process the following personal data of current and former Members:

  • names, addresses and personal contact details
  • bank account and credit card details
  • passport details and any related travel information
  • photographs, images, videos, voice recordings and CCTV
  • biographical information, and in some cases details of spouses and children
  • data concerning a Member’s health or personal circumstances
  • opinions about the services provided by the House, for engagement, training, feedback and survey purposes
  • personal data required to provide security measures
  • personal data relevant to registration of interests
  • personal data in relation to any complaints or investigation process
  • other personal data that you may share when you contact us by letter, email, phone or other means

How we collect your personal data

Your personal data is provided to us by:

  • You, when you contact us (online, by post, in person or by other means), or you access or use the parliamentary estate or parliamentary services
  • Members of your staff, when they contact us online, by post, in person or by other means
  • Third parties who may contact us about you
  • Sources in the public domain (for example, for the purposes of assessing security risks to current and former Members or for compiling biographical research)

Purposes of the processing

The processing of your personal data is necessary for the following purposes:

  • to enable the provision of services to current and former Members and for the improvement of those services
  • to support the functioning of Parliament and enable Members’ participation in proceedings
  • to identify, assess and mitigate security risks to current and former Members
  • to report and take remedial action in relation to health and safety incidents
  • to explain and promote the work of Members and of Parliament
  • to enable the House to fulfil its legal obligations to Members, House staff and others (for example in relation to health and safety)

Without your personal data, the extent to which each of these purposes can be fulfilled may be affected.

The lawful basis of the processing

In order to process your personal data, we must have a ‘lawful basis’. The lawful bases are set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The lawful bases for processing your personal data will depend on the specific reason we have collected it. The relevant lawful bases for the processing of your personal data are:

  • UK GDPR Article 6(1)(a) – we have your consent
  • UK GDPR Article 6(1)(b) – the processing is necessary in relation to a contract we have with you (or are entering into)
  • UK GDPR Article 6(1)(c) – the processing is necessary for us to comply with the law
  • UK GDPR Article 6(1)(e) – the processing is necessary for the performance of a public task, which includes the exercise of a function of either House of Parliament (DPA 2018 Section 8), or where the processing is in the public interest
  • UK GDPR Article 6(1)(f) – the processing is necessary for the purposes of our legitimate interests or those of a third party, when balanced against your interests and rights

Our legitimate interest when processing your personal data under UK GDPR Article 6(1)(f) is in providing advice, assistance or services, which in turn supports you in your role as Members or employers. The following situations are examples in which the lawful basis for processing your personal data is this legitimate interest:

  • The Parliamentary Digital Service holds personal data about which Members have IT equipment that it has issued
  • The House of Commons Library processes personal data about you in order to respond to enquiries you submit to them
  • The Accommodation team holds personal data about enquiries they receive relating to offices and other spaces on the estate
  • The Members' HR Advisory Service will process information you give them about HR cases in order to provide you with advice

A further ‘condition for processing’ is required when processing special categories of personal data. Special categories include racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and information about sex life or sexual orientation. The conditions for processing are set out in the UK GDPR and the DPA 2018.

The conditions for processing your special category personal data are:

  • you have provided your explicit consent (UK GDPR Article 9(2)(a))
  • processing relates to personal data which are manifestly made public by the data subject (UK GDPR Article 9(2)(e))
  • processing is necessary for the establishment, exercise or defence of legal claims (UK GDPR Article 9(2)(f))
  • processing is necessary for reasons of substantial public interest (UK GDPR Article 9(2)(g)) including the conditions set out in Schedule 1, Part 2 of the DPA 2018
  • processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis or the provision of health care or treatment (UK GDPR Article 9(2)(h) and Schedule 1 of the DPA 2018)

In accordance with the DPA 2018, our policy for processing special category data can be found on our website: https://www.parliament.uk/site-information/data-protection/commons-data-protection-information.

Other lawful bases and conditions for processing may apply if the processing of personal data is necessary in emergency circumstances, for example, to protect an individual’s vital interests or for the provision of health or medical services.

Who we share your personal data with

Where necessary, we may share your personal data with or disclose it to:

  • the general public, for example via the internet or in a media notice, about a Member’s participation in the work of the House of Commons.
  • providers of goods and services contracted by the House. For example, for the provision of security services, health and wellbeing and training services.
  • the Police, in order to assess and mitigate security risks to current and former Members and to co-operate with enquiries.
  • other organisations, such as the House of Lords Administration, the Independent Parliamentary Standards Authority (IPSA), the Restoration and Renewal Delivery Authority, and government departments or agencies. For example, to facilitate the provision of services to current and former Members.
  • other organisations where there is a legal obligation to do so.

We may also disclose personal data of yours to the general public where there is a legal requirement to do so under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004. Where appropriate, we will notify you of the disclosure before it takes place.

We will never share or sell your personal data to other organisations for direct marketing purposes.

Storage of your personal data

We will retain your personal data for as long as is necessary for the purpose it was collected. The length of time for which personal data is retained differs depending on the purpose of its collection as well as any relevant legal requirements. The applicable retention period can be found in the Authorised Retention and Disposal Policy (ARDP), which is Parliament’s information disposal policy. The ARDP can be found on our website: https://www.parliament.uk/business/publications/parliamentary-archives/who-we-are/information-records-management-service/.

We take the security of your data seriously. All personal data you provide to us, whether electronically or in paper form, will be stored securely in accordance with our policies. We have information security measures in place to oversee the effective and secure processing of it.

Some personal data controlled by us is held outside the UK, including on data servers in the European Economic Area (EEA). For the purposes of the UK GDPR and the DPA 2018, all countries within the EEA are regarded as providing an adequate level of data protection. We would not transfer personal data to a person in a country outside the UK or EEA unless satisfied that that person and country had safeguards in place to protect personal data.

Your rights

Data protection laws provide you with rights over the personal data we hold about you. Subject to limited exceptions, these are:

  • Where we are relying on your consent to process your personal data, you can withdraw that consent or unsubscribe from our services
  • The right to access your personal data
  • The right to rectification of your personal data
  • The right to erasure of your personal data
  • The right to restrict the processing of your personal data if you have an objection to us doing so
  • The right to object to the processing of your personal data
  • The right to portability of your personal data
  • Rights in relation to automated decision-making and profiling

You can contact us if you wish to exercise any of these rights. Contact details can be found at the end of this notice.

Please note that formal individual rights requests are managed by the House of Commons Information Compliance Service. They will retain your request, including any relevant personal data, to demonstrate that we have met our legal obligations under the data protection laws. These records are kept securely for two years.

Contact details

If you have any concerns relating to the use of your personal data please contact the relevant service area in the first instance.

If you have any further questions about the use of your personal data, please contact the Data Protection Officer:

You also have the right to complain to the Information Commissioner’s Office, the supervisory authority, by contacting them: www.ico.org.uk/global/contact-us/.

Further information about data protection in Parliament can be found on our website: https://www.parliament.uk/site-information/data-protection/.

Version 5.0 – applies from 16/02/2024