Menu
UK Parliament

Privacy notice for current and former staff of Members of Parliament

This privacy notice provides general information about how we collect and use the personal data of current and former staff of Members (and former Members) of Parliament.

In this privacy notice, references to ‘us’, ‘our’ or ‘we’ are to the House of Commons Administration. References to ‘you’ are to current and former staff of Members (and former Members) of Parliament. Everything that we do with your data – for example, collecting, storing, sharing or deleting it – is referred to as ‘processing’.

This notice will be reviewed periodically and, if necessary, updated.

Other privacy notices may also apply when you engage directly with certain services. These will be provided directly by the service area and will explain how personal data is used in relation to specific circumstances (e.g. in the cases of Parliamentary Security Vetting or the Independent Complaints and Grievance Scheme).

About us

The Corporate Officer of the House of Commons (who is the Clerk of the House) is the controller of any personal data processed as described in this privacy notice.

The House of Commons Data Protection Officer is the Head of Information Compliance. Contact details for them can be found at the end of this notice.

The personal data we process

We may process the following personal data of current and former staff of Members (and former Members) of Parliament:

  • names, addresses and personal contact details
  • passport details and any related travel information
  • personal data you have provided for the purpose of obtaining guidance and support on employment matters
  • information about medical conditions, your health or wellbeing
  • payment card details
  • photographs, images, videos, voice recordings and CCTV, including recordings of meetings, training or briefings you attend (in which case you will be informed prior to the start of recording)
  • opinions about the services provided by the House
  • personal data in relation to any complaints and investigations process
  • personal data relevant to registration of interests
  • personal data required to provide security measures, such as your access and use of the facilities on the parliamentary estate and/or systems on the parliamentary network
  • if you require a parliamentary pass, personal data required for security vetting

How we collect your personal data

Your personal data is provided to us by:

  • You, when you contact us (online, by post, in person or by other means), or you access or use the parliamentary estate or parliamentary services
  • The Member of Parliament who employs you, when they contact us online, by post, in person or by other means
  • Third parties who may contact us about you, such as the Independent Parliamentary Standards Authority (IPSA)
  • Sources in the public domain (for example, from social media)

Purposes of the processing

The processing of your personal data is necessary for the following purposes:

  • to enable the provision of services to you
  • to enable the provision of services to the Member of Parliament who employs you (or formerly employed you)
  • to enable the provision of services to any former Member of Parliament who employed you
  • to collect feedback, process complaints about and make improvements to those services
  • to run surveys about the experiences of Members’ staff
  • to support the functioning of Parliament and enable Members’ participation in proceedings
  • to register your interests and those of the Member who employs you
  • to help ensure the security of the parliamentary estate and people on it
  • to implement security measures to help protect you and the Member who employs you, away from the estate, where they have been requested
  • to report and take remedial action in relation to health and safety incidents
  • to enable business continuity activities
  • to enable us to fulfil our legal obligations

Without your personal data, the extent to which each of these purposes can be fulfilled may be affected.

The lawful basis of the processing

In order to process your personal data, we must have a ‘lawful basis’. The lawful bases are set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The lawful bases for processing your personal data will depend on the specific reason we have collected it. The relevant lawful bases for the purpose of your personal data are:

  • UK GDPR Article 6(1)(a) – we have your consent
  • UK GDPR Article 6(1)(b) – the processing is necessary in relation to a contract we have with you (or are entering into)
  • UK GDPR Article 6(1)(c) – the processing is necessary for us to comply with the law
  • UK GDPR Article 6(1)(e) – the processing is necessary for the performance of a public task, which includes the exercise of a function of either House of Parliament (DPA 2018 Section 8), or where the processing is in the public interest
  • UK GDPR Article 6 (1)(f) – the processing is necessary for the purposes of our legitimate interests pursued or those of a third party, when balanced against your rights and interests

Our legitimate interest when processing your personal data under UK GDPR Article 6(1)(f) is in providing advice, assistance or services, which in turn supports you in your role working for a Member or which supports the Member who employs you. The following situations are examples in which the lawful basis for processing your personal data is this legitimate interest:

  • The Parliamentary Digital Service holds information about what IT equipment they have issued you
  • The House of Commons Library processes personal data about you in order to respond to enquiries you submit to them
  • The Accommodation team holds personal data about enquiries they receive relating to offices and other spaces on the estate
  • The Members’ and Members’ Staff Services engagement team holds personal data about enquiries they receive in order to provide induction and pastoral support
  • The Members’ HR Advice Service may process your personal data if the Member or their HR proxy seeks advice from the Service about the handling of an employment matter

A further ‘condition for processing’ is required when processing special categories of personal data. Special categories include racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and information about sex life or sexual orientation. The conditions for processing are set out in the UK GDPR and the DPA 2018.

The conditions for processing your special category personal data are:

  • you have provided your explicit consent (UK GDPR Article 9(2)(a))
  • processing relates to personal data which you have manifestly made public (UK GDPR Article 9(2)(e))
  • processing is necessary for the establishment, exercise or defence of legal claims (UK GDPR Article 9(2)(f))
  • processing is necessary for reasons of substantial public interest (UK GDPR Article 9(2)(g), including the conditions set out in Schedule 1, Part 2 of the DPA 2018)

In accordance with the DPA 2018, our policy for processing special category data can be found on our website: https://www.parliament.uk/site-information/data-protection/commons-data-protection-information.

Other lawful bases and conditions for processing may apply if the processing of personal data is necessary in emergency circumstances, for example, to protect an individual’s vital interests or for the provision of health or medical services.

Who we share your personal data with

Where necessary, we may share your personal data with or disclose it to:

  • the general public, for example in the Register of Interests of Members' Secretaries and Research Assistants.
  • providers of goods and services contracted by the House, such as pensions providers, IT suppliers and travel service providers.
  • the Police, in order to assess and mitigate security risks to the parliamentary estate and people on it.
  • other public sector bodies, such as the House of Lords Administration, the Independent Parliamentary Standards Authority (IPSA), the Restoration and Renewal Delivery Authority, and government departments or agencies. For example, to provide services to you and the Member who employs you.

We will never share or sell your personal data to other organisations for direct marketing purposes.

Storage of your personal data

We will retain your personal data for as long as is necessary for the purpose it was collected. The length of time personal data is retained for differs dependent on the purpose of collection as well as any relevant legal requirements. The applicable retention period can be found in the Authorised Retention and Disposal Policy (ARDP), which is Parliament’s information disposal policy. The ARDP can be found on our website: https://www.parliament.uk/business/publications/parliamentary-archives/who-we-are/information-records-management-service/.

We take the security of your data seriously. All personal data you provide to us, whether electronically or in paper form, will be stored securely in accordance with our policies. We have information security measures in place to oversee the effective and secure processing of it.

Some personal data controlled by us is held outside the UK, including on data servers in the European Economic Area (EEA). For the purposes of the UK GDPR and the DPA 2018, all countries within the EEA are regarded as providing an adequate level of data protection. We would not transfer personal data to a person in a country outside the UK or EEA unless satisfied that that person and country had safeguards in place to protect personal data.

Your rights

Data protection laws provide you with rights over the personal data you provide us. Subject to limited exceptions, these are:

  • Where we are relying on your consent to process your personal data, you can withdraw that consent or unsubscribe from our services
  • The right to access your personal data
  • The right to rectification of your personal data
  • The right to erasure of your personal data
  • The right to restrict the processing of your personal data if you object to us doing so
  • The right to object to the processing of your personal data
  • The right to portability of your personal data
  • Rights in relation to automated decision-making and profiling

You can contact us if you wish to exercise any of these rights. Contact details can be found at the end of this notice.

Please note that formal individual rights requests are managed by the House of Commons Information Compliance Service. They will retain your request, including any relevant personal data, to demonstrate that we have met our legal obligations under the data protection laws. These records are retained according to the ARDP.

Contact details

If you have any concerns relating to the use of your personal data, please contact the relevant service area in the first instance.

If you have any further questions about the use of your personal data, please contact the relevant Data Protection Officer:

You also have the right to complain to the Information Commissioner’s Office, the supervisory authority, by contacting them: www.ico.org.uk/global/contact-us/.

Further information about data protection in Parliament can be found on our website: https://www.parliament.uk/site-information/data-protection/.

Version 4.0 – applies from 29/05/2024