Menu
UK Parliament

House of Commons privacy notice for current and former staff and contractors

This privacy notice provides general information about how we collect and use the personal data of staff and contractors.

It applies to the following groups, whether current or former:

  • employees of the House of Commons, Parliamentary Digital Service (PDS) or the Restoration and Renewal Client Team
  • members of agency staff, contractors or consultants
  • secondees or individuals ‘on loan’ to the House
  • interns or individuals on a work experience or sandwich placement
  • volunteers
  • non-executive directors, specialist advisers or similar

In this privacy notice, references to ‘we’, ‘our’ and ‘us’ are to the House of Commons. Everything that we do with your personal data – for example, collecting, storing, using, sharing or deleting it – is referred to as ‘processing’. References to ‘you’ are to any of the groups in the list above.

This privacy notice applies to information we process both during and after your time with the House of Commons, PDS or the Restoration and Renewal Client Team, including any future changes to details we currently hold.

This notice will be reviewed periodically and, if necessary, updated.

Other privacy notices may also apply when you engage directly with certain services. These will be provided directly by the service area and will explain how personal data is used in relation to specific circumstances (for example, in the cases of the Parliamentary Health and Wellbeing Service or the Independent Complaints and Grievance Scheme).

About Us

The Corporate Officer of the House of Commons (a role performed by the Clerk of the House) is the controller of any personal data processed as described in this privacy notice.

The House of Commons Data Protection Officer is the Head of Information Compliance. Their contact details can be found at the end of this notice.

In some instances, we process personal data jointly with the House of Lords. In these cases, the Corporate Officer of the House of Commons and the Corporate Officer of the House of Lords (a role performed by the Clerk of the Parliaments) act as joint controllers.

The personal data we process about you

The personal data we process about you may include, where necessary:

  • Your name, address and contact details
  • Your date of birth, sex, and National Insurance number
  • Information about your marital status, next-of-kin, dependents and emergency contact details
  • Personal requirements or preferences such as dietary, access or religious needs
  • Your job title, the terms and conditions of your employment, details of your qualifications, skills, experience, references, education and employment history
  • Information about your nationality and entitlement to work in the UK, such as photographic identification to use as evidence of residency
  • Information about your pay, including entitlement to benefits such as pensions, details of your bank account and any subscription to trade unions
  • Information about any expenses you claim, such as your travel and meals
  • Information about medical or health conditions, including whether or not you have a disability or need and, if you do, the nature of the disability or need
  • Information relating to any health or safety incidents you are involved in
  • If you are a senior member of staff or a non-executive director, information from your social media accounts where required for completing pre-employment checks
  • Photographic identification, such as copies of passports or driving licences for security verification purposes
  • Security clearance details including basic checks and higher security clearance details according to your role, information about any criminal convictions you declare, and information needed in relation to security clearance or criminal records checks permitted by law
  • Details of your days of work, working hours, rostering and attendance at work
  • Details of periods of leave you take, including the reasons for the leave
  • Training, talent management, coaching records, assessments and evidence of your performance, and records of membership of any professional bodies
  • Personal data (and special category data where necessary) required for benchmarking, workforce planning or any assessment of the availability of staff to maintain and run parliamentary functions
  • Photographs of you in connection with your work, for example in relation to an accident at work or for use in internal and external communications and publications
  • Audio and visual recordings of meetings or events, where you appear (the recording of which you will be informed about prior)
  • If you consent to sharing it with us, diversity monitoring information about you, including your age range, geographical region, education history, employment and socio-economic status and background, racial or ethnic origin, religious or philosophical beliefs, health or medical conditions, sex and gender identity, and your sexual orientation
  • Information for the Register of Staff Interests, including any secondary employment, political declarations, conflict of interest declarations or gift declarations
  • Details of any disciplinary or grievance procedures in which you have been involved
  • Personal data used in relation to any complaints, disciplinary or grievance process, including information relating to any restrictions on access to services that may result from complaints
  • Whistleblowing concerns you raise, or to which you may be a party or witness
  • Your access and use of the parliamentary estate, including images captured by the security cameras and data capturing your movements via pass readers and electronic keys
  • Your access and use of the parliamentary devices and services, including monitoring in relation to acceptable use policies
  • Your payment card details, for example when you make a purchase at a catering venue
  • Your experiences of and opinions about House services or our workplace, for example when giving feedback, making a complaint, or responding to a staff survey
  • Details required for inclusion in staff recognition and reward schemes or the referral for an honour, such as the reasons for being nominated
  • Other personal data that you may share when you contact us by letter, email, phone or other means

How we collect your personal data

Your personal data is provided to us:

  • when your relationship with us starts, such as onboarding in the case of employment
  • subsequently, in a variety of ways such as correspondence with you, forms, meetings, events, or assessments
  • by third parties who may contact us about you, such as a referee or your pension provider
  • from sources in the public domain

We will also generate personal data about you ourselves, such as your job title and your contact details.

Purposes of the processing

The processing of your personal data is necessary for the following purposes:

  • to support the functioning of Parliament
  • to provide services to you and your colleagues
  • to undertake human resources-related processes, including:
    • carrying out onboarding processes, including right to work checks
    • facilitating reasonable adjustments, health referrals, medical absence and return processes, or evacuation plans
    • providing and managing training and professional development
    • providing you with a Government Procurement Card, where applicable
    • including you in recognition and reward schemes or nominating you for an honour
    • undertaking workforce planning and benchmarking of roles
    • investigating and taking action in relation to complaints against you or others, where they may arise
    • for you to register interests in compliance with our rules on conflicts of interest, business interests and outside appointments
    • to prevent and detect fraud internally and to participate in the National Fraud Initiative
  • for us to host and run events, including booking, balloting and invitation processes
  • to ensure security of the estate and personnel on and off the estate
  • to ensure security of the parliamentary network and compliance with acceptable use policies
  • to report and take remedial action in relation to health and safety incidents
  • to publish internal or external-facing communications, including photographs or videos
  • to monitor the diversity of the workforce
  • to prepare business continuity plans, manage incidents as they take place, and contact next of kin if necessary
  • to solicit feedback on the workplace and on services we provide, and then act on that feedback
  • to enable the House to fulfil its legal obligations

If you do not provide your personal data, the extent to which each of these purposes can be fulfilled may be affected.

The lawful basis of the processing

In order to process your personal data, we must have a ‘lawful basis’. The lawful bases are set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The lawful bases for processing your personal data will depend on the specific reason we have collected it. In each case one or more of the following lawful bases for processing with apply:

  • UK GDPR Article 6(1)(a) – we have your consent
  • UK GDPR Article 6(1)(b) – the processing is necessary in relation to a contract we have with you (or are entering into)
  • UK GDPR Article 6(1)(c) – the processing is necessary for us to comply with the law
  • UK GDPR Article 6(1)(e) – the processing is necessary for the performance of a public task, which includes the exercise of a function of either House of Parliament (DPA 2018 Section 8), or where the processing is in the public interest
  • UK GDPR Article 6(1)(f) – the processing is necessary for the purposes of our legitimate interests or those of a third party, when balanced against your interests and rights

The following situations are examples in which processing your personal data relies on the ‘legitimate interests’ lawful basis:

  • Where we collect your personal data for business continuity purposes, our legitimate interest is in being able to contact staff in the event of an incident
  • In the case of staff recognition and reward schemes, our legitimate interest is in being able to recognise and promote good practice and commitment in the workplace
  • If you submit feedback or make a complaint to the House about our services, our legitimate interest is in responding to your complaint and/or improving the services we provide

A further ‘condition for processing’ is required when processing special categories of personal data. Special categories include racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and information about sex life or sexual orientation. The conditions for processing are set out in the UK GDPR and the DPA 2018.

The conditions for processing your special category personal data are:

  • UK GDPR Article 9(2)(a) – we have your explicit consent
  • UK GDPR Article 9(2)(b) – the processing is necessary for us to meet our obligations and exercising our rights in employment and the safeguarding of your fundamental rights
  • UK GDPR Article 9(2)(f) – the processing is necessary for the establishment, exercise or defence of legal claims
  • UK GDPR Article 9(2)(g) – the processing is necessary for reasons of substantial public interest including the conditions set out in Schedule 1, Part 2 of the DPA 2018
  • UK GDPR Article 9(2)(h) – the processing is necessary for the purposes of preventative or occupational medicine and assessing your working capacity as an employee
  • UK GDPR Article 9(2)(j) – the processing is necessary for archiving purposes in the public interest

A further condition is also required when processing personal data about criminal convictions and offences. The conditions for processing in this case are:

  • DPA 2018 Schedule 1, Part 1, Paragraph 1 – the processing is necessary for complying with employment, social security and social protection law
  • DPA 2018 Schedule 1, Part 2, Paragraph 10 – the processing is necessary for preventing or detecting an unlawful act

In accordance with the DPA 2018, our policy for processing special category data and criminal convictions and offences data can be found on our website: https://www.parliament.uk/site-information/data-protection/policies/hc-special-category-policy/.

Other lawful bases and conditions for processing may apply if the processing of personal data is necessary in emergency circumstances, for example, to protect an individual’s vital interests or for the provision of health or medical services.

Who we share your personal data with

Where necessary, we may share your personal data with or disclose it to:

  • Other organisations we deliver services with, such as the House of Lords, the Restoration and Renewal Delivery Authority and The National Archives
  • Providers of goods and services contracted by the House, such as pensions providers, providers of IT solutions, travel services, and those carrying out surveys or focus groups
  • A specialist external auditor (to assist us in carrying out internal anti-fraud exercises) and the Cabinet Office (who run the National Fraud Initiative). This is limited to accounts payable, payroll and pensions information.
  • If you are registered to attend or have attended an event, the organisers of that event
  • If you are a member of a trade union, that trade union
  • If you have been involved in a health and safety incident, third parties such as the Health and Safety Executive. This is so that we can fulfil our health and safety responsibilities.
  • If you are a secondee or ‘on loan’, the organisation you have come from
  • If you are nominated for an honour, the Cabinet Office. If you do not want your personal data shared for this purpose, please inform your line manager, who would otherwise be required to provide information about you, and Payroll Services. If your line manager changes, it is your responsibility to inform them of your decision
  • Other public sector organisations such as government departments, security-related bodies and the Police (for example, for audit purposes, assessing the likelihood of an ‘insider threat’, or for reporting concerns about modern slavery).
  • The general public, if:
    • you appear in external communications or publications, such as library briefings, the general public, via text or images in those communications or publications
    • you work in the Chamber, in committees or any other places which are broadcast, via that broadcast
    • you are a senior member of staff in band SCS2 or above, in the case of your salary, your registered interests, and gifts and hospitality you accept
    • we receive a Freedom of Information or Environmental Information Regulations request, your personal data falls in scope of it, and we cannot withhold it from disclosure. In general, the more senior you are, the more likely we are to disclose your personal data.
  • Other organisations or the general public, where there is a legal obligation to do so. For example, the Police, for the purposes of prevention and detection of crime

We will never share or sell your personal data to other organisations for direct marketing purposes.

Events hosted by the House

If you attend an event hosted by the House of Commons, please be aware that personal data of yours (such as images, video and sound recordings) may be collected. These may be reproduced in print or online via our social media channels, our website, and education or engagement materials we commission about Parliament. If you would like to be excluded from these recordings, please contact the organisers prior to the event.

Storage of your personal data

We will retain your personal data for as long as is necessary for the purpose it was collected. The length of time personal data is retained for differs dependent on the purpose of their collection as well as any relevant legal requirements. The applicable retention period in any case can be found in the Authorised Retention and Disposal Policy (ARDP), which is Parliament’s information disposal policy. The ARDP can be found on our website: https://www.parliament.uk/business/publications/parliamentary-archives/who-we-are/information-records-management-service/.

We take the security of your data seriously. All personal data you provide to us, whether electronically or in paper form, will be stored securely in accordance with our policies. We have information security measures in place to oversee the effective and secure processing of it.

Some personal data controlled by us is held outside the UK, including on data servers in the European Economic Area (EEA). For the purposes of the UK GDPR and the DPA 2018, all countries within the EEA are regarded as providing an adequate level of data protection. We would not transfer personal data to a person in a country outside the UK or EEA unless satisfied that that person and country had safeguards in place to protect personal data.

Your rights

Data protection laws provide you with rights over your personal data. Subject to limited exceptions, these are:

  • Where we are relying on your consent to process your personal data, you can withdraw that consent or unsubscribe from our services
  • The right to access your personal data
  • The right to rectification of your personal data
  • The right to erasure of your personal data
  • The right to restrict the processing of your personal data if you have an objection to us doing so
  • The right to object to the processing of your personal data
  • The right to portability of your personal data
  • Rights in relation to automated decision-making and profiling

You can contact us if you wish to exercise any of these rights. Contact details can be found at the end of this notice.

Please note that formal individual rights requests are managed by the House of Commons Information Compliance Service. They will retain your request, including any relevant personal data, to demonstrate that we have met our legal obligations under data protection law. These records are kept securely for two years.

Contact details

If you have any concerns relating to the use of your personal data please contact the relevant service area in the first instance.

If you have any further questions about the use of your personal data, please contact the Data Protection Officer:

You also have the right to complain to the Information Commissioner’s Office, the supervisory authority, by contacting them: www.ico.org.uk/global/contact-us/.

Further information about data protection in Parliament can be found on our website: https://www.parliament.uk/site-information/data-protection/.

Version 6.1 – applies from 31/12/2024