Privacy Notice for staff and contractors (and former staff)

1. About Us

In this notice and any linked information, references to ‘us’, ‘our’ or ‘we’ are to the House of Commons Service or Parliamentary Digital Service. The Corporate Officer (Clerk of the House of Commons) is the Controller of any personal data processed as described in this Privacy Notice. The Data Protection Officer is the Head of Information Compliance.

If you have any questions about the use of your personal data, please contact Information Compliance.

Email: hcinformationcompliance@parliament.uk

Telephone: 0207 219 4296

Post: Information Compliance, House of Commons, SW1A 0AA

2. The personal data we collect and lawful basis for processing

We will collect, store and use the personal data provided by you to manage the relationship or contract between us. We may also collect personal data from other sources for purposes such as personal references, pensions, security clearance, health and wellbeing or from other parties acting on your behalf.

During the course of your time working with the House of Commons Service, we will collect and generate information about you in a variety of ways through application forms or other documents you complete or provide, from correspondence with you or through interviews, meetings or other assessments. To ensure we keep your information up to date and accurate it is important that you notify us of any changes to your personal details as soon as they are known.

Types of personal data we collect may include:

• Your name and contact details, including email address and telephone number;
• Date of birth, sex, and National Insurance number;
• Information about your marital status, next-of-kin, dependents and emergency contact details;
• Any contact details you provide, for example, for business continuity purposes, equipment orders to your personal address, ‘track and trace’ and workforce planning at team level or centrally;
• The terms and conditions of your employment, details of your qualifications, skills, experience, references, education and employment history;
• Information about your pay, including entitlement to benefits such as pensions, details of your bank account and any subscription to trade unions;
• Information about your nationality and entitlement to work in the UK;
• Information about medical or health conditions, including whether or not you have a disability or need for which we may be required to make reasonable adjustments or health referrals, accident at work reports, medical absence and return information;
• Information you have provided regarding Protected Characteristics (Equality Act and s.75 of the Northern Ireland Act) for the purpose of equal opportunities monitoring. This includes racial or ethnic origin, religious beliefs, disability status, and gender identification and may be extended to include other protected characteristics. This data may be shared as appropriate for monitoring and management actions;
• Socio-economic background (if you choose to supply it), including the type of school you attended and your eligibility for free school meals;
• Photographic identification, such as copies of passports or driving licences to use as evidence of residency or for security verification purposes;
• Security clearance details including basic checks and higher security clearance details according to your role, information about any criminal convictions you declare, and information needed in relation to security clearance or criminal records checks permitted by law;
• Details of your days of work, working hours, rostering and attendance at work;
• Details of periods of leave taken by you, including annual leave, medical absence, special leave, career breaks, sabbaticals and the reasons for the leave;
• Assessments and evidence of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
• Training, talent management and coaching records;
• Details of any disciplinary or grievance procedures in which you have been involved, information processed for the purposes of compliance with Parliament’s Behaviour Code in which you may be a party or a witness;
• Personal data used in relation to any complaints or investigation process, including information relating to any restrictions on access to services that may result from complaints;
• Whistleblowing concerns raised by you, or to which you may be a party or witness
• Photographs of you in connection with your work for use in internal and external communications and publications;
• Audio and visual recordings of meetings, training or briefings made in the course of your work (you will be informed prior to the start of any recording);
• Information relating to the Register of Staff Interests; any secondary employment, political declarations, conflict of interest declarations or gift declarations;
• Information required for participation in the National Fraud Initiative (prevention and detection of fraud), this includes accounts payable, payroll and pensions data such as name, address, date of birth, national insurance number and bank account/sort code;
• Your access and use of the Parliamentary Estate via facilities and systems, including images captured by the security cameras operating on the Parliamentary Estate, data capturing your movements via pass readers and electronic keys and monitoring access to systems and software in compliance with acceptable use policies;

• Personal data (and special category data where necessary) required for workforce planning or any assessment of the availability of staff to maintain and run parliamentary functions;
  • Your responses to staff surveys where appropriate;
  • Details required for inclusion in staff recognition and reward schemes or the referral for an honour.

Lawful bases

The lawful basis for collecting and using your personal data will depend on the specific reason we have collected it.  These include:

• UK GDPR Article 6 (1)(a) - we have your consent;
• UK GDPR Article 6 (1)(b) - for the performance of a contract (employment or other) we have with you or have an intention of entering in to;
• UK GDPR Article 6 (1)(c) – in order to comply with our obligations as an employer or to fulfil a legal obligation to collect the personal data from you;
• UK GDPR Article 6 (1)(d) in order to protect your vital interests or those of another person;
• UK GDPR Article 6 (1)(e) for the performance of our public task as the House of Commons or where the processing is in the public interest;
• UK GDPR Article 6(1)(f) for our legitimate interests (or the legitimate interests of a third party) when fairly balanced against your interests and rights. 

Where we rely on legitimate interests as our lawful basis, a test is applied to ensure the processing is balanced against your rights, for example:

Business continuity data:
Our legitimate interests are served in being able to contact staff in the event of an incident.  The processing is necessary to ensure staff are kept informed of incidents that may have an impact upon them and use of personal data for this purpose does not present a risk to the rights and freedoms of the individual.

Staff recognition and reward schemes:
Our legitimate interests are served in being able to recognise and promote good practice and commitment within the workplace. The processing is necessary to identify and contact the individuals being awarded and use of personal data for this purpose does not present a risk to the rights and freedoms of the member of staff.

The legitimate interest test when this lawful basis applies is recorded on our data maps.  For more information contact the Data Protection Officer.

Special categories of data

A further lawful basis is required when processing special categories of data as these require additional control. Special categories include: racial or ethnic origin; religious or philosophical beliefs; trade union membership; genetic and biometric data; health data; sex life or sexual orientation.

The lawful bases we will rely on for these special categories are:

• UK GDPR Article 9 (2)(a) - we have your explicit consent;
• UK GDPR Article 9(2)(b) – in order to meet our obligations and exercising our rights in employment and the safeguarding of your fundamental rights;
• UK GDPR Article 9(2)(c) – in order to protect your vital interests or those of another person where you are incapable of giving your consent;
• UK GDPR Article 9(2)(f) - for the establishment, exercise or defence of legal claims;
• UK GDPR Article 9(2)(g) – for reasons of substantial public interest and the exercise of a function of the House of Commons (Section 8 of the Data Protection Act 2018);
• UK GDPR Article 9(2)(h) - for the purposes of preventative or occupational medicine and assessing your working capacity as an employee
• UK GDPR Article 9(2)(j) - for archiving purposes in the public interest.

In addition, we rely on appropriate processing conditions found in the DPA 2018, for example:

• Schedule 1 part 1 paragraph 1 – conditions relating to employment
• Schedule 1 part 2 paragraph 8 & 9 – equality of opportunity and promoting diversity

Criminal Convictions and Offences

We process information about staff criminal convictions and offences (for the purposes of security vetting and employment purposes) in accordance with GDPR Article 10. The lawful basis we rely on to process this data are:

• UK GDPR Article 6 (1)(b) for the performance of a contract and the processing condition at DPA 2018 Schedule 1 part 1 paragraph 1
• UK GDPR Article 6 (1)(e) for the performance of our public task and the processing condition at DPA 2018 Schedule 1 part 2 paragraph 10

In compliance with DPA 2018, our Safeguards Policy (pdf, 135KB) provides further information about the processing of special category and criminal conviction data.

Whilst most of the data collected about you will be processed while you are working for or have a relationship with the House of Commons, some personal data will be retained after your employment or our working relationship has ended.  Records will be kept in accordance with our authorised retention and disposal policy (ARDP) and used as appropriate.  For example, your pensions records and information used for references provided to future employers. 

There may be specific occasions when the House may need to contact you in the future.  For example, if you are named as a respondent or as a potential witness following a complaint, or grievance or any other such case. 

If you would like to know more about the lawful basis related to the information we process, please contact the Data Protection Officer You can also find out more on the Information Commissioners Office website, who are the regulator for data protection legislation.

3. Who we share your personal data with 

As part of your employment or time working with us, we will need to use and share your personal data internally. This will include disclosing certain information to other service areas and managers where there is a need. For example, your line manager might provide Human Resources and Diversity or Finance with information about your medical absence or a grading change. We will occasionally share personal data for the purpose of feedback and focus groups where appropriate.   We will also share your personal data for inclusion in internal newsletters and announcements or as part of recognition and reward schemes.

Some anonymised/pseudonymised or statistical information (including protected characteristic data/special category data on occasion) may be used and shared with managers and boards to improve our services, support our employment and recruitment practices.

We may also disclose your personal data to third party organisations where lawful to do so, such as:

• The House of Lords administration (who is a joint Controller) for the provision of shared services to you;
• Providers of goods and services contracted by the House (e.g. pensions providers, IT solutions, travel service providers, those carrying out surveys/focus groups);
• Other organisations such as government departments, security related bodies and the Police for their enquiries (for example, audit, fraud and the prevention and detection of crime);
• Organisations we manage secondments with, such as government departments and the Restoration and Renewal Sponsor Body and Delivery Authority
• Or where necessary for the performance of a function which that organisation carries out in the public interest, for example: trade unions

4. Storage and retention of your personal data

We take the security of your data seriously. All personal data you provide to the House of Commons Service or Parliamentary Digital Service will be stored securely, both physically and electronically.

We have an information security process in place to oversee the effective and secure processing of your personal data.  Where we use third party processors, we ensure

appropriate contracts, security, duty of confidentiality, technical and organisational measures are in place to ensure the security of data has been assessed as appropriate.

Personal data is predominantly held in data centres within the UK or the wider European Economic Area for the purposes of hosting, maintenance and back up. We (or processors acting on our behalf) may also store or process your personal data in countries outside the European Economic Area but only where we are assured of the security of the data and the adequacy of the data protection regimes of those countries and organisations holding the data.

We will retain your personal data for as long as is necessary for the purpose it was collected,

i.e. for the duration of your contract or your time working with us, or longer if it is needed after your employment ceased, for example pension purposes or in relation to an investigation. We will hold your personal data in compliance with our authorised retention and disposal policy (ARDP).

5. Your rights

You can exercise the following rights in relation to the personal data we hold:

• Where we are relying on your consent to use your personal data, you can withdraw that consent by writing to HR Advice and Policy team (House of Commons) or HR Services in
• You can request access to the personal data we hold about you or ask for certain data in a machine-readable format by contacting the Data Protection Officer whose contact details are found at the top of this
• You can ask us to update your personal data if it changes. In certain circumstances, you can request we erase the personal data we hold or ask us to stop or restrict processing if you have an
• If you have any concerns relating to the use of your personal data, you may complain to the Data Protection Officer whose contact details are found at the top of this
• You also have the right to complain to the Information Commissioner’s Office (ICO), the supervisory authority, about our collection and use of your personal data. The ICO can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Further details about your rights can be found on the Infor mat ion Commiss ion er’s  website.

Last updated: May 2021