
House of Commons Data Protection Policy

Purpose

The House of Commons takes its responsibility for handling personal data very seriously. We process the personal data of a wide range of individuals including (but not limited to) members of the public, House of Commons staff, contractors, MPs and their staff, and visitors.

We process this personal data in accordance with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This policy provides a general statement of how we achieve this.

Scope

This policy applies to the House of Commons Service and the Parliamentary Digital Service (PDS). It also applies to 'bicameral' parliamentary teams who handle House of Commons information but who also carry out work for the House of Lords.

It does not apply to individual Members of Parliament, or the staff who work for them, or to Members’ groups such as All-Party Parliamentary Groups – as the legislation applies to them separately from the House itself. For the same reason, it also does not apply to the House of Lords administration, Peers or the staff who work for them.

Key terms

Data subject

The individual whose personal data we process.

Personal data

This is information that relates to an identified or identifiable living individual. A natural person is one who can be identified, directly or indirectly, from the information and who is not a separate legal entity such as a limited company.

Special category personal data

This is sensitive personal data which requires extra protection and conditions for processing. This includes personal data which relates to an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

Processing

This is any operation or set of operations which is performed on personal data, whether or not by automated means. It includes collection, storage, use, disclosure (including sharing) and destruction.

To process personal data, a controller must either have consent or it must be necessary for a specific purpose (known as a lawful basis for processing, Article 6 UK GDPR).

To process special category data, a controller must satisfy one of the conditions in Article 9 UK GDPR, for the specific purpose intended. We provide more information about how we process special category data in our Policy on processing special categories of personal data and criminal convictions data, which is required by Schedule 1 Part 4 of the DPA 2018.

Controller

The controller decides the purposes and means of processing personal data. This may be a named person, or it may be a “legal person” such as an organisation, public authority or other body. More information about the House of Commons’ controller can be found at the end of this policy.

Processor

A processor processes personal data on behalf of a controller, usually under contract.

Data Protection Officer

A named person within an organisation who assists the controller by ensuring compliance with the legislation, as well as acting as a point of contact and advice. More information about the House of Commons’ Data Protection Officer can be found at the end of this policy.

Responsibilities

In addition to the individuals described above, some key teams and individuals are also responsible for data protection compliance in the House of Commons.

Information Compliance Service

This team is responsible for the House of Commons' compliance with information legislation. This includes providing advice, training and guidance, answering information rights requests and carrying out personal data breach reports and investigations.

Departmental Information Risk Owners (DIROs) and the Senior Information Risk Owner (SIRO)

Each team of the House of Commons has a DIRO, who is responsible for maintaining registers of personal data holdings, raising local awareness and monitoring compliance with data protection law within their teams.

The SIRO is responsible to the House of Commons Executive Board for a wide range of information risk related matters, including compliance with data protection law.

Other Teams

Some teams have specific responsibilities in relation to data protection compliance such as:

  • Parliamentary Commercial Directorate – responsible for ensuring third party processors have UK GDPR compliant contracts in place which require them to handle personal data in line with our own policies and processes
  • Parliamentary Digital Service – responsible for the confidentiality, integrity, availability and security of personal data within Parliamentary systems

All staff of the House of Commons

All staff are responsible for the personal data they process as part of their roles within the House of Commons. This includes the appropriate handling, sharing and security of personal data and the requirement to report any instances of misuse, loss or unauthorised access of personal data. Further, staff are responsible for ensuring that personal data and, in particular, special category data, are not held for longer than is necessary for the purpose for which they were collected. The House of Commons has a retention and disposal policy in place (Authorised Retention and Disposal Policy (ARDP)) which must be adhered to.

Details about staff responsibilities are provided in Chapter 23 of the House of Commons Staff Handbook.

Data Protection Principles

We ensure that all personal data is processed in accordance with the Data Protection Principles found in Article 5 UK GDPR. These principles state that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • processed only for specified, explicit and legitimate purposes
  • adequate, relevant and not excessive
  • accurate and kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and
  • processed in a secure manner, protecting against unlawful access, loss or destruction

We are also committed to being responsible, accountable and able to demonstrate compliance for our processing of personal data, as required by the UK GDPR (Accountability principle).

Individual rights

The House of Commons respects the rights of individuals concerning their own personal data and will comply appropriately with any request by a data subject relating to those rights. These rights, found in Chapter 3 UK GDPR, are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Further information

For general queries, privacy and rights

Please consult the House of Commons data protection pages on the UK Parliament website.

Data protection guidance is also available on the Information Commissioner’s website both for the public and for organisations.

For specific queries, concerns or complaints

Please contact the Information Compliance Service as follows:

Email: hcinformationcompliance@parliament.uk

Tel: 020 7219 2559

Complaints and enquiries can also be directed to the UK’s regulator for data protection, the Information Commissioner’s Office. More details can be found on their website.

Our Data Protection Officer

The Head of the Information Compliance Service is the DPO for the House of Commons.

Email: hcinformationcompliance@parliament.uk

Tel: 020 7219 4296

Our Controller

The Clerk of the House of Commons is our Controller.

Email: governanceoffice@parliament.uk

Tel: 020 7219 1771

 

Version control

v2.3 October 2023

Policy owner: Data Protection Officer, House of Commons

Due for review: April 2025