
House of Lords Data Protection Policy Statement

The House of Lords is committed to processing personal data in accordance with the UK General Data Protection Regulation (“the UK GDPR”), as supplemented by the Data Protection Act 2018 (“the DPA”).

The House of Lords Administration needs to process certain information about members of the House of Lords, current, past and prospective employees, suppliers, customers and other individuals it interacts with.

It will ensure that all personal data are processed in accordance with the six Data Protection Principles, which state that personal data shall be:

  • processed lawfully, fairly and in a transparent manner;
  • processed only for specified, explicit and legitimate purposes;
  • adequate, relevant and not excessive;
  • accurate and kept up-to-date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and
  • processed in a secure manner.

Responsibilities

Controller

The Clerk of the Parliaments, as the corporate officer of the House of Lords, has the role of controller in relation to the processing of personal information by or on behalf of the House of Lords.

The House’s Data Protection Officer (DPO) is the Head of Information Compliance.

The Information Compliance Team is responsible for:

  • providing guidance to staff on their responsibilities under data protection legislation and any specific procedures which they need to follow;
  • ensuring appropriate training is available to staff;
  • co-ordinating responses to data subject access requests, providing advice on the use of exemptions and other requests relating to individuals exercising their rights under the UK GDPR and DPA;
  • producing and updating data protection impact assessments;
  • monitoring internal compliance with the Data Protection policy statement and procedures, reporting to the Management Board as required;
  • investigating any loss or breach of personal data, and reporting to the Information Commissioner as required;
  • ensuring compliance with the Data Protection (Charges and Information) Regulations 2018, i.e. payment of the fee and provision of relevant information to the Information Commissioner’s Office (ICO);
  • reviewing policy and procedures in the light of developing case law and experience; and
  • maintaining the House’s record of processing activities.

The Human Resources Office is responsible for:

  • ensuring personal data about our staff (current and former) is processed in accordance with the data protection principles;
  • taking advice as appropriate from the Information Compliance Team and Deputy Counsel to the Chairman of Committees in relation to requests from third party organisations for access to personal data relating to current and former House staff; and
  • ensuring that staff are given an opportunity to update their personal details.

The Digital Service is responsible for:

  • the security of the Parliamentary network, including the protection of personal information held and processed on Parliamentary systems, from loss, damage, corruption or misuse;
  • informing the Information Compliance Team of the loss of equipment (laptops, mobile devices, portable media) and any potential personal data breaches it becomes aware of; and
  • ensuring that the necessary technical controls, policies and procedures are in place to comply with Data Protection requirements.

Data Protection and Information Security Co-ordinators

A nominated member of staff in each office acts as a Data Protection and Information Security Co-ordinator and has responsibility for:

  • informing the Information Compliance Team of any new processing of personal data within their office, including the development of information systems;
  • maintaining office personal data processing logs;
  • disseminating guidance from the Information Compliance Team within their office;
  • identifying potential data protection issues within their office and seeking guidance from the Information Compliance Team, as appropriate; and
  • ensuring that personal information held in their office is processed in accordance with the data protection principles.

Parliamentary Procurement and Commercial Services is responsible for:

  • ensuring Data Protection requirements are included in all relevant contractual terms and conditions; and
  • ensuring data processing schedules are included in contracts where contractors process personal data on behalf of and under the instruction of the Data Controller.

All Staff are responsible for:

  • treating personal data with care and respect and in a secure manner;
  • ensuring that they collect and process personal information in accordance with the House’s policy statement and procedures;
  • undertaking relevant training on data protection;
  • using Parliamentary IT systems in accordance with the Acceptable Use Policy and only storing or sharing personal data on approved systems;
  • understanding individuals’ rights regarding the processing of their personal data and sending any relevant requests or enquiries to the Information Compliance Team (for example, individuals may ask for personal data about them which is held by the House to be deleted, and they do not have to cite the UK GDPR/DPA when requesting this); and
  • seeking guidance from their Data Protection and Information Security Co-ordinator and/or the Information Compliance Team, as required.

 

Updated March 2021