
House of Commons Data Protection Policy

Purpose

The House of Commons processes the personal data of a wide range of individuals including (but not limited to) members of the public, House of Commons staff, contractors, MPs and their staff, and visitors.

We process this personal data in accordance with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This policy provides a general statement of how we achieve this.

Scope

This policy applies to the House of Commons Administration and the Joint Departments of Parliament. It also applies to 'bicameral' parliamentary teams who handle House of Commons information but who also carry out work for the House of Lords.

It does not apply to individual Members of Parliament where they act as data controllers, or to Members’ groups such as All-Party Parliamentary Groups – as the legislation applies to them separately from the House itself. For the same reason, it also does not apply to the House of Lords Administration, Peers or the staff who work for them.

Key terms

Data subject

The individual whose personal data we process.

Personal data

This is information that relates to an identified or identifiable living individual. A natural person is one who can be identified, directly or indirectly, from the information and who is not a separate legal entity such as a limited company.

Special category personal data

This is sensitive personal data which requires extra protection and conditions for processing. This includes personal data which relates to an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

Processing

This is any operation or set of operations which is performed on personal data, whether or not by automated means. It includes collection, storage, use, disclosure (including sharing) and destruction.

To process personal data, a controller must either have consent or it must be necessary for a specific purpose (known as a lawful basis for processing, Article 6 UK GDPR).

To process special category data, a controller must satisfy one of the conditions in Article 9 UK GDPR, for the specific purpose intended. We provide more information about how we process special category data in our Special category and criminal convictions data processing policy, which is required by Schedule 1 Part 4 of the DPA 2018.

Controller

The controller decides the purposes and means of processing personal data. This may be a named person, or it may be a “legal person” such as an organisation, public authority or other body. More information about the House of Commons’ controller can be found at the end of this policy.

Processor

A processor processes personal data on behalf of a controller, usually under contract.

Data Protection Officer

A named person within an organisation who assists the controller by ensuring compliance with the legislation, as well as acting as a point of contact and advice. More information about the House of Commons’ Data Protection Officer can be found at the end of this policy.

Responsibilities

In addition to the individuals described above, some key teams and individuals are also responsible for data protection compliance in the House of Commons.

Information Compliance Service

This team is responsible for the House of Commons' compliance with information legislation. This includes providing advice, training and guidance, answering individual rights requests and carrying out personal data breach reports and investigations.

Departmental Information Risk Owners (DIROs) and the Senior Information Risk Owner (SIRO)

Each team of the House of Commons has a DIRO, who is responsible for maintaining a register of processing activities (ROPA), raising local awareness and monitoring compliance with data protection law within their teams.

The SIRO is responsible to the House of Commons Executive Board for a wide range of information risk related matters, including compliance with data protection law.

All staff of the House of Commons

All staff are responsible for the personal data they process as part of their roles within the House of Commons. This includes the appropriate handling, sharing and security of personal data and the requirement to report any instances of misuse, loss or unauthorised access of personal data. Further, staff are responsible for ensuring that personal data and, in particular, special category data, are not held for longer than is necessary for the purpose they were collected. The House of Commons has a retention and disposal policy in place (Authorised Retention and Disposal Policy (ARDP)) which must be adhered to.

Details about staff responsibilities are provided in Chapter 22 of the House of Commons Staff Handbook.

Data Protection Principles

We ensure that all personal data is processed in accordance with the Data Protection Principles found in Article 5 UK GDPR. These principles state that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • processed only for specified, explicit and legitimate purposes
  • adequate, relevant and not excessive
  • accurate and kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and
  • processed in a secure manner, protecting against unlawful access, loss or destruction

We are also committed to being responsible, accountable and able to demonstrate compliance for our processing of personal data, as required by the UK GDPR (Accountability principle).

Individual rights

The House of Commons respects the rights of individuals concerning their own personal data and will comply appropriately with any request by a data subject relating to those rights. These rights, found in Chapter 3 UK GDPR, are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Further information

For general queries, privacy and rights

Please consult the House of Commons data protection pages on the UK Parliament website.

Data protection guidance is also available on the Information Commissioner’s website both for the public and for organisations.

For specific queries, concerns or complaints

Please contact the Information Compliance Service as follows:

Email: hcinformationcompliance@parliament.uk Tel: 020 7219 2559

Complaints and enquiries can also be directed to the UK’s regulator for data protection, the Information Commissioner’s Office. More details can be found on their website.

Our Data Protection Officer

The Head of the Information Compliance Service is the DPO for the House of Commons.

Email: hcinformationcompliance@parliament.uk Tel: 020 7219 4296

Version control

v3.0 August 2025

Policy owner: Data Protection Officer, House of Commons

Due for review: August 2027