This Library Briefing Paper looks at the General Data Protection Regulation, the Data Protection Act 2018, and when MPs can process personal information.
Under the GDPR, Members of Parliament are data controllers. Any processing of personal data by Members must comply with the GDPR and the 2018 Act. This means that personal data can only be processed if there is a lawful basis for doing so. The lawful bases are:
Members’ casework and special category data
Special category personal data includes data revealing, among other things, a person’s racial origin, ethnic origin, health details, sexual orientation, and political and philosophical beliefs. Schedule 1 of the 2018 Act sets out a number of areas in which the processing of special category personal data is permitted without an individual’s explicit consent.
For Members of Parliament (and other elected representatives), paragraphs 23 and 24 of Schedule 1 have two main functions that apply when a constituent has contacted them.
Paragraph 23 sets out when a Member of Parliament (or someone acting with their authority) can process certain “special category” data about an individual, in the course of the Member’s “functions as a representative” (e.g. constituency casework), without having to establish explicit consent.
Paragraph 24 allows, but does not require, others (e.g. agencies or organisations) who are contacted by Members to disclose special category personal data to them where this is necessary to help with their functions, without having to obtain the explicit consent of the individual concerned.
Sources of advice
The Information Commissioner’s Office (ICO) oversees data protection law. Guidance for elected representatives is available from the ICO website. The ICO can discuss individual cases - its advice line is 0303 123 1113.
The House has an Information Rights and Information Security (IRIS) Service. IRIS has published information [intranet only] for Members. IRIS can provide advice to Members and their staff on the application of data protection law.
Commons Briefing papers SN01936
Author: John Woodhouse
Topic: Data protection