The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 form the UK’s data protection regime.

Under the GDPR, Members of Parliament are data controllers. Any processing of personal data by Members must comply with the GDPR and the 2018 Act. This means that personal data can only be processed if there is a lawful basis for doing so. The lawful bases are:

  • Consent: an individual has given clear consent for the processing of their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract between an individual and an organisation.
  • Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for the controller’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect an individual’s personal data which overrides those legitimate interests.

Members’ casework and special category data

Special category personal data includes data revealing, among other things, a person’s racial origin, ethnic origin, health details, sexual orientation, and political and philosophical beliefs. Schedule 1 of the 2018 Act sets out a number of areas in which the processing of special category personal data is permitted without an individual’s explicit consent.

For Members of Parliament (and other elected representatives), paragraphs 23 and 24 of Schedule 1 have two main functions that apply when a constituent has contacted them.

Paragraph 23 sets out when a Member of Parliament (or someone acting with their authority) can process certain “special category” data about an individual, in the course of the Member’s “functions as a representative” (e.g. constituency casework), without having to establish explicit consent.

Paragraph 24 allows, but does not require, others (e.g. agencies or organisations) who are contacted by Members to disclose special category personal data to them where this is necessary to help with their functions, without having to obtain the explicit consent of the individual concerned.

Sources of advice

The Information Commissioner’s Office (ICO) oversees data protection law. Guidance for elected representatives is available from the ICO website. The ICO can discuss individual cases – its advice line is 0303 123 1113.

The House has an Information Rights and Information Security (IRIS) Service. IRIS has published information [intranet only] for Members. IRIS can provide advice to Members and their staff on the application of data protection law. 
