Documents to download

The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) form the UK’s data protection regime.

Under the 2018 Act and the UK GDPR, the sharing of a constituent’s personal data by a Member of Parliament must have a lawful basis. There are six bases:

  • Consent – a person has given consent to the sharing of their data.
  • Contract – processing is necessary for the performance of a contract to which a data subject is party.
  • Legal obligation – processing is necessary to comply with a legal obligation to which a data subject is party.
  • Vital interests – the processing is necessary to protect someone’s life.
  • Public task – the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests – the processing is necessary for legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect an individual’s personal data which overrides those interests.

Members’ casework

For the processing of non-sensitive personal data in relation to casework, Members can usually rely on the implied consent of a constituent.

There are additional protections for processing “special category” data because of its sensitivity. This type of data includes information revealing a person’s racial origin, ethnic origin, health details, sexual orientation, and political and philosophical beliefs.

For MPs, paragraphs 23 and 24 of Schedule 1 of the 2018 Act have two main functions that apply when a constituent has contacted them:

Paragraph 23 sets out when a Member of Parliament (or someone acting with their authority) can process certain “special category” data about an individual, in the course of the Member’s “functions as a representative” (e.g. constituency casework), without having to establish explicit consent.

Paragraph 24 allows, but does not require, others (e.g. agencies or organisations) who are contacted by Members to disclose special category personal data to them where this is necessary to help with their functions, without having to obtain the explicit consent of the individual concerned.

Where to go for advice

The Information Commissioner’s Office (ICO) oversees and enforces data protection law. The ICO can advise on individual cases. Contact details are online and include a helpline: 0303 123 1113.


Documents to download

Related posts