Privacy Notice – MPs and their staff
IPSA was established under statute by the Parliamentary Standards Act 2009 to pay MPs' salaries and manage the business costs system. This includes setting their budgets and paying the salaries of their staff, in accordance with the Scheme of MPs’ Staffing and Business Costs.
This privacy notice sets out how we meet our obligations under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
It explains how we collect, protect and use personal information about MPs and their staff, including former MPs and their staff, volunteers, connected parties, consultants, interns and other workers who undertake any form of work for an MP, and who are reimbursed or paid through an MP’s business costs or salary budget.
It should be read in conjunction with IPSA’s Privacy Notice and Rights on our website.
What sort of personal information do we hold?
During your time in office or working for an MP, we will collect and process a range of different types of personal information about you.
When you cease to be an MP or employed by an MP, we will continue to hold some data about you for a predefined period to fulfil our remaining tasks and legal obligations.
The type of information we collect about you will depend on the nature of your relationship with us and which of our services you use. Information collected may include all or any of the following:
Personal information
name, date of birth, gender
work and home contact details – if you are an MP we may also hold contact details for your next of kin and dependents
national insurance (NI) number, employee resource ID number
proof of identity
Job information
if you are an MP we hold information about your constituency and any offices held
if you are a member of staff, we hold details of your job title and MP employer
employment contract, for example, starting and leaving dates; working hours, contract type, salary
leave taken, including holiday, sickness absence, parental and maternity leave
promotions or changes to pay, reward and recognition payments
information necessary for legal compliance, including details of ethnicity or disability or access requirements
Financial details
bank details to pay your salary and any business costs due
payroll information such as salary, statutory payments and benefits you have received
attachment of earnings and settlement payments
and, for MPs:
details of transactions and business costs, including disallowed items
Contact with IPSA and use of our services
correspondence, including email, telephone calls or letters, and the reasons for contacting us
information about which of our web pages you have visited, when you visited them, and your use of IPSA Online
information gathered in the course of validating business cost claims or investigating matters of regulatory concern – this could include information relating to actual or alleged criminal offences or illegal activities
calls are routed through IPSA’s secure telecoms network and only recorded with your prior, informed consent
This list is not intended to be exhaustive and may be updated from time to time as our service needs and legal requirements dictate.
How do we obtain this information?
Most of this information will be collected directly from you or from your MP employer when you take office or start your employment.
You may have also supplied it to us independently so we can provide you with assistance or support, for example:
to update your personal record using the IPSA Online employee self-service system during your employment
as a member of staff, when you complete your starter, payroll and leaver forms
as a newly elected MP, when you attend the New Members’ Reception Area (NMRA) event
If we do not receive information directly from you, we either generate it ourselves (such as your employment resource ID), or we receive it from third parties, including:
House of Commons
HM Revenue and Customs (HMRC)
pensions scheme providers
other regulators
Why do we hold this information?
We hold personal information about you to:
Comply with our legal, regulatory and internal governance obligations as a public authority, for example:
meet audit requirements
raise and investigate matters of regulatory concern
establish, defend or exercise our legal rights
comply with orders and requests received from public and regulatory, governmental and judicial bodies
investigate grievances and complaints
Ensure that our services are provided in the most effective manner for you
contact you to fulfil a request or respond to an enquiry
invite you to provide feedback, assist with surveys and input into consultation exercises
provide you with news, service announcements and updates
ensure our records are accurate and up to date
administer our legitimate internal management analysis, audit, forecasts and business planning and transactions
provide you with services you have requested and create accounts with direct suppliers, for example, for travel and stationery supplies
Enforce our rules and policies, and maintain our security
We may also convert personal information into pseudonymous or anonymous data to use for research and analysis to improve our services and performance.
What is our lawful basis for processing your personal information?
In order to be able to process your data lawfully, we must rely on a specific lawful basis under data protection legislation.
The relevant lawful basis depends on the main reason why we need the data. These are:
Necessary for the performance of IPSA’s public task (GDPR article 6(1)(e))
IPSA was established under statute by the Parliamentary Standards Act 2009 to pay MPs' salaries and manage the business costs system. This includes setting their budgets, paying salaries, and validating business cost claims in accordance with the Scheme of MPs’ Staffing and Business Costs.
More information about IPSA and our statutory role is available on the Who we are pages of our website.
Necessary for IPSA to comply with a legal obligation (GDPR article 6(1)(c))
We process data about you under this legal basis when we need to in order to comply with UK legislation, such as in the areas of equality and employment or for tax purposes.
Necessary for the purposes of IPSA’s legitimate interests (GDPR article 6(1)(f))
Sometimes we will process your data because we have identified a "legitimate interest" in doing so.
The legitimate interests we identify are determined through an assessment made by weighing our requirements against the impact of the processing on you.
This is done to make sure that our legitimate interests will never override your right to privacy that requires the protection of your personal data.
Examples of when we will process your data in our legitimate interests are:
providing you with an IPSA resource ID
enabling effective communications with you regarding the information you need to know for pay, pensions or other work-related purposes (such as through our weekly news bulletin)
using your payroll information to conduct pay reviews and forecasting, and to help IPSA plan ahead
Necessary to protect your vital interests or those of another person (GDPR article 6(1)(d))
On very rare occasions, we may need to access or share your information in order to protect your life or that of another person, for example in an emergency situation where we cannot gain your consent or to do so could endanger life.
We will only rely on vital interests in extremely limited circumstances when no other legal basis is available.
You have given us your consent to process your data for a specific purpose (GDPR article 6(1)(a))
We may sometimes ask for your consent to do something that involves the use of your personal data. We will do this where no other lawful basis applies.
Processing your "special category" personal data
Some of the information we may process about you is classed as “Special Category Personal Data” and receives extra protection under data protection law.
The GDPR classes the following information as Special Category Personal Data:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic and biometric data
data concerning health or data concerning a natural person’s sex life or sexual orientation
We can only process this type of data if we have an additional lawful basis and meet higher standards for safeguarding it.
Of the lawful bases available to us, those IPSA is most likely to rely on in relation to special category data are:
Processing is necessary for us to carry out our obligations or exercise our or your rights (GDPR article 9(2)(g))
This would apply when, for example, we:
keep a record of reasonable adjustments for reasons of health or disability, or other special arrangements to support you in your work and meet our obligations under equality and discrimination legislation
process statutory sick or parental pay
Processing is necessary for the establishment, exercise or defence of legal claims against IPSA (GDPR article 9(2)(f))
With your explicit consent (GDPR article 9(2)(a))
For example, to set up a voluntary salary deduction to a trade union
How long do we keep information about you?
We will not keep information about you for longer than it is needed for:
the purpose for which it was collected
legal and audit requirements, or
our legitimate, justifiable business reasons
Our record retention schedules document how long different information is held. These are available on request.
How is your information shared by us?
Occasionally, we need to share certain information about you with third parties.
We only share the minimum amount of personal information necessary and only where we have identified a lawful basis for doing so. When we share information with third parties, we ensure that either there is a contract or data-sharing agreement in place to protect your rights and safeguard your data, or we are legally obliged to disclose the information.
Organisations your information may be shared with include:
House of Commons
House of Commons Independent Complaints and Grievances Scheme
HMRC
external pensions providers to administer pensions
law enforcement agencies for the prevention or detection of crime
external auditors
other regulators, such as the Compliance Officer for IPSA, the Committee for Public Standards, or the Electoral Commission
legal advisors to IPSA, tribunals, and courts of law
service providers and direct suppliers, for example, payment card providers, technical support services
There are guidelines and procedures in place to help staff to ensure that only the minimum necessary personal data is shared.
Publication of your personal data
We are required to publish certain personal data relating to MPs’ business costs and may be required to disclose some personal information under the Freedom of Information Act.
We will only release personal information where there is no applicable exemption, and where data protection and privacy laws allow us to do so.
Further details about the information we publish are set out in our Publication Policy.
How do we protect your information?
Our ability to work on-site and remotely has been well-tested. All our staff are issued with IPSA laptops which can connect to the IPSA network securely.
Internal policies and controls are in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by our employees in the performance of their duties.
As part of our processes, we have implemented "Privacy by Design" across the organisation, ensuring that privacy is considered as part of everything that we do and, in particular, ensuring that:
appropriate access controls are applied to all our information
appropriate risk assessments are conducted, and
our staff receive appropriate Data Protection and Information Security training
We also continue to work with our suppliers to ensure that they meet our standards, act only on our instructions, and are under a legally binding contract.
All our service providers are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of your data.
What rights do you have in relation to the way we process your data?
Under data protection law you have a number of rights. You can:
obtain a copy of your data, with a description of processing ("subject access request")
have inaccurate or out-of-date information corrected
object to the processing of personal data
ask for us to restrict the processing of personal data (where contested or to prevent loss)
have your personal data erased (in limited circumstances)
prevent direct marketing
prevent fully automated decision-making and profiling
have your personal data transmitted to another organisation, and
where consent is our lawful basis for processing your personal data, you may withdraw this at any time by writing to us
Please note that these rights are not absolute. There may be circumstances where we cannot comply with a request or where an exemption applies. If this is the case, we will write to you to explain why.
If you would like to exercise any of these rights, please contact us at privacyrights@theipsa.org.uk
Further information
If you have any general questions about how we use and protect your personal information, you can contact us by email at info@theipsa.org.uk or call us on 020 7811 6400 (Monday – Friday, 10am – 4pm; calls may be recorded for training and quality purposes).
IPSA is registered as a data controller with the Information Commissioner’s Office (our notification number is Z2136128).
IPSA’s Data Protection Officer may be contacted at privacyrights@theipsa.org.uk or in writing to IPSA, 85 The Strand, London WC2R 0DW.
In the event that we are unable to help and you wish to complain, you should contact the ICO.
They can be contacted via their helpline telephone number: 0303 123 1113 or for additional contact options, you may wish to visit their website.