
Privacy Notice and Rights (Fair Processing Notice)

Who we are and what we do

IPSA is a regulator and data controller created by the Parliamentary Standards Act 2009. IPSA is independent of the Government, and fulfils three primary responsibilities:

  1. Regulate MPs’ business costs and expenses
  2. Determine and administer MPs’ pay and pension arrangements
  3. Provide financial support to MPs for their parliamentary business

We publish reports and claims in the public interest, with redaction for privacy and security reasons.

IPSA is committed to “Privacy by Design” and implements a layered security approach that includes access controls, good practice such as encryption and security audits, staff training, and supplier contracts (data processor and sharing arrangements). We do not transfer personal data outside of the EU.

Data Protection Officer

We are required to appoint a Data Protection Officer.  They are responsible for all matters relating to data protection, and their contact details are listed in the Contacts section below.

What is a Privacy Notice (or Fair Processing Notice)?

We use (“process”) personal information in the exercise of our functions under the Parliamentary Standards Act 2009. The information that we use includes “personal data” and “special category personal data”.  Personal data is any information from which someone can be identified, and “special category” refers to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or data about a person’s sex life or sexual orientation. Financial data is personal data but not “special category” data.

This notice sets out our purposes for processing personal data, our lawful basis for doing so, the personal data that we process, who we might pass that data to, how long we will keep your data, and your rights in relation to the processing of personal data.

What personal data does IPSA process and what is our lawful basis?


MPs and their Staff

We process personal data relating to MPs and their staff. We do so where necessary in the public interest and to fulfil our statutory functions. We will collect this data throughout the time MPs serve and the duration of employment of their staff. The New Members’ Reception Area (NMRA) process is the main process by which IPSA collects MPs’ data at the beginning of their parliamentary service. Their personal data and that of their staff is amended principally by means of forms published on the IPSA website. IPSA Online enables personal data updates, requests, accuracy checking, budget tracking, and inspection (supporting subject rights). MP Account Managers use a Customer Relationship Management system for case handling. Personal data will include at least: contact details and home addresses, contracts, work patterns, bank details, receipts and invoices. IPSA may also seek evidence of circumstances for benefits and allowances.

We are required to publish certain personal data relating to MPs’ business costs and expenses.  Our Publication Policy is here:

Third Party Complaints and Enquiries

We will gather contact details and sufficient information from you to enable us to process complaints or enquiries.  Complaints or enquiries dealt with by us will be conducted in the public interest or in the exercise of our statutory functions.  If we require consent to any processing of personal data then we will seek this from you.

Website Visitors

For website visitors and remote systems, we will collect computer information necessary for website use, performance and access for security, best practice, and ensuring our systems work as intended. This may include metrics, routing and cookies. There is a separate Website Privacy Policy found at

Our Workforce

We process employment personal data, described in a separate Privacy Notice – Human Resources.

Sharing your Information

There will be times when we share your information with other organisations.  Where we do share information we only do so when we are sure there is respect for your rights and data is secured.

We may instruct third party data processors who act on our behalf and on our instructions. They include information technology support, archiving partners, employee benefit providers, consultants, and commercial partners. We will only share personal data on the basis of contractual terms that ensure that data is protected and that processors comply with data protection legislation and safeguards.

Complaints will be shared with the investigating body where it is necessary.  We may also need to share personal data with third party organisations in order to deal with enquiries. We will only send what is needed to answer the issue, unless we are obliged by law.

We work closely with the House of Commons on matters related to our statutory functions. They provide HR and pensions support to Members and their staff.  We have data sharing agreements with the House of Commons.

We may otherwise share information with third party organisations, such as the police or HMRC, or for reference requests, in restricted circumstances and where the law provides for us to do so.

Rights of Data Subjects

  • To obtain a copy of your data, with a description of processing (‘subject access request’)
  • To have inaccurate or out of date information corrected
  • To object to the processing of personal data
  • To restrict processing of your personal data (where contested or to prevent loss)
  • To have your personal data erased
  • To prevent direct marketing
  • To prevent fully automated decision making and profiling
  • To have your personal data transmitted to another organisation
  • Where consent is the lawful basis, you may withdraw this at any time by writing to us

If we do not intend to or cannot comply with a request then we will explain why.

Retention and Destruction

We will only process personal data for as long as necessary for the purpose for which we are processing that personal data.  We will securely dispose of any personal data in accordance with our retention and destruction policy.

Contacts and Complaints

If you wish to exercise your rights or have questions please write to the Data Protection Officer in the first instance as below.  You may also contact IPSA as data controller at the same address:

Email: OR

Post: IPSA Data Protection, 4th Floor, 30 Millbank, London SW1P 4DU

Please include your name, organisation, full address, and telephone (if possible) and clearly lay out questions and expectations. We aim to answer, depending on complexity, within a calendar month.

In the event we are unable to help and you wish to complain, contact the ICO.

ICO helpline 0303 123 1113 or, for more options: