On 25 May 2018, European data protection legislation was updated for the first time in 20 years.

GDPR and its implementation with the Data Protection Act 2018 replace the 1995 EU Data Protection Directive to deliver a harmonised approach to data protection across the EU.

Individuals “subject rights” have been significantly strengthened and better described.

We are committed to privacy good practice and security with GDPR compliance. The policies and documents on this page provide assurance and evidence of this commitment.

We are a public authority defined under the Freedom of Information Act 2000

We are registered (Z2136128) with the Information Commissioner’s Office.

Our Data Protection Officer can assist you with privacy questions, rights and reviews. You can contact them by email to or by post addressed to IPSA Data Protection, 2nd Floor, 85 Strand, London WC2R 0DW.

If we have been unable to help you with your data protection rights, you have the right to complain to the Information Commissioner.

You can call the Information Commissioner's helpline on 0303 123 1113 or, for more options visit the ICO website.

Freedom of Information legislation came into force on 1 January 2005. It provides members of the public with a right of access to information held by public authorities to:

  • support openness and transparency across the public sector

  • provide them with a greater understanding of how public money is spent

  • help them understand how decisions are taken which affect the services provided to them

Data protection laws give data subjects (“natural living persons”) a suite of rights to confirm processing, the nature of that processing, and to potentially alter or halt processing.

This policy applies to all of our staff, whether permanent, temporary, locum or contractor staff. Others who may come into contact with personal data but are not actually employed by us, for example, partner organisations and voluntary staff, have a contractual obligation to follow the requirements of confidentiality that any member of staff is expected to follow.

Read our full Information rights, Freedom of Information and DPA policy.

IPSA collects and processes personal data relating to its workforce, which includes: employees, temporary staff, contractors/consultants, board members and applicants/candidates for IPSA roles.

IPSA is committed to being transparent about how it collects and uses that data and to meeting its obligations under data protection legislation.

Information that IPSA holds by which individuals can be identified is known as their "personal data". The personal data that we hold includes data that we obtain directly from our workforce as well as data we obtain from other people and organisations about our workforce.

Read our full Human resources privacy notice.

During an MP's time in office, or while their staff working for an MP, we collect and process a range of different types of personal information.

When they cease to be an MP or be employed by an MP, we continue to hold some data for a predefined period to fulfil our remaining tasks and legal obligations.

The type of information we collect depends on the nature of your relationship with us and which of our services are used.

Read the full Privacy Notice for MPs and their staff.

The "appropriate policy document" for IPSA sets out how we will protect Special Categories Personal Data.

It meets the requirement at paragraph 1 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document is in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

Read the full Appropriate Policy Document.

The purpose of the Information Governance and Assurance Framework is to formally establish IPSA’s position regarding Information Governance and Assurance.

It is a baseline for Information Governance training and awareness and sets out the policies and procedures all staff need to understand and apply in the course of their day-to-day work.

The Framework covers all staff (including temporary and contract staff) who create, store, share and dispose of information. It sets out the procedures for sharing information with stakeholders, partners and suppliers. It concerns the management of all paper and electronic information and its associated systems within the organisation, as well as information held outside the organisation that affects its regulatory and legal obligations.

Read our full Information Governance and Assurance Framework.

Our Data Breach Policy sets covers:

  • action to be taken to contain the incident in the event of a data breach

  • decision on whether the Information Commissioner’s Office (ICO) should be notified, and then following reporting ICO procedures in a timely manner

  • actions to investigate the breach, and short and longer term mitigation. In particular to accurately capture the incident and record the log entries

  • action to be taken in respect of the individual(s) responsible for the breach

Read our full Data Breach Policy.

IPSA creates and manages a wide range of records to enable us to fulfil our statutory responsibilities and strategic aims.

A record is defined as information created, received and maintained as evidence and by an organisation or person, in pursuance of legal obligations or in the transaction of business.

We are responsible for storing, managing and archiving these records securely and accessibly, in compliance with legislative requirements on data protection, FOI and public records and with our obligations to account for our activities and expenditure to Parliament and the public.

In fulfilment of our statutory responsibilities and in the spirit of transparency we regularly publish data on MPs’ business costs, in accordance with our approved publication scheme.

For the purposes of the Data Protection Act IPSA is a controller and processor of a range of personal data, as set out in our Information Asset Registers and Register of Processing Activities, which we are required to fulfil in accordance with DPA/ GDPR principles.

Read our full Records Retention Policy and Schedule.