The Data Protection Act (DPA) sets out rules for processing personal information. It gives certain rights to individuals and it also says that those who record and use personal information must adhere to eight data protection principles.
This page summarises the general obligations which apply to the House of Commons and the House of Lords as data controllers under the DPA:
The House of Commons and the House of Lords are separate data controllers. Use the links on the left hand side of this page to see the policies that apply specifically to each House and to find out how to request access to your personal data.
Individual Members of Parliament (MP's) are data controllers in their own right. Requests for your own personal data that is held by an MP should be sent directly to that MP and not to the House of Commons. Supporting guidance for MP's is available on the House of Commons page.
The data protection principles
Personal data shall be:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
5. Not kept for longer than is necessary
6. Processed in line with an individual's rights
8. Not transferred to other countries without adequate protection
Data subject rights
Under the Data Protection Act (DPA) individuals may ask, in writing, to see information that is held about them. This is known as a 'subject access request. A data controller may ask for the following before processing a subject access request:
- a fee of £10 to be paid
- more information to enable them to locate the requested information,
- and adequate proof of identity from the applicant before considering the request
A response to a subject access request will be given within forty calendar days of receipt of the above.
Relationship with FOIA
Requests for access to personal data that are made by someone who is not the subject of that personal data are not subject access requests. These should be considered under the Freedom of Information Act, but the information will not be shared if doing so will breach one of the data protection principles.
There are a number of exemptions contained in the Act. These may apply to the right of subject access or to the duty to comply with one or all of the principles. Examples of exemptions include:
- crime and taxation
- parliamentary privilege
- research, history and statistics
- confidential references
- legal professional privilege
Further details on the exemptions and how they apply can be found on the Information Commissioner's website www.ico.org.uk
Complaints and appeals
You are entitled to complain to us if you are not happy with the response to your subject access request or with our handling of your personal data. Your complaint will be reviewed internally, according to the procedure of the House who handled your request. If you are not happy with the internal review of your request, you can appeal to the Information Commissioner's Office www.ico.org.uk