Privacy notice for the Independent Complaints and Grievance Scheme
This privacy notice provides you with information about how we collect and use personal data for the purposes of the Independent Complaints and Grievance Scheme (“the Scheme”).
In this privacy notice, references to ‘we’, ‘our’ or ‘us’ are to the House of Commons and House of Lords Administrations. Everything that we do with your personal data – for example, collecting, storing, using, sharing or deleting it – is referred to as ‘processing’.
This privacy notice applies to anyone whose personal data we process in dealing with a complaint made under the Scheme, including the complainant, the respondent, and witnesses.
Investigations under the Scheme are conducted by independent investigators contracted by the Corporate Officer of the House of Commons and the Corporate Officer of the House of Lords (“the Corporate Officers”). The personal data that investigators gather in an investigation is processed by them on behalf of the Corporate Officers. This notice also applies to that processing.
This notice will be reviewed periodically and, if necessary, updated.
- About us
The House of Commons and House of Lords are separate organisations. The controllers in each case are the Corporate Officer of the House of Commons and the Corporate Officer of the House of Lords. In some cases, personal data processing as described in this notice will be carried out by one of these two controllers only, while in other cases they will act as joint controllers together.
The Head of Information Compliance in the House of Commons is the Data Protection Officer for the House of Commons, while the Head of Information Compliance in the House of Lords is the Data Protection Officer for the House of Lords. Contact details for them can be found at the end of this notice.
- The personal data we process
For the purposes of the Scheme, we will process the following personal data:
- your name and contact details (such as email address and telephone number)
- if you are a complainant or a respondent, details of the complaint under the Scheme made by you or about you by another person
- if you are a witness, information you provide about a case
- information about your relationship with either House of Parliament
- information about your involvement in any previous investigation
- other personal data that you may share when you contact us by letter, email, phone or other means
- What happens if you do not provide your personal data
If you do not provide your personal data, it may affect your involvement with a complaint:
- If you are a complainant, you cannot make a complaint without providing your personal data
- If you are a respondent, you cannot respond to a complaint without providing your personal data
- If you are a witness, you cannot provide information about a case without providing your personal data
- How we collect your personal data
Your personal data can be provided to us:
- by you, when you contact us by letter, email, phone, the Helpline, or other means
- by another person, by the same routes
- in the course of an investigation carried out by an independent investigator (who for that purpose processes personal data on behalf of the Corporate Officers)
- Purposes of the processing
The processing of your personal data is necessary for the following purposes:
- If you are a complainant, to make and process your complaint
- If you are a respondent, to take your information into account as part of a complaint
- If you are a witness, to take your information into account as part of a complaint
- Undertaking quality assurance or learning of the work carried out by the independent investigators, either by quality assuring the investigation while it is active or by conducting a review of a closed case
- The lawful basis of the processing
In order to process your personal data, we must have a ‘lawful basis’. The lawful bases are set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The lawful bases for processing your personal data will depend on the specific reason we have collected it. The relevant lawful bases in this case are:
- UK GDPR Article 6(1)(a) – we have your consent
- UK GDPR Article 6(1)(e) – the processing is necessary for the performance of a public task, namely the exercise of a function of either House of Parliament (see DPA 2018 Section 8), or where the processing is in the public interest
- UK GDPR Article 6(1)(f) – the processing is necessary for the purposes of our legitimate interests or those of a third party when balanced against your interests and rights
The relevant legitimate interests for the purposes of Article 6(1)(f) are:
- our legitimate interest of ensuring that complaints made under the Scheme are fairly and robustly investigated and (if upheld) appropriate sanctions are imposed, with a view to upholding the principles set out in the Parliamentary Behaviour Code
- our legitimate interest of ensuring that investigations by independent investigators are conducted to an appropriate standard
- our legitimate interest of dealing with a legal claim
A further ‘condition for processing’ is required when processing special categories of personal data. Special categories include racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and information about sex life or sexual orientation. The conditions for processing are set out in the UK GDPR and the DPA 2018.
The conditions we rely on for processing this type of data for the purposes of the Scheme are:
- UK GDPR Article 9(2)(a) – where we have your explicit consent to do so;
- UK GDPR Article 9(2)(f) – the processing is necessary to deal with any legal claims;
- UK GDPR Article 9(2)(g) – the processing is necessary for reasons of substantial public interest, namely:
- the exercise of a function of either House of Parliament (see para 7 of Schedule 1 to the DPA 2018) or
- to protect you or another person from physical, mental or emotional harm (see para 18 of Schedule 1 to the DPA 2018).
In accordance with the DPA 2018, our policies for processing special category data can be found on our website:
- House of Commons Appropriate Policy Document: https://www.parliament.uk/globalassets/documents/Data-protection/information-compliance/Commons/House-of-Commons-Appropriate-Policy-Document.docx
- House of Lords Policy on processing special categories of personal data and criminal convictions data: https://www.parliament.uk/globalassets/documents/foi/house-of-lords-foi-and-data-protection/policy-on-processing-special-categories-of-personal-data-and-criminal-convictions-data-v2.pdf
Other lawful bases and conditions for processing may apply if the processing of personal data is necessary in emergency circumstances, for example, to protect an individual’s vital interests or for the provision of health or medical services.
- Who we share your personal data with
Where necessary, we may share your personal data with or disclose it to:
- the independent investigator appointed to investigate the complaint (see the introduction above)
- the relevant decision-making body (see below)
- persons who can take appropriate steps to protect you or another person from harm
- other organisations where there is legal obligation to do so. For example, the Police, for the purposes of prevention and detection of crime
- Other third parties who we may contract with to assist us with the effective investigation of complaints; for example, transcription services.
- An external party, who may choose to access case files to assist in their work reviewing or auditing the effectiveness of the ICGS and its processes; for example, an independent reviewer.
Which decision-making body (DMB) is relevant depends on who the respondent is:
- The DMB for staff of the Commons, Lords or Parliamentary Digital Service is the relevant HR department
- For MPs, the DMB is the Parliamentary Commissioner for Standards and in some cases, the Independent Expert Panel or the House of Commons itself
- For MP’s staff, the DMB is their employing MP or the MP’s political party (who in either case is a separate controller)
- For members of the Lords and their staff, the DMB is the Lords Commissioner for Standards
- For external contractors, their employer is the DMB (who is a separate controller)
Some DMBs are part of the House of Commons or the House of Lords, while others are separate controllers. Please note that DMBs which are separate controllers may have their own privacy notice that covers the processing of your personal data once they receive it from us.
We may disclose or publish statistical information about use of the Scheme in order to fulfil our obligations under the Freedom of Information Act 2000. This statistical information will not include your personal data.
- Storage of your personal data
We will retain your personal data for as long as is necessary for the purpose it was collected, subject to any exemptions set out in law. The length of time personal data is retained differs depending on the purpose of their collection and any relevant legal requirements. The applicable retention period can be found in the Authorised Retention and Disposal Policy (ARDP), which is Parliament’s information disposal policy. The ARDP can be found on our website: https://www.parliament.uk/business/publications/parliamentary-archives/who-we-are/information-records-management-service/.
We take the security of your data seriously. All personal data you provide to us, whether electronically or in paper form, will be stored securely in accordance with our policies. We have information security measures in place to oversee the effective and secure processing of it.
Some personal data controlled by us is held outside the UK, including on data servers in the European Economic Area (EEA). For the purposes of the UK GDPR and the DPA 2018, all countries within the EEA are regarded as providing an adequate level of data protection. We would not transfer personal data to a person in a country outside the UK or EEA unless satisfied that that person and country had safeguards in place to protect personal data.
- Your rights
Data protection laws provide you with rights over the personal data that we process about you. Subject to limited exceptions (see below), these are:
- Where we are relying on your consent to process your personal data, you can withdraw that consent or unsubscribe from our services,
- The right to access your personal data
- The right to rectification of your personal data
- The right to erasure of your personal data
- The right to restrict the processing of your personal data if you have an objection to us doing so
- The right to object to the processing of your personal data
- The right to portability of your personal data
- Rights in relation to automated decision-making and profiling
You can contact us if you wish to exercise any of these rights. Contact details can be found at the end of this notice.
Please note that formal individual rights requests are managed by the Information Compliance teams of both Houses of Parliament. They will retain your request, including any relevant personal data, to demonstrate that we have met our legal obligations under the data protection laws. These records are kept securely for five years.
If you wish to exercise the above rights in relation to personal data held by other controllers who are involved in the complaints process, please contact them directly.
Please note, some of your rights are subject to the exceptions specified in the UK GDPR and the DPA 2018, including in particular:
- under para 7 of Schedule 2 to the DPA 2018, the rights do not apply where this would be likely to prejudice the proper discharge of our public function of protecting members of the public against seriously improper conduct
- under para 13 of Schedule 2 to the DPA 2018, the rights do not apply where required for the purpose of avoiding an infringement of the privileges of either House of Parliament
If you have any concerns relating to the use of your personal data, you may complain to us using the contact details at the end of this notice.
You can also complain to the Information Commissioner’s Office, the supervisory authority, by contacting them: www.ico.org.uk/global/contact-us/.
- Contact details
If you have any concerns relating to the use of your personal data for the ICGS please contact firstname.lastname@example.org in the first instance.
If you have any further questions about the use of your personal data, please contact the relevant Data Protection Officer.
House of Commons:
- Email: email@example.com
- Post: Data Protection Officer, Information Compliance, House of Commons, SW1A 0AA
House of Lords:
- Email: firstname.lastname@example.org
- Post: Data Protection Officer, Information Compliance, House of Lords, SW1A 0PW
Further information about data protection in Parliament can be found on our website: https://www.parliament.uk/site-information/data-protection/.
Applies from 23rd November 2023 until further notice