This Privacy Notice details the personal data we hold about you and how we will process it in line with our obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). In this Privacy Notice, references to ‘us’, ‘our’ or ‘we’ are to the House of Commons. Everything that we do with your data – for example storing it, working with it or deleting it – is referred to as “processing”.
1. About the House of Commons
The Corporate Officer (Clerk of the House) is the Controller of any personal data processed as described in this Privacy Notice. The Data Protection Officer is the Head of Information Rights and Information Security.
If you have any questions about the use of your personal data, please contact us:
- Email – IRIS@parliament.uk
- Telephone – 0207 219 4296
- Post – IRIS Service, House of Commons, SW1A 0AA
2. The personal data we collect, the purpose and lawful basis for processing
This notice relates to the personal data which has been shared by you with the House of Commons in your capacity as a sole trader. For example, your name, address and bank account details. We collect this data from you and process it in the course of our contractual relationship, for example when we pay you for goods or services.
From time to time, we also run a data analytics exercise on that personal data for internal assurance and counter fraud purposes.
The data analytics exercise involves examining large volumes of raw data using specialist software to identify issues of data quality, exceptions or analysis which may warrant further investigation, as well as to provide assurance. One element of this can be data matching. Our internal audit team will review any data inconsistencies or anomalies flagged as part of the data analytics exercise.
The processing in the data analytics exercise is done under Article 6 (1) (e) of the GDPR (performance of a task carried out in the public interest) for the purposes of prevention and detection of fraud.
National Fraud Initiative
We also participate in the National Fraud Initiative (NFI) which assists in the prevention and detection of fraud. The NFI is a data matching exercise that compares information held by, and between, around 1,300 public sector organisations to help identify potentially fraudulent claims, errors and over-payments.
Data matching involves comparing sets of data held by one organisation with records held by the same or another organisation to see how far they match. This includes personal data about sole traders.
Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
A full data specification for the NFI is available on the Cabinet Office website. It is expected that data matching will be carried out between October and January on a bi-annual basis with the investigation of anomalies from the end of January. Data going back 3 years will be used.
The data processing involved in sharing personal data with the Cabinet Office for the NFI is done under the lawful basis found at Article 6 (1) (e) of the GDPR (performance of a task carried out in the public interest) for the purposes of prevention and detection of fraud.
Further detail about the lawful bases for processing personal data can be found on the Information Commissioner’s website.
3. Who we share your personal data with
When we run a data analytics exercise we share your personal data with a specialist external provider of audit services. The external provider is engaged by us as a data processor and we have a GDPR-compliant contract with them. This provides assurance that they have appropriate security controls in place and will protect your personal data.
In order to participate in the NFI, we share your personal data with the Cabinet Office as described above. The Cabinet Office runs a data matching exercise on the personal data in order to prevent and detect fraud. The Cabinet Office will share with us any data inconsistencies.
You may also wish to refer to the Code of Data Matching Practice on the Cabinet Office website where you can also find out more information on the National Fraud Initiative in general.
4. Storage and retention of your personal data
The House of Commons will retain your personal data for as long as is necessary for the purpose it was collected, i.e. for the duration of your contract or trading relationship with us, or longer where it is lawful to do so. Periodically, when an account has been inactive for over two years, the data is deleted.
Where we share your data with the external provider of audit services, we will ensure that they are required to provide appropriate technical and organisational measures to protect the security of your personal data (in storage, use and transfer), that appropriate retention periods are in place and that they are under a duty of confidentiality. This will be defined in any contract we have with the data processor.
The Cabinet Office will retain your data for four years.
5. Disclosure and security of your personal data
All personal data will be stored securely, both physically and electronically, in accordance with our policies. We have an information security process in place to oversee the effective and secure processing of your personal data.
Some personal data controlled by the House of Commons Administration are held outside the UK. These data are predominantly held in data centres within the European Economic Area (EEA), for the purpose of hosting and maintenance. If personal data are transferred to third countries outside the EEA, the adequacy of those countries and organisations holding the data is assessed to ensure appropriate safeguards are in place.
Data will be securely transmitted to the NFI under data handling protocols specified by the NFI team and agreed with our Senior Information Risk Owner or their representatives.
Data will be securely transmitted to the specialist external provider of audit services under data handling protocols agreed with our Senior Information Risk Owner or their representatives.
6. Your rights
You can exercise your rights in relation to the personal data we hold by contacting the Information Rights and Information Security (IRIS) Service. These rights include (subject to limited exemptions):
- The right of access
- The right to request rectification
- The right to request erasure
- The right to restrict the processing
- The right to object to the processing
- The right of data portability
7. Right to complain
If you are unhappy with the use of your personal data by the House of Commons Administration, you should contact the Data Protection Officer in the first instance. You also have the right to complain to the supervisory authority if you consider that the Administration is in breach of your data protection rights. The supervisory authority is the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Further details about your rights and the complaints process can be found on the Information Commissioner’s website.