18 September 2023 - a section has been added to clarify what elected representatives should do with their constituents' personal data when the boundary of their constituency changes. The processes are essentially the same as those for an elected representative who is ending their role.
The changes have been added because the Boundary Commission for England has recently reviewed and changed the boundaries for constituencies in England. These changes will take effect at the next General Election and elected representatives have requested clarification on what processes they should follow when dealing with their constituents' personal data in these situations.
21 December 2022 - The guidance explains:
- what you must, should, and could do to comply with data protection law;
- the lawful reason you can rely on for processing personal data;
- what to do if you are using special category data; and
- what to do when you end your role as a representative.
At a glance
- This guidance helps elected representatives and their staff comply with data protection law when you carry out constituency casework.
- As part of your function as an elected representative, you are a controller for the personal data you use (including collection, storage, sharing and disposal).
- As a controller, you must comply with the data protection principles and enable people whose data you process to exercise their information rights.
- In carrying out constituency casework, you must satisfy a lawful reason for processing personal data under Article 6 of the UK General Data Protection Regulation.
- If you are processing special category data (such as personal data about health, political opinions or ethnicity), you must also satisfy a UK GDPR Article 9(2) condition for processing.
- This guidance also includes information on what you should do with personal data when you stop being an elected representative.
- Who are elected representatives?
- What do we mean by constituency casework?
- What is the UK’s data protection regime and who is responsible for compliance?
- What are the data protection principles?
- What are the data protection rights?
- What lawful reason can I rely on for processing personal data?
- Using special category data
- Ending your role as a representative
- More information
This guidance assumes you are familiar with key terms and concepts in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). If you need an introduction to data protection – or more context and guidance on key concepts – you should refer to our separate Guide to data protection.
The purpose of this guidance is to provide data protection advice specifically for carrying out constituency casework. We have written separate guidance on the use of personal data in political campaigning.
What is a legal requirement in this guidance and what is good practice?
To help you to understand the law and good practice as clearly as possible, this guidance says what you must, should, and could do to comply with data protection law.
- Must refers to legislative requirements.
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.
This guidance is for any representative as defined in the DPA 2018, although it is most relevant to parliamentarians and assembly members carrying out regular constituency casework.
This guidance takes the meaning of elected representatives from the DPA Schedule 1, Paragraph 23(3) as:
(a) members of the House of Commons;
(b) members of the Welsh Parliament/Senedd Cymru;
(c) members of the Scottish Parliament;
(d) members of the Northern Ireland Assembly 1;
(f) elected members of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—
(i) in England, county councils, district councils, London borough councils or parish councils;
(ii) in Wales, county councils, county borough councils or community councils;
(g) elected mayors of local authorities within the meaning of Part 1A or 2 of the Local Government Act 2000;
(h) mayors for the areas of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
(i) the Mayor of London or elected members of the London Assembly;
(j) elected members of—
(i) the Common Council of the City of London, or
(ii) the Council of the Isles of Scilly;
(k) elected members of councils constituted under section 2 of the Local Government etc (Scotland) Act 1994;
(l) elected members of district councils within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));
(m) police and crime commissioners.
The DPA 2018 does not explicitly define constituency casework but Schedule 1, Paragraph 23 instead refers to processing carried out:
“(i) by an elected representative or a person acting with the authority of such a representative,
(ii) in connection with the discharge of the elected representative’s functions, and
(iii) in response to a request by an individual that the elected representative take action on behalf of the individual, and
(b) where the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request.” 2
For the purposes of this guidance, we use the term constituency casework to mean the above.
The UK GDPR and DPA 2018 form the UK’s data protection regime. Together they set out the key principles, rights and obligations for most uses of personal data in the UK.
The above legislation sets out the responsibilities of:
- controllers – the person or organisation that determines the reasons and ways of using personal data; and
- processors – the person or organisation that uses data on behalf of a controller.
As part of your function as an elected representative, you are a controller for the personal data you use to deal with constituency casework (including collection, storage, sharing and disposal). This is because you are responsible for deciding the reasons and ways of using the data.
As a controller, you are responsible for complying with the data protection principles and enabling people whose data you use to exercise their information rights.
Processors act on behalf of controllers. These are separate organisations, rather than your employees. You may have a number of processors using data on your behalf. For example, many representatives use an online casework management system or third-party digital service. The organisation you contract to provide these services is likely to be a processor.
Whenever you use a processor you must have a written contract (or another legal act) in place between you and the processor. The contract is important so that both parties understand your responsibilities and liabilities. For more information, see our detailed guidance about controllers and processors.
The UK GDPR sets out seven key principles that you must comply with:
- Lawfulness, fairness and transparency – You must have a lawful reason for using personal data (see what lawful reason can I rely on for processing data below) and an additional condition under Article 9 UK GDPR if you are using special category data (see using special category data below).
You must use personal data in a way that is fair. You should only use personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.
You must also process data in a transparent way, being clear and honest about how you will use their data, and comply with the transparency obligation in people’s “right to be informed” (see what are the data protection rights below).
- Purpose limitation - You must have a specific and legitimate reason for collecting and using personal data. In relation to this guidance the purpose is the need to respond to constituency casework.
It will only be appropriate to use information obtained as part of constituency casework for an alternate purpose if it is to fulfil a clear function or obligation set out in law, the new processing is compatible with the original purpose or you obtain consent. If you are using information for a different purpose, you should be clear about this and should update your privacy information.
If you are dealing with a constituency casework matter and wish to send the constituent your regular newsletter or other mailing, you must obtain consent for this processing as it is outside of your original purpose of responding to their constituency concern.
You may sometimes need to continue to contact a constituent after initially responding to them, for example because they raised a wider policy question or their constituency casework is ongoing. This is unlikely to be considered a new or separate purpose and so you would not need to obtain consent for this processing. If the individual indicates they no longer wish to be contacted about an ongoing issue, it is unlikely to be fair to continue to do so.
For further guidance, read our guidance on the use of personal data for political campaigning in relation to purpose limitation.
- Data minimisation - You must only collect and use the minimum amount of data that you need for the purpose you are collecting it for.
- Accuracy - You must ensure that you keep data accurate and up-to-date.
- Storage limitation - You must only retain personal data for as long as you need it.
- Integrity and confidentiality (security) - You must put all appropriate measures in place to secure the personal data you hold. You must protect data from unauthorised or unlawful processing and accidental loss, destruction, or damage.
These measures can often be simple but it is important you take steps to protect the data you hold. You should use strong passwords, make sure you double check correspondence before sending it out and store any physical data securely. You should also ensure your staff understand the importance of security. Read our Basic personal data security: quick wins guide on our SME hub.
If you inappropriately disclose, lose, alter or destroy personal data, you may need to report this to the ICO. You can use our self-assessment tool to consider whether you need to report the breach. In more serious cases, you also need to inform the people affected.
- Accountability – You are responsible for the data you hold and must demonstrate compliance with the other principles. You must have appropriate measures and records in place as proof of your compliance.
Under UK GDPR, people have a number of rights over their data. You must be aware of all these rights, but in particular the right to be informed and the right of access for your role in carrying out constituency casework.
People have the right to be informed. This means that you must provide people with ‘privacy information’ at the time you collect their personal data from them. This information includes your reasons for using their personal data, your retention and disposal arrangements, and who you will share it with.
This should normally be straightforward when a constituent asks you to assist them in resolving a problem. For example, your automated email response could include details and links to your privacy notice and you could publish it on your web page, if you have one.
In other situations, such as when another person contacts you on a constituent’s behalf, you should proactively provide the constituent with privacy information. See our guidance on the right to be informed and our privacy notice tool.
People have the right to ask for copies of their personal data held by a controller. This is called the right of access and is commonly known as making a subject access request or ‘SAR’. As controller, you must respond to a SAR usually within a calendar month. You must provide a copy of the personal data you hold and information about your processing, unless exemptions apply or you can refuse the request as manifestly unfounded or excessive. See our guidance on SARs.
For further information, see our guidance on individual rights.
Under Article 5(1)(a) of the UK GDPR, you must process personal data lawfully. This means you must be able to rely on a lawful reason, known as a lawful basis. The lawful bases are listed in Article 6(1) of the UK GDPR. Your processing must also not contravene other laws.
In the vast majority of cases as elected representatives, you are able to rely on the lawful basis Article 6(1)(e) - public task. This applies when using personal data is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear reason in law.
Section 8 of the DPA 2018 gives further details about the different official functions and tasks in the public interest to which Article 6(1)(e) – public task refers. These are:
“(a) the administration of justice,
(b) the exercise of a function of either House of Parliament 3,
(c) the exercise of a function conferred on a person by an enactment or rule of law,
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or
(e) an activity that supports or promotes democratic engagement.”
You are very likely to be able to rely on Section 8(c) or (e) when processing personal data as an elected representative. As a fundamental part of your role is representing constituents through carrying out constituency casework, you are very likely to need to use personal data for this purpose.
In practice, the use of either of these conditions is likely to be similar as they come under the umbrella of the same lawful reason. However, as part of the accountability principle, you must be able to demonstrate and justify your reliance on a particular lawful basis.
For further information, see our guidance on lawful bases.
Under UK GDPR, particularly sensitive types of data require more protection. These are referred to as special category data. Special category data is defined as information revealing or concerning a person’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data, where used for identification purposes;
- sexual life; or
- sexual orientation.
Where you need to process special category data in order to carry out constituency casework, you must have a “condition for processing” under Article 9(2) UK GDPR. This is in addition to a lawful reason for processing.
Personal data about criminal allegations, proceedings or convictions are not technically considered special category data. However, there are similar rules and safeguards for using this type of data to deal with the risks associated with it. For more information, see our guidance on criminal offence data.
There are a number of conditions for processing special category data. However, there is a specific condition for processing for elected representatives carrying out constituency casework. This is UK GDPR Article 9(2)(g) ‘reasons of substantial public interest’. When you rely on this condition, and you are using criminal offence data, you must also identify a condition under Part 2, Schedule 1 of the DPA. The most appropriate is Schedule 1, Paragraph 23(1):
“23(1) This condition is met if
(a) the processing is carried out—
(i) by an elected representative or a person acting with the authority of such a representative,
(ii) in connection with the discharge of the elected representative’s functions, and
(iii) in response to a request by an individual that the elected representative take action on behalf of the individual”
This means that where the special category or criminal offence data belongs to the person who requested you take action on their behalf, you can rely on this condition. As you are relying on the substantial public interest condition, you do not need to seek consent, which is a separate condition.
When relying on this condition you must have an appropriate policy document outlining your compliance measures and retention policies for special category data. Our template appropriate policy document shows the type of information you should include. You could use the information contained within your appropriate policy document to complement your general accountability documentation.
Using information about a third party
You may sometimes be asked by an individual to progress a casework matter on behalf of another constituent that involves processing that constituent’s personal data, often including special category data. This individual could be a family member, friend or legal representative. If they have permission to take the matter forward then you can progress the matter as normal.
For the purpose of this guidance, permission constitutes a lawful authority such as a power of attorney or letter of authority, or the explicit consent of a data subject which may be given verbally or in writing. If given verbally, you must clearly document this consent. We have detailed guidance on using consent on our website.
There are circumstances where the individual will not have this permission, such as a family member asking you to take up a case of a relative who is unwell. If taking the case forward will involve processing the constituent’s special category or other personal data, then you must where possible seek permission for the individual to act on behalf of the constituent. Once you have that permission you can pursue the case as normal.
If you are unable to obtain permission from the constituent you must consider whether it is proportionate and necessary to progress the case without this permission. You do not need to obtain permission where:
- You can deal with the casework matter without processing the constituent’s personal data or causing them any prejudice;
- Obtaining permission would prejudice the action you are taking or would otherwise be unreasonable in the circumstances; or
- Permission is being unreasonably withheld and using the data is necessary in the interests of another person.
If having considered the above you decide it is necessary and proportionate to progress the case without permission, you can rely on Article 6(1)(e) ‘public task’ as your lawful basis and Article 9(2)(g) ‘necessary for the reasons of substantial public interest’ and the condition at DPA, Schedule 1, Paragraph 23 (see above).
When you choose to process personal data in these circumstances you should clearly record why you thought it was necessary to do so without obtaining permission. These records will provide evidence of your decisions and actions if you need to use them as part of any complaints process.
Organisations disclosing information to an elected representative
You may need to ask external organisations to disclose information, including special category data, to you in the course of your constituency casework.
In most cases it is likely to be reasonable for an organisation to disclose information as part of an elected representative’s handling of a casework matter. However, it is important to remember they are not compelled to provide this, and there may be circumstances where the release of information is not appropriate without the approval of the individual, for example in a confidential medical setting.
When you stop being an elected representative you should review your casework records. You continue to be the controller for all the records you hold and anything you do with a person’s data should be in line with their reasonable expectations. For example, you should not normally pass on constituency casework records to a new elected representative, unless the constituent is content for this to happen.
If there is an increased likelihood of a change of representative, prepare for this as soon as is practical.
You should securely destroy records about closed cases that are not likely to be reopened.
You should consider what to do with live cases and any closed cases likely to be re-opened on a case-by-case basis. In doing this you should take into account the expectations of the individuals and consult with them where their views are not clear. Options that you could offer to constituents include:
- securely destroying the documents;
- passing the case file to the new representative with the constituent’s consent; or
- passing the case file to the constituent themselves.
Special category data
If you are not re-elected, it is important to be aware that you only have a condition for using special category data for four days after the election.
This is the case if you are relying on Article 9(2)(g) ‘necessary for the reasons of substantial public interest’ and DPA 2018, Schedule 1, Paragraph 23. The law stipulates that an individual who was a member of the House of Commons, Welsh Parliament/Senedd Cymru, Scottish Parliament or Northern Ireland Assembly immediately before that Parliament or Assembly is dissolved, “is to be treated as if the person were such a member until the end of the fourth day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.”
If you no longer have a condition for processing and you continue to do so then you are very likely to be in breach of UK GDPR.
As four days is such a short time frame, it is sensible to review your records containing special category data in advance where practical and not to keep casework records for longer than is necessary. This will give you time to consider what to do with each case file and consult constituents, as necessary. This is particularly sensible if you are standing down at the election.
We understand that this may not always be possible and that the risks around destroying case files without review can be as great or greater than those associated with continuing to use special category data without an appropriate condition. If you have taken reasonable steps to comply with the law in this way but find yourself in breach, we will take a pragmatic approach to any resulting action, in line with our Regulatory Action Policy.
How do changes in constituency boundaries affect how I process personal data relating to constituency casework?
Constituency boundaries are reviewed periodically to make sure that constituencies are all roughly a similar size and respect local ties between areas. Boundary changes take effect at the relevant election (e.g., general election for Westminster MPs). At this time, the composition of constituents in many constituencies will change to reflect the new boundaries. New constituencies will likely be created, others disbanded and others have numbers of constituents increased or decreased.
In data protection terms, this means that even if you have been re-elected to the same constituency, where a boundary change has taken place, you will likely no longer be the controller for personal data belonging to affected constituents who are now outside of your constituency. Where new cases are raised or constituents have opted to have their case files passed to you, you may also become the controller for personal data belonging to new constituents now inside of your constituency.
Should I continue to carry out all constituents’ casework?
As boundary changes do not take place until the election, elected representatives should continue to process constituency casework data for all constituents in the way they normally would until this point. This includes casework relating to those affected by boundary changes.
At dissolution, when ending your role as an elected representative (whether re-standing for election in the same constituency, re-standing in a different constituency or not re-standing at all) you should review casework records and process people’s data in line with their reasonable expectations in the same way as you would if there were no boundary changes. See the section on ending your role as a representative above.
What can I do to prepare?
Regardless of boundary changes, you should review your records and not keep any casework data longer than necessary.
You should not normally pass on constituency casework records to a new elected representative, unless the constituent is content for this to happen.
As far in advance of the election as practicable you should destroy records about closed cases that are not likely to be reopened and prepare options for constituents on what they would like you to do with live or likely to be re-opened cases.
When taking on new or reviewing live or likely to be re-opened casework relating to constituents affected by boundary changes, if you know you will no longer be representing them after the election (regardless of outcome) you should make constituents aware of this and which constituency they will soon be part of. This will allow them to make a clearer choice on what they would like to happen to their case file.
Once boundary changes are finalised, you could provide this information and options well in advance to make it easier for you to action constituents’ choices at dissolution.
For more information on other parts of data protection law, please read our guidance pages. We also have specific resources for small and medium size enterprises which you might find useful.
1. (e) a member of the European Parliament elected in the United Kingdom;
Provision removed on 31 December 2020 from the Data Protection Act following the UK’s withdrawal from the European Union.
2. Data Protection Act 2018 Schedule 1 (paragraph 23)(1)(a)
3. Section 8 (b) the exercise of a function of either House of Parliament is likely to be the most appropriate basis for the House of Commons and House of Lords as institutions to rely upon, rather than for MPs or members of the House of Lords.