General Data Protection Regulation Notice
Document Retention and Data Protection (GDPR Update) 2018
Members and their staff in both constituency and Westminster offices must follow the eight principles which set out the minimum requirements under the Data Protection Act 1998, which have been updated to include GDPR. Under GDPR the MP’s office is mostly a Data Controller and therefore fully responsible for the data subjects’ information collected and held.
- Fair and lawful; In terms of casework and policy work it is important to confirm that the person who is requesting representation is a constituent and has given consent, whether this is by speaking to them directly or by receiving their email or written request. If the constituent is unable to give consent directly, i.e. is incapacitated or stuck abroad, then either signed authority should be sought or, if not appropriate, the next of kin can raise the issue on their behalf. If the constituent affected is a child, their parents can raise the matter on their behalf, but action must be taken to ensure they are the parent, i.e. record details of full name and date of birth of the child. In the constituency office we also have CCTV cameras which record footage in the office. This is only viewed if necessary, i.e. there has been a security incident, by the Office Manager and the Police if involved; no other staff should access footage unless the Office Manager is not available. CCTV recordings are only kept for a minimum period, and notices are placed in the constituency office informing visitors that it is in place and referring them to the Privacy notice on the website for further information.
- Specified, lawful and compatible purposes; Contact details provided cannot be used for newsletters or unconnected communications unless the constituent has opted in for further contact. If consent has been provided without a case or policy enquiry (for example, members newsletter) then this consent must be stored in the GDPR file if in writing or in the GDPR email folder if an email consent. If consent is later withdrawn then contact details should be removed and the consent form destroyed either by shredding or deletion. If a ‘casework or policy issue’ constituent has opted in then this should be tagged clearly on caseworker as ‘contact allowed’; if a constituent opts out this tag should be immediately removed. All Constituent Contact Forms now include a section to opt in and require a signature by the constituent. Caseworker templates for both email and default constituent letters also contain a privacy notice which explains how to opt in and opt out. If you are using any other written way to make initial contact with a constituent the following privacy notice must be included; it may be good practice to include this below your personal email signature.
Constituents: I will treat as confidential all personal information you give to me or my staff. I may need to pass on this information to others so they can help you. I undertake to handle the information you give me in line with the requirements of GDPR under the Data Protection Act 2018. We would also like to use your information to let you know about constituency news and events that may be of interest to you. If you would like to hear from us, please email YES to firstname.lastname@example.org or by reply. If you no longer wish to receive constituency news and events, please email STOP to email@example.com providing your name so we can stop further communications.
Privacy Notice: If you have any queries regarding the processing of your personal data by my office you can view our Privacy Notice here, http://www.juliecooperforburnley.co.uk/privacy_policy which outlines what data we hold, why and for how long as well as your rights.
Others: I have been asked by my constituent to pursue this matter and am doing so in line with the requirements of GDPR under the Data Protection Act 2018. This may involve the handling of sensitive personal information, as permitted under the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002.
If taking details for casework or policy issues over the telephone then the data subject / constituent must be informed what information is being taken and why it is necessary. An initial letter should then be sent out that day which includes details of the privacy notice and where to find it on the website or how to request a written copy.
- Adequate, relevant and not excessive; Only retain information or documents which are relevant; anything else should be shredded if it contains any personal information. Original responses received should be sent to the constituent and scanned on to their case on caseworker; only retain a paper copy if considered necessary.
- Accurate and up to date; Ensure that information input on to caseworker is accurate and paperwork retained is filed in the correct file. If information updates are provided ensure these are amended at the time they are reported.
- Not kept for longer than is necessary; Information held on the caseworker system and in paper files is only retained for a Parliamentary term or 5 years from the date of closure. When closed, all cases must be clearly marked with the month and year of closure. In January each year a manual trawl of all paper files must be completed and all those older than 5 years must be taken out, checked and then shredded. Once shredded, caseworker.mp must be given information as to which files to delete from their database.
- Rights of data subjects; Where required, signed authorisations should be sought and retained both in the paper file and scanned to the caseworker file. This includes cases dealing with health issues and cases where constituents have not been able to provide authority directly. Constituents or data subjects can also request their information is deleted, withdraw consent to handle their data or complain if they feel their data has been mishandled. Details of how data subjects can do this are provided within the Privacy notice on the website. In all cases full procedures must be followed as per the GDPR file and Information Commissioner’s Office advice; refer all requests to the Office Manager.
- Protected by appropriate security; Caseworker is protected by the security settings required to enter the database; do not share your password for caseworker with anyone and ensure it is kept secure. Paper files must be filed away in lockable cabinets whenever not in use. Any paper files or documents held on your desk must not be visible if there are visitors in the office, and if you are away from your desk your computer screen should be left locked. If anyone calls to check progress on a case, all possible checks should be made to ensure that the person calling has the authority to receive that information from the constituent or that it is the constituent themselves.
- Not transferred outside of the EEA; This is highly unlikely to affect the work we do within our offices but must be considered nonetheless particularly if we are considering using software for processing data such as caseworker.mp which may be based outside the EU. If considering using software the Office Manager must be consulted as the GDPR/Data Protection officer.
Further details about our responsibility in terms of data protection and GDPR within the office can be found on the Parliamentary Intranet here;