Definitions

·      Personal data means information about a living individual who can be identified from the information. If information is anonymous and an individual is not recognisable, it is not personal data.

·      Special category data is personal data that is sensitive and needs extra protections. The special categories of personal data are race, ethnic origin, political opinion or affiliation, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

·      Processing means everything done with personal data such as collecting, storing, sharing, deleting, archiving, etc.

·      Controller means the person or organisation who is the main decision-maker in relation to personal data. They have overall control and a responsible for compliance with the law.

·      Data subject means the individual to whom personal data relates.

Details of controller and how to contact them

·      The controller is Dr Lauren Sullivan MP.

·      The controller can be contacted: by post at House of Commons, London SW1A 0AA; by telephone on 020 7219 1448; by email at lauren.sullivan.mp@parliament.uk

Categories of personal data that will be collected

·      Information supplied by my constituents and others in relation to matters which I have been asked to pursue in the interests of individuals and groups who live in my constituency.

·      This includes, but is not limited to: contact details for the constituent; sensitive and non-sensitive personal data in connection with constituency casework (including ‘special category data’ – see definitions); information provided by signatories on petitions; responses to questionnaires; statistical data on the type and number of cases processed for monitoring processes; contact details for the purpose of communicating news and updates.

Reasons for collecting and using personal data

·      To take up, action and respond to casework on constituents’ behalf.

·      To consult constituents on local and national issues and seek their views.

·      To advise about local events and campaigns.

·      To inform constituents about my work.

·      To process employee data for the purposes of employment contracts.

Lawful basis for processing personal data

·      The processing of personal data is necessary for a public task in my role as MP; or

·      the processing is necessary for my legitimate interests as an MP; or

·      the individual has given consent to the processing; or

·      the processing is necessary for the performance of a contract.

Who I share personal data with

·      Only those organisations and bodies with whom it is necessary in accordance with the lawful basis for the processing of the data (see above), such as:

·      Government departments.

·      Local authorities and other public bodies such as the NHS, police etc.

·      Foreign embassies and consulates.

·      Private organisations such as charities.

Transfers of personal data to or from any international organisations outside the European Economic Area (EEA)

·      It may be occasionally necessary to transfer personal data to or from countries outside the EEA.

·      In many instances, such a transfer will be covered by an ‘adequacy decision’.

·      If the country is not covered by an adequacy decision, I will inform you of the safeguards in place to protect your information.

Retention period for personal data

·      Data protection law does not set out a specific framework for how long to retain personal data.

·      I do not keep personal data any longer than it is needed.

·      I will not keep personal data longer than six years from the time it is processed.

Your rights over your data

·      You have certain rights over what I do with your data.

·      The right to be informed about how I collect and use your personal data.

·      The right of access to a copy of your personal data (by making a ‘subject access request’ to my office).

·      The right to rectification of any personal data which is inaccurate or incomplete.

·      The right to erasure of your personal data.

·      The right to restrict processing or to suppress your personal data.

·      The right to data portability, meaning you have the right to request personal data you have provided is sent to you in a way that is structured, commonly used and machine readable. You also have the right to request that I transmit this data directly to another controller.

·      The right to object to the processing of your personal data, in certain circumstances.

·      Rights related to automated decision making including profiling. (I do not use such tools, nor do I plan to; if that were ever to change, I would provide details of the process and envisaged consequences of any such decision.)

·      These rights are exercised by you via this privacy notice and/or by making a request to me as the controller as per my contact details above.

Right to withdraw consent

·      When a constituent contacts me for a reply or assistance, consent will be implied at the point of contact for the processing of the constituent’s personal data (see lawful basis for processing data).

·      Special category data (see definitions) requires an additional condition as a lawful basis for processing – either that processing is necessary for reasons of substantial public interest (this includes responding to constituent casework), or that the individual has given explicit consent for processing such data, or that the data is necessary for employment purposes.

·      You have the right to withdraw your consent for the processing of your personal data if you so choose. Please be aware that there may, however, be another lawful basis for the processing of your data.

Right to lodge a complaint with the supervisory authority

·      Individuals have the right to complain to the controller (see definitions) and the UK regulator, which is the Information Commissioner's Office (ICO). The ICO has powers to investigate compliance and enforce data protection law.

·      If you are unhappy about the use of your personal data, you can contact the ICO online at ico.org.uk/make-a-complaint or via their helpline on 0303 123 1113. 

Data breaches

·      Procedures are in place to detect, report and investigate a personal data breach. 

·      The ICO will be notified if the data breach is likely to result in a risk to the rights and freedoms of individuals.

·      I will also notify those concerned directly if the breach is likely to result in a high risk to the rights and freedoms of individuals.