Fair Processing Notice

This notice sets out our purposes for processing personal data, and our lawful bases for doing so.

It also explains your rights in relation to that processing, the types of personal data that we process, who we might share your data with, and how long we retain your data for.

For the purposes of Data Protection Legislation, IPSA acts as Data Controller.

The information that we use (‘’process’’) includes both “personal data” and “special category personal data”. 

Personal data is any information from which someone can be identified, whilst “special category personal data” refers to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or data about a person’s sex life or sexual orientation.

Financial data is considered to be personal data, but not “special category personal data”.

MPs and their Staff

We process personal data relating to MPs and their staff. 

We do so to fulfil our statutory functions, where this is necessary in the public interest, or in very limited circumstances where the processing is in our Legitimate Interests, and provided that those interests are not overridden by your rights.

Personal data will be collected throughout the relationship with IPSA, and may in certain circumstances, be shared with third parties with whom we have a relationship, but only where we have a lawful basis for doing so.

Third-party complaints and enquiries

We will gather relevant contact information, as well as any additional information that we may require from you, to enable us to handle complaints or enquiries.

Complaints or enquiries dealt with by us will be conducted in the exercise of our statutory functions, or where there is a clear public interest.

Website visitors

For website visitors, we will collect the computer information necessary to ensure effective website access and use, security as well as performance, ensuring that our systems work as intended. Information that may be collected includes metrics, routing and cookies.

We have a separate Website Privacy Policy.

Our workforce

We process employee personal data which is described in a separate Human Resources privacy notice.

We will seek consent before processing in all circumstances where this is required.

The General Data Protection Regulation affords you enhanced rights in relation to the processing of your personal data.

You are entitled to:

• obtain a copy of your data, with a description of processing ("subject access request")

• have inaccurate or out of date information corrected

• object to the processing of personal data

• restrict the processing of personal data (where contested or to prevent loss)

• have your personal data erased (in limited circumstances)

• prevent direct marketing

• prevent fully automated decision making and profiling

• have your personal data transmitted to another organisation

In addition to these Rights, where consent is our lawful basis for processing your personal data, then you may withdraw this at any time by writing to us.

Data Subjects’ Rights are not absolute, and there may be circumstances where we cannot comply with a request. In these circumstances, we will write to you to explain why.

We are committed to protecting the personal data we hold, and in this regard, have implemented a layered security approach to our systems.

This includes the implementation of the latest network security standards.

As part of our processes, we have implemented "Privacy by Design" across the organisation, ensuring that Privacy is considered as part of everything that we do and in particular, ensuring that:

• appropriate access controls are applied to all our information

• appropriate risk assessments are conducted

• our staff receive appropriate Data Protection and Information Security training.

We also continue to work with our suppliers to ensure that they meet our standards.

Systems we use

IPSA uses a Customer Relationship Management system (CRM) for case handling. In addition to this, we use dedicated systems to process Human Resources and Payroll-related data.

Personal data held on these systems will include at least:

• contact details and home addresses

• contracts

• work patterns

• bank details

• receipts and invoices

IPSA may process data in relation to benefits and allowances.

IPSA Online

IPSA Online enables MPs and their staff to check the accuracy of, or update their data, to raise requests, or to track their budgets.

IPSA Publication Scheme

Our Publication Policy requires that we publish certain personal data relating to MPs’ business costs and expenses.

There will be times when we share your information with other organisations.  In these circumstances, we will only do so when we are sure there is respect for your rights, and that your data is secure.

We have a number of data-sharing agreements in place with the House of Commons, with whom we work closely on matters related to our statutory functions. They provide HR and pension-related support to IPSA, MPs and their staff.

We may instruct third party data processors to act on our behalf and in accordance with our instructions. These processors may include information technology support, payment providers, communications platforms, archiving partners, benefits providers, consultants or other third parties commissioned to work on projects.

We will only share personal data where we have appropriate contractual terms in place to ensure that data is adequately protected and that the processor complies with data protection legislation.

We may also share complaints with other investigating bodies or third party organisations to enable us to investigate and resolve matters, although we will only share relevant data where it is necessary for us to do so, where we are obliged to do so by court order or by law, or where there are other clear public interest considerations.

IPSA sends out a weekly news bulletin by email. This bulletin contains important information to help you carry out your role and includes information relating to payroll and publication data, HR changes and events. There may also be other times when we need to communicate with you.

You may unsubscribe from our communications at any time. However, even if you do unsubscribe, there may be circumstances where we will still need to contact you separately to provide you with information or updates that are likely to be of importance to you or have an impact on your work.

We will only process personal data for as long as it is necessary to fulfil our functions and in accordance with the purposes for which collected the data.

We are required to retain certain types of data (such as employment-related data) for minimum periods in accordance with other statutory requirements.

Personal data is deleted from our systems in accordance with our retention and deletion schedules.

Our Data Protection Officer is responsible for all matters relating to data protection. They can be contacts:

• by email to privacyrights@theipsa.org.uk

• by post to IPSA Data Protection, 2nd Floor, 85 Strand, London WC2R 0DW

If you wish to exercise your rights or have questions, please write to the Data Protection Officer in the first instance.

If you do contact us, please include your name, organisation, full address, and telephone (if possible), and clearly set out your questions or concerns. We aim to respond within a calendar month although this will depend on the nature and complexity of the enquiry.

If we are unable to help and you wish to complain, then you should contact the ICO.

They can be contacted via their helpline telephone number: 0303 123 1113 or for additional contact options, you may wish to visit their website.

for more information, visit Complaints and feedback.