Data Protection and Privacy Policy
This document outlines how Paul Scully MP MP for the Sutton and Cheam Constituency processes and manages personal data and:
- Identifies the data controller.
• Provides the lawful basis for processing personal data.
• Outlines the scope of personal data held and processed.
• Outlines the scope of the special category personal data held and processed.
• Outlines the process of Subject Access Requests.
• Contains a copy of the privacy notice.
The policies outlined within this document came into effect on Friday 25th May 2018.
- Data Controller
The Data Controller is Paul Scully MP MP for the Sutton and Cheam Constituency
- Contacting us about Data Protection:
If you have any questions about this policy or for more information about how we use your data or would like to exercise any of your rights you can contact our Data Protection Officer (where applicable) using the contact details on this website. - Lawful basis for processing
Casework, campaigning and communication is processed under the lawful basis of a task carried out in the public interest, to support or promote democratic engagement. We also may have a legitimate interest to process your data. Exceptional cases may also be processed under the lawful basis of consent.
The office undertakes to always act within the reasonable expectations of constituents and any other individuals about whom we hold personal data.
- Conservative Associations
Conservative Associations are a part of the Conservative and Unionist Party, commonly known as the Conservative Party (The Party). As such they are a part of the “wider Conservative party” referred to in the Privacy Notice published on the national party’s website, and this Privacy Notice should be read in conjunction with that, available at www.conservatives.com/privacyand we process data and comply with the standards as set out in that policy.
We undertake our own local campaigning and fundraising activities, and for these we are the data controller. For membership matters and some campaigning we are a data processor acting on behalf of the Party.
For further information about the information we collect, our legal basis for processing it, and who we share it with, please go to www.conservatives.com/privacy
Associations with elected representatives and (prospective) candidates may process some casework data on behalf of their elected representative and candidates in so far as messages received by an association or candidate may need to be passed on. Any data processed will be processed in accordance with Section 11 of this Privacy Notice.
This Section applies where the privacy notice appears on the website of a registered Conservative Association.
If you are unhappy with the way that an Association has processed or handled your data then you have a right to complain to our Party Headquarters:
Compliance Department
Conservative Campaign Headquarters
4 Matthew Parker Street
London
SW1H 9HQ
compliance@conservatives.com.
020 7984 8005.
- Data sources
Data held is that provided by constituents when they contact this office and correspondence with third parties in response to cases taken up. We may also use the Register of Electors for the constituency, which councils provide to elected representatives under the Representation of the People Act for electoral purposes only.
- Data held
Personal data is stored electronically and securely in offices that are locked when unattended. We ensure that our service providers comply with the same high standard that we do, including complying with the Privacy Shield Framework for data transferred outside the EEA.
Casework records predominantly include but are not limited to:-
- Names, addresses and email addresses;
• Telephone numbers;
• National Insurance numbers and Passport numbers;
• Special category data (outlined in section 4).
Policy campaign records predominantly include but are not limited to:-
- Names, addresses and email addresses;
• Telephone numbers;
• Special category data on political beliefs.
Mailing list records predominantly include, but are not limited to:-
- Names, addresses and email addresses;
• Telephone numbers;
• Special category data on political beliefs.
If you contacted us via electronic means, we also collect further information, such as the IP address of your computer, which we will only access if legally required to do so.
- Special category data
The office may hold special category data for a smaller number of data subjects. This data will be processed under the lawful basis indicated in section 2, as is permitted in clauses 23 and 24 of schedule 1 of the Data Protection Act. The data may include all the types of special category data set out in the Data Protection Act.
- Transferring your data outside of the European Economic Area
Some service providers are located outside of the European Economic Area (EEA) and therefore it may be necessary to transfer your personal data outside of the EEA. Where The Office does transfer your data outside of the EEA we will make sure that it is protected in the same way as if the data was inside the EEA.
We will use one of the following safeguards to ensure this:
• Where the European Commission has issued an adequacy decision determining that a non-EEA country or organisation ensures an adequate level of data protection.
• A contract is put in place with the recipient of the data obliging them to protect the data to the same standards as the EEA.
• The transfer is to an organisation that complies with the EU-US Privacy Shield.
The Office is not permitted to transfer certain types of data, such as Electoral Register Data, outside of the EEA.
- Data retention policy
Personal data will be held for no longer than we deem necessary, and for no longer than we specify in our data retention policy. Some types of data may be held for longer than others.
- Subject Access Requests
The office will comply with Subject Access Requests in line with the guidance given by the Information Commissioner’s Office (ICO):
• We will respond as quickly as possible, within 30 calendar days.
• We will request verification of the identity of any individual making a request, and ask for further clarification and details if needed.
• Data subjects have the right to the following:
o To be told whether any personal data is being processed
o To be given a description of the personal data, the reasons it is being processed and whether it will be given to another organisations or people.
o To be given a copy of the information comprising the data, and given details of the source of the data where this is available.
- Privacy notice for Casework and Policy Queries
This privacy notice relates to the personal data processed by the Office of Paul Scully MP MP for the Sutton and Cheam Constituency, in relation to casework and policy queries.
Who is the Data Controller?
The Data Controller is Paul Scully MP MP for the Sutton and Cheam Constituency.
How do we process data?
This office processes constituents’ data under the lawful basis of public task or legitimate interest, depending on the matter raised by the constituent. In instances where this lawful basis is not sufficient and explicit consent is required, a member of the office will contact you to establish your consent.
We may use your data to contact you with a non-political newsletter under the lawful basis of public task. Additionally, if we have your consent, we may use your data to contact you with a political newsletter.
Will we share your data with anyone else?
If you have contacted us about a personal or policy issue, the office may pass your personal data on to a third-party in the course of dealing with your enquiry, such as local authorities, government agencies, public bodies, health trusts, regulators, and so on. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only for the basis upon which they were originally intended.
We may need to share your data with a third party, such as the police, if required to do so by law.
Only data collected by Conservative Party associations, federations, branches, groups and affiliates may be shared with the wider Conservative family.
In any case, we will not use your personal data in a way that goes beyond your reasonable expectations in contacting us.
How long will you keep my personal data?
Unless specifically requested by you, the office will hold personal data for the duration of our data retention policy. If required for legal purposes data will continue to be held irrespective of a request to erase.
What rights do I have to my personal data?
At any point while the office is in possession of, or processing personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing, such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
• Right to judicial review: if our office refuses your request under rights of access, we will provide you with a reason why. You have the right to complain.
How can I contact somebody about my privacy?
If you have any questions about the data held please contact Paul Scully MP MP for the Sutton and Cheam Constituency via the contact information on this website.
Please note that we will ask for identification should you choose to exercise any of the above rights in relation to personal data we hold.
This website itself is supported technically by WordPress, whose own Privacy Policy that can be found here: https://automattic.com/privacy.
We retain the right the right update this policy at any time. If there are changes that significantly impact your rights, we will contact you in advance.
- Making a complaint
If you are unhappy with the way that we have processed or handled your data then you have a right to complain to the Information Commissioner’s Office (ICO). The ICO is the supervisory body authorised by the Data Protection Act 2018 to regulate the handling of personal data within the United Kingdom.
The contact details for the Information Commissioner’s Office are:
- Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
• Telephone: 0303 123 1113
• Website: https://ico.org.uk/concerns/