Personal information charter

This privacy notice explains how the Committee on Standards in Public Life uses the personal information of members of the public.

This privacy notice is provided so that you know how your personal information is acquired, processed, stored, transferred and, if possible, deleted.

All members of the Secretariat and Committee will comply with this privacy notice.

The Secretary to the Committee will ensure that all personal data is handled in accordance with information handling policies and the practices explained in this privacy notice.

This privacy notice will be updated from time to time and new versions published on our website.

Committee on Standards in Public Life Privacy notice

Introduction

This privacy notice explains how the Committee Secretariat (‘the Secretariat’) and members of the Committee on Standards in Public Life use (‘process’) the personal information (data) of members of the public. This notice is provided so that you know how your personal information is acquired, processed, stored, transferred and, if possible, deleted.

Types of personal data processed by the Secretariat

The nature of the information we may hold about you may include:

  • names, addresses, telephone numbers, email addresses and other contact details;
  • personal opinions or experiences about matters responding to consultation criteria for various public inquiries conducted by the Committee and its Secretariat;
  • professional titles and role descriptions where applicable;
  • biographies and details of current and past work and employers, where applicable;
  • correspondence with the Secretariat and Committee members;
  • images (where applicable), if taken at our events for the Committee’s blogs and social media sites.

The legal basis for processing your personal data is ‘public task’.

Processing is necessary for the legitimate interests of the performance of a task carried out in the public interest or in the exercise of official authority vested in the Committee on Standards in Public Life as the data controller.

Applicable sensitive personal data we may hold is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person.

The legal basis for processing your sensitive personal data is:

  • It is necessary for reasons of substantial public interest for the exercise of a function of a public authority; and
  • It is necessary for historical research or statistical purposes, and it is in the public interest.

Why the Secretariat needs to process personal data

The Secretariat needs to process personal data as part of the Committee on Standards in Public Life’s remit and its duties carried out in the public interest.

The Secretariat anticipates the following uses fall within the category of its legal bases for processing your personal and sensitive information:

  • in relation to public consultations;
  • in relation to general inquiries related to the Committee’s work;
  • to enable understanding of the Committee’s work programme;
  • to give notice of forthcoming events;
  • to make use of (agreed and where applicable) photographic images on the Committee’s blog and social media sites;
  • where otherwise necessary for the purpose of the work of the Committee.

How the Committee Secretariat collects data

This may be via post, or email, by telephone or in person.

Who has access internally and sharing with third parties

Information collected by the Secretariat is held on a secure server hosted and controlled by the Cabinet Office. The contracts for these systems are managed by the Cabinet Office and the Cabinet Office is the ‘data controller’ for the information on these IT systems.

We will share some personal data with our self-employed Press Officer for the purpose of promotion of the Committee’s work in the media and on social media sites. The Secretariat is considered the ‘data controller’ of all personal information passed to the Press Officer, and policies governing the use, storage, transmission and deletion of all personal information by the Press Officer are set out in the contract for service.

Under the new regulations, all suppliers with whom the Secretariat enters into a contract are severally liable for data breaches arising from their own processing of personal information.

The Secretariat will also share some personal data with our stakeholder organisations for the purpose of promotion of the Committee’s work, for example, in speeches, seminars and roundtables. These organisations are all separately bound by the new regulations.

How the Secretariat stores the data and how long we keep the data

We will store your data electronically.

The Secretariat will keep a Personal Data Processing Record setting out who is responsible for the personal data processing; for what purposes the personal data are being processed; the nature of the processing; which categories of data subjects the processing relates to; which categories of personal data are being processed; with whom the personal data is shared; how long we intend to keep the data; the legal grounds for processing the data; any special categories of personal data; the organisational measures in place for protecting the personal data; and who is processing the data on servers and in our email software hosted by the Cabinet Office. This will be available to the Information Commissioner on request.

We will take available technical and organisational steps to ensure the security of personal data, so that the personal data are appropriately protected against loss, destruction or unauthorised access. The Secretariat will take advice from the IT and/or security team as necessary, e.g. if we are unsure if an application or process is secure. We ensure new staff receive relevant training on our data processing policies and procedures.

The Secretariat retains personal data securely and only for as long as it is necessary to keep it for a legitimate and lawful reason.

Please contact the Secretariat to the Committee if:

  • you have any specific queries about how our retention policy is applied; or
  • you do not regard our policies as applying to your information any longer; or
  • you consider the information we hold about you to be inaccurate or in need of completion or rectification; or
  • you wish to request that your personal data be deleted from our records (to the extent that is practicable and otherwise lawful).

Some information will be kept for archiving purposes. Archived personal information will not be accessed regularly and is kept to fulfil other legal obligations of the Secretariat, or of Committee members individually or collectively.

Breaches of personal data

In the event of a personal data breach (emails, social media, documents or equipment) we will keep a record of the breach and we will inform our appointed Data Protection Officer (DPO) who will, if appropriate, notify the Information Commissioner’s Office (ICO) within specified timelines. In the event we are unable to contact our DPO and the Secretariat is aware of a notifiable data breach, the Secretariat will separately make a report of the breach to the ICO within 72 hours, if required and feasible.

Under separate and existing obligations, in the event of a data breach we will also notify the Cabinet Office Security and IT Security Units.

If we think a breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also make every effort to inform those affected individuals without undue delay.

The Committee’s Data Protection Officer can be contacted at: Mr Stephen Jones, Cabinet Office, 70 Whitehall, London, SW1A 2AS, email: dpo@cabinetoffice.gov.uk

Your rights

As the owner of the personal data, you have a right to request:

  • information about how your personal data are processed;
  • that any inaccuracies in your personal data are rectified without delay and incomplete personal data are completed, including by means of a supplementary statement;
  • that your personal data are erased if there is no longer a justification for them to be processed;
  • in certain circumstances (for example, where accuracy is contested) that the processing of your personal data is restricted;
  • to withdraw consent to the processing of your personal data at any time;
  • a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.

All Secretariat members will be responsible for ensuring we respond promptly to requests from Committee members exercising these rights.

Queries and Complaints

If you have any queries about this privacy notice, wish to make a data subject request to the Secretariat or wish to discuss the Secretariat’s data protection obligations, please contact:

Secretary to the Committee on Standards in Public Life, 1 Horse Guards Road, London, SW1A 2HQ, tel: 020 7271 2948, email: public@public-standards.gov.uk

Our Data Protection Officer: Mr Stephen Jones, Cabinet Office, 70 Whitehall, London, SW1A 2AS, email: dpo@cabinetoffice.gov.uk

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Tel: 0303 123 1113 or casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Use of terms in this privacy notice

We have provided some of the meanings of the terms used in this notice below to ensure that the above information is unambiguous. These terms are based on guidance from the Information Commissioner’s Office.

Controller – a person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Only controllers need to pay the data protection fee.

Processor – a person, public authority, agency or other body which processes personal data on behalf of the controller.

Data protection officer – Under the GDPR, some organisations need to appoint a data protection officer who is responsible for informing them of and advising them about their data protection obligations and monitoring their compliance with them.

Data subject – the identified or identifiable living individual to whom personal data relates.

Member of staff – any employee, worker (within the meaning given in section 296 of the Trade Union and Labour Relations (Consolidation) Act 1992), office holder or partner.

Personal data – any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Processing – in relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

Public authority – means a public authority as defined by the Freedom of Information Act 2000 or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002.