Data Protection Act 1998: Guidance for Cabinet Office Staff
Standards and Best Practice Handbook for Government Departments
16. Handling Letters from MPs and Other Elected Representatives
Issue
1. From time to time an MP,
councillor or other elected representative may contact a government
department about a constituent, and any reply would involve disclosing
personal data held by the department about that constituent (data subject).
Before such data can be processed (disclosed), as well as the processing
being fair and lawful, at least one of the conditions in Schedule 2 must be
met. In practice, where non-sensitive personal data is concerned, it will
usually be safe to assume that consent has been given and that condition 1
has been met.
2. Where sensitive personal data is concerned, the Data Protection Act 1998
prohibits the processing of such data unless one of the conditions set out
in Schedule 3 to the Act or in subordinate legislation made under paragraph
10 of Schedule 3 applies. Sensitive personal data comprise information
about an individual’s:
-
racial or ethnic origin;
-
political opinions;
-
religious beliefs;
-
trade union membership;
-
health;
-
sexual life;
-
criminal activity.
3. Where an MP has been asked by a constituent to contact a department on
his behalf, and where sensitive personal data might be disclosed in any
reply, in many cases the only way in which such processing could take place
would be if the individual concerned had given his or her explicit consent.
While a requirement to seek explicit consent constitutes a good data
protection safeguard for the individual concerned, it can sometimes cause
difficulties in practice (for example, if urgent action is needed).
4. In order to overcome the above difficulty in disclosing sensitive
personal data to MPs and other elected representatives, the Data Protection
(Processing of Sensitive Personal Data) (Elected Representatives) Order
002: (SI 2002 No.2905) was brought into force on 17 December 2002. It does
two things:
-
it provides a condition allowing elected representatives, as defined in
the above Order, to process sensitive personal data when dealing with
requests from individuals without the need to seek explicit consent;
-
it provides a condition allowing third parties (including government
departments) to disclose sensitive personal data to elected
representatives who are acting at the request of individuals, again
without the need to seek explicit consent.
Standards
5. Where a letter is received from an MP, councillor or other elected
representative and a reply would not disclose sensitive personal data,
consent to disclose the personal data can normally be assumed. Where a
reply would require the disclosure of sensitive personal data to an elected
representative in circumstances set out in the above Order, the disclosure
will be legitimate under Schedule 3. The representative’s statement that he
is acting on behalf of his constituent should be accepted. If, however,
there is any doubt about the identity of the person purporting to be the
representative, he may be required to verify his identity, in accordance
with a department’s normal procedures.
Recommended best practice
6. Where an MP or other elected representative approaches a department on
behalf of a constituent, it should usually be assumed that he is acting
with the consent of his constituent. A representative may, however, still
be required to verify his identity. Where the letter is, for example, on
House of Commons or local authority headed paper, and the reply is to be
sent to that address, it can usually be assumed to be genuine. Similarly,
if it is from a constituency office, or from a home address, which are
already known to the department, it can usually be assumed to be genuine.
If the letter is from a known address, but is asking for a reply to be sent
to a different and unknown address, or the letter looks suspect, further
enquiries may be necessary in order to ensure that, for instance, a
fraudulent request has not been made on forged or stolen headed paper.
7. Where the letter has not been signed by the representative personally,
but by a secretary, or other assistant, provided that the factors in the
preceding paragraph have been taken into consideration, it can be assumed
that the secretary is acting on behalf of the representative and it should
be dealt with in the normal way.
8. When an elected representative contacts a department about a
constituent, and a reply will disclose sensitive personal data about that
constituent, the data may be disclosed, provided that any other necessary
conditions have been met. When an elected representative contacts a
department about a constituent, and a reply will disclose sensitive
personal data about a third party, if there is a valid reason why the third
party’s consent cannot be obtained, as set out in paragraph 6(e) of the
Schedule to the Order, the data may be disclosed, provided that any other
necessary conditions have been met. The request need not be made in writing
but, especially if a request is made by telephone, care should be taken in
verifying the identity of the caller before sensitive personal data is
revealed. A caller alleging he is an elected representative may be asked
questions to which an impostor is unlikely to know the answers.
Alternatively, a department may take a query over the phone, but call back
to a known telephone number, or write to a known address.
9. Question and Answer guidance on the effects of the Data Protection
(Processing of Sensitive Personal Data) (Elected Representatives) Order
2002: (SI 2002 No.2905) is attached as an annex to this section as 16A.
16A The Data Protection (Processing of Sensitive Personal Data) (Elected
Representatives) Order 2002: (SI 2002 No.2905)
Question and Answer Guidance
1. Does the order compel Departments to provide sensitive personal
data?
No. The order allows Departments to provide sensitive personal data. It
does not require them to do so.
2. Which elected representatives does the Order cover?
It applies to
-
Members of the House of Commons (but not the House of Lords);
-
Members of the Scottish Parliament, the National Assembly for Wales and
the Northern Ireland Assembly;
-
Members of the European Parliament elected in the UK;
-
elected members (but not co-opted members) at all tiers of local
government throughout the UK;
-
elected mayors and elected members of the London Authority.
The order applies to them only when they are carrying out their functions
as elected representatives. It does not apply in relation to any contact
that they might have with Departments in their personal capacity.
3. What happens when an election is called?
Departments can continue to rely on the order in dealing with elected
representatives’ requests for as long as the order continues to apply to
the elected representative in question. When an election is called, the
order continues to apply to all elected representatives throughout the
pre-election period. It also continues to apply after the election to those
who are re-elected. In the case of those who are not re-elected, the order
will cease to apply at the end of a short period after the election. The
periods are as follows.
-
Members of the House of Commons, the Scottish Parliament and the Northern
Ireland Assembly: The order ceases to apply at the end of the fourth day
after the day on which the general election is held.
-
Members of the National Assembly for Wales: The order ceases to apply at
the end of the fourth day after the day on which the ordinary election is
held.
-
UK Members of the European Parliament: The order ceases to apply at the
end of the day before the opening of the first session of the European
Parliament following the general election.*
-
Elected members of local authorities and elected Mayors (other than the
Mayor of London and members of the London Assembly): The order ceases to
apply to elected representatives, except Chairmen and Vice-Chairmen of
Committees, on the fourth day after the election. It applies to Chairmen
and Vice-Chairmen of Committees until they are replaced following the
Council’s first annual meeting after the election.*
-
The Mayor of London and members of the London Assembly: The order ceases
to apply at the beginning of the second day after the day on which the
last of the successful candidates at the ordinary election is declared to
be returned.*
-
Elected members of the Common Council of the City of London: The order
ceases to apply at the end of the fourth day after the day on which the
Wardmotes are held.
* These periods are not expressly mentioned in the order. The substantive
legislation applying to the elections in question has the effect stated.
4. What happens if an elected representative loses his/her seat
while a request is outstanding?
If Departments receive requests shortly before an election, they should
make every effort to send the substantive reply before the election takes
place. Elected representatives who lose their seats are covered by the
order only for a short time after an election (see above). If substantive
replies cannot be prepared in time for them to reach the former elected
representative within that period, they should not be sent to him or her.
They should only be sent to the outgoing elected representative’s successor
if Departments have been informed that the outgoing elected representative
has asked the successor to take on the case. In such a case the order will
apply as normal. In other cases Departments should follow their normal
procedures for dealing with outstanding correspondence from former elected
representatives, but no sensitive personal data should be disclosed without
the individual’s explicit consent.
5. What conditions does the order impose?
Under the order Departments may only disclose sensitive personal data to an
elected representative in response to a request from him or her where
-
the elected representative is dealing with a request from an individual;
-
the data are relevant to the elected representative’s request to the
Department; and
-
the disclosure of the data is necessary to respond to the elected
representative’s request.
There is an extra condition where the disclosure is of sensitive personal
data of an individual other than the one who made the request to the
elected representative (ie a third party). In such cases the disclosure can
only be made
-
where the third party cannot give explicit consent;
-
where the Department cannot reasonably be expected to obtain the third
party’s explicit consent;
-
because seeking the third party’s explicit consent would prejudice the
action taken by the elected representative; or
-
in the interests of another individual (including the individual who made
the request to the elected representative) where the third party’s
explicit consent has been sought and has been unreasonably withheld.
6. Are there any special considerations when the elected
representative seeks sensitive personal data of third parties?
These cases are especially delicate and require particularly careful
handling. Departments will wish to pay particular attention to the elected
representative’s reasons for seeking the sensitive personal data of
somebody other than the person who has sought the elected representative’s
help. If there is uncertainty, Departments should seek more information
from the elected representative.
If Departments are uncertain in a particular case whether any of the extra
conditions relating to sensitive personal data of third parties applies
(see Question 5) they should seek legal advice.
7. Do Departments need to seek the individual’s consent to the
disclosure of his or her sensitive personal data to the elected
representative?
No. The purpose of the order is to ensure that sensitive personal data can
be disclosed without seeking the individual’s explicit consent. But it does
not mean that Departments must not seek consent. It is for Departments to
decide whether to check with the individual concerned that he or she is
content for his or her sensitive personal data to be disclosed. That would
be a good data protection safeguard. But the order means that checking is
not essential. For example, if the time taken to do the check would mean
that an important deadline was missed, or checking would otherwise cause
problems for the constituent or another person, the order allows the data
to be disclosed without a check.
NOTE: The order does not override the law of confidence.
It may be necessary to seek the individual’s consent to the disclosure if
confidential information is involved. See Question 11 below.
8. Do Departments still have to comply with the rest of the data
protection principles?
Yes. Meeting one of the criteria for processing sensitive personal data is
only one of the requirements of the data protection principles. Departments
wishing to disclose sensitive personal data to elected representatives also
have to comply with all the other requirements. In particular, Departments
must ensure that making the disclosure is fair and lawful, and not
incompatible with the purpose for which they hold the data.
9. Does the order create a new power for Departments to disclose
sensitive personal data?
No. The order does not affect the general rule that Departments may only do
things that they have power to do under statute or at common law. If no
such power exists, they may not disclose sensitive personal data, despite
the existence of the order. This is a complex area of law. If Departments
are in any doubt they should seek legal advice.
10. How does the order affect subject access?
It does not affect the normal rules on subject access. An individual may
ask somebody else, including an elected representative, to exercise his or
her subject access right on his or her behalf. If an elected representative
makes a subject access request on behalf of another individual, Departments
should treat it according to the normal rules that apply to such requests.
11. Does the order override the law of confidence* or any other
legal restriction on disclosure?
No. The order does not affect the law of confidence in any way. Where
sensitive personal data are held subject to a duty of confidence, they may
only be disclosed without the express consent of the individual concerned
if there is a legal requirement to make the disclosure or if the disclosure
would be in the overriding public interest. Departments must also continue
to respect fully any other legal restriction on disclosure that applies in
a particular case. If Departments are in any doubt whether the law of
confidence or any other legal restriction on disclosure applies in a
particular case, they should seek legal advice.
* NOTE: The law of confidence can apply to any information, not just
personal data. It is a complex legal concept, but broadly it applies where
-
the information itself is of a confidential nature and is not publicly or
generally available; and
-
the circumstances in which the information is disclosed from one person
to another impose on the person receiving the information a duty to
respect the confidence (eg if the discloser says the information is not
to be disclosed to anyone else).
12. How do Departments know that the elected representative is
acting at the request of another individual?
If the elected representative says that he or she is asking for information
on behalf of someone else, Departments should normally be able to take the
elected representative’s word for it. The elected representative may often
provide a letter or other form of written “mandate” from the individual.
But there is no requirement for the individual to put the request to the
elected representative in writing, and getting a written mandate may not
always be possible. For example, in urgent cases the individual’s approach
to the elected representative may have been made by telephone. If
Departments are in particular doubt, they may wish to check the position
with the individual.
13. Does the elected representative have to make the request to the
Department in writing?
No, but Departments will need to satisfy themselves that the person making
the request to them is an elected representative. Departments are
experienced in dealing with requests from elected representatives made in
various forms. Requests involving the disclosure of sensitive personal data
should be dealt with in accordance with Departments’ normal procedures.
14. Must elected representatives always make requests to
Departments themselves?
No. The order allows requests to be made by, and disclosures to be made to,
both elected representatives themselves and people acting with their
authority. For example, this would cover members of the elected
representatives’ staff. Departments are experienced in dealing with
requests made on behalf of elected representatives. Requests for sensitive
personal data from people other than the elected representatives
themselves, should be dealt with in accordance with Departments’ normal
procedures.
15. Does the order allow Departments to disclose sensitive personal
data received from elected representatives to another public authority in
order to deal with the elected representatives’ requests?
No. But one of the other conditions provided by Schedule 3 to the 1998 Act
or the Data Protection (Processing of Sensitive Personal Data) Order 2000
might be relevant. For example, paragraph 7 of Schedule 3 relates to
processing which is necessary for statutory or Departmental purposes.
Data Protection Handbook [PDF, 710KB]
[Top]
