This document outlines how the Office of Justin Tomlinson MP processes and manages personal data.
It:
-
Identifies our data controller;
-
Provides our lawful basis for processing personal data;
-
Outlines the scope of personal data we hold and process;
-
Outlines the scope of the special category personal data we hold and process;
-
Describes and justifies our data retention policy;
-
Shows how we intend to respond to Subject Access Requests;
-
And contains a copy of our privacy notice
The policies outlined within this documentation come into full effect on Friday 25th May 2018.
-
Data Controller
Justin Tomlinson MP is the data controller.
-
Lawful basis for processing
-
Casework is processed primarily under the lawful basis of public task, with exceptional cases processed under the lawful basis of consent.
-
Personal data contained in the Justin Tomlinson MP Email Mailing List is processed with consent for the purposes of communication and campaigning.
-
We undertake to always act within the reasonable expectations of our constituents and any other individuals about whom we hold personal data.
-
Data we hold
As of the 25th May 2018 - when the regulations came into force - the office holds information on 3184 number of constituents.
We operate a paperless office. Personal data is stored electronically and securely on our computer systems. Our systems are in offices which are locked when unattended.
Casework:
The Office uses a Content Management System application, Cross Reference, to help with the management of constituent casework records. Casework can also be stored in a folder system on Microsoft Outlook, and a folder system in Windows. This information predominantly includes but is not limited to:
-
Names, addresses and email addresses
-
Telephone numbers
-
National Insurance numbers and Passport numbers
-
Special category data, outlined in point 4
Policy:
The Office uses a Content Management System application, Cross Reference, to help with the management of constituent casework records. Casework can also be stored in a folder system on Microsoft Outlook, and a folder system in Windows.
This information predominantly includes but is not limited to:
-
Names, addresses and email addresses
-
Telephone numbers
-
Special category data on political beliefs
Mailing Lists:
The Office also maintains a mailing list of email addresses. These subscribers receive Justin’s monthly e-newsletter and information about his activities as the MP. Personal data we hold in this regard includes:
-
Names and email addresses
This data is collected through consent for the purposes of communication and campaigning. We never share this data with a third party.
-
Special category data we hold
The Office may also hold special category data for a smaller number of data subjects. This data will be processed under the lawful basis indicated in point two, as is permitted in clauses 23 and 24 of schedule 1 of the Data Protection Act. The data may include:
-
Political Opinions
-
Religious Beliefs
-
Trade Union activities
-
Race and ethnic origin
-
Details of criminal offenses
-
Physical and mental health
-
Sexual orientation
-
Family history
-
Data Retention Policy
Our office will hold personal data for the duration of Justin Tomlinson MP’s time as the MP for North Swindon. Casework and policy queries are frequently revisited and the Office will retain data which is necessary for this purpose, unless specifically requested by the constituent as per point 6 of this document. Therefore, we feel it is reasonable for an elected representative to hold personal data for the duration of their time in office.
-
Subject Access Requests
We will comply to Subject Access Requests in line with the guidance given by the Information Commissioners Office (ICO).
-
We will respond as quickly as possible, within 30 calendar days.
-
We will request verification of the identity of any individual making a request, and ask for further clarification and details if needed.
-
Data subjects have the right to the following:
-
To be told whether any personal data is being processed
-
To be given a description of the personal data, the reasons it is being processed and whether it will be given to another organisation or people.
-
To be given a copy of the information compromising the data, and given the details of the source of the data where this is available.
-
Privacy notice
Our office will undertake to ensure all constituents sharing their personal data can have the opportunity to read our privacy notice. We will:
-
Publish our privacy notice on Justin’s website: www.justintomlinson.com
-
Add a link to our privacy notice to staff email signatures, and to Justin’s email signature
-
Add a link to our privacy notice on Justin’s auto-response on Microsoft Outlook.
-
Modify our voicemail messages to include information about how constituents can read our privacy notice.
-
Make constituents who have written to us aware that their data has been stored in line with our data collection and use policy on the letter returned to them.
Privacy Notice
This privacy notice relates to the personal data processed by the Office of Justin Tomlinson, Member of Parliament for North Swindon, in relation to casework and policy queries.
Who is the Data Controller?
Justin Tomlinson MP is the Data Controller.
What does the Office do?
Justin’s Office discharges the duties and functions of an elected Member of Parliament. As part of this work, we conduct constituency casework and respond to policy queries, for which we must process personal data of our constituents.
We also manage Justin’s E-Newsletter which provides information on Justin’s activities locally and in Westminster. As part of this, we use data which is collected through consent for the purposes of communication and campaigning. Your data may be shared within the Conservative family but we never share it with a third party.
How do we process data?
This office processes constituents’ data under the lawful basis of public task. In instances where this lawful basis is not sufficient and explicit consent is required, a member of the office will contact you to establish your consent.
We are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
The office holds name and e-mail addresses for those who are on Justin's e-newsletter mailing list. This data is collected through consent for the purposes of communication & campaigning.
Will we share your data with anyone else?
If you have contacted Justin about a personal or policy issue, we may pass your personal data on a third-party in the course of dealing with you, such as local authorities, government agencies, public bodies, health trusts, regulators, and so on. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only for the basis upon which they were originally intended. When they no longer need your data to fulfil this service, they will dispose of the details in line with our procedures.
We will not share the personal information of members of the Justin Tomlinson MP Mailing List or those in receipt of our E-Newsletter.
In any case, we will not use your personal data in a way that goes beyond your reasonable expectations in contacting us.
For how long will you keep my personal data?
Unless specifically requested by you, our office will hold your personal data for the time that Justin Tomlinson is the MP for North Swindon.
Casework and policy queries are often revisited to provide the best service and representation for constituents, from whom we may continue to receive correspondence. Therefore we feel it is reasonable for an elected representative to hold personal data for the duration of their time as the Member of Parliament.
What rights do I have to my personal data?
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
-
Right of access – you have the right to request a copy of the information that we hold about you.
-
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
-
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
-
Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
-
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
-
Right to object – you have the right to object to certain types of processing, such as direct marketing.
-
Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
-
Right to judicial review – if our office refuses your request under rights of access, we will provide you with a reason why. You have the right to complain.
How can I contact somebody about my privacy?
You can get in touch with our office by letter, email or telephone using Justin’s office contact details.
Please note that we will ask for identification should you choose to exercise any of the above rights in relation to personal data we hold.