Privacy notice

Last updated: September 2022

We respect your right to privacy and manage your personal data in line with our responsibilities under the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). This privacy notice provides the information required by the UK GDPR about the personal data that we collect from you and how we may use your information.

In this notice, references to 'us', 'our' or 'we' are to the House of Commons; and to ‘you’ or ‘your’ are to an individual whose personal data we process.

Everything that we do with your personal data – for example, collecting, storing, using, sharing or deleting it – is referred to as “processing”.

This notice will be updated periodically. We will communicate any significant changes as appropriate.

1. About us

The Corporate Officer of the House of Commons (the Clerk of the House) is the Controller of any personal data processed as described in this Privacy Notice.

The House of Commons Data Protection Officer is the Head of Information Compliance.

If you have any questions about the use of your personal data, please contact the Information Compliance Team:

2. The personal data we process

When you contact us, visit us, access or use our services either online, by post, in person or by other means, we may collect, store and use your personal data.

The personal data we collect from people who start and sign petitions will include: your name, your email address, your postcode, the country you live in, whether you are a British citizen, the IP address you use when starting or signing a petition.

3. Use of your personal data

The Petitions service is provided by the House of Commons. Your personal data will be processed for the purposes of starting and signing petitions to raise issues with the UK Government and Parliament.

We use your personal data to:

  • check that you’re eligible to sign a petition
  • make sure that people only sign a petition once
  • contact you about petitions you start
  • with your consent, send you updates about petitions you have signed.

If you start a petition and we accept it, your name will be published with the petition for the time it is open for signatures. We won’t publish any other personal information about you.

If you’ve signed a petition, we won’t publish any personal information about you. We’ll use your postcode to work out how many people in each parliamentary constituency have signed a petition.

For the purpose of petitions, we consider that the lawful basis for processing your data is that we are engaged in a public task. The processing is necessary for the performance of a public task, namely the exercise of a function of the House of Commons (UK GDPR Article 6 (1) (e) and DPA 2018 (8)). Specifically, processing this data is necessary for the e-petitions website and the work of the Petitions Committee.

For the purpose of informing you about the status of petitions, we rely on your consent to send updates to an email address provided by you (UK GDPR Article 6(1)(a)).

Whilst there is no requirement to provide special category data, any information you provide which includes racial or ethnic origin; religious or philosophical beliefs; trade union membership; genetic and biometric data; health data; sex life or sexual orientation will be considered necessary for reasons of substantial public interest, namely the exercise of a function of the House of Commons (UK GDPR Article 9 (2)(g) and DPA 2018 Schedule 1 (7)(b)).

Our policy for processing special category data can be found here:
House of Commons Data Protection information - UK Parliament

Guidance about the lawful basis for processing personal data can be found on the Information Commissioner’s website

4. Sharing your personal data

We may share or disclose your personal data with:

  • Suppliers and contractors of goods or services contracted by House of Commons in relation to the purpose of fulfilling a public task
  • Other organisations where there is a lawful basis to do so or a duty to disclose in order to comply with any legal obligation. For example, the Police, for the purposes of prevention and detection of crime

Unboxed Consulting Limited who provide technical support for the petitions system will have access to the system for troubleshooting and maintenance purposes only.

We will never share or sell your personal data to other organisations for direct marketing purposes.

5. Retention and security of your personal data

We will retain your personal data for as long as is necessary for the purpose it was collected. In most cases, a retention period will apply which can be found in the Houses of Parliament Authorised Records Disposal Policy on our website.

In relation to Petitions, we will hold your personal data for six months after the dissolution of the current Parliament. A Parliament is the period of parliamentary time between one general election and the next. There are some exceptions as follows:

  • In connection with committee inquiries, we may lawfully retain your personal data for archiving in the public interest and this may amount to indefinite retention.
  • Where the personal data held are subject to the requirements of parliamentary privilege, some individual’s rights under the UK GDPR may not apply in order to prevent an infringement of those privileges.

However, we will consider individual rights requests in relation to historic evidence on a case-by-case basis. Please also see section 6 of this notice.

We take the security of your data seriously. All personal data you provide to us (whether electronically or in paper form) will be stored securely in accordance with our policies. We have technical and organisational security measures in place to oversee the effective and secure processing of your personal data and to minimise the possibility of the loss or unauthorised access of your personal data.

Some personal data controlled by us is held outside the UK, including on data servers in the European Economic Area (EEA). Under the Data Protection Act 2018, all countries within the EEA are regarded as providing an adequate level of data protection. We would not transfer personal data to a person in a country outside the UK or EEA unless satisfied that that person and country had safeguards in place to protect personal data.

6. Your rights

We will ensure you can exercise your rights in relation to the personal data you provide to us in accordance with UK GDPR and DPA 2018. Under data protection law, you have the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Where we are relying on your consent to use your personal data, you can withdraw that consent at any time by contacting petitionscommitteeprivacy@parliament.uk or the Data Protection Officer.

Personal data associated with the signing of an e-petition can only be erased by removing the signature from the petition, in cases where a petition has been signed by mistake or where the requester no longer supports the request of the petition. This is to ensure that validity and accuracy of the total number of signatures on each petition. You can request the removal of your signature from a petition for these reasons by contacting petitionscommitteeprivacy@parliament.uk or the Data Protection Officer.

Some of your rights are subject to the exceptions specified in the UK GDPR and Data Protection Act 2018, in particular:

  • Processing for the performance of a public task – some rights do not apply for the processing of personal data for the starting or signing of e-petitions.
  • Parliamentary Privilege - some rights do not apply where required for the purpose of avoiding an infringement of the privileges of either House of Parliament. (para. 13 of Schedule 2 DPA 2018)
  • Archiving in the public interest – some rights do not apply for the processing of personal data for archiving purposes (para. 28 of schedule 2 DPA)

Please note: Formal Individual Rights Requests are managed by the House of Commons Information Compliance Service who will retain your request, including any relevant personal data, to demonstrate we have met our legal obligations under data protection legislation.  These records are kept securely for two years, after which they are destroyed. 

If you have any concerns relating to the use of your personal data by the Petitions Committee please contact petitionscommitteeprivacy@parliament.uk in the first instance.

You may also complain to the Data Protection Officer whose contact details can be found at Section 1.

You also have the right to complain to the Information Commissioner, the supervisory authority, about our processing of your personal data. They can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Further details about your rights can be found on our website, House of Commons Data Protection information - UK Parliament, and the Information Commissioner’s website.