From 25 May 2018, the General Data Protection Regulation (GDPR), together with the Data Protection Act 2018 (the DPA), replaced the Data Protection Act 1998 in regulating the processing of personal data. Following the UK’s exit from the EU, the UK adapted the GDPR as the UK GDPR.
Members are data controllers in their own right for the purposes of data protection law, entirely separate to the SPCB. Under UK GDPR, every data controller must have a legal basis for any processing of personal data. The term ‘processing’ is wide and includes collecting, storing, using and disclosing or sharing personal data. Personal data is any information that relates to a living human being and can be used to identify them even if additional information is needed to do so.
Whilst the defamation privilege in the Scotland Act 1998 protects Members against defamation proceedings as regards any statements made in parliamentary proceedings and publications under the authority of the Parliament, data protection requirements still apply. As a result, there must be a legal basis whenever personal data is included in a motion or disclosed orally during Parliamentary proceedings as this will be processed (including published) by the Parliament. The DPA allows processing of personal data where it is “necessary for the exercise of a function of either House of Parliament” but the Scottish Parliament and its Members cannot rely on this exemption which preserves Parliamentary privilege only for the House of Commons and the House of Lords.
Data controllers also have a duty to provide information about the ways in which they process personal data, including information about the purpose of the processing, the legal basis relied upon and who the data may be shared with. One way of fulfilling that duty is for data controllers to add a Privacy Notice to their website setting out the required information (it is not necessary to seek consent from each individual whose personal data is processed, unless the legal basis relied upon is consent).
Under the admissibility rules in Standing Orders, motions must not contain offensive language, breach any enactment or rule of law or be contrary to the public interest or contravene the sub judice rule. In addition, the Guidance on Motions says “the text of motions and amendments should not disclose any information that is protected by an interdict or court order, that is commercially sensitive or confidential or the publication of which may cause personal distress or loss. Particular care should be taken in relation to any motion that names individuals as their identities may need to be protected in their own interests”.
As a matter of course, Chamber Desk advises Members to keep personal data to a minimum in motions and questions and this practice continues under UK GDPR.
In order to process personal data lawfully, all data controllers must identify a valid legal basis for each processing activity they undertake. This means that Members intending to lodge a motion containing information which identifies a living individual (or from which a living individual can be identified) must have a legal basis under data protection law for doing so.
The legal bases for processing of personal data are set out in Article 6 of the UK GDPR and this applies to the processing of all personal data relating to an individual. If the motion includes reference to special category (formerly referred to as “sensitive personal data”) and/or criminal offence data, then in addition to the legal basis under Article 6 UK GDPR the Member will need to identify a specific condition for processing in terms of Article 9 UK GDPR (for special category data) and Article 10 UK GDPR (for criminal offence data). Some of which require Members and the SPCB to have an Appropriate Policy Document in place to outline the relevant compliance measures.
The appropriate legal basis and conditions for processing will depend on the particular circumstances. Information about the different legal bases and conditions for processing and when they can be used together with relevant examples are set out in the annex at the end of this document. The onus is on Members to identify and record their legal basis for processing of personal data as the Chamber Desk will assume that the Member is satisfied with the position and that the motion complies with the Member’s obligations under data protection law.
When submitting motions that contain personal data, Members must therefore: (i) be satisfied that, in disclosing this information, they are complying with data protection legislation and (ii) confirm to Chamber Desk in writing which legal basis (for all processing of personal data) and separate conditions for processing (for special category and criminal offence data) they are relying on for including such personal data in the motion.
The Chamber Desk will not accept motions unless they are accompanied by such confirmation. The reasons for this are to (i) ensure that lodged motions comply with the admissibility criteria set out in Standing Orders, (ii) assist Members in complying with data protection requirements, and (iii) avoid compromising the SPCB's compliance with data protection requirements in processing these motions
Whilst this document has been prepared as guidance for Members on the requirements for complying with the DPA and UK GDPR, when submitting parliamentary motions it is important to emphasise that each case will need to be considered on its own individual facts and circumstances. If you require assistance with determining the legal basis for processing, then please contact the Information Management and Governance Team at the following address: [email protected]
This guidance will be updated on an ongoing basis in light of experience and any future developments.
Chamber Desk
October 2022
There are three different types of personal data: normal category data, special category data and criminal offence data. Different rules apply for processing personal data within these categories.
This is any information relating to a living person who can be identified or who is identifiable either directly from that information or indirectly from that information in combination with other information. This would include a person’s name, age, their contact details, date of birth, phone number, home address and home email.
The legal bases available to data controllers for processing normal category data are set out in Article 6(1) of the UK GDPR and section 8 of the DPA.
When including personal data in a motion, Members must be satisfied that there is a legal basis that applies and decide which is most appropriate in the circumstances. In practice, the most common legal bases that Members are likely to use are as follows:
The legal basis for the further processing of the motion by the SPCB will be that the processing is necessary for the performance of a task carried out in the public interest which is the exercise of the SPCB’s functions; that is, the creation of a public record by publication of proceedings on Members’ motions (Article 6(1)(e) UK GDPR and section 8(d) DPA).
Many motions include normal category data as described above.
"That the Parliament congratulates Alison White, Susan Brown and Tracey Green on the work they carry out for the Live Well charity; notes that they raised £5,000 recently following a sponsored walk, in aid of the charity, and wishes them every success in the future."
As with all motions that include personal data, the Member must be satisfied that they have a legal basis for doing so under data protection law.
In this example, the Member may consider that the legal basis for including such personal data is legitimate interests – that is, the legitimate interests of Parliament acknowledging the charitable work of individuals, or indeed the legitimate interests of the third parties (the three named individuals) to receive such acknowledgment. The Member may choose therefore not to seek the consent of the individuals and submit the motion on the basis of one of these other legal bases. If the Member intends to rely on the legitimate interests ground, they will need to consider any potential impact on the privacy rights of the individuals; however, given the nature of the information, any such impact is likely to be low, particularly if the information was made public by the individuals in seeking sponsorship by way of a publicity campaign.
"That the Parliament thanks Mary Black for the work that she does to help people in her local community in Dunfermline by regularly providing food to the local foodbank, undertaking home visits to older people in the town [etc]."
While the Member may consider that the use of this data may pursue the legitimate interest of raising awareness in relation to the work of Mary Black, the motion may be highlighting something that has an impact on the individual’s privacy and/or where they would not expect their data to be used in this way. As a result, it may not be appropriate to rely on the legitimate interests ground here (unless Mary Black has herself publicised the fact that she undertakes these activities). The Member may therefore wish to seek the consent of the individual named and rely on this as their legal basis.
"That the Parliament congratulates all of the winners at the recent Local Hero Awards 2018, which included [list of individual names]."
Here, the Member may consider that the legal basis for including such personal data is legitimate interests – that is, the legitimate interests of Parliament acknowledging the winners of the Local Hero Awards, or indeed the legitimate interests of the winners to receive such acknowledgment. In deciding whether including this personal data would have any impact on the privacy of the individuals, the Member could take into account the fact that these awards were promoted and publicised in the media, it is information already in the public domain, and goes no further than naming individuals and the prizes that they won.
To comply with the principle of data minimisation, naming 11 members of a football team may not be necessary for the purpose of a motion, where simply congratulating the team on their achievement might suffice.
"That the Parliament understands that, after a cost-cutting exercise, the Chief Executive of Top Pharma has announced that over 100 staff will be made redundant..."
In this case, while a name has not been used, the job title makes the person identifiable from the information used. In cases such as this which involve raising awareness/encouraging debate on an important issue of significance to the general public, the member may choose to confirm to the Chamber Desk that the public interest task legal basis applies because it falls within the remit of the function of an elected representative to raise such issues for discussion.
"That the Parliament expresses its disapproval of what it considers the abhorrent racist views espoused by Mr John Smith as reported in the media."
In this example, the reference to Mr Smith and his views amounts to personal data. Depending on who Mr Smith is and what role he has in public life, the Member may consider that including this personal data in a motion is necessary for the performance of a task carried out in the public interest (that is, raising awareness of/encouraging debate on an important issue.).
As with all motions, the general advice is that Members should consider keeping personal data included to the minimum necessary for its purpose.
It is not necessary for Members to provide the Chamber Desk with any documentation in support of their choice of legal basis for any motions that contain personal data. They should however retain these where consent is obtained in order to provide a record of compliance for their own purposes.
This includes information revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning a person’s sex life or sexual orientation, data concerning physical or mental health, the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person.
The UK GDPR prohibits the processing of special category data unless one of the exemptions set out in Article 9(2) of the UK GDPR applies. These are known as the conditions for processing special category data. The Information Governance team (IMG) have prepared an APD template for Members to use and adapt which can be accessed on the Members' page on data protection on the parliament intranet. The SPCB has an APD in place for Parliamentary questions and motions, and Members are also required to have one in place.
When including special category personal data in a motion, Members must be satisfied that in addition to a legal basis for processing (under Article 6(1) UK GDPR), they are able to identify a condition for processing in terms of Article 9(2) UK GPDR. The conditions most likely to be appropriate are that:
"That the Parliament congratulates Joe Blue on achieving [x]; notes that Joe has a [named medical] condition and that this has reduced his mobility and needs constant care, however this has not prevented him from doing [y]…"
In this case, under UK GDPR, the Member must be satisfied that a legal basis for the use of the medical information in this way applies.
This means they must either be satisfied that the use of the personal data describing the medical condition is necessary to carry out the Member’s function and it is in the substantial public interest to do so, or that a different legal basis is suitable and appropriate.
The Member must be certain that the use of the data is closely linked to the Member’s role as an elected representative. The Member must also be satisfied that there is an additional substantial public interest and that it is fair to the data subject and proportionate to use the data in this way.
If the Member is not satisfied that the above legal basis can be applied, they can seek the data subject’s explicit consent (or someone who can lawfully provide consent on his behalf if he does not have capacity to do so) to use information for this purpose that identifies his disability, or they can confirm that the data subject has already “manifestly” made this information public on, for example, his social media accounts or another public forum. Where explicit consent is sought, the Member should seek an express written statement from the individual (an e-mail from the individual is acceptable). As explained above, it is important to remember that consent cannot be withdrawn once the SPCB has commenced processing of the information and it is important to inform the data subject of this when seeking consent.
"That the Parliament notes that Jenny Black from Edinburgh has won £1 million after purchasing her first-ever National Lottery ticket; further notes that Jenny, who lives with her partner Susan plans to do [x] with the money."
The legal basis of information having been manifestly made public by the data subject only applies if the information was made public by the data subject themselves. In this case, the information included may have been taken from a newspaper article or TV news story. While this information is in the public domain, it cannot be assumed that all or any of the personal data was provided to the media by the named individuals. The Member might not, therefore, be able to rely on the ‘manifestly made public’ legal basis. However, if the information was made available by the individuals, for example on their social media accounts, then the Member may consider that the information has manifestly been made public by them and confirm that this is the legal basis on which the information is being published.
"That the Parliament congratulates Rachel Silver on winning a gold medal at the Paralympic Games; notes that Rachel has [condition] and has been participating in the sport since she was 10…"
While this motion mentions a disability, the context is that a medal was won in a competition that was for disabled athletes only. In such circumstances, the Member may choose to process this data relating to the person’s name and their disability on the legal basis that the individual has manifestly made the information public through her participation in a public event open only to disabled athletes.
"The Parliament notes that George Green who suffers from a severe asthmatic condition has campaigned over the past 20 years for the benefits of clean air through the reduction of industrial pollution."
Whilst this motion refers to the health condition of an individual it is likely that, as a campaigner, the person will have manifestly made information about his condition public. Even if the Member is unable to identify any publicly available information, there may well be substantial public interest reasons for processing personal data in circumstances where a person is campaigning for a cause that is in the public interest.
This includes personal data relating to criminal convictions and offences or related security measures and covers criminal activity; allegations; investigations; proceedings; penalties; conditions or restrictions placed on an individual under the criminal justice process; civil measures that may lead to a criminal penalty if not adhered to; as well as unproven allegations.
For processing criminal offence data, as with special category data, Members will need to have a legal basis for processing in terms of Article 6(1) of the UK GDPR (for example, public interest or legitimate interests); however, as a result of Article 10 UK GDPR and section 10(5) of the DPA, it is also necessary to comply with a condition in Parts 1, 2 or 3 of Schedule 1 of the DPA. The conditions which are most likely to be relevant to Members are that:
"The Parliament offers its support for John Grey who has been detained whilst travelling across the war-torn region of [country x] in search of his daughter, Jane, who went missing there in 2019 whilst carrying out humanitarian work."
In this case the information has been provided by press reports and whilst the Member does not have consent of the data subjects to process this information (which includes criminal offence data) and in the absence of information to show that this information has been made public by the data subjects, there are strong public interest reasons; that is, to raise public awareness of the plight of these individuals for processing this information. The Member may therefore wish to rely on substantial public interest as the condition for processing of criminal offence data in this instance.
"That the Parliament is aware that Susan Orange and Derek Magenta, parents of the murdered schoolgirl Amber Magenta, have set up a Memorial Fund in Amber’s memory with a view to offering counselling and practical support to families who, like themselves, have suffered severe depression due to the loss of a child; the Parliament commends Susan and Derek’s bravery and wishes them well in this venture; and further notes that Amber’s killer, Robert Beige, has now been convicted of murder and sentenced to life imprisonment, with a punishment part of 20 years."
There are a number of issues arising in this example.
There is currently no specific guidance from the Information Commissioner on what ‘manifestly made public’ by the data subject means in the context of criminal offence information (would the test be satisfied, for example, if a named individual has been convicted of an offence, the details of which will have been announced in a public forum?). This guidance will be reviewed in the light of any advice or official guidance from the Information Commissioner, or any case law, relating to this question.
As with all motions, the general advice is that Members should consider keeping personal data included to the minimum necessary for its purpose.
It is not necessary for Members to provide the Chamber Desk with any documentation in support of their choice of legal basis for any motions they submit that contain personal data. They should however retain these where consent is obtained in order to provide a record of compliance for their own purposes.
In addition to identifying a legal basis for the processing of personal data, Members must ensure the processing complies with the other data protection principles. This includes ensuring the processing is fair, transparent, accurate and uses the minimum amount of personal data necessary for the question.
Fairness requires consideration of how the personal data was obtained, whether the personal data is being handled in a way an individual would reasonably expect; how the use of their data may affect them including any potential adverse impact, and if so, whether this is justified. Where personal data is a repeat of information in the public domain as a result of reporting in the press, this will inform the issue of fairness in particular, the reasonable expectations of identifiable individuals. For example, where there are press reports, there may be a legitimate expectation that such matters may be raised in Parliament by Members where these are matters of concern to them and their constituents.
If this special category and/or criminal offence data is not already in the public domain, it is for the Member to be satisfied as to the fairness of including the personal data in the question for example, what the individual’s expectations would be as to how their data is used, the potential impact on them and whether it is reasonable in the circumstances to notify the individual identified. For example, if a constituent has specifically asked a Member to raise a motion relating to their personal health circumstances or a matter relating to a conviction, the likely appropriate legal basis for the processing of this special category or criminal offence data will be the Member is taking the action in response to a request by an individual (paragraph 23, Part 2 of Schedule1 to the DPA). Nevertheless, the individual should still be made aware of how this information will then be used, including further processed by the Parliament and become part of the public record. Or to use another example, even where the personal data has been manifestly made public by the data subject for example, an interview with the data subject where they disclose information which constitutes special category or criminal offence data, the Member should still consider the fairness of using this personal data for the purpose of a parliamentary motion.
Finally, Members may wish to note that there is a presumption in the DPA that children aged 12 or over (in Scotland) have capacity to provide consent for the processing of personal data relating to them (and for exercising their rights under data protection law). For children who are under 12, consent can be provided by a parent or guardian.
Useful guidance on UK GDPR can also be found on the Information Commissioner’s Office website, particularly in relation to: