The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) form the UK’s data protection regime. The legislation sets out the responsibilities of:
- controllers - the persons or bodies that determine the purposes and means of processing of personal data; and
- processors - those who process personal data on behalf of a controller.
It also details the rights that people have, e.g. a right of access to their data.
The Information Commissioner’s Office (ICO) oversees and enforces the law.
As Members of Parliament are “controllers”, they must comply with the 2018 Act and the UK GDPR. The ICO has published Guidance for the use of personal data by elected representatives in carrying out constituency casework (updated December 2022).