Privacy Statement

Privacy policy for Patrick Grady MP

This the Privacy Notice of the office of Patrick Grady MP
This privacy notice explains how my office collects and uses personal information about individuals.

My office address and contact details are:

Address: Unit 1 Firhill Business Centre, 74-76Firhill Road, Glasgow, G20 7BA
Email: Patrick.grady.mp@parliament.uk
Phone: 0141 946 3062

Notification:

I am registered as a data controller with the UK Information Commissioner and the reference number is: ZA117599

How I use your personal data:

I would like to send you information about constituency news and events, but I will not use your contact details to do this unless you have said that you would like to be sent this information. If you have said that you would like this information, but later change your mind, you have a right at any time to let us know if you no longer wish to be sent this information. If you wish to receive or stop receiving this information, please contact my office.

What is personal data?

Personal data is any information from which a living individual can be identified. I will hold all personal data securely, I will only use it for the purposes it was collected or acquired for and I will only pass it on to third parties with your consent or according to a legal obligation. Further information about the data protection legislation and your rights is available here: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

What information do we collect about you?

My office collects personal information that is supplied to me in my role as a Member of Parliament. It includes information supplied by my constituents and others in relation to matters which I have been asked to pursue in the interests of individuals and groups who live in my constituency such as:

• details of specific cases
• information provided by signatories on petitions
• responses to questionnaires and
• contact details for the purpose of communicating news and updates
• I also collect information on use of my website using cookies

How will we use the information about you?

If you ask me to pursue a matter on your behalf, I will use your information in order to pursue the matter you have raised with me. My staff and volunteers will normally see this information to find help and advice for you. Your personal data and special category data may be passed to other agencies (such as the Department for Work and Pensions, the CMS, the local Housing Department) if I believe this to be necessary to pursue the matter you have raised with me. Your information may also be passed on to the House of Commons Information Office to obtain further information about your case. I intend that only the minimum possible personal information will be shared with other agencies, as necessary to assist you.

If you give me personal information about someone other than yourself, I may need to check the facts with that other person. If you ask me to take action on behalf of a friend or relative I may need to contact that person to confirm that they are happy for me to act on their behalf. If you feel it would not be appropriate for me to contact the other person, you should discuss this with me when you give me their information.

Constituency news and events

I would like to send you information about constituency news and events, but I will not use your contact details to do this unless you have said that you would like to be sent this information. If you have said that you would like this information, but later change your mind, you have a right at any time to let us know if you no longer wish to be sent this information. If you wish to receive or stop receiving this information, please contact my office.

Purposes and categories of processing personal data:

I collect and use personal data to fulfil the following functions and associated activities of my office:

• to carry out casework on behalf of my constituents;
• to tend to issues and campaigns I am involved in ;
• to maintain supplier relationships;
• to process expenses, accounts and associated records.

If you contact me with an inquiry or a complaint, I will normally need to store your contact details to deal with your inquiry or complaint. This is considered to be “normal category data” under the GDPR.

Other personal data you may provide to me may include details about your personal and family life, social circumstances and business activities, your employment and education details, financial information or information about your housing situation etc.. Depending on what views, issues or experiences you wish to discuss with me, you may be sharing “special category” data with me. For example, this could include details about race or ethnic origin, political or religious views, sex life or sexual orientation, trade union membership, physical or mental health, genetic or biometric data or any criminal offences.

If you are a supplier, I will normally need to store your name, contact and payment details for the purposes of the contract between us.

The legal basis for processing personal data:

Data protection law states that I must have a legal basis for handling your personal data. The permitted legal bases can be found in the GDPR and the DPA.

Casework

Where it is necessary for me to process data for the purpose of taking reasonable action on behalf of a constituent, I do not require the constituent’s consent for that processing.  The legal basis for the processing is that it is necessary for a task carried out in the public interest or, as regards special category data, the substantial public interest. In particular: Where it is necessary for me to process data for the purpose of taking reasonable action on behalf of a constituent, I do not require the constituent’s consent for that processing.  The legal basis for the processing is that it is necessary for a task carried out in the public interest or, as regards special category data, the substantial public interest. In particular: 

In relation to ‘normal’ catgeory data, the legal basis is that the processing is necessary for an activity supporting or promoting democratic engagement (article 6(1)(e) GDPR and section 8(e) DPA). Democratic engagement covers a wide range of political activities inside and outside election periods, including but not limited to: democratic representation, communicating with electors and interested parties, surveying and opinion gathering, campaigning activities, activities to increase voter turnout, supporting the work of elected representatives, prospective candidates and official candidates and fundraising to support any of these activities; 

In relation to ‘special category data’, the legal basis is that the processing is necessary for reasons of substantial public interest,  which includes any processing carried out by an MP, or a person acting with their authority, for the purpose of reasonable actions taken by the MP in response to a request by an individual to take action on their behalf (Article 9(2)(g) GDPR and paragraph 23 of Schedule 1 of the DPA).

Other processing activities

For other activities and functions which involve the processing of personal data, the legal basis for processing may, depending on the circumstances, be:For other activities and functions which involve the processing of personal data, the legal basis for processing may, depending on the circumstances, be:

• Processing necessary for a task carried out in the public interest (which includes processing necessary for an activity supporting or promoting democratic engagement (article 6(1)(e) GDPR and section 8(e) DPA). Democratic engagement covers a wide range of political activities inside and outside election periods, including but not limited to: democratic representation, communicating with electors and interested parties, surveying and opinion gathering, campaigning activities, activities to increase voter turnout, supporting the work of elected representatives, prospective candidates and official candidates and fundraising to support any of these activities• Processing necessary for the pursuit of legitimate interests• Consent of the data subject (the person who the personal data relates to.)• Processing necessary to comply with legal obligations• Processing necessary to protect vital interests of individuals• Processing necessary for the performance of a contract• As for any sensitive (or ‘special category’) data, the legal basis relied upon may, depending on the circumstances, be: 

• Processing necessary to comply with legal obligations• Explicit consent • Processing necessary to protect vital interests of individuals• The data has been manifestly made public by the data subject• Processing necessary for the establishment, exercise or defence of legal claims

Categories of processing activities and corresponding legal basis:

Processing of personal data means anything from collecting, storing, using to sharing and deleting (see link above for more information).Processing of personal data means anything from collecting, storing, using to sharing and deleting (see link above for more information).I process personal data in the following ways: For further information on the legal basis for processing here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

 Processing activity The legal basis How long I retain the data How the data may be shared
 Receiving, storing and responding to general enquiries by letter, email or in person The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 5 years from the date of last contact (this is based on the standard length of a Parliamentary term) Electronically or via written correspondence or in a telephone or personal consultation.
 Receiving, storing and responding to complaints by letter, email or in person The processing is necessary for the performance of a task carried out in the public interest (Art 6(1)(e) GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 5 years from the date of last contact (this is based on the standard length of a Parliamentary term) Electronically or via written correspondence or in a telephone or personal consultation.
 Receiving and storing data in relation to a personal issue or problem raised by a constituent (casework)  The processing is necessary for the performance of a task carried out in the public interest (Art 6(1)(e) GDPR).
The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest.
For special category data:
The processing is necessary for reasons of substantial public interest (Art 9(2)(g) GDPR and DPA Sch 1, para 23; (this covers any processing carried out by an MP, or a person acting with their authority, for the purpose of reasonable actions taken by an MP in response to a request by an individual to take action on their behalf).
  5 years from the date of last contact (this is based on the standard length of a Parliamentary term) Electronically or via written correspondence or in a telephone or personal consultation.
 Collect and use data for the purpose of sending out newsletters, updates or with information about surgeries, office contact details and upcoming events and campaigns  The processing is necessary for the performance of a task carried out in the public interest (Art 6(1)(e) GDPR).
Or alternatively if consent has been given by the subject to process their data (Art 6(1)(a) GDPR)
 5 years from the date of last contact (this is based on the standard length of a Parliamentary term) Electronically or via written correspondence
 Contacting constituents with surveys relevant to issues affecting the local constituency. The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 5 years from the date of last contact (this is based on the standard length of a Parliamentary term) Electronically or via written correspondence
  Collecting constituent details for petitions or campaigns relating to local or national issues. The processing is necessary for the performance of a task carried out in the public interest or for the purpose of a legitimate interest (Art 6(1)(e) GDPR). The task is the engagement of constituents with their elected parliamentary representative. The accessibility of elected representatives is in the public interest. 5 years from the date of last contact (this is based on the standard length of a Parliamentary term) Electronically or via written correspondence or in a telephone or personal consultation.
 Take, store and use photos and videos in connection with my engagements and events I attend in my capacity as a MP. The processing is necessary for the performance of a task carried out in the public interest (Art 6(1)(e) GDPR) or for the purpose of a legitimate interest (Art 6(1)(f) GDPR) or the data subject has provided consent (Art 6(1)(e) GDPR). The duration of my service as an MP, unless an individual requests their data to be deleted. On my website or via social media or in a paper publication.

Sharing of personal data:

I sometimes may be required to share the personal information I hold with other individuals or organisations including for example:
• healthcare, social and welfare organisations
• housing associations or landlords
• local and central government bodies
• educators and examining bodies
• statutory law enforcement agencies
• investigating bodies
• elected representatives and other holders of public office
• financial organisations
• crime prevention agencies and the police
• Other authorised third parties

Depending on the circumstances, the legal basis for sharing data with these organisations may be that:
• the sharing is necessary for complying with a legal obligation to which I am subject (Art 6(1)(c) GDPR);
• the sharing is necessary in order to protect the vital interests of the data subject or of another person (Art 6(1)(d)); or
• the sharing is necessary for the performance of a task carried out in the public interest or substantial public interest (Art 6(1)(e) or Art 9(2)(g) GDPR).

I may seek your prior express consent to share your personal data with any of the following:
• employment and recruitment agencies
• press and the media
• family, associates and representatives of the person whose personal data I am processing
• enquirers
• subjects of complaints
• political parties
• charitable parties

The consequences of my not processing personal data are:

Where I am processing personal data for the performance of a contract, the consequence of not processing the personal data is that I may not be able to fulfil my obligations under that contract.

Where I am processing personal data in accordance with a statutory obligation, the consequence of not processing personal data may be that I am liable to regulatory fines for non-compliance with that statutory duty.

Automated data processing:

I do not use automated processing techniques to process your data.

Sharing or processing personal data outside the European Economic Area:

In carrying out the standard activities of my office I make use of cloud-based software platforms such as Office 365, Caseworker.mp, Mailchimp and Trello. Where these are used to process personal data they are accessed by devices which are passwprod protected and encyrpted. Each platform is protected by unique logins for each user combined with two-factor authentication through authenticator apps such as Google Authenticator. Where data is transferred outside the EU – as with Mailchimp and Trello where the servers are based in the US – these companies are certified to the EU-US Privacy Shield framework and are lawfully able to receive EU data in compliance with the GDPR.

Retention of personal data:

I retain personal data for the period that is necessary to carry out casework on behalf of my constituents, work on issues and campaigns I am involved in, and to maintain supplier information, expenses, accounts and associated records. In respect of casework I will delete personal data once a case has been closed for 5 years.

Using my website

My website uses cookies to gather information about how visitors use my website to help me improve its performance, and secondly, to improve the visitor experience when using the website by delivering pages more quickly or remembering user settings. Additionally, videos on the website may use cookies created by third-party providers such as Flash or YouTube. Users are able to disarm cookies but some features of the website may not function as a result.

Other websites

This privacy notice only applies to information on my website and does not apply to information contained on other websites that are linked from this one.

Your rights

The GDPR sets out the rights which individuals have in relation to personal information held about them by data controllers. These rights are listed below, although whether you will be able to exercise each of these rights in a particular case may depend on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place (see the individual privacy notices listed above for further details in relation to specific processing activities).

Access to your information – You have the right to request a copy of the personal information about you that I hold.

Correcting your information – I want to make sure that your personal information is accurate, complete and up to date and you may me to correct any personal information about you that you believe does not meet these standards.

Deletion of your information – You have the right to ask me to delete personal information about you where:
• You consider that I no longer require the information for the purposes for which it was obtained
• I am using that information with your consent and you have withdrawn your consent.
• You have validly objected to my use of your personal information –my use of your personal information is contrary to law or our other legal obligations.

Objecting to how we may use your information – You have the right at any time to require me to stop using your personal information for direct marketing purposes. In addition, where I use your personal information to perform tasks carried out in the public interest or for a legitimate interest then, if you ask me to, I will stop using that personal information unless there are overriding legitimate grounds to continue.

Restricting how we may use your information – in some cases, you may ask me to restrict how I use your personal information. This right might apply, for example, where I am checking the accuracy of personal information about you that I hold or assessing the validity of any objection you have made to my use of your information. The right might also apply where this is no longer a basis for using your personal information but you don’t want me to delete the data. Where this right is validly exercised, I may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent using your information – Where I use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.

Please contact me using the contact details provided above.

Changes to my privacy statement

I keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information above. This privacy statement was last updated on 24 May 2018.

Contact information and further advice

Please contact my office if you have any queries regarding this privacy policy or how my office handles your information. You can find my contact details at the top of this statement or at www.patrickgrady.scot/contact

Complaints

I seek to resolve directly all complaints about how I handle personal information but you also have the right to lodge a complaint with the Information Commissioner’s Office:

Online: https://ico.org.uk/global/contact-us/email/
By phone: 0303 123 1113
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

%d bloggers like this: