Privacy Notice: Education and Engagement Service
UK Parliament is committed to ensuring that your privacy is protected. In line with our responsibilities under the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, this Privacy Notice explains the personal data that we collect and process and how we protect any personal information that you provide.
Who are we?
The Corporate Officers of the House of Commons (HC) and House of Lords (HL) are joint data controllers for any personal data described in this notice.
The Data Protection Officers are the Head of Information Rights and Information Security (IRIS), House of Commons and the Head of Information Compliance, House of Lords.
- Email: IRIS@parliament.uk or email@example.com
- Telephone: 0207 219 4296 (HC) or 0207 219 0100/8481 (HL)
- Post: IRIS, House of Commons, SW1A 0AA or Information Compliance Team, House of Lords, SW1A 0PW.
Under United Kingdom General Data Protection Regulation, you have:
- The right to be informed of how your data will be used and protected
- The right to access your information and obtain a copy
- The right to make changes to your personal data
- The right to request a deletion or restrict the processing of your data in certain circumstances
- The right to data portability
- The right to object to direct marketing and other processing
- Rights in relation to automated decision-making and profiling
For more information visit the Information Commissioner’s Office (ICO) website.
To make a Subject Access Request for your personal data, report a breach or to request the sharing of personal data outside of normal processes, please contact IRIS@parliament.uk or firstname.lastname@example.org
Most of the personal information processed by UK Parliament is provided to us directly by you, for one of the following reasons:
- You subscribe to our e-newsletter
- You wish to attend, or have attended, an event
- You are representing your organisation
- You have made an information request to us
- You have made a complaint or enquiry to us
General Data Processing Information:
The personal information we collect or create may include:
- Name and contact details
- Complaints or enquiries made by you
- Survey data
- Records of goods or services provided
- Photographs and film
- Accident forms
In limited circumstances, we also process sensitive classes of information that may include:
- Racial or ethnic origin
- Religious, political or other similar beliefs
- Physical or mental health details
What do we do with your personal data?
Our legitimate interests as a data controller include processing personal information to:
- Provide education and support services to the public
- Advertise and promote UK Parliament’s Education and Engagement services
- Conduct surveys
- Undertake research
- Manage our accounts
- Provide commercial activities and services
Legal bases for processing
Under UK GDPR and the Data Protection Act 2018, we will process personal data under the following bases:
Personal data processed for providing education and engagement services to the customer – covering both commercial and non-commercial activity.
Legal basis under UK GDPR: 6(1)(f) legitimate interests.
Personal data processed for other commercial and non-commercial activity, support services or as part of commercial transactions, including enquiry and third-party contact details.
Legal basis under UK GDPR: 6(1)(f) legitimate interests.
Purpose: To provide additional services, to develop and maintain enquirer and commercial relationships
Contact details and other personal data related to marketing
Legal basis under UK GDPR: Held under 6(1)(f) legitimate interests, but consent will be obtained for the marketing activity in accordance with PECR.
We will use ‘legitimate interest’ for the promotion of related commercial and non-commercial services provided by UK Parliament to existing or former customers, where they have been given the option to withdraw consent on each contact. We will obtain explicit consent for other direct marketing, including campaigning or marketing contact on behalf of third parties or with people who are not existing or former customers.
Purpose: To promote the activities of UK Parliament’s Education and Engagement services and partner organisations, to raise awareness of opportunities and events of potential interest to customers.
Where do we store your data?
We take the security of your data seriously. All personal data you provide to us will be stored securely, both physically and electronically, in accordance with our policies. We have an information security process in place to oversee the effective and secure processing of your personal data.
Some personal data controlled by us are held outside the UK. These data are predominantly held in data centres within the European Economic Area (EEA), for the purpose of hosting and maintenance. Regulations under section 17A of the DPA 2018 specify that all countries within the EEA are regarded as providing an adequate level of data protection. If personal data are transferred to a country outside the UK or EEA, the adequacy of that country and the organisations and systems processing the data is assessed to ensure that appropriate safeguards are in place.
UK Parliament Education and Engagement Service will retain your personal data for as long as is necessary for the purpose it was collected. Retention periods can be found in the Houses of Parliament Authorised Records Disposal Practice (ARDP).
If you have made an expression of interest in one of UK Parliament’s Education and Engagement services and activities, or have booked a service or activity for yourself or on behalf of your organisation, we will store your contact details in our Customer Relationship Management (CRM) system, Microsoft Dynamics 365.
We use a third-party system, Mailchimp, to send our email communications and your name, email address and location is recorded within that database. Mailchimp’s servers are located in the United States. Mailchimp certifies to the Privacy Shield framework and can therefore lawfully receive EU data. Find out more about Mailchimp’s data policies here.
If you contact us via an online form on the UK Parliament website, either to make a booking or enquire about a service or activity, this information is held securely on a UK based server, WordPress.
All forms on UK Parliament’s Learning website are powered by GravityForms, a WordPress plugin. Form submissions (entries) are saved to the UK Parliament Learning website where they will be deleted on a monthly basis.
When you submit an online form, an automated email notification will be triggered to the relevant team in the UK Parliament Education and Engagement Service, who will process the form and be in touch with you based on the information you have provided to progress your enquiry/booking.
Under ‘legitimate interests’, we will keep your data on our CRM, D365, in order to keep track of your enquiry/booking, and to contact you with information related to your enquiry/booking. Your data will be stored on our CRM for 5 years from the point of your last engagement or contact with us.
We use SmartSurvey to collect feedback data, which is stored in the UK. Find out more about Smart Survey’s GDPR policy here.
We use the TOR Maxim booking system to record and process bookings for educational visits to Parliament. Information is stored in a data centre managed by TOR in the UK.
Your personal data may also be stored in documents such as compliance inspection reports, emails and other records stored within our secure network.
If you sign up to a UK Parliament event via the Eventbrite platform, we will process information concerning attendees at the event that you are signing up to attend. We will not use your data for any other purpose.
The retention period for this personal data is 5 years after any final communication relating to the event, after which it will be disposed of securely. If you ask us to delete your personal data before the end of the retention period, UK Parliament will delete or anonymise your personal data.
In both instances, your personal data may still be held in Eventbrite’s databases and to remove it you will need to initiate a separate data deletion request directly with Eventbrite.
If you request printed learning resources, we will share your name, contact details and address details with a handling company (Ark-H) who are based in the UK. Your personal data will be used by Ark-H handling to send your resources to you and will be disposed of after six months. If you opt-in to us using your personal data to contact you to get feedback about our resources, we will retain your personal data for a period of one year. If you do not want to be contacted during this time, or would like us to cease contacting you at any point during period, please contact us. Further information on retention periods can be found in the Houses of Parliament Authorised Records Disposal Practice (ARDP).
We will not share your data with any other third parties.
Your details will not be transferred outside of the EEA without your consent.
UK Parliament uses Microsoft Teams for running online external workshops, talks and tours to the public. No personal data is collected, processed or stored by Microsoft if users dial into the session anonymously through the web browser option rather than the app. If users choose to dial in through their own Microsoft account, Microsoft will hold the name and email address of all users. If the lead contact or booker dials in with their own Microsoft account, then other attendees on the call will be able to see their name and email address during the call. This can be avoided by dialling in anonymously through the web browser option rather than the app.
If the lead contact or booker has registered for an online workshop, talk or tour with young people under the age of 16, who are dialling in independently, it is their responsibility to ensure they dial in anonymously or have parents’ permission for them to dial in with their Microsoft accounts. UK Parliament does not take responsibility for data visible to other participants, as a result of someone dialling in with their Microsoft account or adding their full name when dialling in anonymously.
In a Microsoft Teams workshop, talk or tour organised by UK Parliament, a record of the chat is kept for 24 hours. After 24 hours, all record of the chat is automatically deleted.
The attendee report created by Microsoft Teams when the session begins, contains the name and email address for all attendees who dial in via a Microsoft account. It will not contain this information if users dial in anonymously. This report is available to the meeting organiser (UK Parliament) only, and only exists during the meeting. Once the meeting has ended, the report can no longer be downloaded. Microsoft has no access to customer data.
Data about Microsoft calls and meetings, including who joins them and when, is available to Office 365 Admins for 30 days before being automatically deleted. This is accessible only by the Productivity & Collaboration team for troubleshooting purposes.
How do we process your data?
If you submit an online expression of interest form via our website, this will be sent to the relevant internal team via Microsoft Outlook, and they will respond to your query with an email.
If you sign up for one of our online workshops, talks or tours, the lead contact or booker registration data (including name, email, contact number, location) will be sent, via outlook, to the workshop, talk or tour presenter, this is in the event that the lead contact or booker needs to be contacted in relation to their session.
If you submit an enquiry or make an event booking, we will keep a record of this for 5 years in our CRM after the enquiry has been closed or the event has finished.
If you have explicitly consented to receiving email communications from UK Parliament’s Education and Engagement team, we will send updates about our services and activities until such time as you unsubscribe.
If you have taken part in a service or activity, we will send a feedback form to you via SmartSurvey and use qualitative and quantitative information you provide to report on performance and make improvements to our services. Occasionally we may use written feedback for marketing purposes, however this will only happen if you have given explicit consent for us to do so.
If you request printed learning resources, we will share your name, contact details and address details with our handling company (Ark-H) who are based in the UK. They will only use your details to post your resources and will remove your data from their systems after 6 months. If you opt-in to us using your personal data to contact you to get feedback about our resources, we will retain your personal data for a period of one year. We will not share your data with any other third parties.
Your details will not be transferred outside of the EEA without your consent.
Legal basis: we will process your data based on UK GDPR Article 6(1)(f) – legitimate interests.
We process your information based on your consent under UK GDPR Article 6(1)(a). You have the right to withdraw your consent at any time, in which case we will delete your data. All non-operational communications will contain a link allowing you to update your communication preferences.
How long do we keep your data?
We will only retain your personal data for as long as:
- it is needed for the purposes set out in this document
- the law may require us to
We will keep your email data until you unsubscribe. We will keep your feedback data for 6 months.
How do we market to you?
If you choose to receive marketing communications from us, we will use data you have provided so that we can send you relevant information about events you may be interested in.
We will store your marketing preferences in our CRM and in our email platform, Mailchimp as described above and will send email communications to you.
Do we carry out profiling?
We will use the information you have given us about the areas you are interested in and where you live to limit the amount of contact we make with you and inform you only of what we think is relevant to you. If you would not like us to carry out this profiling, please contact us and we can ensure you receive all marketing emails. Please bear in mind that this will mean you may receive information that is not relevant to your interests.
You have the right to request:
- information about how your personal data is processed
- a copy of that personal data
- that anything inaccurate in your personal data is corrected immediately
You can also:
- raise an objection about how your personal data is processed
- request that your personal data is erased if there is no longer a justification for it
- ask that the processing of your personal data is restricted in certain circumstances
This Privacy Notice was updated on Dec 2020.