The IPSA Compliance Officer role is a data controller created by the Parliamentary Standards Act 2009, is independent of the Government and IPSA, and fulfils three primary responsibilities:

  1. Assess complaints, and when appropriate instigate formal investigations and conduct reviews at request of MPs in relation to rejected expense claims.

  2. Identify if any matters of MP conduct need to be referred to other organisations.

  3. In support of an assessment, investigation or review, commission and share personal data with subject matter experts.

Reports are published in the public interest, with redaction for privacy and security reasons.

The Compliance Officer is committed to privacy and implements a layered security approach such as access controls, good practice such as encryption and audits, staff training, and supplier contracts (data processor and sharing arrangements).

We do not transfer personal data outside of the EU.

We use (“process”) personal information in the exercise of our functions under the Parliamentary Standards Act 2009.

The information that we use includes “personal data” and “special category personal data”.

Personal data is any information from which someone can be identified, and “special category” refers to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or data about a person’s sex life or sexual orientation.

Financial data is personal data but not “special category” data.

This notice sets out our purposes for processing personal data, our lawful basis for doing so, the personal data that we process, who we might pass that data to, how long we will keep your data, and your rights in relation to the processing of personal data.

Members of Parliament

We process personal data relating to MPs. We do so where necessary in the public interest and to fulfil our statutory functions. Data is collected by referral or direct where an issue is requested for assessment and investigation.

Personal data will include at least:

  • contact details and home addresses

  • contracts

  • work patterns

  • bank details

  • claims – including receipts and invoices

The Compliance Officer may also seek evidence according to the needs of the investigation.

We are required to publish reports on the outcomes of our investigations.

Website visitors

For website visitors and remote systems, we will collect computer information necessary for website use, performance and access for security, best practice, and ensuring our systems work as intended.

This may include metrics, routing and cookies. IPSA's website has a separate privacy policy.

Our workforce

We process personal employment data, as described in IPSA's human resources privacy notice.

There will be times when we share your information with other organisations. Where we do share information we only do so when we are sure there is respect for your rights and data is secured.

We may instruct third party data processors who act on our behalf and instructions. They include information technology support, archiving partners, employee benefit providers, consultants, and commercial partners. We will only share personal data on the basis of contractual terms that ensure that data is protected and that processors comply with data protection legislation and safeguards.

We may also need to share personal data with third party organisations in order to deal with enquiries. We will only send what is needed to answer the issue, unless we are obliged by law.

We work closely with IPSA and the House of Commons on matters related to our statutory functions. We may otherwise share information with third party organisations, such as the police, law firms, HMRC, for reference requests, in restricted circumstances and where the law provides for us to do so.

  • to obtain a copy of your data, with a description of processing (‘subject access request’)

  • to have inaccurate or out of date information corrected

  • to object to the processing of personal data

  • to restrict processing of your personal data (where contested or to prevent loss)

  • to have your personal data erased

  • to prevent direct marketing

  • to prevent fully automated decision making and profiling

  • to have your personal data transmitted to another organisation

  • where consent is the lawful basis, you may withdraw this at any time by writing to us

If we do not intend to or cannot comply with a request then we will explain why.

Read our full data protection policy.

We will only process personal data for as long as necessary for the purpose for which we are processing that personal data.

We will securely dispose of any personal data in accordance with our retention and destruction policy.

If you wish to exercise your rights or have questions, please write to the Compliance Officer in the first instance as below.

You may also contact them as data controller at the same address:

Please include your name, organisation, full address, and telephone (if possible) and clearly outline your questions and expectations.

We aim to answer, depending on complexity, within one calendar month.

If we are unable to help and you wish to complain, please contact the ICO.

The ICO helpline is 0303 123 1113. Further options can be found on the ICO website.

COVID-19 FOI and DPA requests

In line with government advice, IPSA's office is currently closed and staff are working from home.

We are keen to ensure that we can continue to support you as much as possible during this period of remote working with minimal impact on our service.

We strongly advise you not to send information requests to us by post as we have very limited and irregular access to our London office. There are likely to be significant delays between mail being delivered to the office and us collecting it for processing.

We will continue to receive and process any requests sent by email.