This document outlines how the Office of James Sunderland processes and manages personal data. It:
- identifies our data controller;
- provides our lawful basis for processing personal data;
- outlines the scope of personal data we hold and process;
- outlines the scope of the special category personal data we hold and process;
- describes and justifies our data retention policy;
- shows how we intend to respond to Subject Access Requests;
- shows how we share your data;
- outlines your rights to your personal data;
- states how to contact us about your data; and
- states how to make a complaint.
The policies outlined within this document come into full effect on 1 January 2020.
Who is the Data Controller?
The Data Controller is James Sunderland
2. Lawful basis for processing
i. Casework is processed primarily under the lawful basis of public task, with exceptional cases processed under the lawful basis of consent.
ii. Personal data contained in our mailing list is processed under the lawful basis of consent. it does not fall within the definition of direct marketing.
iii. We undertake to always act within the reasonable expectations of our constituents and any other individuals about whom we hold personal data.
3. Data we hold
Personal data is stored electronically and securely on our computer systems and paper records are stored in a locked filing cabinet system. Our systems are in offices which are locked when unattended and alarmed and monitored by CCTV.
The Office uses a CMS (Content Management System) application, Caseworker.mp, specifically designed to help with the management of constituent casework records. This information predominantly includes but is not limited to:
- Names, addresses and email addresses.
- Telephone numbers.
- National Insurance Numbers, Passport Numbers.
- Special category data, outlined in point 4.
Policy casework is stored on the same CMS application. This information predominantly includes but is not limited to:
- Names, addresses and email addresses.
- Telephone numbers.
- Special category data on political beliefs.
The Office also maintains a mailing list. These subscribers receive a regular newsletter. Personal data we hold in this regard includes:
- email addresses, names and postcode.
This information is not political in nature and therefore it is not categorised as direct marketing.
4. Special category data
The office may also hold special category data for a smaller number of data subjects. This data will be processed under the lawful basis indicated in point two, as is permitted in clauses 23 and 24 of schedule 1 of the Data Protection Act.
5. Data retention policy
Personal data will be held for no longer than necessary. Some types of data may be held for longer than others. Typically the maximum retention is two election cycles. Review of the data held will occur in each election cycle to determine whether it should be maintained or put beyond use.
6. Subject Access Requests
We will comply with Subject Access Requests in line with the guidance given by the Information Commissioners Office (ICO).
i. We will respond as quickly as possible, within 30 calendar days.
ii. We will request verification of the identity of any individual making a request and ask for further clarification and details if needed.
iii. Data subjects have the right to the following:
a. To be told whether any personal data is being processed.
b. To be given a description of the personal data, the reasons it is being processed and whether it will be given to another organisations or people.
c. To be given a copy of the information comprising the data and given details of the source of the data where this is available.
7. Will we share your data with anyone else?
If you have contacted us about a personal or policy issue, we may pass your personal data on to a third-party in the course of dealing with you, such as local authorities, government agencies, public bodies, health trusts, regulators, and so on. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only for the basis upon which they were originally intended. When they no longer need your data to fulfil this service, they will dispose of the details in line with our procedures.
We will not share the personal information of members of our mailing list or those in receipt of our newsletter.
In any case, we will not use your personal data in a way that goes beyond your reasonable expectations in contacting us.
8. What rights do I have to my personal data?
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing, such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: if our office refuses your request under rights of access, we will provide you with a reason why. You have the right to complain.
9. How can I contact somebody about my privacy?
You can get in touch with our office by letter, email or telephone using the details at the foot of this page.
Please note that we will ask for identification should you choose to exercise any of the above rights in relation to personal data we hold.
10. Making a complaint
If you are unhappy with the way that we have processed or handled your data then you have a right to complain to the Information Commissioner’s Office (ICO). The ICO is the supervisory body authorised by the Data Protection Act 2018 to regulate the handling of personal data within the United Kingdom. The contact details for the ICO are:
If you have any questions about the data held please contact James Sunderland via the contact information on this website.
Please note that proof of identity is required should you choose to exercise any of the above rights in relation to personal data.
We retain the right to update this policy at any time. If there are changes that significantly impact your rights, we will contact you in advance.