Skip to main content

‹ Back to Home

The Restoration and Renewal Sponsor Body – Privacy Policy

Purpose

The Restoration and Renewal Sponsor Body is committed to being transparent about how it collects and uses the personal data of its staff, contractors, stakeholders, and the public. This privacy notice serves to promote awareness and demonstrate compliance with the requirements of the UK General Data Protection Regulations (GDPR).

Controller and Data Protection Officer

The Restoration and Renewal Sponsor Body as a legal entity is the ‘Controller’ of the personal data and special category data it collects and uses in order to meet its responsibilities under the Parliamentary Buildings (Restoration and Renewal) Act 2019 and the Restoration and Renewal Programme Delivery Agreement between the Restoration and Renewal Sponsor Body and the Restoration and renewal Delivery Authority Ltd.

This includes information relating to:

  • Restoration and Renewal Sponsor Body staff and contractors

  • External communications and public engagement in relation to the Programme.

  • The ownership and control over the public website and other communication channels, including all social media channels, for the Programme, and for consulting Parliament.

The Restoration and Renewal Sponsor Body’s ‘Data Protection Officer’ is Luke Whiting, Head of Information Assurance.

You can contact our Data Protection Officer through email at:

externalinformationrequests@r-r.org.uk

Or via post at:

Houses of Parliament Restoration and Renewal Programme 7 Millbank, London SW10 3JA

Personal Data Collected- Employees and contractors

The Restoration and Renewal Sponsor Body will obtain personal data only by lawful and fair means so that we can manage the relationship or contract between us. Where appropriate, we will collect data with the knowledge and consent of the individual concerned. We will adopt all necessary measures to ensure that the personal data collected and processed is secure and kept up to date.

You have some obligations under your employment contract to provide us with data. You are required to report absences from work and may be required to provide information about disciplinary or other matters under your duty of good faith to your employer. You may also have to provide data to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable us to enter lawfully into a contract of employment with you. If you do not provide other information, this will hinder or even frustrate our ability to administer the rights and obligations arising because of the employment relationship. There may be other occasions where it is necessary to process your personal data that are not detailed in this privacy notice; please do contact your manager or the Data Protection Officer if you would like these explained.

Types of personal data we collect may include (but not limited to):

  • Your name and contact details, including email address and telephone number, date of birth and gender;

  • Information about your marital status, next-of-kin, dependants and emergency contacts;

  • The terms and conditions of your employment, details of your qualifications, skills, experience, references and employment history, including start and end dates, with previous employers and within current role;

  • Information about your pay, including entitlement to benefits such as pensions, details of your bank account and national insurance number, subscription to trade union;

  • Information about your nationality and entitlement to work in the UK;

  • Information about any criminal convictions you may have, and information needed in relation to security clearance or criminal records checks permitted by law;

  • Details of your days of work, working hours, rostering and attendance at work;

  • Details of periods of leave taken by you, including holiday, sickness absence, special leave, career breaks, sabbaticals and the reasons for the leave;

  • Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;

  • Assessments and evidence of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;

  • Training, talent management and coaching records;

  • Photographs of you in connection with your work;

  • Diversity data (if you choose to supply it);

  • Information relating to Register of Staff Interests;

  • Information required for participation in the National Fraud Initiative (prevention and detection of fraud), this includes Accounts Payable, payroll and pensions data such as name, address, date of birth, national insurance number and bank account/sort code;

  • Information about medical or health conditions, including whether you have a disability or need for which we may be required to make reasonable adjustments;

  • Contact details for business continuity; and

  • Images captured by the security cameras operating on the Parliamentary Estate and data capturing your movements around the estate.

We may collect this information in a variety of ways through application forms or other documents you complete or provide, from correspondence with you or through interviews, meetings, or other assessments. In some cases, we may collect personal data about you from third parties, such as references supplied by former employers or information from employment background check providers.

Lawful Basis

The lawful basis for collecting and processing your personal data as part of your employment or contract will depend on the specific reason we have collected it. We will act in accordance with all applicable laws and contractual obligations and not process data unless one of the following requirements are met:

  • Where the data subject has given their consent to do so;

  • Where processing is necessary for the performance of a contract (employment or other) that data subject is party to or intended to enter;

  • Where necessary to comply with a legal obligation to which the Controller is subject to;

  • Where processing is necessary in order to protect the vital interests of the data subject(s);

  • Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

  • Where processing is necessary for our legitimate interests and is fair when balanced against your interests and rights.

A further lawful basis is required when processing ‘Special Categories’ of data; these include racial or ethnic origin; religious or philosophical beliefs; trade or professional memberships, genetic and biometric data; health data; sex life or sexual orientation. We will only process this data where one of the following conditions apply:

  • Where the Data Subject expressly consents to;

  • Where the processing relates to data which has already been made public by the data subject;

  • Where the processing is necessary for carrying out obligations and exercising rights under employment, social security or social protection law;

  • Where the processing is necessary to protect the vital interests of the data subject(s) should they be physically or legally incapable of giving consent.

Special Category data will only be processed following discussion with the Restoration and Renewal Sponsor Body’s Data Protection Officer to ensure that the basis for processing is understood and clearly recorded.

Sharing employee or contractor data

Personal data may be shared internally if access is necessary for services to perform their role. This may include (but not limited to) your Line Manager disclosing information to HR Office, Payroll, Information Management and Digital Services.

We may also disclose your personal data to third parties where we have a lawful basis for doing so, such as:

  • Pre-employment references/checks from other employers

  • Criminal records checks from the Disclosure Barring Service

  • Provision of shared services (for example pension provider)

  • Security bodies and Police for their enquiries (for example audit, fraud, crime prevention/detection)

We will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. It should be noted that third parties are separate data Controllers and should be contacted directly if you wish to exercise any of your rights relating to the personal data they hold about you.

Personal data collected as part of our public engagement

Public and stakeholder engagement is central to how the Restoration and Renewal Sponsor Body will identify and refine options and plans for the restoration and renewal of the Houses of Parliament.

The public engagement work of the Restoration and Renewal Sponsor Body will include online consultations and debates, workshops and conversations, and live events and tours of Parliament. These will all either be facilitated directly by the Restoration and Renewal Sponsor Body, by third parties on our behalf, or by stakeholder partners.

The Restoration and Renewal Sponsor Body will only obtain personal data as part of its public engagement activities on the restoration and renewal of the Houses of Parliament where it is necessary to do so for that purpose. If we need to hold and use your personal data, we will do so lawfully, proportionately, and by fair means. We will adopt all necessary measures to ensure that the personal data collected and processed is complete and accurate to reflect the current situation of the data subject.

Types of personal data we may need to collect as part of our public engagement work may include:

  • First and last name

  • Contact and address information

  • Confirmation you are a British citizen or resident

  • Opinions you share with us as part of the engagement

  • Images, videos, or recordings taken at the events with your permission

  • An image of you if you choose to upload a profile photo online

  • Any information you share about yourself in your bio online

More information about our public engagement event can be found online here: https://engage.restorationandrenewal.uk/en/

Lawful Basis

Our lawful basis for collecting and processing your personal data as part of these public engagement activities will usually be Article 6(1)(e) of the UK GDPR as the processing is necessary for the performance of a task carried out in the public interest in our role as a public body.

However, where we need to collect information for a unique purpose or wish to reuse information you have given us for another purpose, we will seek your consent to do so. Sharing engagement data

Responses and data collected as part of our public engagement activities will, wherever possible, be anonymised before they are shared with third parties. Once anonymised, the information may be shared with others, including in public documents, without further notice to you.

Personal data collected as part of the public engagement activities may though, where necessary, be shared with:

• the Restoration and Renewal Delivery Authority Ltd • the House of Commons • the House of Lords

We will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient.

Storage, Retention and Third-Party Providers

We take the security of data provided to us by our staff, stakeholders, and the public seriously. All personal data provided will be stored securely, both physically and electronically.

We have in place internal policies and controls to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by those authorised to do so by us.

Personal data is held by the Restoration and Renewal Sponsor Body in data centres within the UK or European Union (EU) for the purposes of hosting, maintenance and back up. We (or processors acting on our behalf) may also store or process your personal data in countries outside the UK but only where we are assured of the security of the data and the adequacy of the data protection regimes of those countries and organisations holding the data.

In general, we will hold personal data about staff and contractors for the duration of their employment unless required to retain it longer by law. For full details of the periods for which your data are held, please refer to the Authorised Records Disposal Practice.

CitizenLab are a third-party processor who provide us with services to run the public engagement online platform. CitizenLab process personal data on our behalf based on written instructions. They are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. CitizenLab processes personal data in the EU and uses sub-processors who process personal data in the EU and USA.

We will hold personal data obtained through our public engagement online platform for 2 years from the last time you log onto the public engagement platform; or for up to 2 years after the public engagement ends, whichever is later.

We may hold consultation data for longer in an anonymised format, in which case we may use this information indefinitely without further notice to you.

Your rights under the UK GDPR

As a data subject, you can exercise the following rights in relation to the personal data we hold:

  • access and obtain a copy of your data on request;

  • request us to change incorrect or incomplete data;

  • request us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;

  • object to the processing of your data where we are relying on our legitimate interests as the legal basis for processing: and

  • withdraw your consent to us processing your data where we are relying on consent.

  • You also have the right to complain to the Information Commissioner’s Office, the supervisory authority, about our collection and use of your personal data. They can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you would like to exercise any of these rights, please contact the Data Protection Officer: externalinformationrequests@r-r.org.uk or via post at Houses of Parliament Restoration and Renewal Programme 7 Millbank, London SW10 3JA.

Restoration and Renewal Delivery Authority Ltd – Privacy Policy

Purpose

The Restoration and Renewal Delivery Authority Ltd is committed to being transparent about how it collects and uses the personal data of its staff, contractors, stakeholders, and the public. This privacy notice serves to promote awareness and demonstrate compliance with the requirements of the UK GDPR.

Controller and Data Protection Officer

The Restoration and Renewal Delivery Authority Ltd as a legal entity is the ‘Controller’ of the personal data and special category data it collects and uses in order to meet its responsibilities under the Parliamentary Buildings (Restoration and Renewal) Act 2019 and the Restoration and Renewal Programme Delivery Agreement between the Restoration and Renewal Sponsor Body and the Restoration and renewal Delivery Authority Ltd.

This includes information relating to:

  • The Restoration and Renewal Delivery Authority Ltd staff and contractors

  • The formulation of proposals relating to Palace restoration works

  • The management and delivery of the programme and the execution and completion of the works;

The Restoration and Renewal Delivery Authority Ltd’s ‘Data Protection Officer’ is Luke Whiting who is the Head of Information Assurance at the Restoration and Renewal Sponsor Body.

You can contact our Data Protection Officer through email at:

externalinformationrequests@r-r.org.uk

Or via post at:

Houses of Parliament Restoration and Renewal Programme 7 Millbank, London SW10 3JA

Personal Data Collected- Employees and contractors

The Restoration and Renewal Delivery Authority Ltd will obtain personal data only by lawful and fair means so that we can manage the relationship or contract between us. Where appropriate, we will collect data with the knowledge and consent of the individual concerned. We will adopt all necessary measures to ensure that the personal data collected and processed is secure and kept up to date.

You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under your duty of good faith to your employer. You may also have to provide data to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable us to enter lawfully into a contract of employment with you. If you do not provide other information, this will hinder or even frustrate our ability to administer the rights and obligations arising as a result of the employment relationship. There may be other occasions where it is necessary to process your personal data that are not detailed in this privacy notice; please do contact your manager or the Data Protection Officer if you would like these explained.

Types of personal data we collect relating to your employment may include (but not limited to):

  • Your name and contact details, including email address and telephone number, date of birth and gender;

  • Information about your marital status, next-of-kin, dependants and emergency contacts;

  • The terms and conditions of your employment, details of your qualifications, skills, experience, references and employment history, including start and end dates, with previous employers and within current role;

  • Information about your pay, including entitlement to benefits such as pensions, details of your bank account and national insurance number, subscription to trade union;

  • Information about your nationality and entitlement to work in the UK;

  • Information about any criminal convictions you may have, and information needed in relation to security clearance or criminal records checks permitted by law;

  • Details of your days of work, working hours, rostering and attendance at work;

  • Details of periods of leave taken by you, including holiday, sickness absence, special leave, career breaks, sabbaticals and the reasons for the leave;

  • Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;

  • Assessments and evidence of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;

  • Training, talent management and coaching records;

  • Photographs of you in connection with your work;

  • Diversity data (if you choose to supply it);

  • Information relating to Register of Staff Interests;

  • Information required for participation in the National Fraud Initiative (prevention and detection of fraud), this includes Accounts Payable, payroll and pensions data such as name, address, date of birth, national insurance number and bank account/sort code;

  • Information about medical or health conditions, including whether you have a disability or need for which we may be required to make reasonable adjustments;

  • Contact details for business continuity; and

  • Images captured by the security cameras operating on the Parliamentary Estate and data capturing your movements around the estate.

We may collect this information in a variety of ways through application forms or other documents you complete or provide, from correspondence with you or through interviews, meetings or other assessments. In some cases, we may collect personal data about you from third parties, such as references supplied by former employers or information from employment background check providers.

Lawful Basis

The lawful basis for collecting and processing your personal data as part of your employment or contract will depend on the specific reason we have collected it. We will act in accordance with all applicable laws and contractual obligations and not process data unless one of the following requirements are met:

  • Where the data subject has given their consent to do so;

  • Where processing is necessary for the performance of a contract (employment or other) that data subject is party to or intended to enter;

  • Where necessary to comply with a legal obligation to which the Controller is subject to;

  • Where processing is necessary in order to protect the vital interests of the data subject(s);

  • Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

  • Where processing is necessary for our legitimate interests and is fair when balanced against your interests and rights.

A further lawful basis is required when processing ‘Special Categories’ of data; these include racial or ethnic origin; religious or philosophical beliefs; trade or professional memberships, genetic and biometric data; health data; sex life or sexual orientation. We will only process this data where one of the following conditions apply:

  • Where the Data Subject expressly consents to;

  • Where the processing relates to data which has already been made public by the data subject;

  • Where the processing is necessary for carrying out obligations and exercising rights under employment, social security or social protection law;

  • Where the processing is necessary to protect the vital interests of the data subject(s) should they be physically or legally incapable of giving consent.

Special Category data will only be processed following discussion with the Restoration and Renewal Delivery Authority Ltd’s Data Protection Officer to ensure that the basis for processing is understood and clearly recorded.

Sharing employee or contractor data

Personal data may be shared internally if access is necessary for services to perform their role. This may include (but not limited to) your Line Manager disclosing information to HR Office, Payroll, Information Management and Digital Services.

We may also disclose your personal data to third parties where we have a lawful basis for doing so, such as:

• Pre-employment references/checks from other employers • Criminal records checks from the Disclosure Barring Service • Provision of shared services (for example pension provider) • Security bodies and Police for their enquiries (for example audit, fraud, crime prevention/detection)

We will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. It should be noted that third parties are separate data Controllers and should be contacted directly if you wish to exercise any of your rights relating to the personal data they hold about you.

Storage and Retention

We take the security of data provided to us by our staff, stakeholders and the public seriously. All personal data provided will be stored securely, both physically and electronically. We have in place internal policies and controls to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Personal data is held in data centres within the UK or European Union for the purposes of hosting, maintenance and back up. We (or processors acting on our behalf) may also store or process your personal data in countries outside the UK but only where we are assured of the security of the data and the adequacy of the data protection regimes of those countries and organisations holding the data.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions. They are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. In general, we will hold personal data about staff and contractors for the duration of their employment unless required to retain it longer by law. For full details of the periods for which your data are held, please refer to the Authorised Records Disposal Practice.

Your rights under the UK GDPR

As a data subject, you can exercise the following rights in relation to the personal data we hold, no matter why we hold your personal data:

  • access and obtain a copy of your data on request;

  • request us to change incorrect or incomplete data;

  • request us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;

  • object to the processing of your data where we are relying on our legitimate interests as the legal basis for processing: and

  • withdraw your consent to us processing your data where we are relying on consent.

  • You also have the right to complain to the Information Commissioner’s Office, the supervisory authority, about our collection and use of your personal data. They can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you would like to exercise any of these rights, please contact the Data Protection Officer. externalinformationrequests@r-r.org.uk or via post at Houses of Parliament Restoration and Renewal Programme 7 Millbank, London SW10 3JA

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time. This privacy policy was last updated on 19 July 2021.