Skip to main content
Legal
Privacy notice

Privacy notice

Contents

Introduction

The Ethics and Integrity Commission (EIC) is an Advisory Non-Departmental Public Body of the Cabinet Office. It is sponsored by the Cabinet Office through its senior sponsor, the Director of Propriety and Ethics. It is however an independent Data Controller registered with the Information Commissioner’s Office.

The purpose of the EIC is to promote the highest standards in public life. The EIC is responsible for:

  1. Promoting and safeguarding the Seven Principles of Public Life;
  2. Conducting research and thematic inquiries and making recommendations on changes to present arrangements to help ensure the highest standards in public life;
  3. Advising public authorities on the development of clear codes of conduct with effective oversight arrangements, in line with the planned forthcoming obligations of the Public Office (Accountability) Bill;
  4. Examining current concerns about standards of conduct of all public office holders, and reporting annually to the Prime Minister on the health of standards in public life;
  5. Engaging and informing the wider public on the values, rules and oversight mechanisms that govern standards in public life;
  6. Convening ethics and standards bodies in central government (and parliamentary standards bodies, with their agreement) to share best practice and identify and address areas of common concern.

This privacy notice sets out how the EIC will use your personal information, and what your rights are, as per Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

Your data

Purpose

The purposes for which we are processing your personal data are:

  • For the recruitment and management of EIC staff and members;
  • For the management and administration of members of the Network of Standards Bodies;
  • For the running of EIC reviews (including consultations) and reports, including the report to the PM and Annual Report;
  • For engaging with public bodies on codes of conduct work;
  • For managing correspondence with the public and other stakeholders (including FOI and Subject Access requests);
  • To meet EIC transparency obligations;
  • For the procurement of press officer services; and
  • For the operation of EIC website, blog and social media. 

Data

We will process the following personal data:

  • For the recruitment and management of EIC staff and members (note that EIC staff are employed by the CO and, therefore, some information will be shared between the EIC and CO):
    • Name, date of birth, NI number
    • Email address, physical address, telephone numbers (including for next of kin)
    • Employment details: start date, end date, job title, grade, salary, performance details, outcomes of vetting procedures and clearance level, security pass information, public appointment information (for EIC members), fees and expenses information
    • Health information: disability information, sick leave information, dietary requirements (where appropriate, e.g. for making reasonable adjustments)(covered by CO Occupational Health Privacy Notice)
    • Audio, video recordings and photographs of staff and EIC members (where appropriate, e.g. taken at EIC events)
    • All HR and finance personal information relating to the recruitment and management of EIC staff and Members is covered by the CO’s Privacy Notice, How the Cabinet Office handles HR and finance personal information
  • For the management and administration of members of the Network of Standards Bodies:
    • Name, email address, physical address, telephone numbers
    • Job title and organisation of members of the Network of Standards Bodies
    • Opinions of members of the Network of Standards Bodies
  • For the running of EIC reviews (including consultations) and reports, including the report to the PM and Annual Report:
    • Name, email address, physical address (where appropriate, e.g. to send a physical copy of a report) and telephone number of stakeholders and any specialist advisers employed on a short-term contract to support any EIC review
    • Job title and organisation of stakeholders
    • Biography, past work history and experience of any advisers hired to support any EIC review
    • Opinions and political opinions (including views on existing and proposed policy) captured in both written evidence submitted online to the EIC by stakeholders and (where invited) the public as part of a consultation process, and in oral evidence meetings with stakeholders, which might be reflected or quoted in EIC reports. Where appropriate separate DPIAs will be undertaken for the purposes of public consultations.
    • Subject Matter Expert Opinions (including views on existing and proposed policy) of EIC staff, EIC members, the Senior Academic Adviser to the EIC and any other hired advisers relating to EIC reviews and reports. The reports and recommendations will essentially distill the opinions of those listed above, including committee members and other advisers etc all of which will be reflected in committee papers, our reports and recommendations.
  • For engaging with public bodies on codes of conduct work:
    • Engagement with public sector bodies to assist them in the development of clear codes of conduct with effective oversight arrangements
  • For managing correspondence with the public and other stakeholders (including FOI and Subject Access requests):
    • Name, physical address (where appropriate), email address, telephone number, job title, organisation
    • Any opinions and political opinions raised in correspondence
    • Any other information volunteered to the EIC in correspondence
  • To meet EIC transparency obligations:
    • Register of Interests: information relating to paid and unpaid interests which “might influence [an EIC Member’s or member of staff’s] judgement or which could reasonably be thought by others to do so”, including:
      • personal interests and the interests of close family members (where appropriate); and
      • information about any gifts and hospitality EIC Members have received, including name and organisation of the benefactor
    • Stakeholder Meeting Register: name, job title and organisation of stakeholders EIC Members have met with
    • EIC Minutes and Agendas: names, job titles and (where appropriate) opinions and political opinions of those present
  • For the procurement of press officer services:
    • Name and date of birth
    • Email address, physical address, telephone number
    • Biography, past work history and experience (including contact information)
  • For the operation and provision of EIC website content and social media:
    • Name, job title and terms of appointment of EIC Members
    • Opinions and political opinions
    • Audio, video recordings and photographs of staff and EIC members (where appropriate)
    • Email addresses of those who subscribe to alerts and newsletters
    • Social media handles
    • Cookies.

Legal basis of processing

For the recruitment and management of EIC staff and members:

Article 6 1(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

For the following purposes of:

  • management and administration of members of the Network of Standards Bodies;
  • running of EIC reviews (including consultations) and reports, including the report to the PM and Annual Report;
  • engaging with public bodies on codes of conduct work;
  • managing correspondence with the public and other stakeholders (including FOI and Subject Access requests);
  • meeting EIC transparency obligations;
  • the procurement of press officer services; and
  • the operation and provision of EIC website content and social media

Article 6 1(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For the processing of audio, video recordings and images:

Article 6 1(a) The consent of the data subject.

For special category data:

For the recruitment and management of EIC staff and members:

Article 9 2(g) processing is necessary for reasons of substantial public interest
Schedule 1 Equality of opportunity or treatment.

For managing correspondence with the public and other stakeholders (including FOI and Subject Access requests):

Article 9 2(g) processing is necessary for reasons of substantial public interest
Statutory and government purposes.

Recipients

Your personal data will be shared by us with the Cabinet Office. This is because the Cabinet Office provides the EIC with IT services (through its IT contractors), and HR and finance services. A Memorandum of Understanding (MOU) on joint data controller responsibilities between the EIC and the CO can be found here.

A privacy notice on how the CO handles HR and finance personal information can be found here. Any occupational health information processed by the EIC in relation to the recruitment and management of EIC staff and Members is covered by the CO’s internal Occupational Health Privacy Notice, which can be found here.

Your personal data will also be shared with our website provider and host, WP Engine, and with social media platforms where you interact with us on them.

Where we seek communications advice, your data may also be shared with the EIC Press Officer.

Retention

Personal data will be kept by the EIC for the following periods:

For the recruitment and management of EIC staff and Members:

  • Identifiable information, employment details, health information (where it has been processed), HR and finance personal information of staff and EIC Members will be held for as long as they remain in post and for a minimum of 6 months after they have left the EIC.
  • For staff and employment data processed by the Cabinet Office, this will be retained in line with Cabinet Office policy as stated in CO’s Privacy Notice, How the Cabinet Office handles HR and finance personal information
  • Audio, video recordings and photographs of staff and EIC Members will be kept as long as they remain in post. We will always obtain consent before posting audio, videos and photographs on our website and social media accounts, which staff and Members have a right to withdraw at any time. Once posted, these will be kept for as long as staff and Members remain in post. However, the EIC does not have control over what others do with this information once it has been published.
  • Independent EIC Members serve a single, non-renewable 5 year term, and political EIC Members serve a renewable 3 year term.

For the management and administration of Members of the Network of Standards Bodies:

  • Identifiable information and employment details of Members of the Network of Standards Bodies will be held for as long as they remain in post and for a minimum of 6 months after they have left their organisation and are no longer a Member of the EIC’s Network of Standards Bodies.
  • Opinions of Members of the Network of Standards Bodies may be reflected in minutes of meetings, which will be agreed and published on our website to fulfil EIC transparency commitments. These documents will be retained indefinitely for historical transparency and record keeping purposes.

For the running of EIC reviews (including consultations) and reports:

  • Identifiable information and employment details of stakeholders who have contributed to EIC reviews and reports will be retained for as long as they remain in post in their organisations and for a minimum of 6 months after that.
  • Evidence (written and oral) collected during any consultation process from stakeholders and the public will be kept in the form in which the EIC received it (e.g. unredacted and including identifiable information) and in altered form (e.g. redacted) for a minimum of 5 years after the consultation process has ended. The redacted version will also be published on our website to fulfil EIC transparency commitments. This information may therefore be retained for historical public record keeping purposes.
  • Subject matter expert opinions and political opinions captured in EIC blogs and reports will be published and retained on our website indefinitely for transparency and historical public record.

For engaging with public bodies on codes of conduct work:

  • Any information collected from public sector bodies to assist them in the development of clear codes of conduct will be held for as long as necessary to fulfil the functions of this task. After which it will be retained for a period of 7 years prior to first review and information or documents retained after first review will be held for 20 years
  • This information may be subsequently retained for historical record keeping purposes.

For managing correspondence with the public and other stakeholders (including FOI and Subject Access requests):

  • Identifiable information, opinions and political opinions, and any other information raised in EIC correspondence from the public and other stakeholders will be dealt with on an individual basis depending on the nature of the correspondence. As a general rule, the EIC will not keep any personal information from correspondence longer than deemed necessary, which is normally 3 years after the correspondence has been received or the case is closed or concluded.
  • For Freedom of Information and Subject Access Requests, information will normally be retained for 3 years since last contact.
  • Public correspondence may be kept if it is sufficiently significant that it should be retained for the historical record, in accordance with the CO’s privacy notice on correspondence.

To meet EIC transparency obligations:

  • EIC Members’ paid and unpaid interests will be held and published on our website for as long as they remain in post.
  • Identifiable information (name) and employment details (job title and organisation) relating to stakeholders that EIC Members have met with will be retained on our website for the historical record.

For the procurement of press officer services:

  • Identifiable information and employment details of the EIC Press Officer will be held for the duration of the contract (2 years).

For the operation of EIC website and social media:

  • Identifiable information and employment details of EIC Members will be published on our website for as long as they remain in post.
  • Audio, video recordings and photographs of staff and EIC Members will be kept as long as they remain in post. We will always obtain consent before posting audio, videos and photographs on our website and social media accounts, which staff and Members have a right to withdraw at any time. Once posted, these will be kept for as long as staff and Members remain in post. However, the EIC does not have control over what others do with this information once it has been published.

Your rights

  • You have the right to request information about how your personal data is processed, and to request a copy of that personal data.
  • You have the right to request that any inaccuracies in your personal data are rectified without delay.
  • You have the right to request that any incomplete personal data is completed, including by means of a supplementary statement.
  • You have the right to request that your personal data is erased if there is no longer a justification for them to be processed.
  • You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
  • You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
  • You have the right to object to the processing of your personal data.

In relation to images, audio and video recordings:

  • You have the right to withdraw consent to the processing of your personal data at any time.

International Transfers

As your personal data is shared with the Cabinet Office, and their data processors who provide our IT infrastructure, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, reliance on Standard Contractual Clauses, or reliance on a UK International Data Transfer Agreement

Data shared with X may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, reliance on Standard Contractual Clauses, or reliance on a UK International Data Transfer Agreement

Data shared with Blue Sky and Linkedin is done so with the consent of the data subject. With the individual being fully aware of the risks.

Contact details

The data controller for your personal data is the Ethics and Integrity Commission. The contact details: [email protected]

The contact details for the Cabinet Office Data Protection Officer are: Stephen Jones, Data Protection Officer, Cabinet Office, 70 Whitehall, London, SW1A 2AS, or [email protected].

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. 

The Information Commissioner can be contacted at: 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or [email protected]

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Memorandum on joint data controller responsibilities between the Ethics and Integrity Commission and the Cabinet Office

The Ethics and Integrity Commission (EIC) collects, holds and uses personal data in discharging its responsibilities. This data can relate to members of the public (e.g. from the collection of evidence in support of reviews undertaken by the EIC, or from its work on codes of conduct or general correspondence), and to EIC Commission members and staff members. Because the EIC uses Cabinet Office IT systems, all of its personal data is held by the Cabinet Office, a separate data controller. The EIC also relies upon the Cabinet Office for HR, finance and other corporate services, which requires sending personal data to the Cabinet Office.

It is the view of the EIC and the Cabinet Office, therefore, that they are acting as joint data controllers in relation to the processing of personal data held by the EIC.

Both the Cabinet Office and the EIC will:

  • comply with the data protection principles, and with all relevant data protection legislation;
  • properly involve their Data Protection Officer (DPO) in a timely manner in issues that relate to data protection;
  • ensure an appropriate level of technical and organisational security for the personal data;
  • take all reasonable steps to ensure the reliability and integrity of any of their Personnel who have access to the Personal Data and ensure that such Personnel have undergone adequate training in the use, care, protection and handling of personal data;
  • ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Breach concerning the jointly controlled data; and
  • publish this memorandum.

The Cabinet Office will be the responsible lead data controller for processing of staff personal data pursuant to carrying out corporate services functions provided to the EIC  (e.g. HR, finance, accommodation, IT). These responsibilities include:

  • the provision of Privacy Notices to staff about how their personal data are being handled for the functions the Cabinet Office provides;
  • the maintenance of processing records under Article 30 of the UK GDPR;
  • reporting data breaches that relate to the processing of staff data; 
  • carrying out any Data Protection Impact Assessments (DPIAs) required by law pursuant to the processes undertaken;
  • responding to data subject requests relating to staff data; and
  • manage any contracts of data processors as part of the Cabinet Office’s provision of corporate services to the EIC.

The EIC will be the responsible lead data controller for processing of personal data pursuant to delivering its duties (including in relation to FoI requests and general correspondence).

These responsibilities include:

  • the provision of Privacy Notices to data subjects setting out how the EIC uses their personal data;
  • the maintenance of processing records under Article 30 of the UK GDPR relating to how the EIC uses personal data to carry out its duties;
  • reporting data breaches which occur as a result of the actions of the EIC, including usage of the IT systems provided to it;
  • carrying out any Data Protection Impact Assessments (DPIAs) required by law for activities of the EIC;
  • responding to data subject requests that relate to the carrying out of the duties of the EIC. The Cabinet Office will provide reasonable required assistance to the EIC  in responding the data subject requests; and
  • managing any data processor contracts in relation to additional IT services procured by the EIC.