Privacy Policy

This document outlines how the Office of Heidi Allen MP processes and manages personal data. It:

  1. identifies our data controller;
  2. provides our lawful basis for processing personal data;
  3. outlines the scope of personal data we hold and process;
  4. outlines the scope of the special category personal data we hold and process;
  5. describes and justifies our data retention policy;
  6. shows how we intend to respond to Subject Access Requests; and
  7. contains a copy of our privacy notice.

The policies outlined within this document come into full effect on Friday 25th May 2018.

1. Data Controller

The Data Controller is Heidi Allen MP.

2. Lawful basis for processing

Casework is processed primarily under the lawful basis of public task, with exceptional cases processed under the lawful basis of consent.

Personal data contained in the non-political Heidi Allen MP Mailing List is processed under the lawful basis of consent and public task. It does not fall within the definition of direct marketing.

We undertake to always act within the reasonable expectations of our constituents and any other individuals about whom we hold personal data.

3. Data we hold

As of 25th May 2018, the office holds information on all registered voters in the South Cambridgeshire Parliamentary constituency. The electoral register is passed to us by South Cambridgeshire District Council and Cambridge City Council. In addition, this office holds personal information to carry out the duties of an MP in the following categories; casework, policy casework, mailing lists, paper surveys.

We operate a paperless office. Personal data is stored electronically and securely on our computer systems. These computers are in offices which are locked when unattended.


The Office uses a CMS (Content Management System) application, Cross Reference, to help with the management of constituent casework records. This information predominantly includes but is not limited to:

  • Names, addresses and email addresses.
  • Telephone numbers.
  • National Insurance Numbers, Passport Numbers.
  • Special category data, outlined in point 4.


Policy casework is stored on Cross Reference.
This information predominantly includes but is not limited to:

  • Names, addresses and email addresses.
  • Telephone numbers.
  • Special category data

Mailing lists

The Office also maintains a mailing list of supporters. This data is held with the Mailchimp service, based in the US certified under the Privacy Shield regime. Personal data we hold in this regard includes:

  • Names, addresses and email addresses.

This information is not political in nature and therefore it is not categorised as direct marketing.

Paper surveys

The Office conducts occasional paper surveys of constituents in order to better understand their views on local issues. Personal data we hold in this regard includes:

  • Names, addresses and email addresses.
  • Telephone numbers
  • Special category data

Any survey requires explicit consent to be given for data to be retained.

4. Special category data we hold

The office may also hold special category data for a smaller number of data subjects. This data will be processed under the lawful basis indicated in point two, as is permitted in clauses 23 and 24 of schedule 1 of the Data Protection Act. The data may include:

  • Political opinions
  • Religious beliefs
  • Trade union activities
  • Sexual orientation
  • Race and ethnic origin
  • Details of criminal offences
  • Physical and mental health

5. Data retention policy

Our office will hold personal data for no longer than the duration of Heidi Allen’s time in Parliament as MP for South Cambridgeshire. From Friday 25th May 2018, we will only hold data dating from Thursday 7th May 2015. Casework and policy queries are often revisited to provide the best service and representation for constituents, from whom we may continue to receive correspondence. Therefore, it is reasonable for an elected representative to hold personal data for the duration of their time representing a constituency.

6. Subject Access Requests

We will comply with Subject Access Requests in line with the guidance given by the Information Commissioners Office (ICO)

We will respond as quickly as possible, within 30 calendar days.

We will request verification of the identity of any individual making a request, and ask for further clarification and details if needed.

Data subjects have the right to the following:

  • To be told whether any personal data is being processed.
  • To be given a description of the personal data, the reasons it is being processed and whether it will be given to another organisations or people.
  • To be given a copy of the information comprising the data, and given details of the source of the data where this is available.

7. Making people aware of the Privacy notice

Our office will undertake to ensure all constituents sharing their personal data can have the opportunity to read our privacy notice. We will:

  • Publish our privacy notice on Heidi’s website
    Add a link to our privacy notice on Heidi’s auto-response on Microsoft Outlook.
  • Direct constituents who contact us via letter and telephone to our privacy notice online, or supply them with a paper copy if needed.

Privacy Notice

I will only use the information you have given to my office for the purposes of which you have asked. Your data will be processed under the lawful basis of “public task and legitimate interest” and/or “explicit consent” according to the Data Protection Act 2018. I will not share your information other than for these purposes. It is easy to withdraw your consent at any time by contacting my office.