Before I call the shadow Foreign Secretary to put her urgent question, it may be helpful to the House if I respond to the point of order that the hon. Member for Rhondda (Chris Bryant) raised yesterday, in which he suggested that advice had been given by those offering advice on behalf of the House authorities that, in order to comply with the new data protection regime due to come into force on 25 May, personal constituency data gathered prior to the recent general election should be deleted. Despite vigorous inquiry yesterday by the House authorities and the contractor commissioned by the House authorities to support Members and their staff, no trace has been found by those responsible of such advice having been given.
It may be of help if I set out the actual situation as has been advised to me, and therefore as I understand it to be. Under the general data protection regulation and, indeed, existing legislation, there is no prescribed retention period. It is up to each Member to have a policy that either states for how long he or she will keep data, or sets out the criteria that that Member will use in making such decisions. That is clearly set out in the templates provided by the training company commissioned by the House. Members will shortly receive a letter from the Leader of the House. The Chair of the Administration Committee also wrote to Members last week with advice from the Information Commissioner’s Office addressing typical cases encountered by Members.
The Commission discussed the programme of GDPR assistance to Members at its meeting yesterday evening, and I can confirm that training and advice will continue to be provided for some time. I understand that the ICO accepts that full compliance on 25 May is unlikely to be achieved by many organisations or individuals, but it will expect the basics to be in place: a demonstrable plan of action and an evident will to implement it.
Our casework supporting constituents is invaluable, but as it involves processing often sensitive personal data, it is particularly important that we engage seriously with the GDPR regime. I am sure that we will all strive to do so.