Privacy Policy

Privacy Policy


The Restoration and Renewal Delivery Authority Ltd (the Delivery Authority) is committed to being transparent about how it collects and uses the personal data of its staff, contractors, stakeholders, and the public. This privacy notice serves to promote awareness and demonstrate compliance with the requirements of the UK GDPR.

Explanation of terms used in this notice

The following terms are defined by the UK GDPR and DPA 2018. A short explanation is given below (though it is not intended to substitute for the legal definitions). By personal data, we mean information relating to a living identified or identifiable person. By special category personal data we mean:

  • Personal data that reveals any of the following about an individual: racial or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership.

  • Personal data that consists of: genetic data; biometric data used for the purpose of identifying an individual; data concerning health; or data concerning an individual’s sex life or sexual orientation.

By criminal offence data we mean data about whether an individual has committed or has been convicted of a criminal offence.

Controller and Data Protection Officer

The Delivery Authority as a legal entity is the ‘Controller’ of the personal data and special category data it collects and uses in order to meet its responsibilities under the Parliamentary Buildings (Restoration and Renewal) Act 2019 and the Restoration and Renewal Programme Delivery Agreement between the Restoration and the Parliamentary Works Sponsor Body (the Sponsor Body) and the Delivery Authority.

This includes information relating to:

  • The Delivery Authority staff and contractors

  • The formulation of proposals relating to Palace restoration works

  • The management and delivery of the programme and the execution and completion of the works;

The Delivery Authority’s ‘Data Protection Officer’ is Luke Whiting who is the Head of Information Assurance at the Sponsor Body. You can contact our Data Protection Officer through email at or via post at Houses of Parliament Restoration and Renewal Programme 8/64vs, House of Commons, London, SW1A 0AA

Use of personal data - Employees and contractors

The Delivery Authority will process personal data only by lawful and fair means so that we can manage the relationship or contract between us. Where appropriate, we will collect data with the knowledge and consent of the individual concerned. We will adopt all necessary measures to ensure that the personal data collected and processed is secure and kept up to date.

You have some obligations under your employment contract to provide us with data. You are required to report absences from work and may be required to provide information about disciplinary or other matters under your duty of good faith to your employer. You may also have to provide data to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable us to enter lawfully into a contract of employment with you. If you do not provide other information, this will hinder or even frustrate our ability to administer the rights and obligations arising because of the employment relationship.

We will also process personal data for the purposes of managing our IT infrastructure. We monitor systems to maintain their security, to ensure compliance with our policies, and in order to protect our staff, contractors, and programme data.

There may be other occasions where it is necessary to process your personal data that are not detailed in this privacy notice; please do contact your manager or the Data Protection Officer if you would like these explained.

Types of personal data we collect and process may include (but not limited to):

  • Your name and contact details, including email address and telephone number, date of birth and gender;

  • Information about your marital status, next-of-kin, dependants and emergency contacts;

  • The terms and conditions of your employment, details of your qualifications, skills, experience, references and employment history, including start and end dates, with previous employers and within current role;

  • Information about your pay, including entitlement to benefits such as pensions, details of your bank account and national insurance number, subscription to trade union;

  • Information about your nationality and entitlement to work in the UK;

  • Information about any criminal convictions you may have, and information needed in relation to security clearance or criminal records checks permitted by law;

  • Details of your days of work, working hours, rostering and attendance at work;

  • Details of periods of leave taken by you, including holiday, sickness absence, special leave, career breaks, sabbaticals and the reasons for the leave;

  • Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;

  • Assessments and evidence of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;

  • Training, talent management and coaching records;

  • Photographs of you in connection with your work;

  • Diversity data (if you choose to supply it);

  • Information relating to Register of Staff Interests;

  • Information required for participation in the National Fraud Initiative (prevention and detection of fraud), this includes Accounts Payable, payroll and pensions data such as name, address, date of birth, national insurance number and bank account/sort code;

  • Information about medical or health conditions, including whether you have a disability or need for which we may be required to make reasonable adjustments;

  • Contact details for business continuity;

  • Images captured by the security cameras operating on the Parliamentary Estate and data capturing your movements around the estate; and

  • Information about your IT account usage, including location data.

We may collect this information in a variety of ways through application forms or other documents you complete or provide, from correspondence with you or through interviews, meetings, or other assessments. In some cases, we may collect personal data about you from third parties, such as references supplied by former employers or information from employment background check providers.

Lawful Basis

The lawful basis for collecting and processing your personal data as part of your employment or contract will depend on the specific reason we have collected it. We will act in accordance with all applicable laws and contractual obligations and not process data unless one of the following requirements are met:

  • Where the data subject has given their consent to do so;

  • Where processing is necessary for the performance of a contract (employment or other) that data subject is party to or intended to enter;

  • Where necessary to comply with a legal obligation to which the Controller is subject to;

  • Where processing is necessary in order to protect the vital interests of the data subject(s);

  • Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

  • Where processing is necessary for our legitimate interests and is fair when balanced against your interests and rights.

A further lawful basis is required when processing ‘Special Categories’ of data; these include racial or ethnic origin; religious or philosophical beliefs; trade or professional memberships, genetic and biometric data; health data; sex life or sexual orientation. We will only process this data where one of the following conditions apply:

  • Where the Data Subject expressly consents to;

  • Where the processing relates to data which has already been made public by the data subject;

  • Where the processing is necessary for carrying out obligations and exercising rights under employment, social security or social protection law;

  • Where the processing is necessary to protect the vital interests of the data subject(s) should they be physically or legally incapable of giving consent.

Special Category data will only be processed following discussion with the Delivery Authority’s Data Protection Officer to ensure that the basis for processing is understood and clearly recorded.

Sharing employee or contractor data

Personal data may be shared internally if access is necessary for services to perform their role. This may include (but not limited to) your Line Manager disclosing information to HR Office, Payroll, Information Management and Digital Services.

We may also disclose your personal data to third parties, including the Sponsor Body, where we have a lawful basis for doing so, such as:

  • Pre-employment references/checks from other employers

  • Criminal records checks from the Disclosure Barring Service

  • Provision of shared services (for example pension provider)

  • Security bodies and Police for their enquiries (for example audit, fraud, crime prevention/detection)

  • HIVE, a third-party employee feedback service.

We will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. It should be noted that third parties are separate data Controllers and should be contacted directly if you wish to exercise any of your rights relating to the personal data they hold about you.

How long do we keep employee and contractor information?

In general, we will hold personal data about staff and contractors for the duration of their employment unless required to retain it longer by law.

Use of personal data- room booking and management

The Programme (including Sponsor Body and Delivery Authority) processes personal data to manage office meeting room space. Personal data processed for this purpose is limited to the names and email addresses of meeting organisers and the attendees if their email address is included within the room booking invitation.

The Programme shares some meeting room space with Parliament. For the Programme and Parliament Staff to book meetings in this shared space, the Programme and Parliament share information with each other about room availability. This includes high level information about meetings that have been booked. Personal data processed for this purpose is limited to the names and email addresses of meeting organisers and the attendees if their email address is included within the room booking invitation.

Processing personal data for the purpose of room booking and management is necessary for our legitimate interests to ensure the efficient management and security of the shared meeting space.

Personal data is held and stored by the Programme and Parliament within their respective Microsoft Exchanges for a period of one year before it is automatically deleted.

Use of personal data - CCTV

As part of the parliamentary estate, CCTV in the Programme’s office space is operated and managed by the Parliamentary Security Department (the data controller) in line with their CCTV policy and privacy notice. Cameras are focused on the entrance and exits only. The Parliamentary Security Department retains images for 30 days except in limited circumstances and information they hold is not routinely shared with third parties.

Use of personal data- Public and stakeholder engagement

Public and stakeholder engagement is central to how the Delivery Authority will identify and refine options and plans for the restoration and renewal of the Houses of Parliament.

The public engagement work of the Delivery Authority will include consultation with the people and businesses around Parliament as well as online consultations and debates, workshops and conversations. These will all either be facilitated directly by the Delivery Authority, by third parties on our behalf, or by stakeholder partners.

The Delivery Authority will only obtain personal data as part of its public engagement activities on the restoration and renewal of the Houses of Parliament with your agreement where it is necessary to do so for that purpose.

Types of personal data we may need to collect as part of our public engagement work may include:

  • First and last name

  • Contact and address information

  • Reasonable adjustments you may need to attend an event

  • Confirmation you are a British citizen or resident

  • Opinions you share with us as part of the engagement

  • Images, videos, or recordings taken at the events with your permission

  • An image of you if you choose to upload a profile photo online

  • Any information you share about yourself in your bio online

More information about our public engagement event can be found online here: 

CitizenLab are a third-party processor who provide us with services to run the public engagement online platform. We also use third party processors such as Eventbrite to promote and manage ticketed events, and STEM Learning, a provider of education and careers support in science, technology, engineering and mathematics (STEM), to facilitate competitions with schools.

Third party processors such as CitizenLab, Eventbrite, and STEM Learning only process personal data on our behalf based on written instructions. They are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. CitizenLab, Eventbrite, and STEM Learning processes personal data in the EU. They have sub-processors who process personal data in the EU and USA.

Lawful Basis

Our lawful basis for collecting and processing your personal data, and where applicable, special category data, as part of these public engagement activities will usually be one of the following:

  • Where the data subject has given their consent and/or their explicit consent to do so;

  • Where processing is necessary for our legitimate interests and is fair when balanced against your interests and rights;

  • Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

However, where we need to collect information for a unique purpose or wish to reuse information you have given us for another purpose, we will seek your consent to do so.

Sharing engagement data

Responses and data collected as part of our public engagement activities will, wherever possible, be anonymised before they are shared with third parties. Once anonymised, the information may be shared with others, including in public documents, without further notice to you.

Personal data collected as part of the public engagement activities may though, where necessary, be shared with:

  • the Sponsor Body

  • the House of Commons

  • the House of Lords

We will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient.

How long do we keep engagement information?

The Delivery Authority will hold personal data obtained through our public engagement online platform for 2 years from the last time you log onto the public engagement platform; or for up to 2 years after the public engagement ends, whichever is later.

In general, we will hold personal data and/or special category data collected as part of running an engagement activity for 6 months or as long as it is needed for that purpose.

We may hold consultation data for longer in an anonymised format, in which case we may use this information indefinitely without further notice to you.

Use of personal data-procurement & supplier & contract management

The Delivery Authority processes personal data in order to procure and manage the services and suppliers needed to support it in its work.

This may include Supplier personal data e.g. name, system user ID, email, phone numbers, address, VAT number, supplier identifiers and, in the case of some specialist services, sanitised business CVs.

The Delivery Authority’s commercial processes include:

  • Tendering

  • Supplier management

  • Contract management

  • Purchasing

  • Spend management

  • Anti-fraud processes

  • Analytical processes

The Delivery Authority, as controller, uses eProcurement solutions to process personal data on its behalf. This means that the Delivery Authority will store data in the procurement platform and AWARD systems respectively and process your data using system functions in support of the Delivery Authority’s commercial operations. All information is stored within data centres based in the UK.

Sharing procurement & supplier & contract management data

We may share personal data with our advisors and consultants that support the Delivery Authority’s commercial functions where necessary. We may also share personal data with the Sponsor where necessary.

Lawful Basis

The Delivery Authority’s lawful bases for processing personal data for the purposes of this commercial activity is that it is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) of the UK GDPR).

How long will we keep procurement & supplier & contract management information?


The Delivery Authority may retain personal data processed as part of our commercial activity in line with the prescribed by legal requirements for commercial information handling and our data retention policy. This could be up to seven years.

Storage and security of personal and special category data

We take the security of data provided to us by our staff, stakeholders, and the public seriously. All personal data provided will be stored securely, both physically and electronically. We have in place internal policies and controls to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by those authorised to do so by us.

Personal data is held by the Delivery Authority in data centres within the UK or European Union (EU) for the purposes of hosting, maintenance and back up. We (or processors acting on our behalf) may also store or process your personal data in countries outside the UK but only where we are assured of the security of the data and the adequacy of the data protection regimes of those countries and organisations holding the data.

Your rights under the UK GDPR

As a data subject, you can exercise the following rights in relation to the personal data we hold:

  • access and obtain a copy of your data on request;

  • request us to change incorrect or incomplete data;

  • request us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;

  • object to the processing of your data where we are relying on our legitimate interests as the legal basis for processing: and

  • withdraw your consent to us processing your data where we are relying on consent.

  • You also have the right to complain to the Information Commissioner’s Office, the supervisory authority, about our collection and use of your personal data. They can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you would like to exercise any of these rights, please contact the Data Protection Officer: or via post at Houses of Parliament Restoration and Renewal Programme 7 Millbank, London SW10 3JA.

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time. This privacy policy was last updated on 5 April 2022.