Privacy Policy

Introduction

The Restoration and Renewal Delivery Authority Ltd Privacy Notice

The Restoration and Renewal Delivery Authority Ltd (the Delivery Authority) is committed to being transparent about how it collects and uses the personal data of its staff, contractors, stakeholders, and the public. This privacy notice serves to promote awareness and demonstrate compliance with the requirements of the UK GDPR.

The Delivery Authority is the controller for the personal information it processes, unless otherwise stated.

Contact Details

The Delivery Authority’s Data Protection Officer is Joshua Perry. If you wish to contact him you can do so via the postal address below, or by sending an email to the email address provided below.

Post: Restoration And Renewal Delivery Authority Ltd, Elm House, 10-16 Elm Street, LONDON, WC1X 0BJ, GB
Email: externalinformationrequests@r-r.org.uk

What information The Delivery Authority collects, uses and why

The Delivery Authority collects or uses personal data to meet its responsibilities under the Parliamentary Buildings (Restoration and Renewal) Act 2019 and the Restoration and Renewal Programme Delivery Agreement between the Delivery Authority and the Corporate Officers of the Houses of Parliament.

This can include information relating to staff and contractors as well as members of the public, to facilitate the management and delivery of the R&R programme and the execution and completion of the works, and to undertake processes relating to staff employment.

Where you provide personal information via the Delivery Authority website, by contacting the Delivery Authority directly, applying for a job or working with The Delivery Authority, it may collect or use the following information:

Names and contact details, including contact details for business continuity (eg name, address, telephone number or personal email address)
Information about your marital status, next-of-kin, dependants and emergency contacts;
Date of birth
Payment details (including card or bank information for transfers and direct debits)
Information required for participation in the National Fraud Initiative (prevention and detection of fraud), this includes Accounts Payable, payroll and pensions data such as name, address, date of birth, national insurance number and bank account/sort code;
The terms and conditions of your employment, details of your qualifications, skills, experience, references and employment history, including start and end dates, with previous employers and within your current role;
Information about your pay, including entitlement to benefits such as pensions, details of your bank account and national insurance number, subscription to trade union;
Information about your nationality and entitlement to work in the UK;
Information about any criminal convictions you may have, and information needed in relation to security clearance or criminal records checks permitted by law;
Details of your days of work, working hours, rostering and attendance at work;
Details of periods of leave taken by you, including holiday, sickness absence, special leave, career breaks, sabbaticals and the reasons for the leave;
Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
Assessments and evidence of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
Training, talent management and coaching records;
Health and safety information, including relating to any Health and Safety incidents
Website user information (including user journeys and cookie tracking)
Photographs or video recordings of you in connection with your work
Images captured by the security cameras operating on the Parliamentary Estate and data capturing your movements around the estate; and
Information about your IT account usage, including location data.
Records of meetings and decisions
Identification documents
Information relating to the Register of Staff Interests
Diversity data (if you choose to supply it)

As part of the Delivery Authority’s statutory and corporate functions, it may process special category data. Special category data is defined at Article 9 of the UK GDPR as personal data revealing:

Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade union membership;
Genetic data;
Biometric data for the purpose of uniquely identifying a natural person;
Data concerning health; or
Data concerning a person’s sex life or sexual orientation.

CCTV

As part of the parliamentary estate, CCTV in the Programme’s office space is operated and managed by the Parliamentary Security Department (the data controller) in line with their CCTV policy and privacy notice. Cameras are focused on the entrance and exits only. The Parliamentary Security Department retains images for 30 days except in limited circumstances and information they hold is not routinely shared with third parties.

Lawful bases

Under UK data protection law, the Delivery Authority must have a “lawful basis” for collecting and using your personal information. You can find out more about lawful bases on the ICO’s website.

The Delivery Authority’s lawful basis for collecting and processing personal data, and where applicable, special category data, as part of its activities will usually be one of the following:

Consent – The Delivery Authority has permission from you after giving you all the relevant information. All your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – the Delivery Authority has to collect or use the information so it can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legal obligation – the Delivery Authority must collect or use your information so it can comply with the law. All of your data protection rights
Legitimate interests – the Delivery Authority is collecting or using your information because it benefits you, the organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Public task – the Delivery Authority has to collect or use your information to carry out a task which it is required by law to undertake. All of your data protection rights may apply, except the right to erasure and the right to portability.

A further condition for processing is required when processing special categories of personal data. The conditions for processing are set out in the UK GDPR and the DPA 2018.

The conditions for processing your special category personal data are:

you have provided your explicit consent
the processing is necessary for the Delivery Authority to meet its obligations and exercising its rights in employment and the safeguarding of your fundamental rights
processing relates to personal data which you have manifestly made public
processing is necessary for the establishment, exercise or defence of legal claims
processing is necessary for reasons of substantial public interest including the conditions set out in Schedule 1, Part 2 of the DPA 2018)
the processing is necessary for archiving purposes in the public interest

Other lawful bases and conditions for processing may apply if the processing of personal data is necessary in emergency circumstances, for example, to protect an individual’s vital interests or for the provision of health or medical services.

Your Rights

Which lawful basis The Delivery Authority relies on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

Your right of access - You have the right to ask for copies of your personal information. You can request other information such as details about where the Delivery Authority gets personal information from and who it shares personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
Your right to rectification - You have the right to ask to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
Your right to erasure - You have the right to ask to delete your personal information. You can read more about this right here.
Your right to restriction of processing - You have the right to ask to limit how we can use your personal information. You can read more about this right here.
Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
Your right to data portability - You have the right to ask that the Delivery Authority transfers the personal information you provided to another organisation, or to you. You can read more about this right here.
Your right to withdraw consent – When the Delivery Authority uses consent as its lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.

If you make a request, the Delivery Authority must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact the Delivery Authority using the contact details at the top of this privacy notice.

Where The Delivery Authority gets personal information from

The Delivery Authority may collect personal information from a variety of courses including:

Directly from you
Publicly available sources
Previous employers
Suppliers and service providers, such as your pension provider or employment background check providers
The Corporate Officers

How long The Delivery Authority keeps information

The Delivery Authority will retain your personal data for as long as is necessary for the purpose it was collected. The length of time personal data is retained for differs depending on the purpose of their collection as well as any relevant legal requirements. The Delivery Authority may retain your personal data for a longer period in the event of a complaint or if or where it is reasonably believed there is a prospect of litigation in respect of our relationship with you. The applicable retention periods can be found in the Delivery Authority’s Retention Guidance Document.

Who The Delivery Authority shares information with

The Delivery Authority may share personal information with others, including:

Its Data Processors
Professional or legal advisors
Relevant regulatory authorities
External auditors or inspectors
Professional consultants
Organisations the Delivery Authority is legally obliged to share personal information with
Publicly on the Delivery Authority’s website, social media or other marketing and information media
Previous employers
Suppliers and service providers
The Corporate Officers

The Delivery Authority will never share or sell your personal data to other organisations for direct marketing purposes.

Personal data is held by the Delivery Authority in data centres within the UK or European Union (EU) for the purposes of hosting, maintenance and back up. The Delivery Authority (or processors acting on its behalf) may also store or process your personal data in countries outside the UK but only where it is assured of the security of the data and the adequacy of the data protection regimes of those countries and organisations holding the data.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint using the contact details at the top of this privacy notice.

If you remain unhappy with how the Delivery Authority has used your data after raising a complaint, you can also complain to the ICO.
The ICO’s address:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint

Changes to this Privacy Notice

The Delivery Authority will keep this privacy notice under regular review. It was last updated May 2025.