
The House of Commons spent £100,000 of taxpayers' money on training for the General Data Protection Regulation (GDPR), which was criticised by MPs as being “inaccurate,” “ludicrous” and “exaggerated,” documents have revealed.

Ely-based IT compliance and risk management firm IT Governance completed GDPR training for the House of Commons, but was found to be wanting. A Freedom of Information request by independent data protection consultant Tim Turner revealed that the £97,500 contract was awarded without being publicly tendered — as the decision to organise the training was taken too close to GDPR’s entry into force.


“The problem is the lack of transparency,” says Turner. “The House of Commons paid out just under £100,000 for work that resulted in complaints from MPs and possibly the unnecessary deletion of constituents' data. Any such deletion could itself be a breach of data protection if retention was necessary for ongoing casework.”

“There are legitimate concerns about the quality of this training given the fallout and the huge amount IT Governance were paid to deliver it,” Turner says. “I think the public interest favours openness about how wisely that money was spent and why IT Governance, who are relative newcomers to data protection training, were chosen.”


IT Governance chief executive Alan Calder says the company completed the work correctly. “We think we did a good, value-for-money job for the British taxpayer, all our MPs and their constituency offices.”

Yet, in mid-May, Labour MP Chris Bryant raised concerns about training provided by the firm, in advance of GDPR’s introduction on May 25. Bryant told parliament that “some of the training that was provided [by IT Governance] on behalf of the House authorities gave MPs’ staff the impression that they should be deleting all electronic information relating to their constituency casework from before the 2017 general election”. In fact, such information can be kept under GDPR.


Chi Onwurah, Labour’s shadow minister for industrial strategy, science and innovation, also raised concerns in parliament. “In my view the training was inaccurate,” she says. “It took a very low-risk approach to GDPR.”

“To be told – as my staff were – that we shouldn’t keep data on constituents more than two years unless you could prove it was necessary, and certainly not more than an election, didn’t seem to show any understanding of either how MPs work or GDPR. I was concerned about it,” Onwurah adds. “I think many MPs were concerned by it.”


So many concerns were raised by parliamentary staff about the standard of the training that MPs were sent an open letter reported on by The Spectator, co-authored by Britain’s Information Commissioner, Elizabeth Denham, and the government’s digital minister, Margot James, to allay their concerns.


The letter said: “Following your staff’s feedback, House Authorities have undertaken to update the training, ensuring it is tailored to your needs. We would advise your staff to attend training once it has been updated.”

DCMS refused to comment on why the letter had been sent out by the digital minister, while the Information Commissioner’s Office re-released generic comments it previously provided to WIRED as GDPR came into force in May. The ICO said organisations should "do their homework" before taking advice on GDPR and data protection issues.

When asked, a House of Commons spokesperson defended the training: “The training provided raised awareness about the principles and requirements of GDPR. Sessions were followed up with a toolkit and an advice line.” The spokesperson added that the cost of the contract works out at less than £115 per attendee, and that the House of Commons did not pay additional costs for the training to be reworked following complaints. “We are satisfied with the delivery of the training and the quality of the work,” they said.

According to the House of Commons, which commissioned the training from IT Governance, it was only in December 2017 that it decided to provide GDPR training to MPs and staff members. This is despite GDPR being adopted by the European Parliament and European Union – of which the UK is still a member – in January 2016, and then-digital minister Matt Hancock announcing in August 2017 the government’s intent to create a new data protection act to help implement GDPR.


According to the response to the FOI request: “the tender was not advertised, due to time pressures”. The House of Commons contacted nine firms which had previously provided training to public service organisations to invite them to bid for the work, rather than putting the contract out to open tender.

“MPs and their staff routinely process huge amounts of the most sensitive data and GDPR had a two year implementation period – this shouldn’t have come as a surprise, and if they needed longer to put this out to tender properly, they shouldn’t have started when they did,” says Turner.

The House of Commons’ spokesperson said that the contract was worth less than £615,278 (or €750,000), and could therefore be awarded without a public tender. The House of Commons did not answer the question of why, when it was clear from late 2016 that GDPR would be implemented in the UK, the contract was only put out to tender in December 2017.