The House of Commons has been accused of wasting nearly £100,000 of taxpayers’ money on GDPR training for MPs and staff amid claims that the courses were “inaccurate” and “ludicrous” and did not provide the level of expertise needed for attendees to achieve compliance.
According to a Freedom of Information request by independent data protection consultant Tim Turner, Ely-based IT compliance and risk management firm IT Governance secured the £97,500 contract without a public tender.
But in the weeks before GDPR D-Day May 25, a number of MPs had raised serious concerns about the quality of the training.
Labour MP Chris Bryant told Parliament that “some of the training that was provided on behalf of the House authorities gave MPs’ staff the impression that they should be deleting all electronic information relating to their constituency casework from before the 2017 general election”.
Labour shadow minister for industrial strategy, science and innovation Chi Onwurah was also critical. She told Parliament: “In my view the training was inaccurate. It took a very low-risk approach to GDPR.
“To be told – as my staff were – that we shouldn’t keep data on constituents more than two years unless you could prove it was necessary, and certainly not more than an election, didn’t seem to show any understanding of either how MPs work or GDPR. I was concerned about it. I think many MPs were concerned by it.”
In response, IT Governance chief executive Alan Calder insists the company completed the work correctly. “We think we did a good, value-for-money job for the British taxpayer, all our MPs and their constituency offices.”
However, Turner commented: “The problem is the lack of transparency. The House of Commons paid out just under £100,000 for work that resulted in complaints from MPs and possibly the unnecessary deletion of constituents’ data. Any such deletion could itself be a breach of data protection if retention was necessary for ongoing casework.
“There are legitimate concerns about the quality of this training given the fallout and the huge amount IT Governance were paid to deliver it. I think the public interest favours openness about how wisely that money was spent and why IT Governance, who are relative newcomers to data protection training, were chosen.”
A House of Commons spokesperson said that, as the contract was worth less than £615,278, it could be awarded without a public tender.