Personal information charter

This charter sets out what customers, contractors and employees can expect from APHA when we ask for or hold their personal information.


Data controller

The Department for Environment, Food and Rural Affairs (Defra) is the data controller for the personal data you give the Animal and Plant Health Agency (APHA).

APHA also works with the Scottish Government and the Welsh Government, and we are joint controllers for any relevant personal data.

For Scotland: visit the Scottish Government website privacy policy.

For Wales: visit the Welsh Government website and search for privacy.

Introduction

The Defra group is committed to the responsible handling and security of personal data.

Your privacy is important to us and protected in law by the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 (DPA 2018).

We must provide you with information setting out how we process your personal data. This is set out on this page.

This is intended to apply to any Defra group organisation website, application, product, software, or service that links to it (collectively, our ‘services’). A service will link directly to a specific privacy notice that outlines the particular privacy practices of that service.

When we make changes, we will update the relevant privacy notice and do our best to let you know. We can only do this, if you let us have your contact details, your preferred forms of communication and you inform us of any changes to these.

Privacy notices

This personal information charter outlines individuals’ rights when we process your data. It focuses on the high-level requirements and who to contact to exercise your rights.

More detailed information on how we manage personal data for each of our functions is included within our privacy notices.

Transparency

Transparency is an obligation under the UK GDPR, which applies in 3 key areas:

  1. Providing ‘fair processing’ to people whose personal data is being processed.
  2. How data controllers communicate with data subjects in relation to their rights under the UK GDPR and DPA 2018.
  3. How data controllers enable data subjects to exercise their rights under the UK GDPR and DPA 2018.

Transparency is a long-established feature of UK law. It is about engendering trust in the processes which affect citizens by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data.

Under the UK GDPR, in addition to the requirements that personal data must be processed lawfully and fairly, transparency is included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the UK GDPR. The controller must also be able to demonstrate that personal data are processed in a transparent manner.

Personal data

What is personal data?

Personal data is information relating to an identifiable, living person.

Some personal data is more sensitive in nature and requires more careful handling. The UK GDPR defines ‘special categories of personal data’ as data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.

Who the UK GDPR applies to

The UK GDPR applies to UK ‘controllers’ and ‘processors’ and puts legal obligations upon them in respect of their handling of personal data.

A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.

The UK GDPR places specific legal obligations on processors; for example, they are required to maintain records of personal data and processing activities. They will have legal liability if they are responsible for a breach.

Controllers are not relieved of their obligations where they use a processor – the UK GDPR places further obligations on controllers, who must ensure that their contracts with processors comply with the UK GDPR.

The UK GDPR applies to processing carried out by organisations operating in the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK. These organisations must have a representative in the UK.

The UK GDPR does not apply to certain activities, including processing of personal data for law enforcement or national security purposes. The DPA 2018 applies to processing of personal data for these purposes.

Processing of personal data carried out by individuals purely for personal or household activities is exempt from the UK GDPR and DPA 2018.

Defra group

The Defra group is a number of separate legal entities and organisations, which are grouped into separate data controllers.

The Department for Environment, Food and Rural Affairs (Defra) and its executive agencies:

  • Animal and Plant Health Agency (APHA)
  • Centre for Environment, Fisheries and Aquaculture Science (CEFAS)
  • Rural Payments Agency (RPA)
  • Veterinary Medicines Directorate (VMD)

Non-departmental public bodies:

  • Board of Trustees of the Royal Botanic Gardens Kew
  • Environment Agency (EA)
  • Joint Nature Conservation Committee (JNCC)
  • Marine Management Organisation (MMO)
  • Natural England (NE)

Non-ministerial department:

  • Forestry Commission (FC)

Your rights

You have rights under the UK GDPR and the DPA 2018 and they are listed out in full on the Information Commissioner’s website.

Using your personal data

We process your personal data in a number of ways to deliver public services. We will look to inform you at the point of collection via a privacy notice, the reason we need your information, how your information is being collected, what we will do with it and who we will share it with.

In some cases, we may pass it on to our agents or representatives to do these things on our behalf.

How we use personal data for law enforcement purposes

We are the law enforcement authority and have prosecuting powers for certain offences relating to plants, animals and animal products under legislation and international agreements, for example, the Convention on Internal Trade in Endangered Species (CITES).

As part of our role as a government agency and law enforcement authority, we process personal data under Part 3 of the Data Protection Act 2018 to:

  • detect and prevent crime
  • take enforcement action
  • prosecute and apprehend offenders

We may collect and process personal data when investigating alleged or actual offences as a data controller and taking prosecuting action in respect of offences that are within our law enforcement authority role.

This may include special category personal data, such as health or ethnic origin, where it is necessary for our law enforcement purposes.

If we process personal data for law enforcement purposes, we:

  • may publish details about prosecutions, including names of people who are being or have been prosecuted and other personal data as appropriate, on our website and include them in press releases
  • will not disclose it to any other party without your explicit consent unless it is lawful to do so
  • retain it in line with our retention schedule - this takes into account the type, content and sensitivity of your personal data

Legislation governs our activities as the government agency responsible for plant health and animal health and welfare. This gives us authority to investigate alleged or actual offences.

Our lawful basis for processing personal data under the data protection legislation is that it is necessary for performing tasks carried out for law enforcement purposes as a ‘competent authority’.

Sharing your personal data

We share or disclose personal data where we are required to so by law or to provide services to fulfil our public task. Where we know there is a requirement to share your personal data, we will tell you why and who we will share your personal data with. We will ensure that the data processor agrees to handle your personal data in conformity with your rights.

Publishing your personal data

Public bodies are required to be transparent about the use of money, for example, and in some cases, this may require the publication of personal information. Data published in these cases will balance the needs for transparency compared to your privacy rights. Examples where we publish personal data are:

  • senior executive salaries
  • public registers
  • publication of beneficiary information

We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000. However, we will not permit any unwarranted breach of confidentiality, nor will we act in contravention of our obligations under data protection laws.

Anonymised or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.

Keeping your personal data

As a public body we retain personal data for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Retention periods are set by considering statutory, regulatory, legal, and security reasons, alongside historic value.

All information in APHA is held in accordance with our retention policy. If you would like more information please contact enquiries@apha.gov.uk.

Updating your personal data

If you discover that the personal data we hold about you is inaccurate, or incomplete, please contact us (see the ‘How to contact us’ section), so we can update your records. When doing so, please explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period to 2 months if the request is complicated.

Where we maintain that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the Information Commissioner’s Office, as detailed in this personal information charter.

Requesting your personal data

You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to APHA (see the ‘how to contact us’ section).

On receipt of your request, we will acknowledge it and may ask for proof of your identity.

We will respond within one month, and exceptionally extend this by up to 2 months in complex cases. If we determine that the costs or resources to provide you with all of the data requested would be excessive due to the volume, we may have to refuse your request or ask you to provide a contribution to meet these costs.

When you ask to see information we hold it is helpful to include as much information as possible to help us find the data you want, for example, tell us the functions, schemes, or transactions and dates that you want to know about.

Transfer of personal data outside of the European Economic Area

There are instances where personal data is stored outside the UK and European Economic Area. However, in most cases personal data is not transferred or stored outside of the UK or European Economic Area.

If your personal data is processed outside the UK or European Economic Area, you will be informed of this and the safeguards that are in place to protect your personal data.

You have the right to request that:

  • we no longer process your personal data
  • we delete your personal data at any time

However, these rights applies where we are processing your personal data on the basis of your consent only or if it is no longer necessary for us to keep your personal data.

These rights do not apply when we are required to keep and use the data to comply with a legal obligation, performance of a contract or public interest task or in the exercise of our official authority.

We may also refuse such requests for the purposes of public health exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research, or statistical purposes. Where this is the case, we will advise you of this.

Before deleting personal data, we may anonymise it so that people are not identifiable and use the anonymised data for analysis and statistical purposes.

Authorise a third party to access your data or act as your representative

To nominate a third party to access your personal data held by APHA or act as your representative or agent on your behalf, please complete the APHA third party access authorisation form and send it to APHA.

Consequences if you do not supply the requested personal data

If you do not supply the requested personal data, it is more than likely that the service you are applying for or wish to use will not be available to you.

This may have consequences in terms of non-compliance, for example not complying with specific legislation. We collect only the minimum personal data that is necessary for us to offer the services to you.

Use of personal data for automated decision-making

Your personal data may be subject to automated decision-making. You will be informed where automated decision making applies including profiling, and the envisaged consequences of such processing.

Use of artificial intelligence

Your personal data may be processed using artificial intelligence (AI).

If AI processing is being considered, you will be asked to answer some (compulsory) data protection impact assessments screening questions. A privacy notice will be published or amended to ensure transparency.

The processing of personal data by AI will only be permitted where alignment with the data protection legislation can be evidenced and appropriate safeguards are in place to protect your rights and freedoms.

Make a complaint about how your personal data has been handled

If you think your data has been misused or that the organisation holding it has not kept it secure, you should contact them and tell them. For APHA contacts, see the table in the ‘ How to contact us’ section.

How to contact us

For day to day use, please contact the team you are already communicating with. They are best placed to manage general enquiries or to update the accuracy of your data or provide you with information.

However, if they cannot help you, or you have a complaint about how your data is being handled, please use the following contact, making it clear which right you wish to exercise:

Request Contact
Make a complaint Follow APHA’s complaints procedure.
Report a data breach Email Security.Team@defra.gov.uk include ‘data breach’ in the subject.
Update your details Email enquiries@apha.gov.uk or write to Data Protection Manager, c/o the Knowledge and Information Management Team, Weybourne Building, APHA Weybridge, Woodham Lane, New Haw, Addlestone, Surrey, KT15 3NB.
Ask for a copy of your personal data Email enquiries@apha.gov.uk or write to the Knowledge and Information Management Team, Weybourne Building, APHA Weybridge, Woodham Lane, New Haw, Addlestone, Surrey, KT15 3NB.
Withdraw consent or request your data is deleted Email enquiries@apha.gov.uk or write to Data Protection Manager, c/o the Knowledge and Information Management Team, Weybourne Building, APHA Weybridge, Woodham Lane, New Haw, Addlestone, Surrey, KT15 3NB.
Authorise a third party to access your data or act as your representative Fill in the authorisation form.

The Defra Data Protection Officer is responsible for monitoring that APHA is meeting the requirements of data protection legislation and they can be contacted at:

Defra Group Data Protection Officer
Department for Environment, Food and Rural Affairs
SW Quarter, 2nd floor
Seacole Block
2 Marsham Street
London
SW1P 4DF

Email: DefraGroupDataProtectionOfficer@defra.gov.uk

If you’re unhappy with the response or if you need any advice, you should contact the Information Commissioner’s Office (ICO) who are the regulatory and supervisory authority for data protection.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. Should you wish to exercise that right full details are available on the Information Commissioner’s website.

Changes to our personal information charter

We keep our personal information charter under regular review. It was last updated on 19 April 2024.