Personal information charter

Our standards for requesting or storing personal information.


This charter sets out what customers, contractors and employees can expect from Defra when we ask for, or hold, your personal information. When we make changes, we will update the relevant privacy notice.

We have also published charters for the following Defra group organisations:

What you can expect from us, and what we ask from you

We need to handle personal data about you so that we can provide better services. Your personal data is protected in law by the Data Protection Legislation which is the collective term for the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

High standards in handling personal data are important to us because they help us keep the confidence of everyone who deals with us.

So, when we ask you for personal data, we will process your personal data in line with our privacy notices

In return, we ask you to:

  • provide us with accurate information
  • tell us as soon as possible if there are any changes, such as a new address
  • let us know, at time of writing, if you would like your correspondence or enclosed documents returned to you

This helps us to keep your personal data reliable and up to date, and ensures your correspondence is returned if requested.

What personal data we collect

The types of personal data that Defra processes will depend on the contact that you have with us. Types of personal data that Defra processes include:

  • name and contact details
  • family, lifestyle and social circumstances
  • financial details
  • employment and education details
  • goods or services provided
  • education and training details
  • sound and visual images
  • licenses or permits held
  • complaints
  • information relating to health and safety

Defra processes sensitive information that may, where necessary include:

  • physical or mental health details
  • racial or ethnic origin
  • political, religious or other beliefs of a similar nature
  • trade union membership
  • sexual life
  • genetic data
  • biometric data

We also process information relating to criminal convictions and offences including:

  • offences and alleged offences
  • criminal proceedings, outcomes and sentences
  • criminal intelligence

How we use your personal data

We process your personal data in several ways to deliver public services. We will aim to inform you at the point of collection via a privacy notice:

  • the reasons why we need your personal data
  • how your personal data is being collected
  • what we will do with it and who we will share it with

In some cases, we may pass it on to our agents or representatives to do these things on our behalf.

How we use personal data for law enforcement purposes

We regulate activities that may impact the natural environment and investigate environmental offences. As part of our role as an environmental regulator, we process personal data under Part 3 of the Data Protection Act 2018 to:

  • detect and prevent crime
  • take enforcement action
  • prosecute and apprehend offenders

We may collect and process personal data about you when investigating alleged environmental offences as a data controller. This may include special category personal data, such as health or ethnic origin, where it is necessary for our law enforcement purposes.

If we process your personal data for law enforcement purposes, we:

  • may include it in press releases about prosecutions
  • will not disclose it to any other party without your explicit consent unless it is lawful to do so
  • do not use it to make an automated decision or for automated profiling
  • retain it in line with our retention schedule - this takes into account the type, content and sensitivity of your personal data

Legislation governs our activities as the environmental regulator. This gives us authority to investigate suspected or alleged offending. Our lawful basis for processing your personal data under the data protection legislation is that it is necessary for performing tasks carried out for law enforcement purposes as a competent authority.

Who we share your personal data with

We share or disclose personal data where we are required to so by law or to provide services to fulfil our public task. Where we know there is a requirement to share your personal data, we will tell you why and who we will share your personal data with.

We will ensure that any data processor we use, agree to handle your data in line with your rights.

When we publish personal data

As a public body we are required to be transparent about the use of money, for example, and in some cases, this may require the publication of personal information. Data published in these cases will balance the needs for transparency compared to your privacy rights.

Examples where we publish personal data are:

  • senior executive salaries
  • public registers
  • publication of information related to recipients of public funding such as grants, direct payments, agri-environment and financial assistance schemes

We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

Anonymised or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.

How long Defra holds personal data

As a public body we retain personal data for assorted reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Retention periods are set in line with statutory, regulatory, legal, security reasons or for their historic value.

Details will be on the relevant privacy notice.

What happens if you do not provide the personal data

If you do not supply the requested personal data, it is more than likely that the service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example, not complying with specific legislation.

We try to ensure that we only collect the minimum personal data that is necessary for us to offer the services to you.

Use of automated decision-making or profiling

Your personal data may be subject to automated decision making. You will be informed where automated decision making applies including profiling, and the possible consequences of such processing.

Use of artificial intelligence (AI)

Your personal data may be processed using AI.

If AI processing is being considered, you will be asked to answer some (compulsory) data protection impact assessments screening questions. A privacy notice will be published or amended to ensure transparency.

The processing of personal data by AI will only be permitted where alignment with the data protection legislation can be evidenced and appropriate safeguards are in place to protect your rights and freedoms.

Transfer your personal data outside of the United Kingdom

Defra will only transfer your personal data to another country that is deemed adequate for data protection purposes. If your personal data is processed outside the United Kingdom, you will be informed of this and the additional safeguards that are in place.

Your rights

Find more detail about your individual rights under the Data Protection Legislation.

My details are inaccurate or incomplete

If you discover that the personal data, we hold about you is inaccurate, or incomplete, contact us using the contact details in the How to contact us section of the charter. so we can update your records.

When doing so, explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period by an extra 2 months if the request is complicated.

Where we maintain that the original personal data held was accurate, we will explain why. If you do not agree, you can ask us to reconsider or you have the right to complain directly to the Information Commissioner’s Office (ICO).

Please provide the personal data you hold on me

You can ask to see what data we hold about you. This is called a ‘subject access request’. Contact us using the contact details in the How to contact us section of the charter.

Alternatively, you can use the Information Commissioner’s Make a subject access request. Use data.protection@defra.gov.uk as Defra’s contact email address.

On receipt of your request we will acknowledge it and may ask for proof of your identity.

When you ask to see personal data we hold, it is helpful to include as much personal data to help us find the data you want. For example, tell us the functions, schemes, or transactions and dates that you want to know about.

We will respond within one month but may extend this period by an extra 2 months, if the request is complicated. If we decide that the costs or resources to provide you with all the data requested is excessive, due to its volume, we may have to refuse your request.

You have the right to request that we stop processing your personal data and that we delete the personal data that we hold at any time.

However, we may not be able to agree to your request should the data be required to comply with a legal obligation, performance of a contract, public interest task or exercise of official authority.

We may also refuse your request for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes.

Where this is the case, we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.

How to contact us

For general enquiries contact the team in Defra that you are already communicating with. They are best placed to manage general enquiries, update the accuracy of your data or provide you with any personal data.

To report a data breach contact the Defra Helpline on 03459 33 55 77 (UK) +44 20 7238 6951 (from outside the UK) or online.

For all other enquiries, for example, to tell us your details are inaccurate or incomplete, to ask to see the data we hold about you, or to withdraw my consent or request my personal data be deleted, contact the Defra Helpline:

Defra Helpline

Seacole Building
2 Marsham Street
London
SW1P 4DF

Contact form https://www.gov.uk/gui...

Telephone (UK only) 03459 33 55 77

Telephone (from outside the UK) +44 20 7238 6951

The quickest way to get a response is to call our Helpline which is open Monday to Friday 8:30am to 5pm (find out about call charges at www.gov.uk/call-charges), alternatively you can email us.

We aim to respond to queries within 20 working days, however due to the current volumes of correspondence we are receiving there could be a significant delay.

Make a complaint

If you want to make a complaint contact the Defra Data Protection Team by emailing data.protection@defra.gov.uk. Or you contact the Defra Group Data Protection Officer who is responsible for independently checking that Defra complies with legislation by emailing: DefraGroupDataProtectionOfficer@defra.gov.uk or by post at:

Defra Group Data Protection Officer
Department for Environment, Food and Rural Affairs
Seacole Building
2 Marsham Street
London
SW1P 4DF

If you’re unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO) who are the supervisory authority:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. Should you wish to exercise that right full details are available on the Information Commissioner’s website.

Changes to the Personal Information Charter

We keep our Personal Information Charter under regular review. This Personal Information Charter was last updated on 23 October 2023.