Personal information charter
This charter sets out what customers, contractors and employees can expect from the Rural Payments Agency (RPA) when we ask for, or hold your personal information
Rural Payments Service
RPA’s Rural Payments Service supports a number of other organisations within the Defra group. To find out how personal information is protected by Animal and Plant Health Agency, Department for Environment Food & Rural Affairs, Forestry Commission and Natural England follow the links below.
Animal and Plant Health Agency - Personal information charter
Department for Environment Food & Rural Affairs - Personal information charter
Forestry Commission – Our Information Charter
Natural England - Personal Information Charter
For RPA read the information below.
Introduction
RPA is committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA 2018).
We follow the Information Commissioner’s Office (ICO)’s recommendations when informing people about their rights, follow their accountability framework and review our compliance with data protection law every year. RPA has published policies covering data protection.
We must provide you with information showing how we process your personal data. This is set out below and in 2 supporting documents (privacy notices) which provide more detail on specific functions.
- Customer Privacy Notices which provides specific information on our public facing tasks
- internal Privacy Notices for Employees, Workers and Contractors (UK)
This applies to any Defra group organisation website, application, product, software, or service that links to it (collectively, our ‘Services’). A Service will link directly to a specific Privacy Notice that shows the particular privacy practices of that Service.
How you can help
When we make changes, we will update the relevant Privacy Notice and do our best to let you know. We can only do this if you let us have your contact details, your preferred forms of communication and you tell us about any changes to these.
Who controls your personal data
The Department for Environment, Food and Rural Affairs (Defra) is the data controller for personal data you give to RPA.
This personal information charter details individual rights when we process your data and who to contact.
More detailed information on how we manage personal data for each of our functions is shown in the specific Customer Privacy Notices and Privacy Notices for Employees, Workers and Contractors (UK).
Lawful basis for processing
RPA primarily processes personal data on the legal basis of a task carried out in the public interest (UK GDPR Art 6(1) (e)). Section 8(d-e) of the DPA 2018 expands on UK GDPR to say that public interest processing includes processing that is necessary for the exercise of a function of the Crown, a Minister, or a government department, or an activity that support or promotes democratic engagement.
Sometimes RPA has a legal obligation to provide your personal data to another part of the UK government, or for EU funded measures, to the EU. Examples of this include:
- HM Revenue and Customs (HMRC) in support of tax revenue and National Insurance
- Cabinet Office in support of the Government Grants Information System (GCIS)
- Defra in support of their publication of data for beneficiaries of certain functions
- EU institutions in support of their legislative functions in managing the legacy of EU funded measures
Where processing is based on your consent, it will be specified in the privacy notice and you have the right to withdraw that consent at any time.
Transparency
Transparency applies to 3 areas under the GDPR/UK GDPR:
1) giving information to data subjects about fair processing
2) how data controllers communicate with data subjects about their rights under the UK GDPR
3) how data controllers manage the exercise by data subjects of their rights
Transparency encourages trust in the processes which affect people so they can understand, and if necessary, challenge those processes. It is also about making sure data is processed lawfully and fairly and is accountable under the UK GDPR. The controller must be able to show that personal data is processed in a transparent manner for the data subject.
What is personal data?
Personal data is data which identifies an individual directly or indirectly, particularly by using an identifier such as their name or a reference number.
Some personal data is more sensitive and needs more careful handling. These ‘special categories of personal data’ refer to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.
Who does the UK GDPR apply to?
The ICO has set out its view on who UK GDPR applies to:
- the UK GDPR applies to ‘controllers’ and ‘processors’
- a controller determines the purposes and means of processing personal data
- a processor is responsible for processing personal data on behalf of a controller
- if you are a processor, the UK GDPR places specific legal obligations on you; for example, you need to keep records of personal data and processing activities. You will have legal liability if you are responsible for a breach
- if you are a controller, you must make sure your contracts with processors meet the UK GDPR
- the UK GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU
- the UK GDPR does not apply to processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities
Defra group
Defra and its four core agencies form a single legal entity and Data Controller. These five organisations are:
- The Department for Environment, Food and Rural Affairs (Defra) which comprises the core department and Defra Group Corporate Services
- Animal and Plant Health Agency (APHA)
- Centre for Environment, Fisheries and Aquaculture Science (CEFAS)
- Rural Payments Agency (RPA)
- Veterinary Medicines Directorate (VMD)
The wider Defra group comprises 33 organisations.
What are my rights?
Your rights under UK GDPR/Data Protection Act 2018 are listed in full in the Information Commissioner’s website.
How we use your data
We use your personal data to deliver Public Services as set out in the supporting Customer Privacy Notices and Privacy Notices for Employees, Workers and Contractors (UK). They set out the reason(s) we need your information, how your information is being collected, what we will do with it and who we will share it with. In some cases we may pass it on to our agents/representatives to do these things on our behalf.
When we share personal data
We share personal data where we are legally required to do so or to provide services to meet our public task. This means the legislative requirements RPA has to meet, or assurance activity such as counter-fraud measures. We also share data about compliance functions RPA shares with other bodies, or to support the functions these bodies do to meet public tasks. If we need to do this, we will tell you why and who we will share your personal data with. We will also make sure that the data controller or data processor agrees to handle your data in a way that meets with your rights.
For all of the functions (schemes and services) below, we retain the right to share your data with the Department for Environment and Rural Affairs, the Defra group and the European Union (EU).
We are obliged to provide returns of information on payments to the Cabinet Office in support of the Government Grants Information System (GGIS). The GGIS enables the recording and reporting of grant information across government in a simple, standardised and scalable way. It will improve transparency and provide insight into grant spend, enabling departments to manage grants efficiently and effectively while actively reducing the risk of fraud.
In relation to counter-fraud measures, including the National Fraud Initiative (NFI), we may also share data with the Cabinet Office, Department for Work and Pensions (DWP) and HM Revenue and Customs (HRMC). Defra have issued a separate privacy notice concerning the NFI.
We may also share your information with Local Authorities, food or animal regulatory organisations and other organisations listed in the Privacy Notices. The lists are not exhaustive but identify the regular sharing relationships. Ad-hoc or irregular sharing will only be considered if fully complying with the UK General Data Protection Regulations and the Data Protection Act 2018. We do not need your consent to share if that party is carrying out a public function or complies with an identified exemption within the UK GDPR.
Publication of personal data
Public bodies need to be transparent about the use of money for example and in some cases, it may mean the publication of personal information. Data published in these cases will balance the need for transparency with your privacy rights. Examples where we, or others, publish personal data are:
- Senior Executive salaries
- Public registers
- European legislation (Regulation 1306/2013) requires Defra to publish certain information about you, if you receive CAP scheme payments (both those funded by the EU and those UK-funded payments for schemes run under retained EU legislation)
- the Subsidy Control Act 2022 requires Defra to publish some beneficiary data. The information is published on the Government’s subsidy database
We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000 and the Data Protection Act 2018. Anonymous or non-personal data may be shared in support of public tasks and where possible disclosed under an Open Government Licence.
Publication of beneficiary information
The UK Coordinating Body (part of Defra) publish payment data for CAP scheme payments, both those funded by the EU and those UK-funded payments for schemes run under retained EU legislation via the CAP Payments Service.
The EU Withdrawal Agreement means that the UK must continue to abide by the requirements of 1306/2013 until closure of the EU Funded programmes. The last EU-funded payments were made in December 2023, and these will be included in the data to be published for EU financial year 2024 on the CAP payments website in May 2025. Data is required to be made available for two years, so this final set of data will be removed in May 2027, when the website will be closed.
This will include:
- your name
- your company name
- your postcode and county
- how much you were paid and reason for payment (for example, Basic Payment Scheme payments)
If you are paid €1,250 or less, the information will be anonymous.
Defra will publish payment data on recipients of financial assistance grants to meet the requirements of the Subsidy Control Act 2022. In broad terms that means and function which is funded by the Agriculture Act.
- Sustainable Farming Incentive (SFI)
- Farming Equipment and Technology Fund (FETF)
- Countryside Stewardship under the Agriculture Act 2020 (Mid Tier and Higher Tier schemes)
- Farming Transformation Fund (Water Resource Management scheme; Improving Farm Productivity scheme; Adding Value scheme; Slurry Infrastructure scheme)
- Delinked payments
This will include:
- your name
- your company name
- your postcode and county
- how much you were paid and reason for payment
If you are paid £1,250 or less, or if you are a beneficiary of certain animal health and welfare or plant health schemes, the information will be anonymous.
This data will be published by the find farm and land payment data service.
The Defra Personal Information Charter provides more detail on how they process the data we provide to them for this purpose.
How long we will keep data
Public bodies keep information to make sure they are accountable. When we no longer need personal data, it is securely deleted or destroyed. Retention periods are set in line with statutory, regulatory, legal, security reasons or for their historic value. Details are shown on the relevant Privacy notice.
Your personal data is kept by us in line with our information retention schedules. Information on retention is included in individual Customer Privacy Notices and Privacy Notices for Employees, Workers and Contractors (UK), but may be extended on a case by case basis if necessary.
Examples of this include: appeal, audit activity, complaint, irregularity, has historic value, as determined by the Public Records Act, legal action, a formal request for information, or if it sets a precedent.
In these cases access to this information and processing of it will be limited to this specific use and where possible, personal data redacted, or its access restricted.
What if my details are inaccurate or incomplete?
If you discover that the personal data we hold about you is not correct, please contact us (see ‘How to contact us’). You will need to tell us where you have seen it and what data you feel is inaccurate. We will try to respond to you within one month (two months if the request is complicated).
Where we think that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the Information Commissioner’s Office, as detailed in this Personal Information Charter.
How do I ask to see the data you hold about me?
You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to RPA’s Information Rights Team (IRT) at the address in the ‘How to contact us’ section below.
We will acknowledge your request and may ask for proof of your identity.
We will respond within one month (two months in complex cases). We may have to refuse your request if the cost is too expensive, or ask you to contribute towards these costs. Include as much information in your request as possible, for example, the functions, schemes, or transactions and dates that you want to know about.
Do you transfer my personal data outside of the European Economic Area?
In most cases, personal data is not transferred or stored outside of the UK, or the European Economic Area, the areas that UK GDPR and GDPR apply. If your personal data is processed outside the United Kingdom or European Economic Area, it will be noted on the Privacy Notice, along with the safeguards that are in place.
Can I withdraw my consent or ask that my personal data is deleted?
If we process your data based upon consent, it will be specified in the privacy notice and you have the right to withdraw that consent at any time. As a general rule Consent is obtained for a specific purpose and you will have been asked to sign a form consenting to that use of the data.
Consent is only one of the legal basis for processing personal data and in most cases we process personal data on the legal basis of a task carried out in the public interest. This does not require consent and thus has no automatic right to withdraw it. However, you have other rights.
You have the right to request that:
1) we no longer process your personal data
2) we delete your personal data at any time
However, we may have to refuse your request if the data is needed to meet a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse your request for public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. If this is the case, we will advise you of this.
We may hold and make your data anonymous for data analysis before we delete it.
What will happen if I do not supply the requested personal data?
If you do not supply the requested personal data it is likely that the service you want may not be available to you. This may mean that you don’t meet with specific legislation. We try to make sure that we only collect the minimum personal data necessary for us to offer the service(s) to you.
Will my data be used for automated decision making?
Your personal data may be subject to automated decision making. The relevant Privacy Notice will confirm where this happens and the expected consequences of this processing.
How to contact us
For general enquiries, please contact the team you are already communicating with. They can update your data or give most of your information. If they cannot help you, or you have a complaint about how your data is being handled, please use following contacts:
You can call or email the Customer Service Centre or write to:
Rural Payments Agency
PO Box 69
Reading
RG1 3YD
Telephone: 0300 0200 301
How do I report a data breach?
You can email the Security team or write to:
The Security Team
200 North Gate House
Reading
RG1 1AF
How do I ask to see the data you hold about me?
For general enquiries, contact the team you are already communicating with. However, if they cannot help you further, or you wish to formally request your personal information, please email the Information Rights Team or write to:
RPA Information Rights Team
Rural Payments Agency
Eden Bridge House
Lowther Street
Carlisle
Cumbria
CA3 8DX
How do I make a complaint about how my personal data has been handled?
If you have concerns about the handling of a request to exercise your rights, please follow RPA’s guidance about how to make a complaint about how RPA uses your data.
Changes to the Personal Information Charter
We keep our Personal Information Charter under regular review. This was last updated on 17 December 2024.