Guidance

Trade surveillance and diagnostic laboratory testing privacy notice

Updated 30 September 2024

Applies to England, Scotland and Wales

Your data is being collected by

The data controller is the Department for Environment, Food and Rural Affairs (Defra) for personal data that you give to the Animal and Plant Health Agency (APHA).

APHA is an Executive Agency of Defra. You can contact APHA’s Data Protection Manager by email at: data.protection@defra.gov.uk.

APHA also works with the Scottish Government and Welsh Government, who are joint controllers with APHA for any relevant personal data.

Any questions about how Defra and APHA are using your personal data and your associated rights should be sent to APHA’s Data Protection Manager by email at: data.protection@defra.gov.uk.

The Data Protection Officer responsible for monitoring that Defra and APHA are meeting the requirements of the legislation can be contacted by email at: DefraGroupDataProtectionOfficer@defra.gov.uk.

What personal data is collected

We collect the following items of personal data:

  • name
  • address 
  • contact details
  • name, address and contact details of the private veterinarian submitting the samples for laboratory testing
  • identification details of the live animals being tested, for which you are the owner and/or keeper
  • records of the test results

How your data has been obtained

Your data is obtained through sample submissions procedures, on forms completed by yourself or your private veterinary surgeon as part of seeking testing services from APHA.

In cases of statutory testing and investigations, the data may be collected by APHA or other officials in the line of their work to underpin safeguarding of human and animal health.

Why APHA is using your data

The personal data collected is in relation to the owner and animals from which samples are submitted for testing (name, address, animal identification and details of symptoms).

Personal data is collected and stored for APHA’s statutory functions in relation to disease control and management; specifically imports and exports, food safety, notifiable disease and welfare.

In addition, scanning surveillance functions carried out by APHA are necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller to manage farmed animal disease within Great Britain (England, Scotland and Wales).

APHA may also use this data in order to conduct research into the control and management of these diseases. As well as this data are processed under contract for commercial purposes.

More information about APHA can be found at gov.uk/apha.

  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for compliance to a legal obligation on the controller
  • the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract

Depending on the reason for diagnostic submissions, the data required is either a legal requirement to meet statutory obligations (statutory disease surveillance, international trade testing, notifiable disease testing), or is part of the contract for delivery of services (routine diagnostic testing) to enable APHA to monitor disease trends and conduct surveillance for new and re-emerging disease threats.

Consequences of not providing the necessary data

For APHA’s statutory functions in relation to disease control and management specifically imports, food safety, notifiable disease, and welfare, there is a legislative requirement to provide necessary personal data.

For non-statutory scanning surveillance provision of minimal data is underpinned by the terms and conditions of using the testing service.

For a current list of legislation managing these disease visit legislation.gov.uk.

Personal data used for automated decision making

The information you provide is not connected with:

  • individual decision making, in other words making a decision solely by automated means without any human involvement

Personal data used for automated decision making ‘profiling’ and the consequences of this

The information you provide is not connected with:

  • profiling, in other words automated processing of personal data to evaluate certain things about an individual

Who APHA shares your data with

Personal data may be made available to local authorities and other public bodies in the UK and EU to meet legal requirements.

We may share data with Defra and its agencies, Welsh Government, Scottish Government, Food Standards Agency, Public Health, and other organisations and enforcement authorities.

We may have to release information (including personal data and commercial information) under the following legislation:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Freedom of Information Act 2000
  • Environmental Information Regulations 2004

We will not allow any unwarranted breach of confidentiality and we will not act in contravention of our obligations under UK data protection legislation.

Storing and using data outside the UK

A very small percentage of government records containing personal information are selected for permanent preservation at the National Archives. They are made available in accordance with the Freedom of Information Act 2000, as amended by the Data Protection Act 2018.

The data you provide will largely not be transferred outside of the UK. On rare occasions, when it is lawful and complementary to our work carried out in the public interest, research data may be transferred securely outside of the UK.

How long APHA holds personal data for

Retention periods are set by considering statutory, regulatory, legal, and security reasons, alongside historic value.

All information in APHA is held in accordance with our retention policy. If you would like more information contact enquiries@apha.gov.uk.

Your rights

Find out about your rights under data protection law.

Complaints

You have the right to lodge a complaint about the use of your personal data at any time with the Information Commissioner’s Office (ICO – the data protection supervisory authority).

APHA’s personal information charter

APHA’s personal information charter broadly sets out details of Defra’s processing of personal data.