Policy paper

Rural Payments Agency Data Protection Policy

Published 9 May 2024

1. Policy Summary

The Rural Payments Agency (RPA) Data Protection Policy provides the framework for ensuring that the Agency meets the necessary legal obligations under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The policy applies to all processing of personal data carried out by RPA. This includes processing carried out by joint controllers, contractors, and processors.

2. Data Protection Principles

Data protection law covers how personal data is sourced, stored, managed, used, and disposed of. Personal data represents characteristics of individuals and can be used to make decisions that will affect people’s lives. Personal data is protected because:

• there is a potential for misuse which could negatively affect individual people (data subjects) and organisations

• data has an economic value and legislation controls how that value can be accessed, by whom and for what purposes

The policy therefore ensures that RPA complies with data protection legislation guided by the six data protection principles. These require that personal data is:

• processed fairly, lawfully and in a transparent manner

• used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes

• adequate, relevant, and limited to what is necessary

• accurate and kept appropriately up to date

• not retained for longer than necessary

• kept safe and secure within technical and organisational environments as part of the Agency’s Information Governance Model

The accountability theme (often referred to as a principle) requires that RPA must be able to show evidence of compliance with the above six principles. Compliance ensures we do not put data subjects at risk because of how we process their information.

2.1 Policy Coverage

This policy enables you to understand how RPA will meet its obligations under data protection law. The policy covers the Agency’s collation, management, use and disposal of personal data. It is part of RPA’s information management architecture which sets out its approach to information management practice.

RPA will take every reasonable step to ensure that personal information is collected, retained, and otherwise processed in a lawful manner and that the rights of data subjects are upheld.

3. The Information Governance Model

To meet these obligations, RPA enacted effective measures to ensure compliance with data protection law. RPA’s people have access to several policies, procedures, and guidance (including desk-aids and desk instructions) to give them direction on the application of the data protection legislation. The collective name for this information architecture is the Information Governance Model. It is documented in the RPA Data Protection Landscape (P/DP&G/IGM).

The Information Governance is further informed by the Accountability Framework, a product released by the Information Commissioner’s Office (ICO) and by which organisations may self-assess their state of compliance.

RPA has assigned information asset owners (IAOs) to each of its directorates or significant functions. The IAO works with the information governance practitioners in RPA to oversee the use and processing of personal data, for example data sharing in support of the rural economy, and to manage and mitigate all associated risks. Leading their people day-to-day to ensure information is processed with due care and diligence and that people are familiar with the data protection procedures and processes. Along with the practitioners, the IAOs meet quarterly at the Information Governance Business Unit Group (IGBUG). The IGBUG reports to both the Security Risk Owner (SRO) for accountability and the Finance and Assurance Subcommittee (FASC) for assurance.

As a delivery body of the Department for Environment, Food and Rural Affairs (Defra), RPA is also accountable to the Defra Data Protection Officer (DPO), who advises on and monitors compliance with data protection law. RPA has also appointed a Data Protection Lead (DPL) to act as a local point of contact to liaise with the Defra DPO.

Further governance roles beyond the immediate model are described as follows.

3.1 Audit and Risk Assurance Committee

The Audit and Risk Assurance Committee (ARAC) is responsible for advising the Accounting Officer on strategic process for risk, control, and governance, which includes data protection risk and compliance. Regular reporting to the ARAC will include updates from each IGBUG on information risk and cyber security, and any reports of breaches.

3.2 Executive Team

The Executive Team (ET) supports the Chief Executive in leading RPA in delivering its strategy and business plan within a framework of effective controls. ET is responsible for determining the inclusion of data protection into strategic priorities and upholding an information governance culture. ET undertakes oversight functions and responsibilities regarding data protection.

3.3 Our People

Our people will actively involve their IAO in a proper and timely manner in all issues which relate to the protection of personal data. People are expected to:

• understand and follow this policy

• participate in training as required to be fully informed of their obligations and RPA’s liabilities

• know how to recognise a personal data breach and unauthorised processing

• ask questions about data protection when in doubt and raise any concerns with their IAO

• report any suspected personal data breaches without delay

4. Special Category Data and Other Sensitive Information

RPA acknowledges that some personal data is more sensitive and must be afforded greater protection. This is personal data related to: race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric identification (ID); health; sexual life and/or sexual orientation and criminal records (convictions and offences).

As part of RPA’s statutory and corporate functions, Special Category Data and criminal offence data is processed in accordance with the requirements of Article 9 and 10 of the UK GDPR and Schedule 1 of the DPA 2018. There is a separate policy for Special Category Data.

Personal data, including Special Category Data, will only be collected and processed under one or more of the given processing conditions. This applies to personal data in all formats, including photographs, video recording and other imagery.

5. Data Protection Impact Assessments

RPA has a procedure to assess processing of personal data that is considered to be high risk and which accordingly needs a data protection impact assessment (DPIA) to be carried out before any further use is made of the information.

RPA will run a DPIA when adopting new technologies or where processing personal data is likely to result in a high risk to the rights and freedoms of individuals, for example profiling or legal consequences, or large-scale processing of Special Category Data. Where the DPIA indicates high risk post-mitigation, RPA will consult the ICO.

The Agency adopted the concepts of ‘data protection by design’ and ‘data protection by default’ and ensures personal data collection is kept to a minimum and managed appropriately. Project processes and tools are in place to assist people in ensuring compliance and privacy by design is integral to any product, project or service offered by RPA.

6. Children and Vulnerable Adults

Where processing data relating to children and vulnerable adults, RPA will:

• complete a DPIA

• make available a separate Privacy Notice which is understandable to a child, setting out what we do with their data and their rights

• make reasonable efforts to ensure that anyone who provides their own consent is at least 13 years old

7. Transparency

All processing must have one of the lawful bases set out in the UK GDPR. Each lawful basis allows an individual to have certain rights related to their personal data. These include the right to be informed about how their data is being used (such as transparency).

RPA sets the context of its personal information processing activities in its Personal Information Charter (POL/DP&G/PIC).

Also available are the supporting Privacy Notices, one per processing theme for both customers and the Agency’s people (including contractors). This hierarchy is explained in the Right To Be Informed Procedure (P/DP&G/RBI).

RPA provides a Privacy Notice at the point of data capture, where obtaining data directly from the subject, or within one month when obtaining data via a third party. The privacy notice will specify and make explicit the purpose of data collection and details of processing.

RPA will make sure data is processed lawfully and fairly and is accountable under the UK GDPR. Changes to Privacy Notices will be tracked and must be able to show that personal data is processed in a transparent manner for the data subject.

8. Record of Processing Activities

The Record of Processing Activities (RoPA) records personal data processing activities and is linked to the Privacy Notices. It is available for reference by our people, and their IAOs collaborate in its upkeep.

Personal data collections in the context of a processing theme (and aligned against each Privacy Notice) are logged in the RoPA with the retention period specified as per the Defra KIM Policies.

9. Security

Personal data is stored and processed in a manner that ensures security of the data. This includes protection against unauthorised or unlawful processing, accidental loss, destruction, or damage. RPA uses a combination of technical and organisational measures. Personal data is held in information technology (IT) systems in accordance with the Defra Group Security Policies. In particular:

• restricted access to the personal data will be considered in line with the Government Security Classification

• Special Category Data will be identified and treated accordingly, and the Data Protection Lead notified in every case

• when engaging in sharing that is deemed to pose a higher degree of risk, data will be pseudonymised (elements exchanged for codes) where possible and necessary

10. Information Governance Training

A culture of awareness of, and care for, personal data is generated through training and assessment plus guidance and continuous assessment. People are trained to identify the personal data required for the task at hand and ensure they are collecting adequate and relevant information.

All RPA people must undertake annual mandatory Security and Data Protection training. All must achieve a set pass mark to ensure their understanding. The module is approved by the Information Commissioner and provided online through Civil Service Learning (CSL). It will:

• ensure that people can recognise a security incident and a personal data breach and know what steps to take in response

• make use of a variety of technologies and delivery methods

• contain content that evolves to reflect current ways of working and threats

• be designed for a general audience so that it has relevance to everyone in RPA whether they work in an office developing policy or in the field delivering services

• be promoted through internal communications mechanisms

People must complete an assessment at the end of the training. The assessment will show they understand the mandated course outcomes.

People who will be working with personal data must have completed at least the basic level of training before accessing personal data.

10.1 Further Training and Awareness for Senior Roles

The Agency’s data protection function has delivered training to the IAOs with the intention of embedding a culture of data protection by design and default, to ensure privacy, and to increase risk awareness.

11. Rights of Individuals

11.1 Introduction

The law empowers data subjects and gives them greater control over their personal information through the creation of several rights. RPA must, where necessary, facilitate the exercise of these rights. Active compliance with individuals’ privacy rights minimises the risks to individuals as well as to RPA and protects and improves the corporate reputation.

11.2 Subject Access Requests

People have a ‘data subject access right’ to find out what information is held about them. If a person contacts RPA to find out what information is held by RPA about them, the term used is a Subject Access Request (SAR).

All people are made aware of the data subject access right in the mandatory Security and Data Protection training module and there is supporting guidance available through internal communications channels.

RPA provides desk instructions for specialist people on how to handle SARs, including standard templates for acknowledgement of the SAR and for other correspondence. These instructions are updated on a regular basis.

Statistics on SARs are presented to the IGBUG, which can address any issues arising in terms of trend analysis and support should delays in processing be encountered.

Some types of information do not have to be released if covered by one or more of the exemptions set out in data protection legislation. Generally, whether an exemption will apply will usually depend on why personal data is being processed. The senior information rights practitioner will advise if an exemption applies and how it should be handled and may, if the need arises, liaise with the Data Protection Lead.

11.3 Disputes and Rectification of Inaccurate Data or Information

Anyone working with personal data and/or information in any area of RPA is expected to have taken reasonable steps to make sure the information or data held about an individual is accurate. If, for example, after a SAR has been responded to, the person tells us that they disagree with the information held about them, advice on handling must be sought from the senior information rights practitioner (and possibly the Data Protection Lead).

Customers of some schemes (including agents acting on clients’ behalf) can amend details themselves through the Rural Payments service. Where self-service is not possible, on being notified by the customer, the Customer Service Centre routes the required amendments to the business area for action.

11.4 Right of Erasure

RPA will maintain processes to delete, suppress or otherwise stop processing personal data or information if requested. These will cover live systems and, where reasonable, back-up systems. Any actual deletion would be performed by operational people.

If personal data has been made public in an online environment, reasonable steps must be taken to tell other controllers that if they are processing the data they must stop and erase links to copies or replication of that data.

11.5 Rights and Considerations Relating to Automated Decision-making and Profiling

RPA does not use any wholly automated decision-making at present. If this changes the use will be carefully considered, particularly in relation to ensuring:

• additional checks for vulnerable groups, such as children, are necessary for all automated decision-making and profiling

• only the minimum data needed for a decision is collected

• retention labels being assigned to any profiles created for automated decision-making

11.6 Individual Complaints

RPA has procedures to handle individuals’ complaints about data protection. These procedures can be found in the data protection section of the Agency’s internal communications channels and in the Personal Information Charter.

12. Accountability

RPA is accountable to the data subjects whose data it processes and to the ICO as the Supervisory Authority in the United Kingdom. RPA will demonstrate its commitment to good data protection practice through the steps outlined in this policy.

13. Publication, Review and Monitoring

Publication date: April 2024

Version: 1.0

Author: Data Protection & Governance (DP&G)

Review period: Annual

The policy is scheduled to be reviewed again during April 2025 unless significant developments in either RPA or the law necessitate that this be brought forward.

Compliance with the policy will be monitored via the Data Protection Lead and the SRO reporting to ET and the ARAC as required.

14. Recommended Further Reading

This policy should be read in conjunction with the following documents:

Appropriate Policy Document: Special Category Personal Data and Criminal Offence Data

Appropriate Policy Document: Sensitive Processing For Law Enforcement Purposes