Personal information charter

This personal information charter sets out the standards you can expect from the Fair Work Agency when we collect, hold or use your personal information. 

The Fair Work Agency (FWA) will treat all personal information in line with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  

What you are entitled to know 

When we (or our partner organisations working with us) collect, hold, use or otherwise process your personal information, you are entitled to be told:  

  • the purpose for using your information, and the lawful basis for processing it 

  • how long we will keep it and who we will share it with 

  • whether it will be transferred or accessed outside the UK (and what safeguards apply) 

  • what rights you have (including the right to access your information or object to certain uses) 

  • how to complain to the Information Commissioner’s Office (ICO) if you think your information has been mishandled 

  • how to contact our Data Protection Officer (DPO) (or data protection function)  

What you are entitled to expect 

You are entitled to have your personal information:  

  • protected and kept secure 

  • kept accurate and up to date 

  • used only for purposes that are compatible with why it was collected 

  • kept only for as long as it is needed (unless it must be kept as part of the historic record)  

Privacy notice

FWA is committed to protecting the privacy and security of your personal information. This privacy policy describes how we collect and use personal information about you in accordance with UK Data Protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and section 8 of the Data Protection Act 2018. 

We have a separate privacy notice which describes how we collect and use personal information about our staff in relation to their employment. 

We’re required under data protection legislation to notify you of the information contained in this privacy policy. It’s important that you read this policy so that you are aware of how and why we are using your information. 

In addition to this privacy policy, when you interact with us, we may provide you with more specific information about how we will process your personal data.  

What data we collect 

Personal information (sometimes called ‘personal data’) is any information that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. 

Because personal information allows people to know things about you, we need to protect this information and only use it for certain purposes. 

Some information needs more protection. It might be information that you would not want widely known or that is very personal to you. This is sometimes also referred to as ‘sensitive personal data’ or ‘special categories of data’.  

We collect, store and use certain categories of personal information about you such as: 

  • personal contact details such as name, title, addresses, email addresses and phone numbers

  • job or role within your company 

  • National Insurance Number 

  • gender 

  • information about your employment 

  • information about your business activities 

  • information about your domestic and business properties 

  • passport and driving licence information 

  • use of assistive technology 

  • internet protocol (IP) address and details of which operating system and web browser you use 

We’ll also collect, store and use certain special categories of more sensitive personal information such as: 

  • information about criminal convictions, allegations and offences, where relevant in relation to our functions 

We are trialling artificial intelligence (AI) solutions to support the delivery of our functions, including the provision of additional business support information. Unless made expressly clear to you, we will not use AI to make or inform decisions about you. Unless made expressly clear to you, we will not use your personal data to train the large language models used by the AI solutions. 

We will apply effective data minimisation techniques to all such uses of your data. 

Why we need your data 

The data you provide will be processed by FWA in order to deliver our statutory functions including: 

  • regulating our licensed sectors  

  • supporting businesses and workers 

  • regulating employment agencies and businesses 

  • undertaking enforcement investigations under the Employment Rights Act 2025 

  • handling enquiries, complaints and reporting made to FWA 

  • providing guidance 

  • delivering programmes and services 

  • improving our services through feedback 

  • protecting our systems and detecting security issues 

Other purposes which may be relevant (to be considered on a case-by-case basis) are to: 

  • gather feedback to improve our services 

  • respond to any feedback you send us, if you have asked us to 

  • allow you to access government services and make transactions 

  • provide you with information about relevant services 

  • monitor use of the site to identify security threats 

Lawful basis for processing 

Our lawful basis for processing your personal data is that the processing is necessary: 

  • to perform a task in the public interest (Article 6(1)(e) of the UK GDPR and section 8 of the Data Protection Act 2018 

  • for the exercise of our functions as a government department 

In 2021, ICO issued guidance clarifying that promotional messages issued by public sector organisations would not be classed as direct marketing if those promotional messages are necessary for the performance of a public task or function. In view of this clarification, FWA relies on the ‘public task’ lawful basis when sending promotional messages to carry out FWA’s public tasks or functions. This is without prejudice to your right to object and to exercise other applicable rights available under the regulation. The full details of data subjects’ rights and how to contact us are provided below. 

Contacting you 

We will use your personal information to respond to your enquiry or to provide the service you have requested. 

We may also send you information about related services where this supports our public task. You can object to receiving these messages at any time, and details of your rights and how to contact us are provided below. 

How we obtain your personal information  

We collect personal information directly from you in circumstances such as: 

  • visiting our website, interacting with our tools and using our digital services 

  • creating a profile on our licensing portal 

  • through inspections and enforcement investigations 

  • populating our online forms and completing our surveys 

  • when you download documents from us 

  • any communications you make with us by phone, email, post, websites, social media or otherwise. We routinely record calls for quality, training and security purposes.  

  • when you apply for a job with us 

  • when you visit us at our buildings and premises 

Information we may obtain about you 

In some cases, we carry out checks on organisations and key individuals to meet legal and regulatory requirements, protect public funds, and ensure we can safely deliver our services. These checks help us fulfil our duties in the public interest, protect our employees and assets, and comply with obligations such as trade control, anti-money laundering, and bribery and corruption laws.

To do this, FWA may undertake checks on existing or potential commercial clients, both before entering into a contract and at intervals afterwards. We may verify information about key individuals associated with these organisations, such as directors, officers, sole traders, shareholders and other key stakeholders. We only collect and use the minimum information necessary and only where the law allows. 

This processing is carried out under the Public Task lawful basis, as it supports FWA’s statutory functions and our objectives to promote economic growth and support UK businesses (Article 6(1)(e) UK GDPR and section 8 of the Data Protection Act 2018). In some cases, where we are legally required to carry out specific checks, we will process personal data under the Legal Obligation lawful basis (Article 6(1)(c) UK GDPR). 

As part of these checks, we may review: 

  • publicly available information about your company or business activities 

  • government issued sanctions lists or blocklists 

  • media sources, including social media 

Where necessary and permitted by law, we may also review information relating to suspected or actual criminal behaviour, criminal records or related proceedings. This is done solely to ensure compliance with legal and regulatory requirements and only to the extent allowed under UK law and relevant overseas laws. 

You have the right to object to processing carried out under the Public Task lawful basis at any time. If you wish to object, please contact us at dataprotection@fairworkagency.gov.uk.

Who we share your information with

We may share your personal data with third parties where this is necessary to deliver our services or carry out our statutory functions. When we use third party data processors, they must follow our instructions and apply appropriate security measures. They are not permitted to use your personal data for their own purposes.

In addition to our processors, we may share your information with: 

  • government departments, public agencies or public bodies 

  • third party service providers (where they act independently of us) 

  • event partners and sponsors when you register for one of our events 

  • businesses or organisations as part of the services we provide 

  • law enforcement agencies and regulators 

  • the National Archives for archival purposes 

If we need to share your information with a third party not listed above, we’ll let you know unless we are prevented from doing so by law. Aggregated analysis of responses may also be shared with ICO, the Government Internal Audit Agency (GIAA) and the National Audit Office (NAO). 

We also collect, use and share aggregated or statistical data that does not identify individuals. Although this data may be derived from personal data, it’s not considered personal data in law as it cannot directly or indirectly identify you. For example, we may aggregate usage data to understand how people use particular website features. 

We rely on the Public Task lawful basis for sharing information where this supports our statutory functions. You may object to processing under this lawful basis at any time by contacting dataprotection@fairworkagency.gov.uk.

Where we are required to share information to comply with the law such as responding to FOI or Environmental Information Regulations (EIR) requests, meeting regulatory obligations, or responding to court orders, we do so under the Legal Obligation lawful basis. Under this basis, some rights (including the rights to object, erasure and portability) do not apply. 

We will never sell or rent your personal data, nor share it with third parties for their own marketing purposes. We may also share your information if required by law or regulation, for example to prevent fraud or other crime. 

How long we keep your data 

In line with our records management and retention and disposal policy, we will only retain your personal information for as long as: 

  • it’s needed for the purposes set out in this document 

  • the law requires us to 

Rights afforded to data subjects 

Lawful basis: Public Task (Article 6(1)(e) of the UK GDPR

Under the lawful basis of Public Task, which permits processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, data subjects are afforded the following rights: 

  • Right to object. You have the right to object to the processing of your personal data at any time. 

  • Right to access. You have the right to request access to your personal data and obtain information about how it’s being processed. 

  • Right to rectification. You have the right to request the correction of any inaccurate or incomplete personal data. 

  • Right to restriction of processing. You have the right to request the restriction of processing of your personal data under certain circumstances, such as if you contest the accuracy of the data or object to the processing. 

  • Right to data portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request the transfer of this data to another controller, where technically feasible.

Lawful basis: Legal Obligation (Article 6(1)(c) of the UK GDPR

Under the lawful basis of Legal Obligation, which permits processing necessary to comply with a legal requirement, data subjects are afforded the following rights: 

  • Right to access. You have the right to request access to your personal data and obtain information about how it’s being processed. 

  • Right to rectification. You have the right to request the correction of any inaccurate or incomplete personal data. 

  • Right to restriction of processing. You have the right to request the restriction of processing of your personal data under certain circumstances, such as if you contest the accuracy of the data or object to the processing. 

Please note: under the lawful basis of Legal Obligation, data subjects do not have the following rights: 

  • Right to object. You do not have the right to object to the processing of your personal data. 

  • Right to erasure. You do not have the right to request the deletion of your personal data. 

  • Right to data portability. You do not have the right to request the transfer of your personal data to another controller. 

If you have any questions or wish to exercise your rights, contact dataprotection@fairworkagency.gov.uk.

How we protect your data and keep it secure 

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. For example, we protect your data using varying levels of encryption. We process your personal data and information securely by using suitable technical and organisational controls to prevent unauthorised processing and against accidental loss, misuse, destruction or damage. We also ensure that any third parties keep all personal data they process on our behalf secure. 

Contact us 

If you have any requests relating to your rights or have questions about this privacy policy and how we handle your personal information, you can contact our Data Protection Officer, at dataprotection@fairworkagency.gov.uk  

You can also contact ICO for independent advice about data protection, privacy, and data-sharing issues. 

Information Commissioner’s Office
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 

Phone, 0303 123 1113 
Textphone, 01625 545860 
Email, casework@ico.org.uk 

Changes to this privacy policy 

We reserve the right to update this privacy policy at any time and we will provide you with a new privacy policy when we make any substantial updates. 

Confidentiality 

Information provided while using this service, including personal information, may be disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA). 

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice that addresses obligations of confidence, among other things.

Contents