The Forestry Commission is committed to the responsible handling and security of personal data. Your privacy is important to us and is protected in law through the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) 2018.
We must provide you with information setting out how we process your personal data. This is set out below. This applies to any Forestry Commission website, application, product, software, or service that links to it (collectively, our “Services”). A Service will link directly to a specific Privacy Notice that outlines the particular privacy practices of that Service. When we make changes, we will update the relevant Privacy Notice.
The EU’s Article 29 Data Protection Working Party has issued guidance on transparency requirements necessary to comply with GDPR:
Transparency is an overarching obligation under the GDPR applying to three central areas, 1) the provision of information to data subjects related to fair processing, 2) how data controllers communicate > with data subjects in relation to their rights under the GDPR, 3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/6803, these guidelines also apply to the interpretation of that principle.
Transparency is a long established feature of the law of the EU5 (France, Germany, Italy, Spain, and United Kingdom). It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union. Under the GDPR (Article 5(1) (a) 6), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must be able to demonstrate that personal data is processed in a transparent manner in relation to the data subject.
What is personal data?
Personal data is data which identifies an individual directly or indirectly, in particular by reference to an identifier such as their name or a reference number.
Some personal data is more sensitive in nature and requires more careful handling. GDPR defines “special categories of personal data” which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.
Who does the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018 apply to?
The Information Commissioner’s Office (ICO) has set out its view on who GDPR and DPA applies to:
- the GDPR and DPA applies to ‘controllers’ and ‘processors’
- a controller determines the purposes and means of processing personal data
- a processor is responsible for processing personal data on behalf of a controller
- the GDPR and DPA places specific legal obligations on both data controllers and data processors. Where the Forestry Commission uses data processors to provide elements of services for us, the law places further obligations on us to ensure that our contracts with processors comply with the GDPR and the DPA
- the GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018
- the GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities. Part 3 of the Data Protection Act 2018 transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law
The Forestry Commission is the controller for the personal information we process, unless otherwise stated.
What are my rights?
You have rights under the General Data Protection Regulation and the Data Protection Act 2018. These are listed out in full on the Information Commissioner’s website.
How we use your data
We process your personal data in a number of ways to deliver Public Services. We will inform you at the point of collection via a Privacy Notice the reason(s) we need your information, how your information is being collected, what we will do with it and who we will share it with. In some cases we may pass it on to our agents/representatives to do these things on our behalf.
When we share personal data
We share or disclose personal data where we are required to so by law or to provide Services to fulfil our public task. In some circumstances we are legally obliged to share information. For example under a court order. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information. We will ensure that any data processor agrees to handle your data in conformity with your rights. We may also share your personal information where you have given us explicit consent to do so.
When we publish personal data
Public bodies are required to be transparent about the use of money, for example, and in some cases this may require the publication of personal information. Data published in these cases will balance the needs for transparency compared to your privacy rights. Examples where we publish personal data are:
- Senior Executive salaries
- Public registers
- Publication of beneficiary information
- European legislation (Regulation 1306/2013) requires the Rural Payments Agency (RPA) to publish certain information about you, if you receive any payments from Common Agricultural Policy schemes, which includes most forestry grants
We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.
Anonymised or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.
How long we keep data
Public bodies retain information for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Records periods are set in line with statutory, regulatory, legal, security reasons or for their historic value. In most cases details will be on the relevant Privacy Notice.
What if my details are inaccurate or incomplete?
If you discover that the personal data we hold about you is inaccurate, or incomplete, please contact us (see ‘How to contact us’), so we can update your records. When doing so, please explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period to two if the request is complicated.
Where we maintain that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the Information Commissioner’s Office, as detailed in this Personal Information Charter.
How do I ask to see the data you hold about me?
You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to the Forestry Commission’s Data Protection Officer.
On receipt of your request we will acknowledge it and may ask for proof of your identity.
We will respond within one month, and exceptionally extend this by up to two months in complex cases. When you ask to see information we hold it is helpful to include as much information as possible to help us find the data you want, for example, tell us the functions, schemes, or transactions and dates that you want to know about.
Do you transfer my personal data outside of the European Economic Area?
There are instances where personal data is stored outside the European Economic Area. In most cases personal data is not transferred or stored outside of the European Economic Area. If your personal data is processed outside the United Kingdom or European Economic Area, you will be informed of this and the safeguards that are in place.
Can I withdraw my consent or request my personal data be deleted?
You have the right to request that
- we no longer process your personal data
- we delete your personal data at any time
However, agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. Where this is the case and agreement is not required we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.
What are the consequences if I do not supply the requested personal data?
If you do not supply the requested personal data it is more than likely that the Service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example not complying with specific legislation. We try to ensure that we only collect the minimum personal data that is necessary for us to offer the Service(s) to you.
Will my data be used for automated decision making?
Your personal data may be subject to automated decision making. You will be informed where automated decision making applies including profiling, and the envisaged consequences of such processing.
How do I make a complaint about how my personal data has been handled?
If you think your data has been misused or that the organisation holding it hasn’t kept it secure, you should contact the Forestry Commission’s Data Protection Officer.
For routine issues please contact the individual or team you are already in contact with. They are usually best placed to respond to general enquiries, update the accuracy of your data or provide you with additional information. However, if they cannot help you, or you have a complaint about how your data is being handled or you want to report a data breach then please contact the Forestry Commission’s Data Protection Officer. Unless there is good reason for not doing so then any complaint to the Forestry Commission should be made in writing.
If you are unhappy with our response to your complaint or if you need any advice you can contact the Information Commissioner’s Office (ICO) who is the supervisory authority. The Forestry Commission is registered as a data controller under the Data Protection Act 1998 (Registration No: Z6542658).
ICO Help Line: 0303 123 1113
Changes to the Personal Information Charter
We keep our Personal Information Charter under regular review. This Personal Information Charter was last updated on 31 July 2018.