Personal information charter

This charter sets out what customers, contractors and employees can expect from the Rural Payments Agency (RPA) when we ask for, or hold, your personal information.

Rural Payments Service

To find out how personal information is protected, Forestry Commission and Natural England customers should follow the links below.

Forestry Commission – Our Information Charter
Natural England - Personal Information Charter

RPA customers should read the information below.


The Defra group are committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the General Data Protection Regulation (GDPR 2016) and the Data Protection Act (DPA 2018).

We must provide you with information showing how we process your personal data. This is set out below and in our Privacy Notices. It applies to any Defra group organisation website, application, product, software, or service that links to it (collectively, our “Services”). A Service will link directly to a specific Privacy Notice that shows the particular privacy practices of that Service.

When we make changes, we will update the relevant Privacy Notice and do our best to let you know. We can only do this if you let us have your contact details, your preferred forms of communication and you tell us about any changes to these.

Who controls your Rural Payments Agency personal data

The Department for Environment, Food and Rural Affairs (Defra) is the data controller for personal data you give to RPA.

The Defra group has adopted the approach recommended by the Information Commissioner’s Office (ICO) for informing people about their rights.

This personal information charter details individual rights when we process your data and who to contact.

More detailed information on how we manage personal data for each of our functions is shown in the specific Privacy Notices.

Lawful basis for processing

RPA primarily processes personal data on the legal basis that a task is carried out in the public interest (GDPR Art 6(1)(e)). Section 8(d-e) of the DPA 2018 states that public interest processing includes processing that is necessary for the exercise of a function of the Crown, a Minister, or a Government department, or an activity that supports or promotes democratic engagement. Where RPA relies upon another legal basis, such as consent to exercise a function, the privacy notice will mention this.


The EU’s Article 29 Data Protection Working Party has issued guidance on transparency requirements needed to meet the GDPR.

Transparency applies to three areas under the GDPR:

1) giving information to data subjects about fair processing

2) how data controllers communicate with data subjects about their rights under the GDPR

3) how data controllers manage the exercise by data subjects of their rights

Transparency encourages trust in the processes which affect people so they can understand, and if necessary, challenge those processes. It is also about making sure data is processed lawfully and fairly and is accountable under the GDPR. The controller must be able to show that personal data is processed in a transparent manner for the data subject.

What is personal data?

Personal data is data which identifies an individual directly or indirectly, particularly by using an identifier such as their name or a reference number.

Some personal data is more sensitive and needs more careful handling. These ‘special categories of personal data’ refer to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.

Who does the GDPR apply to?

The ICO has set out its view on who GDPR applies to:

  • The GDPR applies to ‘controllers’ and ‘processors’.
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller.
  • If you are a processor, the GDPR places specific legal obligations on you; for example, you need to keep records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • If you are a controller, you must make sure your contracts with processors meet the GDPR.
  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Defra group

Defra and its four core agencies form a single legal entity and Data Controller. These four agencies are:

  • Animal and Plant Health Agency (APHA)
  • Centre for Environment, Fisheries and Aquaculture Science (CEFAS)
  • Rural Payments Agency (RPA)
  • Veterinary Medicines Directorate (VMD)

The wider Defra group also includes Non-Departmental Public bodies and Non-Ministerial Departments who are separate Data Controllers:

  • Board of Trustees of the Royal Botanic Gardens Kew
  • Environment Agency (EA)
  • Joint Nature Conservation Committee (JNCC)
  • Marine Management Organisation (MMO)
  • Natural England (NE)
  • Forestry Commission (FC)

What are my rights?

Your rights under GDPR/Data Protection Act 2018 are listed in full on the Information Commissioner’s website.

How we use your data

We use your personal data to deliver Public Services as set out in the supporting Privacy Notices. They set out the reason(s) we need your information, how your information is being collected, what we will do with it and who we will share it with. In some cases we may pass it on to our agents/representatives to do these things on our behalf.

When we share personal data

We share personal data where we are legally required to do so or to provide services to meet our public task. This means the legislative requirements RPA has to meet, or assurance activity such as counter-fraud measures. We also share data about compliance functions RPA shares with other bodies, or to support the functions these bodies do to meet public tasks. If we need to do this, we will tell you why and who we will share your personal data with. We will also make sure that the data controller or data processor agrees to handle your data in a way that meets with your rights.

When we publish personal data

Public bodies need to be transparent about, for example, the use of money, and in some cases this may mean the publication of personal information. Data published in these cases will balance the need for transparency with your privacy rights. Examples where we publish personal data are:

  • Senior Executive salaries
  • Public registers
  • Publication of beneficiary information
  • European legislation (Regulation 1306/2013) which requires RPA to publish certain information about you, if you receive any CAP scheme payments

We may have to release personal data and commercial information under the Environmental Information Regulations 2004, the Freedom of Information Act 2000 and the Data Protection Act 2018. Anonymous or non-personal data may be shared in support of public tasks and where possible disclosed under an Open Government Licence.

Publication of beneficiary information

RPA may have to publish certain information about you if you receive any CAP scheme payments. This may include:

  • your name
  • your company name
  • your postcode and county
  • how much you were paid and reason for payment (for example, Basic Payment Scheme payments)

If you are paid €1,250 or less, the information will be anonymous.

The EU and member state bodies may use this data in their work to safeguard EU funds.

How long will we keep data

Public bodies keep information to make sure they are accountable. When we no longer need personal data, it is securely deleted or destroyed. Retention periods are set in line with statutory, regulatory, legal or security reasons, or for their historic value. Details are shown on the relevant Privacy Notice.

Your personal data is kept by us in line with our information retention schedules. Information on retention is included in individual Privacy Notices and may be extended on a case by case basis if necessary.

Examples of this include: appeal, audit activity, complaint, irregularity, historic value (as determined by the Public Records Act), legal action, a formal request for information, or if it sets a precedent.

In these cases access to this information and processing of it will be limited to this specific use and where possible, personal data redacted, or its access restricted.

What if my details are inaccurate or incomplete

If you discover that the personal data we hold about you is not correct, please contact us (see ‘How to contact us’). You will need to tell us where you have seen it and what data you feel is inaccurate. We will try to respond to you within one month (two months if the request is complicated).

Where we think that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the Information Commissioner’s Office, as detailed in this Personal Information Charter.

How do I ask to see the data you hold about me?

You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to RPA’s Information Rights Team (IRT) at the address in the ‘How to contact us’ section below.

We will acknowledge your request and may ask for proof of your identity.

We will respond within one month (two months in complex cases). We may have to refuse your request if the cost is too high, or ask you to contribute towards these costs. Include as much information in your request as possible, for example, the functions, schemes, or transactions and dates that you want to know about.

Do you transfer my personal data outside of the European Economic Area?

In most cases, personal data is not transferred or stored outside of the European Economic Area. If your personal data is processed outside the United Kingdom or European Economic Area, it will be noted on the Privacy Notice, along with the safeguards that are in place.

You have the right to request that:

1) we no longer process your personal data

2) we delete your personal data at any time

However, we may have to refuse your request if the data is needed to meet a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse your request for public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. If this is the case, we will advise you of this.

We may hold and make your data anonymous for data analysis before we delete it.

What will happen if I do not supply the requested personal data?

If you do not supply the requested personal data it is likely that the service you want may not be available to you. This may mean that you don’t meet with specific legislation. We try to make sure that we only collect the minimum personal data necessary for us to offer the service(s) to you.

Will my data be used for automated decision making?

Your personal data may be subject to automated decision making. The relevant Privacy Notice will confirm where this happens and the expected consequences of this processing.

How do I make a complaint about how my personal data has been handled?

If you think your data has been misused or that RPA’s handling of your data was not secure, please contact us using the details below.

How to contact us

For general enquiries, please contact the team you are already communicating with. They can update your data or give most of your information. If they cannot help you, or you have a complaint about how your data is being handled, please use the following contacts:

You can call or email the Customer Service Centre or write to:

Rural Payments Agency
PO Box 69

Telephone: 0300 0200 301

How do I report a data breach

You can email the Security team or write to:

The Security Team
200 North Gate House

How do I ask to see the data you hold about me?

For general enquiries, contact the team you are already communicating with. However, if they cannot help you further, or you wish to formally request your personal information, please email the Information Rights Team or write to:

RPA Information Rights Team
Rural Payments Agency
North Gate House
21-23 Valpy Street

How do I make a complaint about how my personal data has been handled?

If you have concerns about the handling of a request to exercise your rights, please follow RPA’s complaints procedure.

Any complaint to RPA, Defra or the Information Commissioner is without prejudice to your right to seek redress through the courts. Full details are available on the Information Commissioner’s website.

If you have gone through RPA’s formal complaints procedure and are still unhappy with the outcome, you can email or write to:

RPA Data Protection Manager
Rural Payments Agency
North Gate House
21-23 Valpy Street

Or you can email or write to:

Defra Group Data Protection Officer
Department for Environment, Food and Rural Affairs
SW Quarter
2nd floor
Seacole Block
2 Marsham Street

Or email or write to:

Information Commissioner's Office
Wycliffe House
Water Lane

Changes to the Personal Information Charter

We keep our Personal Information Charter under regular review. This was last updated on 9 May 2018.