Personal information charter

This charter sets out what, customers, contractors and employees can expect from RPA when we ask for, or hold, your personal information.

Rural Payments Service

To find out how personal information is protected, Forestry Commission and Natural England customers should follow the links below.

Forestry Commission – Our Information Charter
Natural England - Personal Information Charter

Rural Payments Agency (RPA) customers should read the information below.

Who controls your Rural Payments Agency personal data

The Department for Environment, Food and Rural Affairs (Defra) is the data controller for personal data you give to the Rural Payments Agency (RPA).

The Defra group has adopted the ICO’s recommendation of having a layered approach to informing people about their rights.

Customer facing communications RPA uses include a short form of words directing people to the personal information charter: “For information on how we handle personal data go to www.gov.uk and search Rural Payments Agency personal information charter.”

The personal information charter outlines individual rights when we processes your data. It is important to recognise that it only focuses upon the high level requirements and who to contact to exercise their rights.

More detailed information on how we manage personal data for each of our functions is shown within specific Privacy Notices.

Introduction

The Defra group are committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the General Data Protection Regulation (GDPR) and the Data Protection Act/Bill (DPA 2018).

We must provide you with information setting out how we process your personal data. This is set out below and in our Privacy Notices. This is intended to apply to any Defra group organisation website, application, product, software, or service that links to it (collectively, our “Services”). A Service will link directly to a specific Privacy Notice that outlines the particular privacy practices of that Service.

When we make changes, we will update the relevant Privacy Notice and do our best to let you know. We can only do this, if you let us have your contact details, your preferred forms of communication and you inform us of any changes to these.

Transparency

The EU’s Article 29 Data Protection Working Party has issued guidance on transparency requirements necessary to comply with GDPR:

Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights2. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/6803, these guidelines also apply to the interpretation of that principle.

Transparency is a long established feature of the law of the EU5 [France, Germany, Italy, Spain, and United Kingdom]. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union. Under the GDPR (Article 5(1) (a) 6), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.

What is personal data?

Personal data, is data which identifies an individual directly or indirectly, in particular by reference to an identifier such as their name or a reference number.

Some personal data is more sensitive in nature and requires more careful handling. GDPR defines “special categories of personal data” which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.

Who does the GDPR apply to?

The ICO has set out its view on who GDPR applies to:

  • The GDPR applies to ‘controllers’ and ‘processors’.
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller. *If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. *The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Defra group

Defra and its four core agencies form a single legal entity and Data Controller. These four agencies are:

  • Animal and Plant Health Agency (APHA)
  • Centre for Environment, Fisheries and Aquaculture Science (CEFAS)
  • Rural Payments Agency (RPA)
  • Veterinary Medicines Directorate (VMD)

The wider Defra group also includes the following Executive Non-Departmental Public bodies and Non-Ministerial Departments who are separate Data Controllers:

  • Board of Trustees of the Royal Botanic Gardens Kew
  • Environment Agency (EA)
  • Joint Nature Conservation Committee (JNCC)
  • Marine Management Organisation (MMO)
  • Natural England (NE)
  • Forestry Commission (FC)

What are my rights?

You have rights under GDPR/Data Protection Bill/Act 2018 they are listed out in full in the Information Commissioner’s website here:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

How we use your data?

We process your personal data in a number of ways to deliver Public Services. These are set out within the supporting Privacy Notices. They will set out the reason(s) we need your information, how your information is being collected what we will do with it and who we will share it with. In some cases we may pass it on to our agents/representatives to do these things on our behalf.

When we share personal data

We share or disclose personal data where we are required to so by law or to provide Services to fulfil our public task. Where we know there is a requirement to share your personal data we will tell you why and who we will share your personal data with. We will ensure that the data processor agrees to handle your data in conformity with your rights.

When we publish personal data

Public bodies are required to be transparent about the use of money, for example, and in some cases this may require the publication of personal information. Data published in these cases will balance the needs for transparency compared to your privacy rights. Examples where we publish personal data are:

  • Senior Executive salaries
  • Public registers
  • Publication of beneficiary information
  • European legislation (Regulation 1306/2013) requires RPA to publish certain information about you, if you receive any payments from CAP schemes.

We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000. Anonymized or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.

Publication of beneficiary information

European legislation (Regulation 1306/2013) requires RPA to publish certain information about you, if you receive any payments from CAP schemes.

Depending on the legal structure of your business, this might include:

  • your name
  • your company name
  • your postcode and county
  • how much you were paid and reason for payment (for example, Basic Payment Scheme payments)

If you are paid €1,250 or less, the information will be anonymous.

The EU and member state bodies might use this data in their work to safeguard EU funds.

How long will we keep data?

Public bodies retain information for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Retention periods are set in line with statutory, regulatory, legal, security reasons or for their historic value. Details will be on the relevant Privacy notice.

Your personal data will be kept by us in line with our information retention schedules. Information on retention for each function are contained on individual Privacy Notices. However, this may be extended on a case by case basis, if RPA determines that it is remains necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller to issue.

Examples of where information may need to be retained longer include: appeal, audit activity, complaint, irregularity, has historic value, as determined by the Public Records Act, legal action, a formal request for information, or if it sets a precedent.

In these cases access to this information and processing of it will be limited to this narrower use and where possible personal data redacted, or if not its access restricted.

What if my details are inaccurate or incomplete?

If you discover that the personal data we hold about you is inaccurate, or incomplete, please contact us (see ‘How to contact us’), so we can update your records. When doing so, please explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period to two if the request is complicated.

Where we maintain that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the Information Commissioner’s Office, as detailed in this Personal Information Charter.

How do I ask to see the data we hold about you?

You can ask to see what data we hold about you. This is called a ‘subject access request’. Send your written request to the RPA’s Information Rights Team (IRT). The address in the ‘How to contact us’ section below.

On receipt of your request we will acknowledge it and may ask for proof of your identity.

We will respond within one month, and exceptionally extend this by up to two months in complex cases. If we determine that the costs and or resources to provide you with all of the data requested, due to the volume, we may have to refuse your request or ask you to provide a contribution to meet these costs. When you ask to see information we hold it is helpful to include as much information as possible to help us find the data you want, for example, tell us the functions, schemes, or transactions and dates that you want to know about.

Do you transfer my personal data outside of the European Economic Area?

There are instances where personal data is stored outside the European Economic Area. In most cases Personal data is not transferred or stored outside of the European Economic Area. If your personal data is processed outside the United Kingdom or European Economic Area, it will be mentioned on the Privacy Notice, which will inform you of this and the safeguards that are in place.

You have the right to request that (1) we no longer process your personal data and (2) request that we delete your personal data at any time. However, agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes. Where this is the case and agreement is not required we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.

What are the consequences if I do not supply the requested personal data?

If you do not supply the requested personal data it is more than likely that the Service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example not complying with specific legislation. We try to ensure that we only collect the minimum personal data that is necessary for us to offer the Service(s) to you.

Will my data be used for automated decision making?

Your personal data may be subject to automated decision making. The relevant Privacy Notice will confirm where automated decision making applies takes place including profiling, and the envisaged consequences of such processing.

How do I make a complaint about how my personal data has been handled?

If you think your data has been misused or that RPA’s handling of your data was not secure, please go to section immediately below on contacting us.

How to contact us

For day to day use, please look to contact the team you are already communicating with. They are best placed to manage general enquiries or to update the accuracy of your data, or provide you with information. However, if they cannot help you, or you have a complaint about how your data is being handled, please use following contacts, making clear which right you wish to exercise:

You can call or email the Customer Service Centre or write to:

Rural Payments Agency,
PO Box 69,
Reading
RG1 3YD

Telephone: 0300 0200 301

How do I report a data breach

You can email the Security Team Security@rpa.gsi.gov.uk or write to:

The Security Team,
200 North Gate House,
Reading,
RG1 1AF

How do I ask to see the data we hold about you?

For day to day use, it will be quicker and easier to contact the team you are already communicating with. They are best placed to provide you with information we hold about you. However, if they cannot help you further, or you wish to formally request your personal information please use following:

Email requests for information to the Information Rights Team or write to:

RPA Information Rights Team,
Rural Payments Agency,
North Gate House,
21-23 Valpy Street,
Reading,
Berkshire
RG1 1AF

How do I make a complaint about how my personal data has been handled?

If you have concerns about the handling of request to exercise your rights, please follow the RPA’s complaints procedure:

Any complaint to the RPA, Defra or Information Commissioner is without prejudice to your right to seek redress through the courts. Should you wish to exercise that right full details are available on the Information Commissioner’s website here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you have gone through the RPA’s formal complaints procedure, but remain unhappy about the outcome, you can contact the following:

Email to the RPA.DPAQueries@rpa.gsi.gov.uk or write to:

RPA Data Protection Manager,
Rural Payments Agency,
North Gate House,
21-23 Valpy Street,
Reading,
Berkshire
RG1 1AF

Email to the DefraGroupDataProtectionOfficer@defra.gsi.gov.uk or write to:

Defra Group Data Protection Officer,
Department for Environment,
Food and Rural Affairs,
SW Quarter,
2nd floor,
Seacole Block,
2 Marsham Street,
London
SW1P 4DF

Email to the casework@ico.org.uk or write to:

Information Commissioner's Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF

Changes to the Personal Information Charter

We keep our Personal Information Charter under regular review. This Personal Information Charter was last updated on 24 May 2018.