Guidance

APHA employees, workers and contractors UK privacy notice

Updated 19 March 2024

Applies to England, Scotland and Wales

The purpose of this document

The Animal and Plant Health Agency (APHA) is committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and process personal information about you during and after your working relationship with us, in accordance with data protection laws, (such as the EU General Data Protection Regulation 2020 and the Data Protection Act 2018).

It applies to all current and former employees, workers and contractors, however this notice does not form part of any contract of employment or other contract to provide services.

It may be the case that additional privacy notices are provided on specific occasions that will inform you of how and why we are using such information. This privacy notice will be updated on a regular basis, go to your intranet for an updated copy.

You can read details of our personal information charter.

Data protection team contact details

You can contact the Animal and Plant Health Agency’s Data Protection Manager at:

Data Protection Manager
Animal and Plant Health Agency County Hall
Spetchley Road
Worcester
WR5 2NP

Email enquiries@apha.gov.uk.

Any questions about how we are using your personal data and your associated rights should be sent to the above contact.

Defra have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. The DPO is responsible for monitoring that APHA is meeting the requirements of Data Protection legislation.

Contact details are in APHA’s personal information charter.

What kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection.

We may collect, store, and use the following categories of personal information about you when required:

• personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
• information about your social economic background such as details about the type of school you attended and your parents highest qualification and main job, if you choose to provide them to us
• dates of birth, marriage and divorce
• gender
• marital status and dependants
• information about any caring responsibilities you may have where these might significantly affect your ability to work your contracted hours where an event causes Defra to work in different ways
• next of kin, emergency contact and death benefit nominee(s) information
• National Insurance number
• bank account details, payroll records and tax status information
• salary, annual leave, pension and benefits information
• start date, leaving date and reason
• location of employment or workplace
• copy of driving licence, passport, birth and marriage certificates, decree absolute
• recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
• full employment records for Civil Service employment (including contract, terms and conditions, job titles, work history, working hours, promotion, absences, attendances, training records and professional memberships)
• information about your designation as a key or critical worker
• compensation history
• performance and appraisal information
• disciplinary and grievance information
• secondary employment and volunteering information
• CCTV footage and other information obtained through electronic means such as swipe card records
• information about your use of our information and communications systems
• photographs, videos
• accident book, first aid records, injury at work and third party accident information
• evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance - this can include passport details, nationality details and information about convictions/allegations of criminal behaviour
• evidence of your right to work in the UK/immigration status

We will also collect, store and use the following “special categories” of more sensitive personal information:

• information about your race or ethnicity, religious beliefs, sexual orientation and your political opinions, if you choose to provide them to us
• trade union membership
• information about your health, including any medical condition, health and sickness records which may potentially include genetic information and biometric data
• information about criminal convictions, allegations and offences

How your personal information is collected

We typically collect personal information about employees, workers and contactors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider.

We will sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies, including:

• employee’s doctors, medical and occupational health professionals (Duradiamond)
• Disclosure and Barring Service (DBS)
• Home Office – UK Visas and Immigration
• Home Office – UK Border Force
• consultants and other professionals who advise Defra generally

We will collect additional personal information in the course of job-related activities throughout the period of you working for us. Some information, such as the information about your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions can be provided by you on a voluntary basis.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• where it is necessary for performing the contract we have entered into with you.
• where we need to comply with a legal obligation
• where it is in the public interest to do so, or for official purposes, or in the exercise of a function of the Crown, a minister of the Crown or Government Legal Services (GLD) as a government department
• where you have provided personal data on a voluntary basis and consent to Defra processing the data in the way agreed
• where it is necessary to protect your vital interests, or the vital interests of another person

The situations in which we will process your personal information are:

• making a decision about your recruitment or appointment
• determining the terms on which you work for us
• checking you are legally entitled to work in the UK and to provide you with the security clearance appropriate for your role.
• for civil servants, to check eligibility to become and remain a civil servant
• paying you - or recovery of any overpayment - and if you are an employee, deducting tax and National Insurance contributions
• providing employment-related benefits to you including:
  • all types of leave in line with organisational policy
  • pension
  • advances of salary
• liaising with your pension provider, providing information about changes to your employment such as promotions, changing in working hours
• general administration of the contract we have entered into with you
• business management and planning, including accounting, auditing and business continuity
• conducting performance reviews, managing performance and determining performance requirements
• making decisions about salary reviews and compensation
• assessing qualifications for a particular job or task, including decisions about promotions
• gathering evidence and any other steps relating to possible grievance or disciplinary matters and associated hearings
• making decisions about your continued employment or engagement
• making arrangements for the termination of our working relationship
• education, training and development requirements
• dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
• ascertaining your fitness to work, managing sickness absence
• complying with health and safety obligations
• to prevent and detect fraud
• to monitor your business and personal use of our information and communication systems to ensure compliance with our IT policies
• to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
• to conduct data analytics studies to review and better understand employee retention and attrition rates
• equal opportunities and social economic background monitoring, if you choose to provide them to us. This will include the further processing of the data with the addition of other factors, such as your gender, age, pay grade, and working pattern
• dealing with Freedom of Information Act/Environmental Information Regulations requests, if data protection laws allow

How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

We will, if necessary, process special categories of personal information in the following circumstances:

• where we need to carry out our legal obligations or exercise our employment-related legal rights and in line with our data protection policy

• where it is in line with our data protection policy, and necessary for:

• performing our functions as a government department or a function of the Crown
• equal opportunities monitoring (provided on a consent/voluntary basis)
• administering our pension scheme
• preventing or detecting unlawful acts
• where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
• where it is necessary to protect your vital interests, or the interests of another person
• where it is needed in relation to legal claims

We will use your particularly sensitive personal information in the following ways:

We will use information relating to leaves of absence; this can include sickness absence or family related leave, to comply with employment and other laws.

We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.

We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting if you choose to provide them to us. This will include the further processing of the data with the addition of other factors, such as your gender, age, pay grade, and working pattern.

In the case of information about your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions – this information is provided on a completely voluntary basis and is also not a condition of your contract that you supply the information requested.

As explained in the sections below covering your rights, you have the right to remove your consent for Defra to hold or process this personal data (and have the personal data already provided deleted) at any point.

What happens if you fail to provide personal information?

If you fail to provide certain information when requested, we will not be able to fully perform the contract we have entered into with you (such as paying you or providing a benefit), or we could be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). However, this does not apply where the information is collected on a voluntary (consent) basis.

Can we use the information for a different purpose?

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

Information about criminal convictions

We will only use information relating to criminal convictions or alleged criminal behaviour where the law allows us to do so. This can arise when it is necessary for us to comply with the law or for another reason where there is a substantial public interest in us doing so.

Less commonly, we will, if necessary, use information relating to criminal convictions or alleged criminal behaviour where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We will only collect information about criminal convictions or allegations of criminal behaviour where it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions/allegations as part of the recruitment process or if we are notified of such information in the course of you working for us.

We will use information about criminal convictions/allegations and offences in the following ways:

To make decisions regarding suitability for the role, or in relation to possible grievance or disciplinary matters and associated hearings.

Reference policy or operational instructions relevant to this:

• intranet guidance for recruiting managers
• the National Security Vetting information on the Defra intranet
• the code of conduct and any contractual terms and conditions which form your contract of employment with Defra

We are allowed to use your personal information in this way where it is in line with our data protection policy and where one of the following reasons arises:

• where we need to carry out our legal obligations or exercise our employment-related legal rights
• where it is substantially in the public interest to do so and necessary for performing our functions as a government department or a function of the Crown

Which third parties might we share your personal information with?

We will in some circumstances have to share your data with third parties, including third-party service providers and other Civil Service bodies such as the Civil Service Commission, the Advisory Committee on Business Appointments and the Office of the Commissioner for Public Appointments.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you; where it is in the public interest to do so or where it is necessary for the performance of our functions as a government department or a function of the Crown. This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions/allegations.

Where we are contacted by your new/prospective employer for an employment reference, or by a third party requesting a financial reference – for example to support tenant or mortgage applications. We may also share information on how your personal data relating to financial transactions may be used in counter-fraud and error data matching exercises.

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within the Civil Service. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services, security vetting.

These external parties include:

Third Party	Purpose
HM Revenue and Customs	Tax and pay
UKBA and UKSV	Visa applications and security vetting
Shared service providers	Administration of your HR, pay and pension records
Pension service providers, and any additional voluntary contributions providers	Pensions administration
The National Archives and any other holder of official records	If records are deemed to have historical interest
The Office of National Statistics	Data relating to special employment conditions, such as apprenticeships and fast-stream
External auditors	Variety of audit checks to assure compliance with process/policy
Third party service providers, such as childcare voucher schemes	Administration of benefits
Debt collection agencies	Collection of money owed post-employment
Occupational health providers	Legal obligation to support employees health and wellbeing
Outplacement support providers	Support for at risk employees
Lease and fleet car	Administration of lease and fleet car
Travel providers	Travel and accommodation arrangements
Offsite document storage providers	Storage of your HR, pay and pension records

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Which Civil Service organisations might we share your personal information with?

We will share your personal data with other Civil Service organisations as part of our regular reporting activities on departmental performance, in the context of a business reorganisation or restructuring exercise, for system maintenance support and hosting of data; business planning/talent management initiatives, succession planning, statistical analysis; and general management and functioning of the Civil Service.

Pseudonymised personal data - replacing most identifying fields within a data record by one or more artificial identifiers - is also shared with the Office for National Statistics, mainly for statistical purposes. The Office for National Statistics, along with other auditing bodies such as National Audit Office can also see and review personal data in an audit. As mentioned above, personal information sent to the Cabinet Office for equal opportunities and social economic background monitoring is also pseudonymised, and not anonymised (Defra still holds the information which includes the identifiable staff numbers).

As part of the National Fraud Initiative your data may be shared with the Audit Commission.

If required, we will need to share your personal information with a regulator or to otherwise comply with the law.

When will we process your information outside the EU?

We do not transfer data outside the EU however some of your personal data may be processed offshore by our services provider, Shared Services Connected Limited (SSCL).

SSCL use Centres of Excellence in the UK and in India to manage our back office services.

Your personal data receives the same level of protection when processed offshore as it does onshore. This protection is delivered by the use of standard data protection clauses adopted by the European Commission, and used in their entirety in the contract with SSCL.

A copy of the model contract clauses are published on the Commission website.

How is your personal information secure?

We have put in place measures to protect the security of your information. Details of these measures are available on the intranet.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How long will you hold my personal information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy.

What are my rights in relation to my personal information?

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Please contact the Data Protection team via enquiries@apha.gov.uk to exercise any of your rights in this section.

Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. This can be where you have provided your personal data voluntarily and have then withdrawn your consent, or where you have objected to the processing of your personal data.

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal information to another party. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party.

Request to withdraw your consent. Where you have provided your consent to the collection, processing or transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time, and as above you also have the right to ask that we delete the information held, (for example, where you have provided information voluntarily on your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions you can withdraw your consent, delete any information that you have access to, and then ask that we delete any further personal information held). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

How do I lodge a complaint with the Information Commissioner’s Office (ICO)?

If you are not satisfied with the way your personal information is being handled, you can contact the Data Protection Officer to review how your personal information is being used:

Defra Group Data Protection Officer
Department for Environment, Food and Rural Affairs
SW Quarter, 4th floor, Seacole Block
2 Marsham Street
London
SW1P 4DF

Email: DefraGroupDataProtectionOfficer@defra.gov.uk.

You have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO) at any time.