Guidance

Defra employee and contractor privacy notice

Updated 25 April 2024

This privacy notice explains how Defra collects and uses the personal data of current, former or prospective employees, workers and contractors for recruitment and employment purposes.

This privacy notice may be supplemented by additional privacy notices which will be provided on specific occasions.

Who collects your personal data

Department for Environment, Food and Rural Affairs (Defra) is the controller for the personal data we collect:

Department for Environment, Food and Rural Affairs
Seacole Building
2 Marsham Street
London
SW1P 4DF

If you need further information about how Defra uses your personal data and your associated rights, you can contact the Defra data protection manager. Email data.protection@defra.gov.uk.

The data protection officer for Defra is responsible for checking that Defra complies with legislation. You can contact them by email at DefraGroupDataProtectionOfficer@defra.gov.uk.

The personal data we collect

Defra or its service providers collect, store and use the following types of personal data:

  • personal contact details, such as name, work and home addresses, telephone number and email address
  • date of birth, marriage, civil partnership and divorce information
  • gender, marital status, dependants, next of kin, emergency contact and death benefit nominee information
  • socio-economic background, such as type of school attended, parents’ highest qualification and main job
  • any caring responsibilities which might prevent you working your contracted hours if an event caused Defra to work in different ways
  • National Insurance number
  • bank account details and tax status information
  • copy of driving licence, passport, birth and marriage certificates, decree absolute
  • secondary employment, volunteering information and register of interests which may include business interests of you or your close family and friends
  • recruitment information, such as right-to-work documentation, references and details in a curriculum vitae (CV) or other supporting documentation
  • evidence of how you meet nationality rules, your right to work in the UK and immigration status, such as passport and nationality details
  • photographs and videos

Defra or its service providers store and use the following types of personal data relating to your employment:

  • salary, payroll records, annual leave, pension and benefits information
  • confirmation of your security clearance
  • start and leave dates including reasons for leaving
  • location of workplace or employment, such as contractual homeworking location
  • employment records, such as your contract, job title, working hours, attendance, training records and professional memberships
  • performance, appraisal, disciplinary and grievance information
  • information about your designation as a key or critical worker
  • compensation history
  • CCTV footage and other information obtained through electronic means, such as swipe-card records and Defra IT log-in information (location and system use)
  • your use of Defra’s information and communications systems
  • accident book, first aid records, injury at work and third-party accidents

Special category personal data

You may provide, on a voluntary basis, further personal data that needs more protection, such as:

  • race or ethnicity
  • religious beliefs
  • sexual orientation
  • political opinions
  • trade union membership
  • health data, such as medical conditions and sickness records, which may include genetic and biometric data

Criminal conviction data

Defra or its service providers only collect personal data about criminal convictions or allegations of criminal behaviour:

  • where it’s appropriate to your role
  • if it’s legally possible to do so
  • as part of the recruitment process
  • if you tell us during your employment or contract

How we collect your personal data

Defra or its service providers collect personal data about employees and contractors through the recruitment process. This personal data comes directly from candidates or sometimes from an employment agency or background check provider.

Defra or its service providers sometimes collect personal data from third parties including:

  • former employers
  • credit reference agencies or other background check agencies
  • doctors, medical and occupational health professionals
  • Disclosure and Barring Service
  • United Kingdom Security Vetting
  • UK Visas and Immigration
  • consultants and other professionals who advise us

Defra or its service providers may collect additional personal data during job-related activities throughout your employment, for example for roles which need enhanced security checks. Where data is obtained from third parties, we will notify you of this within one month of receipt of the data.

How we use your personal data

Defra or its service providers use your personal data to:

  • manage your contract of employment
  • make a decision about your recruitment or appointment, such as assessing qualifications for a role
  • pay you and deduct tax and National Insurance contributions, as required by HM Revenue and Customs (HMRC)
  • check your eligibility to become and remain a civil servant
  • provide you with employment-related benefits
  • give information to your pension provider, such as a promotion or change in working hours
  • conduct performance reviews, manage performance and set performance goals
  • help plan your education, training and development requirements
  • general administration of the contract we have entered into with you
  • monitor equal opportunities and diversity
  • comply with health and safety regulations
  • monitor your use of Defra’s information and communication systems and check you follow its IT, security and acceptable use policies
  • ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • provide IT advice and assistance to staff via the use of an IT Service Desk
  • provide you with the security clearance appropriate for your role
  • deal with Freedom of Information Act, Environmental Information Regulations and subject access requests
  • monitor your location of work in Defra group offices to comply with Civil Service policies and frameworks

Defra or its service providers may also use your personal data to:

  • make a decision about your promotion or suitability for level transfer to another role
  • check you are legally entitled to work in the UK
  • provide evidence for grievance or disciplinary matters
  • assess whether your outside interests conflict with your role
  • make decisions about your continued employment or engagement and termination of contract
  • deal with legal disputes involving you and other employees or contractors, including accidents at work
  • prevent fraud
  • make decisions about salary reviews and compensation
  • gather personal data to review and better understand employee retention and attrition rates
  • carry out business management and planning, for example accounting, auditing or for business continuity

Use of special category personal data

Defra or its service providers may use special category personal data, which needs more protection and which you provide on a voluntary basis, to:

  • meet our legal obligations or employment-related legal rights
  • manage leave of absence
  • carry out our statutory duties or for other official purposes
  • decide if you’re fit to work, manage sickness absence and provide reasonable adjustments for you to meet any special or medical needs that you have
  • ensure your health and safety in the workplace, provide appropriate workplace adjustments and administer benefits
  • register the status of a protected employee and to comply with employment law obligations
  • administer our pension scheme
  • prevent or detect unlawful acts
  • protect your vital interests or those of another person

Defra or its service providers will carry out equal opportunities monitoring and reporting using personal data you’ve provided on a voluntary basis about your:

  • race or national or ethnic origin
  • religious, philosophical or moral beliefs
  • sexual orientation

This will include further processing of your personal data alongside other information, such as your gender, age, pay grade and working pattern.

This processing will be limited to a small number of individuals within Defra group Human Resources and Defra group Corporate Services Data and Analytics Team and will not be shared without an appropriate sign off process. Such sharing decisions are taken in accordance with advice provided by data protection colleagues, and the involvement of the Defra group data protection officer.

Use of criminal conviction data

Defra or its service providers will use personal data about criminal convictions or allegations:

  • to make decisions regarding suitability for a role with Defra
  • in possible grievance or disciplinary matters and associated hearings

Defra or its service providers will also use this personal data to refer to relevant policy or operational instructions, the code of conduct and any terms and conditions which form your contract of employment. Defra or its service providers only use your personal data in these ways, where one of the following applies:

  • Defra or its service providers need to carry out our legal obligations or employment-related legal rights
  • where it is substantially in the public interest to do so and is necessary for official purposes
  • to carry out our statutory duties

Use of data for a different purpose

Defra or its service providers may need to use your personal data for a purpose that we did not identify when it was first collected. If this is the case, we will tell you, and explain the legal basis for using it for an unrelated or new purpose, for example by updating this privacy notice.

If there is a change of use that is compatible with the original purpose, then Defra or its service providers will not notify you of this.

Defra or its service providers will process your personal data without your consent where we are required or permitted to do so by law.

Defra or its service providers will only use your personal data when the law allows and most commonly use your personal data:

  • for the performance of a contract, such as your contract of employment
  • when it’s in the public interest to do so for official purposes. For example, providing information to Civil Service Learning
  • to carry out its statutory duties to comply with a legal obligation. For example, providing information to HMRC
  • when you’ve provided personal data on a voluntary basis and consent to Defra processing it in the agreed way. For example, your socio-economic background
  • to protect your vital interests or those of another person. For example, health and safety information
  • where you provide consent for Defra to process your personal data. For example, special category data
  • where necessary for Defra’s legitimate interests, such as providing IT services to staff via third-party contractors, except where such interests are overridden by the interests or fundamental rights and freedoms of staff

We comply with the following legislation:

  • UK General Data Protection Regulations 2021
  • Data Protection Act 2018
  • Employment Rights Act 1996
  • Equality Act 2010
  • Equality Act 2010 (Specific Duties and Public Authorities) Regulations 2017
  • Health and Safety at Work Act 1974
  • Immigration, Asylum and Nationality Act 2006
  • National Minimum Wage Act 1998
  • Pension Act 2008
  • Trade Union and Labour Relations (Consolidation) Act 1992
  • Transfer of Undertakings (Protection of Employment) Regulations 2006
  • Working Time Regulations 1998

Defra or its service providers must have further justification for processing your special category personal data. We rely on the processing conditions in the Data Protection Act 2018 which relate to the processing of special category data for employment, statutory and regulatory purposes to:

  • carry out our obligations or exercise our employment related legal rights
  • safeguard your employment rights
  • protect your vital interests or those of another person where you are incapable of giving your consent
  • establish, exercise, or defend legal claims
  • archive items that are in the public interest

Defra or its service providers may process personal data relating to criminal convictions and offences or related security measures. We rely on the processing conditions in the Data Protection Act 2018 which relate to the processing of criminal conviction data to:

  • meet our legal obligations, such as employment law, social security law or the law relating to social protection
  • exercise our employment-related legal rights
  • protect your interests or those of another person

Defra or its service providers do not always need your consent to use your personal data to meet their legal obligations or for another reason described in this notice.

Defra or its service providers may ask for your written consent to allow us to process certain data that needs more protection. Defra or its service providers will provide you with details of the personal data required and why it is needed. You can consider if you wish to give consent, but it is not a condition of your contract of employment that you agree to give your consent.

Providing personal data about your socio-economic background, race or ethnicity, religious beliefs, sexual orientation, political opinions and caring responsibilities is voluntary. It is not a condition of your contract that you provide this data. You have the right to:

  • remove consent at any time for us to hold or process this personal data
  • ask us to delete any of this data that you have already provided

Who we share your personal data with

Defra or its service providers share your personal data with third parties when:

  • required by law
  • requested by a regulator
  • necessary to manage its working relationship with you
  • it’s in the public interest to do so
  • necessary for the performance of its functions as a government organisation
  • contacted by a new or prospective employer for an employment reference
  • asked for a financial reference, such as a tenancy or mortgage application
  • necessary for fraud and data error investigations

This may involve sharing special category personal data if you choose to provide it.

The third parties referred to may include service providers, contractors, agents and other government bodies. See below for examples. This is not an exhaustive list.

Third-party | Purpose
Other government organisations | Regular reporting activities on organisational performance, system maintenance support and hosting of data, business planning and talent management initiatives, succession planning, statistical analysis and general management and functioning of the Civil Service.
HM Revenue and Customs | Tax and pay
Disclosure and Barring Service, United Kingdom Security Vetting and UK Visas and Immigration | Visa applications and security vetting
Service providers | Administration of your HR, pay, pension records and wider employee benefits to provide IT support and enable staff to manage their IT and to use additional or differing IT solutions where needed
Pension service providers, and any additional voluntary contributions (AVCs) providers | Pensions administration
The National Archives and any other holder of official records | Where records are of historical interest
The Office of National Statistics | Data relating to special employment conditions, such as apprenticeships and fast-stream
The National Audit Office and Government Internal Audit Agency | Audits
External auditors | Variety of audit checks to assure compliance with process/policy
Cabinet Office | Equal opportunities and socio-economic background monitoring where the data is pseudonymised. Also to prevent and detect fraud as part of the National Fraud Initiative.
Debt collection agencies | Collection of money owed post-employment
Occupational health providers | Legal obligation to support employee health and wellbeing
Outplacement support providers | Support for at risk employees
Lease and fleet vehicles | Manage lease and fleet vehicles
Travel providers | Travel and accommodation arrangements
Offsite document storage providers | Storage of your HR, pay and pension records

Defra requires all our third-party service providers to take appropriate security measures to protect personal data, in line with Defra’s policies.

Defra does not allow third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for purposes we have specified.

When responding to requests for information under the Environmental Information Regulations and the Freedom of Information Act, Defra usually releases the following details for staff at Senior Civil Service (SCS) and above:

  • name
  • role
  • pay range
  • office location
  • email address

Defra does not release staff details if the work is considered sensitive.

How we keep your personal data secure

Defra and its service providers have put in place measures to keep your personal data secure.

Third parties will only process your personal data if we ask them to and if they have agreed to treat the data confidentially and to keep it secure.

We have appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed in an unauthorised way.

We limit access to your personal data to employees, agents, contractors and other third parties who have a business need to know. If they need to process your personal data, they must do it in accordance with our instructions and this privacy notice.

We also have procedures to deal with a suspected data security breach. If there is a suspected breach, we will notify you and any applicable regulator if we are either legally required to or think it is appropriate to tell you.

Information requests

Defra respects your personal privacy when responding to access to information requests. It will only share information when necessary to meet the statutory requirements of the Environmental Information Regulations and the Freedom of Information Act.

Data that has been made anonymous

Normally, Defra makes anonymous any data it shares with third parties. This may involve removing your personal data or combining it with other data. Anonymised data may be shared in the form of:

  • processed data
  • reports
  • presentations
  • academic publications

How long Defra holds personal data

Defra and its service providers only retain personal data for as long as necessary to fulfil the purposes they collected it for, such as employment, legal, accounting or reporting requirements.

All personal data is held in accordance with Defra’s retention schedule. If you would like more details, email data.protection@defra.gov.uk.

What happens if you do not provide personal data

If you do not provide certain data when requested, Defra may not be able to:

  • fulfil its contractual obligations with you, such as to pay you or provide benefits
  • meet its legal obligations, such as your health and safety

Use of automated decision-making or profiling

The personal data you provide is not used for:

  • automated decision making (making a decision by automated means without any human involvement)
  • profiling (automated processing of personal data to evaluate certain things about an individual)

Use of artificial intelligence

Your personal data may be processed using artificial intelligence (AI). Where AI processing is being considered, data protection impact assessment screening questions are compulsory, and a privacy notice will be published or amended to ensure transparency.

The processing of personal data by AI will only be permitted where alignment with the data protection legislation can be evidenced and appropriate safeguards are in place to protect your rights and freedoms.

Transfer of your personal data outside of the UK

Defra will only transfer your personal data to another country that is deemed adequate for data protection purposes.

Your rights

Find out about your individual rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Complaints

The ICO would prefer complaints to be made to the organisation in the first instance. However, you have the right to make a complaint to the Information Commissioner’s Office at any time.

Defra’s personal information charter

Defra’s personal information charter explains more about your rights over your personal data.