Defra and executive agencies employee and contractor privacy notice
Updated 4 November 2024
This privacy notice applies to all current and former employees, workers and contractors of:
- Department for Environment, Food and Rural Affairs (Defra)
- Animal and Plant Health Agency (APHA)
- Centre for Environment, Fisheries and Aquaculture Science (Cefas)
- Rural Payments Agency (RPA)
- Veterinary Medicines Directorate (VMD)
These organisations are collectively referred to as ‘Defra’ throughout this privacy notice. It’s stated clearly in the notice where a specific point does not apply to all 5 organisations.
This privacy notice describes how and why we collect and process personal data about you during and after your working relationship with us. This is in accordance with data protection laws, such as the UK General Data Protection Regulation and the Data Protection Act 2018.
‘We’ refers to Defra and our service providers throughout this privacy notice.
Who collects your personal data
Defra is the controller for the personal data we collect:
Department for Environment, Food and Rural Affairs
Seacole Building
2 Marsham Street
London
SW1P 4DF
Personal data we collect
We collect, store and use the following types of personal data:
- personal contact details – such as name, title, home address, home telephone numbers, personal mobile numbers and personal email addresses
- gender and date of birth
- marital status, civil partnership, dependents, next of kin, emergency contact and death benefit nominee information
- socio-economic background – such as type of school attended, parents’ highest qualification and main job
- equality, diversity and inclusion data (which may include some special category data), if you choose to provide it to us
- any caring responsibilities that might prevent you from working your contracted hours if an event caused Defra to work in different ways
- National Insurance number
- bank account details and tax status information
- copy of driving licence, passport, birth and marriage certificates, and decree absolute
- secondary employment, volunteering information and register of interests, which may include business interests of you or your close family and friends
- recruitment information – such as right-to-work documentation, references and details in a curriculum vitae (CV) or other supporting documentation
- evidence of how you meet nationality rules, your right to work in the UK and immigration status – such as passport and nationality details
- photographs and videos
We store and use the following types of personal data relating to your employment:
- salary, payroll records, annual leave, pension and benefits information
- confirmation of your security clearance
- start and leave dates including reasons for leaving
- location of workplace or employment – such as contractual homeworking location
- employment records – such as your contract, job title, working hours, attendance, training records and professional memberships
- performance, appraisal, disciplinary and grievance information
- information about your designation as a key or critical worker
- compensation history
- CCTV footage and other information obtained through electronic means – such as swipe-card records and Defra IT log-in information (location and system use)
- your use of Defra’s information and communications systems
- accident book, first aid records, injury at work and third-party accidents
Special category personal data
You may provide more personal data that needs more protection on a voluntary basis, such as:
- race or ethnicity
- religious beliefs
- sexual orientation
- political opinions
- trade union membership
- health data – such as medical conditions and sickness records, which may include genetic and biometric data
Criminal conviction data
We only collect personal data about criminal convictions or allegations of criminal behaviour:
- where it’s appropriate to your role
- if it’s legally possible to do so
- as part of the recruitment process
- if you tell us during your employment or contract
How we collect your personal data
We collect personal data about employees and contractors through the recruitment process. This personal data comes directly from candidates or sometimes from an employment agency or background check provider.
We sometimes collect personal data from third parties including:
- former employers
- credit reference agencies or other background check agencies
- doctors, medical and occupational health professionals
- Disclosure and Barring Service
- United Kingdom Security Vetting
- UK Visas and Immigration
- consultants and other professionals who advise us
We may collect additional personal data during job-related activities throughout your employment. For example, for roles that need enhanced security checks. We notify you where data is obtained from third parties within one month of receipt of the data.
How we use your personal data
We only use your personal information when the law allows us to. We most commonly use your personal information to:
- manage your contract of employment
- make a decision about your recruitment or appointment – such as assessing qualifications for a role
- pay you and deduct tax and National Insurance contributions, as required by HM Revenue and Customs (HMRC)
- check your eligibility to become and remain a civil servant
- provide you with employment-related benefits
- give information to your pension provider – such as a promotion or change in working hours
- conduct performance reviews, manage performance and set performance goals
- conduct investigations into serious disciplinary or criminal matters
- help plan your education, training and development requirements
- general administration of the contract we have entered into with you
- monitor equal opportunities and diversity
- comply with health and safety regulations
- monitor your use of Defra’s information and communication systems and check you follow its IT, security and acceptable use policies
- ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- provide IT advice and assistance to staff via the use of an IT Service Desk
- provide you with the security clearance appropriate for your role
- deal with Freedom of Information Act, Environmental Information Regulations and subject access requests
- monitor your location of work in Defra group offices to comply with Civil Service policies and frameworks
We may also use your personal data to:
- make a decision about your promotion or suitability for level transfer to another role
- check you are legally entitled to work in the UK
- provide evidence for investigations, grievances or disciplinary matters
- assess whether your outside interests conflict with your role
- make decisions about your continued employment or engagement and termination of contract
- deal with legal disputes involving you and other employees or contractors, including accidents at work
- prevent fraud
- make decisions about salary reviews and compensation
- gather personal data to review and better understand employee retention and attrition rates
- carry out business management and planning – for example, accounting, auditing or for business continuity
Use of special category personal data
‘Special category data’ is particularly sensitive personal information that requires higher levels of protection. We always need to have further justification for collecting, storing and using this type of personal information.
We may use your special category personal data on a voluntary basis to:
- meet our legal obligations or employment-related legal rights, in line with our data protection policy
- manage leave of absence – this can include sickness absence or family-related leave to comply with employment and other laws
- carry out our statutory duties or for other official purposes
- decide if you’re fit to work and provide reasonable adjustments for you to meet any special or medical needs that you have
- ensure your health and safety in the workplace, provide appropriate workplace adjustments and administer benefits
- register the status of a protected employee and comply with employment law obligations
- administer our pension scheme
- prevent or detect unlawful acts
- protect your vital interests or those of another person
We carry out equal opportunities monitoring and reporting using personal data you’ve provided on a voluntary basis about your:
- race or national or ethnic origin
- religious, philosophical or moral beliefs
- sexual orientation
This includes further processing of your personal data alongside other information – such as your gender, age, pay grade and working pattern.
This processing is limited to a small number of individuals within Defra group Human Resources (HR) and Defra group Corporate Services Data and Analytics team. It is not shared without an appropriate sign-off process. Such sharing decisions are taken in accordance with advice provided by data protection colleagues, and the involvement of the Defra group data protection officer.
Use of criminal conviction data
We use personal data about criminal convictions or allegations:
- to make decisions regarding suitability for a role with Defra
- in possible grievance or disciplinary matters and associated hearings
We also use this personal data to refer to relevant policy or operational instructions, the code of conduct and any terms and conditions that form your contract of employment. We only use your personal data in these ways where one of the following applies:
- we need to carry out our legal obligations or employment-related legal rights
- where it’s substantially in the public interest to do so and is necessary for official purposes
- to carry out our statutory duties
Use of data for a different purpose
We may need to use your personal data for a purpose that we did not identify when we first collected it. If appropriate, we will tell you and explain the legal basis for using it for an unrelated or new purpose. For example, by updating this privacy notice.
If there is a change of use that is compatible with the original purpose, then we will not notify you.
We will process your personal data without your consent where we are required or permitted to do so by law.
Lawful basis for processing your personal data
We only use your personal data when the law allows. We most commonly use your personal data:
- for the performance of a contract – such as your contract of employment
- when it’s in the public interest to do so for official purposes – for example, providing information to Civil Service Learning
- to carry out our statutory duties to comply with a legal obligation – for example, providing information to HMRC
- when you’ve provided personal data on a voluntary basis and consent to Defra processing it in the agreed way – for example, your socio-economic background data
- to protect your vital interests or those of another person – for example, we may need to share health information in the event of a health emergency
- where you provide consent for Defra to process your personal data – for example, special category data
- where necessary for Defra’s legitimate interests – such as providing IT services to staff via third-party contractors, except where such interests are overridden by the interests or fundamental rights and freedoms of staff
We comply with the following legislation:
- UK General Data Protection Regulations 2021
- Data Protection Act 2018
- Employment Rights Act 1996
- Equality Act 2010
- Equality Act 2010 (Specific Duties and Public Authorities) Regulations 2017
- Health and Safety at Work Act 1974
- Immigration, Asylum and Nationality Act 2006
- National Minimum Wage Act 1998
- Pension Act 2008
- Trade Union and Labour Relations (Consolidation) Act 1992
- Transfer of Undertakings (Protection of Employment) Regulations 2006
- Working Time Regulations 1998
Lawful basis for processing special category personal data
We must have further justification for processing your special category personal data. We rely on the processing conditions in the Data Protection Act 2018 that relate to the processing of special category data for employment, statutory and regulatory purposes to:
- carry out our obligations or exercise our employment-related legal rights
- safeguard your employment rights
- protect your vital interests or those of another person where you are incapable of giving your consent
- establish, exercise or defend legal claims
- archive items that are in the public interest
Lawful basis for processing criminal conviction data
We may process personal data relating to criminal convictions and offences or related security measures. We rely on the processing conditions in the Data Protection Act 2018 that relate to processing of criminal conviction data to:
- meet our legal obligations – such as employment law, social security law or the law relating to social protection
- exercise our employment-related legal rights
- protect your interests or those of another person
Consent to process your personal data
We do not always need your consent to use your personal data to meet our legal obligations or for another reason described in this notice.
We may ask for your written consent to allow us to process certain data that needs more protection.
We will provide you with details of the personal data required and why it’s needed. You can consider if you wish to give consent, but it is not a condition of your contract of employment that you agree to give your consent.
It’s voluntary to provide personal data about your socio-economic background, race or ethnicity, religious beliefs, sexual orientation, political opinions and caring responsibilities. It is not a condition of your contract that you provide this data. You have the right to:
- remove consent at any time for us to hold or process this personal data
- ask us to delete any of this data that you have already provided
Who we share your personal data with
We share your personal data with third parties when:
- required by law
- requested by a regulator
- necessary to manage our working relationship with you
- it’s in the public interest to do so
- necessary for the performance of our functions as a government organisation
- contacted by a new or prospective employer for an employment reference
- asked for a financial reference, such as a tenancy or mortgage application
- necessary for investigations – including criminal investigations such as fraud and efficiency investigations such as data error
This may involve sharing special category personal data if you chose to provide it.
The third parties may include service providers, contractors, agents and other government bodies. The following table includes examples of third parties. This is not an exhaustive list.
Third-party | Purpose of sharing data |
---|---|
Other government organisations | Regular reporting activities on organisational performance, system maintenance support and hosting of data, business planning and talent management initiatives, succession planning, statistical analysis, and general management and functioning of the Civil Service. Investigations work, including fraud |
HM Revenue and Customs | Tax and pay |
Disclosure and Barring Service, United Kingdom Security Vetting and UK Visas and Immigration | Visa applications and security vetting |
Service providers | Administration of your HR, pay, pension records and wider employee benefits to provide IT support and enable staff to manage their IT and to use additional or differing IT solutions where needed |
Pension service providers, and any additional voluntary contributions (AVCs) providers | Pensions administration |
National Archives and any other holder of official records | Where records are of historical interest |
Office of National Statistics | Data relating to special employment conditions, such as apprenticeships and Fast Stream |
National Audit Office and Government Internal Audit Agency | Audits |
External auditors | Variety of audit checks to assure compliance with process or policy |
Cabinet Office | Equal opportunities and socio-economic background monitoring where the data is pseudonymised. Also to prevent and detect fraud as part of the National Fraud Initiative |
Debt collection agencies | Collection of money owed post-employment |
Occupational health providers | Legal obligation to support employee health and wellbeing |
Outplacement support providers | Support for at-risk employees |
Lease and fleet vehicles | Manage lease and fleet vehicles |
Travel providers | Travel and accommodation arrangements |
Offsite document storage providers | Storage of your HR, pay and pension records |
We require all our third party service providers to take appropriate security measures to protect personal data, in line with our policies.
We do not allow third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for purposes we have specified.
When responding to requests for information under the Environmental Information Regulations and the Freedom of Information Act, we usually release the following details for staff at Senior Civil Service (SCS) and above:
- name
- role
- pay range
- office location
- email address
How we keep your personal data secure
We’ve put measures in place to keep your personal data secure.
Third parties only process your personal data if we ask them to and if they have agreed to treat the data confidentially and to keep it secure.
We have appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed in an unauthorised way.
We limit access to your personal data to employees, agents, contractors and other third parties who have a business need to know. If they need to process your personal data, they must do it in accordance with our instructions and this privacy notice.
We also have procedures to deal with a suspected data security breach. If there is a suspected breach, we will notify you and any applicable regulator if we are either legally required to or think it’s appropriate to tell you.
Information requests
We respect your personal privacy when responding to access to information requests. We only share information when necessary to meet the statutory requirements of the Environmental Information Regulations and the Freedom of Information Act.
Data that has been made anonymous
We normally make anonymous any data we share with third parties. This may involve removing your personal data or combining it with other data. We may share anonymised data in the form of:
- processed data
- reports
- presentations
- academic publications
How long we hold personal data for
We only retain personal data for as long as necessary to fulfil the purposes we collected it for – such as employment, legal, accounting or reporting requirements.
All personal data is held in accordance with our retention schedule. If you would like more details, email data.protection@defra.gov.uk.
What happens if you do not provide personal data
If you do not provide certain data when requested, we may not be able to:
- fulfil our contractual obligations with you – such as to pay you or provide benefits
- meet our legal obligations – such as your health and safety
- exercise public task functions
Use of automated decision-making or profiling
The personal data you provide is not used for:
- automated decision making (making a decision by automated means without any human involvement)
- profiling (automated processing of personal data to evaluate certain things about an individual)
Use of artificial intelligence
Your personal data may be processed using artificial intelligence (AI). Where AI processing is being considered, data protection impact assessment screening questions are compulsory. A privacy notice will be published or amended to ensure transparency.
The processing of personal data by AI is only permitted where:
- alignment with the data protection legislation can be evidenced
- appropriate safeguards are in place to protect your rights and freedoms
Transfer of your personal data outside of the UK
We only transfer your personal data to another country that is deemed adequate for data protection purposes.
Some of our service providers may also process data in other countries on our behalf, such as Shared Services Connected Limited (SSCL).
We carry out all the necessary checks to ensure your personal data receives the same level of protection when processed in another country as it does in the UK.
Your rights
Find out about your individual rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Queries and complaints
If you need further information about how we use your personal data and your associated rights, contact the Data Protection team from the organisation you are employed by or contracted to.
- Defra and APHA – data.protection@defra.gov.uk
- Cefas – cefassecurityteam@cefas.co.uk
- RPA – RPA.DPAQueries@rpa.gov.uk or irt@rpa.gov.uk for information rights queries
- VMD – postmaster@vmd.gov.uk
The Data Protection Officer for Defra is responsible for checking that we comply with data protection legislation. You can contact them by email at DefraGroupDataProtectionOfficer@defra.gov.uk or at:
Department for Environment, Food and Rural Affairs
Seacole Building
2 Marsham Street
London
SW1P 4DF
The Information Commissioner’s Office (ICO) prefers complaints to be made to the organisation in the first instance. But you have the right to make a complaint to the ICO at any time.
Organisational personal information charters
Find out more about your rights over your personal data in your organisation’s personal information charter: