Guidance

Microchip adverse events reporting: privacy notice

Published 18 December 2024

Applies to England, Scotland and Wales

This privacy notice explains what data is being collected through the Microchip Adverse Events Reporting Programme, and the purposes of collection within the Department of Environment, Food and Rural Affairs (Defra).

We are committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), and the Law Enforcement Directive.

If you do not provide the personal data Defra will be unable to contact you for information about adverse microchipping events.

Who collects your personal data

Defra is the controller for the personal data collected.

Department for Environment, Food and Rural Affairs
Seacole Building
2 Marsham Street
London
SW1P 4DF

If you need further information about how Defra uses your personal data and your associated rights you can contact the Defra data protection manager at data.protection@defra.gov.uk or:

Department for Environment, Food and Rural Affairs
Nobel House
17 Smith Square
London
SW1P 3JR

The data protection officer for Defra is responsible for checking that Defra complies with legislation. You can contact them at DefraGroupDataProtectionOfficer@defra.gov.uk or:

Department for Environment, Food and Rural Affairs
Seacole Building
2 Marsham Street
London
SW1P 4DF

What personal data we collect and how it is used

Defra currently collects and processes the following personal data for the purposes of communicating with the individual whose personal data is held to provide more information around the circumstances of an adverse event:

• names and contact details

• job titles

• business names and addresses

• animal owner names and addresses

• professional organisation membership numbers and status

How we get your personal data

Most of the personal information we process is provided to us directly by you because:

• you have provided it to help demonstrate regulatory compliance

• you have reported an adverse event by downloading and completing an online form and have submitted it to Defra at microchipping@defra.gov.uk

We also receive personal information indirectly, usually because:

• business associates have provided your contact details

• we receive reports of adverse events from members of the public and veterinary professionals

Why we have it

We use the information given to us to:

• carry out our functions, services, or research

• provide information that may be of interest or relevance

• evaluate suspected adverse reactions

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information is: we need it to perform a public task.

Use of automated decision-making or profiling

The personal data you provide is not used for:

• automated decision-making (making a decision solely by automated means without any human involvement)

• profiling (automated processing of personal data to evaluate certain things about an individual)

We will tell you if that changes.

Who can see it

Bodies charged with auditing, monitoring, or inspecting our compliance with applicable law and other standards, as necessary, and for the purposes of preventing and detecting fraud.

Who we share it with

The data you provide will not be transferred outside the EEA. We may share your information with the Royal College of Veterinary Surgeons (RVCS) as a statutory regulatory body, for the purposes of regulatory evaluation.

Personal information provided as part of a suspected adverse event will not be shared with anyone outside Defra without your expressed permission. Contact details are only used if we need more information. If you do not wish to be contacted, you can tell us when you report the adverse event.

We may have to release personal data and commercial information to execute our enforcement strategy, or under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

How long Defra holds personal data

Information that you provide, or that is provided about you, will be kept for the length of time needed to complete that function or service. Some information will be kept for the length of time that an account, registration, certification, approval, or authorisation remains in place.

Defra will keep your personal data for 5 years for the purposes of monitoring and evaluating anyone who reports adverse events. After which time we will either anonymise or permanently delete it.

Update your details, or exercise your rights

If you discover that the personal data we hold about you is inaccurate, or incomplete, please tell us where you have seen it and what it should be, so we can update your records.

You can request that we a) no longer process your personal data and b) delete your personal data c) restrict the processing of your personal data.

However, agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. Where this is the case, we will tell you.

Contact the Data Protection Manager at data.protection@defra.gov.uk if you wish to make any request and we will respond within one month. You will not be charged for exercising your rights.

Your rights

Find out about your individual rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

Complaints

You have the right to make a complaint to the Information Commissioner’s Office the independent regulator using their helpline number 0303 123 1113 or through the ICO website.

Defra’s personal information charter

Our personal information charter explains more about your rights over your personal data.