Guidance

RPA Privacy Notice for Employees, Workers and Contractors (UK)

This privacy notice describes how the Rural Payments Agency (RPA) collects and processes personal information about all prospective, current and former employees, workers and contractors.

Applies to England

RPA (an Executive Agency of Defra) is committed to protecting the privacy and security of your personal information.

The Department for Environment, Food and Rural Affairs (Defra) is the data controller for personal data you give to RPA.

This privacy notice describes how we collect and process personal information about you during and after your working relationship with us, in accordance with data protection laws (the UK General Data Protection Regulation 2020 and the Data Protection Act 2018).

It applies to all prospective, current and former employees, workers and contractors. However, this notice does not form part of any contract of employment or other contract to provide services.

It may be the case that additional privacy notices are provided on specific occasions that will inform you of how and why we are using such information.

You can also read our Personal Information Charter, which provides details about your privacy rights, how they are managed, and who to contact.

What type of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are ‘special categories’ of more sensitive personal data which require a higher level of protection.

We may collect, store, and use the following categories of personal information about you when required:

  • personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • information about your social economic background such as details about the type of school you attended and your parent’s highest qualification and main job, if you choose to provide them to us
  • dates of birth, marriage and divorce
  • gender
  • marital status and dependants
  • information about any caring responsibilities you may have where these might significantly affect your ability to work your contracted hours where an event causes RPA and/or Defra to work in different ways
  • next of kin, emergency contact and death benefit nominee(s) information
  • National Insurance number
  • bank account details, payroll records and tax status information
  • salary, annual leave, pension and benefits information
  • start date, leaving date and reason
  • location of employment or workplace
  • copy of driving licence, passport, birth and marriage certificates, decree absolute
  • recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
  • full employment records for your employment (including contract, terms and conditions, job titles, work history, working hours, promotion, absences, attendances, training records and professional memberships)
  • information about your designation as a key or critical worker
  • compensation history
  • performance and appraisal information
  • disciplinary and grievance information
  • secondary employment and volunteering information
  • CCTV footage and other information obtained through electronic means such as swipe card records
  • information about your use of our information and communications systems
  • photographs, videos
  • accident book, first aid records, injury at work and third-party accident information
  • evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance. This can include passport details, nationality details and information about convictions/allegations of criminal behaviour
  • evidence of your right to work in the UK/immigration status

We will also collect, store and use the following ‘special categories’ of more sensitive personal information:

  • information about your race or ethnicity, religious beliefs, sexual orientation, and your political opinions, if you choose to provide them to us
  • trade union membership
  • information about your health, including any medical condition, health and sickness records, which may potentially include genetic information and biometric data
  • information about criminal convictions/allegations and offences

How your personal information is collected

We typically collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We will sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies, including:

  • employee’s doctors, medical and occupational health professionals (Duradiamond)
  • DBS (Disclosure and Barring Service)
  • Home Office – UK Visas and Immigration
  • Home Office – UK Border Force
  • consultants and other professionals who advise Defra or RPA generally

We will collect additional personal information in the course of job-related activities throughout the period of you working for us. Some information, such as the information about your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions can be provided by you on a voluntary basis.

How we use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • where it is necessary for performing the contract we have entered into with you
  • where we need to comply with a legal obligation
  • where it is in the public interest to do so, or for official purposes, or in the exercise of a function of the Crown, a Minister of the Crown or GLD as a government department
  • where you have provided personal data on a voluntary basis and consent to Defra/RPA processing the data in the way agreed
  • where it is necessary to protect your vital interests, or the vital interests of another person

The situations in which we will process your personal information are:

  • making a decision about your recruitment or appointment
  • determining the terms on which you work for us
  • checking you are legally entitled to work in the UK and to provide you with the security clearance appropriate for your role
  • for Civil Servants, to check eligibility to become and remain a Civil Servant
  • paying you - or recovery of any overpayment - and if you are an employee, deducting tax and National Insurance contributions
  • providing employment-related benefits to you including:
    • all types of leave in line with organisational policy
    • pension
    • advances of salary
  • liaising with your pension provider, providing information about changes to your employment such as promotions, changes in working hours
  • general administration of the contract we have entered into with you
  • business management and planning, including accounting, auditing and business continuity
  • conducting performance reviews, managing performance and determining performance requirements
  • making decisions about salary reviews and compensation
  • assessing qualifications for a particular job or task, including decisions about promotions
  • gathering evidence and any other steps relating to possible grievance or disciplinary matters and associated hearings
  • making decisions about your continued employment or engagement
  • making arrangements for the termination of our working relationship
  • education, training and development requirements
  • dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
  • ascertaining your fitness to work, managing sickness absence
  • complying with health and safety obligations
  • to prevent and detect fraud
  • to monitor your business and personal use of our information and communication systems to ensure compliance with our IT policies
  • to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • to provide IT advice and assistance to staff via the use of an IT Service Desk and support
  • to conduct data analytics studies to review and better understand employee retention and attrition rates
  • equal opportunities and social economic background monitoring, if you choose to provide them to us. This will include the further processing of the data with the addition of other factors, such as your gender, age, pay grade, and working pattern
  • dealing with Freedom of Information Act/Environmental Information Regulations requests, if data protection laws allow

How we use particularly sensitive personal information

‘Special categories’ of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We will, if necessary, process special categories of personal information in the following circumstances:

  • where we need to carry out our legal obligations or exercise our employment-related legal rights and in line with our data protection policy
  • where it is in line with our data protection policy, and deemed necessary, for example in performing our functions as a Government Department or a function of the Crown, equal opportunities monitoring (provided on a consent/voluntary basis), administering our pension scheme or preventing or detecting unlawful acts
  • where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
  • where it is necessary to protect your vital interests, or the interests of another person
  • where it is needed in relation to legal claims

We will use your particularly sensitive personal information in the following ways:

  • we will use information relating to leaves of absence; this can include sickness absence or family related leave, to comply with employment and other laws
  • we will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits
  • we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting if you choose to provide them to us. This will include the further processing of the data with the addition of other factors, such as your gender, age, pay grade, and working pattern

This processing will be limited to individuals within HR and will not be shared without an appropriate sign off process. Such sharing decisions are taken in accordance with advice provided by data protection colleagues, and also require the involvement of Defra’s Data Protection Officer.

In the case of information about your social economic background, your race or ethnicity, religious beliefs, sexual orientation, and political opinions, this information is provided on a voluntary basis and is also not a condition of your contract that you supply the information requested. As explained in the sections below covering your rights, you have the right to remove your consent for Defra/RPA to hold or process this personal data (and have the personal data already provided deleted) at any point.

What happens if you do not provide personal information

You are required to provide some information so that both parties can perform their requirements under your employment contract, or because it is required to meet a legal requirement (for example, health and safety, tax information). In circumstances where we have asked you to provide your personal and special category data on the basis of consent, we will make this clear, and make clear that you can withdraw your consent at any time.

When we might use the information for a different purpose

We will only use your personal data in a way which complies with the lawful basis of processing we set out when we collected it. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

How we use information about criminal convictions

We will only use information relating to criminal convictions or alleged criminal behaviour where the law allows us to do so. This can arise when it is necessary for us to comply with the law or for another reason where there is a substantial public interest in us doing so.

Less commonly, we will, if necessary, use information relating to criminal convictions or alleged criminal behaviour where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We will only collect information about criminal convictions or allegations of criminal behaviour where it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions/allegations as part of the recruitment process or if we are notified of such information in the course of you working for us. We will use information about criminal convictions/allegations and offences in the following ways:

  • to make decisions regarding suitability for the role, or in relation to possible grievance or disciplinary matters and associated hearings

  • the code of conduct and any contractual terms and conditions which form your contract of employment with Defra/RPA

We are allowed to use your personal information in this way where it is in line with our data protection policy and where one of the following reasons arises:

  • where we need to carry out our legal obligations or exercise our employment-related legal rights
  • where it is substantially in the public interest to do so and necessary for performing our functions as a Government Department or a function of the Crown

Which third parties we might share your personal information with

We will in some circumstances share your data with third parties, including third-party service providers and other Civil Service bodies such as the: Civil Service Commission; Cabinet Office; Advisory Committee on Business Appointments and Office of the Commissioner for Public Appointments.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you; where it is in the public interest to do so or where it is necessary for the performance of our functions as a Government Department or a function of the Crown or where we deem it appropriate or necessary to do so and when we can do so in a legally compliant way. This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions/allegations.

Where we are contacted by your new/prospective employer for an employment reference, or by a third party requesting a financial reference – for example to support tenant or mortgage applications, where necessary, we may also share your personal information. We may also share information on how your personal data relating to financial transactions may be used in counter-fraud and error data matching exercises.

‘Third parties’ includes third-party service providers (including contractors and designated agents) and other entities within the Civil Service. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services, security vetting.

These external parties include:

Third party | Purpose
HM Revenue and Customs | Tax and pay
UKBF and UKSV | Visa applications and security vetting
Shared service providers | Administration of your HR, pay and pension records
Pension service providers, and any additional voluntary contributions providers | Pensions administration
The National Archives and any other holder of official records | If records are deemed to have historical interest
The Office of National Statistics | Data relating to special employment conditions, such as apprenticeships and fast-stream
External auditors | Variety of audit checks to assure compliance with process/policy
Third party service providers, such as childcare voucher schemes | Administration of benefits
Debt collection agencies | Collection of money owed post-employment
Occupational health providers | Legal obligation to support employees’ health and wellbeing
Outplacement support providers | Support for at risk employees
Lease and fleet car | Administration of lease and fleet car
Travel providers | Travel and accommodation arrangements
Offsite document storage providers | Storage of your HR, pay and pension records
IT suppliers | To provide IT support and to enable staff to manage their IT and to use additional or differing IT solutions, where needed

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Which Civil Service organisations we might share your personal information with

We will share your personal data with other Civil Service organisations in a number of situations, for example, as part of our regular reporting activities on departmental performance, in the context of a business reorganisation or restructuring exercise, for system maintenance support and hosting of data; business planning/talent management initiatives, succession planning, statistical analysis; and general management and functioning of the Civil Service. In each circumstance the sharing will only occur if it is compliant with data protection legislation and is justified.

Pseudonymised personal data - replacing most identifying fields within a data record by one or more artificial identifiers - is also shared with the Office for National Statistics, mainly for statistical purposes. The Office for National Statistics, along with other auditing bodies such as National Audit Office can also see and review personal data in an audit. As mentioned above, personal information sent to the Cabinet Office for equal opportunities and social economic background monitoring can also be pseudonymised, and not anonymised (i.e. Defra/RPA still holds the information which includes the identifiable staff numbers).

As part of the National Fraud Initiative your data may be shared with the Audit Commission.

If required, we may need to share your personal information with a regulator or to otherwise comply with the law.

When we might process your information outside the UK

We do not transfer personal data outside the UK; however, some of your personal data may be processed offshore by our services provider, Shared Services Connected Limited (SSCL). This is limited to RPA’s use of the Ministry of Justice casework where SSCL use Centres of Excellence in the UK and in India to manage our back-office services, and some of our IT suppliers also have support provided outside of the UK, which also includes India.

Your personal data receives the same level of protection when processed offshore as it does onshore. This protection is delivered by the use of standard data protection clauses required by the data protection legislation.

How your personal information is made secure

We have put in place measures to protect the security of your information.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They are directed to only process your personal information in accordance with our instructions.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are either legally required or deem it appropriate to do so.

What your personal information rights are

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. Further details on exercising your rights and who to contact are set out in our Personal Information Charter.

How long we hold your personal information for

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with appropriate security policies.

Details of retention periods for different aspects of your personal information are set out below:

Employee records | Retention period

Employment and Career (including):
  - “Written particulars of employment” | More than 7 years
  - Employment history | More than 7 years
  - Overseas service history | More than 7 years
  - Performance Management System (PMS) reports | 7 years
  - Previous service records | More than 7 years
  - Qualifications and references | 7 years
  - Travel and subsistence | 7 years
  - Annual Leave (A/L) | 3 years
  - Recruitment campaigns advertisements | 1 year
  - Recruitment campaigns interview notes | 2 years
  - Resignation, termination and/or retirement letters | More than 7 years
  - Variation of hours (calculation formula) | 1 year
  - Working Time Directive opt out forms | 3 years

Incidents (including):
  - Investigation reports | More than 7 years

Pay and Pension:
  - Added years and Additional Voluntary Contributions (AVC) | More than 7 years
  - Advances (e.g. for bicycles, Christmas/holidays, housing, season tickets) | 7 years
  - Bonus nominations | 7 years
  - Death Benefit Nomination (and Revocation) | More than 7 years
  - Death certificate copy (i.e. where original is returned to provider) | More than 7 years
  - Decree absolute copy (i.e. where original is returned to provider) | More than 7 years
  - Housing advance | 7 years
  - Marriage/civil registration documentation copies (i.e. where originals are returned to provider) | More than 7 years
  - Overpayment information | 7 years
  - Papers relating to disciplinary action which has resulted in any changes to terms and conditions of service, salary, performance pay or allowances | More than 7 years
  - Pension entitlement, estimate and award | More than 7 years
  - Personal payroll history | More than 7 years
  - Statutory maternity pay documents | 7 years
  - Unpaid leave periods | More than 7 years
  - Investigation reports | More than 7 years

Sensitive Posts:
  - Sensitive Posts Review | Keep “live” file and papers for two previous years for audit

HR “Local” (i.e. held by line managers) records:
  - Annual Leave (A/L) records | 3 years
  - Disciplinary records (such as verbal warning) | 3 years
  - Recruitment campaigns (and job advertisements) | 1 year

Published 22 April 2022