Privacy notice: how we use your personal information
The Department for Environment, Food and Rural Affairs (including its agencies and public bodies) has a duty to protect the public funds it administers, and to this end may use the information provided by its customers and suppliers for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes.
Purpose of this Privacy Notice
This notice is provided within the context of the changes required by the Article 13 & 14 of EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This notice sets out how we will use your personal data as part of our legal obligations with regard to Data Protection.
Our personal information charter (opens in a new tab) explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our databases.
Why you need to create a new set of sign in details
We ask you to create a single set of sign in details to save you time. You will be able to use them to register with and access a number of different services provided by Defra and our related agencies and public bodies. We will store basic information about you (and your business, if relevant) so that you do not have to re-enter the information each time you want to use a new online service.
If you have administrator access, you will also be able to give other people (for example colleagues or agents you work with) access to one or more of the online services you use.
Your information will be shared with all the administrators associated with your account in order for them to manage the access to one or more of the online services you use.
When you create your new sign in details and register for Your Defra account, you will interact with two different government departments:
- HMRC to create a Government Gateway account (unless you already have one, in which case you will be directed to sign in)
- Defra to create your new sign in details and register for Your Defra account.
Who is collecting my data?
The Department for Environment, Food and Rural Affairs including its agencies and public bodies is collecting your data.
This is a specific privacy notice on the collection and processing of personal data as part of the Your Defra account.
In order to provide these services, we may need to process some personal data, including:
- your name, address(es), email address and telephone number(s)
- questions, queries or feedback you leave, including your email address if you contact us
- your Internet Protocol (IP) address, and details of which version of web browser you use
- information on how you use the site, using cookies and analytics
We are allowed to process your data because we have official authority as the UK government department responsible for safeguarding our natural environment, supporting our food and farming industry, and sustaining our rural economy. The legal basis for processing this data is to perform a task in the public interest that is set out in law.
If you do not give us this data we will not be able to process your registration and you will not be able to use the Defra and our related agencies, services.
What we do with your data
We use this personal data to create your sign in details.
We will share some or all of this data with Defra and our related agencies, so that you don't have to provide it again. The processing done by the service which you request and are given access to will be covered with a privacy notice specific to how they will manage your data which you will be provided with when you are given access.
When you create these sign in details, we will share your personal information with Defra and our related agencies. We do not use your data to make an automated decision or for automated profiling.
We may use the personal information you give us to contact you about our service. We will not contact you with any marketing information.
Where is your data processed and stored
We transfer your data through:
- Azure Web App Firewall
- Azure App Gateway
- Our Identity App
- Azure Cosmos
- SCP
- B2C
- Dynamics 365
The data will not be transferred outside the European Economic Area.
Legal obligation to process your data
Processing your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
The National Fraud Initiative is conducted using the data matching powers bestowed on the Minister for the Cabinet Office by Part 6 of the Local Audit and Accountability Act 2014 (LAAA). View further information on the Cabinet Office's legal powers and the reasons why it matches particular information (opens in a new tab).
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014.
Our legal basis for processing your criminal convictions data is paragraphs 6 and 10 of schedule 1 to the Data Protection Act 2018.
Additional acts of law provide a duty to process information, these include: The EU Public Contracts Directive 2014, the Public Contracts Regulations 2015 and the Transparency Code 2015.
Who can see your data
Your personal data will be shared by us with all Government services that you can request access for via Your Defra account, bodies charged with a monitoring or inspection task in application of EU/UK law (e.g. internal audits, IT testing) and as necessary for the purposes of preventing and detecting fraud with other participants taking part in the NFI as listed on National Fraud Initiative privacy notice - GOV.UK (opens in a new tab).
International transfers
No personal data will be transferred outside the European Economic Area (EEA).
Data retention
You will start the registration process by signing in with your Government Gateway account, or creating a new Government Gateway account. If you do not finish creating your sign in details after that, we will delete your information from our database 3 days after you last signed in.
Where you have been invited by another user and do not complete your registration we will delete your email address from our database within 30 days.
Where you have requested to be associated with an organisation and your association is not confirmed within 30 days, we will delete all your information from our database.
Once you complete the registration process, your personal data will be kept by Defra for the periods set out by the services which you interact with in Defra and related agencies and public bodies.
What will happen if you don't provide the data?
Failure to provide the required information will mean that you are unable to use the services that Defra and related agencies and public bodies provide through Your Defra account.
What are your rights?
You have the right to request information about how your personal data is processed, and to request a copy of that personal data. You have the right to request that any inaccuracies in your personal data are rectified without delay. You have the right to request that any incomplete personal data is completed, including by means of a supplementary statement. You have the right to request that your personal data is erased if there is no longer a justification for it to be processed. You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (such as the exercise of a function of the Crown, a Minister of the Crown, or a government department, the exercise of a function conferred on a person by an enactment, the exercise of a function of either House of Parliament or the administration of justice) you have the right to object to the processing of your personal data.
Complaints
If you believe that your personal data has been misused or mishandled, you can may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ (opens in a new tab)
Contact details for the data controller
The data controller for your personal data is Defra. The contact details for the data controller are:
Data Protection Manager for core-Defra
Defra
Information Rights Team
1st Floor, NE Quarter
Seacole Block
2 Marsham Street
London
SW1P 4DF
Email: data.protection@defra.gov.uk
The contact details for the data controller's Data Protection Officer (DPO) are:
DPO
Defra
Department for the Environment, Food and Rural Affairs
2 Marsham Street
London
SW1P 4DF
Email: DefraGroupDataProtectionOfficer@defra.gov.uk