This Charter will help you understand general principles about how and why the Food Standards Agency (referred to hereafter as we, us, our, FSA) collect and process information, what types of information that we collect, how and where we store your data and what your rights are.
We respect and value the privacy of everyone and only collect and use information in a manner consistent with your rights and our obligations under the law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
Who does UK GDPR apply to?
The UK GDPR applies to ‘Data Controllers’ and ‘Data Processors’.
A Data Controller determines the purposes and means of processing personal data.
A Data Processor is responsible for processing personal data on behalf of a Data Controller.
Where we act as a Data Controller, we have an obligation to tell you how and why we will collect your data, how we use and store it, and your rights in respect of that data.
Where we act as a Data Processor or engage a processor to process data on our behalf we will do so in accordance with requirements in UK GDPR to ensure the necessary safeguards are in place to ensure your data is used appropriately and to keep your data safe.
The UK GDPR does not apply to certain activities including processing covered by Part 3 of the Data Protection Act 2018.
What is personal data?
Personal data identifies an individual directly, for example, a name, or indirectly, for example, a reference number when combined with identifying information held separately.
Some personal data is more sensitive in nature and requires more careful handling. UK GDPR defines 'special categories of personal data' which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.
Why we need your personal information
Our main objective under the Food Standards Act 1999 ('the Act') is:
'to protect public health from risks which may arise in connection with the consumption of food (including risks caused by the way in which it is produced or supplied) and otherwise to protect the interests of consumers in relation to food.'
Functions and powers are provided to us by law so that we may collect personal information to fulfil our key objectives as follows:
- to regulate food by engaging with organisations both directly, and indirectly through Local Authorities and Other Competent Authorities, Government Agencies and Industry Bodies both in the UK and internationally to ensure they conform to the standards that we set.
- to analyse and evaluate risks around food generally.
- to receive advice and information to formulate policy and consult on that policy so that is it fairly implemented.
- to inform our policies and standards by understanding issues facing the general public and food business operators in relation to food and food safety, including issues around health, social or economic factors.
- to raise awareness around food safety, for example by providing alerts around issues such as product recalls and allergies.
- to help promote best practice through signposting information and providing training resources to interested and relevant parties.
- to investigate and take enforcement action as necessary where we become aware of practices that are not carried out in the best interest of consumers and that contravene our policies, standards or the law.
In order to fulfil our Public Task, we will also collect and process data about our staff, subcontractors, agencies, subject matter experts and other partners.
The above list of functions and powers is not exhaustive. From time to time there may be other reasons why we need to collect information to meet our statutory duties. But where we collect your information, and the UK GDPR requires it, we will always:
- make sure you know why we need it and why we are legally allowed to hold it
- only ask for what we need, and not to collect too much or irrelevant information
- protect it and make sure nobody has access to it who shouldn’t
- let you know if we share it with other organisations
- make sure we don’t keep it longer than necessary
What information do we collect?
The information that we may obtain to carry out our statutory functions and exercise our powers is broad. It is important under UK GDPR that we are transparent in what we collect. Therefore, we have set out in general terms the types of data we collect, and our processing, in the key areas outlined in the previous sections that help us meet our Public Task.
As a regulator, on an ongoing basis, we develop policy and standards and work with Local Authorities and Other Competent Authorities, Government Agencies and Industry Bodies, both in the UK and Internationally, to ensure standards are met. Examples of where we work collaboratively in this area include, but are not limited to:
- registering of food businesses and products
- approvals of food premises and products
- implementing official controls in Food Business Operators
We, therefore, may collect information about people and organisations to whom our regulatory processes apply in the UK and Internationally. This will include personal information such as name and contact details of people who represent Food Businesses that we or Local Authorities and Other Competent Authorities and Agencies regulate. We also collect commercially sensitive details of levels of compliance achieved by those businesses. Such information can be both personally sensitive and/or commercially sensitive depending on the nature of our regulatory processes and investigations.
Monitoring and evaluation of risks
One of our statutory functions is to make observations to keep food safe. We may combine and analyse information obtained in the course of our regulatory functions with information we have obtained from public and private sources.
For example, we may collect information from, and share information with Local Authorities and Other Competent Authorities, Government Agencies and Industry Bodies in the UK and Internationally. We may gather information from publicly available sources, such as websites, and make use of web scraping software to carry out our legal powers including for the purpose of helping us evaluate risk.
These processes of collecting data, adding value to it by combining it with other data, and acting as a central point to share data about real and potential risks relating to unsafe food, support our remit to ensure food and feed is safe in the interest of consumers. These risk analyses and evaluation processes also help inform our Policy and Standards as do the activities that we set out in the next section.
Informing policy and standards
We undertake a number of activities that help us to inform food policy, guidelines, standards and regulation as follows:
- Consultations and surveys – we have a legal duty to ensure that policy that we formulate can be applied fairly. We may engage with organisations including sole traders and partnerships and collect your personal information in order to consult with you. Generally, we would not expect to collect sensitive data but where we do so we will give you assurances around how it will be collected and held in accordance with UK GDPR.
- Advisory Committees – we collect personal information to administer the work subject matter experts do advising us in a number of key areas around food regulation across the UK. For more information see our Privacy Notice for Appointments to Advisory Committees, The Science Council and associated subgroups. We also maintain a Register of Specialists who can support us on an ad hoc basis in the appraisal of project proposals and evaluation of final reports. For more information see our Privacy Notice for Register of Specialists.
- Research – we either engage in research directly or more commonly we use trusted and reputable research companies to carry out studies and research on our behalf. We commission these studies in relation to health, social or economic factors that we need to consider to shape our policies and standards and improve our food regulation. We, or our research partners, may collect both personal and special category information in accordance with high ethical standards and UK GDPR. For more on our approach to research see our Privacy Notice for Research participants.
Raising awareness and promoting best practice
- Alerts – we collect personal and commercial information, including sensitive information, as described in the Charter in accordance with our Statutory Powers. Where we become aware of any Food Safety issues that may impact on Consumers then we will publish alerts around these issues in the interest of public safety. For example, we may publish Alerts around Product Recalls or related to Allergies. The Alerts will be published through our website and also notifications will be provided to people and organisations who subscribe to, or are required to, receive them.
- Training and Awareness – we may collect your information to offer a range of training opportunities to help Food Businesses and other interested parties implement best practice in relation to Food Safety. This training may be available through our website or other events that we organise, and we will inform you how we will use your information when you sign up.
Investigations and enforcement
In observing compliance in relation to food regulations and exercising our powers to monitor and evaluate risks we will identify specific incidents that require prompt investigation in order to protect consumers. We will collect whatever information is necessary in the course of these investigations in accordance with our Public Task lawful basis under UK GDPR and where the incident is not a criminal activity it will be concluded by our Incidents Team. Appropriate action, including enforcement action, will be taken and we will publish alerts and notifications to people and organisations as we are required by law in order to keep food safe.
Where it becomes apparent to us either, though our own investigations or through information supplied to us, that criminal activity is suspected, our National Food Crime Unit (NFCU) will collect and use personal information in accordance with Part 3 of Data Protection Act 2018. NFCU is a dedicated law enforcement function of the Food Standards Agency (FSA) and therefore has wide-ranging powers in the collection and use of information. The unit provides leadership on food crime across England, Wales and Northern Ireland. The unit works closely with the Scottish Food Crime and Incidents Unit within Food Standards Scotland. More information about NFCU can be found on our website.
This information is often both personally and commercially sensitive, and we apply the highest possible safeguards in relation to its collection and any subsequent processing. Our specific privacy notices in relation to this activity are on the following links:
FSA staff, Board members and sub-contractors, agencies and other partners
We cannot carry out our Public Task without the ongoing support of our staff, Board members, subcontractors, agencies and other partners.
- Staff – information is collected about staff as is necessary to carry out duties in respect of your employment contract, in accordance with our HR Policies and Procedures, ICO Employment Practices Code and Employment Law and other statutory purposes. For further information please read our specific privacy notice HR Staff data.
- Board Members - information is collected about Board Members to make an appointment to and administer appointments to our Board. For further information please read our specific privacy notice for Board Members.
- Sub-contractors, Agencies and other Partners - Information is collected to assess bids for work, appoint and administer relationships relating to subcontractors, agencies and other partners. The types of information we collect will be dependent on the goods or services procured. Privacy expectations will be defined by contractual terms and/or specific privacy notices in relation to those goods and services.
How and where do we store your data and who may we share it with?
We treat the security of your information very seriously and only process it in accordance with our Information Security Standards and Policies. All our staff get regular mandatory training about how to handle information properly and keep it safe.
The majority of information we collect is stored and processed in the UK or the European Economic Area (EEA).
For financial, organisational or technical reasons, we may engage third parties to process data on our behalf. We will not share your personal information with any such third party unless we are satisfied that they are able to provide an adequate level of protection in respect of your personal information. We do this by taking steps to ensure that these organisations have in place suitable technical and organisational safeguards either through contracts or agreements we hold with them and/or by obtaining robust assurances from them that they operate in accordance with the UK GDPR.
We also work closely with Local Authorities and Other Competent Authorities, Government Agencies and Industry Bodies both within and outside the UK and have broad powers to share information with those organisations where it is proportionate and necessary to meet our objectives. We will only share information where we have a legal basis to do so.
We may have to process and release personal information to meet our obligations under the Freedom of Information Act 2000. We will only do so when data protection privacy laws are met.
Where we have a legal basis for sending or transferring personal data to third parties based in countries outside the UK, including those that process data on our behalf, we will ensure appropriate safeguards are in place in accordance with UK GDPR.
We regularly process data with third parties in the EEA. The EEA has been deemed as having adequate safeguards to meet the requirements of UK GDPR.
Where we have a legal basis to process personal data for our Law Enforcement purposes, we may also transfer data outside the UK under the provisions of Part 3 of the Data Protection Act 2018.
Also, where we transfer information to authorities or organisations in the substantial public interest, for example, around preventing or detecting crime, or monitoring and evaluating risks to Food Safety, we seek to take appropriate steps to safeguard your information in accordance with UK GDPR. We may rely on the derogations in UK GDPR where necessary for this purpose.
You have a legal right to see a copy of the personal data that we keep about you and to require us to correct any inaccuracies, subject to certain exemptions. In some circumstances, you may also have the right to:
- request that we erase any personal data held about you
- restrict our processing of your personal data (for example to ask to suspend the processing of personal information to establish its accuracy or the reasons for processing it)
- data portability (i.e. to request the transfer of personal data to a third party)
- object to our processing of your personal data
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
Where we process the personal information of data subjects located in the EU, including data collected before 1 January 2021, under provisions of the Withdrawal Agreement, we will do so in accordance with the requirements and obligations of the EU GDPR, including in relation to transfers to the extent that these are any different to those of the UK GDPR.
This privacy notice covers EU and UK citizens and will be reviewed and updated should those regulations diverge over time. Where any differences emerge we update this section to reflect how this affects the way we process your information and/or we will tell you in a specific privacy notice when we collect your data.
If you are not satisfied by the way we are processing your data or responding to a rights requests, you are entitled to raise a complaint with the ICO and/or the Supervisory Authority in your country of residence.
If you have any queries concerning this Personal Information Charter, your personal information or any questions on our use of the information, please email our Data Protection Officer in the FSA, who is the Information Management and Security Team Leader using the address below.