
Privacy notice - National Food Crime Unit

Information on the National Food Crime Unit privacy notice, why we require data, what we do with the data and your rights. 

Last updated: 9 February 2022

The Food Standards Agency is what is known as the ‘Controller’ of the personal data provided to us. 

Why we need it

When the Food Standards Agency processes your personal data for Law Enforcement Purposes it does so as a Competent Authority to prevent, investigate, detect or prosecute criminal offences or to execute criminal penalties relating to Food Crime, including the safeguarding against and prevention of threats to public health.

What information we hold

The personal information we hold consists of personal data relating to a wide variety of individuals including, but not limited to, data provided by people or organisations reporting or witnessing suspected food crime. This may also include the personal data of individuals involved in, or necessarily identified, in the course of our investigations into suspected food crime (personal data and special category personal data as defined in the Data Protection Act 2018).

We may also hold personal data relating to criminal convictions and offences or related regulatory measures, including data relating to the alleged commission of offences or proceedings for offences committed, or alleged to have been committed, by data subjects, or the disposal of such proceedings, including sentencing.

Where we get this information from

The Food Standards Agency obtains this information either from individuals themselves, third party individuals reporting information to us, or from third parties such as other public bodies, other law enforcement agencies and local authorities, both in the UK and internationally, or through our risk monitoring and evaluation processes in accordance with broad powers provided by the Food Standards Act 1999. This includes combining and analysing information obtained in the course of our regulatory functions with information we have obtained from public, open sources and private sources.

In observing compliance in relation to food regulations and exercising our powers to monitor and evaluate risks we will identify specific incidents that require prompt investigation in order to protect consumers. You can find out more information on 'Monitoring and Evaluation of Risks' in our Personal Information Charter.

We will collect whatever information is necessary in the course of these investigations for our Public Task. We do this in line with our statutory obligations under food hygiene, food safety and animal welfare legislation, for reasons of substantial public interest and under the authority of schedule 7 of the Data Protection Act 2018 and UK GDPR.

Where it becomes apparent to us, either through our own investigations or through information supplied to us, that criminal activity is suspected, our National Food Crime Unit (NFCU) will collect and use personal information in accordance with Part 3 of the Data Protection Act 2018.

NFCU is a dedicated law enforcement function of the Food Standards Agency (FSA) and therefore has wide-ranging powers in the collection and use of information. The unit provides leadership on food crime across England, Wales and Northern Ireland. The unit works closely with the Scottish Food Crime and Incidents Unit within Food Standards Scotland.

Sensitive Processing is defined in section 35(8) of the Data Protection Act 2018 and includes processing of special categories of data and criminal convictions data. This processing shall occur where either the data subject has given consent to the processing for the law enforcement purpose or where the processing is strictly necessary for the law enforcement purpose and the processing meets at least one of the conditions in Schedule 8.

Your personal data will be collected for a specified, explicit and legitimate Law Enforcement Purpose, and any new processing will not be incompatible with the purpose for which it was originally collected. Processing will be carried out in accordance with the NFCU Appropriate Policy Document.

Food Fraud Resilience Self-Assessment tool

Personal information can be collected by the NFCU Prevention Team through the Food Fraud Resilience Self-Assessment tool. The tool can be completed anonymously but provides the option for the user to opt-in to further contact from the NFCU Prevention Team. On completion of the tool the user can provide a contact email address to receive an autogenerated email summary of responses. Users can further select to be contacted by the NFCU Prevention Team with further guidance and training relevant to building anti-food fraud resilience. 

If the user provides consent, the NFCU will receive the submitted contact email address along with the completed responses. If the user does not provide this consent, the NFCU will receive the anonymised completed responses without the contact email address. Personal information gathered through the Food Fraud Resilience Self-Assessment tool will only be used to contact consenting businesses in relation to further guidance and training offered by the NFCU.

What we do with it

We process the information to prevent, investigate, detect or prosecute criminal offences related to food crime.

No third parties have access to your personal data unless the law allows them to do so. In line with this commitment your information may be passed to other competent authorities such as government departments, public bodies and organisations which perform public functions for investigation or prosecution purposes or when it is in the substantial public interest. 

How and where we store your data and who we may share it with

For more information, please see the How and where we store your data and who we may share it with section in our Personal Information Charter.

We only hold your information for as long as necessary to perform our functions and in accordance with our retention schedule.

International transfers

Where we have a legal basis to process personal data for our Law Enforcement purposes, we may also transfer data outside the UK under the provisions of Part 3 of the Data Protection Act 2018.

Also, where we transfer information to authorities or organisations in the substantial public interest, for example, around preventing or detecting crime, or monitoring and evaluating risks to Food Safety, we seek to take appropriate steps to safeguard your information in accordance with UK GDPR. We may rely on the derogations in UK GDPR where necessary for this purpose.

For more information on international transfers, please see the International transfers section in our Personal Information Charter.

EU citizens

For more information on EU Citizens Privacy Notice, please see the EU citizens section in our Personal Information Charter.

Your rights

Your information rights in relation to your personal data processed for law enforcement purposes are:

Right to be Informed - This places an obligation upon us to tell you how we obtain your personal information and describe how we will use, retain, store and who we may share it with. We have written this Privacy Notice to explain how we will use your personal information and tell you what your rights are under the legislation.

Right of Access - This is commonly known as subject access and is the right which allows you access to your personal data and supplementary information; however, it is subject to certain restrictions. Rights of access do not apply to the processing of ‘relevant personal data’. We can limit confirmation that we are processing data and any access to personal data, if necessary and proportionate in order to:

  • Avoid obstruction to an official or legal inquiry, investigation or procedure;
  • Avoid prejudicing prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • Protect public security; or
  • Protect the rights and freedoms of others.

‘Relevant personal data’ means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority. Access to ‘relevant personal data’ is governed by the appropriate legislation covering the disclosure of information in criminal proceedings, such as (in England and Wales) the Criminal Procedure and Investigations Act 1996.

Right to Request Rectification - You are entitled to have personal data rectified if it is inaccurate or incomplete. We can refuse this request where the data is necessary and proportionate or relates to ‘relevant personal data’ i.e. to avoid obstructing an official or legal inquiry, investigation or procedure, or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, as detailed above.

Right to Erasure and Right to Restriction - You have the right to request the deletion or removal of your personal data and/or the right to ‘block’ or restrict the processing of your personal data where there is no compelling reason for its continued processing. We can refuse such a request where it is necessary and proportionate or relates to 'relevant personal data', i.e. to avoid obstructing an official or legal inquiry, investigation or procedure or to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, as detailed above. The erasure of personal data relating to criminal offences cannot be considered until its full period of retention has been reached.

Rights Relating to Automated Decision Making - Automated individual decision making and profiling is a decision made by automated means without any human involvement.

Requests must be processed within one month. Where a request is refused the individual must be notified and where no action is taken individuals have the right to be informed of how to seek a judicial remedy.

Where we are processing your information for purposes other than law enforcement purposes, for example, in relation to or in support of other FSA functions such as those set out in our Personal Information Charter, it will be general processing under GDPR and for more information on your rights in relation to this processing, please see the Your rights section in our Personal Information Charter.

Contact us

If you have any queries concerning this Privacy Notice, your personal information or any questions on our use of the information, please email our Data Protection Officer in the FSA, who is the Information Management and Security Team Leader using the address below.