Skip to main content

Privacy notice – notification of a prohibited person database

Information on the privacy policy for notification of a prohibited person database, why we require data, what we do with the data and your rights.

The Food Standards Agency is known as the ‘Controller’ of the personal data provided to us.

What personal data do we hold?

The personal data we hold on you consists of: (name, business name, business type, premises address, date of order, date of offences and penalties, details of assumed names)

Where we get this personal data from?

The Food Standards Agency obtains this data from the relevant Competent Authority (CA), (local authority) taking the prosecution.

Why we need it

We collect this personal data for the purposes of enforcing the Food Law Code of Practice:

  • In England: section 7.2.6 Action when a Hygiene Prohibition Order (HPO) has been made against a person (Regulation 7(4)).
  • In Wales: section Action when a Hygiene Prohibition Order has been made against a Person
  • In Northern Ireland: section 6.2.6. Action when a hygiene prohibition order (HPO) has been made against a person (regulation 7(4))
  • In Scotland: section 3, sub section 16.5 Action when a Hygiene Prohibition Order has been made against a Person (Regulation 7(4))

We do this in line with the performance of our statutory duties (Article 6 (1)(e) of GDPR and Section 8 of DPA 2018. We will not collect any personal data on you which we do not need.   

Where we process the data relating to convictions we do so, for reasons of substantial public interest in the exercise of our function as a government department and in line with our Data Protection policy and Schedule 1, Part 2 paragraphs (6) and (36) Data Protection Act 2018.

We may also analyse the data along with other information we hold about you and information we have obtained from public and/or private sources for the purpose of helping us evaluate risk. We do this in line with the exercise of official authority vested in us under the Food Standards Act and the performance of a task carried out in the public interest.

What we do with it

We retain personal data only for as long as necessary to carry out these functions, and in line with our retention policy. This means that this data will be retained until:

  • we have confirmed that the prohibition order is no longer in force; and
  • any legal time limits relating to offences in connection with the order have expired.  

All the personal data we process is located on servers within the European Union. Our cloud-based services have been procured through the government framework agreements and these services have been assessed against the national cyber security centre cloud security principles.

This personal data will be made available for CAs in compliance with FLCOP 7.2.6. The Food Standards Agency will sometimes share the data with other government departments, public bodies, and organisations which perform public functions to assist them in the performance of their official duties or when it is in the public interest.  We may share the data as part of risk evaluation and analysis with public bodies or other organisations, such as Trading Standards and Port Health Authorities, for the same reasons.

Personal data will only be accessed by third parties where there is a legal right for them to do so.

We use or work with contractors and other third-party service providers, such as IT service providers, who will process your personal data on our behalf.  These third parties are our data processors and can only process your personal data on our instruction or with our agreement for a specified purpose to enable us to maintain, improve and provide our services in order to fulfil our public task.

What are your rights?

You have a right to see the information we hold on you. If at any point you believe the information we process on you is incorrect you can request to have it corrected. You may have other rights, including the right to restrict processing and the right to object to processing. If you wish to exercise any of your rights or raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).

Our Data Protection Officer in the FSA is the Information Management and Security Team Leader who can be contacted at the following email address.