Privacy notice – notification of a prohibited person database

Information on the privacy policy for notification of a prohibited person database, why we require data, what we do with the data and your rights.

The Food Standards Agency is known as the ‘Controller’ of the personal data provided to us.

What information do we hold?

The personal information we hold on you consists of: (name, business name, business type, premises address, date of order, date of offences and penalties, details of assumed names)

Where we get this information from?

The Food Standards Agency obtains this information from the relevant Competent Authority (CA), (local authority) taking the prosecution.

Why we need it

We collect this information for the purposes of enforcing the Food Law Code of Practice:

  • In England: section 7.2.6 Action when a Hygiene Prohibition Order (HPO) has been made against a person (Regulation 7(4)).
  • In Wales: section Action when a Hygiene Prohibition Order has been made against a Person
  • In Northern Ireland: section 6.2.6. Action when a hygiene prohibition order (HPO) has been made against a person (regulation 7(4))
  • In Scotland: section 3, sub section 16.5 Action when a Hygiene Prohibition Order has been made against a Person (Regulation 7(4))

We do this in line with the performance of our statutory duties (Article 6 (1)(e) of GDPR and Section 8 of DPA 2018. We will not collect any personal data on you which we do not need.   

Where we process the data relating to convictions we do so, for reasons of substantial public interest in the exercise of our function as a government department and in line with our Data Protection policy and Schedule 1, Part 2 paragraphs (6) and (36) Data Protection Act 2018.

What we do with it

We retain personal information only for as long as necessary to carry out these functions, and in line with our retention policy. This means that this information will be retained until:

  • we have confirmed that the prohibition order is no longer in force; and
  • any legal time limits relating to offences in connection with the order have expired.  

All the personal data we process is located on servers within the European Union. Our cloud-based services have been procured through the government framework agreements and these services have been assessed against the national cyber security centre cloud security principles.

This information will be made available for CAs in compliance with FLCOP 7.2.6. The Food Standards Agency will sometimes share data with other government departments, public bodies, and organisations which perform public functions to assist them in the performance of their official duties or when it is in the public interest. Information may be accessed by third parties only when there is a legal right to do so.

What are your rights?

You have a right to see the information we hold on you by making a request in writing to the email address below. If at any point you believe the information we process on you is incorrect you can request to have it corrected. If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

Our Data Protection Officer at the FSA is the Information Management and Security Team Leader who can be contacted at the following email address: