The Food Standards Agency (FSA) , is the ‘Data Controller’ of the personal information we collect from you or which is provided to us.
Please refer to our Personal Information Charter to understand further about how and why the FSA collects and processes information, what types of information that we collect, how and where we store your data and what your rights are.
We respect and value the privacy of everyone and only collect and use information in ways that are consistent with your rights and our obligations under the law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
Why we need your personal information
We process your personal data in a number of ways to deliver our Public Services which are set out in law. Unless we tell you otherwise our legal basis for collecting this information under UK GDPR is our Public Task which includes but is not limited to collecting information:
- to regulate food by engaging with organisations both directly, and indirectly through Local Authorities and Other Competent Authorities, Government Agencies and Industry Bodies, both in the UK and Internationally, to ensure they conform to the standards that we set
- to analyse and evaluate risks around food generally
- to receive advice and information to formulate policy and consult on that policy so that is it fairly implemented
- to inform our policies and standards by understanding issues facing the general public and food business operators in relation to food and food safety, including issues around health, social or economic factors
- to raise awareness around food safety, for example by providing alerts around issues such as product recalls and allergies
- to help promote best practice through signposting information and providing training resources to interested and relevant parties
- to investigate and take enforcement action as necessary where we become aware of practices that are not carried out in the best interest of consumers and that contravene our policies, standards or the law
When we collect information from you, we:
- make sure you know why we need it and why we are allowed to hold it where we are required to do so by law
- only ask for what we need, and not to collect too much or irrelevant information
- protect it and make sure nobody has access to it who is not permitted to have access under the law
- make sure we don’t keep it longer than necessary
What information do we collect through our website?
When you register for a training account with us, we will collect personal data from you such as name, email address, job role, employers name and password.
We collect this information for the purpose of educating a range of stakeholders. We will only use this information to enable you to access our training and certificates, to administer your account, and to contact you to provide technical support should you request it. We may contract training providers to do this on our behalf. Please refer to the 'How and where we store your data and who we may share it with' section below for further information.
When you registered for an account, we may have made you aware one of our specific Privacy Notices relating to the training that you requested, which will be accessible on the training site or through a link at the end of this Policy.
On line food safety and food training providers
- Allergen and intolerance training is provided and supported by Indegu Ltd.
- Import, Labelling, Sampling, Root cause analysis and Traceability training is provided and supported by Desq Ltd.
In the Contact Us section of the website, we provide channels that you can use to raise a query, report a problem or receive assistance. When we collect information from you whether you are a Business or a Consumer, we will generally require your name and contact information and details of your query, request or any issue that you may be reporting. We need this information to understand why you are contacting us and respond accordingly in accordance with our Public Task. The following services are provided through the Contact Us section for Businesses and Consumers respectively:
For businesses – Report a food concern
This section of the website is only intended for use by operators of businesses related to the food sector or local authorities and other agencies that we work with so that they can meet their legal obligations. Consumers should not contact us using webforms or other contact details in this area of the Website.
Where you 'Report a Food Safety Incident' on behalf of your organisation – we will collect your name, role, email address and the address of the organisation that you work for as well as details of the Incident. This will be referred directly to our Incidents Team who will follow up the report with your business. We use Notify.gov.uk to confirm that we have received your report and provide you with a reference.
For businesses – Find business services
For businesses and consumers – Report a food crime
If you 'Report a food crime' then the information that you provide will be transferred to and dealt with directly by the National Food Crime Unit (NFCU), which is a dedicated law enforcement function of the FSA. Information about NFCU can be found on our website. NFCU will process your information safely and confidentially in accordance with GDPR and the Law Enforcement Directive as appropriate. You can access our Privacy notice - National Food Crime Unit and Privacy notice - Criminal Investigation and Prosecution Team through links at the end of this Policy.
For business and consumers – Give us feedback
Subscribe to News, Alerts and Consultations
You have a choice about being contacted for food alerts, allergy alerts, our news and consultations. We will collect certain information from you, for example, email and password, to create an account for you, and so that you are able to consent to what you would like to receive from us and how it is delivered.
These may include updates on:
- information relating to topic/s selected in user subscription preferences
- general website / service updates
- our user surveys
Where we are processing your information on the basis that we have your consent, you can withdraw your consent at any time by updating your subscription preferences in your account or by unsubscribing to the service.
The FSA provides a range of dashboards which we compile from information that we hold to inform stakeholders about various aspects of Food and Feed Regulation and Safety. We will collect information from you when you register to access those service including name, email address, job role, employers name and password and provide you with Terms and Conditions and a Privacy Notice at the Point of Service. You can access it on the The Privacy Notice for Users Registering for Access to FSA Dashboards page.
The information we present in a dashboard, and who we share that information with, is dependent on the purpose of the dashboard. We may combine and analyse information obtained in the course of our regulatory functions, for example about sole traders and businesses, both in the UK and Internationally, together with information we have obtained from public and private sources. We may gather information from publicly available sources such as websites and make use of web scraping software to carry out our legal powers including for the purpose of helping us evaluate risk.
We do this in line with the exercise of official authority vested in us under the Food Standards Act and the performance of a task carried out in the public interest.
Other services accessed through websites that we operate
From time to time we may provide access to other services through our websites or request feedback in survey linked to through our website. Where these involve the collection of personal information, we will provide you with a specific Privacy Notice at the point of service or we may update this Policy.
How and where we store your data and who we may share it with
We treat the security of your information very seriously and only process it in accordance with our Information Security Standards and Policies. All our staff get regular mandatory training about how to handle information properly and keep it safe.
The majority of information we collect is stored and processed in the UK or the European Economic Area (EEA).
For financial, organisational or technical reasons, we may engage third parties to process data on our behalf. We will not share your personal information with any such third party unless we are satisfied that they are able to provide an adequate level of protection in respect of your personal information. We do this by taking steps to ensure that these organisations have in place suitable technical and organisational safeguards either through contracts or agreements we hold with them and/or by obtaining robust assurances from them that they operate in accordance with the UK GDPR.
We also work closely with Local Authorities and Other Competent Authorities, Government Agencies and Industry Bodies both within and outside the UK and have broad powers to share information with those organisations where it is proportionate and necessary to meet our objectives. We will only share information where we have a legal basis to do so.
Where we have a legal basis for sending or transferring personal data to third parties based in countries outside the UK, including those that process data on our behalf, we will ensure appropriate safeguards are in place in accordance with UK GDPR.
We regularly process data with third parties in the EEA. The EEA has been deemed as having adequate safeguards to meet the requirements of UK GDPR.
Where we have a legal basis to process personal data for our Law Enforcement purposes, we may also transfer data outside the UK under the provisions of Part 3 of the Data Protection Act 2018.
Also, where we transfer information to authorities or organisations in the substantial public interest, for example, around preventing or detecting crime, or monitoring and evaluating risks to Food Safety, we seek to take appropriate steps to safeguard your information in accordance with UK GDPR. We may rely on the derogations in UK GDPR where necessary for this purpose.
You have a legal right to see a copy of the personal data that we keep about you and to require us to correct any inaccuracies, subject to certain exemptions. In some circumstances, you may also have the right to:
- request that we erase any personal data held about you
- restrict our processing of your personal data (for example to ask to suspend the processing of personal information to establish its accuracy or the reasons for processing it)
- data portability (i.e. to request the transfer of personal data to a third party)
- object to our processing of your personal data
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
Where we process the personal information of data subjects located in the EU, including data collected before 1 January 2021, under provisions of the Withdrawal Agreement, we will do so in accordance with the requirements and obligations of the EU GDPR, including in relation to transfers to the extent that these are any different to those of the UK GDPR.
This privacy notice covers EU and UK citizens and will be reviewed and updated should those regulations diverge over time. Where any differences emerge we update this section to reflect how this affects the way we process your information and/or we will tell you in a specific privacy notice when we collect your data.
If you are not satisfied by the way we are processing your data or responding to a rights requests, you are entitled to raise a complaint with the ICO and/or the Supervisory Authority in your country of residence.
We provide privacy notices for the following services: