Personal information charter

This charter covers Defra, Animal Plant Health Agency, Centre for Environment, Fisheries and Aquaculture Science and Veterinary Medicines Directorate.


This charter covers the following organisations:

  • Department for Environment, Food and Rural Affairs (Defra)
  • Animal Plant Health Agency (APHA)
  • Centre for Environment, Fisheries and Aquaculture Science (Cefas)
  • Veterinary Medicines Directorate (VMD)

It sets out what customers, contractors and employees can expect when we ask for, or hold, your personal information.

It applies to any associated website, application, product, software or service.

Privacy notices

More detailed information on how we manage personal data for each of our functions is included within our privacy notices for:

When we make changes, we will update the relevant privacy notice.

Charters for other Defra group organisations

We have also published charters for the following Defra group organisations:

Who collects your personal data

Defra is the controller for the personal data you give us when acting through APHA, Cefas and VMD who are executive agencies and part of the Defra legal entity.

If you need further information about how we use your personal data and your associated rights you can contact the relevant data protection manager at:

The data protection officer for Defra, APHA, Cefas and VMD is responsible for checking that we comply with legislation. You can contact them at [email protected] or at the above address.

APHA also works closely with the Scottish and Welsh Governments. We are joint controllers for any relevant personal data.

What you can expect from us, and what we ask from you

We need to handle personal data about you so that we can provide better services.

Your personal data is protected by the Data Protection Legislation which is the collective term for the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

High standards in handling personal data are important to us because they help us keep the confidence of everyone who deals with us.

So, when we ask you for personal data, we will process your personal data in line with our privacy notices.

In return, we ask you to:

  • provide us with accurate information
  • tell us as soon as possible if there are any changes, such as a new address
  • let us know, at time of writing, if you would like your correspondence or enclosed documents returned to you

This helps us to keep your personal data reliable and up to date, and ensures your correspondence is returned if requested.

What personal data we collect

The types of personal data that we process will depend on the contact that you have with us. Types of personal data that we process include:

  • name and contact details
  • family, lifestyle and social circumstances
  • financial details
  • employment and education details
  • goods or services provided
  • education and training details
  • sound and visual images
  • licenses or permits held
  • complaints
  • information relating to health and safety

We process sensitive information that may, where necessary, include:

  • physical or mental health details
  • racial or ethnic origin
  • political, religious or other beliefs of a similar nature
  • trade union membership
  • sexual life
  • genetic data
  • biometric data

We also process information relating to criminal convictions and offences including:

  • offences and alleged offences
  • criminal proceedings, outcomes and sentences
  • criminal intelligence

How we use your personal data

We process your personal data in several ways to deliver public services. We will aim to inform you at the point of collection via privacy notices:

  • the reasons why we need your personal data
  • how your personal data is being collected
  • what we will do with it and who we will share it with

In some cases, we may pass it on to our service providers, agents or representatives to do these things on our behalf.

How we use personal data for law enforcement purposes

We regulate activities that may impact the natural environment and investigate environmental offences. As part of our role as an environmental regulator, we process personal data under Part 3 of the Data Protection Act 2018 to:

  • detect and prevent crime
  • take enforcement action
  • prosecute and apprehend offenders

We may collect and process personal data about you when investigating alleged environmental offences as a data controller. This may include special category personal data, such as health or ethnic origin, where it is necessary for our law enforcement purposes.

If we process your personal data for law enforcement purposes, we:

  • may include it in press releases about prosecutions
  • will not disclose it to any other party without your explicit consent unless it is lawful to do so
  • do not use it to make an automated decision or for automated profiling
  • retain it in line with our retention schedule - this takes into account the type, content and sensitivity of your personal data

Legislation governs our activities as the environmental regulator. This gives us authority to investigate suspected or alleged offending. Our lawful basis for processing your personal data under the data protection legislation is that it is necessary for performing tasks carried out for law enforcement purposes as a competent authority.

Who we share your personal data with

We share or disclose personal data where we are required to do so by law or to provide services to fulfil our statutory duties and public tasks. Where we know there is a requirement to share your personal data, we will tell you, through privacy notices, why and who we will share your personal data with. We will ensure that the data processor agrees to handle your personal data in accordance with your rights.

When we publish personal data

As a public body we are required to be transparent about the use of money, for example, and in some cases this may require the publication of personal data. Personal data published in these cases will balance the need for transparency against your privacy rights.

Examples where we publish personal data are:

  • senior executive salaries
  • public registers
  • publication of information related to recipients of public funding such as grants, direct payments, agri-environment and financial assistance schemes

We may have to release personal data and commercial information under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

Anonymised or non-personal data may be shared in support of public tasks, and where possible disclosed under an Open Government Licence.

How long do we hold personal data

As a public body we retain personal data for assorted reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Retention periods are set in line with statutory, regulatory, legal, security reasons or for their historic value.

What happens if you do not provide the personal data

If you do not supply the requested personal data, it is more than likely that the service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example, not complying with specific legislation.

We try to ensure that we only collect the minimum personal data that is necessary for us to offer the services to you.

Use of automated decision-making or profiling

Your personal data may be subject to automated decision making. You will be informed, through privacy notices, where automated decision making applies including profiling, and the possible consequences of such processing.

Use of artificial intelligence (AI)

Your personal data may be processed using AI. Where AI processing is being considered, data protection impact assessment screening questions are compulsory. A privacy notice will be published or amended to ensure transparency.

  • the processing of personal data by AI will only be permitted where alignment with the data protection legislation can be evidenced
  • appropriate safeguards are in place to protect your rights and freedoms.

Transfer your personal data outside of the United Kingdom

Defra will only transfer your personal data to another country that is deemed adequate for data protection purposes. If your personal data is processed outside the United Kingdom, you will be informed, through privacy notices, of this and the additional safeguards that are in place.

Your rights

Find more detail about your individual rights under the Data Protection Legislation.

My details are inaccurate or incomplete

If you discover that the personal data we hold about you is inaccurate or incomplete, contact us using the contact details in the 'How to contact us' section so we can update your records.

When doing so, explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period by an extra 2 months if the request is complicated.

Where we maintain that the original personal data held was accurate, we will explain why. If you do not agree, you can ask us to reconsider or you have the right to complain directly to the Information Commissioner’s Office (ICO).

Please provide the personal data you hold on me

You can ask to see what data we hold about you. This is called a ‘subject access request’:

On receipt of your request we will acknowledge it and may ask for proof of your identity.

When you ask to see personal data we hold, it is helpful to include as much personal data as possible to help us find the data you want. For example, tell us the functions, schemes, or transactions and dates that you want to know about.

We will respond within one month but may extend this period by an extra 2 months if the request is complicated. If we decide that the costs or resources to provide you with all the data requested are excessive, due to its volume, we may have to refuse your request.

You have the right to request that we stop processing your personal data and that we delete the personal data that we hold at any time.

However, we may not be able to agree to your request should the data be required to comply with a legal obligation, performance of a contract, public interest task or exercise of official authority.

We may also refuse your request for public health purposes, the exercise or defence of legal claims, or archiving purposes in the public interest, scientific research, historical research or statistical purposes.

Where this is the case, we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.

How to contact us

For day-to-day use, please contact the team you are already communicating with. They are best placed to manage general enquiries or to update the accuracy of your personal data or provide you with information.

However, if they cannot help you, or you have a complaint about how your data is being handled, please use the following contact, making it clear which right you wish to exercise:

Make a complaint

If you’re unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO) who are regulators.

Authorise a third party to access your data or act as your representative

We keep our Personal Information Charter under regular review. This Personal Information Charter was last updated on 19 December 2024.