Please note where we make you aware of a Privacy notice on our website in respect of a particular research project then that Privacy Notice continues to apply.
Background to our research
The FSA aims to conduct research to the highest standards of research integrity. Our research is underpinned by policies and procedures that ensure we comply with regulations and legislation that govern the conduct of research; this includes data protection legislation such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
The Food Standards Act 1999 sets out that the main objective of the FSA is to protect public health from risks which may arise in connection with the consumption of food (including risks caused by the way in which it is produced or supplied) and otherwise to protect the interests of consumers in relation to food.
In this context, the FSA uses personal data to conduct research to inform the decisions that we make.
What is research?
Research has a special status under data protection legislation. It is important therefore to specify what we mean by research.
The FSA undertakes research across a broad spectrum of areas including food eco-systems (consumer/business behaviour); food risks; targeted surveillance and regulation; and assessing the impact of innovative technologies on food systems. The rationale for this comes through improving public health, consumer confidence and developing more flexible approaches to regulation that deliver effective assurance.
The intended benefits from FSA research can be direct, such as developing and validating innovative testing technologies that are more efficient and cost effective for industry, or indirect and much harder to measure and attribute, such as more viable new food safety standards which have positive social impacts such as lives saved, reduction in food risks, enhancement in the quality of life for vulnerable groups such as the elderly and children.
As well as carrying out research studies ourselves, we often engage trusted research organisations to provide us with additional expertise as required to ensure we have the best research and analysis available to inform our decisions.
What is personal data?
‘Personal data’ means any information which relates to or identifies an individual. This includes information which may not explicitly identify you (e.g. where your name has been removed) but which does make it possible to identify you if it is combined with other information that is readily available. For example, this might be because the information available contains a postcode, your gender and date of birth; in these circumstances it might be possible to identify you by using other information available elsewhere. Therefore, in these circumstances, we would treat the details we hold as personal information and protect it accordingly.
How will we use your personal information?
We promise to respect the confidentiality of the personal information that you, as a participant in our research, provide to us or any organisations that we have engaged to perform research on our behalf.
The FSA, and those trusted research organisations, will provide you with a Participant Information Sheet and/or Privacy Notice informing you about the information we require for each study and how we are going to use it. We will usually ask you for your informed consent when we contact you directly to ask if you would like to take part. We will not do anything with your personal information that you wouldn’t reasonably expect. We will use your information only for the purpose of the research you are participating in and we will not usually use your information or contact you for any purpose other than that research study unless you have agreed to this. We commit to keeping your personal information secure.
The FSA usually defines the scope of the research and analysis that we need to inform our decisions. We will therefore usually be the Data Controller, which means that we will decide how information for a study is collected, used, shared, stored and deleted (processed). Where we engage a research organisation to carry out the research and analysis on our behalf, they will usually be a Data Processor carrying out the research under our instruction.
We will ensure that we, or any research organisation carrying out the research on our behalf as a Data Processor, only collect only what is appropriate and necessary. We will inform you of what we are collecting and why, and only use it in line with the objectives of the research, unless you have agreed otherwise.
There are instances where two or more Data Controllers work together on a research project. Each party may control data at different stages of a research project. An example of this is where the FSA is the Data Controller for the data you have provided into our research study, whilst a research partner may also be a Data Controller for your personal information where it has obtained your agreement to contact you more broadly about other research studies that may be of interest to you, which may include but not be limited to FSA research studies.
In addition, there may be circumstances where the FSA and a research partner have jointly got a legitimate interest in the research and define that research together. In these circumstances the FSA and its partner may be a Joint Data Controller for the personal data you provide into the research project.
In all circumstances where two or more controllers work together on a research project, the organisations have agreements and/or contractual arrangements in place which document how they have agreed to share their responsibilities and how they will safeguard your personal information. The involvement and respective responsibilities of the organisations will be detailed in the Participant Information Sheet or a project specific Privacy Notice made available to you by or on behalf of each Data Controller.
Special category personal data
The FSA, or any trusted research organisation carrying out research on our behalf, may process some information about you that is considered to be ‘sensitive’, this is called ‘special category personal data’. This may include information concerning your ethnicity; sexual orientation; gender identity; your religious beliefs; or details about your health or about past criminal convictions. This will, of course, be for a research project dedicated and relevant to that field.
Access to, and the sharing of, this more sensitive personal data is carefully controlled and you will be specifically informed about this in your Participant Information sheet or project specific Privacy Notice.
What safeguards do we have in place to protect your personal information?
In order to protect your rights and freedoms when using your personal information for research and to process special category information the FSA must have special safeguards in place to help protect your information. We have the following safeguards:
Policies and procedures that tell our staff how to collect and use your information safely.
Training which ensures our staff understand the importance of data protection and how to protect your data.
Security standards and technical and organisational measures as required by the DPA 2018 that ensure your information is stored safely and securely.
Established ethical standards for scrutinising our research objectives.
Procurement policies and processes that ensure third parties engaged by us in relation to research studies adhere to appropriate standards.
Contracts with organisations carrying out research on behalf of the FSA including confidentiality clauses to set out each party’s responsibilities for protecting your information.
Data protection impact assessments on high risk projects to ensure that your privacy, rights as an individual or freedoms are not affected.
We endeavour to always use research organisations based in the UK or Europe. However, where this is not possible for financial, technical or organisational reasons, we will ensure that they have adequate safeguards in place and engage them under contractual clauses or ensure they are part of privacy and security schemes such as the Privacy Shield in the US.
In addition to the above safeguards the DPA 2018 also require us to meet the following standards when we conduct research with your personal information:
(a) the research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).
(b) the research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a research ethics committee.
The lawfulness of using your personal data
Research undertaken by the FSA is compatible with our statutory functions:
The Food Standards Act 1999 s8 (1) denotes that the FSA has the function of “obtaining, compiling and keeping under review information about matters connected with food safety and other interests of consumers in relation to food.”
The Food Standards Act 1999 s8 (1) para 2) denotes “That function includes (among other things)—
(a) monitoring developments in science, technology and other fields of knowledge relating to the matters mentioned in subsection (1);
(b) carrying out, commissioning or co-ordinating research on those matters.”
The lawful basis for the FSA processing personal data for research is therefore established in GDPR Article 6(1)(e) as necessary for the exercise of a Public Task and where we collect sensitive personal information in Article GDPR 9(2)(g) and the DPA 2018 Schedule 1 Part 2 s.6 (2) Government Purposes (Substantial Public interest condition).
Furthermore, because our research purposes are compatible with our statutory functions then the we are also able to rely on GDPR Article 9(2)(j) where processing is necessary for archiving in the public interest, scientific or historical research purposes or statistical purposes.
Should any of the research specifically relate to criminal convictions or offences then GDPR Article 10 and corresponding principles in DPA 2018 would also apply to our processing as an official authority.
Who will my personal information be shared with?
Members of the FSA research team who conduct research with you directly are likely to get the your information primarily in a way that we can identify you as a participant, for example when you complete a survey or take part in an interview. However most personal information used in research will be pseudonymised before sharing more widely, or anonymised before publishing the research outcomes.
Where we engage a research organisation to do the research on our behalf, usually as a Data Processor, reports and information that are passed to us by them will generally be anonymised, unless you have been made aware and agreed that your personal information will be passed to us. For example, where we would like to follow up any research performed on our behalf directly with you, we will only do this with your agreement.
Where it is necessary to work with other researchers for the purpose of achieving the research outcomes, you will be provided with information about this in your Participant Information Sheet or project specific Privacy Notice, which will describe how your data will be used and shared. Information shared will be on a need to know basis, not excessive and with all appropriate safeguards in place to ensure the security of your information.
If you have any further questions about the way an FSA research project will be carried please contact the research team that you are involved with.
Under data protection legislation you have individual rights in relation to the personal information we hold about you. The extent to which these rights apply to a particular research study may vary and that in sometimes rights may be restricted. Examples are where such individual rights would seriously impair research outcomes or after a point at which the research has been anonymised and published.
However, where restrictions do not apply you have the right to:
access your personal information
correct any inaccurate information
erase any personal information
restrict or object to our processing of your information
move your information (portability)
It is important to understand that if it is considered necessary to refuse to comply with any of your individual rights, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner.
For how long is my information kept?
All our researchers/research organisations are asked to de-identify (anonymise), pseudonymise (remove identifiers such as your name and replace this with a unique code or key) or delete personal information collected as part of their research at the earliest opportunity.
On some research projects we cannot de-identify the information as it is necessary for achieving the outcome of the research. For such projects, we store your personal information as part of the research for the duration of the project and for a defined period after the project has ended.
Information where you can be identified will, as such, be kept for a minimum amount of time and in accordance with the research objectives.
You will be informed in the Participant Information Sheet or project specific Privacy Notice about the retention of your information.
Who can I contact?
Our Data Protection Officer in the FSA is the Information Management and Security Team Leader who can be contacted at the email address below.