Skip to main content

Privacy Notice for COVID-19 Plant and FBO Incidents

Information on the COVID-19 Plant and Food Business Organisation (FBO) Incidents privacy policy, why we require data, what we do with the data and your rights.
Last updated

The Food Standards Agency will be what is known as the ‘Controller’ of the personal data you have provided to us, for example your name and contact details.  

The Public Health Authority leading the incident will be ‘Controller’ for any information that you provide them with directly and any test data including your results.  

The Department of Health and Social Care privacy notice provides detailed information on privacy implications of testing processes carried out by Health Authorities. 

Department of Health and Social Care privacy notice also contains links to the Privacy notices of Health Authorities in Wales, Scotland and Northern Ireland.  

Introduction 

Plants have an obligation have to self-report COVID-19 cases involving their own staff to the Public or Local Health Authority who will then take a lead on the incident.  

The Lead Health Authority, depending on local circumstances, may require the FSA to provide names and contact details of FSA staff who are established to have been on site in the relevant timescale to the Lead Health Authority so that they can coordinate the testing and results. 

We would ordinarily expect the Lead Health Authority to communicate test results back directly to staff and provide the FSA only with anonymised data, however it may be possible in some incidents that, where the communication of the results is delayed, we may request that the Health Authority provides the FSA with the individual results so that we can inform staff of their results for their own well-being and the well-being of their family members and colleagues and also so the FSA can continue to meet its statutory obligations of attending FBO’s premises.     

This notice is intended to deal with such incidents and supplements the HR COVID-19 Manager and Staff Information Pack on the FSA intranet and the “Privacy notice - HR staff data” on the FSA website all of which continue to apply in setting out how data is otherwise collected and used. 

Why we need it 

We need your name and contact information and will provide them to the Lead Health Authority where required so they can identify results associated with the incident, contact you with your result and take urgent measures to contain the incident as required.  

In the event, or where there is any likelihood, of a delay by the Lead Health Authority in communicating test results back directly to staff, we may request that the Lead Health Authority provides the FSA with the individual results so that we can inform staff promptly. 

We would do this for the following reasons: 

  1. In the interests of the safety and well-being of our own staff and subcontractors we have to be mindful to act quickly to minimize the risk of an outbreak among our own staff and subcontractors and minimize the disruption to our staff in their daily life. 

    Once staff have taken a test this can have implications such as:
    • having to self-isolate themselves
    • whether household members can go to work, or children are permitted to attend school
    • impact on well-being as the situation clearly can be stressful
       
  2. In adherence of the advice and guidance of the Public Health Authorities in respect of the incident and public duty obligations that that places us under.    

     

  3. So that we may fulfill our ongoing statutory obligations to regulate Plants/FBO’s. 

     

  4. To minimise uncertainty for staff and the FSA for reasons outlined above and in circumstances where an incident may quickly attract media coverage. 

     

Where we process the data as described we do so to fulfill our legal obligations in carrying out our public task, for reasons of public interest in the area of public health, for employment purposes and in line with our Data Protection and Human Resources Policies and HR COVID-19 Manager and Staff Information Pack on the FSA intranet. 

What we do with it 

We provide your name and contact details to the Lead Health Authority, where required for the reasons set out above. 

We would ordinarily expect the test results to be communicated directly by Public Health to Staff but any test results we receive will be communicated to the individual concerned through line management in the best interest of the individual and enabling the FSA to safeguard its staff and continue with its public duties as set out above.  Once the test results are received processes around self- isolation, updating HR systems, sickness and absence are outlined in the HR COVID-19 Manager and Staff Information Pack on the FSA intranet.  

Where results are communicated directly to staff by Public Health and we receive only anonymised information then we will use that information to evaluate what safeguarding measures the FSA may be required to take and liaise with staff in accordance with HR guidance.  

We retain the personal information only for as long as necessary to carry out these functions, and in line with our retention policy.  

All the personal data we process is located on servers within the European Union. Our cloud-based services have been procured through the government framework agreements and these services have been assessed against the national cyber security centre cloud security principles. 

No third parties have access to your personal data unless the law allows them to do so.  

The Food Standards Agency will sometimes share data with other government departments, public bodies, and organisations which perform public functions to assist them in the performance of their statutory duties or when it is in the public interest. 

Your rights 

You have a right to see the information we hold on you by making a request in writing to the email address below. If at any point you believe the information we process on you is incorrect you can request to have it corrected. You may also in certain circumstances ask for your data to be erased. If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. 

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).