Changes to the site mean you can have access without needing to register or to log in

OF&G & OF&G (Scotland) Privacy Notice

Date Published: 29/05/2018

On 25 May 2018, the way in which we are required to treat your personal data is changing, as a result of the EU General Data Protection Regulation (GDPR).

We take your privacy very seriously. Please read our privacy notice below or download it HERE.  It contains important information on how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

We use your personal data primarily to provide certification services to you, but also for related purposes, as described in our privacy notice.

Our use of your personal data is subject to your instructions, the GDPR, other relevant UK and EU legislation and our professional duty of confidentiality. Please contact us by post, email or telephone if you have any questions about the privacy notice or the information we hold about you.

Privacy Notice

OF&G Privacy Notice

Date of last revision: 25 May 2018


This Privacy Notice describes how OF&G and OF&G (Scotland) (collectively OF&G) uses and takes care of the personal information that we collect.

At OF&G we take the privacy and security of your personal information very seriously. We will never sell your information to third parties and the sensitive business information you provide will be treated as ‘commercial in confidence’ by us. We commit to protect and respect any personal information you share with us, or that we legitimately get about you from other organisations. We will be clear when we collect your information and not to do anything you wouldn’t reasonably expect.


1. Scope

2. Who we are and how you can contact us

3. What we use personal information for

4. Our lawful bases for processing personal information

5. Where we collect information about you from

6. What personal information we collect

7. Sharing of your personal information to third parties

8. How we keep your personal information safe

9. How we keep your information up to date

10. How long we retain personal information

11. Your choices and your rights

12. Changes to this Privacy Notice

1. Scope

This Privacy Policy only applies to OF&G’s activities and its website.

Where links are provided from our website to third party websites or partnership websites, OF&G is not responsible for those websites and a link to them does not imply endorsement.

This Privacy Policy shall be governed by the laws of England and Wales.

2. Who we are and how you can contact us

OF&G is a UK Control/Certification Body that is approved by the UK government (Defra) to inspect and certify converting/organic farms and food production facilities. OF&G is also appointed by the Renewable Energy Assurance Ltd to inspect and certify compost and anaerobic digestion facilities and appointed by the Forestry Commission and IUCN to validate and verify the Woodland Carbon Code and Peatland Code respectively. OF&G is a Community Interest Company that is funded through fees paid by its licensees. Our aim is to help support and develop the organic and sustainable land use businesses.

You can find out more about us at . Our office is in Shropshire, United Kingdom.

If you have a query and you think you know the team or person you want to contact then visit for further details.

Alternatively you can write to Angela Norman, Office Manager, OF&G, Old Estate Yard, Shrewsbury Road, Albrighton, Shrewsbury, Shropshire SY4 3AG or email to

The independent supervisory authority in the UK to uphold information rights is the Information Commissioner’s Office (ico). Details on how to contact the ico can be found at

3. What we use personal information for

At OF&G we collect and use personal information for the purpose of delivering a robust and effective certification control system.

Should we be unable to contact and communicate with our licensees we would be unable to fulfil our statutory responsibilities as a certification body.

We use the personal information we collect for the following:

Licensees/operators for certification and inspection purposes;

  • To enable OF&G to carry out its activities on behalf of Scheme Owners and Defra;
  • To contact our licensees and stakeholders to inform them about changes to the certification schemes we operate;
  • To contact our licensees and stakeholders to provide guidance and updates;
  • For business purposes to administer our contractual obligations.

OF&G employees and potential employees

  • For recruitment purposes prior to entering into an employment contract
  • During employment for normal employment contract purposes including the provision of contracted pay and benefits, and to meet the requirement of tax and employment laws
  • For health and safety, holiday, sickness and absence records
  • To keep employees informed about what is going on in the organisation

4. Our lawful bases for processing personal information

‘Certification’ – as a Control/Certification Body processing personal information is necessary in order to carry out our duties as required by the European Organic Regulation (EC) 834/2007 and other non-regulatory schemes that we operate.

‘Contract’ – where we have contractual relationships with suppliers, customers and employees processing is necessary to administer the pre-contract and contractual obligations for the performance of a contract

‘Legitimate Interest’ – where we use our employees personal information in ways they would reasonably expect to keep them informed and to run the business

‘Legal Obligation’ – we process and share some information because it is necessary to comply with laws and regulations to do with running an organisation and employing staff, such as health & safety legislation, tax laws, human rights and employment laws, etc.

‘Vital Interest’ – we process some sensitive information on health and disability provided to us by employees to enable us to respond in the most appropriate way in the event of a medical emergency.

‘Consent’ – the provision of information to consumers, which may include direct marketing, will be done when the data subject has consented to the processing of his or her personal data for one or more specific purposes. Consent will also be used for the main subject of photography and recording (video and audio).

5. Where we collect information about you from

We collect personal information in the following ways:

When you give it to us directly

You may give us your personal information as required by the certification schemes you are applying for, when you provide feedback or sign up on- or off-line to receive information, or when you apply to work for OF&G, when you complete your employee contract pack or when you join one of our committees, panels or boards.

From third party organisations

Your information may have been shared with us by third parties. These third parties may be public sector organisations such as the Rural Payments Agency and the Food Standards Agency or other Control/Certification Bodies, where information has been shared to help enable OF&G to fulfil our statutory functions. We may get data from third party organisations to whom you may have provided permission through your privacy settings or the responses you have given them. We will be passed personal information on potential employees or temporary staff by employment agencies.

When it is available publicly

We may supplement the information you provide with data from the public domain, such as Companies House and other public databases.

From social media

Depending on your settings for social media and messaging services like Facebook and Twitter, you might give us permission to access information from those accounts or services.

When you use our website

Like most websites, ours use ‘cookies’ to help us make our websites, and your user experience, better. Cookies mean that a website will remember you. They are small text files that sites transfer to your computer/tablet/smartphone and make interacting with a website faster and easier. There are more details in our Cookie Policy at

We will also track the Internet Protocol (IP) address used to connect your computer to the Internet; computer connection information such as browser type and version; and time zone setting, browser plug-in types and versions; operating system; download history, which we sometimes aggregate with similar information from other contacts to improve the navigation and services we provide. During some visits we may use software tools such as JavaScript to measure and collect session information, including page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

6. What personal information we collect

Personal Information” is information that identifies you as an individual or relates to an identifiable individual. Personal Information we may collect through certification activities, event booking and feedback forms, sign-up forms, surveys, websites, public databases and third parties includes:

  • Your title, first name, surname, business name, postal address and postcode, email address, telephone and mobile numbers
  • Your social media handles
  • Bank/direct debit details
  • Supplier bank details
  • Field locations, livestock details and ownership
  • Processing operations including locations and products
  • Information regarding your dealings with us including details of your attendance at events and engagement with our programmes
  • Any preference you have in relation to our publications and services
  • Any information you may voluntarily submit to us by completing any paper or web-based form or job application
  • Details of your visits to and usage of our websites
  • Details of whether you have opened our emails, clicked on a link or watched our videos
  • Membership of panels, committees, bodies and organisations
  • In some instances we may also request demographic information.
  • As an employee we collect and process information to enable us to fulfil our contract with you and to meet legislative requirements; this includes your home address and contact details, bank account information, CV and references, driving licence details, some medical information where appropriate, date of birth, sex, ethnicity, pay, sickness, next of kin.

7. Sharing of your personal information to third parties

OF&G will never sell your personal information to third parties and we will not release your personal information to any company outside of OF&G for mailing or marketing purposes, unless you have positively opted in to allow this.

We may disclose your personal information to third parties for the following reasons:

  • As part of the certification service we deliver
    • To provide information as required to Department for Environment, Food and Rural Affairs (Defra) or its equivalents in the Devolved Administrations as required by the European Organic Regulation (834/2007)
    • To provide information to the ‘scheme owners’ within the framework of the various certification schemes we deliver
  • As part of the service delivery involving reputable suppliers
    • To help deliver of our events, for example to facilitate registration or payment. If it is a joint event and delegate contact information is to be made available to the other organisation you will be asked to consent to the proposed uses at the time you register for that event
    • To deliver employee services and benefits such as pensions, life insurance, private health schemes, occupational health schemes, vehicle leasing and insurance
    • OF&G requires all such third parties to treat your personal information as fully confidential
  • If required, for regulatory or animal/plant health purposes, we will share information with the Chemicals Regulation Division (CRD), Health & Safety Executive (HSE), Animal & Plant Health Agency (APHA), Food Standards Agency (FSA), The Rural Payments Agency (RPA) and the Environment Agency (EA) to enable them to assess risk and contact you accordingly
  • If required to respond to requests from courts or law enforcement agencies

8. How we keep your personal information safe

We ensure that there are appropriate and proportionate controls in place to protect your personal information. For example we use encryption, where appropriate, and we store data within OF&G’s secure network and cloud environment. Both of these are independently audited. We also limit and control who has access to the personal information we hold.

Where we use third party suppliers or partners to process personal data we put a contract in place that sets out our expectations and requirements, especially regarding how they manage and securely transfer the personal information and fully comply with all applicable UK Data Protection.

OF&G’s own systems and storage are within the European Economic Area (EEA). Some of our suppliers or partners process personal information on our behalf outside the EEA, where a recognised data security protocol is in place between the EU/UK and the third country (eg the EU-US Privacy Shield). 

9. How we keep your information up to date

We use information you provide to us through your various interactions with OF&G to keep your personal information up to date.

We also use sources such as postcode look-up to ensure we have the correct address for you, Companies House, and information provided to us by other organisations as described in section 5 to maintain and improve the information we hold.

We really appreciate it if you let us know if your contact details change by emailing us at

10. How long we retain personal information

We will retain your personal information for no longer than necessary for the purpose it was obtained, unless a longer retention period is required or permitted by law.

It is our intention to publish our Personal Information retention schedule before the end of September 2018 as an annex to this Privacy Notice.

11. Your choices and your rights

By law you have certain rights over your personal data that we hold about you and these are summarised below. Some of the rights are complex and not all the detail is included in our summaries, you should therefore read the relevant guidance on the Information Commissioner’s Office website:

To enquire about exercising any of these rights please contact the Data Protection Officer using the details given in section 2. We may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Access: You (data subjects) have the right to ask for a copy of the personal information held about you – known as a Subject Access Request (SAR). Responses are usually made within 30 days, unless an extension is required.

Rectification: You have the right to ask us to correct any errors in the personal information held about you.

Objection: You have the right to make an objection (based on your specific situation) to how we are processing or profiling your personal information.

Erasure: Please note that the personal information we hold for ‘public task’ purposes is not eligible for erasure. Personal information obtained through consent is eligible and each request we receive will be treated on a case-by-case basis. It should be noted that we will retain enough information to ensure the individual is not contacted again. On occasion, some data may also have to be retained for legal record-keeping purposes and we will always inform you when this is the case.

Withdraw consent: Where processing information is based on your consent, then that consent can be withdrawn at any time. However, OF&G is required within certainly regulatory frameworks to provide information regarding its licensees.

Make a complaint: You also have the right to lodge a complaint with the UK’s independent supervisory authority for upholding information rights – the Information Commissioner’s Office (ico). Details on how to contact the ico can be found at

12. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. The effective date of this Privacy Notice, given at the beginning, indicates the last time this Notice was revised. If we make any significant changes in the way we treat your personal information we will communicate this to you.