Skip to main content

Cookies on Your Defra account

We use some essential cookies to make this service work.

We’d like to set additional cookies so we can remember your settings, understand how people use the service and make improvements.

View cookies

Customer identity privacy notice

This privacy notice explains how customer identity will use and manage your personal data in your Defra account. If you have any queries about the content of this privacy notice, please email GIOSharedPlatformservices@defra.gov.uk.

Who collects your personal data

Department for Environment, Food and Rural Affairs (Defra) is the controller for the personal data we collect.

Defra is also the controller for the personal data processed when acting through the Animal and Plant Health Agency and the Rural Payments Agency.

Defra is the processor for the personal data processed for the Environment Agency and Marine Management Organisation.

If you need further information about how we use your personal data and your associated rights, you can contact the data protection manager at: data.protection@defra.gov.uk.

The data protection officer for Defra is responsible for checking that Defra complies with legislation. You can contact them at DefraGroupDataProtectionOfficer@defra.gov.uk.

What personal data we collect and how it is used

We collect your:

  • name
  • contact details
  • account access information
  • questions, queries or feedback you leave
  • IP address

We use this personal data to create your sign in details for your Defra account, which will allow you to access multiple services offered by Defra group organisations. The processing done by the specific service(s) which you use will be covered by a privacy notice specific for that service.

We may use the personal data to contact you about our services.

We collect IP addresses in logs and use necessary cookies to provide authentication journeys and authentication sessions.

How your personal data has been obtained, if from a third party

Your name and email address have been obtained as part of the login process from Government Gateway (name and email address) or GOV.UK One Login (email address).

Lawful basis for processing your personal data

The lawful basis for processing your personal data is that it is necessary for the performance of a task carried out in the public interest under common law and the implied powers of a Government Department to have a robust customer identity process and account management service when accessing Government services.

We process your personal data using a lawful basis that doesn’t require your consent. This means you can’t withdraw consent for this processing.

Who we share your personal data with

Personal data is shared by us or to us by:

  • His Majesty's Revenue and Customs (HMRC) to allow you to create and use a Government Gateway account
  • Government Digital Service to allow you to create and use a GOV.UK One Login account and for us to use GOV.UK Notify for the purpose of sending emails/SMSs for user login verification
  • Animal and Plant Health Agency, Environment Agency, Marine Management Organisation and the Rural Payments Agency to enable access to end services that you have signed up to use that they provide

We respect your personal privacy when responding to access to information requests. We only share information when necessary to meet the statutory requirements of the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

How long we hold personal data

Your personal data will be kept by us for the periods set out by the services that Defra group organisations provide through your Defra account.

If you do not finish creating your account at first registration your personal data will be deleted 3 days after you last signed in.

Where you have been invited by another user and do not complete your registration or you have requested to be associated with an organisation and your association is not confirmed, your personal data will be deleted after 30 days.

What happens if you do not provide the personal data

If you do not provide the personal data, you will not be able to use the services that Defra group organisations provide through your Defra account.

The personal data you provide is not used for:

  • automated decision making (making a decision by automated means without any human involvement)
  • profiling (automated processing of personal data to evaluate certain things about an individual)

Transfer of your personal data outside of the UK

We will only transfer your personal data to another country that is deemed adequate for data protection purposes.

Your rights

Based on the lawful processing above, your individual rights are:

Public Task
  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to restrict processing
  • the right to object
  • rights in relation to automated decision making and profiling

More information about your individual rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

Complaints

You have the right to make a complaint to the Information Commissioner’s Office at any time.

Personal information charter

Our personal information charter explains more about your rights over your personal data.

This was last updated on 25 February 2026