While data is a hot topic in farming regarding who owns it and how it’s used, the concept of adhering to best practice with personal data is a different kettle of fish altogether and can often be overlooked. CPM speaks to experts about its importance.
“If you don’t know what personal data you’re using, then how can you apply appropriate protection and handle it in accordance with the law?” TORI LETHABY
By Janine Adamson
As technology advances to enable greater data gathering and intelligence sharing in agriculture, questions arise regarding the potential risks associated with its security, sharing and associated liability.
From agronomic records and yield monitoring, to financial information and weather patterns, the amount of data that farms collect, use and generate, continues to build.
While the formation of Farm Data Principles (formerly the British Farm Data Council) strives to address concerns through a commonly recognised standard of data care, security and ownership, there’s another swathe of information being managed by growers – personal data.
And it’s this data pillar that legal experts believe is often overlooked or misunderstood when it comes to farm administration and management.
Kate Woolley is a senior associate at legal firm Knights and specialises in all aspects of data protection law. She says in the simplest sense, personal data is any information which identifies directly, or indirectly, an individual.
“It includes the obvious – name, home address, date of birth, email – but also involves business contact details, location data, CCTV footage, visitor badge information, job application details and employee information.
“Within farming especially, for the likes of harvest workers, it can feature proving right to work eligibility such as a copy of a visa or passport. This often involves the collection of special category data which can reveal race or ethnicity, adding an additional layer of complexity in how it should be handled and protected,” she explains.
But why does how personal data is managed matter at all? In short, because the UK has an existing legal framework for its protection, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (UK data protection laws).
Although growers may assume UK data protection laws only apply to large companies and visible brands, this isn’t the case. They apply to anyone who processes personal data, which includes collecting, recording, organising, using, storing, sharing or erasing personal data of any living person.
To be compliant with UK data protection laws, personal data must be:
- Used fairly, lawfully and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
If found to be in breach of UK data protection laws, Kate says the fines can be significant for cases of serious non-compliance. “But beyond this, a lot of money can be lost through interruption of service during an investigation by the Information Commissioners Office (ICO), which deals with UK-based breaches and complaints.
“For example, being unable to utilise a customer email database to invite the public to a farm event or open day, or to promote a special farm shop offer,” she points out.
Tori Lethaby, partner at Knights, adds that while there may be justifiable reason for why growers captured personal data in the first place, it’s how such data is handled after which is the critical part. Equally, when it comes to employees, what begins as good intention from an employer, can often incur risk if appropriate compliance measures haven’t been put in place.
“For example, the use of tracking or monitoring devices on machinery assets as crime deterrents, or CCTV on or within premises, could be viewed as privacy intrusive to members of staff who are being monitored or their image recorded as a consequence – even if unintentionally. In particular, if the monitoring data or CCTV footage reveals an incident of misconduct which results in disciplinary measures or worse.
“While this could be seen as key evidence from an employer’s perspective, if appropriate compliance measures aren’t in place – such as a data protection impact assessment, having a CCTV or monitoring policy, displaying visible CCTV signage, and providing an employee privacy policy which clearly explains the nature of the monitoring and its possible uses – then the employer may not be able to rely on the evidence at all.”
And of course, if personal data is stored incorrectly or without adequate security measures, it’s at risk of attack by third party hackers (see box), she suggests.
So what are some of the simplest actions farmers can take to improve the robustness of their personal data storage and handling? According to Tori, an easy step is to start keeping records. “We recommend that all of our farming clients keep records of the data being handled, often referred to as ‘records of processing activities’.
“Because if you don’t know what personal data you’re using,then how can you apply appropriate protection, handle it in accordance with the law, or, if the worst case scenario happens, deal with a potential personal data breach effectively?
“A record of processing activities is a core compliance document and more than likely one of the first things that the ICO will ask for during an investigation,” she says.
Kate adds that the lifecycle of personal data should also be understood. “With certain clients there can be a tendency to want to keep data forever, sometimes in paper format, but under the UK GDPR that could be perceived as unnecessary and exposing the business to risk.
“An example being job applications for seasonal work – these are something that can be archived and kept well beyond their means.”
Once all personal data being captured on-farm has been identified, subsequent core data protection-related policies and procedures can then be created, comments Tori. These include a data protection policy, external and employee privacy notices, a data retention policy/schedule, a data breach management policy, and a procedure and data subject requests policy.
While all of this may seem daunting and in some ways excessive, Tori says the ICO’s website has plenty of information and toolkits to assist with all aspects of UK data protection compliance, in particular, under its ‘advice for small and medium organisations’ section.
Equally, she explains that it’s something Knights regularly helps its farming clients with. “If you’re concerned or have identified a personal data-related problem, get some legal help, whether that’s us or other sources of assistance.
“At Knights particularly, we offer fixed packages for SMEs which help businesses to keep control of what they investment in this. All businesses will be processing personal data whichever sector they operate, so it’s critical that handling such data in accordance with UK data protection laws is made a priority.”
This article was taken from the latest issue of CPM. Read the article in full here.
For more articles like this, subscribe here.
Sign up for Crop Production Magazine’s FREE e-newsletter here.
