Use of energy data collected via the Energy Bill Relief Scheme in Great Britain and Northern Ireland: privacy notice
Published 8 November 2022
This notice sets out how we will use your personal data, and your rights. It is made under Article 13 and 14 of the UK General Data Protection Regulation (UK GDPR).
Scope
We will collect and process personal data, related to non-domestic energy information, including electricity and gas meters in Great Britain and Northern Ireland for the Energy Bill Relief Scheme (EBRS).
Personal data is information that relates to an identified or identifiable individual and only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question
- who can be indirectly identified from that information in combination with other information
Your data
The EBRS supports businesses and may capture personal data for small or micro businesses, for example, those who are operating businesses as self-employed and not operating as a limited company.
The following personal data will be:
- Meter Point Administration Number (MPAN or MPRN in NI) – electricity meter number
- Meter Point Reference Number (MPRN or MPAN in NI) – gas meter number
- business name
- meter addresses
- billing addresses
- Unique Property Reference Number (UPRN)
- aggregated meter consumption data
- data about each meter (for example profile class, energisation status)
- data about how the meter point is billed (for example contract start date, contract end date, billing cycle, tariff type and payment in arrears status)
- energy bill amount
- subsidy provided on bills
- data about the business (for example sector, turnover and organisation size)
HM Government will ensure that consumers’ privacy is safeguarded whilst enabling proportionate access to energy consumption data. Any changes to how consumer data is processed will be communicated via this privacy notice which is kept under regular review.
Purpose
We are processing these data for the following reasons:
- To enable DESNZ to deliver EBRS payments, conduct pre-check payment and post payment reconciliation.
- To conduct financial checks on EBRS payments including for assurance and the prevention, investigation, detection or prosecution of criminal offences including fraud.
- To enable DESNZ to monitor the progress and delivery of the EBRS.
- To inform the EBRS Review which will focus in particular on identifying the most vulnerable non-domestic customers and how the government will continue assisting them with energy costs.
- To allow DESNZ to monitor and evaluate the scheme to understand its impact and to inform future government policy.
Legal basis of processing
The legal basis for processing these personal data is public task.
Processing is necessary for the performance of a task carried out in the public interest, under Article 6(1)(e)) of GDPR and in the exercise of official authority vested in the Secretary of State for DESNZ. The specific public task is to allow for monitoring, assurance, fraud prevention, evaluation purposes, and scheme review of the EBRS.
Sources of your personal data
We are collecting this personal data from electricity and gas suppliers as well as the System Administrators (Elexon, Xoserve, NIEN, Northern Ireland Distribution Network Operators). We will use existing government datasets and the datasets provided by central data service providers for energy markets in Great Britain and Northern Ireland, including the Balancing and Settlement Code company (Elexon) and the Uniform Network Code company (Xoserve), to support the data, as is necessary to meet the purpose above.
Recipients
The data is being stored and used by DESNZ and will be shared with DESNZ operational partners and contractors (and if applicable their sub-contractors) where required for the delivery of the EBRS work and for the evaluation and monitoring of the scheme.
This personal data will be shared with our operational partners (for example Elexon, Xoserve, NIEN, Cabinet Office, Ofgem, Northern Ireland Authority for Utility Regulation, the Northern Ireland Regulator) and auditors PWC (Price Waterhouse Cooper) under a data sharing agreement and corresponding privacy controls for the purposes of:
- processing and assuring the validity of claims
- pre-payment checks and post payment reconciliation
- and forensic auditing and enforcement
Data will also be shared with any external evaluator appointed for the purpose of evaluating the scheme, and data processors Microsoft and Amazon Web Services.
We do not allow third parties to use this data.
We will not:
- sell or rent these data to third parties
- share these data with third parties for marketing purposes
We may share these data if we are required to do so by law, for example by court order or to prevent fraud or other crime.
Retention
We will only keep these data for as long as required to support the processing, compliance, reconciliation, monitoring, evaluation, scrutiny and review of the EBRS, as is in the public interest. These data will be securely deleted no later than 7 years after collection in line with our department policy. We recognise that this maximum retention period is longer than energy suppliers will hold these data, which reflects the additional purposes for which DESNZ is collecting and processing these data.
Automated decision making
The personal data will not be subject to automated decision making.
Security
We are committed to doing all that we can to keep these data secure. We will protect this personal information against unauthorised access, unlawful use, accidental loss, corruption or destruction.
We use technical measures such as firewalls and password protection to protect these data and the systems they are held in.
We limit access to this information to employees, agents, contractors and other third parties with a business need to know. They will only process this personal information in accordance with our instructions and are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected data breach and will notify you and the Information Commissioner’s Office as required.
International transfers
As these personal data are stored on our IT infrastructure and shared with our data storage partners Microsoft and Amazon Web Services, they may be transferred and stored securely in the UK and European Economic Area. Where this personal data is stored outside the UK and EEA, it will be subject to equivalent legal protection through the use of model contract clauses.
Customer notice
Energy suppliers must:
- make customers aware that DESNZ will be given access to these personal data and will store and securely process these data for the purposes laid out in this notice
- provide a link to customers to this privacy notice on GOV.UK
- process personal data in accordance with energy supplier licence conditions
- provide evidence to DESNZ, if requested, of execution of the above points
Your rights
You have the right to request:
- information about how these personal data is processed and to request a copy of that personal data
- that anything inaccurate in these personal data is corrected
- that any incomplete personal data are completed
- that these personal data are erased if there is no longer a justification for them to be processed
You can also:
- in certain circumstances (for example, where accuracy is contested) request that the processing of these personal data is restricted
- object to the processing of these personal data
We must comply with a request without undue delay and at the latest within one month of receipt of your request. We can extend the time to respond by a further 2 months if the request is complex or we have received several requests from the individual. We will let you know within one month of receiving your request and explain why the extension is necessary.
To exercise any of your rights contact the DESNZ Data Protection Officer.
Updates to this notice
We will update this page if the way we handle your personal data changes in anyway. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. If we update the content, the date at the top of this page will change and the detail of the change will be available in the latest updates section. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.
Information Commissioner's Office
Email icocasework@ico.org.uk
Contact form https://ico.org.uk/glo...
Telephone 0303 123 1113
Textphone 01625 545 860
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Contact details
The data controller for your personal data is the Department for Energy Security and Net Zero (DESNZ).
Contact the DESNZ DPO:
DESNZ Data Protection Officer
Department for Energy Security and Net Zero
3-8 Whitehall Place
London
SW1A 2EG