Notice

Use of energy data collected via the Energy Bills Discount Scheme in Great Britain and Northern Ireland: privacy notice

Published 25 September 2023

This notice sets out how we, the Department for Energy Security and Net Zero (DESNZ), will use your personal data, and your rights. It is made under Article 13 and 14 of the UK General Data Protection Regulation (UK GDPR).

Scope

We will collect and process personal data, related to non-domestic energy information, including electricity and gas meters for the Energy Bill Discount Scheme (EBDS) baseline discount, Energy and Trade Intensive Industries (ETII) discount, and Heat Network discount.

Personal data is information that relates to an identified or identifiable individual and only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question
  • who can be indirectly identified from that information in combination with other information

Your data

The EBDS supports businesses and may capture personal data for small or micro businesses, for example, those who are operating businesses as self-employed and not operating as a limited company.

The following personal data will be collected:

  • Meter Point Administration Number (MPAN or MPRN in NI) – electricity meter number
  • Meter Point Reference Number (MPRN or MPAN in NI) – gas meter number
  • business name
  • meter addresses
  • billing addresses
  • Unique Property Reference Number (UPRN)
  • aggregated meter consumption data
  • data about each meter (for example profile class, energisation status)
  • data about how the meter point is billed (for example contract start date, contract end date, billing cycle, tariff type, volume reading method and payment in arrears status)
  • energy bill amount
  • discount type eligibility (whether the meter belongs to an ETII or QHS)
  • subsidy provided on bills
  • data about the business (for example sector, turnover and organisation size)
  • data about the business from an overseas company database if needed (for example, to confirm a company director)

HM government will ensure that consumers’ privacy is safeguarded whilst enabling proportionate access to energy consumption data. Any changes to how consumer data is processed will be communicated via this privacy notice which is kept under regular review.

Purpose

We are processing these data for the following reasons:

  1. To enable DESNZ to deliver EBDS payments, conduct pre-check payment and post payment reconciliation.
  2. To conduct financial checks on EBDS payments including for assurance and the prevention, investigation, detection or prosecution of criminal offences including fraud.
  3. To enable DESNZ to monitor the progress and delivery of the EBDS.
  4. To inform the DESNZ Review which will focus in particular on identifying the most vulnerable non-domestic customers and how the government will continue assisting them with energy costs.
  5. To allow DESNZ to monitor and evaluate the scheme to understand its impact and to inform future government policy.

The legal basis for processing these personal data is public task.

Processing is necessary for the performance of a task carried out in the public interest, under Article 6(1)(e)) of GDPR and in the exercise of official authority vested in the Secretary of State for DESNZ. The specific public task is to allow for monitoring, assurance, fraud prevention, evaluation purposes, and scheme review of the EBDS.

Sources of your personal data

We are collecting this personal data from electricity and gas suppliers as well as the System Administrators (Elexon, Xoserve, NIEN, Northern Ireland Distribution Network Operators). We will use existing government datasets and the datasets provided by central data service providers for energy markets in Great Britain and Northern Ireland, including the Balancing and Settlement Code company (Elexon) and the Uniform Network Code company (Xoserve), to support the data, as is necessary to meet the purpose above.

Recipients

The data is being stored and used by DESNZ and will be shared with DESNZ operational partners and contractors (and if applicable their sub-contractors) where required for the delivery of the EBDS work and for the evaluation and monitoring of the scheme.

This personal data will be shared with our operational partners (for example Elexon, Xoserve, NIEN, Cabinet Office, Ofgem, Northern Ireland Authority for Utility Regulation, the Northern Ireland Regulator), Deloitte, Ernst & Young Global Ltd and auditors PWC (Price Waterhouse Cooper) under a data sharing agreement and corresponding privacy controls for the purposes of:

  • processing and assuring the validity of claims
  • pre-payment checks and post payment reconciliation
  • and forensic auditing and enforcement

Data will also be shared with contracted external evaluators (IFF Research, Technopolis and Cambridge Econometrics) for the purpose of evaluating the scheme. These contracted providers might also use this data to contact you to conduct research and evaluation about the service so we can deliver the scheme effectively and analyse the impact of the scheme. Any research is voluntary, and you would have the right to withdraw at any time using the contact details provided by the contracted provider at the time of the research request.

Data will also be shared with data processors Microsoft and Amazon Web Services.

We do not allow third parties to use this data.

We will not:

  • sell or rent these data to third parties
  • share these data with third parties for marketing purposes

We may share these data if we are required to do so by law, for example by court order or to prevent fraud or other crime.

Retention

We will only keep these data for as long as required to support the processing, compliance, reconciliation, monitoring, evaluation, scrutiny and review of the EBDS, as is in the public interest. These data will be securely deleted no later than 7 years after collection in line with our department policy. We recognise that this maximum retention period is longer than energy suppliers will hold these data, which reflects the additional purposes for which DESNZ is collecting and processing these data.

Automated decision making

The personal data will not be subject to automated decision making.

Security

We are committed to doing all that we can to keep these data secure. We will protect this personal information against unauthorised access, unlawful use, accidental loss, corruption or destruction.

We use technical measures such as firewalls and password protection to protect these data and the systems they are held in.

We limit access to this information to employees, agents, contractors and other third parties with a business need to know. They will only process this personal information in accordance with our instructions and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected data breach and will notify you and the Information Commissioner’s Office as required.

International transfers

As these personal data are stored on our IT infrastructure and shared with our data storage partners Microsoft and Amazon Web Services, they may be transferred and stored securely in the UK and European Economic Area. Where this personal data is stored outside the UK and EEA, it will be subject to equivalent legal protection through the use of model contract clauses.

Customer notice

Energy suppliers must:

  • make customers aware that DESNZ will be given access to these personal data and will store and securely process these data for the purposes laid out in this notice
  • provide a link to customers to this privacy notice on GOV.UK
  • process personal data in accordance with energy supplier licence conditions
  • provide evidence to DESNZ, if requested, of execution of the above points

Your rights

You have the right to request:

  • information about how these personal data is processed and to request a copy of that personal data
  • that anything inaccurate in these personal data is corrected
  • that any incomplete personal data are completed
  • that these personal data are erased if there is no longer a justification for them to be processed

You can also:

  • in certain circumstances (for example, where accuracy is contested) request that the processing of these personal data is restricted
  • object to the processing of these personal data

We must comply with a request without undue delay and at the latest within one month of receipt of your request. We can extend the time to respond by a further 2 months if the request is complex or we have received several requests from the individual. We will let you know within one month of receiving your request and explain why the extension is necessary.

To exercise any of your rights contact the DESNZ Data Protection Officer.

Updates to this notice

We will update this page if the way we handle your personal data changes in any way. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties.

If we update the content, the date at the top of this page will change and the detail of the change will be available in the latest updates section. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.

Information Commissioner’s Office:

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/global/contact-us/contact-us-public/

Telephone 0303 123 1113

Textphone 01625 545 860

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Department of Energy Security and Net Zero (DESNZ).

Contact the Data Protection Officer (DPO):

DESNZ Data Protection Officer
Department of Energy Security and Net Zero
1 Victoria Street
London
SW1H 0ET

Email dataprotection@energysecurity.gov.uk