Notice

Energy Company Obligation (ECO) / Great British Insulation Scheme (GBIS): privacy notice

Updated 25 March 2025

Update 24 March 2025

This privacy notice has been updated with the following:

• provision that DESNZ will be processing, sharing and retaining data for previous iterations of ECO as set out in the fraud and error sections
• included that data will be used across schemes and for assurance audit activity to understand fraud and error exposure and for the purposes of fraud reduction
• updated formatting and recipients to capture that data for fraud, error and non-compliance will also be shared with devolved administrations (including Welsh/Scottish Government and their local authorities/delivery agents and partners). Updated that local authorities’ delivery agents/partners (if necessary) may have access to the data, as well as the listed accreditation bodies, across schemes and DESNZ appointed suppliers
• amendments that were made to the retention periods to inform users that ECO data will be retained and shared proportionate to risk relevance and the retention period for data will therefore be based on an individual measure’s useful life expectancy

This notice sets out how the Department for Energy Security and Net Zero (the Department) will use your personal data for monitoring, evaluation and research purposes including the prevention and detection of fraud, error and non-compliance to support public tasks related to the Energy Company Obligation scheme (ECO4), and the Great British Insulation Scheme (GBIS).

In addition, personal data collected from previous iterations of the Energy Company Obligation scheme will also be processed, shared and retained as set out below for the purposes of understanding, managing, detecting, and preventing fraud, error and non-compliance.

This notice is provided to meet the requirements of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA), to provide transparency in how we process and use personal data and to inform you of your rights. This privacy notice has been created in accordance with Articles 13 and 14 of the UK GDPR.

The Department will receive personal data from energy suppliers, TrustMark and the Office of Gas and Electricity Markets (Ofgem). The Department is an independent Data Controller in respect of the personal data we receive from energy suppliers, TrustMark and Ofgem.

Personal data

Within this privacy notice, ‘personal data’ refers to information that relates to an identified or identifiable individual and only includes information relating to natural persons who:

• can be identified or who are identifiable, directly from the information in question
• who can be indirectly identified from that information in combination with other information

This privacy notice applies to personal data we collect about:

• householders/occupiers who will have energy efficiency measures installed ECO4 and GBIS before the installation takes place
• householders / occupiers who have energy efficiency measures installed under previous iterations of the ECO scheme (ECO1, ECO2, ECO2t, ECO3.1), ECO4 and GBIS
• installers and other delivery partners who record project data carried out under the schemes via TrustMark’s Data Warehouse
• people who contact the Department with a query or right of access request regarding ECO4 or GBIS

Personal data will also be collected when you create a self-referral to energy suppliers through the Great British Insulation Scheme GOV.UK service.

Personal data collected by the Department through this method will be processed in accordance with a separate privacy notice.

The data

The personal data we may process comprises:

• address at which the measure(s) will be or have been installed, (including Unique Property Reference Numbers)
• the reason why the property was considered eligible for support under the scheme, such as:
  • if a person at the premises is in receipt of eligible benefits (the Department will not receive any data on which benefit or its amount)
  • if the household has been referred through the LA/ Supplier Flex route of eligibility
  • council tax band
  • energy efficiency rating of the household
  • confirmation of tenure type including owner occupied, privately rented or social housing
• installer name (for example sole trader name or company name), company location and registered office
• property data, such as whether new or self-build, whether in a rural or urban area, property type such as house, flat, bungalow, etc.
• household characteristics, such as the insulation and heating measures the property housed prior to installation under the Schemes, alongside what measures have been installed at a property, and their associated details such as type, size, manufacturer number etc
• the contribution amount collected from the householder
• lodgement certificate number, lodgement date, installations details from TrustMark and the Microgeneration Certification Scheme
• information about the property from the Energy Performance Certificate (EPC) such as the property rating, banding, features, floor area from any EPC recorded
• additional fields from the EPC may be processed such as assessor details, assessment date, heating, lighting and other related information

Householder names, addresses, email addresses and phone numbers will be received by the Department.

Purpose

The purposes for which we are processing your personal data are listed below:

1. Monitoring and evaluation of the ECO4 and GBIS schemes. Your personal data will be processed for the following activities:

• monitoring approved installations
• monitoring delivery progress of the schemes and supplier costs
• the publication of Official Statistics relating to measures (personal data will not be published)
• data analysis – the activity of carrying out statistical activities on your personal data, either in isolation or combined with other datasets
• evaluation of the schemes – our external evaluation partners may receive names, email addresses, phone numbers, and addresses of households from the Department, which they will then use to contact some households to offer them the opportunity to participate in surveys and interviews to help us improve the schemes
• for the purposes of the prevention, investigation, detection, or prosecution of criminal offences including fraud by the department and its partners
• avoiding duplication of support through ECO or any other scheme
• to ensure measures have been lodged with relevant approving bodies such as TrustMark, Microgeneration Certification Scheme (MCS) or similar governing bodies

2. For analysis, research and future policy development, your personal data may be processed for the following activities:

• research for the development of future energy efficiency policies
• data analysis – the activity of carrying out statistical activities on your personal data, either in isolation or combined with other datasets
• monitoring insulation levels of housing stock in Great Britain
• conduct research and analysis to support related policies
• using data for testing purposes of departmental tools
• linking your anonymised data may be linked to other administrative datasets in which your data is stored for evaluation, monitoring, and research purposes

3. For the prevention and detection of fraud, error and non-compliance of ECO4, GBIS and previous iterations of the ECO (ECO1, ECO2, ECO2t, ECO3.1) scheme, the data listed above will be processed for activities including:

• preventing, detecting and investigating fraud, error and non-compliance
• conducting other activities such as linking data across schemes (to prevent/detect breaches of schemes rules) and assurance audit activity to understand fraud and error exposure and how to reduce it
• controls testing and assurance of oversight and delivery of the scheme to inform improvements
• taking administrative actions in connection with fraud
• debt recovery, prosecution and any other related activities

See the fraud and error privacy notice for further details.

Legal basis

The legal basis for processing your personal data is public task (Article 6(1)(e) UK GDPR). Processing is necessary for the performance of a task carried out in the public interest. The public task is set out in section 103A of the Utilities Act 2000, section 33BD of the Gas Act 1986 and section 41B of the Electricity Act 1989 in relation to the DESNZ Secretary of State’s duty to effectively administer the ECO4 and GBIS Schemes (and previous iterations of ECO).

These schemes support the installation of energy-saving measures to eligible households at reduced cost to householders, improving economic wellbeing of households reached by the schemes.

Another task which the Department needs to complete is an evaluation of the schemes. A proper evaluation of the schemes is required to assess the value-for-money of public spending, the extent to which the schemes have met their aims and whether they have resulted in the expected impacts. The Public Value Framework published by HM Treasury makes clear the necessity of evaluation to public policy (this is particularly clear in paragraph 4.72).

In addition, the Department needs to monitor the schemes and how they are functioning, from an operational, financial and policy development perspective. This is done by producing official statistics and other analysis, some of which will be released publicly. The statistics provide transparent information on the schemes, e.g., the number of recipients and approved measures.

Data sharing

Monitoring and research purposes

For monitoring and research purposes, personal data may be shared by us with:

• Welsh Government
• Scottish Government
• Office for National Statistics (ONS)
• other government departments and agencies as required for monitoring and research purposes, for example Department for Work and Pensions (DWP), DEFRA (Department for Environment, Food and Rural Affairs), Ministry of Housing, Communities and Local Government (MHCLG), Department of Health and Social Care (DHSC), Cabinet Office, Prime Minister’s Office
• HM Treasury (HMT)
• the National Audit Office
• local authorities (who opt into the schemes)
• any contractor or sub-contractor we appoint for undertaking evaluation, monitoring or research activities
• accredited researchers where access will be controlled by individually approved project requests

Evaluation purposes

For evaluation purposes, your personal data may be shared by us with any contractor or sub-contractor that we appoint for undertaking evaluation activities as part of scheme evaluation. These contractors and sub-contractors will not have the right to share your data more widely without the Department’s permission. They will not use your data for purposes other than carrying out the evaluation of the schemes.

Prevention and detection of fraud, error and non-compliance

For the purposes of prevention and detection of fraud, error and non-compliance, your personal data may also be shared with:

• other government departments
• delivery partners (e.g. those contracted to provide administration or other services for the management and delivery of policies and grant schemes)
• delivery administrators such as local authorities (including their delivery agents/partners if necessary), Ofgem
• devolved administrations including Welsh/Scottish Government, their local authorities and delivery agents/partners etc.
• relevant teams within the energy companies that are delivering a scheme on behalf of Ofgem, government or similar
• TrustMark, Microgeneration Certification Scheme (MCS) and other accreditation bodies
• across schemes (including past, present and future energy efficiency and low carbon heat schemes)
• DESNZ appointed suppliers where necessary for detection and prevention of Fraud, error, and non-compliance debt recovery, prosecution and other related activities including assurance audit activity to understand fraud and error exposure and how to reduce it

The Department will limit the sharing of your personal data to what is necessary and relevant. We will limit the data sharing to those who require it to undertake their contractual obligations in completing work as part of the research, evaluation or monitoring of the Scheme.

As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.

Retention of data

Your personal data will be kept by the Department for no longer than 10 years to fulfil our functions in evaluating and monitoring the ECO 4 and GBIS Schemes. Extracts of property-level data may be retained for as long as required to support the reproduction of official statistics that are generated using this data. Such statistics are required for analysing long-term trends in energy consumption and efficiency, as well as research and policy development.  

Your personal data for the purposes of prevention and detection of fraud, error and non-compliance will be retained and may be shared proportionate to risk relevance and the retention period for data will therefore be based on an individual measure’s useful life expectancy, short (5 to 10 years) / medium (11 to 19 years) / long (20 to 25 years). An individual record may be kept longer if it relates to ongoing actions such as prosecution, appeals or debt recovery.

International transfers

As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely outside the UK. Where that is the case, it will be subject to equivalent legal protection through UK Adequacy Regulations, the use of Standard Contractual Clauses or a UK International Data Transfer Agreement.

Your rights

You have the right to:

• request information about how your personal data is processed, and to request a copy of that personal data
• request that any inaccuracies in your personal data are rectified without delay
• request that any incomplete personal data are completed, including by means of a supplementary statement
• request that your personal data are erased if there is no longer a justification for them to be processed
• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
• object to the processing of your personal data

We will not use your data for direct marketing purposes.

To exercise your rights please contact the Data Protection Officer using the contact details below.

Contact details

The controller for your personal data is the Department for Energy Security and Net Zero (DESNZ). You can contact the DESNZ Data Protection Officer at:

DESNZ Data Protection Officer
Department for Business, Energy and Industrial Strategy
3-8 Whitehall Place
London
SW1A 2EG

Email: dataprotection@energysecurity.gov.uk

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is a UK independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: icocasework@ico.org.uk
Webpage: Make a complaint
Telephone: 0303 123 1113
Textphone: 18001 followed by 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated: 25 March 2025