Guidance

Use of electricity meter and gas meter personal data collected through the Energy Price Guarantee scheme in Great Britain and Northern Ireland: privacy notice

Updated 28 October 2024

This notice is provided to meet the requirements of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA) to provide transparency in how we process and use personal data collected from energy suppliers for the Energy Price Guarantee (EPG), and your rights. It is made under Articles 13 and 14 of the UK GDPR.

Your data

We will collect and process the following personal data*, related to each electricity and gas meter in Great Britain and Northern Ireland:

  • Meter Point Administration Number (MPAN) – electricity meter number
  • Meter Point Reference Number (MPRN) - gas meter number
  • postcode
  • electricity consumption
  • gas consumption
  • data about each meter (for example profile class, energisation status)
  • data about how the meter point is billed (for example billing cycle, payment type)
  • energy tariff data

In limited circumstances where potential fraud or error is detected during the final assurance of energy suppliers’ claims to DESNZ, we will collect and process the following personal data* of only the affected customers to further investigate: 

  • names 
  • addresses 

The Department for Energy Security and Net Zero (DESNZ) does not hold or process other personal data such as; date of birth, communication data, email address.

HMG will ensure that consumers’ privacy is safeguarded, while enabling proportionate access to energy consumption data. Any changes to how consumer data is used will be communicated via this privacy notice which is kept under regular review.

*Personal data is information that relates to an identified or identifiable individual and only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question
  • who can be indirectly identified from that information in combination with other information.

Purpose

We are processing these data:

1. To enable DESNZ to monitor the progress and operational delivery of the EPG.

2. To conduct financial checks on EPG payments including for assurance and the prevention, investigation, detection, or prosecution of criminal offences including fraud.

3. To allow DESNZ to evaluate the scheme to understand its impact and to inform future government policy.

The legal basis for processing these personal data is public task.

Processing is necessary for the performance of a task carried out in the public interest, under Article 6(1)(e)) of UK GDPR and in the exercise of official authority vested in the Secretary of State for DESNZ. The specific public task is to allow for monitoring, assurance, fraud prevention and evaluation purposes of the EPG.

Collection of energy consumption data for the purposes of the EPG scheme is in compliance with the Data Access and Privacy Framework which is an extension to UK GDPR. The Department has confirmed that suppliers have ensured that necessary consents are in place and that any opt-outs are acted upon.

Sources

We are collecting these personal data from electricity and gas suppliers as well as the Scheme Administrators (Elexon and Xoserve). We will use existing government datasets and the datasets provided by the Balancing and Settlement Code company (Elexon) and the Uniform Network Code company (Xoserve) to support these data, as is necessary to meet the purpose.

Recipients

These data are being used by DESNZ and will be shared with third parties such as other government departments, regulatory bodies (Ofgem and UREGNI) and independent evaluation contractors where required for the delivery and evaluation of the EPG work.

These personal data may be shared with external auditors appointed on behalf of DESNZ for the purpose of detection and prevention of fraud and error.

We will not:

  • sell or rent these data to third parties
  • share these data with third parties for marketing purposes

We may share these data if we are required to do so by law, for example by court order or for the prevention, investigation, detection or prosecution of criminal offences including fraud or other crime.

Retention

We will only keep these data for as long as required to support the evaluation and scrutiny of the EPG, as is in the public interest. These data will be securely deleted no later than 3 years after collection in line with our department policy. We recognise that this maximum retention period is longer than energy suppliers will hold this data, which reflects the additional purposes for which DESNZ is collecting and processing this data.

Automated decision making

These personal data will not be subject to automated decision making.

Security

We are committed to doing all that we can to keep these data secure. We will protect this personal information against unauthorised access, unlawful use, accidental loss, corruption or destruction.

We use technical measures such as firewalls and password protection to protect these data and the systems they are held in.

We limit access to this information to employees, agents, contractors and other third parties with a business need to know. They will only process this personal information in accordance with our instructions and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and the Information Commissioner’s Office, as required.

International transfers

As these personal data are stored on our IT infrastructure and shared with our data processors, they may be transferred and stored securely in the UK and EEA. Where this personal data is stored outside the UK and EEA, it will be subject to equivalent legal protection through the use of model contract clauses.

Your rights

You have the right to request:

  • information about how these personal data are processed, and to request a copy of that personal data
  • that anything inaccurate in these personal data is corrected
  • that any incomplete personal data are completed, including by means of a supplementary statement.
  • that these personal data are erased if there is no longer a justification for them to be processed

You can also:

  • in certain circumstances (for example, where accuracy is contested) request that the processing of these personal data is restricted
  • object to the processing of your personal data where it is processed for direct marketing purposes
  • object to the processing of these personal data

We must comply with a request without undue delay and at the latest within one month of receipt of your request. We can extend the time to respond by a further 2 months if the request is complex or we have received several requests from the individual. We will let you know within one month of receiving your request and explain why the extension is necessary.

To exercise any of your rights contact the DESNZ Data Protection Officer.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
- email: icocasework@ico.org.uk - contact form - phone: 0303 123 1113 - textphone: 01625 545 860

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Department for Energy Security and Net Zero (DESNZ).

Contact the DESNZ DPO:

DESNZ Data Protection Officer
Department for Energy Security and Net Zero
3-8 Whitehall Place
London
SW1A 2EG

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change and the revision to the Privacy Notice will be recorded alongside the date of change. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated 17 August 2023 to reflect that in line with the Data Access and Privacy Framework, energy consumption data is being collected more frequently than monthly.

Previously updated 14 April 2023 to reflect the scope of data being collected and the legal basis for doing so.