Notice

Using home retrofit scheme data to manage fraud, error and non-compliance: privacy notice

Updated 15 November 2024

This notice sets out how we will use your personal data for the detection and prevention of fraud and error. This includes taking action to mitigate the risk of loss in relation to fraud against a public authority or Energy Company Obligation fund including:

  • preventing, detecting, investigating and assurance audit activity for fraud, error and non-compliance
  • progressing civil or criminal proceedings as a result of fraud
  • taking administrative action in connection with fraud, error or non-compliance including but not limited to debt recovery and prosecutions

It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

This will be data for instance from net zero and energy efficiency grant schemes, Energy Company Obligation schemes and local authority administered schemes that DESNZ or its predecessors provide grants for; and other data recorded about energy efficiency, low carbon measures and other related property characteristics.

Within this privacy notice, ‘personal data’ refers to information that relates to an identified or identifiable individual and only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question
  • who can be indirectly identified from that information in combination with other information

The data

We will process the following data:

  • the address and details of the property receiving or having received the measures (including Unique Property Reference Number) 
  • details about the measures installed including but not limited to type, size, date, manufacturer number and cost etc
  • lodgement certificate, lodgement date, measure details from TrustMark and other similar accreditation bodies such as Microgeneration Certification Scheme (MCS)
  • information of the property from Energy Performance Certificate such as the property rating, banding, features, floor area from any EPC Certificate recorded. Additional fields may be processed such as assessor details, assessment date, heating, lighting and other related information

Purpose and recipients

Data will be shared with Department for Energy, Security and Net Zero (DESNZ), and its partners for the delivery and administration of energy efficiency and low carbon schemes which will include but not be limited to statistical, audit, research and fraud and error analysis, detection and prevention purposes, including pursuit of sanctions against those committing fraud.

Your personal data may also be shared with:

  • other government departments, delivery partners (for example those contracted to provide administration or other services for the management and delivery of policies and grant schemes)
  • delivery administrators such as local authorities (including their delivery agents/partners if necessary), Ofgem
  • devolved administrators including Welsh/Scottish Government, their local authorities and delivery agents/partners etc.
  • relevant teams within the energy companies that are delivering a scheme on behalf of Ofgem, government or similar
  • TrustMark, Microgeneration Certification Scheme (MCS) and other accreditation bodies
  • and across schemes or DESNZ appointed suppliers where necessary for detection and prevention of fraud, error, and non-compliance debt recovery, prosecution and other related activities including assurance audit activity to understand fraud and error exposure and how to reduce it

The legal basis for sharing your data is for the delivery of public tasks as set out in UK GDPR Article 6 (1)(e).

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Such as mitigating fraud or error in connection with past, current and future energy efficiency and low carbon heat grant funding schemes.

Retention period

Your personal data for the purposes outlined above will be retained and shared proportionate to risk relevance and the retention period for data will therefore be based on an individual measure’s useful life expectancy:

  • short (5-10 years)
  • medium (11-19 years)
  • long (20-25 years)

An individual record may be kept longer if it relates to ongoing actions such as prosecution, appeals or debt recovery.

Your rights

You have the right to:

  • request information about how your personal data are processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data are completed, including by means of a supplementary statement
  • request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted
  • object to the processing of your personal data where it is processed for direct marketing purposes
  • object to the processing of your personal data

There are exceptions to these rights, for instance where data is relevant to ongoing counter-fraud activity.

International transfers

As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely outside the UK. Where that is the case, it will be subject to equivalent legal protection through an adequacy decision, the use of standard contractual clauses or a UK International Data Transfer Agreement.

How to contact the Data Protection Officer

The data controller for your personal data is the Department for Energy Security and Net Zero (DESNZ):

Contact the DESNZ Data Protection Officer (DPO):

Department for Energy Security and Net Zero
1 Victoria Street
London
SW1H 0ET

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator: 

Contact the Information Commissioner's Office (ICO):

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/mak...

Telephone 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated: 15 November 2024

See all updates