Guidance

Energy Bill Relief Scheme (EBRS) and Energy Bills Discount Scheme (EBDS): privacy notice

Updated 11 September 2023

This applies in Great Britain and Northern Ireland.

Last updated: 17 May 2023

This notice sets out how we (DESNZ) will use your personal data, and your rights. It is made under Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR).

1. Scope

We will collect and process personal data related to each electricity and gas meter in Great Britain and Northern Ireland for the Energy Bill Relief Scheme Non-Standard (EBRS NS) and the Energy Bills Discount Scheme Non-Standard (EBDS NS). 'Non-Standard' refers to customers who receive an unlicensed gas and electricity supply.

The EBRS NS and EBDS NS schemes will provide support for the electricity and gas costs of eligible non-domestic customers of licence-exempt gas and electricity supply, including businesses, charities, and public bodies such as schools and hospitals. Support will be provided in respect of energy consumed between 1 October 2022 and 31 March 2023 under EBRS NS and between 1 April 2023 and 31 March 2024 under EBDS NS.

The EBRS NS and EBDS NS support businesses and may capture personal data for small or micro businesses, for example those operating as self-employed and not as a limited company.

2. Your data

The following personal data will be processed by DESNZ:

  • name, phone number and email address of applicants and/or energy suppliers (if an energy supplier applies for support, they will provide this data on their customers; if a customer applies directly for support, they will provide this data on their energy supplier)
  • Meter Point Administration Number (MPAN or MPRN in NI) – electricity meter number
  • Meter Point Reference Number (MPRN or MPAN in NI) – gas meter number
  • meter addresses
  • billing addresses
  • data about each meter (for example profile class, energisation status)
  • data about how the meter point is billed (for example contract start date, contract end date, billing cycle, and payment in arrears status)
  • energy bill amount
  • tariff type (such as fixed vs variable tariff vs flex)
  • subsidy provided on bills
  • Standard Industrial Classification (SIC) information where available
  • data about the company (for example sector, turnover and organisation size)
  • Unique Property Reference Number (UPRN)
  • meter consumption data

DESNZ will ensure that consumers’ privacy is safeguarded, as outlined in the ‘Security’ section below, whilst enabling proportionate access to energy consumption data. Any changes to how consumer data is processed will be communicated via this privacy notice which is kept under regular review.

We will also process the following personal data provided by the individual submitting the application regarding claims from organisations operating in Energy and Trade Intensive Industries (ETIIs): the name, telephone number and email address of the individual submitting the application, the relationship of that individual to the organisation, and the names of the Chief Financial Officer and the Chief Executive Officer of the applicant company.

We will also process personal data of the individual named in relation to the ETII, some of which includes business addresses, phone numbers and email addresses to enable auto verification, received from the following sources:

  • Companies House
  • Energy and Trade Intensive Industries (ETII) Scheme
  • Arts Council database
  • The list of higher education providers
  • List of Society of College, National and University Libraries (SCONUL) members
  • National Archives
  • Find an Archive (FAA) list
  • Arts Council database Accredited Museums
  • Mapping museums project
  • GB botanical gardens list
  • GB Zoo Aquarium list

If you are applying on behalf of an ETII or Heat Network that does not have a direct relationship with its energy supplier(s), we will ask for the details (name and email address) of a contact at your intermediary provider, that is, the provider who pays the energy supplier to enable the discount to be applied. Depending on the contact details provided, these may constitute personal data.

3. Purpose

We are processing these data:

  1. To enable DESNZ to deliver EBRS NS and EBDS NS payments, conduct pre-check payment and post payment reconciliation.
  2. To conduct financial checks on EBRS NS and EBDS NS payments, including for assurance and the prevention, investigation, detection or prosecution of criminal offences including fraud.
  3. To enable DESNZ to monitor the progress and delivery of the EBRS NS and EBDS NS cases.
  4. To allow DESNZ to evaluate the scheme to understand its impact and to inform future government policy.

The legal basis for processing these personal data is public task.

Processing is necessary for the performance of a task carried out in the public interest, under Article 6(1)(e) of UK GDPR, and in the exercise of official authority vested in the Secretary of State for DESNZ. The specific public task is to allow for monitoring, assurance, fraud prevention and evaluation of the EBRS NS and EBDS NS.

5. Sources of your personal data

We are collecting this personal data from electricity and gas suppliers as well as the System Administrators (Elexon, Xoserve, Northern Ireland Authority for Utility Regulation) and Northern Ireland Distribution Network Operators. We will use existing government datasets and the datasets provided by the Balancing and Settlement Code company (Elexon) and the Uniform Network Code company (Xoserve) to support the data, as is necessary to meet the purpose.

6. Recipients

The data is being stored and used by DESNZ and will be shared with DESNZ contractors (when appointed) and, if applicable, their sub-contractors, where required for the delivery of the EBRS and EBDS work that DESNZ has contracted out and for the evaluation and monitoring of the scheme.

Data relevant to administering the discount will be shared with the Energy Suppliers who are responsible for making the EBDS payments to consumers.

This personal data will be shared with our operational partners (Elexon, Xoserve, NEIN, Cabinet Office, Ofgem, Northern Ireland Authority for Utility Regulation, and auditors PWC (Price Waterhouse Cooper)) under a data sharing agreement and corresponding privacy controls for the purposes of:

  • processing and assuring the validity of claims
  • pre-payment checks and post-payment reconciliation
  • forensic auditing and enforcement

Data will also be shared with any external evaluator appointed for the purpose of evaluating the scheme.

We may share your name, address and phone number with a contracted provider to contact you to conduct research and evaluation about the service so we can deliver the scheme effectively and analyse the impact of the scheme. Any research is voluntary, and you would have the right to withdraw at any time using the contact details provided by the contracted provider at the time of the research request.

A third party, to be procured at time of writing, will be assessing the eligibility of applicants to the scheme. We do not allow any other third parties to use this data.

We will not:

  • sell or rent these data to third parties
  • share these data with third parties for marketing purposes

We may share these data if we are required to do so by law, for example by court order or to prevent fraud or other crime.

7. Retention

We will only keep these data for as long as required to support the processing, compliance, reconciliation, monitoring, evaluation and scrutiny, as it is in the public interest. These data will be securely deleted no later than 7 years after collection in line with our department policy. We recognise that this maximum retention period is longer than energy suppliers will hold this data, which reflects the additional purposes for which DESNZ is collecting and processing this data.

8. Automated decision making

The personal data will not be subject to automated decision making.

9. Security

We are committed to doing all that we can to keep these data secure. We will protect this personal information against unauthorised access, unlawful use, accidental loss, corruption, or destruction.

We use technical measures such as firewalls and password protection to protect these data and the systems they are held in.

We limit access to this information to employees, agents, contractors and other third parties with a business need to know. They will only process this personal information in accordance with our instructions and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected data breach and will notify you and the Information Commissioner’s Office as required.

10. International transfers

As these personal data are stored on our IT infrastructure and shared with our data storage partners Microsoft and Amazon Web Services, they may be transferred and stored securely in the UK and European Economic Area. Where this personal data is stored outside the UK and EEA, it will be subject to equivalent legal protection through the use of model contract clauses.

11. Your rights

You have the right to request:

  • information about how these personal data are processed and to request a copy of that personal data.
  • that anything inaccurate in these personal data is corrected.
  • that any incomplete personal data are completed.
  • that these personal data are erased if there is no longer a justification for them to be processed.

You can also:

  • in certain circumstances (for example, where accuracy is contested) request that the processing of these personal data is restricted.
  • object to the processing of these personal data.
  • object to the processing of your personal data where it is processed for direct marketing purposes.

To exercise any of your rights contact dataprotection@beis.gov.uk

12. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent UK regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email icocasework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545 860

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Contact details

The controller for your personal data is the Department for Energy Security and Net Zero (DESNZ).

Contact the DESNZ DPO:

DESNZ Data Protection Officer
Department for Energy Security and Net Zero
3-8 Whitehall Place
London
SW1A 2EG

14. Updates to this notice

We will update this page if the way we handle your personal data changes in any way. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. If we update the content, the date at the top of this page will change and the detail of the change will be available in the latest updates section. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.