21/11/2025
Written by Vicki Bowles and Ffion Benham.
This article summarises some of the key issues raised in our recent Points of Connection webinar – Managing Customer Data. Points of Connection is our series of webinars, articles and newsletters to support anyone operating in, or coming into, the district energy sector to learn more about heat networks. You can view our full Points of Connection webinar series or visit our Points of Connection hub.
Managing Customer Data
When starting a District Energy project, there are often many moving parts with multiple aspects to consider, and personal data is often not a priority. However, managing personal data will be important during the life-cycle of a District Energy project, and thinking about this towards the start of the project can help prevent issues down the line. In this article, Ffion Benham and Vicki Bowles look at why data is important, and what to ask at the outset of your project to ensure you have enough information to meet your requirements.
When thinking about personal data, it can be helpful to ask some key questions.
What?
Firstly, consider what data is being collected at each stage of the project, and what information you (and those you are contracting with) will need. As part of this process, it can be helpful to note why the data is being collected/used/disclosed, as this will help with other obligations under data protection law.
For example, for metering and billing services, basic data such as a name and address will be required in order to bill a particular property. Similar information may be needed to deal with complaints, or to carry out maintenance. Secondly, you must consider why there is a need for collecting this data. It could be that you are providing a service, such as metering and billing, and therefore need to know the names and addresses of those being billed. It may be that this data is needed for when complaints are made by the end consumer, and this data is required to deal with the complaint. Similarly, it may be that there are regulatory requirements to collect and provide data to the regulatory authority, and in such cases, the individuals must be informed of this requirement and what data will be collected and shared.
Although you cannot predict all the information that you will need and collect, it is worth thinking carefully about how and when you or others in the project will interact with individuals, and what they may encounter. As an example, the organisation responsible for repairs will need to enter properties, and may encounter issues that need reporting. Making sure that this is covered in contracts where information needs to be shared can help establish that intention from the outset, and makes compliance easier.
Who?
When reviewing the above, further questions will appear, including who owns, holds and collects the data, and when it will need to be shared. Third parties may be instructed to collect, sort and hold the data on an organisation’s behalf; however, they will not necessarily be the “owner” of such data under data protection law, and ownership (including legal responsibility) may remain with the instructing organisation. This distinction should be drawn early on, as there are differences within data protection law on the requirements relating to the controller and the processor of personal data, and there are specific clauses that may need to be included in your contracts to cover this.
Where?
Where the data is stored is another topic to consider. Where will data be held physically (in the UK or outside of the EEA), and what protections are needed to securely store the data? This may seem unimportant; however, international servers may require specific contractual arrangements to be put in place, and sorting these arrangements early in the process will help reduce complications later down the line.
Security
The security measures required to protect the data are a very important consideration. In the UK, it is a legal requirement to put in place “appropriate technical and operational measures” to protect personal data. This also requires demonstrating whether and how this has been done. There are also additional security measures required when operating an energy network under the NIS Regulations. When reviewing this topic, the following questions should be asked and dealt with as soon as possible:
- What data is being held/used/stored/disclosed?
- What is the level of risk to individuals if this data is compromised?
- What is the level of risk of an attack to your organisation?
A common mistake we see in this field is organisations assuming that they are low risk because the data they hold is minimal and/or they are small. However, working on a district heat network project means that you are linked to larger organisations, who may be more at risk. It is also relevant that energy is an essential service, and therefore those seeking to cause disruption are more likely to target areas such as energy supplies to bring their cause to the public’s attention.
Asking these questions will enable the organisations involved to understand what level of security might be required, and then technical experts can look at how to implement that, and whether any contractual requirements to meet certain standards are required.
Sharing personal data
In order to share personal data of individuals, there must be a lawful basis to do so. Under the UK GDPR there are 6 bases that allow the sharing of personal data, with ‘consent’ being one. Whilst consent can seem like an appealing option, it is unlikely to be practical in the context of District Energy projects, as consent must be capable of being withdrawn at any time in order to be legally valid. In a situation where you need to be able to share data even if an individual does not consent – such as in order to bill them – consent is not appropriate. ‘Legitimate interest’ is another available option and may be more appropriate for such projects, as the organisations involved will usually have a legitimate interest in the data being shared in order to achieve their objectives. When sharing such data, transparency should also be considered, to meet the UK GDPR requirements around notification of individuals.
Although the requirements on data protection seem stringent, an element of flexibility can be maintained where needed. Projects often change over time, and the heat network landscape may look very different at the end of a contract than it did at the outset. Therefore, when drafting your data protection clauses, it is important to build in some flexibility should there be changes that you need to make, to avoid having to sign new contracts.
Data requests
Finally, it is important to consider the different requests for data that may be received and how these should be dealt with.
Regulators often request data, and so you must be aware of who the appropriate regulator(s) is, what information they are currently requesting or might request in the future, and where that relevant data is being stored. It may be helpful to include terms in contracts that require assistance in the event that a regulator makes a request for information.
Legally, individuals can request a copy of all the data held about them, which must be provided within one month. Similarly, if and when complaints are made, personal data may need to be used and shared for this purpose. Understanding who is legally responsible for what data in your project will help map out who is responsible for dealing with these issues and, again, where assistance may be required. Including this in the contract can help ensure that happens down the line.
Third parties may also request data, such as the police or local authorities, and preparations should be in place as to who will deal with the request and whether other areas of the project will need to be informed. This collaborative approach is also important when Freedom of Information or Environmental Information Regulations requests are made.
To summarise, as near to the start of a project as possible, it can be helpful to map out the data that will be needed, who will need it and why, in order to start to plan for relevant clauses to be put into contracts. When thinking about the movement of personal data, think about what you might need from others in the project, and how you can add that into the contracts to ensure that assistance becomes a contractual requirement. Being clear on this issue at the start of the project will mean fewer complications arise as you go through, and will put you in a good place to meet obligations towards individuals when you start providing the services.
If you would like to discuss any of the issues raised in this article please contact Vicki Bowles who will be happy to discuss. Or visit our District Energy web page.