Warm Home Prescription - Standard privacy notice

Warm Home Prescription – Standard privacy notice

Who we are

We are Energy Systems Catapult Limited, a company limited by guarantee, and registered in the UK under company number 08705784, whose main place of business is at 7th Floor, Cannon House, 18 Priory Queensway, Birmingham B4 6BS (“us”, “we”, “our”).

This privacy notice (the “Privacy Notice”) applies to the personal information processing activities carried out by us to deliver the Warm Home Prescription® service to you.

This policy (together with our terms of use) sets out the basis on which any personal data we collect from you, or that you provide to us (“data”), will be processed by us. By using our service, you are accepting and consenting to the practices described in this policy.

For the purposes of the Data Protection Act 2018 (the “Act”), we are the Data Controller.

What is the Warm Home Prescription service?

Warm Home Prescription is a service created by Energy Systems Catapult and is being offering across parts of England and Scotland, helping people who have vulnerabilities to the cold as identified by the National Institute of Health and Care Excellence (NICE 6). The service allows participants to stay warm and well at home, and out of hospital in winter whilst reducing the energy consumption and carbon emissions of their home.

The service is delivered by Energy Systems Catapult and our partners including a combination of local organisations to refer patients (e.g. NHS Trusts or local authorities and community programs), energy advice organisations to offer energy advice and administer heating cost contributions, and retrofit contractors to deliver the home improvements.

Information we may collect from you

The terms in this Privacy Notice apply to the participants in the scheme, and where appropriate to the participant’s nominated contact (“you, “yours”). To deliver, monitor and evaluate the Warm Home Prescription service we may collect the following types of information:

• Personal Identification Information: Name, address, contact details, date of birth, and any other information you provide when signing up for the service.
• Health Information/Special Category Data: You will have been identified by your local referring organisation as having a vulnerability made worse by the cold. If your vulnerability is a health condition exacerbated by the cold and you agree to take part in the service, any health information disclosed will be protected under the UK GDPR, kept confidential, and will not be documented or shared beyond what is necessary.
  • While we and our project partners do not receive specific details about your vulnerability, the fact that you have a health condition exacerbated by the cold is classified as ‘Special Category’ data under UK GDPR. This information is recorded as a check mark to indicate the presence of a health condition and will be protected in accordance with data protection regulations.
  • The referring organisation will only share your contact information with us if you have provided explicit consent to do so. We will not store the specific health condition(s) that apply to your situation unless you explicitly disclose this information to us.
• Information about your nominated representative: Name, address, phone number, email (if available), so we can contact them about the service on your behalf.
• Tenure type (whether you are an owner occupier), so we can confirm your eligibility for onward referral for home energy improvements.
• Information about the property you live in: Such as; type, number of bedrooms, house age, wall type, insulation type, heating system fuel type and age, Energy Performance Certificate (EPC) rating, loft accessibility. We will need this information so we can understand how to calculate your heating bill payment accurately and what home energy improvements can be offered (if applicable).
• Information about your energy supply: Such as the name of your supplier, the meter type you have, and your energy account number. This is so that we can process any energy credit payments to your account.
• Information about your benefits: We may ask what benefits you receive to understand what benefit support and home energy improvements can be offered (if applicable).
• Temperature recordings: For those who receive a temperature logger, we will record the indoor temperature logged by the supplied recorders (we will only have access to this information after you have sent the temperature loggers back to us for evaluation purposes).
• Survey data: Self-reported health data, home energy circumstances and demographics as part of a survey. We will offer you the chance to take part in a survey to provide feedback on your service experience to help us make improvements.
• Anonymised data: We may use some of the data you provide us for analysis purposes (to assess the success of the service), this will always be anonymised and untraceable back to an individual person.

Lawful bases for processing your data

As part of the Warm Home Prescription service, we process your personal data to provide a beneficial service to NHS patients. The lawful bases for this processing under the UK GDPR are as follows:

1. Performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR): The Warm Home Prescription service is designed to improve health outcomes by ensuring that patients have access to a warm home, which is essential for their well-being. The processing of your data is necessary to perform a task in the public interest, to deliver preventative healthcare services.
2. Consent (Article 6(1)(a) UK GDPR): In certain circumstances, we may request your explicit consent to process your personal data. For example, we may ask for your consent to share anonymised statistical data with third parties, such as your healthcare provider, to enhance the service we offer.

By relying on these lawful bases, we ensure that the processing of your personal data is conducted in a manner that respects your privacy while delivering essential services that benefit your health and well-being.

Uses made of the information you give us

We collect and use your personal information to provide, maintain, and improve our services, ensuring a personalised and effective experience for people who use our services.

Information we collect may be used for the following purposes:

• Service delivery: To provide the produce or services you have consented to.
• Communication: To contact you with updates and other information related to our services.
• Personalisation: To use your name at the start of all correspondence.
• Evaluation: To analyse room temperatures, perceived comfort, and your satisfaction levels to evaluate the service.
• Security: To protect the integrity and security of our Platform, systems, and users by detecting and preventing fraud, unauthorised access, or other harmful activities.
• Legal compliance: To comply with applicable laws, regulations, and legal processes, and to respond to lawful requests from public authorities.

We ensure that your personal information is handled with the utmost care and only used for the purposes outlined above. Your data will not be shared with third parties, except as required by law or as necessary to provide our services.

We may combine information we receive from other sources with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above (depending on the types of information we receive).

Security

We take appropriate measures to ensure that personal data is kept secure, including security measures to prevent personal data from being accidentally lost, or used in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

How long we keep your personal data

Energy Systems Catapult will retain your personal data for the duration of your engagement with our Warm Home Prescription service and for 24 months after the service ends.

During this time, your data will be securely stored and used only for purposes directly related to the service, including:

• Follow-up communications.
• Service evaluation.
• Fulfilling our legal and contractual obligations.

After this retention period, your data will be securely deleted or anonymised in line with our data retention policy.

We will hold this information to:

• Conduct further research on participant data to improve the service in future years.
• Enable delivery of any identified opportunities for energy upgrades to participants in subsequent years.
• Prioritise participants for repeat engagement if the service is extended.

Anonymised data

Anonymised data may continue to be held for analysis and evaluation purposes. The anonymisation process ensures all personally identifiable information, such as names, phone numbers, email addresses, home addresses, and energy account numbers, is irreversibly removed before storage. This anonymised data will be retained to enhance our services while maintaining the highest standards of privacy and data protection.

If you have any questions about how your data is managed or wish to withdraw your consent, or exercise any of your rights under the UK-GDPR then please contact us to discuss (details below).

Where we store your personal data

Energy Systems Catapult will store your personal data securely on an encrypted folder within our Microsoft SharePoint system. We implement strict security measures to protect your data from unauthorised access, loss, or misuse.

Disclosure of your information

Energy Systems Catapult is the data controller. This means that the Catapult has decision-making rights and will determine what information is collected and how it is processed.

We will share your information with selected third parties who help deliver the Warm Home Prescription service, including:

• Technology development – Performa IT (https://www.performa-it.co.uk/)
• Energy advisors – SCARF (https://www.scarf.org.uk/)
• Energy advisors – SELCE (https://selce.org.uk/)
• Local community programme – Impact Initiatives (https://impact-initiatives.org.uk/)
• Payment services provider – Fuelbank foundation (https://www.fuelbankfoundation.org/)

The above parties will have access to your data to deliver and monitor the Warm Home Prescription service.

Energy advisors may enter your information into the Energy Saving Trust’s Datamatch service: your surname, forename, date of birth, and home address. This is to check your eligibility against qualifying benefits and tenure criteria for home retrofit (energy efficiency improvement) services without energy advisors having to view and store your benefits letters. We only provide data to the Datamatch service with your consent. 

The Datamatch service does not share any information about your qualifying benefit(s). It provides a yes or no confirmation of your eligibility. 

Energy Systems Catapult and our Energy Advisor partners may share your name and contact details, and those of your nominated representative, plus information gathered about your building, with the retrofit contractors (identified by the Energy Advisor partner) to book your assessment and installation of home energy efficiency improvements.

The same information will be shared with government departments, including Ofgem (the energy regulator) for monitoring purposes.

Sharing data with your local health authority

If you are referred to the service by a local health authority and receive warm home interventions, we will share your name and postcode with the local health authority who referred you to the service (either your NHS Trust or local authority). This is so they can evaluate the impact of the service against health outcomes.

This data will not include any information that could directly identify you, or any other person, ensuring your privacy and confidentiality are fully protected at all times.

The information provided will only be used for analysis and reporting purposes to help improve public health services and outcomes.

Your rights

Under the UK GDPR, you have the following rights as a data subject:

1. Right to be informed: You have the right to be informed about how your personal data is being collected, used, stored, and shared. This includes being provided with clear and transparent information in the form of a privacy notice.
2. Right of access: You have the right to access the personal data we hold about you. You can request a copy of this information, along with details on how we process it.
3. Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected or updated.
4. Right to erasure (right to be forgotten): In certain circumstances, you have the right to request the deletion of your personal data, for example, if it is no longer necessary for the purposes for which it was collected or if you withdraw your consent.
5. Right to restrict processing: You have the right to request that we limit the processing of your personal data in specific situations, such as if you contest the accuracy of the data or if you need the data for legal claims.
6. Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another data controller where technically feasible.
7. Right to object: You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes or processing based on our legitimate interests.
8. Rights related to automated decision making and profiling: When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short. In many circumstances, you have a right to prevent automated processing.
9. Right to withdraw consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. If we process your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the legality of any processing that occurred before your withdrawal. However, if you withdraw your consent before your participation in the scheme ends, we may be unable to continue providing the service. We are happy to discuss this with you further if needed.
10. Right to lodge a complaint: If you believe that we have not complied with the requirements of the UK GDPR concerning your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues.

If you wish to exercise any of these rights or discuss anything related to our processing of your personal data, please contact our Data Protection Officer (details below).

Changes to our privacy policy

Any future changes to our privacy policy will be communicated to you through your preferred contact method and published on our website.

Who can I speak to if I have any questions about the use of my personal data?

If you have any questions or concerns about this Privacy Notice or how we handle your personal information, please contact us:

F.A.O Data Protection Officer
Energy Systems Catapult Limited
Cannon House,7th Floor
18 Priory Queensway
Birmingham
B4 6BS

Or via email: dataprotectionoffice@es.catapult.org.uk.