Warm Home Prescription – ScottishPower project privacy notice
Who we are
We are Energy Systems Catapult Limited, a company limited by guarantee, and registered in the UK under company number 08705784, whose main place of business is at 7th Floor, Cannon House, 18 Priory Queensway, Birmingham B4 6BS (“us”, “we”, “our”).
This privacy notice (the “Privacy Notice”) applies to the personal information processing activities carried out by us to deliver the Warm Home Prescription® service to you.
This policy (together with our terms of use) sets out the basis on which any personal data we collect from you, or that you provide to us (“data”), will be processed by us. By using our service, you are accepting and consenting to the practices described in this policy.
For the purposes of the Data Protection Act 2018 (the “Act”), we are the Data Controller.
What is the Warm Home Prescription service?
Warm Home Prescription is a service created by Energy Systems Catapult and is being trialled across England and Scotland, helping people who have severe health conditions made worse by the cold. The service allows participants to stay warm and well at home, and out of hospital in winter whilst reducing the energy consumption and carbon emissions of their home.
The service is paid for by ScottishPower and Energy Systems Catapult and delivered by a combination of local health authorities to refer patients (e.g. NHS Trusts or local authorities), energy advice organisations to offer energy advice and administer heating cost contributions, and retrofit contractors to deliver the home improvements.
Information we may collect from you
The terms in this Privacy Notice apply to the participants in the scheme, and to the participant’s nominated contact (“you”, “yours”). To deliver, monitor and evaluate the Warm Home Prescription service we may collect the following types of information:
- Personal Identification Information: Name, address, contact details, date of birth, and any other information you provide when signing up for the service.
- Health Information: You will have been identified by your local health authority (either your NHS Trust or local authority health team) as having a health condition made worse by the cold. If you agree with your local health authority to take part in the service, they will only share that you have a health condition made worse by the cold, not what condition this is. Any health information disclosed will be protected under the UK GDPR, kept confidential, and will not be documented or shared beyond what is necessary.
- Information about your nominated representative: Name, address, phone number, email (if available), so we can contact them about the service on your behalf.
- Tenure type (whether you are an owner occupier), so we can confirm you can participate in the service.
- Information about the property you live in: Such as type, number of bedrooms, house age, wall type, insulation type, heating system fuel type and age, Energy Performance Certificate (EPC) rating, and loft accessibility. We will need this information so we can understand what home energy improvements can be offered and to calculate your heating bill payment accurately (if applicable).
- Information about your energy supply: Such as the name of your supplier, the meter type you have, and your energy account number. This is so that we can process any energy credit payments to your account.
- Information about your benefits: We will need to check that you are receiving a qualifying benefit so that we can check your eligibility for receiving our services. We will ask you to specify which of the qualifying benefits you receive. This information will be processed by Scarf, our Energy advice partners, using Energy Saving Trust’s Datamatch service, to make sure you meet the criteria.
- Temperature recordings: For those who receive a temperature logger, we will record the indoor temperature logged by the supplied recorders (we will only have access to this information after you have sent the temperature loggers back to us for evaluation purposes).
- Survey data: Self-reported health data, home energy circumstances and demographics as part of a survey (Energy Systems Catapult will offer you the chance to take part in a survey for evaluation purposes).
- Anonymised data: We may use some of the data you provide us for evaluation purposes (to assess the success of the trial), but this will always be anonymised and untraceable back to an individual person.
Personal data and special categories of personal data
To establish your eligibility to be part of the cohort offered funding, your local health authority will have checked to see if you meet their health-based referral criteria (as outlined in their privacy statement). Whilst none of that information is being given to us or any other project partner, they will be aware that you have a health condition made worse by the cold. Therefore, this is classified as ‘Special Category’ data and will be protected in accordance with GDPR. In addition to this, the only information your local health authority will share with us is your name and telephone number, and only if you have told them that it’s okay to do so. We will then contact you to gain consent to engage with you as part of the Warm Home Prescription service.
Lawful bases for processing your data
As part of the Warm Home Prescription service, we process your personal data to provide a beneficial service to NHS patients. The lawful bases for this processing under the UK GDPR are as follows:
- Performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR): The Warm Home Prescription service is designed to improve health outcomes by ensuring that patients have access to a warm home, which is essential for their well-being. The processing of your data is necessary to perform a task in the public interest, specifically in collaboration with the NHS to deliver healthcare services.
- Consent (Article 6(1)(a) UK GDPR): In certain circumstances, we may request your explicit consent to process your personal data. For example, we may ask for your consent to share specific health-related information with third parties, such as your healthcare provider, to enhance the service we offer.
By relying on these lawful bases, we ensure that the processing of your personal data is conducted in a manner that respects your privacy while delivering essential services that benefit your health and well-being.
Uses made of the information you give us
We collect and use your personal information to provide, maintain, and improve our services, ensuring a personalised and effective experience for people who use our services.
Information we collect may be used for the following purposes:
- Service delivery: To process your requests, manage your account, and provide the products or services you have consented to.
- Communication: To contact you with updates and other information related to our services.
- Personalisation: To use your name at the start of all correspondence.
- Evaluation: To analyse room temperatures, perceived comfort, and your satisfaction levels to evaluate the service.
- Security: To protect the integrity and security of our Platform, systems, and users by detecting and preventing fraud, unauthorised access, or other harmful activities.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, and to respond to lawful requests from public authorities.
We ensure that your personal information is handled with the utmost care and only used for the purposes outlined above. Your data will not be shared with third parties, except as required by law or as necessary to provide our services.
We may combine information we receive from other sources with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
Security
We take appropriate measures to ensure that personal data is kept secure, including security measures to prevent personal data from being accidentally lost, or used in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
How long we keep your personal data
Your data will be retained for the specified period in accordance with our data retention policy. After this period, it will be securely deleted or anonymised for further analysis and research purposes.
Energy Systems Catapult will retain your personal data (name, phone number, email, address, and energy account number) until April 1, 2028.
We will hold this information so that:
- Further research can be carried out on participants’ data to improve the service in coming years
- Any identified opportunities for energy upgrades can be delivered in subsequent years to participants
- If the service is extended for another year, participants could be the first consideration for more improvements
Anonymised data will continue to be held for analysis and evaluation purposes. The anonymisation process ensures that all personally identifiable information, including names, phone numbers, email addresses, home addresses, and energy account numbers, is removed before storage. This anonymised data will be retained for analysis, evaluation, and research purposes to improve our services while maintaining the highest standards of privacy and data protection.
Where we store your personal data
Energy Systems Catapult will store your personal data securely on an encrypted folder within our Microsoft SharePoint system. We implement strict security measures to protect your data from unauthorised access, loss, or misuse.
Disclosure of your information
Energy Systems Catapult is the data controller. This means that the Catapult has decision-making rights and will determine what information is collected and how it is processed.
We will share your information with selected third parties who help deliver the Warm Home Prescription service, including:
- Benefits and tenure confirmation service (Energy Saving Trust – https://energysavingtrust.org.uk/)
- Installer managers (ScottishPower – https://www.scottishpower.co.uk/eco-scheme)
- Product development team (Performa IT – https://www.performa-it.co.uk/)
- Retrofit contractors (Everwarm – https://www.everwarmgroup.com/)
For patients based in Aberdeenshire, Aberdeen and Moray, your information will also be shared with:
- Energy advisors (Scarf – https://www.scarf.org.uk)
For patients based in Lambeth, your information will also be shared with:
- Energy advisors (National Energy Foundation – https://nef.org.uk)
- Payment processors (Scarf – https://www.scarf.org.uk)
These parties are known as data processors, meaning they handle personal information on behalf of, and under contract to, Energy Systems Catapult. They are not permitted to use the information for any purpose other than as instructed by us.
The above parties will have access to your data to deliver, monitor, and evaluate the Warm Home Prescription service.
Energy Systems Catapult instructs the energy advisors to enter the following information into the Energy Saving Trust’s Datamatch service: your surname, forename, date of birth, and home address. This is to efficiently check your eligibility against qualifying benefits and tenure criteria without energy advisors having to view and store your benefits letters.
The Datamatch service will provide the energy advisor with either a green light or red light to confirm whether you are eligible for a Warm Home Prescription, without sharing any information about your qualifying benefit.
Energy Systems Catapult and ScottishPower will share your name and contact details, and those of your nominated representative, plus information gathered about your building, with the retrofit contractors (contracted by ScottishPower) to book your assessment and installation, and with government departments, including Ofgem (the energy regulator) for monitoring purposes.
Sharing data with your local health authority
Should you take part in the service and receive warm home improvements and a contribution to your winter heating costs, we will share your name and postcode with the local health authority who referred you to the service (either your NHS Trust or local authority). This is so they can evaluate the impact of the service against health outcomes.
In addition, anonymised results from this trial will be shared with the relevant authorities to support the Warm Home Prescription service.
This data will not include any information that could directly identify you, or any other person, ensuring your privacy and confidentiality are fully protected at all times.
The information provided will only be used for analysis and reporting purposes to help improve public health services and outcomes.
Your rights
Under the UK GDPR, you have the following rights as a data subject:
- Right to be informed: You have the right to be informed about how your personal data is being collected, used, stored, and shared. This includes being provided with clear and transparent information in the form of a privacy notice.
- Right of access: You have the right to access the personal data we hold about you. You can request a copy of this information, along with details on how we process it.
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected or updated.
- Right to erasure (right to be forgotten): In certain circumstances, you have the right to request the deletion of your personal data, for example, if it is no longer necessary for the purposes for which it was collected or if you withdraw your consent.
- Right to restrict processing: You have the right to request that we limit the processing of your personal data in specific situations, such as if you contest the accuracy of the data or if you need the data for legal claims.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another data controller where technically feasible.
- Right to object: You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes or processing based on our legitimate interests.
- Rights related to automated decision making and profiling: When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short. In many circumstances, you have a right to prevent automated processing.
- Right to withdraw consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. However, if you withdraw your consent before your participation in the scheme ends, we may be unable to continue providing the service. We are happy to discuss this with you further if needed.
- Right to lodge a complaint: If you believe that we have not complied with the requirements of the UK GDPR concerning your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues.
If you wish to exercise any of these rights or discuss anything related to our processing of your personal data, please contact our Data Protection Officer (details below).
Changes to our privacy policy
Any future changes to our privacy policy will be communicated to you through your preferred contact method.
Who can I speak to if I have any questions about the use of my personal data?
If you have any questions or concerns about this Privacy Notice or how we handle your personal information, please contact us:
F.A.O Data Protection Officer
Energy Systems Catapult Limited
Cannon House, 7th Floor
18 Priory Queensway
Birmingham
B4 6BS
Or via email: dataprotectionoffice@es.catapult.org.uk.