Housing Associations Must be Mindful of Flaws in Data Security or Face the Threat of Fines

By Peter Westwood, Managing Director of Insite Energy

The Heat Network (Metering and Billing) Regulations 2014 were introduced with the objective of empowering end users of communal heating systems to better manage their energy use through the installation of individual heat energy meters and free access to consumption data.

Three years further on, there is mounting concern that the regulations are posing a data security challenge to housing associations, one that must be addressed urgently.

I have been made aware of several instances of customer and consumption data being shared unwittingly with companies that should not have access to it, and this is deeply worrying. Data leaks involving information about vulnerable residents or payment history, for example, could be especially damaging.

The introduction of these new regulations has brought with it a challenge that will not previously have been a concern to housing associations. My fear is that all this data, which in some cases will include minute detail such as what time tenants are taking a shower, is not always being safeguarded in the way that it should be – and this must be viewed as a real risk.

It is vital that housing associations and heat suppliers get to grips with the important issue of data protection. If they fail to do so, we can expect scenarios such as tenants being plagued by calls from marketing companies who may have gained access to personal data.

I do not want this to seem like a ‘scaremongering story’ but nor do I want the metering and billing sector to become embroiled in a row about data security. I believe education is key in addressing this issue.

We are talking about data that belongs to the customer, as it is ‘their heat’, but the heat supplier must have that data to know what should be billed. Meter readings will be carried out by third parties who will also have access to this data. The role of heat supplier may be performed by a managing agent, which means still more people have access to this information. With any communal heating system, there needs to be a clear understanding of who is using the data, for what purpose, and how it is being properly controlled.

One of the major concerns is that ultimately, if you have more advanced systems, you can tell if people are at home or perhaps on holiday, and the type of lifestyle they lead. Increasingly, this kind of data has a market value.

For those in our industry it is the accidental leaking of information that is the main concern now. I have no evidence of data being shared maliciously, but I am aware of several instances of data being shared without full consideration of the implications.

I am convinced that not everyone operating these systems may be aware of the obligations when handling heat data. This lack of understanding could trigger significant legal and reputational repercussions.

The important thing is to ensure compliance. Contracts must state specifically who is allowed to see the data and the analysis and billing purposes it can be used for. Data protection is a very important issue and people need to understand their obligations in connection with it. Housing associations have a duty of care to the people whose data they collect. With only housing associations and appointed heating and billing specialists needing access to data, there should be no excuse for it falling into the wrong hands.

The EU General Data Protection Regulation (GDPR), which comes into force in May next year, represents one of the biggest changes to data protection laws, and all organisations need to be extremely aware of these changes as they can face very strict fines if non-compliant. The GDPR is more extensive in scope and application than the current Data Protection Act (DPA), as it extends the data rights of individuals and requires organisations to develop clear policies and procedures to safeguard personal data and adopt stringent technical and organisational measures.

The Heat Network (Metering and Billing) Regulations 2014 require housing associations, where they have a role as a heat supplier for communal heating systems, to install heat energy meters in individual properties and provide residents with access to accurate price and energy consumption data. This applies to new developments commissioned since December 2014.

Since December 2014 housing associations are also obliged to provide residents of individually metered properties with actual price and energy consumption data, including comparisons with previous periods, alongside contact information for organisations providing advice on energy saving.

Insite Energy, which is authorised and regulated by the Financial Conduct Authority (FCA) and an associate member of the UK District Energy Association, is a provider of metering, billing and payment services to more than 120 communal and district heat networks and 15,000 end-customers across the UK. Insite’s energy analysts and metering specialists can help heat providers comply with all relevant legislation and regulations, and maximise the payback on their metering and billing investments. Services include debt management, tariff setting, reviews and benchmarking, fuel procurement, metering best practice advice, advice on measuring energy efficiency, maintenance services, as well as resident communications.