Privacy Notice CPCA
Privacy Notice CPCA
24 October 2022
This notice sets out how Cambridge & Peterborough Combined Authority (CPCA) as joint data controller with the Department for Energy Security and Net Zero (both referred to as “we”, “us” or “our(s)” in this document) will use, collect, process and protect your personal data, and what your rights are. It is made under Articles 13 and 14 of the UK General Data Protection Regulation (GDPR). This notice relates to data collected under the Sustainable Warmth scheme operated by CPCA in partnership with Greater South East Net Zero Hub. This project is funded by the Sustainable Warmth scheme and run by the Department for Energy Security and Net Zero.
WHAT IS PERSONAL DATA?
The data protection laws define Personal Data as “data relating to living, identifiable individuals”.
We will process the following personal data:
- Address and details of the property receiving the Sustainable Warmth installation(s)
- Details about the Sustainable Warmth installation(s) installed at the property, including type, size and cost
- Contact address (if not the same as the property receiving the Sustainable Warmth installation(s))
- Address and details of the property offered, but not receiving the Sustainable Warmth installation(s)
- Full name(s) and titles.
- Household income and any other scheme eligibility information, including household occupancy and tenure
- National Insurance Number(s)
- Property address data, including Unique Property Reference Number (UPRN) and pre and post Energy Performance Certificate (EPC) data, EPC xml data, Medium Term Retrofit Plans
- Details about any financial contribution you have made towards the Sustainable Warmth installation(s)
- Details about the expected energy, carbon and cost savings expected to be delivered by the installation, including pre- and post-installation.
- Property Energy Performance Certificate (EPC) details where appropriate.
- Email address (if available)
- Phone number (if available)
- Health referrals – agencies can refer households to the scheme if they have certain health conditions, the nature of the condition will not be shared by the health professional, but they will provide a declaration that the referral has an eligible condition. (This information will only be shared if we have obtained your explicit consent).
- Customer satisfaction surveys
- Any financial contribution made towards the Sustainable Warmth installation(s) for example from the owners, landlords or other third parties.
- Your name
- Relevant accreditation and registration information
- Contact address
- Registered office address where operating under a company
- Companies House Registration number where relevant
- Email address
- Phone number
- Details of Sustainable Warmth installations delivered
- Whether directly contracted or sub-contracted by LA to install Sustainable Warmth installations, sub-contractor invoices and details around this relationship where contractual confidentiality is not breached.
- The number, positions held, length of employment and contract types of employees in your organisation
The purpose(s) for which we are processing your personal data is to support the delivery and administration of Sustainable Warmth.
Delivery and administration of the Scheme may require linking of your data to other datasets held by the Department for Energy Security and Net Zero.
You may also be contacted to take part in customer satisfaction surveys, further research or other funding schemes. Where the research involves processing of personal data in addition to that already collected for delivery of the Scheme, you will be given the opportunity to opt in to that research at the point of contact.
Your data may also be used for statistical, research and fraud prevention purposes.
Legal basis of processing
The legal basis for processing your personal data is:
Public task: Processing is necessary for the performance of a task carried out in the public interest
The specific public task is the delivery, administration and evaluation of, as well as statistical, research and fraud prevention purposes relating to, the Scheme, a government funded scheme aiming to raise the energy efficiency of low energy performance homes (those rated at EPC Band D, E, F or G), including off-gas grid homes. Funding is provided to Local Authorities who engage consumers and manage the delivery of installations in homes.
Consent: Use of your personal data to contact you to take part in further research will be subject to your consent.
In certain cases we may collect information should a referral form be submitted by a relevant and qualified medical practitioner on your behalf. Your consent regarding the submission of this information will be addressed by your G.P. You will have the right to opt out at any time.
Your personal data will be shared with:
- The Department for Energy Security and Net Zero and its contractors for delivery, administration and evaluation of the scheme, statistical, research and fraud prevention purposes.
- The Office of Gas and Electricity Marketing (Ofgem) and delivery partners of central and local government home energy schemes such as the Energy Company Obligation and Renewable Heat Incentive
- Designated Managing Agents, who will collect the data on CPCA’s behalf
- A number of lead local authorities who are participating in the project.
- CPCA consortia partners in the Innovate UK Modernising Energy Data Applications, U:SMART:ZERO project (or its successor), this is a research and development project to identify households most in need of sustainable and affordable homes.
- Research organisations working on approved projects for public interest benefit research purposes. Your data will be stored securely at a data archive and made accessible through a secure environment to accredited UK researched working on approved research projects.
Your personal data may also be shared with other Government departments where necessary and as required in support of the Purpose of this Privacy Notice.
Some data relating to income may be shared with credit reference agencies. The Credit Reference Agency (CRA) Information Notice, the industry standard privacy information policy adopted by the leading UK CRAs can be found here: https://www.equifax.co.uk/crain).
We may share your data if we are required to do so by law, for example by court order or to prevent fraud or other crime.
Personal data shared with BEIS will be stored on their IT infrastructure and will therefore also be shared with their data processors Microsoft and Amazon Web Services.
How is personal data collected?
We may uses different methods to collect Personal Data including the following:
- you provide us with Personal Data directly, for instance by filling in online forms requesting this information.
- we obtain some Personal Data from other sources, including from other people and organisations, including some publicly available sources e.g. Companies House, Registrars and background and credit check providers.
If any of the Personal Data you have given to us changes, such as your contact details, please inform us without delay by contacting us using the contact details at the bottom of this notice.
What do we do to keep your Personal Data secure?
We have put in place appropriate physical and technical measures to safeguard the Personal Data we collect in connection with our services. Save where additional consent is obtained, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a need to know in service of the Purpose. They will only process Personal Data on our instructions and are subject to a duty of confidentiality.
However, please note that although we take appropriate steps to protect Personal Data no device, computer system, transmission of data or wireless connection is completely secure and, therefore, we cannot guarantee the absolute security of Personal Data shared with us over the internet.
Your personal data will be stored securely for a maximum period of 25 years following the close of the Scheme.
You have the right to request information about how your personal data are processed, and to request a copy of that data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
You have the right to object to the processing of your personal data.
You have the right to withdraw consent to the processing of your personal data at any time, where processing is based on your consent.
HOW TO MAKE A REQUEST
If you wish to make a request associated with any of the rights listed above, contact CPCA using the contact details at the bottom of this notice.
The data we collect will be stored on a Customer Relationship Management (CRM) system whose servers are based in the USA. To enable secure and legally compliant transfers of personal data outside the UK/European Economic Area we have agreed to a set of Standard Contractual Clauses (SCCs) with the supplier. For further details please contact the Authority’s Data Protection Officer.
You have the right to object to this processing.
Similarly, personal data shared with BEIS will be stored on their IT infrastructure, and shared with their data processors Microsoft and Amazon Web Services. This may also involve transfer and storage of data outside the European Economic Area. Where that is the case it will also be subject to equivalent legal protection through the use of Standard Contractual Clauses.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 0303 123 1113 Email: firstname.lastname@example.org
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
You can contact the CPCA’s Data Protection Officer at: CPCA Data Protection officer at: CPCA, 72 Market Street, Ely, Cambridgeshire CB4 7LS Email: email@example.com