Data protection registration
The Foundation is registered under the Data Protection Act with no. Z7345445.
Purpose of processing
The National Energy Foundation will process personal data for the following purposes:
- Provision of advice and information on energy saving opportunities, energy management, renewable energy, the contribution of energy use to climate change, the purchase of energy and the alleviation of fuel poverty; collectively referred to as "sustainable energy"
- Processing of grants and subsidies relating to sustainable energy
- Monitoring energy consumption in buildings and vehicles and by lights, appliances and other equipment (where the habits or actions of individuals may have an effect on the energy consumption)
- Assessment of building energy performance, in order to produce certificates, labels or recommendations using proprietary or third party software such as SAP, IES or SBEM
- Research into, and innovation in the area of, sustainable energy
- Marketing our services in the area of sustainable energy
- Maintaining financial records, including invoices, bills and payments
- Maintaining employment records for staff, temporary employees, volunteers, Trustees, associates and sub-contractors, including individuals who were formerly associated with us, for such time as we believe it to be necessary to retain such data to meet our legal and other obligations
- Other purposes necessary to fulfil our charitable aims of educating the public, through education, demonstration and research, about the safe and efficient use of energy and, in relation to use, to the provision of energy.
Before we add you to a mailing list we will ensure that we have your consent, and that you have confirmed your understanding of the purpose of that list. We will not transfer people between mailing lists without seeking additional consent, nor use an informational list (e.g. about the benefits of energy efficiency or renewable energy) for marketing. You may withdraw this consent at any time. We will maintain records of when and how we obtained this consent.
In general we will regard consent for general purposes to run for a period not exceeding six years. Consent given for a specific project or programme will be assumed to run for a period of two years after the completion of that programme or project. At the end of the consent period, we may contact you again seeking further consent or we may delete the relevant data. If we do not hear from you within six months of a request for further consent, we shall assume that it has not been given and delete all relevant information, except as may be required under our legal obligations.
If you give us your data to enable us to fulfil contractual obligations to you, or have freely given it, then we may process the information as necessary for that purpose without seeking further consent.
We may also retain information given freely to us, for example on business cards or incoming e-mails, on manual or electronic systems. These may include files of paper business cards, printed copies of e-mails, our CRM database or electronic copies of saved e-mails. These will not be used to generate marketing lists, although we may, on occasion, approach individuals on a one by one basis. We will take reasonable measures to ensure such contact data is kept up to date and will not retain it beyond its likely period of validity. You have the right to ask us for such data to be deleted or destroyed (see under "Right to be forgotten").
Data will not be used for sales purposes
The data that you provide to us will not be used for selling purposes by third parties. If you suspect that it has been used by third parties in this way, please let us know so that we can investigate the circumstances.
Internal use of Data
We will ensure that personal data is only used internally by staff (including associates who have signed a non-disclosure agreement, temporary employees, volunteers and Trustees) who have had appropriate training in data protection and have a valid business reason for accessing such data.
Transfer of data to third parties – general
We may, on occasion, take part in collaborative projects or deliver contracts awarded from third parties that are intended to foster research & development in sustainable energy, or the alleviation of fuel poverty. In these cases, we may need to record personal data that is required for the successful delivery of the project, including matters such as residents' energy use, occupation patterns, benefits or health status, and other sensitive personal data. We will ensure that this data is only shared when necessary for the project, for example to enable a resident to access additional benefits, and we will not in general transfer such personal data to partners. Where we are contracted to deliver work on behalf of a UK public authority, such as a local council or NHS Trust, we may be required to transfer such data on completion of the project or programme. In these cases, if the authority believes that we have no need to maintain a separate copy of the data, we will ensure that it is promptly deleted.
Transfer of data to third parties – with consent
We may also on occasion run projects where, in order for you to benefit fully from advice given or an installation of an energy efficiency measure, we may make a "referral" to a third party. In these cases, we will only transfer your information to a body that agrees to use it for the limited agreed purposes and not for subsequent marketing, and which we are confident is itself complying with the Data Protection Acts and GDPR. We will determine an appropriate level of security for transferring such data, based on the exact nature of that data.
Transfer of data from third parties
The National Energy Foundation will endeavour to ensure that data transferred to us from third parties, such as ECO installers or professional YouGen members, is only transferred with your consent or in accordance with your legitimate interests. If at any time you are of the opinion that data has been passed to us without your consent, please inform us as soon as possible so that we can take this up with the third party concerned and take the necessary steps in relation to the data we have received.
Right of access
You have the right to be supplied with a copy of the data which we hold about you. After we have made reasonable efforts to verify your identity (so that we know that you are asking about information relating to yourself), we will endeavour to provide this to you without delay and at the latest within one month of receipt of your request. Although we will not normally charge for this data, we may legally do so for requests that are repeated or vexatious.
Right of rectification
If you believe that we hold inaccurate or incomplete data relating to you, you have a right to rectification. You may request rectification by contacting the Data Protection Manager. We will then correct the data within a period of one month unless we believe that the information represents a valid opinion, or is accurate. If we are satisfied that the personal data is accurate, we will tell you that we will not be amending the data, giving you the reason for our decision, and inform you of your right to make a complaint to the ICO and your ability to seek to enforce your rights through a judicial remedy.
Right of erasure (to be forgotten)
You have the right to be "forgotten". This can be exercised by writing to our Data Protection Manager. If we receive such a request, we will remove all information that we have about you from our systems, including our e-mail server, other than certain information that we believe we are required to hold for legal reasons. This retained information may include:
- full employment records for current employees and those employees who have left within the previous six years;
- basic data relating to past employees, limited to full name, date of birth, job title, final salary, dates of employment, and evidence of the right to undertake employment within the UK;
- matters relating to taxation (including payments to past or present employees, associates or other suppliers that may evidence or lead to a liability for income tax, national insurance, VAT or other UK or European taxes);
- invoices received from, or issued to, you in the normal course of business, for a maximum period of six years following the end of the financial year to which they relate;
- information required to be retained under the terms of grants that we have received from programmes of the European Commission, the UK Government or its devolved authorities, or UK local authorities or county councils. This data will be retained in accordance with each programme's specified requirements, which may be up to 20 years in the case of EU programmes;
- information relating to the installation of a measure funded through the Energy Company Obligation (ECO) or other grant funding managed by us, including a self-declaration for ECO Flex, grant application, documents evidencing eligibility, customer sign off and any warranties or guarantees;
- details of applications for, and/or payment of, grants or similar incentives to you or to other residents at the same UK address;
- any information related to matters that we have been requested to retain by a competent authority, such as the police, a Court of Law or, in matters relating to housing, a public sector landlord;
- information that we have reasonable cause to believe may be required for the enforcement of the law in the future.
Where possible in law, we will also add a destruction date to any records that we maintain under these exemptions. We will ensure that any information retained is only used for the specific purposes for which we are legally required to retain it, and will not be used for other purposes such as marketing.
We may generate certain data, such as your hourly energy consumption, as part of a project or programme. In these circumstances, you have the right to request the data for transmission to a third party; we may need to agree with you a suitable transfer format.
Website – General
The National Energy Foundation's website is designed to help you find out about the work of the Foundation, how to improve the use of energy in buildings, and more generally provide an introduction to sustainable energy. Our policy is only to collect and retain data from website users when it is necessary to ensure the smooth functioning of the website, or to store data temporarily that will enable user requests to be met.
The National Energy Foundation site does not automatically capture or store personal information, other than logging the user's IP address and session information such as the duration of the visit and the type of browser used. This is collected automatically by our web hosting company and is only used for system administration and to provide statistics which help us to evaluate use of the site.
Website – Cookies
The National Energy Foundation site's web hosts might set cookies in accordance with their normal practice in order to ensure the smooth operation of the site, specifically the following:
- Sets the date and time that the user last visited the site.
- Tracks the last 5 pages viewed by the user, and is used primarily for redirection after performing an action e.g. searching.
- Every time the state is updated (the page reloaded) the last activity is set to the current date and time. Used to determine expiry of cookies and sessions.
- A uniquely generated ID that corresponds to the user's browsing session ID.
- A flag set to determine if a user is listed in the online users.
- Determines the length of the session for a user.
Websites – Projects
In addition to the main National Energy Foundation website, we may establish or maintain project-related websites, including ones associated with the YouGen, SuperHomes, Assured Performance Process and Energiesprong projects. Our data protection policy will apply equally to data on those sites, but the exact nature of the cookies and other automatic data may vary with the operating system and web host selected. You are referred to those sites for further details.
Websites – Adverts
From time to time websites operated by the National Energy Foundation may carry paid-for advertisements. Although we will strive to ensure that adverts and links that are directly placed with us comply fully with data protection, we cannot be responsible for the content of third party websites, nor for any adverts that are served through service providers such as Google, Microsoft or Amazon.
Websites – Newsletters
From time to time the National Energy Foundation publishes one or more project-related newsletters (e.g. for YouGen). Subscription is via the project website and the only data required for a subscription to take effect will be your first name, last name, e-mail address and (if applicable) company name and (for paper newsletters) address details. Provision of this data is deemed as consent to continue sending the selected newsletter, but no other communications. Subscribers can unsubscribe at any time by following the unsubscribe link at the bottom of the newsletter, but basic details may be retained by our e-mail service provider as evidence of past subscriptions. We may use trusted third parties, such as Mail Chimp or Envirosend, to manage our mailing lists.
Breaches of this policy
In the event that we have reason to believe that there has been a breach of the policy we will investigate the circumstances impartially and on a timely basis, and take such actions to remedy the breach as may be possible.
If you wish to complain about the service you have received or any other matter concerning our data policy, please contact our Data Protection Manager either by e-mail to Data.Protection.Manager@nef.org.uk or at our office address of The National Energy Foundation, Davy Avenue, Knowlhill, Milton Keynes, MK5 8NG. If you are not satisfied with our response, you have a right to complain to the Information Commissioner's Office (ICO).