Data protection policy

Publication date
4th July 2009
Information type
Policy area


The Data Protection Act 1998 (the Act) regulates the use of personal data relating to individuals. The Act applies to both automated and manual data, i.e. computerised and paper records. Ofgem's policy is to fully comply with the Act and any other related legislation. Ofgem is committed to protecting personal data and respecting the rights of individuals.

Ofgem will ensure that it has mechanisms in place to meets its obligations under the Act. Ofgem will, where necessary, provide written guidance and training to help employees understand their data protection rights, duties and responsibilities and comply with this Policy.

Ofgem will ensure that it has procedures in place to:

a) maintain an accurate and up-to-date notification1 with the Information Commissioner.

b) adhere to the eight Data Protection Principles (see below).

Notification is the process by which Ofgem details, as a data controller, are added to the public register maintained by the Information Commissioner. Each register entry includes the name and address of the data controller and a general description of the processing of personal data by Ofgem. Individuals can consult the register to find out what processing of personal data is being carried out by a particular data controller. The Data Protection Act 1998 requires every data controller who is processing personal data to notify unless they are exempt.

The Information Commissioner is the regulator responsible for data protection and freedom of information.

A data controller is a legal person who determines the purpose for which, and the manner in which, personal data will be processed. The Act imposes a number of obligations on data controllers.

The Commissioner maintains a public register of data controllers. Each notification entry includes the name and address of the data controller, and a brief description of the personal data processed by the data controller.

It is the responsibility of each employee to comply with this Ofgem Data Protection Policy. A breach of this Policy and/or associated procedures may result in disciplinary action.


As a data controller, Ofgem is required to notify the Information Commissioner on an annual basis about the purposes for which it processes (collecting, holding, recording, using) personal data. The Data Protection Officer is responsible for ensuring that Ofgem meets its notification requirements.

The Eight Data Protection Principles

The Data Protection Principles specifically require that Ofgem shall :

  1. process personal data fairly and lawfully and, in particular, will not process personal data unless specific conditions are met
  2. obtain personal data for one or more specified and lawful purpose and will not further process the data in any manner incompatible with the original purpose(s)
  3. ensure personal data are adequate, relevant and not excessive in relation to the purpose for which they are processed
  4. keep personal data accurate and where necessary, up-to-date
  5. retain personal data for no longer than is necessary
  6. process personal data in accordance with the rights of individuals under the Act (see "Individual’s Rights below" )
  7. put in place appropriate technical and organisational measures to prevent any unauthorised or unlawful processing, accidental loss, destruction of, or damage to, the personal data
  8. not transfer personal data outside the European Economic Area (EEA) without an adequate level of protection for the rights and freedoms of individuals in relation to the processing.

The European Economic Area (EEA) includes the 15 European Union Member States and Iceland, Norway and Liechtenstein.

Individual's Rights

The Act gives specific rights to individuals as set out in the Sixth Data Protection Principle (see paragraph 6f above). These are:

a) Right of subject access

An individual may request a copy of the data held about them by Ofgem. The request must be made in writing, and the individual must provide sufficient information to enable Ofgem to identify them and locate the data. Ofgem has 40 days to comply with such a request. All requests must be referred to the Data Protection Officer immediately.

b) Right to take action in relation to inaccurate data

An individual may request that Ofgem rectifies, blocks, erases, or destroys inaccurate data relating to them. This includes any expression, or opinion, which is based on inaccurate data. Data are considered inaccurate if they are misleading or incorrect as to any matter of fact.

c) Right to prevent direct marketing

Individuals have the right to request that Ofgem does not use their data for direct marketing purposes.

d) Right to prevent processing which causes damage or distress

An individual may write to Ofgem to request that it ceases, or does not begin, processing personal data (of which that individual is the subject) which may cause, or is causing, damage or distress.

e) Rights in relation to automated decision making

An individual is entitled to require that Ofgem will not base a decision, which significantly affects them, solely on automated means.

f) Right to compensation

An individual has the right to request compensation through the Courts if Ofgem causes him/her damage or damage and distress by any contravention of the Act.

g) Right to request an assessment by the Information Commissioner

An individual has the right to ask the Commissioner to assess whether processing has been, or is being, carried out in compliance with the Act.

Liabilities of Staff under the Act

8. Any person, including any employee of Ofgem, may be prosecuted as an individual under the Act for knowingly or recklessly, without the consent of Ofgem:

(a) obtaining or disclosing personal data, or the information contained in the personal data; or

(b) procuring the disclosure of the information contained in the personal data to another person.

9. Any employee who intentionally obstructs a person in the execution of a warrant6 issued under the Act, or fails without reasonable excuse to give any person executing such a warrant such assistance as they may reasonably require for the execution of the warrant , is guilty of an offence under the Act.

A warrant issued under the Act authorises the Commissioner or any of his officers or staff at any time within seven days of the date of the warrant to enter the premises, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal data and to inspect and seize any documents or other material found there which may be used in evidence.

Departmental Liabilities under the Act

Government departments are not liable for prosecution under this Act. However, as referred to in paragraph f) above, Ofgem may be liable through civil proceedings to pay compensation for damage, or damage and distress, by any contravention of the Act. Ofgem may also be mentioned in the Commissioner's Annual Report to Parliament for any failure to comply with the Act and may also incur adverse publicity.

Further Information

For further information and advice on complying with the Act, please refer to:

Alternatively, please refer any queries to the Data Protection Officer:

Paul Kitcher

Telephone: 0207 901 7011


Subsidiary documents