Boiler Upgrade Scheme Privacy Notice - Installers


Publication date

Scheme name


This privacy notice explains how we will process personal information of installers for the purposes of Boiler Upgrade Scheme (“BUS”), administered by Ofgem. This privacy notice also set out installers’ rights as a data subject.

It applies to information we process concerning:

  • the authorised representative of an installer;
  • employees of installers who are users of the BUS Service;
  • individuals who contact Ofgem with a query, for example, a right of access request, regarding the BUS;
  • individuals who sign up to receive newsletters and regular correspondence.


The Controller for the processing of any personal information as outlined in this privacy notice is the Gas and Electricity Markets Authority, (GEMA). For ease of reference this privacy notice refers to the administrative office of GEMA, “Ofgem” throughout.

What personal information do we collect?

We will collect information directly from the authorised representative:

  • the authorised representative’s name;
  • the authorised representative’s home address;
  • the authorised representative’s work email address and telephone number;
  • the authorised representative’s date of birth;
  • the work email addresses of additional users from the authorised representative’s business;
  • a digital copy of a recent bank statement (no older than 3 months) for the Installer business;
  • a digital copy of a document for the purpose of verifying the identity of the authorised representative – this will be one of:
    • the full signature and photo page of a valid passport
    • your valid UK driving licence (photocard or paper)
    • your current UK firearms certificate or shotgun licence
    • your current national identity card.
  • a digital copy of a document for the purpose of verifying the home address of the authorised representative, this will be one of the following:
    • a domestic utility bill from the last three months;
    • a council tax bill from the last three months.

We will also collect information directly from users who sign up to our newsletter(s), respond to our customer satisfaction (CSAT) surveys or are part of any Ofgem working group related to the BUS. We will collect and store your name and email address in order to send these to you, as well as your responses to questions posed relating to our performance in administering the scheme(s).
Registered users can request for their information to be removed from the newsletter distribution list at any time by clicking unsubscribe within the newsletter.

We receive information directly and indirectly when:

  • the authorised representative has applied for BUS account creation;
  • the authorised representative or other employee of an installer has applied for receipt of the CSAT surveys;
  • during audits or for an assurance report we may receive information indirectly via a third party who we have contracted to undertake auditing or assurance work on our behalf. This information may include further documentary evidence.

Why do we need to collect and process the information from the authorised representative?

We only collect information that we need in order to carry out our functions in relation to the BUS. Our primary functions to administer the BUS which include, but are not limited to, the functions below:

  • assurance as to the eligibility and key business details of installers creating BUS accounts;
  • administering the scheme;
  • assessing BUS voucher applications;
  • confirming property owner consent;
  • assessing BUS voucher redemption applications;
  • making BUS payments;
  • undertaking any actions against non-compliance, suspected or otherwise and counter-fraud actions we deem necessary in accordance with the BUS regulations;
  • reporting if required of non-compliance in BUS reporting arrangements;

Authorised representatives’ personal information will not be used for profiling, i.e. any computerised processing which may use personal information to evaluate certain things about an individual e.g. any decision relating to your registration on the BUS portal.
In some cases, we use data analytics software to: 

  • identify suspected fraud;
  • improve the services we provide;
  • monitor compliance with BUS regulations.

In order to inform future policy development of our Environmental and Social Schemes authorised representatives’ data may be shared internally within Ofgem.

How do we collect information of all BUS users?

We collect BUS users’ information when you:

  • visit our website to allow you to make repeat visits. You can find out how we do this through the use of cookies by viewing our information page on the Ofgem website;
  • engage with us when we carry out our statutory and administrative functions; 
  • create a BUS installer account;
  •  submit information and data to us via the BUS Portal;
  • use our services, for example subscribing to our RSS feeds, e-newsletters, social media sites, email alerts or requesting a publication from us;
  • email, fax, or telephone us, or send information to us in paper format;
  • contact us in relation to information requests, complaints and general enquiries.

How and when will we process and disclose authorised representative information?

  • where the disclosure is required by law, statutory direction, court orders, or is necessary for the purposes of the administration or development of the BUS;
  • where you give us explicit permission to disclose it;
  • for the processing and sharing of relevant information during audits.

We will only share authorised representative information with the following organisations or official bodies:

  • third-party auditors or other third party for the purposes of either auditing the information provided to us by you or providing an assurance report (we will require such third parties to agree to treat the information in accordance with this privacy policy);
  • Action Fraud or the Police in England and Wales when we have found instances of suspected fraud;
  • the property owner whom the authorised representative’s business is making an application on behalf of;
  • The Department for Business, Energy and Industrial Strategy (BEIS), who may issue Ofgem a notice that legally compels Ofgem to disclose specified information collected for the purposes of administering the BUS which include, but are not limited to:
    • surveys and statistical purposes (e.g. to publish official statistics and to fully monitor the rollout and progress of the scheme);
    • quality assurance;
    • forecasting expenditure;
    • wider purposes connected with analysis, research, monitoring, evaluation, development and understanding of the BUS and BEIS’ policies. 
  • BEIS will share your information with its contractors or sub-contractors for these purposes. 
  • The Welsh Government and their approved contractors for the Welsh Government to report on and monitor devolved heat policy in Wales;
  • Department for Environment Food and Rural Affairs;
  • Trading Standards and the Serious Fraud Office
  • Local Authorities in Great Britain (upon request), who require information for their Net Zero Strategies, clean air obligations and other functions within their remit;
  • The Microgeneration Certification Scheme, for the purpose of identifying suspected fraud and cases of non-compliance on the BUS; 
  • Renewable Energy Consumer Codes, who assist us in the protection of consumers; 
  • The Home Insulation & Energy Systems Quality Assured Contractors Scheme, who assist us in the protection of consumers;
  • Qlikview, where we use their software platform to conduct data analytics;
  • Huddle, where we use their platform to securely share data with other organisations;
  • We may share some registered user personal information with Electricity Distribution Network companies to verify information you have provided for the purposes including, but not limited to, investigating suspected fraud;
  • BEIS have also published a privacy notice covering how they use personal data.

What is the legal basis for processing your information?

We collect and process your information under the ‘Public Task’ legal basis for processing as part of our remit as the BUS administrator (UK GDPR, Article 6(1)(e)), and for purposes arising from Ofgem’s functions conferred by law, including:

  • Utilities Act 2000 (as amended);
  • Energy Act 2008 (as amended);
  • The Boiler Upgrade Scheme Regulations 2022.

We would not be able to fulfil our obligations as the administrator of the BUS without collecting and using your information.

How long do we keep your information?

The digital copies of the proof of ID and proof of home address documents you submit will be deleted when we no longer need them for our verification purposes. This will be 3 months from the date we review them.

Your personal information is deleted when we no longer need it for our functions in administering the BUS. As such, it is retained by Ofgem for the duration of the scheme, and for a period of 7 years thereafter.

Sharing your information outside the European Economic Area

Any information you provide will not be transferred outside the European Economic Area.

Where we use cloud processing to support our data processing, the servers are located within the European Economic Area.

Your rights

We hold information about BUS users who have the right to:

  • be informed about the data we hold about you;
  • access the information we hold about you;
  • have your personal information corrected if it is incomplete or inaccurate;
  • ask us to restrict how we process your information;
  • object to certain ways we use your information;
  • in some circumstances, you may have a right to object to Ofgem processing your information.

To see the full suite of new consumer rights available to you under UK GDPR, please refer to the Ofgem Privacy Policy or the ICO website.

Further information

To find out more information on how Ofgem processes personal data, please refer to the Ofgem Privacy Policy.

How to contact us

If you would like to:

The Data Protection Officer
10 South Colonnade
Canary Wharf
E14 4PU

Complaints to the Information Commissioner

Authorised representatives have a right to complain to the Information Commissioner. If you want to raise a concern about how we have handled your information, you can report it direct to the Information Commissioner’s Office at the following address:

Information Commissioner's Office
Wycliffe House
Water Lane
Telephone: 0303 123 1113
Online: Live chat

Changes to this privacy notice

We keep our privacy policy under regular review. This privacy notice was last updated on 11 April 2022.