Boiler Upgrade Scheme Privacy Notice - Installers


Publication date

Scheme name


This privacy notice explains how we will process the personal information of authorised representatives of installers and additional users of installers for the purposes of the Boiler Upgrade Scheme ('BUS'), administered by Ofgem. This privacy notice also sets out authorised representatives’ and additional users’ rights as data subjects.

It applies to information we process concerning:

  • the authorised representative of an installer
  • employees of installers who are users of the BUS service ('additional users')
  • authorised representatives and additional users who contact Ofgem with a query, for example, a right of access request, regarding the BUS
  • authorised representatives and additional users who sign up to receive newsletters and regular correspondence


The controller for the processing of any personal information as outlined in this privacy notice is the Gas and Electricity Markets Authority (GEMA). For ease of reference, this privacy notice refers to the administrative office of GEMA as ‘Ofgem’ throughout.

What personal information do we collect?

We will collect the following information directly from the authorised representative:

  • the name of the installer business
  • the authorised representative’s:
    • name
    • home address
    • email address and telephone number
    • date of birth
  • a digital copy of:
    • a recent bank statement (no older than 3 months) for the installer business
    • a digital copy of a document for the purpose of verifying the identity of the authorised representative which may be be one of:
      • full signature and photo page of a valid passport
      • valid UK driving licence (photocard or paper)
      • current UK firearms certificate or shotgun licence
      • current national identity card
  • a digital copy of a document for the purpose of verifying the home address of the authorised representative - this will be one of the following:
    • a domestic utility bill from the last three months
    • a council tax bill from the last three months

We will collect the following information directly from the authorised representatives or additional users who've been given permission to manage other users on their business’s installer account, and including the:

  • name of any additional users from the authorised representative’s business
  • work email addresses of any additional users
  • telephone number of any additional users

We will also collect information directly from users who sign up to our newsletter(s), respond to our customer satisfaction (CSAT) surveys or are part of any Ofgem working group related to the BUS. We will collect and store their name and email address in order to send these to them, as well as their responses to questions posed relating to our performance in administering the scheme.

Registered users can request for their information to be removed from the newsletter distribution list at any time by clicking unsubscribe within the newsletter.

We receive information directly and indirectly when the authorised representative:

  • has applied to create a BUS installer account
  • has applied to make amendments to an existing BUS installer account
  • or any additional user with user management permission instructs us to add new additional users to the installer account
  • or other employee of an installer has applied for receipt of the CSAT surveys

And in addition during audits or for an assurance report, we may receive information indirectly via a third party who we have contracted to undertake auditing or assurance work on our behalf (this may include further documentary evidence)

Why do we need to collect and process this information from the authorised representative and additional users?

We only collect information that we need in order to carry out our functions in relation to the BUS. Our primary functions to administer the BUS include, but are not limited to:

  • assurance as to the eligibility and key business details of installers creating BUS installer accounts
  • administering the scheme
  • assessing BUS voucher applications
  • confirming property owner consent
  • assessing BUS voucher redemption applications
  • making BUS payments
  • undertaking any actions against non-compliance, suspected or otherwise, scheme abuse and counter-fraud actions we deem necessary in accordance with the BUS regulations
  • reporting, if required, of non-compliance in BUS reporting arrangements

The personal information of authorised representatives or additional users on an installer account will not be used for profiling (that is, any computerised processing which may use personal information to evaluate certain things about an individual, for example any decision relating to their registration on the BUS digital portal).

In some cases, we use data analytics software to: 

  • identify suspected scheme abuse or fraud
  • improve the services we provide
  • monitor compliance with BUS regulations

In order to inform future policy development of our environmental and social schemes, authorised representatives’ and additional users' information will be used to review and improve our scheme administration.

When do we collect BUS user information?

We collect BUS users’ information when users:

  • visit our website - you can find out how we do this through the use of cookies by viewing ‘Cookies we use’ section at the end of this page
  • engage with us when we carry out our statutory and administrative functions 
  • create a BUS installer account
  • submit information and data to us via the BUS digital portal
  • use our services, for example subscribing to our RSS feeds, e-newsletters, social media sites, email alerts or requesting a publication from us
  • email, or telephone us, or send information to us in paper format
  • contact us in relation to information requests, complaints and general enquiries

How and when will we process and disclose authorised representative and additional user information?

We will process and disclosure users' personal information:

  • where the disclosure is required by law, statutory direction, court orders, or is necessary for the purposes of the administration or development of the BUS
  • where the user has given us explicit permission to disclose it
  • for the processing and sharing of relevant information during audits

We will only share authorised representative and additional user information with the following organisations or official bodies:

  • third-party auditors or other third party for the purposes of either auditing the information provided to us by the user or providing an assurance report (we will require such third parties to agree to treat the information in accordance with this privacy policy)
  • third-party suppliers appointed by us in connection with our scheme administration. This may include research companies or agencies appointed to conduct surveys on our behalf.  We will notify you of this in writing before any survey goes ahead and provide you with the opportunity to decline to take part.
  • Action Fraud or the police in England and Wales when we have found instances of suspected fraud
  • the property owner whom the authorised representative’s business is making an application on behalf of
  • The Department for Energy Security and Net Zero ("DESNZ"), formerly the Department for Business, Energy and Industrial Strategy (BEIS), who may issue Ofgem a notice that legally compels Ofgem to disclose specified information collected for the purposes of administering the BUS which include, but are not limited to:
    • surveys and statistical purposes (for example, to publish official statistics and to fully monitor the rollout and progress of the scheme)
    • quality assurance
    • forecasting expenditure
    • wider purposes connected with analysis, research, monitoring, evaluation, development and understanding of the BUS and DESNZ’ policies 

DESNZ will also share users' information with its contractors or sub-contractors for these purposes. 

  • The Welsh Government and their approved contractors for the Welsh Government to report on and monitor devolved heat policy in Wales
  • Department for Environment Food and Rural Affairs
  • Trading Standards and the Serious Fraud Office
  • local authorities in Great Britain (upon request), who require information for their net zero strategies, clean air obligations and other functions within their remit
  • the Microgeneration Certification Scheme (MCS), for the purpose of identifying suspected fraud and cases of non-compliance on the BUS, and for the purpose of facilitating MCS publishing on their website a list of installers who have a BUS account with Ofgem
  • renewable energy consumer codes, who assist us in the protection of consumers
  • The Home Insulation & Energy Systems Quality Assured Contractors Scheme, who assist us in the protection of consumers
  • Qlikview, where we use their software platform to conduct data analytics
  • Huddle or EGRESS, where we use their platform to securely share data with other organisations
  • we may share some registered users' personal information with electricity distribution network companies to verify information they have provided for purposes that include, but are not limited to, investigating suspected fraud
  • Universal Language Solutions Ltd should there be a requirement for the provision of written and/or spoken translation services from English into Welsh and from Welsh into English

What is the legal basis for processing users' information?

We collect and process users' information under the ‘public task’ legal basis for processing, as part of our remit as the BUS administrator (UK GDPR, Article 6(1)(e)), and for purposes arising from Ofgem’s functions conferred by law, including:

  • Utilities Act 2000 (as amended)
  • Energy Act 2008 (as amended)
  • The Boiler Upgrade Scheme Regulations 2022

We would not be able to fulfil our obligations as the administrator of the BUS without collecting and using users' information.

We may process your information for the purpose of conducting surveys. Where we do so, this is necessary for the purposes of legitimate interests pursued by us within the meaning of Article 6(1)(f) GDPR.  Where you agree to participate in a survey, we will also process your information based on your consent.

How long do we keep your information?

The digital copies of the proof of ID and proof of home address documents authorised representatives submit will be deleted when we no longer need them for our verification purposes. We aim to do this 3 months from the date we review them.

Users' personal information is deleted when we no longer need it for our functions in administering the BUS. As such, it is retained by Ofgem for the duration of the scheme, and for a period of 7 years thereafter.

Sharing users' information outside the European Economic Area

Any information users provide will not be transferred outside the European Economic Area.

Where we use cloud processing to support our data processing, the servers are located within the European Economic Area.

Users' rights

We hold information about BUS users who have the right to:

  • be informed about the data we hold about them
  • access the information we hold about them
  • have their personal information corrected if it is incomplete or inaccurate
  • ask us to restrict how we process their information
  • object to certain ways we use their information
  • in some circumstances, object to Ofgem processing their information

To see the full suite of new consumer rights available to users under UK GDPR, please refer to the Ofgem privacy policy or the ICO website.

Further information

To find out more information on how Ofgem processes personal data, please refer to the Ofgem privacy policy.

How to contact us

If you would like to:

  • make a Freedom of Information or Environmental Information Regulations request, see information requests
  • make a complaint about Ofgem, see complaints about Ofgem
  • make a subject access request, see information requests
  • exercise any of your rights and/or request information about Ofgem privacy policy please contact our Data Protection Officer by email on or alternatively write to us at:

The Data Protection Officer
10 South Colonnade
Canary Wharf
E14 4PU

Complaints to the Information Commissioner

Users of the BUS have a right to complain to the Information Commissioner.

If you want to raise a concern about how we have handled your information, you can report it direct to the Information Commissioner’s Office at the following address:

Information Commissioner's Office
Wycliffe House
Water Lane
Telephone: 0303 123 1113
Online: Live chat

Changes to this privacy notice

We keep our privacy policy under regular review. This privacy notice was last updated on 19 January 2024.

Cookies we use

Cookies are small files saved on users' phones, tablets or computers when they visit a website.

We use the following essential cookies to make the online BUS portal work for installers.






Stores technical and session-specific information, including user security roles.

24 hours


Stores Azure Active Directory Business To Consumer (ADB2C) user login information and session data.

14 days


Holds user membership data across tenants. The tenants a user is a member of and level of membership (Admin or User).

When you close your web browser


Used to route requests to the appropriate production instance.

When you close your web browser


Used for tracking the transactions (number of authentication requests to Azure AD B2C) and the current transaction.

When you close your web browser


Used for maintaining the SSO session.

When you close your web browser


Used for maintaining the request state.

When you close your web browser


Cross-Site Request Forgery token used for CRSF protection.

When you close your web browser


Used for Azure AD B2C network routing.

When you close your web browser



When you close your web browser


Used for storing membership data for the resource provider tenant.

When you close your web browser


Used for storing the relay cookie.

When you close your web browser


Used for tracking whether or not a user has dismissed the cookie banner.

365 days

Used to track whether or not a user has opted into analytics,

365 days


With your permission, we use Google Analytics to collect data about how you use the BUS digital service. This information helps us to improve our service. 

Google is not allowed to use or share our analytics data with anyone. 

Google Analytics stores anonymised information about: 

  • how you got to the BUS digital service 
  • the pages you visit on the BUS digital service and how long you spend on them
  • any errors you see while using the BUS digital service

You can choose whether to opt in or out of them after you’ve signed in.






These help us count how many people visit the BUS digital service and other government digital services by tracking if you’ve visited before

2 years


These help us identify and track an individual session on a user’s device.

2 years