Module 8 of 15 · Applied

Who controls the data: governance and triage

30 min read · 3 outcomes · Quiz + triage exercise

By the end of this module you will be able to:

  • Apply the Data Triage Playbook to classify energy datasets into open, shared, or closed categories
  • Explain the FAIR principles (Findable, Accessible, Interoperable, Reusable) as applied to energy data
  • Assess governance maturity using the 5-level model and identify the maturity gap in GB energy

With the learning outcomes established, this module begins by examining Ofgem's Data Best Practice Guidance v3.5 in depth.

8.1 Data Best Practice Guidance v3.5

Ofgem's Data Best Practice Guidance (DBP) is the overarching framework for data governance in the GB energy sector. Version 3.5, published in 2024, builds on earlier versions and establishes principles that all licensed energy companies are expected to follow. The DBP is not a legally binding code in the same way as the BSC or SEC, but it is referenced in licence conditions, and compliance is assessed as part of RIIO price control reviews.

The presumed open principle

The most important principle in the DBP is “presumed open.” This means that all energy data should be published openly unless there is a specific reason not to. The burden of proof falls on the organisation holding the data to justify restricting access, not on the party requesting it. This is a deliberate inversion of the traditional default, which was to restrict data unless there was a reason to share it.

The presumed open principle does not mean that all data is published. Three categories of data may legitimately be restricted: personal data (protected by UK GDPR), commercially sensitive data (which could distort markets if disclosed), and security-sensitive data (which could create safety or cyber risks if made public). The Data Triage Playbook provides the structured process for determining which category applies.

The presumption should be that data should be made available to other parties unless there is a clear reason why not.

Ofgem, Data Best Practice Guidance v3.5 (2024)

This is the foundational principle of the DBP: the burden of proof falls on the data holder to justify restriction, not on the party requesting access. It inverts the traditional default of restricting data unless a reason to share exists.

The Data Triage Playbook: four steps

The Data Triage Playbook is a decision framework for classifying datasets. It consists of four sequential questions, each of which must be answered before proceeding to the next:

  1. Is it personal data? If the dataset contains information relating to an identified or identifiable natural person (UK GDPR), it cannot be published openly without anonymisation or aggregation that demonstrably prevents re-identification.
  2. Is it commercially sensitive? If publication would give a market participant an unfair advantage or reveal proprietary information (hedging positions, contract prices, forecasting algorithms), it may require restriction. Aggregate market data is generally not commercially sensitive even if it derives from sensitive inputs.
  3. Is it security-sensitive? If the dataset could identify vulnerabilities in critical national infrastructure or enable cyber or physical attacks (e.g., SCADA configurations, substation vulnerability assessments), it requires restriction based on material risk, not theoretical risk.
  4. Default to open. If the dataset passes all three tests - not personal, not commercially sensitive, not security-sensitive - it should be published openly. This includes network capacity data, aggregated demand profiles, and most operational planning data.

Five sensitivity levels

The DBP defines five sensitivity levels that refine the triage outcome:

Level 0, Open. Freely available to anyone without registration or conditions. Published on the organisation's website or a public data portal. Examples: Long-Term Development Statements, aggregated demand data, published network capacity maps.

Level 1, Shared (registered access). Available to anyone who registers and agrees to terms of use. No detailed vetting, but the organisation knows who has accessed the data. Examples: detailed network topology data, substation loading time series, granular weather data.

Level 2, Shared (vetted access). Available to organisations that have been assessed and approved. Access requires a data sharing agreement. Examples: individual meter point data used for network planning (pseudonymised), detailed asset condition data.

Level 3, Restricted. Available only to named individuals within approved organisations, with specific access controls and audit trails. Examples: customer personal data, commercially sensitive contract data.

Level 4, Closed. Not shared outside the holding organisation except under legal compulsion. Examples: active cybersecurity vulnerability data, ongoing investigation data, information subject to legal privilege.

Three exit branches, one default: the GB energy data triage

Four-question vertical tree. Yes answers exit to the right into personal, commercial or security branches; the no path lands at default-open.

Figure description: a four-step decision tree drawn vertically. Three question rows ask in turn whether the dataset is personal, commercially sensitive, or security sensitive. A yes answer on any row exits to the right into an outcome card; a no answer continues downward to the next question.

  • Q1: Is it personal data under UK GDPR? Yes exits to the personal route (lawful basis, consent, subject rights).
  • Q2: Is it commercially sensitive? Yes exits to the commercial route (restricted with audited access).
  • Q3: Is it security sensitive (CNI risk)? Yes exits to the security route (need-to-know, NCSC OT controls).
  • Default outcome: any dataset that survives all three tests is open by default and is published under the Data Best Practice Guidance v3.5 presumption.

Personal, commercial, security: three exit branches. Everything else defaults to open. Source: Ofgem Data Best Practice Guidance v3.5 (2024).

Check your understanding

In the Data Triage Playbook, what happens if a dataset passes all three sensitivity tests (not personal, not commercially sensitive, not security-sensitive)?

The triage playbook tells you whether data can be shared and at what level. The FAIR principles tell you how it should be packaged and described so that sharing is actually useful, discoverable, and reusable.

8.2 FAIR principles and metadata standards

The FAIR principles originated in scientific data management but have been adopted by Ofgem as a standard for energy data governance. FAIR stands for Findable, Accessible, Interoperable, and Reusable. Each principle addresses a different dimension of data usability.

FAIR principles: four publisher tests for GB energy data

Two-by-two grid for Findable, Accessible, Interoperable, Reusable. Each principle states the requirement, the test, and one worked example.

Figure description: a two-by-two grid of four cards labelled F, A, I and R. Each card gives the principle, the requirement, the publisher test and one worked example from energy data. Findable and Interoperable are emphasised because CIM-aligned network data is the highest-leverage interoperability win for the LTDS programme.

  • F, Findable. Requirement: persistent identifier and rich metadata. Test: can a search find the dataset? Example: DBP catalogue entry with DOI or stable URL.
  • A, Accessible. Requirement: open protocol with authentication when required. Test: can an authorised user retrieve the bytes? Example: OData or REST endpoint, no proprietary client.
  • I, Interoperable. Requirement: shared vocabularies, formal models. Test: does the data carry IEC 61970 or DCAT labels? Example: CIM-aligned network topology export.
  • R, Reusable. Requirement: clear licence and provenance, rich attribution. Test: does the licence permit the consumer's purpose? Example: OGL licence with method and lineage notes.

F-A-I-R: four principles, four publisher tests. Source: Wilkinson et al. (2016) FAIR Guiding Principles; Ofgem DBP v3.5 metadata annex.

Findable

Data must be easy to discover. This requires persistent identifiers (every dataset has a unique, stable identifier that does not change over time), rich metadata (descriptions, keywords, dates, ownership, and update frequency), and registration in searchable catalogues. In the energy sector, findability is a major weakness. Many DNOs publish data on their websites, but there is no single catalogue of all published energy data. Finding a specific dataset often requires knowing which organisation holds it and navigating their specific data portal.

Accessible

Data must be retrievable through standardised protocols. This means using common data access methods (HTTPS, APIs, standard download formats), providing clear access conditions (who can access it and what steps are required), and ensuring the access mechanism is reliable and maintained. Accessibility also requires that metadata remains accessible even if the data itself has been removed or restricted.

Interoperable

Data must use shared vocabularies, formats, and standards so it can be combined with other datasets. In the energy sector, interoperability is undermined by the code fragmentation described in Module 7. The BSC, REC, SEC, and UNC each define their own data models with different field names, formats, and validation rules for overlapping concepts. The Common Information Model (CIM, covered in Module 13) is the international standard that could solve this, but adoption in GB is still partial.

Reusable

Data must have clear usage licences and provenance information. Users need to know what they are allowed to do with the data (commercial use, redistribution, derivative works), where the data came from (provenance), and how reliable it is (quality metrics). In the energy sector, many datasets are published without clear licences, which creates legal uncertainty for third parties who want to build products and services on top of the data.

Personal data can only be used in a way that is fair and not likely to mislead the people it is about. You must tell people how you intend to use their data in a way that is clear and understandable.

ICO, Data Sharing Code of Practice (2021) - Chapter 1

The ICO code applies directly to energy data sharing. Smart meter readings, consumption profiles, and customer account data are personal data. The accessibility requirement under FAIR must be satisfied within the lawful basis requirements of UK GDPR.

Dublin Core metadata

The DBP recommends using Dublin Core as the metadata standard for energy datasets. Dublin Core is a simple, widely adopted standard that defines 15 core metadata elements: Title, Creator, Subject, Description, Publisher, Contributor, Date, Type, Format, Identifier, Source, Language, Relation, Coverage, and Rights. Each published energy dataset should include these elements at minimum, enabling consistent cataloguing and discovery.

DNO publishing decision process

When a DNO decides whether to publish a dataset, the recommended process combines the triage playbook with FAIR assessment. First, the dataset is triaged to determine its sensitivity level. If it can be shared, the DNO applies FAIR principles to determine the best format, metadata requirements, and access mechanism. The dataset is then published through the DNO's data portal with Dublin Core metadata, a clear licence, and a contact point for data users. Quality metrics (completeness, accuracy, timeliness) should be published alongside the data itself.
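The publishing process above can be expressed as a pre-publication gate that runs the triage questions in order and then checks the Dublin Core record. This is an added example, not code from Ofgem or any DNO; the record fields and the two level-consistency rules (a restriction route cannot be declared Level 0, and a restricted level needs a triage reason) are assumptions drawn from the presumed open principle as described in this module.

```python
from dataclasses import dataclass

# The 15 Dublin Core elements named in the section above, as lower-case keys.
DUBLIN_CORE = (
    "title", "creator", "subject", "description", "publisher",
    "contributor", "date", "type", "format", "identifier",
    "source", "language", "relation", "coverage", "rights",
)

@dataclass
class Dataset:
    """Hypothetical catalogue record; the field names are assumptions."""
    metadata: dict
    declared_level: int                       # 0 (Open) .. 4 (Closed)
    personal: bool = False                    # relates to an identifiable person
    reidentification_prevented: bool = False  # anonymised or aggregated
    commercially_sensitive: bool = False
    security_material_risk: bool = False      # material, not theoretical, risk

def triage(ds: Dataset) -> str:
    """Ask the playbook's questions in order; the first 'yes' exits."""
    if ds.personal and not ds.reidentification_prevented:
        return "personal"
    if ds.commercially_sensitive:
        return "commercial"
    if ds.security_material_risk:
        return "security"
    return "open"

def missing_metadata(ds: Dataset) -> list:
    """Dublin Core elements that are absent or blank."""
    return [e for e in DUBLIN_CORE if not str(ds.metadata.get(e) or "").strip()]

def publication_gate(ds: Dataset) -> tuple:
    """Return (route, findings); no findings means the record is consistent."""
    route, findings = triage(ds), []
    if not 0 <= ds.declared_level <= 4:
        findings.append("declared level outside 0-4")
    elif route != "open" and ds.declared_level == 0:
        findings.append(f"{route} route but declared Level 0 (Open)")
    elif route == "open" and ds.declared_level > 0:
        findings.append("restricted level declared with no triage reason")
    # Metadata is checked at every level, restricted datasets included.
    gaps = missing_metadata(ds)
    if gaps:
        findings.append("missing Dublin Core: " + ", ".join(gaps))
    return route, findings

# Constructed sample records, not real DNO data.
FULL = {e: "example" for e in DUBLIN_CORE}
capacity_map = Dataset(FULL, declared_level=0)
meter_reads = Dataset({**FULL, "rights": ""}, declared_level=0, personal=True)
scada_config = Dataset(FULL, declared_level=4, security_material_risk=True)

if __name__ == "__main__":
    for name, ds in [("capacity_map", capacity_map),
                     ("meter_reads", meter_reads),
                     ("scada_config", scada_config)]:
        print(name, *publication_gate(ds))
```

The constructed meter-read record fails twice: it is personal data declared as Level 0, and its Rights element is blank, so a consumer could not tell what licence applies.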

Common misconception

FAIR means free. If data is FAIR, anyone can access it without restriction.

FAIR is about discoverability and usability, not price or access rights. Data can be FAIR and still require registration, vetting, or payment. The 'Accessible' principle means that access conditions are clear and standardised, not that access is unrestricted. Even Level 3 (restricted) data should have FAIR metadata so that potential users can discover it exists and understand the access process.

The FAIR principles define what good data sharing looks like in theory. The maturity model shows how far most GB energy organisations are from achieving it in practice.

8.3 The maturity gap

The five-level maturity model introduced in Module 7 provides a useful lens for assessing governance reality versus aspiration. When Ofgem assessed DNO data governance maturity as part of RIIO-ED2, the results were sobering. Most DNOs self-assessed at Level 2 (Developing) or low Level 3 (Defined). None credibly claimed Level 4 (Managed) across all data domains. Level 5 (Optimising) remains aspirational for the entire sector.

Five maturity rungs and the GB energy data gap

Vertical ladder from accidental collection at the bottom to a FAIR-compliant catalogue at the top. Markers locate typical organisations, the DBP target and LTDS Stage 3.

Figure description: a vertical ladder of five maturity rungs with a rising-maturity axis running up the left. Markers show which rung typical organisations occupy in 2024, which rung the DBP target sits on, and which rung LTDS Stage 3 reaches.

  • Level 5: FAIR-compliant catalogue with API discovery. Persistent IDs, OGL licence, DCAT metadata, machine endpoints. (Marker: LTDS Stage 3)
  • Level 4: Catalogue with metadata and access process. Published catalogue, request workflow, refresh cadence. (Marker: DBP target)
  • Level 3: Selected datasets published openly. Sporadic publication, manual updates, partial metadata. (Marker: typical, 2024)
  • Level 2: Known internally, shared on request. Internal list, ad-hoc sharing, no consumer-facing catalogue.
  • Level 1: Accidentally collected, governance absent. Data exists in spreadsheets, ownership unclear.

Five maturity rungs from accidental collection to FAIR catalogues with API discovery. Source: Ofgem DBP v3.5; ENA Data and Digitalisation assessments.

The gap between current maturity and the level needed to support the energy transition is significant. Net zero requires data-driven decisions about network investment, flexibility procurement, EV charging infrastructure, and heat pump deployment. These decisions depend on data that is accurate, timely, interoperable, and accessible. A sector operating at Level 2-3 maturity cannot reliably provide this.

Root causes of the maturity gap

Several structural factors explain why maturity is low despite years of regulatory attention. First, data has historically been a byproduct of network operations, not a strategic asset. Network engineers collected data to operate the network, not to publish or share it. The skills, processes, and systems designed for operational use do not translate directly into data governance capabilities.

Second, the regulatory framework has been fragmented. Data obligations are scattered across multiple codes, licence conditions, and guidance documents. No single person or team in most organisations has visibility of all their data obligations, let alone the capability to manage compliance holistically.

Third, investment has been inadequate. RIIO-ED2 included digitalisation funding, but much of it was directed at specific technology projects (monitoring equipment, data platforms) rather than the organisational capabilities (people, processes, governance structures) needed to sustain good data management over time. You can buy a data platform in a year; building a data culture takes a decade.

Fourth, there is no meaningful enforcement mechanism for data governance quality. Ofgem can audit compliance with specific licence conditions, but assessing overall governance maturity is subjective. There is no equivalent of the BSC Performance Assurance Framework for data governance more broadly.

Closing the gap

RIIO-3's inclusion of explicit data quality metrics as regulated outputs is the most promising development. If network companies are assessed and rewarded based on measurable data quality improvements, the incentive structure shifts from compliance to excellence. The Energy Data Taskforce's recommendations also point toward a sector-wide data catalogue and common metadata standards, which would address the findability dimension of FAIR.

But technology and metrics alone will not close the gap. The hardest part is cultural change: convincing network engineers that data is as important as cables, convincing boards that data governance is a strategic capability, and convincing regulators that maturity assessments need teeth. Without all three, the maturity gap will persist even as the technology improves.

Check your understanding

What is the 'presumed open' principle in Ofgem's Data Best Practice Guidance?

Key takeaways

  • Ofgem's Data Best Practice Guidance v3.5 establishes the 'presumed open' principle: all energy data should be published openly unless it is personal, commercially sensitive, or security-sensitive. The Data Triage Playbook provides a 4-step classification process (personal? → commercial? → security? → default open).
  • Five sensitivity levels (Level 0 Open through Level 4 Closed) refine the triage outcome. Each level specifies different access conditions, from unrestricted public access to no sharing outside the holding organisation.
  • FAIR principles (Findable, Accessible, Interoperable, Reusable) define data usability standards. FAIR does not mean free - data can be FAIR and still require registration or vetting. Dublin Core provides the recommended 15-element metadata standard.
  • Most GB energy organisations operate at maturity Level 2-3 against the 5-level model. The gap is driven by historical culture (data as byproduct, not asset), regulatory fragmentation, inadequate governance investment, and weak enforcement. RIIO-3 data quality metrics may help, but closing the gap requires cultural change alongside technology.

Standards and sources cited in this module

  1. Ofgem, Data Best Practice Guidance v3.5 (2024)

    Presumed open principle and Data Triage Playbook

    Source for the triage framework, sensitivity levels, and presumed open principle. Referenced throughout Section 8.1.

  2. GO FAIR Initiative, FAIR Principles

    Findable, Accessible, Interoperable, Reusable definitions

    Original source for the FAIR principles adopted by Ofgem for energy data governance. Referenced in Section 8.2.

  3. Energy Data Taskforce, A Strategy for a Modern Digitalised Energy System (2019)

    Recommendations on data governance, cataloguing, and the Digital Spine

    Source for the sector-wide data governance recommendations and maturity assessment framework. Referenced in Section 8.3.

Module 8 of 15 · Energy System Data Applied