Your data, your rights: privacy and security
By the end of this module you will be able to:
- Explain three overlapping privacy frameworks: UK GDPR, the DUA Act 2025, and the DAPF tiered consent model
- Describe what 48 half-hourly readings reveal about occupants and why the Ofgem vs ICO consent dispute remains unresolved
- Outline the DCC PKI-E four-tier certificate hierarchy and the NIS/CAF cybersecurity framework

What 48 readings reveal
Your smart meter knows when you wake up, when you cook, and when you go on holiday.
This is not hypothetical. Academic research and regulatory assessments have demonstrated that half-hourly consumption data from a known address constitutes personal data under UK GDPR. The ICO has confirmed this classification. Yet the energy industry needs this granular data for settlement accuracy, network planning, and the energy transition. The result is a three-way tension between Ofgem (which wants granular data for market efficiency), the ICO (which wants to protect consumer privacy), and consumers (who may not understand what their meter reveals).
This module examines the three overlapping privacy frameworks that govern smart meter data, the unresolved consent dispute between regulators, and the cybersecurity infrastructure that protects data in transit.
A team of researchers analysed one year of half-hourly electricity data from a single household. Without entering the home or speaking to the occupants, they identified wake-up times (the first consumption spike each morning), meal preparation (kettle and oven signatures), the presence of an electric vehicle (regular overnight charging pattern), a two-week holiday (consumption dropping to fridge-only baseline), and a period of illness (abnormal daytime consumption patterns on weekdays). Forty-eight readings per day, 365 days per year — that is 17,520 data points that collectively paint an intimate portrait of domestic life.
With the learning outcomes established, this module begins by examining UK GDPR and energy data in depth.
9.1 UK GDPR and energy data
The UK General Data Protection Regulation (UK GDPR), implemented through the Data Protection Act 2018, applies to all personal data processed in the energy sector. For smart meter data, the key provisions are:
“Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.”
UK GDPR, Article 5(1)(a)
This is the first principle of UK GDPR data processing. In the energy sector it means that smart meter data collection must have a valid lawful basis (Article 6), that consumers must be informed about how their data is used, and that processing must not be deceptive or harmful.
Lawful basis for processing
Article 6(1) requires a lawful basis for processing personal data. The energy sector uses several bases: consent (the customer agrees to their data being used for a specific purpose), contract (processing is necessary to fulfil the supply contract), legal obligation (processing is required by law, such as BSC settlement obligations), and legitimate interests (processing is necessary for the data controller's legitimate interests, balanced against the individual's rights).
The choice of lawful basis matters enormously. Consent can be withdrawn, creating operational complexity. Contract is limited to what is strictly necessary for supply. Legal obligation only applies where specific legislation mandates the processing. Legitimate interests requires a balancing test that must be documented and can be challenged. The DUA Act 2025 introduces “recognised legitimate interests” that may simplify some of these decisions.
Data minimisation
Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary for the purpose. This principle directly challenges the industry's desire for ever more granular data. Is half-hourly data necessary for settlement, or would daily data suffice? Is individual-level data necessary for network planning, or would aggregated data at the substation level be adequate? These are not technical questions — they are governance questions with no universally agreed answers.
Right to erasure and portability
Article 17 gives individuals the right to have their personal data deleted. Article 20 gives them the right to receive their data in a portable format and to transmit it to another controller. Both rights create practical challenges in the energy sector. Settlement data cannot simply be deleted because it is needed for reconciliation runs over 28 months (reducing to 4 months under MHHS). Portability requires standardised data formats that not all suppliers have implemented.
The right to erasure is particularly complex because energy data serves multiple purposes with different retention requirements. The same half-hourly reading may be needed for billing (retained until the bill is paid and the dispute period expires), settlement (retained for 28 months), network planning (retained indefinitely in aggregated form), and regulatory compliance (retained as Ofgem directs). Deleting the data for one purpose while retaining it for another requires sophisticated data management capabilities that many suppliers lack.
Why is the right to erasure under UK GDPR Article 17 particularly complex for smart meter data?
UK GDPR sets the overarching legal framework. The DUA Act 2025 and the DAPF layer on top of it, attempting to resolve the contested questions about which lawful basis applies to half-hourly settlement data.
9.2 The DUA Act and the consent dispute
Data Use and Access Act 2025
The DUA Act received Royal Assent on 19 June 2025 and introduces two provisions with significant implications for energy data privacy. First, the Smart Data framework (Part 1) gives the Secretary of State power to require energy companies to share customer data with authorised third parties through secure APIs, provided the customer has given explicit consent. This creates a regulated data-sharing ecosystem similar to Open Banking in financial services.
Second, the Act introduces “recognised legitimate interests” as a streamlined lawful basis for processing. Certain processing activities can be pre-approved as legitimate interests without requiring a case-by-case balancing test. The Secretary of State will specify which activities qualify through secondary legislation. If settlement processing or network planning are designated as recognised legitimate interests, it would significantly simplify the legal basis for using smart meter data for these purposes.
“Processing of personal data shall be lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”
UK GDPR, Article 6(1)(f)
The legitimate interests basis is the most contested lawful basis for smart meter settlement data. Ofgem argues it applies to half-hourly collection; the ICO has not definitively agreed. The DUA Act 2025's recognised legitimate interests provision may resolve this by pre-approving specific processing activities in secondary legislation.
DAPF tiered consent model
The Data Access and Privacy Framework (DAPF) was developed alongside the smart meter rollout to define consent requirements for different levels of data granularity. It establishes a tiered approach:
Monthly data — no consent required. Monthly consumption totals are considered necessary for billing and settlement. No additional consent is needed because the data is collected under the contract and legal obligation lawful bases. The granularity is too low to reveal behavioural patterns.
Half-hourly data for settlement — contested. This is the most contentious tier. Ofgem's position is that half-hourly data is necessary for accurate settlement under MHHS and can be collected under the legal obligation basis (BSC requirements). The ICO's position is that half-hourly data is personal data and requires either consent or a robust legitimate interests assessment. As of March 2026, this disagreement between the two regulators remains unresolved.
Half-hourly data beyond settlement — opt-in consent. If a supplier or third party wants to use half-hourly data for purposes beyond settlement (energy efficiency advice, time-of-use tariff design, appliance disaggregation), the customer must give explicit opt-in consent. This consent must be granular (specifying each purpose), informed (explaining what the data reveals), and withdrawable (the customer can change their mind at any time).
DNO access — privacy plan required. DNOs require access to consumption data for network planning and load management. Under the DAPF, DNOs must publish a privacy plan explaining what data they access, why they need it, how it is protected, and how long it is retained. The data must be pseudonymised or aggregated wherever possible.
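The four tiers above can be expressed as an access decision made at request time. The following is an added example, not part of the DAPF or any supplier's code; the role labels, purpose strings and the `Decision`, `Consent` and `Request` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    CONTESTED = "contested"  # regulators disagree: needs a documented lawful basis


@dataclass
class Consent:
    """One opt-in per purpose, so consent stays granular and withdrawable."""
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, when: datetime) -> bool:
        if when < self.granted_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


@dataclass
class Request:
    role: str          # "supplier", "third_party" or "dno" (labels assumed here)
    granularity: str   # "monthly" or "half_hourly"
    purpose: str       # e.g. "billing", "settlement", "energy_efficiency_advice"
    when: datetime
    privacy_plan_published: bool = False  # only meaningful for a DNO


def decide(req: Request, consents: List[Consent]) -> Decision:
    # DNO tier: gated on a published privacy plan rather than customer opt-in.
    if req.role == "dno":
        return Decision.ALLOW if req.privacy_plan_published else Decision.DENY
    # Monthly tier: covered by contract and legal obligation, no extra consent.
    if req.granularity == "monthly":
        return Decision.ALLOW
    # Half-hourly for settlement: the unresolved Ofgem vs ICO tier.
    if req.purpose == "settlement":
        return Decision.CONTESTED
    # Half-hourly beyond settlement: opt-in for this exact purpose, still active.
    if any(c.purpose == req.purpose and c.active(req.when) for c in consents):
        return Decision.ALLOW
    return Decision.DENY
```

Evaluating consent against the request timestamp means a withdrawal takes effect for every later request without deleting the record of what was once granted.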
The Ofgem vs ICO consent dispute
The central unresolved question is whether half-hourly smart meter data can be collected for settlement without explicit consumer consent. Ofgem argues that settlement is a legal obligation under the BSC, and that accurate settlement requires actual half-hourly data. If consent is required, some consumers will refuse, leaving gaps in settlement data that must be filled with estimates, undermining the accuracy that MHHS is designed to achieve.
The ICO argues that half-hourly data is personal data (this is not disputed), that the legal obligation basis only applies if there is a specific statutory requirement to collect data at this granularity (which is debatable — the BSC requires settlement, but does not specify that all meters must provide half-hourly data), and that the legitimate interests basis requires a balancing test that has not been conclusively performed.
As of March 2026, this dispute has not been formally resolved. The MHHS programme is proceeding on the assumption that half-hourly collection is justified, but the legal basis remains contested. The DUA Act's recognised legitimate interests provision may eventually provide the resolution, but the relevant secondary legislation has not yet been laid before Parliament.
CCS consumer consent journey
Citizens Advice and the Department for Energy Security and Net Zero (DESNZ) have researched the consumer consent journey for smart meter data. Their findings are concerning: most consumers do not understand what half-hourly data reveals, many consumers believe their data is anonymous (it is not — it is linked to their MPAN and address), and the consent language used by suppliers is often unclear or buried in terms and conditions. Improving consumer understanding and consent quality is essential, regardless of which lawful basis ultimately prevails for settlement.
Common misconception
“Smart meter data is anonymous because it is just numbers.”
Half-hourly consumption data from a known address is personal data under UK GDPR. The ICO has confirmed this classification. Forty-eight readings per day reveal wake times, occupancy, cooking habits, EV charging, holidays, and potentially health conditions. Even aggregated data can become personal if the aggregation group is small enough (e.g., a single substation serving 10 houses).
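The small-group problem, and the DAPF requirement that DNO data be aggregated wherever possible, can be enforced in code before any aggregate is released. This is an added example, not taken from any DNO's system: the threshold of 20 households, the substation names and the MPAN strings are constructed assumptions, since the text above sets no numeric limit.

```python
from collections import defaultdict

MIN_HOUSEHOLDS = 20  # assumed threshold for this example


def aggregate_by_substation(readings, min_households=MIN_HOUSEHOLDS):
    """readings: iterable of (substation, mpan, slot, kwh), slot in 0..47.

    Returns (released, suppressed). released maps (substation, slot) to the
    summed kWh; suppressed lists the cells withheld because too few distinct
    households contributed to them.
    """
    members = defaultdict(set)    # (substation, slot) -> distinct MPANs seen
    totals = defaultdict(float)   # (substation, slot) -> summed kWh
    for substation, mpan, slot, kwh in readings:
        if not 0 <= slot <= 47:
            raise ValueError(f"slot {slot} is outside a 48-reading day")
        members[(substation, slot)].add(mpan)
        totals[(substation, slot)] += kwh
    released, suppressed = {}, []
    for cell in sorted(members):
        # Count households per cell, not per substation: a comms gap can
        # shrink a large group to a handful of meters for one half-hour.
        if len(members[cell]) >= min_households:
            released[cell] = round(totals[cell], 3)
        else:
            suppressed.append(cell)
    return released, suppressed


def constructed_readings():
    """Constructed sample: SUB-A has 25 households, SUB-B has 10."""
    rows = []
    for h in range(25):
        for slot in range(48):
            if slot == 3 and h >= 5:
                continue  # constructed gap: only 5 meters reported slot 3
            kwh = 0.5 if slot == 14 else 0.2
            rows.append(("SUB-A", f"MPAN-A{h:02d}", slot, kwh))
    for h in range(10):
        for slot in range(48):
            rows.append(("SUB-B", f"MPAN-B{h:02d}", slot, 0.2))
    return rows
```

Every SUB-B cell is withheld, and so is the single SUB-A half-hour in which only five meters reported, even though SUB-A as a whole is above the threshold.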
Privacy frameworks govern who is permitted to access data and under what conditions. Cybersecurity infrastructure governs how that data is protected from those who are not permitted — and the DCC's PKI-E is the primary technical mechanism for this.
9.3 Cybersecurity: PKI-E and NIS
Privacy frameworks protect data from misuse by authorised parties. Cybersecurity protects data from unauthorised access entirely. In the smart metering ecosystem, the primary cybersecurity mechanism is the Public Key Infrastructure for Energy (PKI-E), operated by the DCC.
PKI-E four-tier certificate hierarchy
PKI-E uses a hierarchical certificate structure with four tiers:
Tier 1 — Root Certificate Authority. The top of the hierarchy. The root CA issues certificates to Tier 2 CAs. Its private key is held in a hardware security module (HSM) in a physically secured facility and is used extremely rarely (only to sign Tier 2 certificates). Compromise of the root CA would undermine the entire smart metering security model.
Tier 2 — Issuing Certificate Authorities. These CAs issue certificates to organisations (suppliers, DNOs, the DCC itself). There are separate issuing CAs for different purposes: one for device certificates, one for organisation certificates, and one for recovery certificates. This separation limits the blast radius of any single CA compromise.
Tier 3 — Organisation certificates. Each licensed energy company that communicates with smart meters via the DCC holds an organisation certificate. This certificate authenticates the organisation to the DCC and authorises it to send specific Service Requests to specific meters. The certificate is bound to the organisation's licence: if the licence is revoked, the certificate is revoked.
Tier 4 — Device certificates. Each SMETS2 smart meter holds a unique device certificate installed during manufacture. This certificate authenticates the meter to the DCC and encrypts the data in transit. Device certificates have a defined lifetime and must be renewed, though the renewal process is itself secured by the PKI-E hierarchy.
Every message between the DCC and a smart meter is encrypted and signed using certificates from this hierarchy. A supplier cannot read another supplier's meter data even if they intercept the communication, because the data is encrypted with keys that only the authorised parties hold.
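The structural rules of the hierarchy (issuer linkage, separate issuing CAs per purpose, revocation and expiry) can be modelled as below. This is an added example, not DCC code: it deliberately omits signature verification, and the `Cert` fields, subject names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str       # subject of the certificate that issued this one
    tier: int         # 1 root, 2 issuing CA, 3 organisation, 4 device
    purpose: str      # "root", "device", "organisation" or "recovery"
    not_after: date


def validate_path(leaf_subject, store, revoked, today):
    """Walk leaf -> issuing CA -> root over a trusted store; return (ok, reason)."""
    leaf = store.get(leaf_subject)
    if leaf is None or leaf.tier not in (3, 4):
        return False, "not a known organisation or device certificate"
    cert = leaf
    for expected_tier in (leaf.tier, 2, 1):
        if cert is None:
            return False, "issuer missing from store"
        if cert.tier != expected_tier:
            return False, f"{cert.subject}: unexpected tier {cert.tier}"
        if cert.subject in revoked:
            return False, f"{cert.subject}: revoked"
        if cert.not_after < today:
            return False, f"{cert.subject}: expired"
        # Purpose separation: a device cert must come from the device CA.
        if cert.tier == 2 and cert.purpose != leaf.purpose:
            return False, f"{cert.subject}: wrong issuing CA for a {leaf.purpose} certificate"
        if cert.tier != 1:
            cert = store.get(cert.issuer)
    return True, "ok"


def constructed_store():
    """Constructed certificates; none of these names exist in PKI-E."""
    far = date(2040, 1, 1)
    certs = [
        Cert("root", "root", 1, "root", far),
        Cert("device-ca", "root", 2, "device", far),
        Cert("org-ca", "root", 2, "organisation", far),
        Cert("supplier-a", "org-ca", 3, "organisation", far),
        Cert("meter-001", "device-ca", 4, "device", far),
        Cert("meter-misissued", "org-ca", 4, "device", far),  # wrong issuing CA
        Cert("meter-old", "device-ca", 4, "device", date(2025, 1, 1)),
    ]
    return {c.subject: c for c in certs}
```

Revoking `device-ca` in this model invalidates every device certificate while `supplier-a` still validates, which is the blast-radius limit that separate issuing CAs provide; revoking `root` invalidates everything.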
NIS Regulations and CAF v4.0
The Network and Information Systems (NIS) Regulations 2018 designate energy as a critical national infrastructure sector. Operators of Essential Services (OES) in energy — including transmission and distribution network operators, NESO, and the DCC — must comply with the NIS Regulations, which require them to implement appropriate and proportionate security measures.
Ofgem, as the competent authority for energy under NIS, uses the Cyber Assessment Framework (CAF) version 4.0 to assess compliance. The CAF covers four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents. Each objective has contributing outcomes and indicators of good practice that Ofgem assesses.
The Cyber Security and Resilience Bill
The Cyber Security and Resilience Bill, introduced in 2025, will update the NIS framework to address evolving threats. Key provisions relevant to energy data include expanded scope (potentially covering more energy organisations beyond current OES designations), mandatory incident reporting within tighter timeframes, supply chain security requirements (ensuring that third-party IT providers meet minimum security standards), and enhanced enforcement powers for Ofgem.
The right to be forgotten: a cybersecurity dimension
The right to erasure under UK GDPR intersects with cybersecurity in a non-obvious way. When a customer exercises their right to be forgotten, the data controller must delete their personal data from all systems where it is held. But in a complex ecosystem like smart metering, data exists in multiple locations: the supplier's billing system, the DCC's communications logs, the DNO's network planning database, and potentially in backup systems and disaster recovery sites. Ensuring complete deletion across all these systems, while maintaining the integrity of aggregate data that depends on the individual records, is a significant technical challenge. Most organisations cannot currently guarantee comprehensive erasure across all data stores.
In the DCC's PKI-E hierarchy, what does a Tier 4 device certificate authenticate?
Key takeaways
- UK GDPR applies fully to smart meter data. Half-hourly readings from a known address are personal data. Key provisions include lawful basis requirements (consent, contract, legal obligation, legitimate interests), data minimisation, right to erasure, and data portability — each creating specific operational challenges for the energy sector.
- The DUA Act 2025 introduces Smart Data (regulated API sharing with consent) and recognised legitimate interests (pre-approved processing without case-by-case balancing). If settlement is designated as a recognised legitimate interest, it could resolve the consent dispute — but the secondary legislation is not yet published.
- The DAPF tiered consent model creates four access levels: monthly data (no consent), half-hourly for settlement (contested between Ofgem and ICO as of March 2026), half-hourly beyond settlement (explicit opt-in), and DNO access (privacy plan required). The Ofgem vs ICO dispute centres on whether the BSC creates a sufficient legal obligation to collect half-hourly data without consent.
- The DCC PKI-E uses a 4-tier certificate hierarchy (Root CA → Issuing CAs → Organisation certificates → Device certificates) to encrypt and authenticate all smart meter communications. NIS Regulations and CAF v4.0 set the broader cybersecurity framework, with the Cyber Security and Resilience Bill expanding scope and enforcement.
Standards and sources cited in this module
ICO, Smart Metering and Privacy — Classification of Half-Hourly Data
Personal data determination for smart meter readings
Confirms that half-hourly consumption data from a known address is personal data under UK GDPR. Referenced in Section 9.1.
Data Use and Access Act 2025 (Royal Assent 19 June 2025)
Part 1: Smart Data; Part 4: Recognised Legitimate Interests
Source for the Smart Data framework and recognised legitimate interests provisions that may resolve the energy data consent dispute. Referenced in Section 9.2.
DCC, PKI-E Technical Architecture Documentation
Certificate hierarchy and security model
Source for the 4-tier PKI-E structure and the encryption model for smart meter communications. Referenced in Section 9.3.
Module 9 of 15 · Energy System Data Applied