14:54 PM, 22nd December 2022, About A year ago 6
Just come across something of interest and certainly a discussion point. You can opt out of the EPC register if you do not want other people to be able to see your EPC. (Contact the Department for Levelling Up, Housing and Communities (DLUHC).)
There has already been a debate about if an EPC is private information or not. I’m looking at it from the perspective of if an EPC was removed from the public register. If it’s not in the public domain, how can the Council for example access and see and any EPC? If the Local Authority decides to use its Council Tax or other records to collate a database of properties in the future for example that that do not have valid EPCs to C level, (with a view to contacting the owners of non-compliant properties to pursue prosecution) then surely this would be a breach of personal data?
ICO’s advice on the status of EPCs as personal data
Following is the ICO’s advice in substance, as set out in an email to the BSD dated 31 July 2013:
The issue of the extent to which information about a person’s property is the personal data of the person associated with it can be a difficult judgement. We can understand the logic behind the advice given previously about a property’s EPC certificate being the personal data of the property’s owner. However, our view in this case is that the EPC does not – in itself – constitute personal data. In short, our view is that information about things – for example houses – is only personal data about individuals where it is processed to learn, record or decide something about an identifiable living individual. We explain this for example at points 3.2 and 5 in our ‘Determining what is personal data’ guidance.
For the EPC certificate information to constitute personal data it would have to identify an individual in itself – it does not – or mean that it is reasonably likely that an individual could be identified from it. In our view, it is not reasonably likely that identification will take place. We concede that it would be possible for someone to take the EPC information and to use the Electoral Roll to deduce that ‘[Redacted] of 1 Blair St, Edinburgh lives in a property with an EPC certificate’. However, using our well-established tests of focus and context, we still would not say that the resultant information is the personal data of [Redacted]. It tell us nothing about [Redacted] himself, as the focus of the information is the energy performance of the house, not of [Redacted].
There could be cases where EPC information about [Redacted]’ house does constitute the personal data of [Redacted]. This could be the case where, for example, the Local Authority decides to use its Council Tax or other records to collate a database of houses that do / do not have EPC’s, with a view to contacting the owners of non-EPC properties to promote the scheme, or where a double-glazing company establishes a link between a property and its owner in order to market its products to him or her. However, this is not happening in the case under consideration here.
Drawing the definition of personal data too wide, and replacing the test in the law for one of the possibility of identification would mean, for example, that a newspaper publishing advertisements for houses for sale would be processing the personal data of the houses’ owners because, ultimately, it would be possible for the publisher or a reader to deduce – again using the Electoral Roll – that [Redacted] has a house worth X amount. This is an approach ICO would reject.
Further correspondence in 2015
The Scottish Government had some follow-up correspondence with the ICO in 2015. It was concerned that a 2014 decision notice about a similiar request for EPC data from the Department for Finance and Personnel for Northern Ireland (DFP NI) represented a change in the ICO’s position on when information will or will not be personal data.
The ICO’s policy officer confirmed the position had not changed. The DFP NI decision notice, which was upheld by the First Tier Tribunal, applied to “a very specific set of circumstances” and was mainly about the costs associated with obtaining the data.
The policy officer commented further:
As I understand it, the Scottish Government are approaching the use of EPC data in a different context. You publish the EPC data without reference to any individual owner or occupier on it. Therefore, from the certificate alone, it is not possible to identify any individual, it does not relate to any individual (the data relates to the building), the act of publication is not being done to learn, decide or record anything about individuals but about buildings, and if I’m correct that certificates are only to be updated every 10 years, then the data will be the same regardless of whether the occupier changes during that time so the certificate itself can’t be about an individual. There would need to be some linking of the EPCs by an organisation with other data held by that same organisation for it to become personal data, and only in their hands.
Is the ICO advice still current?
There is a slight possibility that the ICO might provide a different view on the status of EPCs as personal data, if it was asked for fresh advice.
The advice in 2013 and 2015 was given when the Data Protection Act 1998 was in force. The UK General Data Protection Regulation is now the main statutory basis for data protection law in the UK. The Information Commissioner has also changed twice since 2015.
However, the definition of personal data in UK GDPR is functionally identical to that in DPA 1998. The ICO’s ‘Determining what is personal data’ guidance is still in use and has not been updated since 2012.
The analysis in the ICO advice remains robust, as far as I can see.
DLUHC’s position isn’t tenable
The above ICO advice and correspondence confirms my view that DLUHC’s position – that address level data concerning the energy performance of buildings constitutes personal data – cannot be correct.
Unless DLUHC has some other arguments not considered by the ICO in the analysis given to the Scottish Government, it should clarify in its documentation that the EPC records do not contain personal data (in the form in which they are released as bulk data).
DLUHC’s current approach is confusing and serves to discourage re-use of the EPC data.