Licensed Distribution System Operators (LDSOs);
Unmetered Supplies Operators (UMSOs);
Supplier Meter Registration Services (SMRSs);
Data Aggregators (Half Hourly and Non-Half Hourly) (HHDAs and NHHDAs);
Data Collectors (Half Hourly and Non-Half Hourly) (HHDCs and NHHDCs);
Central Volume Allocation Meter Operator Agents (CVA MOAs); and
Meter Administrators (MAs).
Intellectual Property Rights, Copyright and Disclaimer
The copyright and other intellectual property rights in this document are vested in Elexon or appear with the consent of the copyright owner. These materials are made available for you for the purposes of your participation in the electricity industry. If you have an interest in the electricity industry, you may view, download, copy, distribute, modify, transmit, publish, sell or create derivative works (in whatever format) from this document or in other cases use for personal academic or other non-commercial purposes. All copyright and other proprietary notices contained in the document must be retained on any copy you make.
All other rights of the copyright owner not expressly dealt with above are reserved.
No representation, warranty or guarantee is made that the information in this document is accurate or complete. While care is taken in the collection and provision of this information, Elexon Limited shall not be liable for any errors, omissions, misstatements or mistakes in any information or damages resulting from the use of this information or action taken in reliance on it.
Description of Changes
Approved for use by the BSC Panel
February 2009 Release
1 September 2021 Non-Standard Release
Acronym / Term
Balancing and Settlement Code
Balancing and Settlement Code Company
Balancing and Settlement Code Procedure
Code Subsidiary Document
Central Volume Allocation
Central Volume Allocation Meter Operator Agent
Half Hourly Data Aggregator
Half Hourly Data Collector
Licensed Distribution System Operator
Non-Half Hourly Data Aggregator
Non-Half Hourly Data Collector
Party Service Line
Supplier Meter Registration System
Supplier Volume Allocation
Supplier Volume Allocation Agent
SVA Meter Operator Agent
Unmetered Supplies Operator
locked computer rooms;
restrictions on access to buildings containing computer equipment;
restricted access to asset moving documents relating to the computer hardware; and
fire protection and safety equipment to protect hardware.
password protection at system, application and program level, and if appropriate, at a more detailed level;
preventing users from accessing the operating system prompt;
monitoring of reports showing attempted and/or actual access violations;
tighter controls than those already stated over access to special system privileges;
authentication of remote access attempts;
controls to safeguard the confidentiality and integrity of data passing over public networks;
restricted access to documents/systems forming part of the security system;
hardware/software mechanisms that can be independently evaluated to provide assurance that the system enforces the requirements of the security policy; and
audit trails kept and protected so that actions affecting security can be traced and attributed to the responsible party.
a security policy communicated to all employees at the Market Participant’s organisation and strongly endorsed by management;
procedures in place to ensure periodic reviews of security policy;
clear data ownership and ownership of all significant information assets including information, software, and physical assets; and
compliance with legal, contractual and Qualification requirements.
restricting access to computer hardware, being tangible computer equipment such as terminals, cables, disk drives, servers, disks and magnetic media (e.g. tapes);
restricting access to software, being computer programs and all user documentation in respect of such programs, as well as systems level access, application level access and access to particular programs; and
restricting access to hard copy reports produced by the computer systems.
data is only made available to those parties legitimately entitled to receive it;
data is kept physically secure; and
data is adequately protected against the risk of data loss from fire, water damage and theft.
ensuring that the correct versions of the application files are available at the appropriate time to allow efficient processing;
scheduling of processes to ensure that processing is performed in the correct sequence;
procedures to allow recovery in the event of a processing failure;
procedures to “back out” erroneous changes to data caused by rogue programs;
operational maintenance of the computer system to ensure that it is kept secure; and
scheduling of data processing to ensure that timetables are met and output data is available on time.
a documented security policy, communicated throughout the Market Participant’s organisation to all employees;
procedures to ensure periodic reviews of security policy;
monitoring of the performance of data processing systems with procedures available to deal with problems;
formal employment policy, including adequate documentation of the employment procedure, formal terms and conditions of employment and disciplinary procedures;
adequate training of all staff; and
adequate documentation of procedures, processes and, where appropriate, systems.
virus detection and prevention measures, communicated to all users;
controls over computer operations to ensure that processing is executed in the correct sequence and that any dependencies between processes (e.g. waiting for a file to be available before starting a batch program) are correctly taken into consideration;
formal change control procedures;
appropriate maintenance arrangements for hardware and software;
system housekeeping procedures to maintain the integrity and availability of services;
support facilities, such as help desks; and
clear responsibilities and procedures for systems operation and maintenance.
ensuring that data is correctly recovered and processing correctly resumed; and
ensuring that processing is resumed as soon as possible.
a fully documented and tested disaster recovery plan in place (as described in Section 2.3); and
procedures for the periodic review and testing of disaster recovery plans, which should be performed at least annually.
backups of programs and data to ensure essential data and software can be restored in the event of a disaster;
periodic testing of restoration of backed up data;
features within the database management system software to safeguard data integrity in the event of a system failure (such as transaction logging); and
insurance policies to cover hardware and communications.
checking that the file has been completely transmitted and received;
ensuring that the file transmitted has not had errors introduced by the transmission process;
checking that the correct authorised party has received the file; and
ensuring that if more than one authorised party receives data from the Market Participant, then each recipient obtains an exact copy of the data submitted.
effectively meet the relevant control objective(s);
be operated effectively throughout the relevant period;
have a documented procedure; and
have this operation recorded.
processes must be documented so that anyone wishing to verify the processing has a description of what it should be;
all processing must be recorded and these records must contain such cross references as are necessary to allow verification by tracing data through processing, forwards and backwards, conveniently; and
audit trails must be maintained as described in the BSC and relevant CSDs.