Data Protection BSC Controllers and BSC Processors
Guidance Note
BSC Controllers and BSC Processors
What is Relevant BSC Personal Data?
Processing Relevant BSC Personal Data under the BSC.
How a Party can determine whether it is a controller or a processor
Obligations on BSC Controllers and BSC Processors.
What is Relevant BSC Personal Data?
Personal data is defined under Data Protection Legislation as information relating to natural persons who:
can be identified or who are identifiable, directly from the information in question; or
can be indirectly identified from that information in combination with other information.
Processing means taking any action with personal data. This includes making a record of information relating to an individual, using it, sharing it and storing it.
Under the BSC some kinds of personal data are processed for Settlement. This includes data about energy consumption of domestic or micro business consumers that is linked to meter identification data. With the introduction of MHHS, a significant volume of such data is processed for Settlement.
Relevant BSC Personal Data is defined in the BSC to mean:
Personal data (including MPAN core, MPAN address and Meter ID data) which Suppliers and/or Distribution System Operators are required to submit for Settlement purposes.
In this definition personal data has the same meaning as in the Data Protection Legislation.
Processing Relevant BSC Personal Data under the BSC.
In addition to obligations imposed under Data Protection Legislation, the BSC sets out intersecting requirements for Parties processing Relevant BSC Personal Data to carry out functions, roles or responsibilities under the BSC. For example, when performing its Settlement functions under the BSC, Elexon is a BSC Processor processing Relevant BSC Personal Data on behalf of one or more BSC Controllers, but when processing Relevant BSC Personal Data for its performance assurance functions under the BSC, Elexon is a BSC Controller.
Under Data Protection Legislation, a data controller is the entity that is responsible for deciding how personal data is processed and protecting it from harm. If, as part of its business, a Party decides to collect personal data of certain individuals in order to process it, that Party will likely be a controller. For example, a Supplier will decide to collect customer personal data to process it for the purpose of supplying, and charging for, energy.
Data controllers can delegate the processing of personal data to data processors, but the responsibility for keeping it safe will still rest with the controller. The controller will meet that responsibility by ensuring that processors are contractually bound to keep the personal data secure.
Under the BSC, a BSC Controller means a Party that is acting as a controller in processing Relevant BSC Personal Data. A Party that is responsible for collecting personal data to have it processed for Settlement will be a BSC Controller. For example, Suppliers and DSOs are likely to be BSC Controllers.
Each Party is responsible for deciding whether it is a controller under Data Protection Legislation and a BSC Controller in relation to specific processing of Relevant BSC Personal Data.
What must a BSC Controller do?
The BSC sets out specific undertakings and responsibilities of BSC Controllers, which apply in addition to responsibilities imposed under Data Protection Legislation on data controllers generally.
Under the BSC, BSC Controllers give each BSC Processor general authorisation to appoint sub-processors as necessary to carry out functions required by the BSC, and the Panel has power to act on behalf of BSC Controllers collectively to object (on reasonable grounds) to the appointment of a sub-processor.
The BSC also sets out the nature, purpose and duration of processing that Elexon does on behalf of BSC Controllers in performing its Settlement functions. Where another BSC Processor processes personal data for one or more BSC Controllers, the processing is for the purpose of meeting the BSC Controllers’ obligations under the BSC.
A Party that is a BSC Controller is responsible for complying with Data Protection Legislation requirements in respect of the Relevant BSC Personal Data and is also responsible for the compliance of BSC Processors that process Relevant BSC Personal Data on the controller’s behalf. BSC Controllers are responsible for ensuring that the individuals whose personal data is being processed can exercise their rights in relation to that data. They are responsible for giving those individuals privacy information, including clear, easy-to-understand information on the purpose for processing, how long the personal data will be retained, and who it will be shared with.
Under Data Protection Legislation data controllers are responsible for informing the Information Commissioner about a personal data breach. BSC Controllers are responsible under the BSC for informing the Information Commissioner and data subjects about personal data breaches involving Relevant BSC Personal Data.
Under the BSC, if a BSC Processor becomes aware of a personal data breach involving Relevant BSC Personal Data it must notify BSC Controllers and the Panel. The Panel will act on behalf of all affected BSC Controllers to liaise with the BSC Processor and assist BSC Controllers to meet their obligations under Data Protection Legislation to notify the Information Commissioner and data subjects.
Under Data Protection Legislation, a data processor processes personal data on behalf of, and under the direction of, a data controller. A Party will likely be a processor if it processes Relevant BSC Personal Data on behalf of another Party.
Like a controller, a data processor must also protect people’s personal data, but the main responsibility rests with the controller - the processor only processes the personal data on behalf of the controller and would not otherwise have any reason to have it.
Under the BSC, a BSC Processor means a Party that is acting as a processor in processing Relevant BSC Personal Data on behalf of one or more BSC Controllers. A Party that processes personal data on behalf of a BSC Controller for the purpose of Settlement in accordance with the BSC will be a BSC Processor. For example, Elexon is a BSC Processor when it processes Relevant BSC Personal Data submitted to it by (or on behalf of) BSC Controllers for the purpose of Settlement.
What must a BSC Processor do?
The BSC sets out specific undertakings and responsibilities of BSC Processors, which apply in addition to responsibilities imposed under Data Protection Legislation on data processors generally.
Under the BSC, a BSC Processor must only process Relevant BSC Personal Data for purposes permitted by the BSC, with the BSC taken to be the documented instructions of each of the BSC Controllers on whose behalf the processor is processing. In addition, the BSC requires that a BSC Processor not process Relevant BSC Personal Data in a way that would be likely to cause a BSC Controller to be in breach of obligations under the Data Protection Legislation.
BSC Processors must take steps, which are set out in the BSC, to ensure that Relevant BSC Personal Data is kept confidential and secure, in accordance with the requirements of Data Protection Legislation. They must also assist BSC Controllers to comply with Data Subject Rights Requests in respect of Relevant BSC Personal Data. If a BSC Processor wants to transfer Relevant BSC Personal Data outside the UK and European Economic Area, it must ensure it meets the Data Protection Legislation requirements for cross-border transfer of personal data.
If a BSC Processor becomes aware of a personal data breach involving Relevant BSC Personal Data, the processor must notify BSC Controllers and the Panel to enable compliance with Data Protection Legislation obligations. In this situation, BSC Processors must only take instructions from, and provide information to, the Panel, acting on behalf of all relevant BSC Controllers.
Intellectual Property Rights, Copyright and Disclaimer
The copyright and other intellectual property rights in this document are vested in Elexon or appear with the consent of the copyright owner. These materials are made available for you for the purposes of your participation in the electricity industry. If you have an interest in the electricity industry, you may view, download, copy, distribute, modify, transmit, publish, sell or create derivative works (in whatever format) from this document or in other cases use for personal academic or other non-commercial purposes. All copyright and other proprietary notices contained in the document must be retained on any copy you make. All other rights of the copyright owner not expressly dealt with above are reserved. No representation, warranty or guarantee is made that the information in this document is accurate or complete. While care is taken in the collection and provision of this information, Elexon Limited shall not be liable for any errors, omissions, misstatements or mistakes in any information or damages resulting from the use of this information or action taken in reliance on it.