The Department for Levelling Up, Housing & Communities (DLUHC) publishes Energy Performance Certificates for properties in England and Wales as bulk downloads at epc.opendatacommunities.org.

The data is available for re-use as open data under the Open Government Licence (excluding the address fields and postcodes).

However, DLUHC also maintains that the EPC records are personal data:

Address level data concerning the energy performance of buildings constitute personal data for the purposes of the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018). Anyone using personal data must comply with the data protection legislation.

In an earlier post, I highlighted the incompatibility of those two positions and argued that the EPC data is not personal data within the meaning of data protection law.

One of the points I made was that the Scottish Government does not consider its published EPC data to be personal data. It says:

Following advice from the Information Commissioner's Office, EPC and recommendations report are not considered to be 'personal data' and therefore the data 'opt-out' option is no longer in force. However, access will be restricted for the buildings where building owners used the 'opt-out', the restriction will remain in place until the EPC is updated or replaced.

I asked the Scottish Government for information about its correspondence with the ICO. The Scottish Government's Heat Networks & Investment Unit has kindly provided copies of emails, a meeting note, and written advice that the ICO provided in 2013 and 2015: EIR-202200286805.zip.


Context for the ICO advice

The background for the Scottish Government's request is set out in a note prepared by the Scottish Government's Building Standards Division (BSD).

In 2013, the BSD received a request from a BBC researcher for a copy of the Scottish Energy Performance Certificate Register for non-domestic properties, in a re-usable format.

DCLG (DLUHC's predecessor) received a similar request for data from the Non Domestic Energy Performance Register for England and Wales. DCLG dealt with the request under the Environmental Information Regulations 2004 (EIRs) and rejected it, citing regulation 6(1)(b) – that the information was publicly available and easily accessible. At that time, DCLG provided an online facility that enabled members of the public to access details of individual EPCs.

(In a decision notice the following year, the ICO said DCLG was mistaken. Regulation 6(1)(b) did not apply because the information could only be obtained by the onerous method of searching for each valid UK postcode.)

At that time, the Scottish Government did not maintain any online search facility for EPCs in Scotland. The BSD was not sure whether DCLG's facility was compatible with the Data Protection Act 1998:

We are not clear precisely how this has been taken forward nor how this is compatible with use of personal data under the DPA.

and was concerned that release of EPC data (in response to the request under EIR) would contravene data protection:

Although the EPC does not contain any details of the building owners, by using the address on publicly available website such as electoral rolls or the Scottish Assessors web portal, building owners can be identified, the purchase price of the building and also the business rates/council tax the building owner is liable for. Therefore any documentation which contains address details alongside other information is, to date, considered as personal data and would be subject to an exemption under Regulation 10 (3) of the EIR? Is this assertion considered valid?

Accordingly, the BSD sought and obtained advice on the status of EPCs as personal data from a Senior Policy Officer at the ICO.


Differing opinion at the ICO

From the correspondence between the BSD and the ICO, it is clear that DCLG had previously received advice from the ICO to the effect that EPC data was personal data:

Also now advised from our opposite number in DCLG that they still regard EPC data as personal data as confirmed by the Information Commissioner for England. Their policy contact in ICO is [redacted]. Would it be beneficial to catch up with [redacted] on his discussions with DCLG?

However, the ICO's policy officer was "uncomfortable" with the differing opinion the BSD has had on the matter, and said after making enquiries:

[Redacted], who was the contact at that time, could not find any documentation on the matter and his memory on the subject is that it was highly likely to have been advice provided verbally, either over the telephone or in a meeting. Fortunately, I managed to catch [Redacted] before he left the ICO last Friday but it does mean that he can no longer have an input into this discussion. In any event, it is not the first time, nor will it be the last, that the ICO has changed its view on a matter over time. The wonder of applying data protection legislation is that it is entirely contingent upon context and the concept of reasonableness. There is no doubt that with the change of Commissioners comes a change in how they interpret the legislation and we have come from the very strict interpretive regime under [Redacted] towards the more pragmatic, risk-based approach of [Redacted]. This can be seen across the organisation, both in terms of structure and culture, but it is particularly evident in the way the ICO’s view has evolved on what constitutes personal data and what is reasonable to expect in relation to processing. When you think about it pragmatically, it would be unrealistic to expect our view to remain static given the shifting nature of the legislative/policy environment and public acceptability but especially given the seemingly exponential growth and use of technology.

(The above suggests the advice to DCLG was given before Christopher Graham took over from Richard Thomas as Information Commissioner, which was in 2009.)


ICO's advice on the status of EPCs as personal data

Following is the ICO's advice in substance, as set out in an email to the BSD dated 31 July 2013:

The issue of the extent to which information about a person’s property is the personal data of the person associated with it can be a difficult judgement. We can understand the logic behind the advice given previously about a property's EPC certificate being the personal data of the property's owner. However, our view in this case is that the EPC does not – in itself – constitute personal data. In short, our view is that information about things – for example houses – is only personal data about individuals where it is processed to learn, record or decide something about an identifiable living individual. We explain this for example at points 3.2 and 5 in our 'Determining what is personal data' guidance.

For the EPC certificate information to constitute personal data it would have to identify an individual in itself – it does not – or mean that it is reasonably likely that an individual could be identified from it. In our view, it is not reasonably likely that identification will take place. We concede that it would be possible for someone to take the EPC information and to use the Electoral Roll to deduce that '[Redacted] of 1 Blair St, Edinburgh lives in a property with an EPC certificate'. However, using our well-established tests of focus and context, we still would not say that the resultant information is the personal data of [Redacted]. It tells us nothing about [Redacted] himself, as the focus of the information is the energy performance of the house, not of [Redacted].

There could be cases where EPC information about [Redacted]'s house does constitute the personal data of [Redacted]. This could be the case where, for example, the Local Authority decides to use its Council Tax or other records to collate a database of houses that do / do not have EPCs, with a view to contacting the owners of non-EPC properties to promote the scheme, or where a double-glazing company establishes a link between a property and its owner in order to market its products to him or her. However, this is not happening in the case under consideration here.

Drawing the definition of personal data too wide, and replacing the test in the law for one of the possibility of identification would mean, for example, that a newspaper publishing advertisements for houses for sale would be processing the personal data of the houses' owners because, ultimately, it would be possible for the publisher or a reader to deduce – again using the Electoral Roll – that [Redacted] has a house worth X amount. This is an approach ICO would reject.


Further correspondence in 2015

The Scottish Government had some follow-up correspondence with the ICO in 2015. It was concerned that a 2014 decision notice about a similar request for EPC data from the Department for Finance and Personnel for Northern Ireland (DFP NI) represented a change in the ICO's position on when information will or will not be personal data.

The ICO's policy officer confirmed the position had not changed. The DFP NI decision notice, which was upheld by the First Tier Tribunal, applied to "a very specific set of circumstances" and was mainly about the costs associated with obtaining the data.

The policy officer commented further:

As I understand it, the Scottish Government are approaching the use of EPC data in a different context. You publish the EPC data without reference to any individual owner or occupier on it. Therefore, from the certificate alone, it is not possible to identify any individual, it does not relate to any individual (the data relates to the building), the act of publication is not being done to learn, decide or record anything about individuals but about buildings, and if I'm correct that certificates are only to be updated every 10 years, then the data will be the same regardless of whether the occupier changes during that time so the certificate itself can't be about an individual. There would need to be some linking of the EPCs by an organisation with other data held by that same organisation for it to become personal data, and only in their hands.


Is the ICO advice still current?

There is a slight possibility that the ICO might provide a different view on the status of EPCs as personal data, if it was asked for fresh advice.

The advice in 2013 and 2015 was given when the Data Protection Act 1998 was in force. The UK General Data Protection Regulation is now the main statutory basis for data protection law in the UK. The Information Commissioner has also changed twice since 2015.

However, the definition of personal data in UK GDPR is functionally identical to that in DPA 1998. The ICO's 'Determining what is personal data' guidance is still in use and has not been updated since 2012.

The analysis in the ICO advice remains robust, as far as I can see.


DLUHC's position isn't tenable

The above ICO advice and correspondence confirm my view that DLUHC's position – that address level data concerning the energy performance of buildings constitutes personal data – cannot be correct.

Unless DLUHC has some other arguments not considered by the ICO in the analysis given to the Scottish Government, it should clarify in its documentation that the EPC records do not contain personal data (in the form in which they are released as bulk data).

DLUHC's current approach is confusing and serves to discourage re-use of the EPC data.