Introduction
This Policy ensures that all handling of assessment data and personal information is done in strict accordance with UK GDPR/Data Protection Act 2018 requirements and the Energy Assessor Scheme Operating Requirements. The Policy explains how Vulcan and its members may share data with third parties, and how long data is retained and stored. Compliance with this Policy is part of the Member Code of Conduct.
Home Energy Foundry Limited’s current Data Protection Officer is its CEO Baz Iyer. Please note also the Data Privacy Policy outlined on our website.
Data Collection & Ownership
When conducting assessments, Members collect various data: building details, plans, photographs, calculations, personal information of the client (name, address, etc.), and Green Deal plan and funding eligibility. Under the Energy Performance of Buildings regulations, assessment data is considered the intellectual property of the Secretary of State (MHCLG) both once lodged and while it is being collected (e.g., pre-lodgement). Address-level data is the intellectual property of Royal Mail. Members and Schemes are custodians of this data. Assessors and Vulcan staff must not treat EPC datasets as their own to use freely; there are specific rules for using and sharing this information.
Purpose Limitation
EPC data cannot be shared, sold, or disclosed except for the purposes of issuing an Energy Performance Certificate or as otherwise legally permitted. For example, a Member cannot take the data from an EPC they produced and sell it to a marketing company – that would violate both GDPR and the Energy Performance of Buildings regulations. Likewise, Vulcan will use data submitted by Members (e.g. evidence for audits, or personal details for membership) strictly for scheme administration and compliance.
Data Sharing
By default, Vulcan and its assessors will not share personal or assessment data with any third party without a lawful basis. The primary “third party” is the MHCLG Energy Performance of Buildings team that maintains the ECaaS (Energy Calculations as a Service) API. When an assessor submits a Building Regulations assessment, the data is transmitted via ECaaS to the Register – this is fully within the legally expected use of the data. Beyond using ECaaS, data sharing can only occur in defined scenarios:
To the Client/Building Owner: The person commissioning the assessment (e.g., the builder, developer, or owner) has the right to the assessment outputs and the recommendations that accompany them. Vulcan Members are free to discuss and share data with their client.
To the Regulator: Vulcan will share relevant data with MHCLG and other regulatory bodies as required, under the lawful basis of legal obligation or legitimate interest in preventing fraud. Schemes are obliged to report certain information to MHCLG. If there is suspected fraud, Vulcan may share an assessor’s EPC data or evidence with MHCLG, the Police, and Trading Standards (Local Weights & Measures Body). We will document these disclosures and ensure only necessary information is shared.
Between Accreditation Schemes: Data may be shared between Schemes, under the legitimate reason of maintaining standards. This sharing will be limited to necessary information to ensure shared oversight.
With Consent: Data may be shared more widely with explicit consent. For example, a Member might ask a client if they consent to using their data as a case study or for research.
Research Access: Vulcan can share data for the purposes of publicly useful research that is fully anonymised, or where consent has been obtained from the data subjects. We suggest Members refer research-related third-party requests to Vulcan.
The following data will never be shared:
The names of any individuals.
“Excluded Buildings” as defined in the Energy Performance of Buildings Regulations.
Green Deal information.
Data Storage, Retention & Security
All personal data and assessment records are stored securely. Digital data is stored on encrypted servers with access controls. Members should similarly secure their data. For example, an assessor who keeps survey photos on a laptop must ensure the device is password-protected.
We will observe the following specific retention requirements:
Assessment evidence (held by Members): Members must retain evidence used to complete assessments for fifteen (15) years in a resilient and secure place. This ensures the original data can be reviewed in case any issues arise, and meets Vulcan’s audit requirements.
Audit evidence (held by Vulcan): We will store evidence provided by a Member for audit purposes for no longer than 10 years (from the date of audit) in accordance with Data Protection legislation. We will store the outcome of the audit (e.g., pass or fail) beyond this timeframe.
Accreditation Records (held by Vulcan): Vulcan maintains a register of current and former members and their accreditation history. This includes application details, qualification proof, insurance proof, CPD logs, audit and complaints history, and status changes. We will retain former member records for at least the duration of any potential liabilities - typically at least 15 years, since a member’s actions could be scrutinised long after they have left. In practice, Vulcan may keep summary records indefinitely (for instance, noting that “Assessor X was revoked in year Y for reason Z”) to uphold scheme integrity and inform future decisions.
Client Personal Data: Personal data of property owners or other individuals collected in the course of producing Building Regulations assessments should generally be limited (e.g., name, address, and perhaps a phone number or email to arrange a visit). Identifying data beyond the address is not lodged. Members can delete personal contact data of clients after an assessment is completed, unless it is needed for receipts or business records. Vulcan recommends that Members do not hoard client personal data without a purpose. Any personal data that Vulcan holds (say, a complaint submission from a homeowner with contact information) is retained only as long as necessary to address the issue, and for legal and statistical purposes thereafter.
Rights of Data Subjects and Transparency
Under GDPR, individuals have rights regarding their personal data: access, rectification of errors, erasure, and objection to processing (note that this does not apply to general access or assessment data). Vulcan will facilitate these rights. For example, if a homeowner contacts Vulcan to ask what data we hold about them, we will respond and provide it where applicable (most often, we might only hold what is on their EPC, which is public, or correspondence they sent us). If a data subject asks Vulcan to delete personal data, we will do so if we have no legal need to keep it.
Vulcan will respond within 1 month of receiving any request. We will aim to rectify inaccurate data as soon as possible. Complex Subject Access Requests may require an extension of up to 2 months. We will notify applicants of the applicable timelines, and use our case management system to track response and resolution times.
Data Breach Protocol
Any confirmed personal data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals’ rights and freedoms. For more information see https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/.
Affected individuals must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
"Without undue delay" means as soon as reasonably possible, taking into account the need to gather facts, assess the risk, and determine notification content — typically within a few days.
Members are required to notify Vulcan immediately upon suspecting or confirming any breach involving personal data related to assessments.
What Constitutes a Risk to Individuals’ Rights and Freedoms
Examples include:
Loss of data (e.g., full name, address, contact details) that could be used for identity fraud.
Disclosure of sensitive data (e.g., personal situations noted in site notes or assessment comments).
Circumstances where an assessor’s report includes information about vulnerable occupants.
Repeated system breach indicating negligence in protecting personal data.
Such events may cause harm including discrimination, reputational damage, financial loss, loss of confidentiality, or distress to individuals. Vulcan considers the context, nature, scope, and severity of each breach when assessing its risk.
Please note that Regulation 9 of the Energy Performance of Buildings Regulations states: “(3) An energy performance certificate must not contain any information or data (except for the address of the building) from which a living individual (other than the energy assessor or his employer) can be identified.” Capturing sensitive data may therefore breach this requirement.
Breach Detection and Assessment
The Data Protection Officer (DPO) will log the incident, conduct an initial impact assessment, and determine whether it meets the threshold for reporting.
Each breach log will include:
Nature of the breach (e.g. accidental loss, unauthorised access)
Categories and number of individuals/data records affected
Likely consequences
Measures taken or proposed to address the breach
Response Actions
Secure and isolate affected systems or data.
Notify internal teams (engineering, legal, support).
Communicate with affected individuals if required.
Implement corrective actions and preventive controls.
Record-Keeping and Oversight
All personal data breaches will be recorded in Vulcan’s internal breach register, regardless of whether they are reportable to the ICO.
The DPO will review breach trends quarterly to identify systemic issues.
An annual data protection summary will be shared with the Board and included in MHCLG reporting where relevant.
