
Reporting a Personal Data Breach that impacts REC Data

As per Clauses 19.9 and 20.4 of the Main Body of the Retail Energy Code (REC), REC Parties are required to report a Personal Data Breach or a potential Personal Data Breach where there is an impact to REC Data.

A data breach is a situation where the confidentiality, integrity, and/or availability of REC Data has been impacted. This can mean that data has been disclosed to an unauthorised individual, such as being sent to the wrong person, or that data has been modified without authorisation, such as address data being incorrectly updated.

A personal data breach occurs when Personally Identifiable Information (PII) relating to an individual has been impacted, for example by being provided to an unauthorised party or modified through error or malicious actions. PII is data that relates to a living individual who can be identified from the information we hold. Examples of PII can include name, address, date of birth, telephone number, passport number, MPxN, etc.

Data breaches can result in a negative impact to consumers as well as a risk of fines and regulatory censure against RECCo and the REC Parties.

Contents

  1. How to report a Centralised Registration Service linked Personal Data Breach
    1.1. What happens next
  2. How to report a non-CRS linked Personal Data Breach
    2.1. What happens next

 

How to report a Centralised Registration Service linked Personal Data Breach


If you become aware of a potential Personal Data Breach concerning REC Data that relates to any Centralised Registration Service (CRS), including the Central Switching Service (CSS), CSS Certificate Authority and Switching Operator, you will without undue delay notify the CRS Provider and the REC Data Protection Officer using the link below.

To report a Personal Data Breach to the CRS Provider, email the details to Smart DCC and the REC Data Protection Officer via this link. Please provide a description of the compromised data, the date and time that the impact was first noticed, how the data was compromised, and any other supporting information that may help the investigation.

It is also recommended that you inform the party that you believe has caused the Personal Data Breach, and that they delete any personal data incorrectly received. If you have caused the breach by sending data to an unauthorised party, you must request that the party delete the data.

Where data has been received by an unauthorised party, it is recommended that you inform them and that they also delete any data incorrectly received. 

What happens next

The RECCo Data Protection Officer and the CRS Provider will contact the reporting individual and proceed to investigate the potential data breach. The REC Board will consider if there is a requirement to communicate the Personal Data Breach to other relevant parties as it sees fit.

How to report a non-CRS linked Personal Data Breach


If you become aware of a Personal Data Breach, or a potential Personal Data Breach, impacting REC Data not linked to the Centralised Registration Service (CRS), you must notify the REC Data Protection Officer within one working day.

To report a Personal Data Breach to the REC Data Protection Officer, email the details to infosec@retailenergycode.co.uk. Please provide a description of the compromised data, the date and time that the impact was first noticed, how the data was compromised, and any other supporting information that may help the investigation.

Where data has been received by an unauthorised party, it is recommended that you inform them and that they also delete any data incorrectly received. 

What happens next

If requested by the REC Data Protection Officer, you shall provide such reasonable and timely assistance as the REC Board may require in order to conduct a data protection impact assessment in accordance with Data Protection Legislation.

The REC Data Protection Officer will consider each individual Personal Data Breach and determine whether, and what, communication to REC Controllers is required.
