During 2025, conversations with RIIO-2 licensee members of Open Energy surfaced uncertainty about how best to comply with the “presumed open” requirement of Ofgem Data Best Practice Guidance while also having access controls on data. Open Energy undertook a short workstream to collaboratively develop a clear position with its members.
A draft of this position paper was circulated ahead of a licensee working group meeting held on November 26, 2025. Following input from the workshop, this updated draft is being circulated for further feedback from wider energy data stakeholders.
Open Energy members hope that all RIIO-2 licensees, and the users of their data, will benefit from a clearly-articulated position on Open Data classification and access control. They would particularly welcome feedback from licensees who use third-party data platforms.
The Google version of the position paper is open to comments. Alternatively, interested parties may download a Word version.
Please send comments or feedback to openenergy@ib1.org before February 2, 2026.
Key points from the position paper
RIIO-2 licensees that are members of Open Energy will:
- Adopt and enact an updated Assured Open Data definition that includes purposes for registration:
- D1.5.3 Anonymous downloads of open data is strongly preferred, but where the dataset requires compulsory registration before download:
- D1.5.3.1 Registration is only conditional on completion of a lightweight challenge necessary for technical measures to minimise spam and bot abuse, such as verifying receipt of an email
- D1.5.3.2 Acceptance of registration is automatic and immediate
- D1.5.3.3 Registration may only be denied or withdrawn for misuse
- D1.5.3.4 The registration process does not introduce any barriers to automated downloads or API access. Access to data is identical in all respects to a simple HTTP download of a published URL or API, except for the addition of a static credential or token that does not need renewing
- D1.5.3.5 Require additional opt-in consent to use registration data for any further purpose. Data access must not be made conditional on obtaining any additional consents (e.g. use of registration data for analytics)
- D1.5.3.6 If registration is only available via a third party platform (Data Controller), the third party must also comply with conditions D1.5.3.1 – D 1.5.3.5
- D1.5.3.7 Third parties must transparently provide privacy policies and terms and conditions to the user if/where these differ from those of the Data Publisher.
- Apply the definition to metadata and data, meaning either or both may require registration
- Classify data requiring this form of registration as Open
- Licence data requiring this form of registration with either CC-BY-4.0 or OGLv3
- Implement information on registration forms/access gating screens making clear the purpose of this form of registration to end users and work with other licensees to align this language
- As required for compliance with UK GDPR, ensure privacy policies correctly reflect the use and protection of registration data, the length of time the data will be held, the situations where it would be disclosed
- Ensure terms of service for data portals do not contradict the Open Data licence being asserted for datasets on the portals
- Provide information in the registration process and/or the dataset listings that clearly separates Open Data “lightweight” registration from Shared Data registration requirements where registration may be used for other purposes, including limitations on access or use of the data
- Use registration as an opportunity, on a strictly opt-in basis, to provide additional benefits to users such as subscription to dataset update notifications or notifications of training opportunities