Data protection and smart meter data

Authors: Emily Judson, Faith Reynolds, Martin Chitty, Tim Johnson, Daniel Jenkins

An open-to-comment version of this document is available here


This research note outlines the policy and regulatory environment governing smart meter data in the UK. 

The two main governance frameworks consist of the General Data Protection Regulation (GDPR) [1] – implemented through the UK Data Protection Act (DPA) [2] – and the Data Access and Privacy Framework (DAPF) [3]. 

Access to aggregated, anonymised smart meter data is raised as an ongoing point of contention; explored in depth by the Public Interest Advisory Group (PIAG) [9] on smart meter energy data, convened by Sustainability First and the Centre for Sustainable Energy. The note concludes with a short section of FAQs that have been raised repeatedly in the course of the research. 


  • GDPR applies to any use of personal data, or any aggregated data through which it is possible to identify a living person (e.g. through dataset combination).
  • Data at the metering point and ‘behind the meter’ is considered personal data. This includes smart meter data and data related for example to smart home services, domestic disaggregation, smart appliances etc.
  • Data protected by GDPR generally requires opt-in consent to access, unless suitably aggregated or otherwise anonymised. Certain exceptions to opt-in consent for smart meter data access are outlined in the DAPF (see below).
  • Aside from obtaining individual consent, the GDPR contains certain provisions for accessing protected data if ‘substantial public interest’ can be demonstrated. Further research is required to ascertain whether any smart meter could be made available through this gateway. Substantial public interest is not in itself defined either in the GDPR or UK Data Protection Act, however a summary of conditions [4] is provided by the Information Commissioner’s Office (ICO).
    • Note: while certain conditions (e.g. statutory and government purposes) do not require upfront consent, the majority still do.


  • The DAPF is an additional framework governing access to smart meter data, designed to enhance public trust in the smart meter roll-out. It goes beyond GDPR stipulations regarding what data can be used for once consent is obtained. The DAPF is built from DECC smart meter privacy impact assessment conducted in 2012 [3].
  • Development of the DAPF reportedly responded to an absence of clear cross-sector agreement regarding what ‘legitimate purpose’ uses of smart meter data might look like at the beginning of the roll-out. In particular, there were concerns that regulated entities might be able to use the data for commercial gain rather than for facilitating customer benefit. Additional protections were therefore created and Ofgem’s role was strengthened.
  • The DAPF was reviewed by BEIS in 2018 and was upheld – further review will only be considered if more evidence is presented on use-cases requiring different data availability [5].

The DAPF defines consent processes and access rights to domestic and microbusiness smart meter data for three different types of actors:

  1. Suppliers can access:
  • Monthly data for billing processes – mandatory
  • Daily data for any purpose (except marketing) – opt-out
  • Half-hourly data for any purpose – opt-in only
  • Other data for marketing purposes – opt-in only (same as GDPR)
  • Note: to enable half-hourly settlement Ofgem may change these rules to ensure half-hourly data is universally accessible to suppliers (rather than the current opt-in arrangement).
  1. Distribution Network Operators (DNOs) can access smart meter data for ‘regulated purposes’ only. Prior to doing this, they must agree a privacy plan with Ofgem.
  1. Third parties who are Smart Energy Code (SEC) [6] signatories:
  • Can access smart meter data of any granularity – via opt-in consent only with regular reminders of that consent and based on confirmation that the request for the third party service comes from the individual.

PIAG on Smart MeterEnergy Data

  • The PIAG explores potential use-cases legitimising access to smart meter data for ‘public interest’ purposes. Key points from phase 1 of the project are outlined below. Phase 2 of the project (in progress) focuses on:
    • The ‘additionality’ that greater access to more granular smart meter data could bring to public interest actors;
    • How greater smart meter data access could help meet decarbonisation challenges, particularly around heat. 
  • Key points from Phase 1 report [7]:
    • The PIAG does not attempt to define the public interest. Rather, it proposes a process for considering questions raised. It also focuses on public policy use-cases rather than provision of commercial services.
    • Phase 1 considered a range of public interest use-cases for smart meter data. In all cases, it concluded that data requirements would be satisfied by access to aggregated or anonymised data sets, reducing privacy risks.
    • Other challenges identified:
  • There is no central repository of smart meter data in the UK.
  • Privacy must be preserved in the processes of collecting and processing (e.g. aggregating) raw meter data.
  • Increased use of AI and machine learning pose risks for individual re-identification through dataset combination.
  • The PIAG considers the following potential sources of smart meter data:
  • Suppliers currently have access to at least monthly smart meter data and are ‘data controllers’ from a GDPR perspective. They could potentially act as a source of input data if legally obligated to share this. However, there is currently no legislation requiring suppliers to share data, even at an aggregated level. Furthermore, the potential for multiple supplier arrangements in future may pose data duplication risks. 
  • DNOs with Ofgem-approved privacy plans can access aggregated/anonymised half-hourly smart meter data. However, there is currently no legislation requiring suppliers to share data, even at an aggregated level. There are also concerns about a lack of standardised data management practices amongst DNOs.
  • In future, settlement reform could see Electralink and Elexon given access to smart meter data. However, there is currently no legal obligation for these entities to share smart meter data. Furthermore,  customers can currently opt out of half hourly settlement, reducing overall data quality even if access to market-wide data was granted.
  • Given restrictions present in directly obtaining smart meter data, the PIAG proposes the creation of a ‘trusted processor’ role to handle smart meter data collation, aggregation/anonymisation, and public interest data requests.
    • The Office for National Statistics (ONS) is proposed as the ‘obvious candidate’ for this role as: ‘it already fulfils that role in other sectors. It also has access to other household-level data which could be linked with smart meter data before then being aggregated or anonymised. The ONS could use its powers under the DEA to collect data from suppliers,or their agents, for statistical and research purposes (where suppliers already hold that data). Whether ONS would be in a position to take on that role will depend on their current priorities and resources’ [p.24].
    • BEIS or Electralink are proposed as alternative actors with potential capacity to take on the trusted processor role. 


  • Question: Who owns smart meter data in the UK?
  • Response: smart meter data is classified as personal data, owned by the consumer. The consumer is the source of consent for any onward data-sharing.
  • Question: who has access to smart meter data?
  • Response: this is outlined in the section on the DAPF above.
  • Question: how does settlement reform relate to smart meter data?
  • Response: the designated settlement body will eventually hold smart meter data in order to facilitate half-hourly settlement, however the body does not yet exist. 
  • Question: can the Smart DCC ‘see’ all smart meter data?
  • Response: Smart DCC has held the Smart Meter Communications License to build and maintain secure national infrastructure underpinning the smart meter roll-out since 2013. Smart DCC uses a ‘public key’ system to encrypt messages transmitted through its network. This means that the DCC does not store consumer data and it can only decrypt and access data with consent. Smart DCC has two key roles in providing data to external parties:
  1. Providing aggregated smart metering data to network operators
  2. Allowing authorised third parties to provide consumers with information they have requested, such as how they can reduce their energy usage.
  • Question: can Electralink ‘see’ smart meter data? 
  • Response: Electralink stores data on smart meter installation (numbers and location), supplier switching, and industrial and commercial consumption, among other datasets [8]. However, they do not have access to comprehensive domestic smart meter data.


  1. European Union (2018): General Data Protection Regulation. Available via: 
  2. UK Government (2018). Data Protection Act 2018. Available via: 
  3. DECC (2012: Smart Metering Implementation Programme Data access and privacy – government response to consultation. Accessible via: 
  4. Information Commissioner’s Office (no date). What are the substantial public interest conditions? Available via: 
  5. BEIS (2018). Smart metering implementation programme: review of the Data Access and Privacy Framework. Available via: 
  6. Gemserv (2020. Smart Energy Code. Current version available via: 
  7. Frerk, M., Ward, J., Roberts, S. and Hodges, N. (2019). Final Report Phase 1. Available via: 
  8. Electralink (no date). Open Data. Available via: 
  9. Public Interest Advisory Group on smart meter energy data (PAIG)