Michael Roberts

6 March 2017

Michael Roberts

Chief Executive

Water UK

36 Broadway

London SW1H 0BH

Dear Michael,

Data Protection

Thank you for your letter of 1 March 2017 on the issue of data protection.

I understand the importance of statutory compliance by all companies, not just licensed entities, with respect to this important legislation, especially given the General Data Protection Regulations that come into force on 1 April 2018.

In considering this issue, I would note that:

• Data Protection Act compliance is a matter of law and all companies are required to comply;
• This is a non-household market which, by its very nature, is not focussed on individuals or households;
• Companies are required to have applied the eligibility criteria to ensure that only premises where the principle use is a non-household activity are included;
• The privacy impact assessment undertaken last year confirmed that the level of personal information held within the central market system is low, both in the number of data items (name, address and a non-specific health flag) and the number of premises to which it applies (i.e. only sole traders not operating as limited companies);
• Any personal data that has been provided will generally have been provided by individuals, on a voluntary basis, through their business or other non-household type activities;
• Companies having access to this data are licensed by Ofwat and have obligations over and above those of a normal unregulated business - they are therefore unlikely to put their ability to operate in this sector at risk through non-compliance with the law; and
• The industry codes set out clear obligations on trading parties to protect data, use it only for the agreed purposes and comply with the law and cover many areas of the data management protocol, albeit in a less joined up way.

As you are aware, we have been working with the industry to incorporate a data management protocol within the market arrangements code. This would have bound all parties to the agreement at the commencement of the market. There are clearly differences of opinion across the sector as to how far this should go and how prescriptive it should be. The result was the Interim Codes Panel not feeling able to support the change proposal and recommending that it be reconsidered after market opening.

There are clearly many parties with different opinions on this issue across the market. Since I attended Water UK, Peter Simpson has been working across the undertaker community to find consensus on this matter. There has been none to date.

When taking account of the likely range of views across the smaller companies and the new entrant retailer community, there is little time to build such a consensus, given the decision by the Secretary of State this week that the market will open on 1 April 2017 and the need to enact the retail exit regulations ahead of this date through the pre-switching window.

This therefore comes down to an assessment of risk.

Having considered this with my Board, we are of the opinion that, for us, the inherent risk of a serious breach is low given the factors set out above. We take comfort from the fact that companies with access to this data are licensed by Ofwat and that the codes are quite explicit with respect to the need for signatories to comply with the Data Protection Act and to control use and access to this data. Furthermore, detailed guidance has been issued to all trading parties on the matter, especially the use of free-form text fields, which was a general concern as you know.

We are therefore of the view that the current version of the Wholesale Retail Code (WRC), the Market Arrangements Code (MAC) and the wholesale contract, together with the wider licensing regime under the Water Industry Act 1991, provides a sufficient legal framework, appropriate protection and secures compliance of the parties under the DPA for market opening. This means that the current data management protocol will remain in force until 31 March 2017 and the codes take legal effect from 1 April 2017.

We are not complacent, however. As with our recent correspondence on emergency contact details, we know that work will be required after market opening to improve the market and build greater confidence in how it operates. The General Data Protection Regulations (GDPR) that come into force next year means there will be a need to revisit data protection in the first year of the market.

Our proposal is therefore to work with the new enduring Panel to establish a GDPR issues group to prepare for this important legislation. This approachwould put the issue under the formal governance of the market and the new market processes and provide the necessary mechanisms to bring it to a resolution.

In the meantime, your members can be assured that we will continue to operate in line with the requirements of the current Data Management Protocol, with the same controls in place as we have had through shadow market operations.

Your members will each need to take their own opinion on this matter. However, we believe that this is a sensible and pragmatic way forward.

Yours sincerely

Ben Jeffs

CEO, MOSL