Privacy Notice

Published March 2021

We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us and supervisory authorities in the event that you have a complaint.

Who we are

Xoserve understands the importance of protecting personal information and is committed to complying with the UK GDPR and UK Data Protection Act (DPA 2018). In order to operate as a business and provide our services to you and to the gas industry, we collect, use and are responsible for some personal information about you. We are committed to protecting your privacy and to ensuring that your personal information is used properly, lawfully and transparently.

This notice explains when and why we collect personal information about the people who work for our customers and for gas consumers. It explains how we use that information, the conditions under which we may disclose personal information to others and how we keep the personal information we collect and process secure.

This notice applies to Xoserve Limited (“Xoserve”, “we”, “our”, or “us”). We are registered in England and Wales under company number 5046877 and have our registered office at Lansdowne Gate, 65 New Road, Solihull B91 3DL.

As we are based in the UK, we process data according to the UK GDPR which is enacted in law by the UK Data Protection Act (DPA 2018).

The personal information we collect and use:

In the course of the services that we provide to you, we collect your personal information. The personal information that you provide and how we use it may differ depending on the service that we provide to you.

To understand what we collect and how we use the personal information, we have separated our processing in the Appendices based on different types of activities, these include:

Who we share your personal information with:

We set out above who shares your information with Xoserve and who we share your information with. However, we may also share personal information with law enforcement or other such authorities where required by applicable law. We will not share your personal information with any other third party, where we are not authorised to do so.

How long do we keep your information for?

We will keep your personal information only as long as is necessary to conclude the purpose for which it was collected, or to meet legislative requirements. Personal information will be securely destroyed or put beyond use when it is no longer required, in accordance with our data retention and information management policy.

Transfer of your information out of the UK

As set out above, we may transfer your personal information outside the United Kingdom to what are described as “third countries”.

These third countries do not/may not have the same data protection laws as the United Kingdom. Those that do may be afforded adequacy decisions by the UK government where it has been agreed that they provide an adequate level of data protection similar to those which apply in the United Kingdom. Xoserve will ensure any transfer of your personal information will be subject to suitable safeguards. We often rely on Standard Contractual clauses, as approved by the UK, unless otherwise stated. These clauses are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.

We will not otherwise transfer your personal data outside of the UK or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.

Your rights

Legally, you have a number of important personal data rights. It must be noted that certain rights may not apply to Xoserve where we are not the data controller of that data:

  • Fair processing of information and transparency over how we use your personal information
  • Access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
  • Require us to correct any mistakes in the information which we hold
  • Require the erasure of personal information concerning you in certain situations
  • Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine
  • readable format and have the right to transmit those data to a third party in certain situations (data portability)
  • Object at any time to processing of personal information concerning you for direct marketing
  • Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
  • Object in certain other situations to our continued processing of your personal information
  • Otherwise restrict our processing of your personal information in certain circumstances

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • Email box.xoserve.data.protection@xoserve.com, or write to us at Xoserve Ltd, Lansdowne Gate, 65 New Road, Solihull, B91 3DL
  • Let us have enough information to identify you, for example let us know your name and the customer you work for
  • Let us have proof of your identity and address (the level of proof required will be dependent on your request type, but examples include a copy of a recent utility bill or a scan of your driver’s license), and
  • Let us have some information about your request, such as what it is you want to access or which data you object to us processing

Keeping your personal information secure

We are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which we are responsible, whether computerised or on paper.

We have put controls in place to prevent unauthorised access to, modification or destruction of your personal information.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Data retention

Xoserve must keep personal records for the everyday running of its business. Xoserve’s Data Retention Policy is a tool used to ensure the protection, maintenance and retention of personal information for as long as it is needed and explains what to do with it when it is no longer needed.

How to contact us or the ICO

We hope that we can resolve any query or concern you raise about our use of your information.

To exercise all relevant rights, queries or complaints, we ask that in the first instance you contact us at box.xoserve.data.protection@xoserve.com.

If we do not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office (ICO), or to seek a judicial remedy in the courts of England and Wales. The ICO can investigate your claim and take action against anyone who has misused personal data. Further details are available on their website https://ico.org.uk/concerns/ or via the ICO helpline: 0303 123 1113.

Lawful basis

In order to process your personal data we must do so under a valid lawful basis. In most cases Xoserve will use one of the following Lawful bases:

  • Contractual obligation
  • Legitimate interests
  • Legal obligation

Sub-processing

Our main sub processor is Correla. Correla is located in the UK and our lawful basis for processing personal data is Contractual obligation and Legitimate Interest.

Changes to this privacy notice

This privacy notice was last updated on 26 March 2021.

We may change this privacy notice from time to time, so please check this page regularly.

 

Appendices

Data Enquiry Service & UK Link

We will collect the following types of information:

We need you to provide your username and password. Your IP address will be collected to enable us to ensure that the service is being accessed in accordance with the relevant terms and conditions of the service.

We use this information to:

  1. To enable us to provide you access to the Data Enquiry Service, the UK Link Service or Access Controls
  2. To monitor your access to the Data Enquiry Service, the UK Link Service or Access Controls
  3. Undertake any processing that is required by appropriate laws or regulations and/or requested by regulatory bodies or law enforcement agencies

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the EEA. We will also use SAP Cloud systems, with servers based within the EEA.

We rely on performance of contract and legitimate interests as our lawful basis.

 

Contact Management Service (CMS)

We will collect the following types of information:

  • Your user name and password
  • Your email address
  • Your telephone number

In some circumstances you may be required to provide personal information that relates to a gas consumer which may include the following:

  • Meter Point Reference Number
  • Gas consumer address
  • Gas Consumer name
  • Gas consumer telephone number

In the event that you wish to report a theft of gas you may be required to provide the following information which may include personal information:

  • Crime reference number
  • Details of the alleged theft of gas
  • Details of how the alleged theft of gas was detected

We use this information to:

To enable us to provide the Contact Management Service to you.
To ensure that the relevant network is notified to arrange a site visit where a site visit is required.
For any processing that is required by any law or regulation and/or requested by regulatory bodies or law enforcement agencies.
Personal information relating to an alleged theft of gas is provided to us and we will pass this onto the relevant party who will investigate the allegation.

We will share this information:

With Independent Gas Transporters (IGT), Distribution Networks, Utility Infrastructure Providers (UIP), Daily Meter Service Providers (DMSP) Meter Read Agencies (MRA), Gas Shippers who will all view contacts/challenges that they have raised themselves we will also share contacts between these stakeholders as required.

We rely on performance of contract and legitimate Interests as our lawful basis.

We have developed dashboards for Shippers and Ofgem. The Data Discovery Platform (DDP) uses interactive dashboards to provide an easy and secure way for our stakeholders to access, explore and bring your company data to life.

In order to provide this service,

We will collect the following types of information:

  • For Company login/accounts: Name
  • For Company login/accounts: Email address
  • MPRN – end customer

We use this information to:

To enable us to provide Winter Annual Ratio (WAR) Bands, Shipper Management Information (MI), Networks Management Information (MI), Performance Assurance Framework Administrator (PAFA) Management Information (MI), Shipper Management Information (MI)

We will share this information:

With Shippers and Ofgem

We rely on Contractual obligation and Legitimate Interests as our lawful basis.

In order to fulfil your Service Desk Requests to CMS, UK Link, Data Enquiry Service (DES), Services Portal, Gemini, UK Link Query Submission.

We will collect the following types of information (as required):

  • Contact name
  • Contact number
  • Email address
  • User ID
  • Attachment

We use this information:

To enable us to respond to your request or to process your application for a specific service
For any processing that is required by any law or regulation and/or requested by regulatory bodies or law enforcement agencies.

We will share this information:

This information is shared internally within Xoserve. We keep and process data in line with the requirements of key business processes and the treatment of personal data is in line with UK GDPR

We rely on performance of contract and legitimate interests as our lawful basis.

We will collect the following types of information:

  • Your name
  • Your email address
  • Your contact number
  • Meter Point Annual Quantity (AQ)
  • Full postal address of premises
  • Gas Consumer name
  • Gas Consumer telephone number
  • Gas Consumer email address
  • Meter Point details if present

We use this information to:

To enable us to provide the service to you.

To enable us to create a Meter Point Reference Number for you.

For any processing that is required by any law or regulation and /or requested by regulatory bodies or law enforcement agencies.

We will share some of this information:

Data Enquiry Service, UK Links which is where Shipper Network and Suppliers can access this according to their access rights.

We rely on the need to take steps to enter into a contract with you as our lawful basis for processing this data.

We will collect the following types of information:

Contact information such as Name, telephone number and email address. As well as MPRN and Gas Consumer Address.

We use this information to:

  1. Enable the management of external relationships including meetings and correspondence etc. with suppliers, shippers and transporters, but excluding any consumer interactions
  2. Work with customers to understand their potential future needs and assist the planning for future changes
  3. Provide customers with updates and information about the services offered by Xoserve
  4. Liaise with cross business parties and customers to identify requests for change and to prioritise the change against the existing portfolio of change
  5. Enable the management of queries or complaints submitted to Xoserve

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the EEA. For use 3, we also use the application Mail Chimp. We have put in place safeguards to ensure that your data is protected as if it were processed in the UK. The safeguards in this circumstance are Standard Contractual Clauses (SCC). For use 4, we share your requests internally, but it is classified with top confidentiality, and so sharing will be limited.

We rely on performance of contract as our lawful basis for uses 1 and 2 and for uses 3, 4 and 5, we rely on our legitimate interests to send you respond to queries, send service updates and to prioritise initiatives.

PEGA is a workflow and CRM tool used to support relationship management.

For Contact Queries and Complaints,

We will collect the following types of information:

  • First Name
  • Last Name
  • Telephone
  • Email addresses
  • MPRN number
  • Supply address
  • Organisation name/short code
  • Attachments can be added
  • Reference numbers related to the issue (particularly for complaints)

We will share this information:

We use this information internally within Xoserve in order to respond to the query. For gas consumer queries we may contact the Shipper to bring the matter to their attention.

We rely on Our legitimate interest to process your information in this way as it enables us to improve our service offering.

We will collect the following types of information:

Names, contact details and financial data (so far as it relates to the procurement process).

We use this information to:

  1. Identify potential new suppliers and gather information to demonstrate that the supplier can meet the organisation’s needs
  2. Approve contracts of less than £100k value where the procurement is initiated outside of the commercial department

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the EEA. We will also use SAP Cloud systems, with servers based within the EEA.

We rely on the need to take steps to enter into a contract with you as our lawful basis for processing this data.

We will collect the following types of information:

IP Addresses, names and email addresses.

We use this information to:

  1. Monitor usage of the Xoserve website and identify which areas of the site are being utilised (IP address only)
  2. Gather feedback from website users on functionality of the website
  3. Gather feedback from customers on events which have been run by Xoserve

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the EEA. For uses 1 and 2, we also share this data for analysis with Site Improve and Google Analytics, both of which have servers within the EEA. For use 3, we use Survey Monkey, which is based outside of the EEA and we have put in place safeguards to ensure that your data is protected as if it were processed in the UK. The safeguards in this circumstance are Standard Contractual Clauses (SCC).

We rely on our legitimate interest to process your information in this way as it enables us to improve our service offering.

We will collect the following types of information:

Names, contact details, MPRN, sensitive and confidential data, such as data on expenses use and accusation details from whistleblowing including names of accused and accuser.

We use this information for:

  1. Management of legal cases or potential legal action - This includes the gathering of sensitive legal information to build a defence or legal case
  2. Whistleblowing - To allow employees to register a whistleblowing incident, which might involve external stakeholders
  3. Auditing - To undertake internal audits on sensitive business process or data to ensure that business operating policy is being adhered to and to identify improvements

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the EEA. For use 1, we may also share externally with legal counsel. For use 2, we may also share with Anderson, Anderson, Brown LLP, who are based in the UK. They may share whistleblowing data with us through their third party provided system.

We rely on our legal and regulatory requirements for use 2, and our contract terms for uses 1 and 3. Where special category data is involved, we rely (for use 1) on necessity for exercising a legal claim, or (for use 2) on the accuser’s consent, or for use 3, on our legal obligations/ rights in the field of employment law.

There are some activities which Xoserve undertake on behalf of our customers (gas shippers, transporters and networks) which includes processing personal data relating to the gas consumer. Xoserve’s customers are the data controller for many of these elements but Xoserve, in the interest of transparency, also set out this information here.

We will collect the following types of information:

To enable us to ensure that the service is being accessed in accordance with the relevant terms and conditions of the service, MPRN Number, Consumer Address, consumer health data (where it relates to access requirements), Gas Supplier, Gas Transporter, customer data (login credentials/IP address).

We use this information to:

  1. Ensure that a consumer can identify their MPRN number and supplier via the telephone and online services
  2. Ensure that a customer can perform their duties to the consumer as per their licence conditions, via the telephone service and online portal
  3. Ensure that a customer can raise concerns and questions as per the Data Service Contract to raise specific queries about their services
  4. Ensure that a customer can raise a request for an ad-hoc report via the telephone or via the Customer Data System
  5. Enable the switching process
  6. Ensure that customers are able to raise individual service or billing issues and have them resolved by liaison with Xoserve

This information is shared with Xoserve from our customers:

  • The information in use 1 (which includes MPRN and consumer data) is publicly available
  • For use 1, and 2, we also process this data on UK Link (for customers) and on Find My Supplier (for consumers)
  • For use 2, this information is processed on Information Exchange (IX) which is necessary to interact with the Gemini System
  • For uses 3, 4 and 6, we process data on our Customer Data System
  • For uses 4 and 6 we also may use tooling included in out MS Office Suite, which has servers based in the UK

In order to provide the services to our customers, we also sub-process and/ or share some information with:

  • Use 1: Transmission and Distribution Networks
  • Use 2: Sunguard Data Centre, WIPRO Management
  • Uses 3, 4 and 6: Gas suppliers, transporters and shippers
  • Use 5: Switching Services and Gas Suppliers

We rely on our customers’ legal obligations under their licensing conditions and legislation and our legal obligations to our customers to process information in this way. We rely on our customers’ obligations under data protection laws to process any health data.

Thank you for your feedback