Privacy Notice

Published January 2021

We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us and supervisory authorities in the event that you have a complaint.

Who we are

Xoserve understands the importance of protecting personal information and is committed to complying with the UK Data Protection Act (DPA 2018). In order to operate as a business and provide our services to you and to the gas industry, we collect, use and are responsible for some personal information about you. We are committed to protecting your privacy and to ensuring that your personal information is used properly, lawfully and transparently.

This notice explains when and why we collect personal information about the people who work for our customers and for gas consumers. It explains how we use that information, the conditions under which we may disclose personal information to others and how we keep the personal information we collect and process secure.

This notice applies to Xoserve Limited (“Xoserve”, “we”, “our”, or “us”). We are registered in England and Wales under company number 5046877 and have our registered office at Lansdowne Gate, 65 New Road, Solihull B91 3DL.

As we are based in the UK, we process data according to the Data Protection Act 2018.

To keep things simple for you, we maintain separate privacy notices for job applicants; and for gas consumers on Find My Supplier; and for people who work or who have worked for us. Please contact data.protection@xoserve.com for any queries. 


The personal information we collect and use:

In the course of the services that we provide to you, we collect your personal information. The personal information that you provide and how we use it may differ depending on the service that we provide to you.


To understand what we collect and how we use the personal information, we have separated our processing based on different types of activities.

Who we share your personal information with:

We set out above who shares your information with Xoserve and who we share your information with. However, we may also share personal information with law enforcement or other authorities if required by applicable law. We will not share your personal information with any other third party.


How long do we keep your information for? 

We will keep your personal information only as long as is necessary to conclude the purpose for which it was collected, or to meet legislative requirements. Personal information will be securely destroyed or put beyond use when it is no longer required, in accordance with our data retention and information management policy.


Transfer of your information out of the UK

As set out above, we may transfer your personal information outside the United Kingdom to what are described as “third countries”. 

These third countries do not/may not have the same data protection laws as the United Kingdom. Whilst the UK government has not as yet given a formal decision that such countries provide an adequate level of data protection similar to those which apply in the United Kingdom, any transfer of your personal information will be subject to suitable safeguards. We often rely on Standard Contractual clauses, as approved by the UK, unless otherwise stated. These clauses are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.

We will not otherwise transfer your personal data outside of the UK or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.


Your rights

Legally, you have a number of important personal data rights, free of charge. In summary, those include rights to:

  • Fair processing of information and transparency over how we use your personal information
  • Access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
  • Require us to correct any mistakes in the information which we hold
  • Require the erasure of personal information concerning you in certain situations
  • Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations (data portability)
  • Object at any time to processing of personal information concerning you for direct marketing
  • Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
  • Object in certain other situations to our continued processing of your personal information
  • Otherwise restrict our processing of your personal information in certain circumstances
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:


  • Email data.protection@xoserve.com, or write to us at Xoserve Ltd, Lansdowne Gate, 65 New Road, Solihull, B91 3DL.
  • Let us have enough information to identify you, for example let us know your name and the customer you work for.
  • Let us have proof of your identity and address (the level of proof required will be dependent on your request type, but examples include a copy of a recent utility bill or a scan of your driver’s license), and
  • Let us have some information about your request, such as what it is you want to access or which data you object to us processing.

Keeping your personal information secure

We are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which we are responsible, whether computerised or on paper. 

We have put controls in place to prevent unauthorised access to, modification or destruction of your personal information. 

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


How to contact us or the ICO

We hope that we can resolve any query or concern you raise about our use of your information.

To exercise all relevant rights, queries or complaints, we ask that in the first instance you contact us at data.protection@xoserve.com. If you feel like we are not adequately responding to your request, you have the right to reach out to our Data Protection Officer by emailing data.protection@xoserve.com please mark your correspondence FAO DPO.

If we or our Data Protection Officer do not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office (ICO), or to seek a judicial remedy in the courts of England and Wales. The ICO can investigate your claim and take action against anyone who has misused personal data. Further details are available on their website https://ico.org.uk/concerns/ or via the ICO helpline: 0303 123 1113. 


Changes to this privacy notice

This privacy notice was published on 25 May 2018 and last updated on 19 January 2021.

We may change this privacy notice from time to time, so please check this page regularly.

 

Data Enquiry Service/UK Service/Access Controls 

We will collect the following types of information:

We need you to provide your username and password to enable us. Your IP address will be collected to enable us to ensure that the service is being accessed in accordance with the relevant terms and conditions of the service.

We use this information to:

1. To enable us to provide you access to the Data Enquiry Service, the UK Link Service or Access Controls
2. To monitor your access to the Data Enquiry Service, the UK Link Service or Access Controls
3. Undertake any processing that is required by appropriate laws or regulations and/or requested by regulatory bodies or law enforcement agencies


Contact Management Service

We will collect the following types of information:

1. Your user name and password
2. Your email address
3. Your telephone number

In some circumstances you may be required to provide personal information that relates to a gas consumer which may include the following:

1. Meter Point Reference Number
2. Gas consumer address
3. Gas Consumer name
4. Gas consumer telephone number

In the event that you wish to report a theft of gas you may be required to provide the following information which may include personal information:

1. Crime reference number
2. Details of the alleged theft of gas
3. Details of how the alleged theft of gas was detected

We use this information to:

1. To enable us to provide the Contact Management Service to you 
2. To ensure that the relevant network is notified to arrange a site visit where a site visit is required
3. For any processing that is required by any law or regulation and/or requested by regulatory bodies or law enforcement agencies

Personal information relating to an alleged theft of gas is provided to us and we will pass this onto the relevant party who will investigate the allegation.


Request/Application Forms

We will collect the following types of information:

We need you to provide your contact details to enable us to respond to you.

1. Contact name
2. Contact number
3. Email address

We use this information to:

1. To enable us to respond to your request or to process your application for a specific service
2. For any processing that is required by any law or regulation and/or requested by regulatory bodies or law enforcement agencies

M Number Creation Form

We will collect the following types of information: 

Your name
Your email address
Your contact number
Meter Point Annual Quantity (AQ)
Full postal address of premises
Gas Consumer name
Gas Consumer telephone number
Gas Consumer email address
Meter Point details if present

We use this information to:

1. To enable us to provide the service to you.
2. To enable us to create a Meter Point Reference Number for you
3. For any processing that is required by any law or regulation and /or requested by regulatory bodies or law enforcement agencies


Xoserve to Customer Relationship Management

We will collect the following types of information:

Names and contact information such as telephone number and email address. 

We use this information to: 

1. Enable the management of external relationships including meetings and correspondence etc… with suppliers, shippers and transporters, but excluding any consumer interactions.
2. Work with customers to understand their potential future needs and assist the planning for future changes.
3. Provide customers with updates and information about the services offered by Xoserve.
4. Liaise with cross business parties and customers to identify requests for change and to prioritise the change against the existing portfolio of change.

We will share this information: 

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the UK. For use 3, we also use the application Mail Chimp. We have put in place safeguards to ensure that your data is protected as if it were processed in the UK. The safeguards in this circumstance are Standard Contractual Clauses (SCC). For use 4, we share your requests internally, but it is classified with top confidentiality, and so sharing will be limited.

We rely on performance of contract as our lawful basis for uses 1 and 2. For uses 3 and 4, we rely on our legitimate interest to send you service updates and to prioritise initiatives.

Xoserve to Potential new suppliers

We will collect the following types of information:

Names, contact details and financial data (so far as it relates to the procurement process). 

We use this information to: 

1. Identify potential new suppliers and gather information to demonstrate that the supplier can meet the organisation’s needs.
2. Approve contracts of less than £100k value where the procurement is initiated outside of the commercial department.

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the UK. We will also use SAP Cloud systems, with servers based within the UK.

We rely on the need to take steps to enter into a contract with you as our lawful basis for processing this data. 

Xoserve Website Users 

We will collect the following types of information:

IP Addresses, names and email addresses.

We use this information to: 

1. Monitor usage of the Xoserve website and identify which areas of the site are being utilised (IP address only). 
2. Gather feedback from website users on functionality of the website.
3. Gather feedback from customers on events which have been run by Xoserve. 

We will share this information:

Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the UK. For uses 1 and 2, we also share this data for analysis with Site Improve and Google Analytics, both of which have servers within the UK. For use 3, we use Survey Monkey, which is based outside of the UK and we have put in place safeguards to ensure that your data is protected as if it were processed in the UK. The safeguards in this circumstance are Standard Contractual Clauses (SCC). 
We rely on our legitimate interest to process your information in this way as it enables us to improve our service offering.

Miscellaneous

We will collect the following types of information: 

Names, contact details, MPRN, sensitive and confidential data, such as data on expenses use and accusation details from whistleblowing including names of accused and accuser.

We use this information for: 

1. Management of legal cases or potential legal action 
a. This includes the gathering of sensitive legal information to build a defence or legal case.
2. Whistleblowing 
a. To allow employees to register a whistleblowing incident, which might involve external stakeholders. 
3. Auditing 
a. To undertake internal audits on sensitive business process or data to ensure that business operating policy is being adhered to and to identify improvements. 

We will share this information:


Internally within Xoserve. We use MS Office Suite as our platform, who have servers within the UK. For use 1, we may also share externally with legal counsel. For use 2, we may also share with Anderson, Anderson, Brown LLP, who are based in the UK. They may share whistleblowing data with us through their third party provided system. 
We rely on our legal and regulatory requirements for use 2, and our contract terms for uses 1 and 3. Where special category data is involved, we rely (for use 1) on necessity for exercising a legal claim, or (for use 2) on the accuser’s consent, or for use 3, on our legal obligations/ rights in the field of employment law.

Gas Consumer Information Processing

There are some activities which Xoserve undertake on behalf of our customers (gas shippers, transporters and networks) which include personal data relating to the gas consumer. Xoserve’s customers are the data controller for many of these elements but Xoserve, in the interest of transparency, also set out this information here.

We will collect the following types of information:

MPRN Number, Consumer Address, consumer health data (where it relates to access requirements), Gas Supplier, Gas Transporter, customer data (such as login credentials and IP address).

We use this information to: 

1. Ensure that a consumer can identify their MPRN number and supplier via the telephone and online services. 
2. Ensure that a customer can perform their duties to the consumer as per their licence conditions, via the telephone service and online portal.
3. Ensure that a customer can raise concerns and questions as per the Data Service Contract to raise specific queries about their services.
4. Ensure that a customer can raise a request for an ad-hoc report via the telephone or via the Customer Data System.
5. Enable the switching process.
6. Ensure that customers are able to raise individual service or billing issues and have them resolved by liaison with Xoserve.

This information is shared with Xoserve from our customers.

The information in use 1 (which includes MPRN and consumer data) is publicly available.
  • For use 1 and 2, we also process this data on UK Link (for customers) and on Find My Supplier (for consumers). 
  • For use 2, this information is processed on Information Exchange (IX) which is necessary to interact with the Gemini System. 
  • For uses 3, 4 and 6, we process data on our Customer Data System. 
  • For uses 4 and 6 we also may use tooling included in out MS Office Suite, which has servers based in the UK. 
In order to provide the services to our customers, we also sub-process and/or share some information with:

  • Use 1: Cadent Gas
  • Use 2: Sunguard Data Centre, WIPRO Management 
  • Uses 3, 4 and 6: Gas suppliers, transporters and shippers 
  • Use 5: Switching Services and Gas Suppliers
We rely on our customers’ legal obligations under their licensing conditions and legislation and our legal obligations to our customers to process information in this way. We rely on our customers’ obligations via social protection laws to process any health data.

Our Systems
The systems we use are;

1. UK Link

Only Authorised Users can use UK Link:
a. Authorised User Groups
b. Authorised User groups of the UK Link system include:
c. Ofgem
d. UNC Parties
e. Meter Readers
f. User Agents
g. Delivery Facility Operators and Connected System Operators
h. Meter Asset Providers
i. Meter Asset Managers

2. Contact Management Service (CMS)

a. The CMS is a secure two-way communication system for operational and invoicing contacts.

3. Data Enquiry Service

a. The DES is used to examine a range of data relating to Supply Meter Points and allows Authorised Users to:
i. access details about Supply Meter Points within their portfolio
ii. view details of particular Supply Meter Points associated with their properties

4. The Gemini System

a. Gemini is a suite of online applications used by National Grid and its business associates to manage the transport of gas through pipelines.

5. Information Exchange (IX)


a. Information Exchange (IX) is the communications system that lets Users work with each other.

6. Extranet Secured Sites


Authorised Users in the gas industry have use of Extranet Secured Sites. These sites are used to:
a. Control access to our critical business systems
b. Protect commercially sensitive data

Thank you for your feedback