Privacy policy

This notice explains how the Last Mile Infrastructure Group of companies collects, stores, manages and protects your personal data in compliance with Data Protection Legislation. The companies to which this notice applies are set out at the end of this privacy notice.

To make reading this privacy notice easier, we refer to the collection, storage, management and protection of personal data as “processing”.

References in this notice to “Data Protection Legislation” mean (as applicable) the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, all as amended from time to time.

What personal data do we process?

Most of the personal data we process is provided by you as part of your interactions with us. It usually includes the following items:

  • your name(s), title and employer details;
  • your address, email address and/or telephone number;
  • your billing details if you are an end user customer of ours; and
  • any information about your health or living conditions that we collect when you sign up to the Priority Services Register.

We may also process information that we obtain from, or that is provided to us by, third parties (such as Glenigans Lead Generation Database) in order to send direct marketing material to our current or prospective clients and customers.

If you are one of our employees, we will collect some additional personal data in relation to your employment with us, which will include:

  • your gender and date of birth;
  • your health information;
  • your driving licence details;
  • your right to work information, which may include passport or birth certificate and biometric permit or work visa where applicable;
  • your bank account number and sort code;
  • your CV; and
  • name(s), address(es), email address(es) and telephone number(s) of family contact(s) (for example, for emergency contact details).

We will usually collect some or all of this information in relation to job applicants and new employees, too. We might also retain some of this information in relation to former employees for record-keeping purposes.

Your personal information is likely to be contained in:

  • updates to your contact details (such as address, email address and telephone number);
  • emails and other correspondence that you sent to us, or that were sent to you by us;
  • records of conversations and meetings;
  • website contact forms and marketing preferences;
  • project-related documents such as tenders and responses, contact lists, approvals and similar;
  • internal business systems such as HR, payroll and finance systems; and
  • CCTV that we control on our business premises for the purposes of safety and security.

Our regulated businesses are also legally required to access industry-wide databases that contain personal data in the form of names, addresses, and alphanumeric identifiers such as “Meter Point Reference Numbers” (MPRNs) and “Meter Point Address Numbers” (MPANs). Some of these databases might also indicate whether a person is vulnerable for health or other reasons. This information is used to identify the end users of our energy networks and, in relevant cases, any special or additional support they might need.

Priority Services Register

We are required by the Heat Trust to establish and maintain a Priority Services Register with details of our customers who may require additional support or who are otherwise in a vulnerable situation. There is no cost to joining the Register.

We will contact you to ask if you would like to be added to the Register. If you are eligible, we will add you to the Register which will be used for giving you information on planned and unplanned interruptions to your heat supplies and advice about what precautions to take in the event of any interruption.

To sign up to the Register, we will ask you to give us information about yourself and your household which will include details of any health conditions and other information about your living conditions (Special Circumstances Data). We process this information to comply with our legal obligations.

Signing up to the Register will also allow us to share your contact information with other energy companies that supply and deliver electricity, heat and gas so that they can also contact you if they experience any issues with supplies to your home.

Who might we share personal data with?

Most personal data is kept within the Last Mile Infrastructure Group of companies but shared between the data controllers named at the bottom of this notice. Personal data might be shared with third parties where that is necessary to comply with the law, protect our rights and operate our usual business practices. For example:

  • some of our systems are cloud-based, so some personal data may be transferred to servers controlled by the providers of these cloud-based systems (who have no direct access to the personal data);
  • some employees are insured to drive our fleet vehicles, so their personal data will be sent to the providers of those vehicles and any related insurance provider;
  • some of our employee benefits are provided by third parties (such as pensions and health insurance), so their personal data will be sent to those providers;
  • personal data might be included in records sent to our professional advisers, such as lawyers, accountants and insurance brokers;
  • where we might engage with an external customer billing partner, we will need to share billing and payment history data;
  • our outsourced IT providers may have access to personal data on our IT systems if such access is required to enable them to resolve problems with our IT systems;
  • some employees are lone workers and have agreed to use a lone working app, so their personal data will be shared with the developers of this mobile app;
  • we might need to provide personal details to subcontractors or emergency service providers who perform services on our behalf – for example, details of contacts on site;
  • clients will receive employee personal data during routine communications in the form of contact details (and vice versa);
  • we will have to provide personal data to some of our regulators and auditors – for example, HMRC, the Home Office (for sponsored employees), Ofgem, the Heat Trust, the HSE, the Environment Agency, the Drinking Water Inspectorate and Lloyds Register – to fulfil our legal obligations and/or to assist them in fulfilling their regulatory or oversight functions; and
  • potential purchasers of our business, subject to those persons entering into strict confidentiality obligations with us and only to the extent permissible under data protection law.

We review all contractual arrangements we have in place with third parties who receive personal data from us to ensure such third parties have robust systems and procedures to ensure compliance with Data Protection Legislation.

Personal data we collect may be transferred to third parties outside of the United Kingdom. If we do so, we will comply with applicable law regarding such transfers. Where such transfers require appropriate or suitable safeguards recognised under UK data protection laws, we may rely on them.

Typically, these include:

  • Adequacy decision: We may transfer your personal information to countries which the ICO or UK Government has approved as providing adequate protection to personal information (for example the decision of adequacy attaching to the EU for transfers from the UK).
  • Approved contracts: We may be entitled to put in place a contract with the recipient of your information which requires them to protect that information to the same standards as if the information were being processed within the UK.
  • By contract: In respect of certain cross-border transfers, we will transfer your personal information outside the UK if the transfer is necessary to the performance of a contract between you and us, or if the transfer is necessary to the performance of a contract between us and a third party, and the contract was entered into in your interest.
  • With your consent: In respect of certain transfers, we will obtain your consent to transfer your personal information outside the UK after first informing you about the possible risks of such a transfer.

The safeguards we use will depend on the location of the recipient, the function they are performing, and the personal information being transferred. You can request more information by contacting us.

How long do we keep personal data?

We only keep your personal data for so long as it is reasonably necessary. When setting our data retention periods, we consider the amount, nature and sensitivity of the data we hold, the potential risk of harm from unauthorised use or disclosure of the data and the purposes for which we process the data. Most personal data will be kept for the duration of our relationship with you plus an additional six (6) years (or any longer period required by law). The reason for this is that if we have to respond to a legal claim, we might need to use records that contain your personal data and most legal claims have to be brought within six (6) years.

What are your rights in connection with your personal data?

You have the following rights in respect of your personal data:

  • Access to your personal data – you have the right to a copy of any personal data we hold in relation to you, as well as information about how we process that personal data (which is already set out in this notice). This is known as a “Subject Access Request” and all Subject Access Requests should be made in writing and sent to the email or postal address shown below. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. While you do not have to use this form, it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
  • Rectification of your personal data – you have the right to have any inaccurate personal data about you corrected. You also have the right to have any incomplete personal data completed.
  • Right to erasure / “right to be forgotten” – in certain circumstances, you have the right for personal data about you to be erased. We are not required to erase your personal data if we need to keep it in order to comply with legal obligations or to establish, exercise or defend legal claims.
  • Right to restrict processing – in certain circumstances, you have the right to restrict how we process your personal data. There are some purposes for which we can continue to process your personal data even if you ask for it to be restricted. These include storage; the establishment, exercise or defence of legal claims; or for the protection of the rights of another legal or natural person (which includes companies).
  • Right to object – if we process your personal data on the basis of our legitimate interests, you can object to that processing. If you object, we may have to stop processing that personal data (and this may mean we are no longer able to interact with you in ways that rely on that personal data). However, we are not required to stop processing your personal data where our legitimate grounds for processing it override your interests, rights or freedoms, or are necessary to establish, exercise or defend legal claims.
  • Right to data portability – if we process your personal data on the basis of a contract you have with us as an individual, and that data is automatically processed, you have the right to receive that personal data from us in a commonly-used and machine-readable format so that you can transmit it to another data controller (or you can ask us to transmit it for you where technically feasible).

Requests to exercise any of these rights should be sent to dataprotection@lastmile-group.com.

If requests are manifestly unfounded, excessive or repetitive, we are allowed to charge a reasonable fee for fulfilling the request or refuse to fulfil the request.

Data Security

We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our site or otherwise to our servers (such as by e-mail). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.


We may use cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site from time to time. We also use cookies in order to ensure page continuity and for the interactive sections of our site. Visitors to our website who do not wish to have cookies placed on their IT equipment should set their browsers to refuse cookies before using our website. This will mean that some features of our site may not function properly without the aid of cookies. Please see our full Cookie Policy for more information.

Links to other websites

Our websites may contain links to other websites. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notice applicable to the website in question.

How you can contact us about how we handle your personal data

The appointed representative for each of the Last Mile Infrastructure Group data controllers is:

Data Protection Officer
Last Mile Infrastructure Group
Fenick House
Lister Way
Hamilton International Technology Park
G72 0FT

Queries for the appointed representative should be sent to dataprotection@lastmile-group.com.
If you are not satisfied by our response, you may lodge a complaint directly to the Information Commissioner’s Office (www.ico.org.uk). The Information Commissioner is the UK regulator for data

Who are the data controllers of personal data you provide to Last Mile?

The following Last Mile Infrastructure Group companies are data controllers processing personal data under this privacy notice:

  • Last Mile Heat Limited
  • Last Mile Asset Management Limited
  • Icosa Water Limited
  • Icosa Water Services Limited

Changes to our Privacy Notice

This notice was last updated on 5 December 2022. We may change this Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

A copy of our Privacy Notice is also available on request from our Data Protection Officer.