Supply of customer data
Summary and Background
582.These sections reflect the Government’s desire for customers to have electronic access to details of transactions they enter into when buying goods and services, which they can then use to inform future purchasing and consumption behaviours.
583.The Government’s view is that a consumer who can make informed decisions about the goods and services they buy is more likely to seek better quality and value for their money, which in turn can help stimulate competition.
584.Existing legislation, notably the Data Protection Act 1998, gives customers access to their data but in a format to be determined by the provider, which may therefore be hard copy only. This does not allow them easily to use that information to compare prices or interrogate their consumption behaviour.
585.The Government has been working with suppliers in certain sectors to develop a voluntary programme for the release of electronic data to customers. These sections provide a backstop power for the Secretary of State to make regulations (a) requiring regulated persons to supply their customers, on request, with transaction data held in electronic form, and (b) providing an enforcement regime in the case of non-compliance.
Section 89: Supply of customer data
586.Subsection (1) contains the substantive power of the Secretary of State to make regulations. It enables provisions to be made compelling a “regulated person” (as defined in subsections (2) and (10)) to provide “customer data” (as defined in subsection (3)) to a customer at their request or to a person authorised by the customer to receive it (“the customer data regulations”).
587.Subsection (2) identifies four types of supplier who may be required to supply data (energy suppliers, mobile phone network providers, and financial services providers offering current accounts or credit cards). Subsection (2)(d) provides the power to designate other regulated persons although before doing so the Secretary of State has to have regard to a number of factors set out in subsection (7).
588.Subsection (3) defines “customer data” as information held electronically by or on behalf of the regulated person and that relates to transactions between the regulated person and the customer. For example this could be a customer’s purchasing history represented by a quarterly energy statement. It does not extend to data not already held in electronic form.
589.Subsection (9) describes what is meant by a customer for the purpose of this section. It covers persons who have at any time purchased goods or services from the regulated person or received them free of charge from them. The intention is that this should generally apply to consumers (subsection (9)(b)(i)) but subparagraph (ii) allows this to be extended to specified forms of business. This is most likely to be used to treat micro businesses (who, like consumers, may suffer difficulties in identifying their consumption behaviour) as customers for these purposes.
590.Subsections (4) and (5) make further provision about the scope of the power, including allowing the regulations to specify the format and timeframe in which the data is to be delivered and to permit the regulated person to charge for the supply of data (though any such charge could not exceed the cost borne by the supplier in providing the data).
591.Subsection (8) is included to give the Secretary of State the flexibility to apply the regulations in different ways depending on the types of regulated person, customer or customer data, but also depending on where in the UK those persons are located. It also enables regulations to provide for exceptions from any requirement imposed by them, including if the cost of compliance proves to be prohibitive (subsection (8)(d)).
Section 90: Supply of customer data: enforcement
592.This section empowers the Secretary of State to make provision for the enforcement of the customer data regulations. It provides for a model of civil enforcement as opposed to criminal penalties (subsection (2)) and enables regulations to be made allowing customers to bring their own actions for breach of the regulations before a court or tribunal (subsection (5)). By virtue of subsections (6) and (8) some of the provisions of section 89 apply to this section also.
593.Subsection (1) identifies the Information Commissioner as a potential enforcer but empowers the Secretary of State to designate other persons to act as enforcers. The regulations may also designate more than one enforcer and provide for their functions to be exercisable concurrently or jointly (see further the explanation of subsection (4) below).
594.Subsection (2)(a) and (b) set out the enforcement options referred to above. The regulations will be able to provide for enforcers to apply to a court (or tribunal) for an order that a regulated person comply with the regulations. Alternatively an enforcer may be allowed to serve an enforcement notice on a regulated person without a court order. In both cases breach of the order/notice could amount to a contempt of court.
595.Subsection (3) provides that regulations may confer on enforcers investigatory powers to enable them to fulfil their functions. The regulations may also set out sanctions for non-compliance with requirements made by an enforcer when exercising its investigatory powers (for example if a regulated person fails to provide information on request). The words in parenthesis in subsection (3)(b) make clear that the enforcement provisions should be comparable to those for breach of the customer data regulations (namely civil enforcement not criminal penalties).
596.As explained above, under subsection (4)(b) provision can be made for functions to be exercisable by more than one enforcer, whether concurrently or jointly. Where functions are exercised concurrently, subsection (4)(c) allows the regulations to make provision for a lead enforcer to take on a co-ordination role, namely to direct which enforcer can act in a particular case. To assist with that role, that subsection also allows the regulations to require the other enforcers to consult with the lead enforcer before exercising enforcement functions.
597.Finally, subsection (4)(a) enables regulations to be made requiring an enforcer (if not the Information Commissioner) to inform the Commissioner if they intend to exercise functions under the regulations. The intention is to make the Commissioner aware of potential breaches of the customer data regulations in case they raise wider subject access issues.
Section 91: Supply of customer data: supplemental
598.This section provides for supplemental matters including the power to make consequential amendments to legislation and to enable a person to exercise a discretion in a matter such as the exercise of the powers conferred by these sections (subsection (1)). It also describes the Parliamentary procedure for the regulations; those made under section 89 are subject to the negative resolution procedure, except where regulations are applied to persons by virtue of section 89(2)(d) in which case the affirmative resolution procedure is to be used. Regulations made under section 90 are also subject to the affirmative resolution procedure as are any instruments that make regulations under section 89(2)(d) or 90 together with any other provision under section 89.
