Energy Performance of Buildings (Scotland) Regulations 2025: data protection impact assessment

Data protection risks identified, likelihood, impact, severity score, solutions or mitigation controls proposed and residual risk

Risk Directing Marketing

Detail Risk of published EPC data being combined with other publicly available datasets to identify a person(s).

Likelihood Possible

Impact Low

Mitigations The Regulations do not allow for personal details of building owners or tenants to be included on an EPC. When accessing EPC data users will be required to sign-up to terms and conditions of use and licensing conditions which will make it clear that this type of use is prohibited.

Risk Property Security

Detail Publication of some features of a property such as its wall construction or external window specification could, theoretically, increase the threat of burglary for some properties where it is linked to an address.

Likelihood Low

Impact Very High

Mitigations No link has been identified between the release of Scottish EPC data and burglaries. Images of many properties are already viewable online for example at Google Street View or through sites offering buildings for sale or let.