Energy Performance of Buildings (Scotland) Regulations 2025: data protection impact assessment
Data protection impact assessment (DPIA) produced as part of our intention to lay updated Energy Performance Certificate (EPC) regulations in October 2025. This DPIA has considered the evidence to understand any potential data protection outcomes from the reform of EPCs.
Questions to identify data protection issues
Necessity, Proportionality and Justification
No personal data about the building owner is sent to the EPC Register.
EPCs are required by regulations and are a long-established feature of the property market, and provide information about the energy efficiency and emissions of a building. EPCs must be provided:
- When a building is advertised for sale or for let to a new tenant.
- On completion of construction of a new building.
- Displayed in certain buildings visited by the public:
- Over 250 square metres and occupied by public authority;
- Over 500 square metres and where a valid EPC exists.
Assessor information is stored on the EPC Register for the purpose of administering the Regulations.
Data collected for the purpose of completing EPC assessments is determined by a methodology of calculation that is approved by Scottish Ministers. This ensures that data is collected consistently and proportionately in relation to the legal requirement to ensure that a valid EPC is provided in the circumstances set out in the Regulations. The data collected and the methodology used to calculate and generate an EPC under the Energy Performance of Buildings (Scotland) Regulations 2025 (the Home Energy Model) follows largely the same approach as that adopted by the UK Government in England and Wales.
Involvement of multiple organisations
Current and prospective owners and tenants of buildings can use EPC data to help understand their building’s energy performance characteristics. EPC data can be used by local authorities as the enforcement authorities under the Energy Performance of Buildings (Scotland) Regulations 2025.
EPC data is used by Approved Organisations in the management of assessors.
The public extracts on our statistics platform are available to download to support the improvement of building energy efficiency through research and analysis - in line with the uses set out in the Regulations.
Anonymity and pseudonymity
Assessor Names are removed from publicly available extracts downloads of bulk datasets.
Green Deal information is not included in public downloads of bulk datasets.
Technology
Publicly available EPC data is published in CSV and Excel format and there are no restrictions or technical mechanisms that prevent anyone from accessing and further processing this data.
Identification methods
Every EPC has a unique Report Reference Number.
Sensitive/Special Category personal data – including biometric data
Not applicable, no special category data is collected or stored on the EPC Register.
Children or other vulnerable data subjects (people)
An EPC must not contain any information (except for the address of the building) from which a living individual, other than the energy assessors, can be
identified. In the case of non-domestic EPCs it may be possible to identify the organisation that owns or occupies the building from the address. The published EPC data includes the full postal address, which may include an organisation name associated with a building and so organisation that owns or occupies the building from the address. It may be possible to identify buildings occupied by children and vulnerable groups from the published data where this information is included in a building address. It should not be possible to identify any individual from the data.
Data matching or linkage
Not applicable.
Changes to data handling procedures
Not applicable.
Statutory exemptions/protection
Not applicable.
Automated decision making or profiling
Not applicable.
Other risks
Not applicable.
Contact
Email: EPCenquiries@gov.scot