Data sensitivity classes

Our data infrastructure incorporates many categories of data that have varied levels of sensitivity. In order to handle this complexity, and to ensure data is appropriately protected we have developed a system of data sensitivity classifications.

Our work incorporates a variety of categories of data that have varied levels of sensitivity. In order to handle this complexity, and to ensure data is appropriately protected, we are developing a system of data sensitivity classifications within a Trust Framework (TF).

Table 1: data sensitivity classes (generalised, based on Open Energy research) v20210719

Data ClassDescriptionExample DatasetsPersonal SensitivityCommercial SensitivitySecurity Sensitivity
IB1-CClosed data – limited to internal organisational access only or limited, bespoke bilateral contracts under specific circumstances. May be subject to hard legal barriers to sharing. May be security-critical information relating to operational technology supporting critical national infrastructure owned by an Operator of Essential Services.
Never suitable to share within a data ecosystem or Trust Framework. 
Business-critical proprietary information or IP, critical asset locations, classified information.Very HighVery HighVery High
IB1-SPDatasets which include personal data, requiring appropriate consent to share, or other legal bases to data processing, as defined by the EU GDPR and brought into UK law via the DPA 2018.
Currently not suitable to share within an ecosystem, with future extensibility subject to consultation.
Smart meter data, home temperature preferences, protected characteristics or special category data (e.g. dependence on power due to health conditions), individual EV charging records, transaction data.Very HighMedium/
High
Medium/
High
IB1-SBDatasets which do not include personal data and which can/could be shared, but currently require bilateral contract negotiation. May include data currently shared on the basis of group-based, name-based or purpose-limited access. May include aggregated data about individuals, subject to best practice adherence (e.g. ICO anonymisation code.)
Anonymised data using non-aggregative techniques are currently not suitable to share within this sensitivity class due to complex risks related to individual re-identification. Future extensibility to sharing anonymised data is subject to consultation. 
Public EV charge-point performance, generation asset performance, aggregated smart meter data, aggregated microgeneration export profiles, ‘Investment grade’ data (e.g. suitable granularity for financial decision-making), sensitive asset data.MediumMedium/
High
Medium/
High
IB1-SAShared data – datasets which can/could be shared, but which require the user to agree to ‘light touch’ T&Cs to access and use (e.g. non-commercial clauses such as those under CC-BY-NC).Network capacity, outage data, weather predictions, European space agency data, daily smart meter installations, geolocation information for non-sensitive assets (e.g. Renewable Assets, EPC certificates).LowMediumLow
IB1-OOpen Data – full open access, under an open data licence. Free to use, by anyone, for any purpose.Lower Super Output Layer ID (LSOA), Digest of UK Energy Statistics, regulatory data (e.g. licensing categories, institutional charters or Terms of Reference, etc.)Very LowVery LowVery Low

Open Energy

This programme was initiated via Open Energy and has broad application. We are using this as the basis for our work across finance, transport, water, agriculture, and the built world.

Open Energy operates a system of five data sensitivity classes, graded across three dimensions of sensitivity: personal, commercial, and security. Personal sensitivity considers data defined as ‘personal data’ by the UK DPA 2018, and related privacy and consumer protection implications. Commercial sensitivity considers intellectual property, risk and commerciality. Security sensitivity includes critical national infrastructure and cybersecurity.

Classes are presented in Table 1. A definition, specification and dataset examples for each class will be provided in the Open Energy Operational Guidelines. Data Providers (organisations sharing data via the Open Energy ecosystem) will then assess their datasets using the Operational Guidelines and allocate them to a class, prior to sharing them via Open Energy. 

Open Energy data classes are designed to supplement, not replace, the Modernising Energy Data Best Practice Guidance (Point 12) determining whether data should be made Open, Shared or Closed. In particular, Open Energy data classes are designed to provide further nuance to the category of Shared data – identifying three different classes in this space, with different sensitivity profiles.

In Open Energy Phase 2 (September – December 2020), the Policy and Membership Advisory Group established that a system of data classes should be used to distinguish data of different sensitivities shared within the Open Energy ecosystem. This system has since been subject to further research and development, including opening to public and Advisory Group consultation in April 2021. Feedback has been incorporated and the final version of the policy is presented below. All terms used throughout this policy are defined in the glossary here.

Open document: Dataset sensitivity classes policy – Open Energy