Great Britain’s energy sector gets a small but useful legal tweak next month. From 16 March 2026, companies will be able to share specified information for tightly defined purposes under a fresh amendment to section 105 of the Utilities Act 2000. The Statutory Instrument (SI 2026/149), published on legislation.gov.uk, was signed by Alan Whitehead, Minister of State at the Department for Energy Security and Net Zero, on 19 February and laid before Parliament on 23 February.

Section 105 imposes a general ban on disclosing protected information gathered under the gas and electricity regime, with a list of exceptions. The new Order adds two more. Disclosures are permitted where they are necessary to enable the Secretary of State’s functions under section 13 of the Energy Prices Act 2022, and to allow any person to perform functions conferred by regulations under section 19 of that Act. A separate carve‑out allows disclosures made to comply with a formal direction issued under section 22 of the Energy Prices Act.

For day‑to‑day operations, that means suppliers, networks and scheme delivery partners have clearer legal cover when government programmes require swift data flows. Think of a scenario where a delivery body needs meter point details to verify eligibility, or a licensed supplier is directed in writing to provide portfolio‑level information; if the disclosure is strictly for that purpose, section 105 will not bite.

The scope is Great Britain only. The Order extends to England, Wales and Scotland; it does not apply in Northern Ireland. Groups with GB‑NI operations should separate data pathways and governance accordingly, as the Energy Prices Act contains distinct Northern Ireland provisions.

Crucially, this is not a free‑for‑all. The underlying confidentiality duty remains, and unauthorised disclosure of protected information can still constitute an offence. The emphasis should be on necessity and proportionality: share only what is required for the statutory function or direction, nothing more.

On data protection, the most defensible approach is to rely on the ‘legal obligation’ basis under UK GDPR Article 6(1)(c) when a regulation or direction compels disclosure, or ‘public task’ for public authorities. Firms should refresh Article 30 records, update privacy notices to explain statutory sharing, and run data protection impact assessments where risk is non‑trivial.

Contracts now need tightening. Data‑sharing schedules should name the statutory gateway, define the exact purpose, set retention and deletion rules, and require auditable logs. Access should be role‑based, redactions should be the default where possible, and every disclosure should record who authorised it, which provision applied and when.

Timing matters for operations teams. With the instrument commencing on 16 March, organisations have a short window to map likely requests, pre‑approve a minimal disclosure pack and rehearse the request‑to‑release process. That preparation cuts response times and reduces error risk when directions land.

The Department has signalled no, or no significant, impact across sectors. Even so, we expect some modest one‑off costs as companies update data maps, amend contracts and train frontline teams. For boards and investors, the prize is less friction when government intervention depends on timely data-the legal plumbing is now clearer.

If your business supplies or processes energy market data, the practical test is simple: can you show a direct line from the requested fields to a section 13 or section 19 function, or to a section 22 direction? If yes, document it and proceed; if not, pause and seek clarification before you transmit.