Guest Blog: Ian Davis – Smart meters: Getting the privacy controls right

What privacy controls should be put in place to ensure customers’ information shared with energy suppliers remain confidential? This question has been ongoing for a few years but it has […]

What privacy controls should be put in place to ensure customers’ information shared with energy suppliers remain confidential?

This question has been ongoing for a few years but it has reached a tipping point with the imminent wide-scale deployment of smart meters. Customers, energy suppliers and distributors who have historically relied on assessing domestic household energy usage through four readings a year are increasingly installing smart meters that are capable of taking readings every half hour – that’s around 17,520 readings each year!

But there’s more.

Dual fuel users could well be sending more than 35,000 readings annually to their energy suppliers.

The Data Communications Company (DCC) is responsible for ensuring meter readings are sent to the right supplier and the right distributor.

Customers with smart meters will soon be able to permit Other Users[1] to access their energy consumption records directly from the DCC.

But what controls should be in place to ensure these Other Users respect customer privacy? And when might it be necessary to prevent Others Users from accessing energy consumption records on the grounds the privacy controls are not adequate?

These matters have recently been considered by the Smart Energy Code (SEC) Panel. In June 2015 it appointed an Independent Privacy Auditor (the Competent Independent Organisation or CIO) and tasked it with designing a Privacy Controls framework that meets the requirements of the SEC.

How does the assessment work?

Each Other User will be assessed against the Privacy Controls Framework so the SEC Panel will have a consistent level of review across all Other Users.

While the SEC only requires Other Users to undergo a full privacy assessment from the CIO every three years, they will be expected to carry out self-assessments during the other years. In addition, the SEC Panel reserves the right to instruct Random Sample Privacy Audits at any stage.

The framework, which has just been published, also provides a guide to the types of evidence that could be provided by an Other User to show its compliance with its obligations, which should help organisations prepare for their audits.

What areas will be examined?

Some of the questions Other Users must prepare themselves for are:

  • What procedures and controls are in place to capture consent and opt out preferences from Energy Consumers? Do these apply across all mediums used to initiate collection of energy consumption data?
  • Are Energy Consumers provided with appropriate notifications concerning the collection of their personal data? How is this achieved? Are notifications provided prior to the collection of energy consumption data being initiated?
  • How does the Other User ensure that the processing undertaken on the data collected remains within the scope of the declared purpose for which consumer consent was obtained?
  • Is consent gathered prior to sending either a ‘Join Service’ or ‘Unjoin Service’ request?
  • Are Energy Consumers’ consent preferences clearly recorded and maintained within relevant systems?
  • Is the Other User able to comply with requests from Energy Consumers to withdraw their consent for the processing of energy consumption data? Is a formal process in place to receive and handle such requests?
  • What procedures are in place to verify that the individual who has given consent is the Energy Consumer at the premises at which the Smart Meter is located?
  • Are controls in place to ensure that energy consumption data is only accessed and used for the purposes of providing this data to the Energy Consumer?
  • What processes are in place to respond to any requests for personal data from either Energy Consumers or third parties?

A copy of the Privacy Controls Framework is available here. As Other Users will not be able to access energy consumption records from the DCC until they have undergone a privacy audit, they should not delay in ensuring their privacy controls meet the required minimum standards.

Gemserv’s information security, data protection and data privacy practice Red Island has a wide range of experience providing assurance, governance, risk and compliance services within the energy and utilities sector in the UK and in Europe. If you would like further information or practical advice, please contact us at [email protected].

[1] “Other users” have been defined in the Smart Energy Code (SEC) as a User that is not a Responsible Supplier or the Electricity Distributor or the Gas Transporter or the Registered Supplier Agent during that period of or at that point in time.

Ian is the Head of Consultancy for Information Security at Gemserv, which supports government departments, regulators and industry to implement and operate transformational national schemes in the utility and environmental markets.

This is a sponsored article.

Latest Podcast