What privacy controls should be put in place to ensure customers’ information shared with energy suppliers remains confidential?
This question has been ongoing for a few years but it has reached a tipping point with the imminent wide-scale deployment of smart meters. Customers, energy suppliers and distributors who have historically relied on assessing domestic household energy usage through four readings a year are increasingly installing smart meters that are capable of taking readings every half hour – that’s around 17,520 readings each year!
But there’s more.
Dual fuel users could well be sending more than 35,000 readings annually to their energy suppliers.
The Data Communications Company (DCC) is responsible for ensuring meter readings are sent to the right supplier and the right distributor.
Customers with smart meters will soon be able to permit Other Users to access their energy consumption records directly from the DCC.
But what controls should be in place to ensure these Other Users respect customer privacy? And when might it be necessary to prevent Other Users from accessing energy consumption records on the grounds that the privacy controls are not adequate?
These matters have recently been considered by the Smart Energy Code (SEC) Panel. In June 2015 it appointed an Independent Privacy Auditor (the Competent Independent Organisation or CIO) and tasked it with designing a Privacy Controls framework that meets the requirements of the SEC.
How does the assessment work?
Each Other User will be assessed against the Privacy Controls Framework so the SEC Panel will have a consistent level of review across all Other Users.
While the SEC only requires Other Users to undergo a full privacy assessment from the CIO every three years, they will be expected to carry out self-assessments during the other years. In addition, the SEC Panel reserves the right to instruct Random Sample Privacy Audits at any stage.
The framework, which has just been published, also provides a guide to the types of evidence that could be provided by an Other User to show its compliance with its obligations, which should help organisations prepare for their audits.
What areas will be examined?
Some of the questions Other Users must prepare themselves for are:
A copy of the Privacy Controls Framework is available here. As Other Users will not be able to access energy consumption records from the DCC until they have undergone a privacy audit, they should not delay in ensuring their privacy controls meet the required minimum standards.
Gemserv’s information security, data protection and data privacy practice Red Island has a wide range of experience providing assurance, governance, risk and compliance services within the energy and utilities sector in the UK and in Europe. If you would like further information or practical advice, please contact us at [email protected].
“Other users” have been defined in the Smart Energy Code (SEC) as a User that is not a Responsible Supplier or the Electricity Distributor or the Gas Transporter or the Registered Supplier Agent during that period of or at that point in time.
Ian is the Head of Consultancy for Information Security at Gemserv, which supports government departments, regulators and industry to implement and operate transformational national schemes in the utility and environmental markets.
This is a sponsored article.