Smart Grid Privacy
U.S. government announces new voluntary guidelines to address public concerns
BY PHILL FELTHAM, Editor-in-Chief
Electricity Today Magazine
Smart Grid equals innovation to many utilities and their customers, but not everyone shares that sentiment. In fact, many customers and media outlets perceive the Smart Grid as a way for utilities and third parties to invade their privacy (the negative publicity toward smart meters is one great example).
Luckily, governments in both Canada and the United States are listening and are actively introducing legislation to regulate a variety of Smart Grid technologies. Twenty-one U.S. states are considering at least 61 enacted or pending bills to encourage innovation, to regulate emerging technologies, and to protect consumer interests and concerns.
More recently, U.S. President Barack Obama announced that a voluntary code of conduct for utilities and third parties would be released to address privacy concerns over customer data used by Smart Grid technologies. Shortly after President Obama’s announcement, the Department of Energy (DOE) as well as the Federal Smart Grid Task Force released the “Data Privacy and the Smart Grid: A Voluntary Code of Conduct (VCC)”, which contains several guidelines designed to protect the privacy of customer information.
The VCC is designed to serve three main purposes:
(1) Encourage innovation while protecting the privacy of customer information as well as provide reliable and affordable power-related services;
(2) Give customers appropriate access to their own data; and
(3) Not overrule any current law or regulation set forth by any regulatory authority or level of government.
Primarily, the VCC protects “customer data”, the combination of account data (that is, names, telephone numbers, email addresses, among other information), as well as customer energy usage data (CEUD), which reveals information on an individual’s measured energy usage without mentioning the customer name.
The new code of conduct attempts to balance the utility’s responsibility to collect and use data with its responsibility to protect customer privacy by using a consent model. The structure of this model is based on primary purposes (no consent required) and secondary purposes (permission required).
An electric utility’s use of account data and CEUD to provide customers with the basic service of supplying and maintaining power is considered a primary purpose because these are actions that are “expected” by the customer. However, if utilities intend to use customer information for any “unexpected” reason other than what is considered a primary purpose, the VCC categorizes this as a secondary purpose.
According to the VCC, participating entities include service providers such as electric utilities, third parties, and contracted agents who can collect, use, and share customer data. Service providers collect data for primary purposes. Third parties request access from service providers for secondary purposes. Contracted agents provide services to customers on behalf of service providers.
Participating entities, according to the VCC, should give customers notice about privacy-related policies and practices. Customers should receive notices at the start of service, on a recurring basis (for example, annually), and “when there is a substantial change in procedure or ownership that may impact customer data”.
Notices should detail (1) the type of information collected, (2) how the data will be used, (3) how customers can access their information, (4) when the data will be shared for primary and secondary purposes, and (5) the service provider’s data security, retention, and disposal practices.
The VCC allows service providers and contracted agents to use customer data for primary purposes; however, the document recommends that they acquire customer consent for secondary purposes. Furthermore, the VCC advises that participating parties implement a consent procedure that alerts customers that specific entities wish to share such-and-such information for this purpose and for this duration. The consent procedure should outline clearly how customers can authorize disclosure and rescind granted authorizations to third parties.
Exceptions to any consent procedure would include information disclosure to law enforcement or regulatory authorities to “preserve the safety and reliability of the electric grid and critical infrastructure”. Service providers who choose to adopt the VCC must enforce the code of conduct by reviewing their customer data practices on a regular basis as well as supply regular training to relevant staff and adhere to applicable legal and regulatory data protection mandates.
THE BOTTOM LINE
The U.S. federal government’s voluntary code of conduct is another positive step forward in protecting the privacy of American citizens. Many states and provinces are continuing to move forward in adopting their own legislation and regulation. Electric utilities fully appreciate the importance of protecting their customers’ information—especially as physical and cybersecurity threats continue to arise. Utilities can help ease customer worries through continued Smart Grid education programs as well as complete transparency—especially to the media—about customer data usage protocols. Adopting the policies mentioned in DOE’s Smart Grid voluntary code of conduct is a great place to start.