Scope & Deliverables
This PIA was conducted on behalf of DPI in order to ascertain the overall state of consumer privacy protection within the AMI program, in parallel with the broader program reviews being undertaken by the new state government. The contracted PIA was required to deliver the following:
- Project description: Broadly describe the project, including the aims and whether any personal information will be handled.
- Mapping the information flows and privacy framework: Describe and map the project's personal information flows and document all relevant legislative and organisational rules.
- Privacy impact analysis: Identify and analyse the project's privacy impact.
- Privacy management: Consider how to manage any privacy impact, particularly options that will improve privacy outcomes and still achieve the project's goals.
- Recommendations: Produce a final PIA report covering the above stages and including recommendations.
This report is structured accordingly.
This PIA is not a detailed assessment of the privacy compliance of any particular organisation involved in smart metering. It may be the case that electricity distributors and retailers will undertake separate PIAs of their respective businesses, in the same way as they undertake their own security evaluations. Moreover, our investigation of privacy and security practices at various participants was limited to relatively short interviews, to attain a general understanding of how RBs and DBs work with customer data across the board. We have had to generalise to a significant extent about security and customer service practices. We have tried to make clear in this report where we make assumptions and where such assumptions should be substantiated by further investigation.
The PIA was focused on the difference to privacy made by introducing smart metering. We do not seek to pass judgement on the privacy arrangements for customer data collected from older "accumulation" ("spinning disk") meters, nor on any other data handled by businesses.
The PIA does attempt to anticipate (as best we can at this stage) privacy issues arising in the medium term, when Home Area Networks (HANs) come to be activated, and when power consumption data may start to be shared with third parties which are not currently Licensed Participants.
This PIA was conducted primarily by means of a desk-top review of business analysis and technical documents and in-person interviews with selected stakeholders.
In summary, the desk-top review covered:
- AMI project documentation
- NSMP project documentation
- Customer communications of the DBs and RBs
- ZigBee technical specifications
- ESC regulations and codes
- the National Electricity Rules (particularly chapter 7)
- selected stakeholder submissions to AMI program reviews.
The full list of documents in the desk-top review appears in the References section.
We conducted two waves of focused stakeholder meetings as detailed in the table below, in order to understand the AMI program from all angles, and to collaboratively explore and uncover privacy issues. The first wave of meetings (June 21-22) was with individuals for the most part selected by DPI to give us a fast start to the investigation stage, including consumer groups and advocates. We met informally [1] with members of the Energy Networks Association (ENA) and the Electricity Retailers Association of Australia (ERAA) to discuss broad industry issues. During the first visit we were also able to make a few additional ad hoc appointments. The second wave (July 11-12) was an attempt to engage with a fuller and more representative set of industry stakeholders.
[1] These meetings were "informal" in the sense that they were not conducted on the basis of anyone claiming to represent the official views of the respective associations. Rather, individuals were senior players in the industry and could be relied upon as authoritative insofar as they are deeply informed by the perspectives of retail and distribution business.
|9 June||PIA engagement kickoff (teleconference)|
|21 June||Orientation meeting (DPI, 1 Spring St.)|
|21 June||Technical briefing (DPI, 1 Spring St.)|
|21 June||Consumer group briefing (DPI, 1 Spring St.)|
|22 June||Informal ENA briefing (DPI, 1 Spring St.)|
|22 June||Informal ERAA briefing (DPI, 1 Spring St.)|
|22 June||Marketplace briefing (AEMO, 530 Collins St.)|
|22 June||Consumer group briefing (DPI, 1 Spring St.)|
|23 June||Retailer meeting (Lumo, 575 Bourke St.)|
|11 July||Consumer group briefing (98 Elizabeth St.)|
|11 July||AMI management briefing (DPI, 1 Spring St.)|
|11 July||Retailer meeting (DPI, 1 Spring St.)|
|11 July||Retailer meeting (DPI, 1 Spring St.)|
|11 July||BPPWG briefing (AEMO, 530 Collins St.)|
|12 July||Retailer meeting (teleconference)|
|12 July||Consumer group briefing (172-190 Flinders St.)|
|12 July||Follow-up technical questions (DPI, 1 Spring St.)|
|12 July||Regulatory meeting (ESC, 35 Spring St.)|
|20 July||Regulatory meeting (OPC, Sydney)|
On July 27 we convened a three-hour workshop in Melbourne with a wide range of stakeholders, to present interim findings and to discuss the ramifications of our initial recommendations. Attendees were as follows:
|Eleanor McCracken Hewson||Department of Primary Industries|
|Graham Dawson||Department of Primary Industries|
|Peter Clements||Department of Primary Industries|
|Michael Stoyanoff||Department of Primary Industries|
|Paula Cosgrove||Department of Primary Industries|
|Stephen Wilson||Lockstep Consulting|
|Peter Wallace||Citipower/Powercor|
|Jason Forte||Privacy Victoria|
|Tim McCoy||GE Energy|
|Miguel Brando||GE Energy|
|Sallie Proctor||AGL Energy Limited|
|Judy Anderson||Smart Grid Australia|
|Simon Vardy||Smart Grid Australia|
|Pia Herbert||Department of Business and Innovation|
|Alan Love||Simply Energy|
|Louizanne Diaz||Neighbourhood Energy Pty Ltd|
|Stephen Major||United Energy and Multinet Gas|
|David Calder||Origin Energy|
|Jo Benvenuti||Consumer Utilities Advocacy Centre|
|Stephen Grant||Red Energy|
|Chris Logie||Energy and Water Ombudsman of Vic|
|Susan Streeter||Energy Networks Association|
|Caroline McGeechan||Australian Power & Gas|
|Janine Rayner||Consumer Action Law Centre|
|Phil Waren||Essential Services Commission|
|Craig Memery||Alternative Technology Association|
|Dean Lombard||Victorian Council of Social Service|
|James Harris||SMS Management & Technology|
|Gary Campanella||AMI Program Office|
Terms of reference
The primary terms of reference for this PIA are the National Privacy Principles (NPPs), based on the fact that in Victoria all DBs and nearly all RBs are large privately owned enterprises. There are two types of exception to this rule.
Firstly, it is possible that the very smallest electricity retailers fall below the annual revenue limit that defines small-to-medium enterprises (namely $3M p.a.) which are exempt from the Privacy Act. While it is expected that any viable RB would generate revenues in excess of $3M eventually, it may be prudent during the early stages of such a business to clarify that it is expected to comply with the NPPs. One way to ensure this is for small retailers to expressly opt in to be bound by the NPPs, as can be done at http://www.privacy.gov.au/business/small/opting
Secondly, the ownership of one RB, namely Red Energy, may be traced back to state governments via Snowy Hydro Limited. This means that Red Energy is neither a private business nor a federal government agency, and thus it falls outside the jurisdiction of federal privacy legislation. Nevertheless, we note that both Red Energy and Snowy Hydro have committed themselves to the NPPs:
"Red Energy is committed to compliance with the laws that protect your personal information, including the Privacy Act 1988 and the National Privacy Principles" (http://www.redenergy.com.au/page.html?privacy accessed 6 July 2011)
"Snowy Hydro Limited is committed to complying with the National Privacy Principles set out in the Privacy Act 1988 (Cth)" (http://www.snowyhydro.com.au/utility.asp?pageID=7 accessed 6 July 2011)
We occasionally make additional reference to the Victorian Charter of Human Rights & Responsibilities, for it includes obligations with respect to individual privacy. Technically, the Charter only applies to the government of Victoria and not to private industry, yet because smart meters are mandated by government, there is an argument that the Charter may be relevant. We also note that the Victorian Privacy Commissioner made mention of the Charter in her submission to the ESC review when she highlighted that people are concerned about smart metering representing a sort of intrusion into their homes. If the Charter does not hold sway formally, it still acts as a useful benchmark.
The Victorian Human Rights Commission notes that:
"The Charter ... requires that the Victorian Government, public servants, local councils, Victoria Police and other public authorities consider human rights when they make laws, develop policies and provide their day-to-day services."
That is, as an arm of government, DPI may need to refer to the Charter when developing policies in the AMI program, even though electricity market participants are not themselves bound by it.
DPI should take heed also of the statement that "the Victorian Ombudsman can receive and investigate complaints about whether administrative actions taken by the Government, local councils and public authorities are in breach of, or have not properly considered human rights".
Page last updated: 10/06/17