On Personal Information
Data privacy is often framed in the commercial world in terms of explicit customer details and especially valuable information such as credit card numbers. Yet the legal definition of "Personal Information" under information privacy law is broad. According to the Privacy Act 1988 (Cth):
information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (emphasis added).
That is, any data that can feasibly be related to a customer counts as Personal Information and becomes subject to the NPPs. This includes data that is internally generated within an organisation, or which is indirectly collected from an entity other than the individual concerned.
Further, while the word "collection" tends to connote an interaction between a person and the collector of Personal Information, it is important to understand that information privacy law is largely blind to the manner in which PI comes to be present in a business. The automatic electronic transmission of data into a business by whatever means, where the data could be associated with an individual, generally counts as an act of collection under the Privacy Act.
We note there is a view that power consumption data generally relates to the aggregate behaviours of multiple members of a household rather than any one individual (excepting sole occupants of course). To some extent this aggregation serves to protect privacy, because even if the name of the electricity account holder were to be associated with the interval meter data, it wouldn't necessarily reflect that person's power usage compared with other members of their household. Lockstep on the other hand cautions that this might be an overly technical treatment, and may appear self-serving. We urge a precautionary approach (especially since DBs and RBs do not know for sure which of their customers are sole occupants) in which metering data from all residential premises would be handled in compliance with the National Privacy Principles.
The Australian Privacy Commissioner has also urged the development of privacy protections in relation to smart metering,8 notwithstanding the technical argument about data being associated with a small group of individuals (a household) rather than with one individual (the known customer).
8 See Energy meters could make burglars smarter, The Australian, 22 Nov 2010
http://www.theaustralian.com.au/news/nation/energy-meters-could-make-burglars-smarter/story-e6frg6nf-1225958013268 (accessed 22 July 2011).
On "ownership" of information
A number of consumer groups we interviewed suggested that there was uncertainty over who owns data generated by smart meters, and that this uncertainty should be resolved. There may well be other reasons to clarify this matter, but Lockstep advises that ownership is not actually a practical tool for managing privacy. No clear legal principles exist as yet for property rights over data (and some mooted mechanisms such as intellectual property protection are somewhat controversial and unattractive in online consumer affairs).
Moreover, in the Australian privacy regime, businesses are obligated to safeguard Personal Information regardless of who "owns" it. The concept of information ownership does not figure in the Privacy Act . We hope that the recommendations of this PIA, framed within existing regulations, prove satisfactory to consumer organisations without needing to appeal to the concept of ownership.
Perceived privacy problems
Smart metering here and overseas has attracted significant community concerns. It is worthwhile recapping what the major concerns are, ahead of making an objective analysis of the information privacy issues.
In general, Lockstep recommends that community concerns be taken seriously, and that they be fully investigated. Where the concerns are found to have substance, obviously the implications should be managed, via tools like this PIA. Where community concerns are not substantiated, it is nevertheless important that the AMI program undertake an awareness program to seek to put the majority of peoples' minds at rest.
Over the course of our investigation, we compiled the following catalogue of privacy concerns and related objections:
- smart metering may reveal householders' behaviour patterns
- smart metering may reveal times of absence from the house, either directly by observing the flashing lights from afar or by surreptitiously accessing back end data, and therefore create personal security risks (see e.g. paragraph 7)
- smart metering may reveal whether home alarm systems exist, and are switched on or off, therefore presenting personal security risks
- smart metering may provide means for extra and unwanted direct marketing from electricity businesses; as the Victorian Privacy Commissioner put it, "if the usage data is shared beyond the electricity provider, this type of information could be used by other electricity companies, for research purposes or even by third parties for direct, targeted marketing based on usage" 
- smart metering may reveal other information to third parties such as the types of appliances in the home
- some find the flashing lights emotionally confronting, suggestive of "Big Brother" operating at a new level across neighbourhoods;9 some consumers feel anxious in the absence of clear education about what exactly the flashing lights are for.
Lockstep also sees parallels between the use of wireless communications in the Home Area Network and the community sensitivities raised when it came to light that Google and other businesses were routinely surveying the presence of wifi installations detectable from the street, and inadvertently collecting network payload data at the same time. There is a significant political risk to public acceptance of AMI should consumers misunderstand its use of wireless technology in the HAN as having the same vulnerabilities as regular wifi, or worse, believe that HAN communications cross over with other wireless networks.
Privacy positives of the program
Several aspects of the AMI program and smart metering technology provide distinct privacy benefits. We identify and commend the following as privacy enhancing features:
- The working groups of AMI and the National Smart Metering Program provide a pre-existing governance skeleton and decision making forum in which to resolve many of our recommendations. In particular, the refreshed AMI Communications Working Group10 in principle should be able to "own", review and implement any of our findings.
- As a result of the ESC's review, ESC Registered Participants have already been tasked to develop "privacy principles"11 specific to the dissemination of consumption information from smart metering through IHDs, before IHDs are utilised.
- Smart metering should result in an improvement in the quality of customers' consumption data held by RBs (thanks mainly to the elimination of estimated reads). Enhancing the accuracy and quality of Personal Information is intrinsically good for privacy (as per the Quality Principle NPP 3; see Appendix).
- In the longer term, the ability for customers to access their own metering data (via IHDs and/or third parties) is intrinsically good for privacy (as per the Openness Principle NPP 5; see Appendix).
- There is evidently a strong information security culture at Registered Participants, and security obligations also bind Participants pursuant to the Minimum AMI Functionality Specification and Chapter 7 of the NER. The international information security standard ISO 27001 has been adopted across the sector. At least one DB appears to routinely do security TRAs.
- Use of NMIs means that some degree of de-identification is built in to raw power consumption data (although we hasten to add that in itself this protection is not at all absolute and should only be viewed as being a privacy 'aid').
- Smart meters' HAN connectivity is turned off by default, and can only be turned on by active intervention from the DB on request from a customer (potentially via their retailer). Procedures for this have been identified by the BPPWG but not yet written; inadvertent activation is highly unlikely until procedures are put in place.
- When networking is activated, all HAN traffic is always encrypted. Unlike regular wifi networks, it is not possible to de-activate HAN encryption. "Drive-by" snooping on HAN network information or power consumption is not practicable.
- As and when the new HAN binding procedures are developed, there is an opportunity to ensure that connection to third party services is made on an opt-in basis, with consumers needing to take express steps with their meter provider to consent to services and devices joining the HAN.
- Smart metering does not provide DBs and RBs with real time visibility into a customer's behaviour. Data is uploaded from smart meters with a delay of several hours, up to 24 hours. This ameliorates to some extent the concern that smart meters expose householders to increased security concerns, although the fact remains that behaviour patterns might be inferred. Instantaneous real time data will be available only to devices connected directly to the meter over the ZigBee network.
9 One consumer advocate related the unusual and off-putting sight of lights blinking all the way down a street of terrace houses, "like Christmas lights". We appreciate the impression that may be given of houses being networked together in surreptitious ways without householders' consent.
10 This group, made up of industry, consumer advocates and other relevant organisations, was established by the AMI Policy Committee to provide advice to government on communications aspects of the program.
11 We actually understand this to mean what are better called privacy policies.
We also identified the following positive features of the Victorian electricity industry in general, which serve to improve the prospects of implementing the recommendations of this PIA:
- Smart metering is being implemented in a highly regulated industry, with a rich management controls environment. Registered Participants are strictly licensed. No entity can gain access to power consumption data without going to substantial efforts.
- There are several existing binding codes of practice overseen by the ESC, including electricity metering in general, and the marketing of retail energy. These codes help to protect privacy. Furthermore, the existence of such elaborate codes points to a culture and a governance framework in which additional privacy measures can be implemented as need be.
- All electricity metering data is already specifically classified as "Confidential" under the Electricity Customer Metering Code (see section 7.2) which brings obligations to protect its privacy.
- The ESC's licence conditions for Participants entail information security standards compliance.
- All Participants are also bound by the National Electricity Rules which (in chapter 7 particularly) set down detailed rules around the collection of metering data, entitlement to handle and access that data, security and confidentiality provisions.
- There needs to be an appreciation that even though the fact of electricity consumption data collection has not changed, the dramatically increased frequency of collection—from once every three months to once every 30 minutes—significantly changes the value and meaning of the data. The richness of the data can yield information about behavioural patterns within each household. It is this richness which creates the most important new privacy risks for householders.
- Smart metering also introduces the theoretical potential for collection of a new instance of Personal Information concerning specific appliances used in the home. Widespread activation of HANs is contingent on the development of business processes and technical protocols for the exchange of security codes between the meter and the DB; this development is identified in the BPPWG work plan but has yet to commence. In the absence of activation processes, some small scale HAN pilots have been conducted and may continue. Ideally such pilots would provide useful information on potential new PI flows and issues, for consideration by the BPPWG when formalising HAN arrangements.
More work may need to be done (within the BPPWG) to delineate and if necessary control the possibility of DBs compiling registers of appliances bound to each HAN. It is important that the community's anxieties about HANs not be exacerbated by any sudden increase in HAN activations, and that it is made clear that consumers will be in control of their home networks.
- While some of the more common privacy concerns (such as worries about hacking or eavesdropping on the wireless transmissions from the meter) are not substantiated, the program has not yet systematically dealt with these concerns. In an environment where overall the AMI program receives significant attention in the media, the program needs to carefully separate and deal with privacy concerns and other issues, to avoid conflation.
- In the industry there seems to be an under-appreciation of what constitutes Personal Information. In particular, some DBs appear to believe that "Personal Information" is confined to customer furnished data such as credit card details, or that metering data intrinsically doesn't qualify as PI as it is associated with a NMI only (and not a name or address) at time of collection and transmission. It is not uncommon for private sector businesses to develop a narrow view of privacy, informed by such topical issues as identity theft and credit card fraud, yet the legal definition of PI is actually much broader, as discussed above. It seems likely that some subsets of metering data held at DBs would constitute Personal Information because that data may be linked to identifiable persons; if so, businesses may be unaware of the full range of obligations that go with holding PI.
- Furthermore, it would be difficult for a DB to show that metering data it holds cannot be linked to a named individual, given the proximity in the same organisation of RoLR and other data which links names and addresses to NMIs. Therefore trying to make a case that metering data is definitely not Personal Information would be challenging.
- Privacy Policies of DBs seem mainly concerned with PI collected on the websites of the Participants. It is less obvious what policies they have around metering data and the potential for authorised disclosure to third parties.
- DBs' interests in smart metering are not totally aligned with RBs', and communications to date have not proactively covered consumers' privacy concerns; instead they have tended to describe essentially mechanical issues to do with the installation of the meters. Yet it is RBs that hold the main customer relationship, and some tend to find themselves fielding consumer questions and concerns, despite not owning the meters and not having been responsible for the limited information provided to consumers to date. The broader implications of meter data sharing (at this stage more a matter of perception than of substantive privacy risk) are nevertheless of great concern to consumers, and more attention needs to be paid by DBs and RBs jointly to allay public anxieties.
- There is some tension between "innovation" and privacy (though this hasn't yet taken shape as an explicit conflict as it has in certain sectors of the digital economy). On the one hand, the industry is leaning towards getting some experience with HANs and developing procedures as they go, whereas consumer groups would prefer to see firm privacy protections put in place beforehand. HANs are inherently more privacy protective than consumers may realise (because all HAN traffic is encrypted, the network is inactive by default, no devices can automatically join, there is no realistic possibility of drive-by snooping, and the limited ZigBee bandwidth will restrict IHDs from becoming advertising screens) and the tension might be eased if people were made more aware of HAN properties.
- A new type of interaction between RB and DB appears necessary in future to manage consent to bind new HAN devices. The security codes that must be presented to the smart meter (as HAN controller) are known by the DB (or potentially in future by a separate Metering Provider) but the customer who is to authorise binding is known definitively by the RB. Some type of authentication must be performed—presumably by the RB—on requests to bind new HAN devices, and the fact of authentication then handed over to the DB. This may require careful design to prevent unnecessary disclosure of customer PI to the DB, but it does not appear to be a major challenge.
Other high level privacy issues
Availability of previous occupants' metering data
We understand there is an unresolved standing issue about how interval data in the meter should be scrubbed when new occupants take over the electricity account. There would appear to be competing interests in this data. On the one hand, previous occupants may feel that it is private. On the other hand, incoming householders may have an interest in the power efficiency of a premises, and real estate agents may feel it important to make relevant information available in some way.
We do not feel that it is in-scope for this PIA to make a clear ruling on this issue. Instead we recommend that the AMI program (and also the BPPWG) work with consumer groups to strike a reasonable balance between these potentially conflicting interests.
RBs' and DBs' customer database security
From interviews we found there to be a historically reasonable security culture at Retail Businesses, in line with their customer focus. There appears to be consistently serious training of customer service personnel, appropriate internal privacy practices, and commensurate database security. However, we did not find much, if any, regular audit being done of the way the customer databases are used. We suspect that customer databases would not be typically configured for detailed auditability of potential misuses of customer information. Yet we believe that the presence of detailed interval data will provide new opportunities for criminal abuse by a rogue insider and even ad hoc access to records out of curiosity by the odd unscrupulous staff member. If so, then more rigorous auditing may need to be instigated.
Distribution Businesses have understandably not had as much customer focus as the RBs. Distributors do however treat all metering data as confidential, as required by the ESC, and appear to follow strong security practices including compliance with ISO 27001 and in at least one case, regular internal Threat & Risk Assessment. It is important to ensure that access to DBs' databases is also tightly controlled and audited.
We understand that the various data stores at DBs that hold RoLR related information and other customer details are separate from the interval data stores, as they should be. It is important that re-identification of NMI-keyed metering data by linking to name-and-address records is deliberately made difficult.
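As an added illustration of the two points above (the limited auditability of customer database use, and the ease of re-identifying NMI-keyed interval data where name-and-address records sit in the same organisation), the following constructed example is not part of this PIA or any Participant's system. It shows the one-line join that re-identifies raw interval rows, then a separated design in which the interval store holds only a keyed pseudonym of the NMI and every re-identification passes through a linking service that records an audit entry, which can then be reviewed for bulk or out-of-purpose lookups. All customers, NMIs, keys, operators and purposes are constructed placeholders.

```python
"""Constructed illustration: NMI-keyed interval data, re-identification via a
RoLR-style name-and-address table, and a separated, audited linking design."""
import hashlib
import hmac
from collections import Counter

# Constructed sample data (hypothetical customers and NMIs, not real ones).
ROLR_CUSTOMERS = {  # hypothetical RoLR store: NMI -> (name, address)
    "6001000001": ("A. Example", "1 Sample St, Sampleville"),
    "6001000002": ("B. Example", "2 Sample St, Sampleville"),
}
INTERVAL_READS = [  # hypothetical interval store: (NMI, 30-minute slot, kWh)
    ("6001000001", "2011-07-20T00:00", 0.21),
    ("6001000001", "2011-07-20T00:30", 0.19),
    ("6001000002", "2011-07-20T00:00", 0.42),
]


def naive_join(reads, customers):
    """When both stores share the raw NMI, re-identification is a trivial join."""
    return [(customers[nmi][0], slot, kwh)
            for nmi, slot, kwh in reads if nmi in customers]


# Hardened design: the interval store carries an HMAC pseudonym of the NMI.
# The key is held only by the linking service, not by the analytics store.
LINK_KEY = b"constructed-demo-key-held-only-by-linking-service"


def pseudonymise(nmi, key=LINK_KEY):
    """Keyed pseudonym: stable for the same NMI, useless without the key."""
    return hmac.new(key, nmi.encode(), hashlib.sha256).hexdigest()[:16]


def build_pseudonymous_store(reads):
    """Interval rows as they should be held for analysis: no raw NMI present."""
    return [(pseudonymise(nmi), slot, kwh) for nmi, slot, kwh in reads]


class LinkingService:
    """Holds the key and the NMI map; every re-identification is audited."""
    ALLOWED_PURPOSES = {"billing_dispute", "fault_response"}  # hypothetical

    def __init__(self, customers, key=LINK_KEY):
        self._index = {pseudonymise(n, key): n for n in customers}
        self._customers = customers
        self.audit_log = []  # (operator, pseudonym, stated purpose, allowed)

    def reidentify(self, operator, pseudonym, purpose):
        """Return name and address only for a recognised purpose; log regardless."""
        allowed = purpose in self.ALLOWED_PURPOSES and pseudonym in self._index
        self.audit_log.append((operator, pseudonym, purpose, allowed))
        if not allowed:
            return None
        return self._customers[self._index[pseudonym]]


def flag_bulk_lookups(audit_log, threshold=2):
    """Audit review: operators whose successful lookups exceed the threshold."""
    counts = Counter(op for op, _, _, ok in audit_log if ok)
    return sorted(op for op, n in counts.items() if n > threshold)
```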
Meter Data Management systems and billing systems are being revamped at various businesses, to cope with the enormous volumes of interval data being collected. During this PIA we could not see how these systems are configured. We simply observe (without knowing whether this is the case or not) that care is needed to restrict access to interval data on a need to know basis.
The interviews, our review of the communications provided by DBs (in the main) to consumers, and our sampling of DBs' and RBs' privacy policies indicate that the concept of Privacy Notices is not well ingrained in this industry. In general, any organisation collecting Personal Information should provide appropriate notice to individuals concerned, particularly in order to satisfy NPP 5, the Openness Principle (see Appendix). Privacy notices generally set out a summary of why, how and when Personal Information is collected, cite any applicable legislation that authorises collection, and provide contact details so individuals can make inquiries. There have been opportunities for such notice to be given to smart meter customers, but presumably because metering data is not regarded as Personal Information, no details like these have been disseminated in AMI.
Providing understandable and actionable information about information privacy can be challenging in complex settings like electricity metering. As discussed, the reasons for collecting metering data are multi-faceted and quite technical. Such information needs to be presented in different ways; otherwise it will by turns confuse some readers and fail to answer the questions of others.
The UK Information Commissioner's Office has produced excellent advice on layered privacy notices. They describe the challenge as follows:
When collecting personal information you should be realistic about how interested the public is in the way you are going to handle it. Many individuals will be more concerned with receiving the goods, services or benefits that they have applied for. They are unlikely to read a detailed privacy notice, or to make a complaint about the way you handle their personal information, unless they feel their personal information has been handled badly. This is why a 'layered notice' can be useful. 
We informally discussed with the Privacy Commissioner12 a privacy notice for smart metering structured along the following lines:
- Provide reassurance as to the legislation and codes under which all electricity businesses operate, and other high level mechanisms that help to protect consumer information.
- Explain what control consumers have over how metering data is used, and what policies [will] apply to protect future uses.
- Explain why smart metering has been introduced, from all applicable perspectives (including economics, price signalling, infrastructure planning, efficiency, reduction of cost of reading meters, new functions for remote control, and new services for consumers).
- Set out more detail for interested readers to follow through if desired, and detailed cross references.

Beyond these high level considerations, this PIA was not scoped to develop privacy notices, but we do include below a recommendation that a reasonably consistent industry-wide form of notice be developed and promulgated.
Other individuals contracting for third party services
In the historical domestic metering setting, there has been little if any commercial concern with anyone other than the electricity account holder, who may for all intents and purposes have been regarded as the 'head of the household'. But now with a wealth of information being available about power consumption and efficiency, and many new ways to communicate about appliance usage and energy efficiency, the potential arises for retailers or third parties to wish to engage with more individuals than just the 'head of the household' or electricity account holder. It was suggested to us by DPI during this study that energy efficiency related contracts might in future be struck between individuals in a household and retailers or third parties, involving IHDs or smart appliances.
From a privacy point of view we must remember that the metering data itself aggregates the power drawn by all appliances and does not indicate individual behaviour (where more than one person is in the household). And yet interval meter data does merit more protection than does accumulation meter data. As discussed elsewhere in this report, it may be prudent to safeguard smart meter data in line with the National Privacy Principles (NPPs). If this were the case, then there should be constraints on the way that anyone, including others in the household, makes use of meter data.
Accordingly, when in future the possibility arises that individuals in a household wish to enter into third party contracts relating to energy efficiency or other use of smart meter data, we would recommend that consent of the main electricity account holder be necessary. That is, such third party contracts should be signed by both the individual and the main electricity account holder.
12 Reference: interview with Timothy Pilgrim, 20 July 2011.
Page last updated: 09/06/17