In this section we present a catalogue of privacy management issues, organised according to applicable NPP, and also according to the broad category of type of indicated action, which is one of the following:

  • New or improved communications to consumers and/or the general public.
  • Policy setting of DPI and/or the industry.
  • A change to selected technology.
  • New or modified regulation, rules, laws and so on.
  • Further investigation needed to refine any recommendation.

For reference, the National Privacy Principles are set out in an appendix.

The catalogue is set out below with one entry per row of the original table: broad privacy issue, sub-issue, applicable NPP, particular issue, and possible responses and solutions. Where one set of responses applies to several sub-issues, it is listed once after them.

Broad privacy issue: Definitions

Sub-issue: Definition of Personal Information
Particular issue: Concern re whether the data can be related to an identifiable person.
Sub-issue: Scope of what is a 'privacy issue'
Particular issue: Concern re whether consumption data is behavioural data.
Possible responses and solutions:
  • Need to recognise that privacy concerns are real and valid, regardless of legal technicalities about whether interval data may be interpreted differently from the definition of Personal Information.
  • Recognise and respect that consumption data represents information about behaviour in the home (both real time data from the HAN, and predictive data gleaned from half-hourly patterns), which poses increased privacy risks (safety and other risks).
  • All parties to agree to handle all metering data from/about residential meters in compliance with the NPPs.
Broad privacy issue: At the meter

Sub-issue: What data is collected
Applicable NPP: NPP 8 (Anonymity), NPP 1.3 (Notice)
Particular issue: Concern re identifiability and timeliness of data.
Possible responses and solutions:
  • Consumer communications (e.g. brochure, web-based FAQs) to clarify that no name or address data is held in the meter; data is identified only by NMI.
  • Consumer communications to clarify that consumption data is recorded in the meter every 30 minutes.

Sub-issue: Security of data in the meter
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by direct attack on meter.
Possible responses and solutions:
  • Consumer communications (FAQs) regarding security measures taken to protect meters, detect tampering at meters etc.
  • Note that NER part 7.8.2(a) imposes a civil penalty if the "responsible person" fails to use "suitable password and security controls" to protect "energy data held in the metering installation" from "direct local or remote electronic access".

Sub-issue: Access to data in the meter
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: What can be read with the naked eye.
Possible responses and solutions:
  • Consumer communications to explain what the flashing lights mean.

Sub-issue: Retention of data in the meter (200 days)
Applicable NPP: NPP 4.2 (Data Retention)
Particular issue: Excessive data retention increases data security / misuse risks.
Possible responses and solutions:
  • Consider this issue as part of the as yet undeveloped protocol for granting incoming residents access to previous residents' meter data.
Broad privacy issue: In transmission

Sub-issue: What data is transmitted
Applicable NPP: NPP 8 (Anonymity), NPP 1.3 (Notice)
Particular issue: Concern re identifiability and timeliness of data.
Possible responses and solutions:
  • Consumer communications (e.g. brochure, FAQs) to clarify that no name or address data is transmitted; data is identified only by NMI.
  • Consumer communications to clarify that data is not transmitted in real time, but is sent from the meter in batches through the day, and from the DB to AEMO and then to RBs once per day.

Sub-issue: Security of data when in transmission from meter to network (DB)
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by external attack.
Possible responses and solutions:
  • Data is encrypted in transmission.
  • We assume that WiMAX and Mesh Radio security is fit for purpose.

Sub-issue: Security of data when in transmission from DB to AEMO
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by external attack.
Possible responses and solutions:
  • We assume that DB-AEMO communications security is fit for purpose.

Sub-issue: Security of data when in transmission from DB to RB
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by external attack.
Possible responses and solutions:
  • We assume that DB-RB communications security is fit for purpose.
Broad privacy issue: Primary use of data

Sub-issue: Necessity of collection of non-consumption data from the meter for the DB
Applicable NPP: NPP 1.1 (Collection Necessity), NPP 3 (Data Quality)
Particular issue: Justified:
  • Remote read saves money and improves accuracy by obviating estimated reads.
  • DB can control supply to premises remotely (turn power on or off), for better handling of change of residency.
  • Capacity and voltage data from smart meters can indicate power outages and power quality problems, so the DB can fix these faster.
Possible responses and solutions:
  • Consumer communications need to explain this use of the data.
  • We note that greater accuracy is a privacy enhancement attributable to smart metering.

Sub-issue: Necessity of collection of half-hourly consumption data for DB
Applicable NPP: NPP 1.1 (Collection Necessity), NPP 3 (Data Quality)
Particular issue: Justified:
  • Half-hourly consumption data is useful for managing network infrastructure and daily load (infrastructure efficiency can be managed by using TOU pricing to influence customers to shift load and thus flatten peaks in use).
  • DB charges to the RB depend in part on actual consumption by the household; smart metering allows more accurate data and hence more accurate billing.
Possible responses and solutions:
  • Consumer communications need to explain this use of the data.
  • We note that greater accuracy is a privacy enhancement attributable to smart metering.

Sub-issue: Data retention period at DB
Applicable NPP: NPP 4.2 (Data Retention)
Particular issue: National Electricity Rules require at least seven years retention in accessible format.
Possible responses and solutions:
  • NER 7.11.3 re "metering data providers" says data must be kept for 13 months online and archived for seven or more years.
  • Suggest review of the NER to consider (a) whether the same data really needs to be kept in triplicate at DB / AEMO / RB, and (b) whether it is really necessary to keep all the data at the half-hourly granular level; some aggregation after 13 months would be more privacy-protective.
  • Suggest industry may require further prescription re disposal after seven years.

Sub-issue: Necessity of collection for RB
Applicable NPP: NPP 1.1 (Collection Necessity)
Particular issue: Justified:
  • Wholesale market settles on a 30 minute basis.
  • Allows more accurate billing to the customer.
Possible responses and solutions:
  • Consumer communications need to explain this use of the data.
  • We note that greater accuracy is a privacy enhancement attributable to smart metering.

Sub-issue: Data retention period at RB
Applicable NPP: NPP 4.2 (Data Retention)
Particular issue: Excessive data retention increases data security / misuse risks.
Possible responses and solutions:
  • RB practice appears to be to also keep data for seven or more years.
  • Suggest review of the NER to consider (a) whether the same data really needs to be kept in triplicate at DB / AEMO / RB, and (b) whether it is really necessary to keep all the data at the half-hourly granular level; some aggregation after 13 months would be more privacy-protective.

Sub-issue: Necessity of collection for AEMO
Applicable NPP: NPP 1.1 (Collection Necessity)
Particular issue: Justified:
  • Wholesale market settles on a 30 minute basis.
Possible responses and solutions:
  • Consumer communications need to explain this use of the data.

Sub-issue: Data retention period at AEMO
Applicable NPP: NPP 4.2 (Data Retention)
Particular issue: National Electricity Rules require at least seven years retention in accessible format.
Possible responses and solutions:
  • Clause 27 of the Energy Retail Code requires retailers to provide up to two years of historical meter and billing data upon request.
  • Clause 7 of the Electricity Customer Metering Code also requires retailers and DBs to retain historical data for provision to customers upon request. The wording implies the request could relate to data that is more than two years old.
  • NER part 7.9.1(g) requires AEMO to keep metering data (i) online for 13 months and (ii) archived for at least seven years (no maximum period set).
  • Suggest review of the NER to consider (a) whether the same data really needs to be kept in triplicate at DB / AEMO / RB, and (b) whether it is really necessary to keep all the data at the half-hourly granular level; some aggregation after 13 months would be more privacy-protective.
  • Suggest industry may require further prescription re disposal after seven years.
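The retention suggestion repeated for the DB, RB and AEMO rows (13 months of half-hourly data online, aggregation after that, disposal after seven years) is easy to state and easy to get wrong in practice. The following is an added example, not code from the PIA or from any market participant, showing what such a three-tier policy looks like when applied to a store of interval readings. The NMI, the readings, the "as of" date and the decision to clamp cutoff days to the 28th are all constructed assumptions.

```python
"""Retention policy for interval (half-hourly) metering data.

Added example, not part of the PIA: keep half-hourly data online for 13
months, roll older data up to daily totals, and dispose of anything older
than seven years. NMI values, readings and the as-of date are placeholders.
"""
from collections import defaultdict
from datetime import datetime

ONLINE_MONTHS = 13          # half-hourly granularity retained (13 months online)
DISPOSE_AFTER_MONTHS = 84   # seven years; anything older is dropped

# Constructed sample readings: (NMI, interval end time, kWh). NMIs are placeholders.
SAMPLE_READINGS = [
    ("6001000000", datetime(2011, 5, 31, 0, 30), 0.4),   # recent: keep as interval
    ("6001000000", datetime(2011, 5, 31, 1, 0), 0.6),    # recent: keep as interval
    ("6001000000", datetime(2010, 3, 15, 18, 0), 1.5),   # >13 months: roll up to daily
    ("6001000000", datetime(2010, 3, 15, 18, 30), 2.0),  # same day: same daily total
    ("6001000000", datetime(2003, 1, 1, 12, 0), 1.0),    # >7 years: dispose
]
AS_OF = datetime(2011, 6, 1)  # constructed 'today' for the demo


def months_ago(d: datetime, n: int) -> datetime:
    """Return the same time of day n calendar months before d.

    The day-of-month is clamped to 28 so that every target month is valid;
    for a retention cutoff that shift of a day or two is acceptable (assumption).
    """
    years, month_index = divmod(d.month - 1 - n, 12)
    return d.replace(year=d.year + years, month=month_index + 1, day=min(d.day, 28))


def apply_retention(readings, as_of):
    """Return the records that may still be held as of 'as_of'.

    Each record is tagged 'interval' (nmi, timestamp, kWh) or 'daily'
    (nmi, date, total kWh); readings past the disposal cutoff are not returned.
    """
    online_cutoff = months_ago(as_of, ONLINE_MONTHS)
    dispose_cutoff = months_ago(as_of, DISPOSE_AFTER_MONTHS)
    kept = []
    daily_totals = defaultdict(float)
    for nmi, ts, kwh in readings:
        if ts < dispose_cutoff:
            continue                        # beyond seven years: dispose
        if ts >= online_cutoff:
            kept.append(("interval", nmi, ts, kwh))
        else:                               # 13 months to 7 years: daily totals only
            daily_totals[(nmi, ts.date())] += kwh
    for (nmi, day), total in sorted(daily_totals.items()):
        kept.append(("daily", nmi, day, round(total, 3)))
    return kept


def demo():
    """Run the policy over the constructed sample as of AS_OF."""
    return apply_retention(SAMPLE_READINGS, AS_OF)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run as a script it prints two interval records and one daily total; the 2003 reading does not appear. The aggregation step is where the privacy benefit lives: once a day's half-hours are collapsed to a single figure, the within-day occupancy pattern the catalogue is concerned about is no longer recoverable from the archived record.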
Broad privacy issue: Secondary uses of data

Sub-issue: Use of metering connection by DB
Applicable NPP: NPP 2.1 (Use)
Particular issue: Could offer customers "direct load control", i.e. a remote way to switch appliances on or off (e.g. remotely control a pool pump according to price signals).
Possible responses and solutions:
  • Need policy decision re whether this use should be allowed. The answer is probably 'yes' given the systemic benefits; however, we would suggest only with express customer consent.
  • Suggest consultation with consumer groups to inform the policy decision and draft industry guidance (including that consent must be freely given, not conditional and not bundled into the standard contract).
  • Consumer communications need to explain direct load control options, now and likely future.

Sub-issue: Use of consumption data by DB
Applicable NPP: NPP 2.1 (Use)
Particular issue: DBs could use consumption data for marketing energy efficiency advice, products or services.
Possible responses and solutions:
  • Review ESC Marketing Code (and incorporate into NECF): extend coverage to DBs.

Sub-issue: Use of consumption data by RB
Applicable NPP: NPP 2.1 (Use)
Particular issue: Can structure customer billing according to time of use.
Possible responses and solutions:
  • Consumer communications need to explain TOU billing options, now and likely future.
Particular issue: Could offer more targeted advice to the customer re energy efficiency / cost saving measures (e.g. time-shift your appliance use to save $).
Possible responses and solutions:
  • Need policy decision re whether this secondary use should be allowed; probably 'yes'.
  • Need legal opinion (and consultation with the Privacy Commissioner) regarding whether this is a directly related secondary use; if not, it will need customer consent or a legislative override to allow it.
  • Best privacy practice: (a) assume it is not a directly related secondary use, and (b) get specific customer consent to allow it.
  • Recognise the slippery slope from targeted advice to direct marketing.
  • Suggest consultation with the Privacy Commissioner and consumer groups to inform the policy decision and draft industry guidance (including that consent must be 'free', not conditional or bundled into the standard contract).
Particular issue: Could offer targeted products or services (e.g. X brand TV will use less energy than your current TV).
Possible responses and solutions:
  • Recognise the slippery slope from targeted advice to direct marketing.
  • Need policy decision re whether this secondary use would be allowed; probably 'no' except with specific consent from the customer.
  • Suggest consultation with the Privacy Commissioner and consumer groups to inform the policy decision and draft industry guidance.
  • Note the ESC Marketing Code only covers activities leading to a contract; we suspect this means just a contract for the sale of energy, so the Code may not cover marketing by the incumbent retailer of extra services or products (IHDs, appliances, etc.).
  • Review ESC Marketing Code (and incorporate into NECF): extend coverage to DBs; ensure coverage of "exempt" RBs; ensure coverage of marketing activities re extra services or products (IHDs, appliances etc.); consider a ban on marketing messages delivered via IHD.

Sub-issue: Use of data by AEMO
Applicable NPP: NPP 2.1 (Use)
Particular issue: Risk of secondary use.
Possible responses and solutions:
  • AEMO appears unlikely to use the data for secondary purposes; no recommendation.
Broad privacy issue: Misuse of data

Sub-issue: Security of data when 'at rest' at DB
Applicable NPP: NPP 4.1 (Data Security)
Particular issues: Risk of breach by external attack. Risk of misuse by rogue insider.
Sub-issue: Security of data when 'at rest' at RB
Applicable NPP: NPP 4.1 (Data Security)
Particular issues: Risk of breach by external attack. Risk of misuse by rogue insider.
Sub-issue: Security of data when 'at rest' at AEMO
Applicable NPP: NPP 4.1 (Data Security)
Particular issues: Risk of breach by external attack. Risk of misuse by rogue insider.
Possible responses and solutions (DB, RB and AEMO):
  • At least some RBs store data offshore; many people in each DB and RB business can see consumption data; audit logging of their access may not be industry-wide.
  • DPI to review options further for setting industry-wide minimum information security requirements (e.g. in a new Privacy Charter or Code), such as:
    – DBs: should quarantine customer names (used for RoLR events and ensuring physical site access) from interval data.
    – DBs and RBs: should audit log all access by users to interval data.
    – DBs and RBs: retention of data aged two to seven years to be subject to more limited access rights.
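The three minimum requirements listed above (names quarantined from interval data, audit logging of every access, narrower access rights for data aged two to seven years) are controls against the rogue-insider risk in this row. The following is an added example, not code from the PIA or from any DB or RB system, of a small access layer that enforces all three. The role names, the two stores, the NMI and the readings are constructed assumptions.

```python
"""Access layer for interval data 'at rest'.

Added example, not part of the PIA. Customer names live in a separate
identity store; interval data is keyed by NMI only; every access attempt is
audit-logged whether allowed or not; and intervals older than two years are
visible only to the narrower 'archive' role. Roles and data are assumptions.
"""
from datetime import datetime

# Identity store: the only place a name is linked to an NMI (used for RoLR
# events and physical site access), kept separate from interval data.
IDENTITY_STORE = {"Example Customer": "6001000000"}  # constructed placeholder

# Interval store: keyed by NMI only, with no names or addresses.
INTERVAL_STORE = {
    "6001000000": [
        (datetime(2011, 5, 31, 0, 30), 0.4),  # recent
        (datetime(2009, 1, 10, 18, 0), 1.2),  # aged more than two years
    ],
}

# Assumed role model: 'billing' sees recent intervals, 'archive' also sees
# aged intervals, 'site_access' sees identity data only.
ROLE_PERMISSIONS = {
    "billing": {"interval_recent"},
    "archive": {"interval_recent", "interval_aged"},
    "site_access": {"identity"},
}
AGED_AFTER_YEARS = 2
AS_OF = datetime(2011, 6, 1)  # constructed 'today' for the demo


def years_before(d: datetime, n: int) -> datetime:
    """Same calendar date n years earlier, tolerating 29 February."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year - n, day=28)


class DataAccess:
    def __init__(self, as_of: datetime):
        self.as_of = as_of
        self.audit_log = []  # every attempt, allowed or denied, is recorded

    def _audit(self, user, role, action, subject, allowed):
        self.audit_log.append({"user": user, "role": role, "action": action,
                               "subject": subject, "allowed": allowed})

    def read_intervals(self, user, role, nmi):
        """Return interval readings for an NMI, filtered by the caller's role."""
        perms = ROLE_PERMISSIONS.get(role, set())
        if "interval_recent" not in perms:
            self._audit(user, role, "read_intervals", nmi, False)
            raise PermissionError(f"role {role!r} may not read interval data")
        rows = INTERVAL_STORE.get(nmi, [])
        if "interval_aged" not in perms:
            cutoff = years_before(self.as_of, AGED_AFTER_YEARS)
            rows = [r for r in rows if r[0] >= cutoff]  # aged data withheld
        self._audit(user, role, "read_intervals", nmi, True)
        return rows

    def lookup_nmi(self, user, role, name):
        """Resolve a customer name to an NMI; only the identity role may do this."""
        allowed = "identity" in ROLE_PERMISSIONS.get(role, set())
        self._audit(user, role, "lookup_nmi", name, allowed)
        if not allowed:
            raise PermissionError(f"role {role!r} may not resolve customer names")
        return IDENTITY_STORE[name]


def demo():
    """Exercise the three roles and summarise what each could see."""
    access = DataAccess(AS_OF)
    recent = access.read_intervals("u1", "billing", "6001000000")
    full = access.read_intervals("u2", "archive", "6001000000")
    try:
        access.read_intervals("u3", "site_access", "6001000000")
        denied = False
    except PermissionError:
        denied = True
    return {"recent": len(recent), "full": len(full), "denied": denied,
            "audit_entries": len(access.audit_log),
            "denied_logged": any(not e["allowed"] for e in access.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of the separate identity store is that a query against interval data never returns a name: linking an NMI to a person requires a second, separately logged lookup under a role that cannot read intervals. Recording denied attempts as well as successful ones is what makes the audit log useful for detecting an insider probing beyond their role.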
Broad privacy issue: Disclosures of data

Sub-issue: To parties partnered with an RB
Applicable NPP: NPP 2.1 (Disclosure)
Particular issue: Disclosures beyond consumer expectations.
Possible responses and solutions:
  • Privacy notices need to mention any routine disclosures.

Sub-issue: To third party service providers (e.g. financial counsellor, energy analyst, demand aggregator or home automation service)
Applicable NPP: NPP 2.1 (Disclosure)
Particular issue: Disclosures beyond consumer expectations.
Possible responses and solutions:
  • Note that the current policy / regulatory setting (NER Ch 7) does not allow direct third party involvement. However, consumers can request the data for themselves, and then pass it on to their chosen third party service provider. [13]
  • When in future consumption and/or appliance data is to be sent from the RB to the third party service provider, specific consumer consent should be obtained, and only for the purpose of providing a service back to the consumer (this will require a change to NER Ch 7).

Sub-issue: To researchers, auditors etc.
Applicable NPP: NPP 2.1 (Disclosure)
Particular issue: Poorly handled disclosures create new privacy risks and erode trust.
Possible responses and solutions:
  • DBs and RBs to develop standard protocols for managing requests for data from researchers, auditors etc.

Sub-issue: To law enforcement
Applicable NPP: NPP 2.1 (Disclosure)
Particular issue: Poorly handled disclosures create new privacy risks and erode trust.
Possible responses and solutions:
  • DBs and RBs could have standard protocols for managing requests for data from law enforcement agencies.
Particular issue: Disclosures beyond consumer expectations.
Possible responses and solutions:
  • Privacy notices (see below) need to mention potential disclosure for law enforcement purposes.
Broad privacy issue: Customer access via RB

Sub-issue: Authentication of the customer online
Applicable NPP: NPP 6.1 (Access)
Particular issue: Risk of illegitimate access by someone other than the authorised customer.
Possible responses and solutions:
  • Protocols will need to be developed to allow appropriate authentication of the customer online, when HAN binding processes are formalised.

Sub-issue: Accessibility of the data
Applicable NPP: NPP 6.1 (Access)
Particular issue: Data must be meaningful and useful.
Possible responses and solutions:
  • Protocols to be developed for RBs to give customers their data on request, in a standard format (e.g. Excel spreadsheet).

Sub-issue: Security of the online portal
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by external attack.
Possible responses and solutions:
  • DPI could commission an independent TRA of online portals, and communicate results through consumer channels.
Broad privacy issue: The HAN

Sub-issue: Security of data in transmission to the HAN
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by external attack: consumption data.
Possible responses and solutions:
  • DPI could commission an independent TRA of the ZigBee system, and communicate results through consumer channels.
  • Consumer communications (e.g. FAQs) to note that smart meters' HAN functionality is off by default, and needs a special signal from the DB to activate.

Sub-issue: Security of the HAN
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of breach by external attack: register of smart appliances bound to the HAN.
Possible responses and solutions:
  • DPI could commission an independent TRA of the ZigBee system, and communicate results through consumer channels.

Sub-issue: Unauthorised access to data in the HAN
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Change of occupancy: risk that the new customer may access the old customer's data.
Possible responses and solutions:
  • There are arguments for and against making past meter data available to new occupants. On one hand, meter data should be regarded as PI pertaining to the old occupant; on the other, new occupants have interests in efficiency indicators. There is some precedent in the way past electricity bills are now made available to buyers/renters. The AMI program should work with consumer groups to resolve the balance of interests.
    – Protocols must then be developed by the BPPWG to control a new customer accessing data (relating to the old customer's consumption or appliances) retained in the meter or HAN; e.g. the RB must tell the DB on move-out; the DB should delete data in the meter at some point.
  • Consider amending the NECF or NER to ensure this protocol is legislated.
Particular issue: Change of occupancy: risk that the old customer may continue to access or control appliances.
Possible responses and solutions:
  • The old customer must not be able to control the HAN or appliances after moving out.
  • Protocols to be developed by the BPPWG to, ideally, automatically un-bind devices from the meter when the customer changes; e.g. the RB must tell the DB on vacancy; the DB must change the access code for the HAN.
  • Consider amending the NECF or NER to ensure this is legislated.

Sub-issue: HAN to IHD or other personal device (e.g. smart phone or PC)
Applicable NPP: NPP 4.1 (Data Security)
Particular issue: Risk of illegitimate access by someone other than the authorised customer.
Possible responses and solutions:
  • Protocols to be developed to allow binding of devices to the meter with appropriate authentication of customer, NMI and HAN/device, without compromising the security code held by the DB.
Particular issue: Consumer choice.
Possible responses and solutions:
  • Consumer communications to explain the different options re use of the HAN.
  • Consumer communications to explain if/when a DB or RB could tell if you have a home alarm system (only if you tell them or you bought it from them) or if the alarm is on or off (only if you also give them access to your real time data from the HAN).

Sub-issue: HAN to RB to customer
Applicable NPP: NPP 1.1 (Collection Necessity), NPP 4.1 (Data Security)
Particular issue: Necessity of additional collection of appliance data by the RB.
Possible responses and solutions:
  • The RB might need to know the types of other 'smart' appliances connected to the HAN for doing direct load control.
  • Otherwise, the collection or generation of this information should be prohibited under industry protocols.
Particular issue: Necessity of additional collection of real time consumption data by the RB.
Possible responses and solutions:
  • Any solution must recognise that complete customer benefits cannot be realised without a program which combines (i) real time consumption data (from the HAN rather than via the daily transfer from the DB) and (ii) real time tariff info (from the RB).
  • RBs get the consumption data anyway for wholesale and billing purposes, although delayed by a day.
  • Further investigation is needed of the opportunity to develop software for consumers which retrieves consumption data from the HAN, and retrieves up-to-date tariff and other price/energy messages from the RB, without sending consumption data from the HAN to the RB.
  • If it is considered necessary to send consumption data from the HAN to the RB, specific consumer consent should be obtained, and only for the purpose of providing analytics back to the consumer.
Particular issue: Risk of illegitimate access by someone other than the authorised customer.
Possible responses and solutions:
  • Protocols to be developed by the BPPWG to allow linking of the HAN to the RB.

Sub-issue: HAN to third party service provider (analyst or home automation service) to customer
Applicable NPP: NPP 2.1 (Use), NPP 4.1 (Data Security)
Particular issue: Additional risks (data security, misuse, secondary use, data mining etc.) posed by allowing additional organisations (some of which may not be conventionally registered market participants) to see any or real time consumption data.
Possible responses and solutions:
  • Further investigation needed of the opportunity to develop software for consumers which retrieves consumption data from the HAN, and retrieves up-to-date tariff and other price/energy messages from the RB, without sending consumption data from the HAN to any third party.
  • Note that the current policy / regulatory setting does not allow third parties to receive data from industry, but they can get it from customers.
  • If it is considered necessary to send consumption data from the HAN to a third party analyst, specific consumer consent should be obtained, and only for the purpose of providing analytics back to the consumer.
Particular issue: Necessity of additional collection of 'appliance' data by the third party.
Possible responses and solutions:
  • Further investigation needed of which third parties might need to know the types of other 'smart' appliances connected to the HAN (e.g. perhaps home automation systems would need to know this, but not competing retailers, energy use analysts or financial counsellors).
  • If not needed, the collection or generation of this information should be prohibited under industry protocols.
Particular issue: Risk of illegitimate access by someone other than the authorised customer.
Possible responses and solutions:
  • Protocols to be developed to allow linking of the HAN to a third party analyst.
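Both the "HAN to RB" and "HAN to third party" rows above flag for further investigation the same design: consumer software that reads consumption from the HAN and fetches tariff and price messages from the RB, so that the analytics run in the home and no consumption data leaves it. The following is an added example, not code from the PIA or from any RB or vendor, sketching that data flow. The tariff message layout, the tariff code, the half-hourly readings and the stubbed RB call are constructed assumptions; the stub records every outbound request so the example can check that consumption never travels outward.

```python
"""Consumer-side time-of-use analytics that keep consumption data in the home.

Added example, not part of the PIA: half-hourly readings come from the HAN,
the tariff comes from the RB, and costs are computed locally. The tariff
message format, tariff code and readings are constructed assumptions; the RB
request is stubbed and logged so that its contents can be inspected.
"""
from datetime import datetime

# Constructed tariff message as an RB might publish it (format is an assumption).
# Bands cover the 24-hour clock: start hour inclusive, end hour exclusive.
RB_TARIFF_MESSAGE = {
    "tariff_code": "TOU-EXAMPLE",
    "bands": [
        {"name": "off_peak", "start": 0, "end": 7, "c_per_kwh": 12.0},
        {"name": "shoulder", "start": 7, "end": 15, "c_per_kwh": 22.0},
        {"name": "peak", "start": 15, "end": 21, "c_per_kwh": 35.0},
        {"name": "off_peak", "start": 21, "end": 24, "c_per_kwh": 12.0},
    ],
}

# Constructed half-hourly readings read locally from the HAN: (interval start, kWh).
HAN_READINGS = [
    (datetime(2011, 6, 1, 6, 0), 0.5),
    (datetime(2011, 6, 1, 6, 30), 0.5),
    (datetime(2011, 6, 1, 8, 0), 1.0),
    (datetime(2011, 6, 1, 18, 0), 2.0),
    (datetime(2011, 6, 1, 18, 30), 1.5),
    (datetime(2011, 6, 1, 22, 0), 0.8),
]


def fetch_tariff(tariff_code, outbound_log):
    """Stand-in for the request to the RB.

    The request carries only the tariff code; each outbound message is
    appended to outbound_log so the caller can verify nothing else left.
    """
    request = {"tariff_code": tariff_code}
    outbound_log.append(request)
    return RB_TARIFF_MESSAGE


def rate_for(tariff, ts):
    """Band name and rate (cents per kWh) applying at timestamp ts."""
    for band in tariff["bands"]:
        if band["start"] <= ts.hour < band["end"]:
            return band["name"], band["c_per_kwh"]
    raise ValueError(f"tariff {tariff['tariff_code']} has no band for hour {ts.hour}")


def local_cost_breakdown(readings, tariff):
    """Total kWh and cost in cents per tariff band, computed entirely locally."""
    totals = {}
    for ts, kwh in readings:
        name, rate = rate_for(tariff, ts)
        band = totals.setdefault(name, {"kwh": 0.0, "cents": 0.0})
        band["kwh"] += kwh
        band["cents"] += kwh * rate
    return {name: {"kwh": round(v["kwh"], 3), "cents": round(v["cents"], 1)}
            for name, v in totals.items()}


def run_locally():
    """Fetch the tariff, cost the HAN readings, and report what left the home."""
    outbound_log = []
    tariff = fetch_tariff("TOU-EXAMPLE", outbound_log)
    breakdown = local_cost_breakdown(HAN_READINGS, tariff)
    total_cents = round(sum(b["cents"] for b in breakdown.values()), 1)
    return breakdown, total_cents, outbound_log


if __name__ == "__main__":
    breakdown, total_cents, outbound_log = run_locally()
    print(breakdown, total_cents)
    print("sent to RB:", outbound_log)
```

The only message that leaves the home identifies a tariff, not a premises or a reading, which is the property the catalogue is after: the customer still gets the combined real time consumption and tariff view, while the RB and any third party see nothing beyond the daily transfer they would receive anyway.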
Broad privacy issue: Accountability

Sub-issue: Coverage of NPPs
Particular issue: Some participants may not be covered by the NPPs (e.g. new market entrants with turnover <$3M pa).
Possible responses and solutions:
  • Use some regulatory mechanism (e.g. NECF, NER, ESC Regs or Vic AMI Program Specs) to require all RBs to opt in to the NPPs if not already covered.
  • Note the ESC Code of Conduct for Marketing Retail Energy in Victoria (Jan 2009, part 6) already requires RBs to comply with the NPPs in relation to their marketing activities.

Sub-issue: Enforcement of NPPs
Particular issue: Consumer groups not happy with (lack of) enforcement of NPPs in other sectors.
Possible responses and solutions:
  • Engage consumers further in the development of other options; e.g. should complaints instead be dealt with through an industry code, an industry ombudsman or the AER?
  • Consumer communications to clarify complaint-handling options / processes / contact details.

Sub-issue: NPPs are not prescriptive
Particular issue: Industry and consumers will seek interpretation of the NPPs.
Possible responses and solutions:
  • The current ESC Regulation requires each RB to develop its own "Privacy Principles"; this may lead to confusion re terminology (most are already bound by legislated Privacy Principles, the NPPs) and inconsistency in the detail.
  • An industry-wide "Privacy Charter" (policy-based) or "Privacy Code" (an enforceable regulatory document created under the NPPs) may be a better option, or something under the NECF.
Broad privacy issue: Transparency

Sub-issue: Consumer involvement
Particular issue: Consumers not involved in technological trials.
Possible responses and solutions:
  • Involve consumer groups (both tech-savvy and tech-wary) in trials of IHDs.
Particular issue: Consumers not involved in developing communications.
Possible responses and solutions:
  • Involve consumer groups (both tech-savvy and tech-wary) in the AMI Communications Working Group.
  • Ask consumer groups to provide input re consumer needs and concerns.
  • Use a professional communications firm to develop a draft communication strategy, including a staged approach and outreach via consumer NGOs.
  • Ask consumer groups to review the draft communications strategy, and to review draft consumer messages.

Sub-issue: Program is opaque
Particular issue: Public not clear who does what or why the program is necessary. Written messages come from DBs but generate calls to the RBs.
Possible responses and solutions:
  • Need a uniform consumer/public-facing brochure to clearly explain the technology (the what), the program (the why: benefits to the community now, individual benefits later), the rollout (the when/where/who) and the future (the what next), as well as who to contact for more info or with different types of complaints.
  • Need FAQs on privacy and security. Include a diagram of data flows, and clarity that no identifiable data goes to government.
  • Communications to be Government-branded (rather than DB- or RB-branded).
  • Refresh the smart metering website (http://new.dpi.vic.gov.au/smart-meters).

Sub-issue: Notice
Applicable NPP: NPP 1.3 (Notice)
Particular issue: Lack of privacy notices to consumers re interval metering as a new data collection.
Possible responses and solutions:
  • Develop plain language layered privacy notices for consumers, to be included in ongoing rollout-date messages. The notice should refer to the brochure, FAQs etc. (see above).
  • Include the brochure (see above) in the mail-out re the rollout-date message.
  • Need a program to send the brochure to households where meters are already installed (e.g. by the RB with the next bill).

Sub-issue: Publication
Applicable NPP: NPP 5 (Openness)
Particular issue: Lack of transparency causes mistrust.
Possible responses and solutions:
  • Consider publishing extracts of TRA reports.
  • Consider publishing the PIA report in full, or extracts.
Broad privacy issue: Choice

Sub-issue: Consent
Particular issue: Customer choices must be freely made, and able to be changed at any time.
Possible responses and solutions:
  • Protocols to be developed to allow customers to easily understand their choices (e.g. choice to turn on the HAN, use a third party service provider, etc.), and to easily exercise / change those choices.

[13] It would be privacy enhancing for consumers to be given the data themselves and to subsequently pass it on to third parties if desired, as this maximises transparency and control, yet it may not be practical. Experience of third party services [1] shows the attractiveness of automated data handling.

Page last updated: 09/06/17