A summary of findings
- Technically, privacy controls are relatively strong in the AMI program. Metering data is suitably protected in transit and at rest, and is subject to confidentiality provisions in the ESC's codes and licensing regime, as well as the NER. The industry has adopted good information security standards and practices. The security of smart meters themselves is well designed; in particular, the wireless communications links between meters and Distribution Businesses, and between meters and Home Area Networks, appear very sound. All wireless links are encrypted, and unlike domestic wifi networks which have proven problematic for drive-by snooping, smart meter encryption cannot be disabled. There are also strong security governance practices; it is not currently possible for third parties to obtain metering data without being licensed participants, or without having commercial arrangements with e.g. a Retail Business. For the time being, these barriers put a brake on metering data function creep.
- Yet communication to consumers about the privacy realities of smart metering has generally been poor, part of a pattern of sparse and narrow communication focused on the mechanics of the rollout rather than the benefits and broader features of the system. A spectrum of privacy anxieties has been allowed to build up in the community, many of which prove not to be substantive, but all of which need to be treated seriously and respectfully.
- Industry participants, especially Distribution Businesses, tend to have a narrow understanding of Personal Information, believing that PI generally relates to explicit customer records. In reality the legal definition is much broader, covering any information from which the identity of an individual is apparent or can reasonably be ascertained.
- While most metering data is keyed by NMI and does not contain explicit names and address details, we find that metering data can potentially be re-identified using other, albeit separate, databases which Distribution Businesses have in-house. It is difficult to make a case that metering data could not be Personal Information.
- Many retailers and distributors at this time are implementing new customer databases, in response to the need to handle vastly increased volumes of metering data.
- Historically, customer data seems suitably protected at Retail Businesses. All RBs interviewed for this PIA described similar internal regimes of customer service personnel training, privacy policies, and access controls over customer databases.
- In contrast with large government customer databases operated for health & welfare, driver licensing and the like, where the availability of high grade customer records inevitably leads to a finite level of abuse, RBs and DBs reported no known experience of abuse by insiders of Personal Information.
- Detailed interval data must be accessible to customer service personnel at Retail Businesses, in order to assist them to resolve customer billing inquiries and complaints. On the other hand, such access provides new opportunities for corruption because from now on it exposes detailed behavioural information about consumers, which may be useful to criminals.
- Given the seemingly negligible incidence of abuse, it is not surprising that interviewees were unsure what auditing, if any, is conducted of how staff use the customer databases, or of the inherent auditability of the systems. We infer that auditability of databases (to track which customer records are accessed by which staff at which times) may not be a high priority for RBs and DBs.
Suggested privacy considerations for DPI and the industry
To demonstrate good faith to consumers and the public, the AMI program in general should promote a precautionary approach to privacy.
- If metering data were handled in accordance with the National Privacy Principles, it would provide tangible acknowledgment by the industry of community concerns. Rather than debating technicalities around the precise definition of Personal Information, it may be better to concede that DBs in many cases are able to associate name and address with NMIs, and that metering data therefore merits a stronger duty of care than appears to be the case at present.
The infrastructure implications of adopting this stance should be relatively minor because there are reasonably high levels of security already in place. However, it would be wise for all players to refresh their Privacy Policies to more clearly explain how they treat and manage metering data.
- An Opt-In policy for all secondary usage of metering data would go a long way to improving the community's perceptions of privacy in the AMI program and would lay the foundations for safer sharing of data with the many third party services seeking to participate in smart metering.
- The need for such high volumes of redundant metering information to be retained across RBs and DBs as well as AEMO should be revisited.
- While information security management standards are well practised, the industry might do more to adopt minimum security policy settings for protecting interval data against misuse, such as auditing of customer database access (see also Other recommendations below).
- Without harming the competitive nature of the industry and the ability of businesses to differentiate themselves according to service and so on, the industry could consider crafting consistent text for inclusion in layered privacy notices, to help ensure that all consumers have the same basic appreciation of smart metering, especially if the NPPs are adopted, and if secondary use of metering data is agreed to be managed on an Opt-In basis.
Suggested privacy considerations for Distribution Businesses
- DBs should apply the precautionary principle to the way they handle data. While it can be argued that metering data keyed by NMI is not identified as such, it is not difficult for DBs to associate NMIs with consumers. Therefore DBs should strengthen the way they handle all metering data.
- While confidentiality is already required by the ESC and is assured via security standards, DBs should take a broader view of privacy, and invest more effort in explaining to customers the purpose of smart metering, the ways in which metering data is used and disclosed, the regulatory and operational measures that protect the data, and the rights that consumers [will] have to control the flow of data.
- DBs should review and update their Privacy Policies accordingly. Such a review would constitute a good response to the ESC's final decision that requires development of "privacy principles" for HANs.
- Because the potential for abuse by rogue insiders of customer records is likely to rise when they come to include interval data and behavioural indicators, DBs should ensure that customer database use is auditable and is in fact routinely audited.
Suggested privacy considerations for Retail Businesses
- RBs should review their Privacy Policies in response to the ESC's final decision that requires development of "privacy principles" for HANs.
- Because the potential for abuse by rogue insiders of customer records is likely to rise when they come to include interval data and behavioural indicators, RBs should ensure that customer database use is auditable and is in fact routinely audited.
Suggested privacy considerations for future third parties
- Consider that all secondary use of metering data—regardless of how useful it may arguably be for efficiency advice, load management and so on—should be subject to express customer consent, and use this strict Opt-In model to engender consumer trust.
- Be sensitive to the fact that sections of the community are especially anxious about surreptitious re-use of Personal Information (given unfortunate experiences such as the covert collection of home wifi network data by Google Street View cars) and make an effort to offer explanations of how metering data moves through the system, and why.
The critical recommendations
- All metering data from or about residential meters should be handled throughout the AMI system in accordance with the NPPs, in order to safeguard it against potential abuse, better control future secondary usage by unregistered third party participants, and to more clearly demonstrate to customers and the public that the industry is committed to privacy.
- Privacy Policies of Distribution Businesses and Retail Businesses should be reviewed and updated to describe each organisation's commitment to the NPPs, including explanations of why smart metering data is collected, how it is used, under what circumstances is it disclosed, and the range of regulatory and operational safeguards that protect it.
- Even though details of how third party services and HANs will operate remain sketchy, it would be appropriate at this stage for RBs' and DBs' Privacy Policies to anticipate the sharing of data beyond their businesses and circumscribe access to metering data. Note that this action should satisfy the ESC's call for "privacy principles" to be developed before IHDs are deployed.
- The industry should adopt and promote an Opt-In policy of not putting metering data to any secondary purposes without express customer consent.
For the avoidance of doubt, and to maximise consumers' sense of control, such secondary uses should include even those that seem reasonably related to the primary purpose for collection, such as the provision of efficiency advice. The industry should ensure that consent to secondary uses is always freely given, is not conditional, and is never bundled into acceptance of an electricity supply contract.
The AMP Policy Committee should review any suggested exceptions to the Opt-In that might be put forward by Registered Participants, and if agreed, officially specify them.
- A fresh awareness campaign should be mounted to improve consumers' understanding of smart metering and privacy. The campaign should be centred on a commitment by all organisations involved in AMI to (a) complying with the NPPs in the handling of metering data, and (b) not putting metering data to any secondary use without the consumer expressly opting in.
Specific messages for consideration are provided under "Other recommendations" below.
- As and when DBs and RBs implement new databases as part of the AMI adoption, they should take care to keep raw metering data (keyed by NMI alone) separate from all other identifiable customer records in order to mitigate against ready re-identification. In general it is essential that teams implementing, configuring and maintaining databases are fully aware of the NPPs and the broad legal definition of Personal Information, to help them avoid inadvertent privacy problems.
- Consideration should be given to a review of the National Electricity Rules to consider (a) whether duplicate interval data really needs to be kept in triplicate at Distribution Businesses, AEMO and Retail Businesses, and (b) whether it is really necessary to keep all the data at the half-hourly granular level. From a privacy perspective, some aggregation after two years would be preferable.
- Consideration should be given to clarifying what meter data may be (or should be) disposed of after seven years. From a privacy perspective, unless there is a clear reason to retain fine grain interval data at each Participant, it should be destroyed, or aggregated to the greatest reasonable extent.
- The ESC should consider reviewing the Electricity Marketing Code with a view to extending it to cover Distribution Businesses and other parties potentially making use of metering data. In particular, the Code may need to clarify a broader meaning of "marketing" beyond the formation of new retail contracts. The review should come before the possible incorporation of the Code into the NECF.
- The recommended awareness campaign could be coordinated by a reenergised AMI Communications Working Group. The campaign might include fresh letters to householders, new FAQs and other materials that would best be defined in detail by communications professionals.
- New messaging about smart metering privacy should probably come from government, to lend it authority and credibility, and because there is not a widespread understanding in the community of the role of electricity distributors and retailers, or even awareness of all the players. Further, the new government's past undertakings to review the AMI program make it logical for an appropriate Minister to lead the new messaging.
- The awareness campaign should consider promoting the following privacy positive features of AMI:
- existing regulations and sanctions under the NERs, ESC and so on that protect consumers against abuse of metering data
- the purpose of interval data collection
- how TOU pricing works
- the meaning of the flashing lights
- the policy of Recommendation 4 (to be confirmed) that all secondary uses of metering data shall be subject to express consent
- how direct load control works
- security measures taken to protect meters, detect tampering etc.
- security measures taken to protect access to consumption data
- the absence of name and address details in transmitted metering data, which is identified only by NMI
- the governance measures that control HANs and restrict access
- the extent to which any party can tell if a home alarm system is present
- the fact that all meter-to-DB communications and all HAN traffic is encrypted.
- Processes may need to be developed, with assistance from consumer groups, for granting incoming residents access to defined aspects of previous residents' meter data. Technical protocols will be needed to inform DBs of a change of occupant and to delete old meter data at some point. This action should take into account NPP 4.2 (Security: Data Retention). Some amendment to the NECF or NER may also be needed.
- Review "Privacy Notices" provided to smart meter customers— whether they be explicit or implicit (as is often the case where passages of legal text are incorporated into other customer communications)— and ensure that the notices properly anticipate the potential secondary uses of metering information (such as providing energy efficiency advice direct to consumers, supporting third party services on an opt-in basis and so on).
- Consider developing a common skeletal layered Privacy Notice that all organisations involved in AMI can use as a basis for their own notices, setting out the industry's regulatory protections, the reasons and uses for smart meter data collection, and the controls that consumers have over how meter data is used.
- Require that small Retail Businesses that might otherwise fall below the SME criterion for the Privacy Act expressly opt in to the NPPs with the Office of the Privacy Commissioner.
- Consider industry-wide minimum security policy settings for protecting interval data against misuse, including the following possibilities:
- DBs should quarantine all data containing customer names from raw interval data
- DBs and RBs should audit log all access by users to interval data
- retained interval data aged between two and seven years should be subject to more limited access rights than more recent data that might be needed to resolve billing issues.
- In order to support future options for sending consumption and/or appliance data from Retail Businesses to third party service providers (with specific consumer consent as recommended above) a change to NER Chapter 7 should be considered.
- In order to give consumers access to their interval data (as required by the Access & Correction Principle NPP 6), protocols should be developed for providing data in standard forms such as Excel spreadsheets.
- In order to boost consumer confidence in the security of the system, DPI should consider commissioning an independent Threat & Risk Assessment (TRA) of any new online portals. We note that very recent regulatory developments in California have raised security standards for smart meters, with new requirements coming to conduct regular security audits.
- Protocols will need to be developed for preventing old occupants from still having access to and/or control over the HAN after they vacate premises. Ideally, when a smart meter's customer changes, there should be an automatic unbinding of devices from the HAN, and the access code for establishing a HAN on that meter should be changed. It may be prudent to amend the NECF or NER to legislate these measures.
- When the BPPWG comes to develop business processes and protocols for HAN activation, it should enact the Opt-In policy of Recommendation 4 above (to be confirmed) that all secondary uses of metering data shall be subject to express consent. Further, the BPPWG should consider enforceable requirements that data is handled across all HANs in accordance with the NPPs.
- If in future individuals within a household enter into third party contracts relating to use of smart meter data, such contracts should be signed by both the individual and the main electricity account holder.
- The ESC should amend the wording of its decision to refer to Privacy Policies or Codes, rather than "Privacy Principles" because the latter term has a technical meaning in legislation.
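The re-identification finding (metering data keyed by NMI alone can be joined to identifiable records that DBs and RBs hold in-house) and the minimum security policy settings suggested above (quarantining names from raw interval data, audit logging every access, and restricting access to data aged between two and seven years) can be made concrete in code. The following is an added example, not code from the PIA or from any Registered Participant: it keeps raw interval data and customer identity in separate stores, exposes one sanctioned, purpose-checked join between them, serves older data only in aggregated form under the two- and seven-year horizons the page discusses, writes an audit entry for every access attempt, and runs a simple detection over that log for a user touching unusually many NMIs in a day. All NMIs, readings, names and the fixed "today" date are constructed for the example; the role names, the sanctioned link purposes and the bulk-access threshold are assumptions.

```python
"""Toy model of the metering-data handling controls recommended above.

Added example; not code from the PIA or any Registered Participant. NMIs,
readings, names and the fixed clock are constructed; role names, link
purposes and the detection threshold are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime

TODAY = date(2012, 1, 1)     # fixed clock so results are reproducible
AGGREGATION_YEARS = 2        # page: aggregate half-hourly data after two years
RETENTION_YEARS = 7          # page: dispose of (or aggregate) data after seven years
LINK_PURPOSES = {"billing dispute", "meter fault"}   # assumed reasons that justify a join

# Raw interval data keyed by NMI alone: half-hourly readings in Wh (constructed).
INTERVAL_DATA = {
    "NMI0001": [(datetime(2011, 12, 31, h, m), 400) for h in range(24) for m in (0, 30)],
    "NMI0002": [(datetime(2009, 6, 1, h, m), 200) for h in range(24) for m in (0, 30)],
    "NMI0003": [(datetime(2004, 6, 1, 8, 0), 500)],
}
# Identifiable customer records, held apart from the raw data (constructed).
CUSTOMER_RECORDS = {
    "NMI0001": {"name": "A. Example", "address": "1 Sample St"},
    "NMI0002": {"name": "B. Example", "address": "2 Sample St"},
}
AUDIT_LOG = []   # one entry per access attempt, served or denied


def _age_years(ts, today):
    return (today - ts.date()).days / 365.25


def _audit(user, nmi, purpose, outcome, today):
    AUDIT_LOG.append({"when": today, "user": user, "nmi": nmi,
                      "purpose": purpose, "outcome": outcome})


def read_interval_data(user, role, nmi, purpose, today=TODAY):
    """Serve readings for one NMI under the age-tiered policy and audit the access.

    customer_service: readings younger than AGGREGATION_YEARS (billing queries only).
    analyst: the same, plus older readings aggregated to daily totals.
    Anything at or beyond RETENTION_YEARS is treated as disposed and never served.
    """
    if role not in ("customer_service", "analyst"):
        _audit(user, nmi, purpose, "denied", today)
        raise PermissionError(f"role {role!r} may not read interval data")
    recent, daily = [], defaultdict(int)
    for ts, wh in INTERVAL_DATA.get(nmi, []):
        age = _age_years(ts, today)
        if age >= RETENTION_YEARS:
            continue                     # past retention horizon: disposed
        if age < AGGREGATION_YEARS:
            recent.append((ts, wh))      # fine-grain data for billing resolution
        elif role == "analyst":
            daily[ts.date()] += wh       # older data only as daily totals
    result = recent + sorted(daily.items())
    _audit(user, nmi, purpose, f"served {len(result)} rows", today)
    return result


def link_identity(user, nmi, purpose, today=TODAY):
    """The single sanctioned join between NMI-keyed data and a customer identity."""
    if purpose not in LINK_PURPOSES:
        _audit(user, nmi, purpose, "link denied", today)
        raise PermissionError(f"purpose {purpose!r} does not justify re-identification")
    _audit(user, nmi, purpose, "linked", today)
    return CUSTOMER_RECORDS.get(nmi)


def flag_bulk_access(audit_log, max_nmis_per_day=5):
    """Detection over the audit log: users touching many distinct NMIs in one day."""
    seen = defaultdict(set)
    for e in audit_log:
        seen[(e["user"], e["when"])].add(e["nmi"])
    return {user: len(nmis) for (user, _day), nmis in seen.items()
            if len(nmis) > max_nmis_per_day}


if __name__ == "__main__":
    print(len(read_interval_data("cs1", "customer_service", "NMI0001", "billing query")))
    print(read_interval_data("an1", "analyst", "NMI0002", "load study"))
    for i in range(6):
        read_interval_data("rogue", "customer_service", f"NMI{i:04d}", "curiosity")
    print(flag_bulk_access(AUDIT_LOG))
```

The point of the separation is that `read_interval_data` never sees a name or address, and `link_identity` is the only code path that can put the two together, so the audit log records exactly when and why a re-identification happened. The bulk-access check is deliberately crude; in a real deployment it would run over the database's own access logs rather than an in-process list, and the threshold would be tuned to the call-centre's normal workload.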
Page last updated: 09/06/17