Smart Meters Privacy Impact Assessment
Lockstep performed a major Privacy Impact Assessment (PIA) on smart electricity metering for the Victorian Department of Primary Industries. We believe this is one of the few smart meter PIAs that have been published to date.
- Victoria's smart meters involve no collections, disclosures or other flows of PII beyond the meters' legitimate purposes
- there is no need for operational changes to the way electricity retailers, distributors and the Australian Energy Marketplace Operator handle PII
- inadvertent privacy risks with Home Area Networks (HANs) such as exposure to drive-by snooping are unlikely
- however, new business processes will have to recognise and address potential privacy concerns before smart meter based HANs are widespread
- nevertheless, the electricity industry should do more to engage privacy issues, especially openness about use and disclosure, and the choices that consumers will have to control secondary usage in future
- little public information has been made available about smart meters
- community concerns abound and some are warranted; while many anxieties exceed the actual risks, corporate communications must be improved
- Lockstep recommends that all smart meter data be handled in accordance with the National Privacy Principles (NPPs), regardless of any fine arguments about whether metering data technically counts as PII; a uniformly high standard of care is appropriate given anxieties about smart metering, and the future potential value of the data.
Lockstep Consulting [in partnership with Salinger Privacy] was engaged by the Department of Primary Industries to undertake a Privacy Impact Assessment (PIA) of Victoria’s Advanced Metering Infrastructure (AMI) or “smart metering” program. The scope of this PIA is the smart metering program in general, with the objective of establishing whether the program as overseen by DPI has properly anticipated the privacy impacts of introducing interval metering, remote communication and control capabilities to domestic consumers, and whether the management and design of the new metering system provides for adequate controls over Personal Information, including the governance of new controls yet to be developed for potential broader usage of power consumption data.
The PIA uncovered no collections, disclosures or other flows of Personal Information concerning consumers that would go beyond the [smart meters'] legitimate purposes. We see no need for any operational changes to the way electricity retailers, distributors and [the Australian Energy Marketplace Operator] AEMO handle information flows. Security is generally very good, as required by Essential Services Commission licensing, the National Electricity Rules and the Minimum [smart meter] Functionality Specification, and there are high expectations of confidentiality imposed by industry codes. Technical security standards and conservative default settings mean that inadvertent privacy risks with Home Area Networks (HANs) such as exposure to drive-by snooping are unlikely. Business processes are not yet in place for the widespread establishment of HANs from smart meters, and it will be some time before they are, but these will have to recognise and address potential privacy concerns.
Yet the broader concerns of privacy―most notably openness about use and disclosure, and the choices that consumers will have to control secondary usage under a future AMI environment―are not well ingrained across the electricity industry. Relatively little public information has been made available about smart meters. A range of community concerns abound and some of them are warranted. While many of the public’s anxieties exceed the actual risks of privacy invasion, a much improved program of communications aimed at consumers and the general public is recommended. Communications to date have been limited to the mechanics of the meter rollout, and have done little to allay concerns relating to the broader sharing of metering data that will be made possible in the medium term. We recommend a fresh set of messages be designed by a reenergised AMI Communications Working Group, covering the reality of smart metering information flows, the limited extent to which they reveal behavioural patterns within households, and the choices that consumers have to control them. The sheer volume of meter data being retained now for many years should be reviewed, with consideration given to de-identification, aggregation and/or earlier deletion if there is not a compelling business need to retain all raw data well beyond two years.
We recommend that all metering data should be handled in accordance with the National Privacy Principles (NPPs). Regardless of any fine arguments about whether metering data technically counts as Personal Information, committing to and applying the NPPs will set a uniformly high standard of care, commensurate with the community’s broad anxieties about smart metering, and with the future potential value of the data.
All Retail Businesses and Distribution Businesses should review and update their privacy policies in this light, to articulate how they understand their obligations under the National Privacy Principles. Distribution Business especially should note that the legal definition of Personal Information is broader than customer records and the like. It appears that materials given to consumers to date have not included much information about the primary purpose of collecting smart meter data and the potential for secondary usage of the data. Nor has the industry clearly communicated the many safeguards that are already in place to protect consumer privacy, such as the National Electricity Rules, the ESC licence conditions and the ESC’s codes. All organisations handling metering data should therefore review and update their “Privacy Notices” or any other explanations provided in customer information about how their data is handled. The complexity and depth of metering information means that layered privacy notices are advisable.
The electricity industry anticipates a great deal of innovation to be enabled by smart metering, with many new services to help consumers better manage their energy efficiency, and the emergence of new third party services. Such rapid changes coming on the heels of the physical meter rollout may create further anxieties. Looking ahead, we believe the industry needs to do more than improve the way it explains these developments. To demonstrate good faith to consumers and the public, we recommend that the industry commit to an Opt-In model, such that secondary usage of smart meter data, to the greatest practical extent, is only made with express consent of the customer.
In summary, the present privacy shortcomings of the AMI program may be addressed by updating Privacy Policies, refreshing and extending customer communications, committing to the National Privacy Principles, and committing to an Opt-In model for managing secondary use of metering data. None of these recommendations should mean immediate operational changes, and no privacy response will change the license conditions of any Registered Participants. In the medium term, an Opt-In model will influence the design of business processes for HAN activation and for other sharing of metering data with third parties.
The full report is available online at http://www.smartmeters.vic.gov.au/about-smart-meters/reports-and-consultations/lockstep-dpi-ami-pia-report