The use of consumers energy consumption data emanating from smart meters is governed by the Data Access Privacy Framework (DAPF).

Similar documents
The Information Commissioner s response to the Competition and Market Authority s Energy market investigation: notice of possible remedies paper.

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

GDPR & Charitable Fundraising: Spotlight on Charitable Trust fundraising

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

General Data Protection Regulation (GDPR) Frequently Asked Questions

CBI Response to BEIS Call for Evidence

20 C 20 % Making electricity use smart & flexible. How consumers could cut down on electricity use during peak hours and benefit 20 C 22 C

Privacy notices, transparency and control

Consultation on extending the existing smart meter framework for data access and privacy to Smart-Type Meters and Advanced Meters

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Getting Ready for the GDPR

1

GDPR & Charitable Fundraising: Spotlight on corporate fundraising

Foundation trust membership and GDPR

GDPR Service Information Sheet

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

OECD Policy Guidance for Protecting and Empowering Consumers in Communication 1 Services

GDPR & Charitable Fundraising: Spotlight on community fundraising

EU Regulation 2016/679, GDPR. GDPR, the DPA98 on Steroids

How employers should comply with GDPR

GDPR factsheet Key provisions and steps for compliance

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

General Data Protection Regulation (GDPR) A brief guide

A Parish Guide to the General Data Protection Regulation (GDPR)

General Data Protection Regulation. The changes in data protection law and what this means for your church.

12 STEPS TO PREPARE FOR THE GDPR

Data Protection. Policy

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

The General Data Protection Regulation: What does it mean for you?

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

Conducting privacy impact assessments code of practice

Data Protection Policy

COMMISSION STAFF WORKING PAPER

Find out about the General Data Protection Regulation (GDPR) and what your club will need to do to comply with the Law.

Regulates the way data controllers process personal data

GDPR. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Preparing for the General Data Protection Regulation (GDPR)

EU GENERAL DATA PROTECTION REGULATION

Commissioning Services from Community and Voluntary Sector

P315 Publication of Gross Supplier Market Share Data

THE DANISH ELECTRICITY RETAIL MARKET. Introduction to DataHub and the Danish supplier-centric model

Guidance on the General Data Protection Regulation: (1) Getting started

Heart of England NHS Foundation Trust

Telephone directory information obligations and regulations

EU General Data Protection Regulation (GDPR)

Guide to the GDPR. Contents. dbsdata.co.uk

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

GDPR Factsheet - Key Provisions and steps for Compliance

GDPR. Guidance on Employee Personal Data

Information Commissioner s Office. Consultation: GDPR consent guidance

Preparing for GDPR 27th September, Reykjavik

Personal information online code of practice

Council of the European Union Brussels, 19 February 2015 (OR. en)

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

In partnership with. GDPR for marketers: The essentials

ICT Security Certification 2017

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

General Data Protection Regulation

Are the 2020 renewables targets (for electricity and heat) achievable? If not, why not?

The Internal Energy Market

Data protection (GDPR) policy

Equality Act 2010: Obtaining Information

By to: Rachel Clark Programme Director, Switching Programme Ofgem 9 Millbank London SW1P 3GE.

East Riding of Yorkshire Council Data protection audit report. Executive summary March 2014

The Sage quick start guide for businesses

Information Sharing Agreements

Smart tariffs balancing innovation and complexity. GB Smart Customer Response Trials Workshop May 2011

Summary: Intervention and Options

Setting the Energy Bid Floor

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

GPS watches for children marketing and contract terms and conditions

Vendor Agreements and the New EU GDPR Steps to Take Now

General Data Protection Regulation (GDPR) Strategy

A European Electricity Market Design Fit for the Energy Transition

Energy Retail Markets. An International Review

Data Protection Principles for Connected Vehicles

Guidelines on the protection of personal data in IT governance and IT management of EU institutions

Information Governance Strategic Management Framework

IMPACT OF THE NEW GDPR DIRECTIVE ON OUTSOURCING ARRANGEMENTS

NECA response to Quality of VET in Assessment. Discussion Paper

10691/17 GW/ns 1 DGE 2B

The voice of the customer: information and education needs of consumers in transition to smart metering and smart grids

WSGR Getting Ready for the GDPR Series

Council of the European Union Brussels, 20 December 2017 (OR. en)

The (Scheme) Actuary as a Data Controller

Date: INFORMATION GOVERNANCE POLICY

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Tackling Tariff Design. Making distribution network costs work for consumers

PG&E s General Comments on Demand Response Vision Update. January 11, 2008

Colleges and public authority status under data protection legislation

Information Governance Policy

Data Protection Policy

The New EU General Data Protection Regulation and its Consequences for IT Operations and Governance

General Optical Council. Data Protection Policy

Demand based network tariffs offering a new choice

St Mark s Church of England Academy Data Protection Policy

Transcription:

The Information Commissioner s Office response to the Department of Business, Energy & Industrial Strategy and Ofgem s Call for Evidence on a Smart, Flexible Energy System. The Information Commissioner s Role The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 ( DPA ), the Freedom of Information Act 2000 ( FOIA ), the Environmental Information Regulations ( EIR ) and the Privacy and Electronic Communications Regulations 2003 ( PECR ). She is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where she can, and taking appropriate action where the law is broken. The Commissioner welcomes the opportunity to respond to the call for evidence on the future of the UK s energy grid. She recognises the importance of creating a smart and flexible energy network to cope with changing demands in the future. New technologies that use electricity in new ways, for example electric cars, and new ways of managing demand through flexible pricing and storage systems are important for managing the electricity network. However, with these changes, the impact on individuals and their privacy needs to be considered. As the Call for Evidence points out, these technologies will result in the generation, transmission and collection of significant quantities of data and that those data will likely constitute personal data and as such be covered by data protection law. The handling of this data needs to be done in compliance with current and impending data protection law, in ways that respect privacy. Respecting individuals privacy, and giving individuals genuine choices in the use of their data will not only ensure compliance with the law but also promote trust and confidence in these digital products and services. This response focuses on the aspects of the consultation which raise privacy concerns or impact on privacy. The use of consumers energy consumption data emanating from smart meters is governed by the Data Access Privacy Framework (DAPF). This January 2017 V1.0 1

framework was drawn up by Ofgem and places certain obligations on energy suppliers and network operators with regard to accessing consumption data. The granularity of data that can be accessed by energy suppliers depends on whether the consumer has opted in or opted out. The DAPF sets out the following requirements: Energy suppliers can have access to monthly consumption data by default for billing and account purposes Energy suppliers can access daily consumption data unless the customer has opted out Energy suppliers can access less granular data, down to half-hourly data, if the customer has opted in In most cases network operators are precluded from accessing half-hourly data unless it has been anonymised or aggregated such that it is no longer personal data. Any use of consumption data by energy suppliers or network operators must respect these restrictions on the use of data. In a number of places the call for evidence suggests that half-hourly settlement can place stronger incentives on suppliers to help customers use electricity when it is cheapest. Any attempt to nudge consumers into changing their usage patterns should not involve the profiling and targeting of specific customers unless they have opted in to the use of such data in line with the DAPF. The issue of the use of half-hourly data for settlement and beyond is especially concerning given that a large number of customers have had smart meters installed on the basis of the access rules set out in the DAPF and it would bring up issues of fairness if those rules were to be changed unilaterally. The call for evidence mentions the proposal for mandatory half-hourly settlement a number of times. The Commissioner has responded to consultations from Ofgem on mandatory half-hourly settlement previously. These were the open letter on mandatory half hourly settlement in December 2015 1 and the consultation on the aims and timetable for reform in January 2017. 2 This response will not attempt to cover the same ground, and will refer to those responses where halfhourly settlement is relevant. These responses highlighted the need to ensure that any changes to the DAPF are kept as narrow as possible to only allow for the use of half-hourly data for settlement and not to include further profiling to nudge consumers into better energy usage when they have not opted in. This response will now turn to the questions relevant to data protection. 1 https://ico.org.uk/about-the-ico/consultations/ofgems-half-hourly-settlement-the-wayforward/ 2 Will be available at: https://ico.org.uk/about-the-ico/consultations/ January 2017 V1.0 2

Q28: Do you agree with the 4 principles for smart appliances set out [in the call for evidence] (interoperability, data privacy, grid security, energy consumption)? The Commissioner agrees that there will likely be concerns around data privacy with smart appliances and that it is vital that consumers are given enough information about the use of data to ensure that they can make informed choices over what services they wish to use. This approach should also act to promote consumer trust and confidence in the new goods and services the smart energy system is enabling. The ICO published an updated version of the Privacy Notices Code of Practice in 2016. 3 This provides guidance on how best to ensure consumers are given the necessary information in a way that is understandable and encourages innovative approaches such as the use of icons and multimedia. It is likely that any processing of personal data by smart appliances to alter consumption patterns will have to rely on consent as the legal basis for processing. From 25 th May 2018 the General Data Protection Regulation (GDPR) will apply, and this has made the definition of consent clearer and more specific. Under the GDPR consent must be freely given, specific, informed, and must involve an unambiguous indication of the of the data subject s wishes. Smart appliance manufacturers will have to ensure that any consent they gain from their customers for the use of smart appliances that process personal data will meet these requirements, and also be able to evidence that consent. Q29: What evidence do you have in favour or against any of these options set out to incentivise/ensure that these principles are followed? Option C sets out the potential for a requirement that all appliances be smart. This could negate the ability for consumers to consent to their data being processed as they would not have a choice to purchase an appliance that did not process their personal data. This option would seem to go against principle b set out in paragraph 6 of section 4.1 of the call for evidence on data privacy as well as being unlikely to comply with consent requirements under GDPR. This would have the knock on effect of meaning that the smart appliance manufacturers would require another legal basis for processing under data protection law. There could also be a significant impact on user trust and confidence in the smart energy system, and Internet of Things in general, if users feel they are being forced into using smart appliances that process their personal data. 3 https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-noticestransparency-and-control/ January 2017 V1.0 3

It could be that the smart functions of such appliances could be switched off by the consumer, however, this would likely lead to an increase in price of the appliance due to a facility that the consumer may not wish to use. Option A mentions the labelling of smart appliances. Manufacturers should refer to the ICO s Privacy Notice Code of Practice to ensure they are giving their customers the necessary information so they can make an informed choice about the processing of data. The Code of Practice also mentions the use of icons to communicate to the customer what data are being processed. The use of icons is something that is also mentioned in the GDPR as something that could be considered. For an icon based approach to be effective there is a need for understanding and recognition from consumers. Consideration would need to be given to how to build such an understanding to ensure they are an effective way to communicate data processing to consumers. To make the most of icons there would need to be universality across manufacturers. A fragmented use of different sets of icons would be unlikely to provide the level of recognition or understanding that would be required. Q32: Are there any other options that we should be considering with regards to mitigating potential risks, in particular with relation to vulnerable customers? It is important to ensure that vulnerable customers are not put at a disadvantage by any move towards a smart and flexible energy grid. Vulnerable customers may not be in a position to switch their usage patterns or tariffs. Extra care also needs to be taken when communicating how smart appliances will use the consumer s personal data to vulnerable customers to ensure that they are able to fully understand the processing that will take place. The topic of vulnerable customers and half-hourly settlement was covered in the Commissioner s response to Ofgem s consultation of the aims and timetable for mandatory half-hourly settlement 4. Q40: Please provide views on what interventions might be necessary to ensure consumer protection in the following areas: Data and Privacy. The call for evidence rightly highlights the importance of data privacy for a smart energy grid given the step change in the amount of data being processed. It highlights the Data Protection Act and the DAPF. However, in addition, parties involved should be considering the implications of the GDPR to the processing of personal data. As mentioned above, the GDPR 4 See notes 1 and 2 above January 2017 V1.0 4

will apply from May 25 th 2018, so many of the longer term proposals in the call for evidence will need to be considered in the light of this. As mentioned above, the GDPR makes the definition of consent more specific and places obligations on data controllers to be able to demonstrate that they have the consent of the data subject. Any written request for consent must be presented in a clearly distinguishable manner and it must be as easy for the data subject to withdraw consent as to give it. There are also more stringent requirements in the GDPR regarding transparency and what information must be given to data subject regards to and data processing. The Commissioner also highlights that security is of the utmost importance and that necessary technical and organisational measures must be in place to ensure that customers data is protected. In terms of interventions, however, it is not appropriate to provide any particular detail on how energy suppliers, network operators, smart appliance manufacturers, and other relevant parties should protect the data that is in their care. Those parties are under a duty to ensure that appropriate technical and organisational measures are taken in terms of the security of the data under their care - what is appropriate will depend on the organisation itself and technology available. The risk with mandating specific measures is that they can quickly become obsolete as technology develops and new risks and vulnerabilities are identified. Whilst it s not appropriate to mandate specific technical measures, a step change in the data being processed within the energy industry would be a good opportunity for industry to develop standards that would address concerns and vulnerabilities. January 2017 January 2017 V1.0 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback