Smart Meter Data Privacy Gets Focus In US

A Voluntary Code of Conduct for privacy of customer energy usage data for utilities and third parties has been released in the US.
Published: Tue 20 Jan 2015

With the growth of smart metering and of the volume and application of consumer energy data, increasingly by third parties in addition to the traditional utility uses, concern has grown over the privacy of this data. While utilities have been responsible for protecting customers’ privacy, and will continue to do so, these concerns have led to a revisiting of privacy protections in the US. This has resulted, after a 22-month effort, in a Voluntary Code of Conduct (VCC) for utilities and third parties on data privacy and the smart grid.

Principles of data privacy

The VCC is based on three principles:

● Encourage innovation while appropriately protecting the privacy and confidentiality of customer data and providing reliable, affordable electric and energy-related services

● Provide customers with appropriate access to their own customer data, and

● Do not infringe on or supersede any law, regulation, or governance by any applicable federal, state, or local regulatory authority.

The intention is for utilities and third parties to consider adopting the VCC in its entirety. However, it could be adopted with some limited exceptions (such as when laws, regulatory guidance or frameworks, governing documents, policies, and/or consensus-driven state, local, or utility industry business practices require a different approach).

It is also envisioned that the VCC could benefit either entities that are not subject to regulation by applicable regulatory authorities, or entities whose applicable regulatory authorities have not imposed relevant requirements or guidelines.

Core concepts of VCC

The VCC is expressed through five core concepts, as follows:

1. Customer notice and awareness, i.e. that customers should be given notice about privacy-related policies and practices as part of providing service. Service providers should provide materials in various formats that are easily understandable by the demographics they serve, and as may be reasonably appropriate, e.g. at the start of service, on some recurring basis (e.g., annually), and when there is a substantial change in procedure or ownership that may impact customer data.

2. Customer choice and consent, i.e. that customers should have a degree of control over access to their customer data. Service providers and their contracted agents require customer data to support primary purposes. For secondary purposes, however, customers should be able to control access to their customer data via a consent process which is convenient, accessible, and easily understood. This could include, for example, timing disclosures to coincide with the time and place that customers have the ability to exercise choices (e.g. push notifications for software downloads) regarding the use of their data for new purposes materially different than those for which it was originally collected.

3. Customer data access and participation, i.e. that customers should have access to their own customer data and should have the ability to participate in its maintenance.

4. Integrity and security, i.e. that customer data should be as accurate as reasonably possible and secured against unauthorized access. Data should be maintained in a reasonably accurate and complete form, considering the circumstances and environment in which it has been collected. Data should also be protected via a cybersecurity risk management program.

5. Self-enforcement management and redress, i.e. that there should be enforcement mechanisms to ensure compliance with the foregoing concepts and principles. Service providers who voluntarily adopt the VCC also commit to regularly reviewing their customer data practices, taking action to meet legal and regulatory data protection mandates, and providing means for addressing customer concerns. In addition, they will conduct regular training and ongoing awareness activities for relevant employees on the service provider’s privacy policies and practices.

Now the question will be which companies adopt the Code. But for those that do, its scope should go a considerable way toward addressing consumer concerns about their data.