Exploring the ethics of big data

The introduction of smart technologies promises to revolutionise the sector by helping to improve energy efficiency, facilitate the introduction of new products and provide long-term opportunities for cost benefits. However, there is growing concern around how companies use consumers’ data to drive these changes. Moreover, following a spate of recent scandals, increasing numbers of consumers are beginning to raise questions around the ethics of big data and are querying what steps companies, regulators and legislators are taking to ensure their data is adequately protected.

Data ethics

Data ethics is primarily concerned with a number of key principles, including data transparency, consent, ownership, privacy and data availability. Previously, the energy sector rarely encountered issues concerning the principles of data ethics because traditional utility business models collected only rudimentary data relating to the levels of consumption on customer premises.

However, the introduction of smart meters, among other technologies, has meant energy utilities are accumulating more consumer data than ever before. As we have already reported, there is potential for energy utilities to acquire unprecedented amounts of data about their customers. As utilities continue to develop novel practices to collect, analyse and monetise consumer data, there is the inherent risk that the digitisation of the energy industry will result in more instances of energy utilities encroaching on consumers’ data rights.

In the UK, the General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018 (DPA) govern the processing of data. This covers all and any data which can be used to directly or indirectly identify natural persons. Detailed energy consumption data from smart meters is likely to be considered “personal data” for the purposes of the data protection legislation, meaning energy utilities that handle customer consumption data will be expected to comply with the GDPR.

One of the key principles of the GDPR is that personal data must be processed in a fair and transparent manner. In practice, this means energy utilities must provide a privacy note to individuals setting out how and why personal data is being processed. Energy utilities will need to make sure they keep their privacy policies updated as and when new purposes arise. This is not always straightforward because big data analytics often result in processing data for new and novel purposes.

In addition to the requirement to process data in a fair and transparent manner, energy utilities must also have a lawful basis for processing personal data. Out of the six available lawful bases, consent or legitimate interest are likely to be the most appropriate. Consent must be freely given, specific, informed and unambiguous to be valid under the GDPR. Consumers must have the right to withdraw consent at any time. Alternatively, energy utilities may seek to rely on legitimate interest. This is appropriate where energy utilities are processing data for a legitimate reason which the data subject could reasonably expect and are doing so in a manner that is likely to have minimal privacy implications.

Importantly, the GDPR makes clear that the ultimate owner of data is the individual. Individuals have the right to consent, to withdraw consent, to restrict processing, to access copies of personal data held, to correct inaccuracies and a right to be forgotten. Since the GDPR came into effect, the Information Commissioner’s Office (ICO) has shown that it is willing to enforce these consumer rights by issuing a number of large fines to companies in breach of the legislation.

One of the most challenging principles to protect is privacy. This is due to the intrinsic nature of big data; the more information a company has about a consumer, the more likely that company is to develop products that benefit the consumer. We have seen through a number of high-profile media stories how companies within the tech industry are able to obtain personal details about our lives and personalities. Until now, the energy industry was largely immune from this.

However, the large increase in the collection of data by utilities has left the consumer more exposed to these types of infringement of privacy. Based on consumption data alone, a company is able to ascertain someone’s identity and employment status, and to glean information about their lifestyle and habits. In addition, and similarly to a number of other data-orientated industries, as we permit companies greater access to our personal lives we open ourselves up to increased security risks.

For example, burglars may be able to use the data from consumer smart systems to target empty households. Despite this, energy consumers appear willing to forgo aspects of their personal privacy in exchange for the benefits associated with data sharing – recent research undertaken on behalf of Smart Energy GB showed that only 5 per cent of the people surveyed raised privacy within the energy industry as a concern.

In addition to the requirements under the data privacy legislation described above, energy companies are also required to comply with the Data Access and Privacy Framework. The framework was designed to safeguard consumers’ interests, while enabling stakeholders proportionate access to data to facilitate innovation. It has been implemented through a range of regulatory requirements, including the smart energy code (SEC), energy supply licence conditions and the energy distribution standard licence conditions. The requirements under the framework can be broadly split into the following categories.

Energy supplier access to domestic consumption data

Energy suppliers are permitted to access monthly and daily energy consumption data from domestic customers in order to fulfil their regulated duties, for example, to provide the consumer with accurate bills or statements. Energy suppliers can only access energy consumption data that is more detailed than daily, such as half-hourly data, provided they have the consumer’s consent to do so. As part of this process, the energy supplier must explain to the consumer how their data will be used and that they have a right to withdraw consent.

The government has claimed that the rules are designed to ensure that consumers are able to make informed choices about sharing their detailed consumption data. The onus is on the energy supplier to clearly explain why they wish to access consumer data and to incentivise the consumer into sharing their data by offering products and services in return.

Energy network operator access to domestic consumption data

Energy network operators are under more stringent requirements than suppliers. Under the framework, they are only able to obtain consumption data relating to periods of less than one month if they have obtained the consumer’s consent and have implemented Ofgem-approved procedures to ensure the data can no longer be associated with a customer at a particular premises. The exceptions to this are more limited than for energy suppliers and include where they have reasonable grounds to suspect theft.

Third party access to consumption data

The ability for consumers to share their data with unlicensed third parties is widely regarded as the biggest potential for innovation, permitting third parties to develop new products to help consumers manage their energy use. Under the GDPR, individuals have a right to data portability, which allows individuals to obtain and reuse their own personal data for different purposes across different services. This helps individuals take advantage of applications and services that help find a better deal or to develop a better understanding of their energy consumption habits. To further support this, the government established the smart energy code, which enables third parties to access energy consumption data directly from smart meters subject to a number of privacy safeguards, including acquiring the consumer’s consent.

This article first appeared in the latest edition of Utility Week’s Flex supplement.
