Utility Week

16 | 4TH - 10TH OCTOBER 2019 | UTILITY WEEK T he introduction of smart technologies promises to revolutionise the sector by helping to improve energy efficiency, facilitate the introduction of new products and provide long-term opportunities for cost benefits. However, there is growing concern around how companies use consumers' data to drive these changes. Moreover, following a spate of recent scandals, increasing numbers of consumers are beginning to raise questions around the ethics of big data and are querying what steps companies, regulators and legislators are taking to ensure their data is adequately protected. D a t a e t h i c s Data ethics is primarily concerned with a number of key principles, including, data transparency, consent, ownership, privacy, and data availability. Previously, the energy sector rarely encountered issues concerning the principles of data ethics because traditional utility business models collected only rudimentary data relating to the levels of consumption on customer premises. However, the introduction of smart meters, among other technologies, has meant energy utilities are accumulating more consumer data than ever before. As we report in the previous feature (see p15) there is potential for energy utilities to acquire unprecedented amounts of data about their customers. As utilities continue to develop novel practices to collect, analyse and monetise consumer data, there is the inherent risk that the digitisation of the energy industry will result in more instances of energy utilities encroaching on consumers' data rights. In the UK, the General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018 (DPA) govern the processing of data. is covers all and any data which can be used to directly or indirectly identify natural persons. Detailed energy consumption data from smart meters is likely to be considered "personal data" for the purposes of the data protection legislation, meaning energy utilities that handle customer consumption data will be expected to comply with the GDPR. One of the key principles of the GDPR is that personal data must be processed in a fair and transparent manner. In practice, this means energy utilities must provide a privacy note to individuals setting out how and why personal data is being processed. Energy utilities will need to make sure they keep their privacy policies updated as and when new purposes arise. is is not always straightforward because big data analytics often result in processing data for new and novel purposes. In addition to the requirement to process data in a fair and transparent manner, energy utilities must also have a lawful basis for processing personal data. Out of the six available lawful basis, consent or legitimate interest are likely to be the most appropriate. Consent must be freely given, specific, informed and unambiguous to be valid under the GDPR. Consumers must have the right to withdraw consent at any time. Alternatively, energy utilities may seek to rely on legitimate interest. is is appropriate where energy utilities are processing data for a legitimate reason which the data subject could reasonably expect and is doing so in a manner that is likely to have minimal privacy implications. Importantly, the GDPR makes clear that the ultimate owner of data is the individual. Individuals have the right to consent, to withdraw consent, to restrict processing, to access copies of personal data held, to correct inaccuracies and a right to be forgotten. Since the GDPR came into effect, the Information Commissioners Office (ICO) has shown that it is willing to enforce these consumer rights by issuing a number of large fines to companies in breach of the legislation. One of the most challenging principles to protect is privacy. is is due to the intrinsic nature of big data; the more information a company has about a consumer, the more likely that company is to develop products that benefit the consumer. We have seen through a number of high-profile media stories how companies within the tech industry are able to obtain personal details about our lives and personalities. Until now, the energy industry was largely immune from this. However, the large increase in the collection of data by utilities has left the consumer more exposed to these types of infringement of privacy. Based on consumption data alone a company is able to ascertain someone's identity, their employment status and be able to glean information about their lifestyle and habits. In addition, and similarly to a number of other data-orientated industries, as we permit companies greater access to our personal lives we open ourselves up to increased security risks. For example, burglars may be able to use the data from consumer smart systems to target empty households. Despite this, energy consumers appear willing to forgo aspects of their personal privacy in exchange for the benefits associated with data sharing - recent research undertaken on behalf of Smart Energy GB showed that only 5 per cent of the people surveyed raised privacy within the energy industry as a concern. In addition to the requirements under the data privacy legislation described above, energy companies are also required to comply with the Data Access and Privacy Framework. e framework was designed to safeguard Transparency, consent, ownership, privacy…" ...when it comes to data utilities firms must protect consumer rights. By Alex Underwood and Jeremy Godley amongst other technologies, has meant that energy data than ever before. As we report in the previous feature to acquire unprecedented amounts of data about their customers. develop novel practices to collect, analyse and monetise consumer data, there that the digitisation of the energy industry will result in more instances of energy encroaching on consumers' data rights. In the UK, the General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018 (DPA) govern the processing of data. is covers all and any data which can be used to directly or indirectly identify natural persons. Detailed energy consumption data from smart meters is likely to be considered 'personal data' for the purposes of the data protection legislation, meaning energy utilities who handle customer consumption data will be expected to comply with the GDPR. One of the key principles of the GDPR is that personal data must be processed in a fair and transparent manner. In practice, this means that energy utilities must provide a privacy note to individuals which sets out how and why personal data is being processed. Energy utilities will need to make sure that they keep their privacy policies updated as and when new purposes arise. is is not always straightforward as big data analytics often results in processing of data for new and novel purposes. In addition to the requirement to process data in a fair and transparent manner, energy utilities must have a lawful b must have the right to withdraw consent at any time. Alternatively, enct could reasonably expect and is doing so in a manner that is likely to have minimal privacy implications. Importantly, the GDPR makes clear that the ultimate owner of data is the individual. Individuals have the right to consent, to withdraw consent, to restrict processing, to access copies of personal data held, to correct inaccuracies and a right to be forgotten. Since the GDPR came into effect, the Information Commissioners Office (ICO) has shown that it is willing to enforce these consumer rights by issuing a number of large fines to companies who are in breach of the legislation.

• Cover