Designing for privacy


Creating meaningful choices for smart consumers. Read our thoughts on designing for privacy.

Published in: Technology, Business

PRIVACY
Creating meaningful choices for smart consumers
Summary

People are pragmatic about privacy. Their acceptance of the deployment of Smart meters into their homes will be underpinned by the benefits they perceive, their trust in the uses to which their data will be put and their confidence in its security. This in turn is underpinned by the level of control people feel they have over their data.

Our challenge, in the energy and utility sectors, is to ensure consumers understand the benefits, are provided with meaningful options from which to choose, and are given the confidence they need in the way we operate our businesses - putting customers, and their trust, as well as their needs at the heart of our organisational cultures.

The time is, therefore, right for organisations to undertake a Privacy Impact Assessment for the handling of Smart meter data, audit their existing data protection policies and procedures and to begin building that confidence ahead of the mass deployment of Smart meters.

Synopsis

We live in an increasingly data intensive and interconnected world. Many of us, through the choices we make, are choosing to re-define our shared communities through common interests rather than geographic boundaries. We decide to share information about ourselves, our interests and our preferences in order to stay connected with our friends and colleagues around the globe. We choose to do our shopping online, carry cards instead of cash, sign up to loyalty schemes that track our preferences in return for rewards and take mobile phones wherever we go.

For many of us these are positive, conscious choices.

For some of us these choices may not be so considered. The risks of sharing personal information, or even the question of what is personal information, may not be fully understood. Nevertheless people perceive the benefits to outweigh the risks and choose to share their data.

Others make a conscious choice not to sign up to these services.

Equally, we may inadvertently agree to share the data we create through our use of electronic media – from where, how much and with what frequency we withdraw cash or use credit cards, to what we purchase online and our browsing patterns on websites.

When we tick the box to say that we’ve understood the terms and conditions, how many of us actually take the time to read them? And when we do, do we really understand what we are giving our consent for?

Is it clear that the choices we make can be analysed by retailers who then offer us products and services that they consider best meet our desires as well as our needs?
So what does all this have to do with the deployment of an information and communication infrastructure for Smart metering and Smart grids?

Firstly, a mandated deployment of such an infrastructure isn’t an individual choice. Unless people choose to opt out, everyone will have a Smart meter installed in their home at some stage in the near future. The challenge is not one of persuading consumers to have a Smart meter, but one of building their trust in, and acceptance of, their deployment.

To achieve this we need to be clear about the difference between the capability to obtain data created by the deployment of Smart meters and the creation of Smart grids - and the use to which the data collected will be put. The extent to which consumers have choices in use of their data will be an important factor in their engagement in the programme.

People’s trust in the organisations that have access to their data, their faith in the application of data protection principles, and their confidence in the strength of regulation will determine their willingness to accept Smart meters into their homes.

There is rightly much focus on ensuring that people’s right to privacy and the protection of personal data is taken very seriously. But perhaps the first question we should ask is: “What happens if we don’t create this new infrastructure?” And further, what are the impacts on our economy of not having access to secure, reliable, affordable energy supplies? What are the wider societal costs associated with climate changes if we do not meet our energy needs more sustainably?

If we accept that the creation of an information and communication infrastructure is integral to the transformation of how we meet our energy needs over the coming years, the next question then becomes: “How do we put the rights of the consumer at the heart of the programme and ensure that those rights are protected?”

In this paper we will accept that the argument for Smart infrastructure has been won and look at the challenge of ensuring that consumers have trust in and acceptance of the programme.
Designing for privacy

1. WHAT SORT OF DATA SHOULD I CONSIDER PERSONAL?

If we want to get a baseline definition, then the best place to go is the governing legislation. Article 2(a) of the European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data[1] and on the free movement of such data defines ‘personal data’ as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”

Any data transmitted will have a unique identifier such as the Meter Point Administration Number (MPAN) or Meter Point Reference Number (MPRN). These reference numbers can be linked to the individual account holder, meaning that under the Directive’s definition, all data transmitted from a Smart metering system in a home should be considered “personal data”.

The Opinion on Smart Metering 12/2011[2] of the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, adopted during April 2011, stresses this point and goes further, identifying that load profile data provides insights into personal behaviour.

Having established that data captured by the Smart metering system is personal, it will fall under the legislative provisions of the locally enacted Data Protection legislation and the remit of the regulator, such as the Information Commissioner’s Office in the UK.

But, given that the means to collect this data is not an individual’s choice, we must address the question of whether simply being seen to comply with the letter of the law is sufficient to build trust in, and acceptance of, the deployment of Smart meters.

We would argue that the levels of public resistance to the deployments of Smart meters in various territories around the globe are evidence that simple compliance with the letter of the law isn’t sufficient to secure people’s trust.

In the case of the Netherlands, for example, the successful challenge to the mandated deployment of Smart meters was not based on data protection legislation at all. The challenge was made under Article 8 of the European Convention on Human Rights.

[1] The European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 24 October 1995
[2] Opinion 12/2011 on Smart Metering, 4 April 2011
2. IMPLICATIONS OF HUMAN RIGHTS ON ACCESS TO DATA

The UK is a signatory to the UN Declaration and has incorporated the European Convention of Human Rights into law. Freedom from arbitrary interference with our privacy is therefore protected under the law. There are therefore three tests that should be applied:

1. Does the deployment of Smart meters, or the use to which the data they collect is put, have implications for an individual’s privacy?
2. Does it serve any interest defined within Article 8 of the ECHR?
3. Does it pass the test of necessity?

Given the data collected by Smart meters falls within the classification of personal data, we should accept that there must be implications for an individual’s privacy. Indeed, the Netherlands experience provides precedent that this is the case.

We have argued that the deployment of the Smart metering infrastructure is vital for the continued provision of secure, reliable and affordable energy to our homes and businesses. We’ve also argued that it is vital for addressing the wider societal implications of climate change by supporting the transformation of how we satisfy our energy needs. Given the correlation between the use of energy and economic security, it is clear that the deployment of Smart meters does serve the “economic wellbeing of the country” as defined within Article 8 of the ECHR.

But what level of data collection and onward transmission passes the test of necessity? There are two principles against which necessity can be considered:

• Subsidiarity: Can the purpose be achieved by other means with lower impact on the people’s rights?
• Proportionality: Are the impacts on an individual’s privacy and the costs proportional to the benefits?

The United Nations’ Universal Declaration of Human Rights, Article 12, states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
The European Convention on Human Rights (ECHR), Article 8 – Right to respect for private and family life, says: “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”

In terms of the potential for ‘subsidiarity’, it seems unlikely that an alternate solution to the deployment of a Smart metering infrastructure could be established that would deliver the same benefits.

The challenge then becomes one of proportionality. What measures can be established that limit any impacts on an individual’s rights? When designing the end to end system and the governance and regulation that is applied to it, we suggest that two principles are applied:

• The level of data transmitted beyond the individual’s home should be the minimum required to fulfil the intended purpose; and
• The parties with access to that data should be limited to those that require access to deliver the intended purpose.

The Dutch Smart metering programme was judged to fail these criteria in an assessment by the Tilburg Institute for Law and Technology (TILT) commissioned by the Dutch consumer group Consumentenbond. The organisation found insufficient evidence to justify the necessity in a democratic society for measurement and onward transmission to the DSO of interval and daily values for energy use, and for the deployment being mandatory[3].

[3] Source: Presentation to Consumer Focus privacy workshop by Consumentenbond, June 2010
3. BUT WHAT REALLY MATTERS TO PEOPLE WHEN IT COMES TO PRIVACY AND DATA PROTECTION?

Where people are given little choice over the collection of personal data it is reasonable to expect that they will have concerns over its security and seek assurance over the purpose of its collection and the uses to which it can be put. So what are the factors that concern the public the most?

There are no hard or fast rules. The public doesn’t judge data to be personal based on lists of data items that are deemed personal by experts in a committee room, and therefore data that doesn’t appear in the list isn’t by definition personal. Indeed, it is not the data that the public consider to be personal. It is the use to which that data is put that is considered to define whether it is personal or not[4].

This is a powerful insight that can be useful in gaining people’s acceptance of the deployment of the Smart metering infrastructure and the move to designing and operating distribution networks with greater embedded intelligence. The public largely has no issue with the technology itself, more with how the technology – and specifically the data it collects - is used. As such, it is possible to identify three factors that underpin people’s trust:

• Transparency: the need for people to understand what their data will be used for.
• Control: the ability for people to make informed, meaningful choices about the purposes for which they allow their information to be used and the limits on that use.
• Security: the confidence that people’s data is protected.

“What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy” Christopher Graham, Information Commissioner[5].

Transparency and security are relatively straightforward to address. But control is more of a challenge as it comes down to an individual’s perceptions.

The British Government’s acceptance of the European Regulators’ Group for Electricity and Gas (ERGEG) principle that “it is always the consumer that chooses in which way consumption data shall be used and by whom, with the exception of metering data required to fulfil regulated duties and within the national market model”[6] empowers the consumer to take control of the use of their data. However, the level of data required to fulfil regulated duties is yet to be finally agreed. Without the definition of the level of data that will be deemed to be required to “fulfil regulated duties” it will be difficult for people to judge the level of control they have over their data.

[4] Private Lives: A People’s Inquiry into Personal Information, P85, Peter Bradwell, Demos, 2010
[5] Private Lives: A People’s Inquiry into Personal Information, Foreword, Peter Bradwell, Demos, 2010
[6] Final Guidelines of Good Practice on Regulatory Aspects of Smart Metering for Electricity and Gas, Recommendation E/G1
People’s perception of having control of their data should be considered to have two critical aspects when it comes to gaining their trust: transparency of how data will be used; and their clarity of understanding of the benefits and risks to them as individuals. It is therefore vital to ensure that they feel empowered to take decisions about how their data is shared and used.

People already make these types of choices every day.

The other critical aspect is that these choices are perceived to be meaningful by consumers. When people are asked for access to their data but it is not transparent as to why that data is required, there are two possible scenarios. Either there is a lack of clarity in communication of why access to the data is necessary or, if it is more than the minimum level of data required to achieve the Purpose, it is a divergence from the principles of data protection.

If people feel coerced into consenting to the use of their data in order to gain the benefits they want, but without understanding why access to that data is necessary, then they are likely not to perceive they have a meaningful choice to make[7].

Opinion 12/2011[8] of the Working Party on the Protection of Individuals with regard to the Processing of Personal Data on Smart Metering expresses “that data should remain within the Home Area Network unless onwards transmission is necessary, and that the lowest possible data volumes should be processed and transmitted”. This is consistent with the principles of proportionality that were discussed earlier, particularly in light of the lessons from the challenge to the Dutch mandate for Smart metering.

This is likely to place an onus on energy suppliers, network operators and third parties who are acting as Data Controller to ensure the data they obtain and process is limited to the minimum required to fulfil the purpose. This approach will go some way to addressing the challenge of providing people with meaningful choices and trade-off decisions to make.

It is worth noting that there is scope within the Opinion to allow for the collection of personal data where there is a legitimate, wider societal benefit or it is clearly in the interests of the public. However, the Opinion is also clear that this argument should not be used to legitimise every element of processing. These wider benefits should not override an individual’s rights and interests in every case. Indeed, actively seeking to legitimise access to people’s data has the real potential to reduce the opportunity to provide people with choices that they will perceive to be meaningful, risking their positive engagement with the deployment of Smart meters.

It should also be noted that under the Data Protection Directive, data stored within the Smart metering system in the home is considered to have been collected by the “Data Controller” – in most cases the energy supplier. This presents an interesting regulatory challenge as the level of data collected locally within the home will be defined by the Government policy and regulation, but the energy supplier will carry the obligations under the Data Protection Directive, even though they may not require the data to fulfil their regulated duties.

The challenge is to balance all of these factors to ensure that consumers accept the deployment of Smart meters. They must feel engaged through meaningful decision making about access to their data, and about the products and services they will have available to them on the basis of the access they grant to their data.

[7] After Private Lives: A People’s Inquiry into Personal Information, P79/80, Peter Bradwell, Demos, 2010
[8] Opinion 12/2011 on Smart Metering, P16/17, 4 April 2011
4. PROTECTING THE DATA

Within the home

For consumers to gain benefit from having Smart meters in their homes, it is important that they are able to access, via devices connected to the Smart metering system, the data collected and stored about their energy consumption. This creates two core challenges from the perspective of protecting people’s personal data from a Smart metering systemic perspective.

Firstly, the devices that form part of the Smart metering system in the home must be connected to the correct home area networks. Data that is being displayed or downloaded locally must be the data of a specific, intended individual, and not of a neighbouring house or location. This challenge can be met with some level of authentication between the devices and the Smart metering system.

Then, once the data has been downloaded from the Smart metering system or is visible within the home, it becomes the responsibility of the consumer to protect their data. The challenge for the Smart programmes is to ensure that consumers understand the potential risks of leaving data openly on display in their homes, storing it on personal devices with insufficient protection, or allowing third party access to their data.

One question that must be answered is whether raw data stored locally on the Smart metering system in the home justifies the costs of implementing the best practice of being encrypted. This will require the use and management of keys or digital certificates to authenticate and pass encrypted data between the core system and devices connecting to it.

Beyond the home

Data being transmitted beyond the Smart metering system in homes will need to be held securely in the back office systems of those organisations accessing the data. These organisations, who will be acting as Data Controllers, should have access to only enough data to fulfil their purpose. It is the responsibility of these organisations to ensure that the data they store is held securely and retained for the minimum period.

Beyond this, regulatory bodies in individual countries define how organisations should treat sensitive data. For example, the American National Institute for Standards and Technology (NIST)[9] outlines some principles to secure privacy, based on the OECD Privacy Principles[10][11], including:

• Dissociation of collected data from data that identifies the individual as far as is practicable.
• Aggregate and anonymise data wherever possible where it does not compromise achieving the purpose, and ensure that anonymisation techniques are robust, verifiable and transparent.
• Appropriate safeguards for the storage of data are in place based on a Privacy Impact Assessment, but include robust cryptographic standards.

[9] Guidelines for Smart Grid Cyber Security: Vol 2, Privacy and the Smart Grid, NISTIR 7628, August 2010
[10] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
[11] Task Force Smart Grids, Expert Group 2: Regulatory Recommendations for Data Safety, Data Handling and Data Protection, Feb 2011
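As an added illustration (not code from the Logica paper or any Smart metering programme), the minimisation, dissociation and aggregation principles above applied to meter data: half-hourly readings stay in the home, only daily totals under a keyed pseudonym leave it, and network-level aggregates are suppressed when too few meters contribute. The MPANs, readings, key and field names are constructed assumptions.

```python
"""Data minimisation for Smart meter readings before onward transmission."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed sample: half-hourly kWh readings for three meters.  The MPANs
# are made-up values, not real meter point numbers.
INTERVAL_READINGS = [
    {"mpan": "1200012345678", "ts": "2011-04-04T00:00", "kwh": 0.2},
    {"mpan": "1200012345678", "ts": "2011-04-04T00:30", "kwh": 0.3},
    {"mpan": "1200012345678", "ts": "2011-04-04T01:00", "kwh": 0.5},
    {"mpan": "1200012345678", "ts": "2011-04-05T00:00", "kwh": 0.4},
    {"mpan": "1200012345678", "ts": "2011-04-05T00:30", "kwh": 0.6},
    {"mpan": "1200098765432", "ts": "2011-04-04T00:00", "kwh": 0.1},
    {"mpan": "1200098765432", "ts": "2011-04-04T00:30", "kwh": 0.1},
    {"mpan": "1200098765432", "ts": "2011-04-05T00:00", "kwh": 0.25},
    {"mpan": "1200098765432", "ts": "2011-04-05T00:30", "kwh": 0.25},
    {"mpan": "1200055555555", "ts": "2011-04-04T00:00", "kwh": 0.7},
]

# Assumed: the pseudonymisation key is held by a party other than the data
# recipient, so the recipient cannot link a pseudonym back to an MPAN.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymise(mpan: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace the MPAN with a keyed pseudonym (truncated HMAC-SHA256).

    The same meter always maps to the same token, so daily figures can be
    matched to one unnamed subject, but without the key the token cannot
    be reversed to the account holder (dissociation of identifying data).
    """
    return hmac.new(key, mpan.encode(), hashlib.sha256).hexdigest()[:16]


def daily_totals(readings):
    """Collapse interval readings to one kWh total per meter per day."""
    totals = defaultdict(float)
    for r in readings:
        day = datetime.fromisoformat(r["ts"]).date().isoformat()
        totals[(r["mpan"], day)] += r["kwh"]
    return {key: round(v, 3) for key, v in totals.items()}


def onward_record(readings, key: bytes = PSEUDONYM_KEY):
    """What leaves the home: pseudonymised daily totals and nothing else."""
    rows = [{"subject": pseudonymise(mpan, key), "date": day, "kwh": kwh}
            for (mpan, day), kwh in daily_totals(readings).items()]
    return sorted(rows, key=lambda row: (row["subject"], row["date"]))


def network_aggregate(readings, k: int = 3):
    """Per-day total across all meters, released only when at least k meters
    contribute; smaller groups are suppressed (None) so that no single
    household can be inferred from the aggregate."""
    per_day = defaultdict(lambda: [0.0, set()])
    for (mpan, day), kwh in daily_totals(readings).items():
        per_day[day][0] += kwh
        per_day[day][1].add(mpan)
    return {day: (round(total, 3) if len(meters) >= k else None)
            for day, (total, meters) in per_day.items()}


def is_minimised(record, readings) -> bool:
    """Check an outgoing record: no raw MPAN anywhere, no intra-day
    timestamps, and no more rows than meter-days in the source."""
    mpans = {r["mpan"] for r in readings}
    for row in record:
        if any(m in str(v) for m in mpans for v in row.values()):
            return False
        if "T" in row["date"]:
            return False
    return len(record) <= len(daily_totals(readings))
```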
For many organisations, it will be necessary to audit and review existing data management policies and procedures. The increase in the volumes of data being handled and the increased personalisation of the data being held will introduce new risks. It is worth noting that existing processes are often designed to handle personal and financial data as part of the customer service process. As such, many organisations will find that they have the foundation for robust security of Smart data already evident within their business.

What is not in doubt is the increasing level of cyber-attacks on utilities and critical national infrastructure[12]. The potential for reputational damage to utilities if there were to be a breach of their systems, as well as impacts on the public’s trust in the Smart metering programme, should not be underestimated.

Conclusion

The Smart meter roll-out is continuing apace and soon most consumers will be part of the programme, whether by selection or design. The challenge now is to provide people with meaningful choices and the confidence that, when they entrust their data to organisations, it will be held securely and used for legitimate purposes. There are also trade-offs for the Smart metering programmes to make.

Designing an end-to-end Smart metering system that is specifically designed to support privacy, and creating a regulatory regime where the obligations and rights are aligned with privacy principles, will have cost implications. But a failure to address the public’s perceptions could lead to the deployment of the Smart metering infrastructure being delayed due to legal challenge. This not only jeopardises the realisation of benefits for consumers, but also society as a whole. Even without a legal challenge, resistance from consumers could lead to access rates falling for meter installations, leading to the programme costs increasing.

Addressing the public’s confidence in Smart metering is crucial to the programme’s success. We believe that ensuring that consumers perceive they have meaningful choices to make about how they gain benefit from the programme is vital to winning their trust. Smart meters will revolutionise the energy landscape, but it doesn’t have to be at the expense of consumers’ trust.

If data privacy is observed and consumers are educated about their rights, their responsibilities, the opportunities to benefit and the risks, we can all gain from a Smart future.

[12] In the Dark | Crucial Industries Confront Cyber Attacks, McAfee, April 2011
Copyright © 2012 Logica. All rights reserved. This document is protected by international copyright law and may not be reprinted, reproduced, copied or utilised in whole or in part by any means including electronic, mechanical, or other means without the prior written consent of Logica. Whilst reasonable care has been taken by Logica to ensure the information contained herein is reasonably accurate, Logica shall not, under any circumstances be liable for any loss or damage (direct or consequential) suffered by any party as a result of the contents of this publication or the reliance of any party thereon or any inaccuracy or omission therein. The information in this document is therefore provided on an “as is” basis without warranty and is subject to change without further notice and cannot be construed as a commitment by Logica.

Logica is a business and technology service company, employing 41,000 people. It provides business consulting, systems integration and outsourcing to clients around the world, including many of Europe’s largest businesses. Logica creates value for clients by successfully integrating people, business and technology. It is committed to long term collaboration, applying insight to create innovative answers to clients’ business needs. Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG). The company is a public company incorporated and domiciled in the UK. The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.

Logica
250 Brook Drive
Green Park
Reading RG2 6UA
United Kingdom