Back

Blogs

A Net Zero NHS: How heat networks can help transform our health service

View All

Case Studies

Securing Cyber-Physical Systems for a Defence Manufacturer

View All

Upcoming Events

Utility Week Awards 2024

View All

Webinars

The Future of Security: Convergence of Physical and Cyber Domain 2/3

View All

Thoughts

Ensuring privacy in smart meters: What energy market participants need to know

2nd Aug, 2022

Energy bills are rising rapidly, piling pressure on consumers. Smart meters have the potential to help consumers manage their costs and energy companies predict the ways their choices will affect demand.

However, smart meters collect a large amount of personal data – including sensitive ‘special category’ data that requires extra protection. For consumers to have the trust and confidence necessary to adopt and use smart meters, it is essential that this personal data is protected. This article examines some of the privacy challenges facing Great Britain’s smart meter roll out and suggests actions energy market participants can take to address them.

What kind of personal data is collected by smart meters?

Smart meters collect at least two categories of personal data. They collect personal data that is explicitly provided to the meter, such as MPAN and MPXN numbers, which are used as unique customer identifiers. They also can collect implicit or inferred data through consumption information. Data collected from the latest generation SMETS2 meters can be used to identify characteristic profiles of energy use associated with particular appliances to identify individual appliance usage such as kettles, TVs and electric vehicle charging. This information can reveal lifestyle habits based on those patterns of consumption.

When these patterns are combined with other information, such as usage metadata and postcode information, sophisticated profiles can be developed by inferring information energy consumers’ age, marital status and employment status. If medical devices are used, then information about medical conditions disabilities could also be ‘revealed’ from the device profile. This is classified as ‘special category personal data’ under the GDPR and requires extra protections due to the additional risks individuals face when this kind of information is collected. It is important to note that organisations only need to be capable of inferring this kind of information – not actually doing so – for them to need to implement appropriate technical and organisational controls to protect it.

This kind of information has the potential to offer significant benefits. Consumers have more knowledge, choice and control over their energy usage and costs. Energy providers are better able to forecast demand and can provide personalised tariffs and other energy products for different households. They may also be able to use the information to influence consumer behaviour, for example by encouraging households to smooth demand across the day.

What are the privacy risks associated with collecting these types of data?

The GDPR gives energy consumers rights and requires energy market participants to protect the security and confidentiality of their data.

Consumers have the right to be informed about how their data is used and if they are not informed, collecting and using the data may not be lawful. It is unlikely that the granularity of these inferences will be within energy consumers’ expectations and so information provision is particularly important.

In an increasingly complex energy market, multiple entities other than energy suppliers (eg local energy system operators, price comparison websites, etc) are likely to access a household’s smart meter data. These organisations – and consumers – need to navigate a web of privacy notices to understand all the ways data may be processed. This usage also presents a security risk, with multiple real-time access points and storage locations for this sensitive consumer data.

What should energy market participants do to address these risks?

A recent report by Imperial University’s Energy Futures Lab, entitled, ‘Balancing Privacy and Access to Smart Meter Data’, examines several technical and governance tools that could address these privacy concerns. These include:

  • Data Dashboard
    The Energy Futures Lab and Citizens Advice have proposed a ‘Data Dashboard’, available on an energy consumer’s in-home device (IHD), that would allow various organisations to display their privacy notices. This would also provide consumers with a centralised platform to manage permissions as to how their smart meter data is used.
  • Data Aggregation
    Aggregation techniques can make certain smart meter data sufficiently high level to prevent individual households being identified. For example, personal data used for tracking trends such as demand on energy networks could be collected at postcode level.
  • Encryption and access controls
    Encryption and other privacy-preserving technologies can be used to limit access to consumer information. Smart meters are encrypted with Zigbee communications, so the focus here would be on data transferred to other repositories such as within smart home systems. This is particularly important as an increasingly diversified and data-enriched energy sector will lead to more types of organisations (ranging from switching and comparison websites to smart home app developers) wishing to access consumers’ smart meter data).

Energy suppliers are required by their licence conditions to comply with the Smart Metering Installation Code of Practice (SMICoP), which sets out obligations for consumer transparency and consent. Several of these measures will need to be coordinated through energy suppliers, such as the changes to consumer privacy information displayed on the IHD.

Network operators and research organisations using smart meter data could move to an aggregate data collection model where possible.

Smart home device providers and price comparison websites, which rely on more specific consumer insights and profiling, should implement encryption and other privacy engineering techniques.

The Data Communication Company (DCC) will need to implement changes to the smart metering infrastructure to facilitate these improvements. These changes, along with their high expense, could have been avoided if a data privacy strategy had been more thoroughly executed from the start.

Final Thoughts

The energy industry is in a crisis, with bills rising by 54% year-on-year to April 2022. The energy price cap is forecast to rise again in October, piling pressure on consumers to keep up with rising costs. Smart meters are an essential tool to support consumers to deal with the cost of living. Yet with the media raising concerns that  smart meters may be spying on consumers, it is imperative that smart metering companies have robust privacy practices and maintain trust in their products.

Energy market participants need to maintain a balance between the collection of consumption information for data-driven innovation and protecting consumer welfare. Ensuring privacy remains at the forefront of their concerns will allow all these market participants to maintain consumer confidence, and the reputational and customer loyalty benefits that come with it.

Authors

Kaveh Cope-Lahooti

Principal Consultant - Data Privacy

Read Bio