Friday, August 26, 2016

DOE’s DataGuard: A Way to Manage Consumer Data

If you missed our SGCC Peer Connect Webinar on “DataGuard: Energy Data Privacy and Security” last month, I’d like to update you on what was discussed on the data privacy front.

Data is an ongoing topic in this space and an important one. Smart meters and other digital upgrades to the grid have produced vast amounts of data for utilities to manage. One super important type of data is customer data. Every time a customer gets a digital meter, the amount of data produced goes from one data point a month from their analog meter read to dozens of data points every day. Depending on how often the utility is receiving data from the meter, it could be hundreds every day. If the meter sends one data point per hour, that is a 700-fold amount of data over previously held consumer data of 12 meter data reads per year. That’s if the utility meter transmits data every hour: many meters transmit data in 15 minute intervals, which is a nearly 3000% increase in consumer data information being received by the utility.

Moving on to a bigger picture, according to the Gardner 2016 Big Data report, 90% of the world’s data today has been created in the last two years. This shows the magnitude of the scale of data being created now. It’s not just utilities experiencing a huge increase in data. It’s every single sector of the economy, thanks to the digitization of information. While managing this data often means creating a new data warehouse or data center, it also provides a myriad opportunities for utilizing the data in ways to create value for the customer and for the business. This is as true for utilities as it is for any other sector.

So, the question we wanted to answer from our webinar was how can utilities protect this vast amount of new data to the benefit of consumers and their business interests? Is there a way to protect consumer privacy while realizing and adding value to all of this data? Utilities have always done a great job protecting consumer data – in fact it’s one of the few sectors of the economy that has not experienced a serious data breach. Now that consumer data has increased a thousand-fold as a result of AMI deployment, utilities need a way to address their consumer’s interest in data privacy, while also enabling consumers to access their data and use it for a beneficial purpose. Enter DataGuard.

Guest speaker, Eric Lightner is Director of the Federal Smart Grid Task Force for the U.S. Department of Energy. The webinar began with a poll on whether audience members had heard of DataGuard and found that knowledge was low: 68% of the webinar audience said they had not heard of DataGuard at all while 21% were somewhat familiar with DataGuard.

Eric began the discussion by asking this question: Why did we decide to pursue a program on data privacy?

DataGuard is a framework for the handling, sharing and protecting of customer energy use data. Eric shared with the audience a view that everyone shares: protecting consumer privacy is important. We are all aware of the many breaches and privacy issues with companies that handle consumer data. With major corporations such as Target, Walmart, JP Morgan Chase, eBay and even the Department of Energy and U.S. federal government recent victims, it’s a huge concern for a lot of people.

In fact, SGCC plans to delve into this issue with an upcoming consumer research study, Recognizing and Responding to Consumer Concerns. In doing this research, we’ll explore the concerns consumers have that may inhibit their adoption of smart grid technologies or deter them from participating in energy savings programs offered by their utility. The intent of this research is to shed light on how consumers feel about privacy, cyber security, data ownership and digital safety while examining which of these concerns, if any, are preventing consumers from taking action.

Back to the webinar, the DataGuard program is a voluntary code of conduct and is intended as a way for consumers to know that their utility is helping to secure their personal data by following the guidelines of a certification program. And DataGuard is also a way for utilities to communicate their commitment to consumers in handling their data, which is an extremely credible very important way to build consumer reassurance.

A program such as DataGuard was thought to be more credible than a traditional small pamphlet mailed once a year to consumers assuring them of data privacy in small type - not very informative nor very reassuring. Eric and the stakeholders for DataGuard think that the program is a demonstrable way for utilities to show customers that their privacy is respected and being proactively handled. It’s critical for utilities to be able to communicate their actions regarding consumer data privacy in a simple, easy way. A DataGuard commitment allows the utility to communicate to consumers, “You can trust us with your information and data.” However, Eric made sure to note that DataGuard is not meant to conflict or supersede any laws or regulations. If there is a conflict current laws and regulations take precedence. It is meant only to be complimentary.

Another driver besides communicating privacy protections for consumers is that DataGuard can help facilitate and grow innovation. By helping companies handle, but more importantly, safely share consumer data, they help spur on the creation of new products and services while protecting consumer privacy. Right now, it’s difficult for 3rd parties to access consumer data. So, the vast amount of it being collected about consumer energy usage is locked up and not shared - either with the consumer or with 3rd parties that might be able to create new programs or services or technologies that could benefit consumers.

Eric shared that the creation of DataGuard’s principles was a two year-long process. The process was open and transparent and involved a variety of stakeholders. DOE made a call out to industry for anyone interested to participate and DOE staff were gratified that so many industry stakeholders responded. Indeed – as meetings commenced it became challenging to balance all of the goals with all of the views about privacy, access, innovation, etc. when developing the code. The goal was to create a principled approach that doesn’t tell industry how to do things, but helps them reach their desired outcome. In the end, everyone involved was pleased with the results.

In terms of history, the idea of needing something like Data Guard began in 2012, a year of widespread consumer data breaches. The White House released a consumer bill of rights for data and challenged each industry to make them relevant for each industry. For the utility industry, the framework was initially developed under the name, Voluntary Code of Conduct for Smart Grid Data Privacy, which was a little long and cumbersome, and not too descriptive. So, the DataGuard working group, formed after the White House announcement, gave it a more consumer-friendly name. DataGuard. One important note is that DataGuard, while facilitated by the DOE, was completely industry-led and industry-written.

The principles and concepts resulting from DataGuard provide a framework for companies to develop their own privacy policies and act as a type of best practices. This framework allows maximum flexibility in implementation - as the stakeholders wanted. Not only is the program voluntary but it is an industry, self-certifying program - DOE does not certify a company’s compliance.

To view the concepts and principles of DataGuard and learn more about the stakeholder process to develop the code visit www.smartgrid.gov/privacy. To learn about the DataGuard program, visit www.dataguardprivacyprogram.org.

Eric went on to share the key tenets of the DataGuard Energy Data Privacy Program as follows:
  • Consumer Notice and Awareness: Customers should be given prior notice about privacy-related policies and practices by service providers.
  • Customer Choice and Consent: Customers should have a degree of control over access to their own Customer Data.
  • Customer Data Access and Participation: Customers should have access to their own Customer Data and should have the ability to participate in its maintenance.
  • Integrity and Security: Customer data should be as accurate as reasonably possible and secured against unauthorized access.
  • Self-Enforcement Management and Redress: Enforcement mechanisms should be in place to ensure compliance with the foregoing principles.
  • Privacy program for utilities and third parties: Challenge to strike balance for how to create something applicable to both regulated and non-regulated entities.

Each of these key tenets is fully described on the DataGuard website. Adopting companies are expected to publicly commit to the DataGuard tenets and are expected to adopt each key tenant. For more information, please attend our 2017 Consumer Symposium on January 30th in San Diego, CA where there will be a panel of stakeholders discussing the DataGuard program and where Eric will be in attendance to provide more information.


No comments:

Post a Comment