Data privacy issues
A conversation with Ann Cavoukian, Ontario's privacy commissioner
If you work in customer service, information technology (IT) or operations, here's an issue that is winging your way.
Ann Cavoukian, information and privacy commissioner for Ontario, is on a mission to raise awareness of the fundamental importance of consumer data privacy and to embed it into smart grid systems early on. She calls her approach, which has been "operationalized" at Hydro One in Ontario, "Privacy by Design."
We spoke at length with Cavoukian after meeting her at DistribuTECH in San Diego earlier this month. A two-part question-and-answer with Cavoukian runs today and tomorrow.
Intelligent Utility: Tell us your view of the fundamental notion of privacy and its importance.
Cavoukian: Privacy is considered a fundamental human right because it's at the core of all our freedoms. It's the ability to go about your business without fearing that someone, including the state, is looking over your shoulder. The first thing to go when a democracy sinks into a totalitarian state is privacy.
In the energy context, ask yourself, how is information going to be used? Let me be clear: security is essential to privacy. You can't have privacy without security. But you can have security without privacy when information is used in ways that hadn't been envisioned, without the consent of the individual to whom it belongs. Fast forward to today, with all the online social media. How can we control our data in this environment? That's a good question.
Let me draw this distinction for your readers. There's a big difference between user-generated information and people who choose, perhaps foolishly, to put information out there about themselves. That's their choice. They have control. They may regret it but you have to respect their choice. If it's not your information to give out, you should be held to a higher standard.
Intelligent Utility: How was your message received at DistribuTECH?
Cavoukian: This is a new area for the energy sector, so I try to be respectful in explaining the issues. For data relating to operating the power grid, you don't have to worry about privacy. The issue matters when there's linkage between energy usage and someone's name, address or personally identifiable information.
Fortunately, the smart grid is at a nascent stage, so it's the easiest possible time to build 'Privacy by Design' into what you're developing. You will not only save a lot of grief by avoiding data breaches, but you will gain the trust of your customers. And you need customer trust and buy-in for them to participate in energy conservation reform.
At a DistribuTECH dinner I sat next to a high-level executive from a California utility who said, after a lengthy discussion, 'Okay, Ann, I get it. What's it going to cost me?' I said 'Sir, that's the wrong question. You should be asking, 'How much is it going to save me?' If you do it now, it will save you a boatload of money down the road. If you don't, you will have data breaches and lawsuits and damage to your brand.
Intelligent Utility: Point well taken. However, managers of investor-owned utilities must report on how they spend or invest money. Are investments in privacy measures recoverable through rate cases?
Cavoukian: To be honest, I haven't explored that yet. That's why we'd like to partner with a major U.S. utility. For the most part, however, we're advising what not to do. First, preserve the status quo. Do an assessment on how data is used within your operation. Presumably that's documented. Then adopt a policy stating you're not going to release personally identifiable information to third parties without the customer's consent.
You can ask your customers whether they're interested in promotional offers; that's the opt-in model. The initial costs are minimal. You're not putting in expensive new equipment. You're assessing current practices and adopting a policy. Beyond that, I can't address the cost, but I'd love to do so.
Intelligent Utility: To be fair, you're not just advocating a policy. In your case study on Hydro One in Toronto, you're advocating an IT architecture and systems approach that would gather, store, analyze and, ultimately, dispose of customer energy use data in such a manner that the utility gets the granularity it needs to efficiently operate the grid while keeping individual usage data private.
Intelligent Utility: In one DistribuTECH session we both attended, a telecom executive said that 'Privacy by Design' was fine for Canada but implied that it didn't apply to the United States. Actually, you are a member of the Privacy Working Group at the National Institute of Standards and Technology (NIST) and other international groups.
Cavoukian: This is not just about Canada. This approach has been embraced by the U.S. International Trade Commission. 'Privacy by Design' was made the international privacy gold standard in October. In December, Federal Trade Commission Chairman Jon Leibowitz recommended three practices to businesses, one was 'Privacy by Design.'
George Arnold, the head of NIST, is a dear colleague and we've worked together on this. I have partners all around the world. The reason I'm in the U.S. a lot is that you don't have the kind of privacy oversight that we do in Canada, Europe, Australia and many other parts of the world. Because we are trusted neighbors, we're often called upon to consult with you on these matters in Washington.
Intelligent Utility Daily