Data privacy issues: Part II
A conversation with Ann Cavoukian, Ontario's privacy commissioner
If you missed the first part of this conversation with Ann Cavoukian, information and privacy commissioner for Ontario, Canada, please click on "Data Privacy Issues," before embarking on Part II. Cavoukian is the author of "Privacy by Design," a policy and a technical process to achieve protection of individually identifiable energy use data. This approach has been "operationalized" at Ontario's Hydro One utility.
Intelligent Utility: Let's talk about the ownership of data and related issues.
Cavoukian: A lot of utilities say they own the data. They collect it, they analyze it, they use it to operate the grid. I want to suggest that 'ownership' is not the best language to use. I'd prefer the language of 'custody' and 'control.' Who has custody of this information? Clearly the utility does. With that custody comes enormous control and a duty of care. If you are collecting this data, you have obligations to protect it. But if people insist on the concept of ownership, then it belongs to the individuals who are identified with it or by it.
Privacy is about control. People think it has to do with secrecy. Your customers have an existing trust relationship with their utility and they don't want that model to change. They don't want third parties entering into this relationship without their consent. If you want to provide access to third parties, who may have very valuable offerings, you ask the customer.
Intelligent Utility: In your view should 'Privacy by Design' be legislated or adopted as a self-imposed industry standard?
Cavoukian: You could do both. I'm okay with the self-imposed model because I think utilities understand this is good for business. In California, Senate Bill 1476, signed into law last September, says to utilities: 'Thou shalt not give this information to third parties without the individual's consent.' You've got examples of how this might be done in progressive states such as California. [Editor: The California Public Utilities Commission (CPUC) has also required disclosure of current practices and future plans from the state's largest utilities. The National Institute for Standards and Technology (NIST) issued security and privacy guidelines last September.]
Intelligent Utility: Who are your likely allies in the U.S. utility business?
Cavoukian: I'd love to work with a U.S. utility, just as I've partnered with Hydro One in Ontario, Canada. At DistribuTECH I spoke to executives from two U.S. utilities who were very receptive to my ideas. I've been delighted to find that several utilities I spoke with 'get it.'
Intelligent Utility: Perhaps for context, we should ask whether 'Privacy by Design' applies to other vertical industries or just the energy sector?
Cavoukian: One individual at DistribuTECH did question whether we're 'picking on the energy sector.' I had to shake my head. I didn't know about this field until a couple years ago. For the past 20 years we've focused on everything but energy. [Cavoukian mentioned health records, mobile communications data, banking, etc.] It was the introduction of smart meters to the smart grid that got our attention in Ontario. The government mandated that everyone must have a smart meter by the end of 2010. That's when we stepped in to ensure that privacy is embedded into that system. One of the concepts we use is 'positive sum' rather than 'zero sum.' That means it's not energy versus privacy or security versus privacy. Get rid of the 'versus' and substitute 'and.' When you approach people with that approach, they don't get their back up. We want energy management and conservation to grow, but with privacy protections included.
Intelligent Utility: In your latest report you use the term 'information life cycle.' Would you explain that term and how it applies to electric utilities?
Cavoukian: We first developed our thinking on this topic several years ago when we were approached by NAID, the National Association for Information Destruction [an international trade association for companies providing information destruction services], based in the U.S. You need a secure way to destroy information at the end of its life cycle.
Some sectors are mandated by law on how long they must maintain data. Invariably, however, there's an end to the lifecycle. When you reach that point, find a way to securely destroy the data. If you employ a third party to perform this service, make sure they're licensed to do secure destruction. Access to unauthorized information can cause as much trouble at the end of the lifecycle as it can at the beginning or middle of that lifecycle.
An electric utility executive told me, 'Rest assured, today we can provide a very detailed, granular picture of your energy use and your activities at home.' Fast forward 10 years from now when we have smart appliances. That picture will be much more granular and this issue will only grow in importance.
Intelligent Utility: How do you feel your message is being received?
Cavoukian: We're making inroads, slowly. Your home is the last domain of privacy. I'm very optimistic that we can modernize the grid and protect privacy. That will enhance consumer buy-in and therefore help energy conservation.
Intelligent Utility Daily