Office of the Privacy Commissioner | Case Note 251185 [2015] NZ PrivCmr 3: Use of smart meters by utility companies
We received several enquiries from members of the public who were concerned about the privacy implications of smart meters. We decided to look into the increasing use of smart, or advanced, meters by electricity companies, and any privacy issues that may arise.
All residential properties have meters which record total energy consumption at an address. Traditionally, these meters were analogue and needed to be manually checked each month by a meter reader.
Under the Electricity Industry Participation Code 2010, electricity companies must ensure existing metering equipment is recertified by 2015. Many companies are taking the opportunity to install advanced meters that collect data at frequent intervals and communicate that data directly to the electricity company.
We looked at the type of data being collected by advanced meters, whether this could identify users and, if so, what security safeguards were in place to protect that data.
‘Personal information’ in the Privacy Act is defined as information about an identifiable individual. It must tell the reader, or hearer, something about a particular person.
In its raw form, the data collected by advanced meters may not identify a particular person at all. It appears as a series of numbers like “20130542399”. No customer data is stored at the meter, ensuring that customers cannot be identified at the site.
Real-time aggregate data is also useful to show when and where high and low demand for electricity, gas or water occurs, and can assist in planning supply.
However, usage information collected from smart meters is personal information once it is associated with an account holder. This is particularly so if only one person lives at a residential address; any data collected from that address will also be about the resident/account holder. When more than one individual lives at an address the data is less likely to identify the power usage of one of those residents. However, it will be linked to the account holder. Power companies therefore will need to comply with the Privacy Act.
Once the raw data is translated to usage information, power companies need to ensure this information is appropriately stored and handled, and that access to the information is restricted to staff on a ‘need to know’ basis.
Advanced meters automate the collection process, and allow for the collection of more detailed information about electricity use. For example, it may show whether people are at home and may show when certain types of high energy appliances are used. We therefore consider that power companies need to take additional care in how they look after that information, and tell consumers how it will be used.
Even though power companies can collect more granular information about power usage, it doesn’t necessarily follow they can use that information for any purpose they choose. The Privacy Act still applies to personal information and the power companies should only be using the information for the purposes for which it was collected. Power companies should outline these purposes in their privacy policy.
They also need to have strong security standards to ensure information is transmitted safely online.
While the introduction of smart appliances and how this will interact with advanced metering technology is speculative at present, we believe that it has the potential to make the information from smart meters more valuable. We are keeping a watching brief as the technology develops and may adjust our view as necessary in future.
February 2015
Collection – personal information – use of smart meters – electricity – Privacy Act 1993