Electricity Authority urged to test privacy status of meter data
By Gavin Evans
June 18 (BusinessDesk) - The Electricity Authority has been urged to clarify the status of consumers’ meter data under the Privacy Act and how third-parties should be given access to it.
The regulator wants to streamline access to consumers’ historic usage data to speed up the process and lower costs for all parties. Among a collection of “quick” changes it proposed was establishment of an automated tool to communicate a customer’s authorisation of a third-party agent – such as a budget advisor, a switching agent, or an energy consultant – to their retailer.
Retailers including Meridian Energy and Contact Energy urged the authority to seek guidance from the Privacy Commission before it went any further so that processes could be developed that would meet their obligations under the Privacy Act to protect their customers’ data.
Mercury disputed the authority’s legal advice that the revised industry code would take precedence over the Privacy Act and said the proposals would be unworkable and would put it at risk of breaching the act.
Requiring a customers’ signature would not work as Mercury and other retailers don’t hold specimen signatures, it said.
“In our view, the procedure set out in the code creates a real risk that the agent may not actually have authority to access the data requested from retailers. The proposed process does not allow for a retailer to create a process which accurately verifies the customer’s identity, nor does it require the authorisation from the customer to be specifically for the information requested from the retailer,” Mercury says in a submission on the authority’s proposal.
The authority is acting because industry rule changes made in 2016 to speed up sharing of customer data haven’t been as effective as hoped. Firms have developed their own processes for handling information requests and many aren’t completed within the five-day target.
Privacy of meter data is not a new issue for the sector, even though it is most frequently handled only by a numerical identifier – rather than being personally identifiable – often relates to households of multiple individuals, so is not strictly ‘personal’ and is often used in planning and management situations only in aggregate and in anonymised ways.
Energy management consultancy Cortexo says its efforts on behalf of clients have been “severely hampered” by the lack of standardisation and the lack of adherence to the current prescribed process and information formats.
In the past eight months the firm requested data from more than 600 meters from 13 retail brands. “Our average wait time, over all retailers, is 17 working days, well outside the code stipulation of five working days after the day of receipt of the request.”
Managing Director Terry Paddy says his firm understands the need to protect private information and have good processes for managing its release.
But he says the level of protection and authorisation differs for different types of information, and the authority needs to seek a determination from the Privacy Commissioner on how “sensitive” electricity consumption data is and what “serious harm” would be done by its release.
“It seems that often the Privacy Act is used to block access to information that the holder considers valuable to themselves. This stifles innovation,” he said in Cortexo’s submission.
EmhTrade, a peer-to-peer operator, was disappointed it had taken three years for the authority to act when signs of problems with the new rules were clear after one year. Nor was it convinced the proposed arrangements would be as quick as the EA hopes.
It said it would be “naïve” to think that retailers will not seek copies of most, if not all, the authorisations customers make for third-parties to access their data.
“The industry has clearly demonstrated that left to their own devices, retailers will err towards their own self-interest - protecting against privacy breach risk - at the expense of a consumers’ data portability. “
Contact and Trustpower urged the authority to consider a scheme for accrediting third-party agents in order to speed their interactions with retailers and verify their authorisations. Nova Energy said agents should have to indemnify retailers against any use of data that has not been authorised by the customer.
Mercury said it already provides customers free 24/7 access to an online portal where individual consumption data can be accessed.
“Third-party agent requests are subject to a simple security token authorisation process by the customer which is secure and verifiable. Mercury would be pleased to discuss with the authority how this authorisation process operates and whether it could be an appropriate model for the wider sector.”