High-level Smart Grid Consumer-to-Utility Privacy Impact Assessment Report

Citation

Cyber Security Coordination Task Group, High-level Smart Grid Consumer-to-Utility Privacy Impact Assessment Report (PIA) (Aug. 2009).

Overview

The PIA examines privacy implications and related information security safeguards within the planned U.S. Smart Grid, particularly issues involved with consumer-to-utility data items collected and how they are used. This analysis was performed in accordance with numerous U.S. federal data protection requirements and with Organization for Economic Cooperation and Development (OECD) privacy principles^[1] as outlined within the American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles (GAPP).

The scope of this PIA included a review of available documentation and information obtained from a variety of utility and industry contacts and experts.

Summary of PIA Findings

The results of a high-level PIA of the consumer-to-utility metering data-sharing portion of the Smart Grid revealed that significant areas of concern must be addressed within each localized region of the Smart Grid.

Most states have general laws in place regarding privacy protections. However, these laws are most often not specific to the electric utility industry. Furthermore, enforcement of state privacy-related laws is often delegated to agencies other than public utility commissions, who have regulatory responsibility for electric utilities.

Research indicates that, in general, state utility commissions currently lack formal privacy policies or standards related to the Smart Grid. Some, individual utility implementations of the Smart Grid are currently at an early stage, while others are more fully developed. Utilities at an early stage of implementation may have not yet documented or implemented privacy policies, standards, or procedures for the data collected throughout the Smart Grid. Comprehensive and consistent definitions of personally identifiable information (PII) do not typically exist at state utility commissions, at FERC, or within the utility industry.

The lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management and information collection and use creates a privacy risk that needs to be addressed.

Preliminary set of principles

The following preliminary set of principles was developed using the GAPP, which form the basis of most international, national, and local data protection laws. In addition, safeguards specified in the international information security standard ISO/IEC 27001,^[2] were considered. The consumer-to-utility smart meter data gathering documentation included in the NIST Roadmap was reviewed against these principles in the development of this section. These principles can be used by authorities and organizations as a starting point for the development of appropriate protections for PII collected and/or used within the Smart Grid.

1. Management and Accountability: An organization should formally appoint personnel to ensure that information security and privacy policies and practices exist and are followed. Documented requirements for regular training and ongoing awareness activities should exist and be followed. Audit functions should be present to monitor all data accesses and modifications.
2. Notice and Purpose: A clearly-specified notice should exist to describe the purpose for the collection, use, retention, and sharing of PII. Data subjects should be told this information at or before the time of collection.
3. Choice and Consent: The organization should describe the choices available to individuals and obtain explicit consent if possible, or implied consent when this is not feasible, with respect to the collection, use, and disclosure of their PII.
4. Collection and Scope: Only PII that is required to fulfill the stated purpose should be collected from individuals. Treatment of the information must conform to fair information processing practices. Information should be collected directly from each individual unless there are justifiable reasons why this is not possible.
5. Use and Retention: Information should only be used or disclosed for the purpose for which it was collected, and should only be divulged to those parties authorized to receive it. PII should be aggregated or anonymized wherever possible to limit the potential for computer matching of records. PII should only be kept as long as is necessary to fulfill the purposes for which it was collected.
6. Individual Access: Organizations should provide a process for PII data subjects to allow them to ask to see their corresponding PII and to request the correction of perceived inaccuracies. PII data subjects must also be informed about parties with whom PII has been shared.
7. Disclosure and Limiting Use: PII should be used only for the purposes for which it was collected. PII should not be disclosed to any other parties except for those identified in the notice, or with the explicit consent of the individual.
8. Security and Safeguards: PII, in all forms, must be protected from loss, theft, unauthorized access, disclosure, copying, use, or modification.
9. Accuracy and Quality: Every effort should be made to ensure that the PII is accurate, complete, and relevant for the purposes identified in the notice, and remains accurate throughout the life of the PII while within the control of the organization.
10. Openness, Monitoring and Challenging Compliance: Privacy policies should be made available to PII data subjects. PII data subjects should be given the ability and process to challenge an organization’s compliance with their state privacy policies as well as their actual privacy practices.

References

1. See generally OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and OECD, Making Privacy Notices Simple.
2. ISO/IEC 27001 Information technology — Security techniques — Information security management systems Y— Requirements (widely used for data protection regulatory compliance).