B.C. Hydro not complying with customer notifications for smart meters: privacy commissioner
Dec 20 2011
B.C. Hydro hopes to have smart meters installed at all homes and businesses in the province by the end of next year.Photograph by: file photo, Delta Optimist
Victoria, B.C. - ANDREW A. DUFFY
The province’s privacy commissioner has told B.C. Hydro to improve its communication with customers about the $930-million smart meter project.
The recommendation was one of 14 handed down Monday by Elizabeth Denham following an investigation, launched in June, into the privacy and security of the project.
According to Denham, while Hydro is complying with privacy regulations with regard to the collection, use and protection of customer information, there’s plenty of room for improvement.
“We found Hydro did not meet the legal requirements for notifying customers about the smart meter project, and I think that is a serious contravention, especially when dealing with a new technology,” Denham said.
The smart meter program will see new digital meters replace the 1.8 million electro-magnetic meters at every house and business in the province by the end of 2012.
The new meters allow two-way communication through secure connections between homes and B.C. Hydro, and are designed to provide a more accurate picture of energy consumption, both to Hydro and the consumer.
Denham said Hydro is required by law to tell its customers the purpose of collecting personal information for the project, explain its legal authority to do so and provide contact information for reaching a B.C. Hydro employee who can answer questions.
“All of these are required under the Freedom of Information and Protection of Privacy Act, and B.C. Hydro was offside with that,” she said. “I think they thought their communication was sufficient and we found it was deficient. When a public body undertakes the application of new technology, they need to assuage the concerns of the public — and they have a legal requirement to do so.”
According to the commissioner, Hydro has committed to address the concerns in the next three months. She said improved contact between her office and Hydro will be established to ensure the utility meets all the recommendations.
Denham noted that while B.C. Hydro invested “quite heavily” in privacy policies and training, the training is not mandatory. “They are moving in the right direction but they could do a better job,” she said.
Hydro spokeswoman Cindy Verschoor said the utility plans to address the recommendations as soon as possible.
“We are pleased the report confirms B.C. Hydro is taking the right steps in protecting our customer’s information and confirms that we are taking privacy and security seriously. And, hopefully, that alleviates some of the questions that some members of the public have had,” she said.
Verschoor said the company is putting together an action plan to deal with improving communication with customers. It is also establishing an increased web presence.
She said B.C. Hydro already has a team dedicated to answering questions about smart meters. “What she is asking us to do is to have dedicated [people] just to answer privacy and security questions. And, absolutely, we will go ahead and implement that,” she said.
Verschoor said the company has worked with Denham’s office from the outset and will continue to do so.
Hydro started replacing the old meters in July and has installed more than 500,000 to date.
Concerns have been raised about privacy and security, the cost of the program and the health effects of wireless meters.
Denham said there’s little in her report that will assuage all the fears raised by the program. “But I do think it outlines what smart meters do at the present time, what plans are for the future and the fact that our office — from a privacy and security perspective — will be monitoring all phases of smart metering.”
Verschoor said the number of concerns expressed has been small and more than 99 per cent of customers has accepted the new meters. “We are working with the small fraction of a percentage that has concerns so they have the facts,” she said.
Recommendations to B.C. Hydro from the Office of the Information and Privacy Commissioner
As B.C. Hydro introduces new elements to the smart grid, or increases the functionality of existing elements of the grid, it should continue to complete privacy impact assessments in each instance and provide it to the OIPC for review and comment before implementation.
BC Hydro must develop more comprehensive web pages and paper notices for its customers for the SMI project regarding the purposes for collecting hourly electricity consumption data, the legal authority for collection, and the contact information for the person within B.C. Hydro who can answer questions regarding the collection.
Before any future secondary uses of electricity consumption information take place, B.C. Hydro should complete a privacy impact assessment and provide it to the OIPC for review and comment prior to implementation.
B.C. Hydro should follow through with its plans to document in detail its role-based access model for the SMI project. This model should include a comprehensive roles matrix that maps job functions with personal information and privileges required to perform those functions. Roles should be defined as specifically as possible. In accordance with the least privilege principle, BC Hydro should ensure each role only has access to the minimum amount of personal information necessary to perform their functions. BC Hydro should fully document the role-based access matrix and regularly check and update it as required. BC Hydro should also implement a monitoring/auditing plan to evaluate whether its staff is properly accessing and using information. Investigation Report F11-03 – Information & Privacy Commissioner for BC 36
If, in the future, B.C. Hydro becomes involved in offering its customers the option of disclosing their consumption information to third parties, it should take reasonable steps to ensure that the third parties are transparent about their personal information practices.
B.C. Hydro should ensure that it reviews all policies relating to information security and privacy on a regular basis to ensure that they remain current and relevant. BC Hydro should document this review process; including putting dates on policies to reflect BC Hydro’s most recent review.
B.C. Hydro should make annual privacy and information security training mandatory for all employees and contractors.
While it appears to be B.C. Hydro’s intention, it should ensure that it introduces read-access logging prior to commencing the collection of hourly electricity consumption information. BC Hydro should also implement a monitoring/auditing plan to evaluate the effectiveness of its read-access logging.
B.C. Hydro should archive SMI project records containing personal information that are no longer required for the delivery of customer services on a regular and ongoing basis. BC Hydro should develop a classification scheme to identify those records.
B.C. Hydro should not retain customer personal information indefinitely. BC Hydro should continue to develop and implement a records retention and disposition policy that sets out when the disposal of personal information of its customers and former customers will occur. Investigation Report F11-03 – Information & Privacy Commissioner for BC 37
B.C. Hydro should ensure that it has designated an individual to be responsible for privacy within the organization. This individual should have primary responsibility for privacy within BC Hydro and within the SMI project. This individual should be a member of BC Hydro’s executive team and/or should be fundamental to BC Hydro’s business decision-making process.
B.C. Hydro should develop annual and/or multi-year privacy performance plans for the SMI project.
B.C. Hydro should ensure it has reporting mechanisms regarding its privacy management framework and it should state these mechanisms in its privacy policies and procedures.
B.C. Hydro should develop policies relating to training of employees and service providers, audit and breach management
A link to the full report can be found at www.oipc.bc.ca