Adopted by Home Energy Analytics (HEA) from:
UNITED STATES DEPARTMENT OF ENERGY (US DOE)
DATA PRIVACY AND THE SMART GRID: A VOLUNTARY CODE OF CONDUCT (VCC)
Final: January 8, 2015
The purpose of the Privacy Voluntary Code of Conduct, facilitated by the United States Department of Energy’s Office of Electricity Delivery and Energy Reliability and the Federal Smart Grid Task Force, is to describe principles for voluntary adoption that:
encourage innovation while appropriately protecting the privacy and confidentiality of Customer Data and providing reliable, affordable electric and energy-related services;
provide customers with appropriate access to their own Customer Data; and
do not infringe on or supersede any law, regulation, or governance by any applicable federal, state, or local regulatory authority.
The VCC’s recommendations are intended to apply as high level principles of conduct for both utilities and third parties.
Overview of the Voluntary Code of Conduct:
CUSTOMER NOTICE & AWARENESS: How the customer learns what he or she needs to know to exercise informed choice.
CUSTOMER CHOICE AND CONSENT: How the customer controls his or her data and under what limitations.
CUSTOMER DATA ACCESS AND PARTICIPATION: How the customer’s data is accessed.
INTEGRITY AND SECURITY: How customer data is maintained.
SELF ENFORCEMENT MANAGEMENT AND REDRESS: How the VCC is followed.
HEA has adopted these principles in their entirety, and has added supplemental information regarding HEA’s application of these principles within this document.
Account Data
The following elements, when identified with a specific customer, are considered to be Account Data:
Names;
All geographic subdivisions smaller than a state, including street address, city, county, precinct, census block, zip code, and their equivalent geo-codes;
Dates of service provided to a customer by the utility or third party or information specific to identifying an individual’s utility service;
Telephone or fax numbers;
Electronic mail addresses;
Utility or Third Party Account numbers (excluding financial account numbers, such as credit card numbers, bank account numbers, etc.); and
Device identifiers (e.g., meter numbers, HAN numbers, etc.) and serial numbers.
Aggregated Data
Aggregated Data is a combination of data elements for multiple customers to create a data set that is sufficiently anonymous so that it does not reveal the identity of an individual customer. HEA uses aggregated data to measure program savings.
Anonymized Data
A data set containing individual sets of information where all identifiable characteristics and information, such as, but not limited to, name, address, account number, or social security number, are removed (or scrubbed) so that one cannot reasonably re-identify an individual customer based on, for example, usage, rate class, or location. HEA uses anonymized data to conduct residential energy research (which may be published) and to improve our service.
Contracted Agent
An entity providing support to a Service Provider in the provision of service to the customer for a Primary Purpose (without consent) or Secondary Purpose (with consent) who: (1) has access to Customer Data; and (2) has contractually assumed obligations comparable to those of the Service Provider to protect and keep confidential Customer Data and to use it only for the identified Primary or Secondary Purpose. To the extent a Contracted Agent wishes to use Customer Data for its own independent Secondary Purpose, it is treated as a Third Party, meaning that it has to receive customer consent to use the data. In some programs HEA is a contracted agent to Service Providers.
Customer Data
The combination of customer energy usage data (CEUD) and Account Data. Customer Data is treated as private and has specific requirements outlined elsewhere in the VCC. CEUD without Account Data is considered anonymous data, which is discussed separately in the VCC, and referred to specifically as “anonymous data.” Aggregated CEUD is also discussed separately, and referred to specifically as “aggregated data.” Publicly available information about a customer is not treated as private, unless it is combined with other non-public information. HEA uses customer data to create an accurate home energy profile for every customer.
Customer Energy Usage Data (CEUD)
Customer Energy Usage Data reflects an individual customer’s measured energy usage but does not identify the customer. HEA analyzes CEUD in order to create home energy profiles.
Primary Purpose
The use of Account Data or CEUD that is reasonably expected by the customer: (1) to provide or reliably maintain customer-initiated service; and (2) including compatible uses in features and services to the customer that do not materially change reasonable expectations of customer control and third party data sharing. HEA’s primary purpose is to help customers save energy.
Secondary Purpose
The use of Account Data and CEUD that is materially different from the Primary Purpose and is not reasonably expected by the customer relative to the transactions or ongoing services provided to the customer by the Service Provider or their contracted agent. HEA does not use customer data for any secondary purposes. Period.
Service Provider
A Service Provider is an entity that collects Customer Data directly from individuals to support a Primary Purpose. Where the Service Provider is a corporation, this definition includes all legal entities or agents within the corporation’s structure that are involved in fulfilling that Primary Purpose. In some programs HEA is the service provider. In others, the Service Provider may be a utility company like Pacific Gas & Electric (PG&E).
Third Party
An entity requesting access to Customer Data from a Service Provider for a Secondary Purpose. In some programs HEA is a third party to service providers like PG&E. Their primary purpose is energy delivery, so from their perspective HEA provides a secondary purpose: energy efficiency.
The VCC is expressed through five core concepts, as follows.
1.0 CUSTOMER NOTICE & AWARENESS
The concept that customers should be given notice about privacy-related policies and practices as part of providing service. Service Providers should provide materials in various formats that are easily understandable by the demographics they serve, and as may be reasonably appropriate. Notice should be given at the start of service [HEA highlights a link to this privacy page on our Registration pages], on some recurring basis thereafter [HEA’s privacy link appears at the bottom of all monthly emails], and at the customer’s request [HEA’s privacy notice is always available on HEA’s public website and the full text can be requested by email to firstname.lastname@example.org]. Notice also should be given when there is a substantial change in procedure or ownership that may impact customer data [HEA will notify customers of substantial changes via email]. This could include, for example, timing disclosures to coincide with the time and place that customers have the ability to exercise choices regarding the use of their CEUD for new purposes materially different than those for which it was originally collected. Notice should be clear and conspicuous, and should address the following:
The specific types of Information that are being collected by the Service Provider (HEA may collect some or all of the following types of information: electric use and cost; natural gas use and cost; water use and cost; weather data; home characteristics; and occupancy), and containing a statement that the Service Provider has committed to only collecting that Customer Data needed to support a Primary Purpose. HEA only collects information that is relevant to providing residential energy efficiency, water efficiency, and greenhouse gas (GHG) emissions reduction services.
At a high level and in easy to understand language, the Service Provider should explain how the Customer Data is being used, and should specifically:
Explain the means by which Account Data is collected (application for service, online, consumer hotline, mail, credit report, etc.). HEA collects account data from utility web portals or from green button data, whichever is available.
Explain the means by which CEUD is collected. CEUD is collected via meters installed at your home for electricity, natural gas and water.
Provide an overview of the Primary and Secondary Purposes. HEA’s primary purpose is to help our users improve their energy efficiency, reduce their cost, and/or lower their GHG emissions. HEA does not pursue or support any Secondary Purposes.
Explain how individual level Customer Data will be used. HEA creates a customized energy and/or water profile to help each user understand where they can most easily improve their efficiency.
Explain that data they collect may be used in conjunction with or merged with other data to create Aggregated or Anonymized Data reports and under what circumstances those reports typically will be used and shared. HEA periodically runs reports to identify aggregate energy and water savings across different program groups. This helps us and our partners understand the actual impact of our service and improve it over time.
How the customer can access his or her Customer Data, and the process by which the customer can identify possible inaccuracies and request correction. Every HEA customer can access their data via their online account. The detailed usage and cost information obtained from utilities is shown under the “Usage history” section. Any inconsistencies between this data and data provided from your utility (via bills or their websites) should be immediately reported to email@example.com.
The circumstances under which the Service Provider will share Customer Data without first obtaining consent. Specifically, the notice should:
Notify customers of the types of Contracted Agents with whom the Service Provider is sharing the data to support a Primary Purpose.
Notify customers of the types of supporting services with whom the Service Provider is sharing the data to support a Primary Purpose or as mandated by law/regulation.
Inform customers of instances where the Service Provider will release Customer Data without consent, as identified in concept #2, Customer Choice and Consent, Consent Not Required exceptions.
Inform customers of the purpose of sharing the data.
In some of our programs HEA provides detailed energy profiles to a limited number of Contracted Agents identified by the funder of the program. These agents provide supplemental services supporting energy efficiency, such as in-home audits or telephone support by home energy advisors. Customers may request (via email to firstname.lastname@example.org) a list of specific Contracted Agents, if any, for their particular program.
How the customer can approve Third Party access to their Customer Data for a Secondary Purpose, or revoke access previously granted. HEA does not pursue or support any Secondary Purposes.
How the data is secured
Service Providers should describe for customers how their Customer Data will be secured throughout its lifecycle, in accordance with any requirements of applicable regulatory authorities. HEA holds your data in strict confidence on secure servers and it will only be used to help you reduce your energy use. Our web application uses the same advanced data security methods as online financial services. We will close your account and delete your data upon request (send request to email@example.com). HEA protects your personal information in compliance with Title 20 of California's Code of Regulations, Sections 2505(a)(5)(A) and (B); n.b. 2505(a)(5)(B)(8).
Retention & Disposal
Customers should be informed that Customer Data will be retained and disposed of consistent with applicable local, state, and federal record retention rules and regulations, as well as applicable company policies. HEA complies with Title 20 of California's Code of Regulations, Sections 2505(a)(5)(A) and (B); n.b. 2505(a)(5)(B)(8).
Minimum Notice Inclusions:
An effective date for the initial notice and any subsequent policy changes. See revision date at the bottom of this document.
A point of contact for customer questions about the Service Provider’s privacy-related policies and data access procedures.
See email contact at the bottom of this document.
A summary of changes to the previous version, as applicable, or a means by which previous versions can be obtained.
See link to prior version at the bottom of this document.
Customers should be made aware of their responsibilities as a customer (e.g., providing accurate data, giving notification of changes in Account Data, etc.) in support of responsible data practices. HEA's analysis will only be as accurate as the information you provide, such as home occupancy. If you are unsure how to answer any question, please send us an email at firstname.lastname@example.org.
2.0 CUSTOMER CHOICE AND CONSENT
The concept that customers should have a degree of control over access to their Customer Data. Service Providers and their Contracted Agents require Customer Data to support Primary Purposes. For Secondary Purposes, however, customers should be able to control access to their Customer Data via a customer consent process which is convenient, accessible, and easily understood.
HEA does not pursue or support any Secondary Purposes.
Record Retention and Disposal:
Service Providers should retain Customer Data only as long as needed to fulfill the purpose it was collected for, unless they are under a legal obligation to do otherwise. HEA's algorithms are constantly being improved, and changes are tested against actual Customer Data to ensure accuracy is not degraded for any homes. If you prefer to have your data deleted, send us an email (email@example.com).
Service Providers should securely and irreversibly dispose of or de-identify Customer Data once it is reasonably determined by the Service Provider to be no longer necessary to achieve the purposes for which it was collected, unless they are under a legal obligation to do otherwise. HEA adheres to this principle: we maintain system backups for three months, but after that the data is gone.
Service Providers should maintain records identifying what type of Customer Data has been shared previously with Third Parties, when the sharing occurred and with whom the data was shared for as long as the data exists in the Service Providers’ systems or as long as legally required. HEA maintains records of all data transfers.
Consent Not Required: Prior customer consent is not required to disclose Customer Data in the case of:
Third Parties responding to emergencies that pose imminent threats to life or property;
Law enforcement or other legal officials to whom disclosure is authorized or required by law;
As directed by Federal or State law, or at the direction of appropriate regulatory authority; or
Aggregated or Anonymized Data. Service Providers can share Aggregated or Anonymized data with Third Parties without first obtaining customer consent if the methodology used to aggregate or anonymize Customer Data strongly limits the likelihood of reidentification of individual customers or their Customer Data from the aggregated or Anonymized data set.
Aggregated and Anonymized Data may be shared via a contract between the Service Provider and Third Party that requires that the Third Party not attempt to re-identify customers.
The service provider may decline a request for Aggregated or Anonymized Data release if fulfilling such a release would cause substantial disruption to the day-to-day activities of its personnel.
Activities conducted in order to preserve the safety and reliability of the electric grid and critical infrastructure or the integrity or security of other systems containing Customer Data.
HEA abides by these best practices.
Access to Data Other Than Customer Data: Except as required by law, Service Providers will not share with a Third Party the customer’s: social security number; state or federal issued identification number; financial account number in combination with any security code providing access to the account; consumer report information provided by Equifax, Experian, TransUnion, Social Intelligence or another consumer reporting agency; individually identifiable biometric data; or first name (or initial) and last name in combination with any one of the following: (1) date of birth; (2) mother’s maiden name; (3) digitized or other electronic signature; and (4) DNA profile. Such information should be obtained directly from the customer. Of the data types listed in this paragraph, HEA only has access to the customer's first and last name.
Data Access Exclusions:
Aggregated or Anonymized Data that is reasonably likely to allow identification of the Service Provider’s trade secrets, confidential or proprietary data even when aggregated or anonymized, may not be released. HEA abides by this exclusion.
Overlapping data requests from the same requestor should not be permitted if granting such requests is reasonably likely to compromise the aggregation and reveal information that could be used to identify or re-identify customers or Customer Data. HEA abides by this exclusion.
3.0 CUSTOMER DATA ACCESS AND PARTICIPATION
The concept that customers should have access to their own Customer Data and should have the ability to participate in its maintenance. The process by which customers access their Customer Data should have the following attributes:
Is reasonably convenient, timely, and cost-effective.
Allows the customer to identify possible inaccuracies and request that they be corrected.
Allows the Service Provider to charge a fee, subject to applicable laws and regulations, to the extent the Service Provider offers a method of data access that is different from the method it generally offers to its customers, or is not based on commonly used data formats or standards.
Allows the Service Provider to recover costs for Aggregated Data requests that are different from the method or format in which it generally offers aggregated data, represents the fulfillment of multiple requests, or is not based on commonly used data formats or standards.
HEA adheres to these best practices. No additional fees are charged for data access: individual HEA customers can access their raw data via the "Usage history" menu in their account.
4.0 INTEGRITY AND SECURITY
The concept that Customer Data should be as accurate as reasonably possible, and secured against unauthorized access. Data should be maintained in a reasonably accurate and complete form, considering the circumstances and environment in which it has been collected (e.g., recognizing the difference between raw meter data and bill-ready data). Data should be protected via a cybersecurity risk management program which has the following attributes:
Identifies, analyzes, and mitigates cybersecurity risk to the Service Provider’s organization with respect to Customer Data.
Implements and maintains process, technology, and training measures to preserve data integrity and reasonably protect against loss and unauthorized use, access, or dissemination.
Maintains a comprehensive data breach response program for the identification, mitigation and resolution of any incident that causes or results in the breach of Customer Data security.
Provides complete, accurate, and timely notice to customers whose Customer Data may have been compromised while within the Service Provider’s control or within the control of Service Provider’s Contracted Agent, and remedies those conditions which led to the breach.
In the event that a Service Provider has modified or enhanced data that it initially received from another source (e.g., a utility or a different third party), the customer receiving the enhanced or modified data should generally be made aware that such data may differ from the original data.
HEA developed and maintains security policies that address these best practices. In 2012 HEA passed a rigorous third party security audit funded by PG&E, as a prerequisite to HEA's participation in the launch of their initial Green Button Connect My Data program at the White House.
Aggregated Data Methodologies: When developing an Aggregation methodology that will meet the requirements of Concept 2.0 Customer Choice and Consent, subheading Consent Not Required, item (4), the following variables should be considered:
Customer Identifiers: the aggregated data set should not include an individual customer’s Account Data, or other identifying data.
Number of Customers: A sufficient number of customers should be included in the data set to reduce the ability to re-identify a customer.
Customer Load: If the load of a particular customer represents an outlier (e.g. greater or less than a percent of the ratio) when compared to other customers in the data set, consideration should be given to whether the size of the customer’s load can be masked to prevent identification or re-identification, or if not possible, that customer’s data should be excluded from the data set.
Customer Class: differences in energy usage patterns between customer classes should be considered when deciding whether to aggregate multiple classes into one aggregated data set.
Timescale: the ability to identify or re-identify customers or attribute to those customers specific Customer Data may vary based on the interval of energy reading, creating differences in methodologies used for hourly, monthly, quarterly and yearly data.
Geographic Identifiers: the relative size of the geographic area associated with the selection of customers for the data could result in reidentification.
Methods by which data can be aggregated should be reviewed every 2 years or more frequently if needed to account for changes in technology and risk related to data aggregation.
HEA adheres to these best practices whenever data is aggregated.
Anonymized Data Methodologies: When creating a methodology to anonymize Customer Data, the following variables should be considered as applicable to the specific situation:
Customer Identifiers: the Anonymized data should not include an individual customer’s Account Data, or other identifying data.
Customer Load and Energy Pattern: the customer’s load and/or energy pattern should be examined to determine if it is so unique among other customers that it could compromise the anonymization.
Customer Class: the data should be homogenous; mixing of residential, commercial, industrial or agricultural customers in the same data set could compromise the anonymity of individual customers.
Timescale: the customer’s time series data should be assigned a random identification number and listed randomly.
Energy Pattern: customers with unique energy patterns should be removed.
Masking Data: explore masking techniques that enhance the anonymity of data without negatively impacting the validity of the data set.
HEA adheres to these best practices whenever data is anonymized.
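The following is an added illustration, not HEA's own code, of how the Aggregated Data and Anonymized Data methodology variables above (a minimum number of customers, exclusion of load outliers, a single customer class, stripped Account Data, random series identifiers) and the overlapping-request exclusion from Concept 2.0 can be turned into concrete release checks. The sample customers, the minimum cohort size of five and the 3x outlier ratio are constructed assumptions; the VCC does not prescribe specific thresholds.

```python
"""Constructed example: release checks for aggregated and anonymized CEUD.

Added illustration, not HEA's or the DOE's code. Thresholds are assumptions.
"""
import random
import statistics
from dataclasses import dataclass

MIN_CUSTOMERS = 5      # assumed minimum cohort size before any release
OUTLIER_RATIO = 3.0    # assumed: total load > 3x or < 1/3 of the cohort median is an outlier


@dataclass(frozen=True)
class CustomerRecord:
    account_id: str        # Account Data: must never appear in a released data set
    customer_class: str    # "residential", "commercial", ...
    monthly_kwh: tuple     # CEUD: twelve monthly readings


# Seasonal shape (summer peak) used only to build the constructed sample.
_SEASON = (1.0, 0.95, 0.9, 0.85, 0.9, 1.05, 1.2, 1.25, 1.1, 0.95, 0.95, 1.0)


def _series(base_kwh):
    return tuple(int(base_kwh * f) for f in _SEASON)


# Constructed sample (no real customers): five typical homes, one very large
# home that would be identifiable by its load alone, and one business.
SAMPLE = [
    CustomerRecord("ACCT-001", "residential", _series(400)),
    CustomerRecord("ACCT-002", "residential", _series(450)),
    CustomerRecord("ACCT-003", "residential", _series(380)),
    CustomerRecord("ACCT-004", "residential", _series(520)),
    CustomerRecord("ACCT-005", "residential", _series(410)),
    CustomerRecord("ACCT-006", "residential", _series(2500)),  # load outlier
    CustomerRecord("ACCT-007", "commercial", _series(9000)),
]


def _total(rec):
    return sum(rec.monthly_kwh)


def select_cohort(records, customer_class, ratio=OUTLIER_RATIO):
    """Keep one customer class and drop customers whose total load is an outlier."""
    cohort = [r for r in records if r.customer_class == customer_class]
    if not cohort:
        return []
    med = statistics.median([_total(r) for r in cohort])
    return [r for r in cohort if med / ratio <= _total(r) <= med * ratio]


def aggregate(cohort, min_customers=MIN_CUSTOMERS):
    """Release only counts and means; None means the request must be declined."""
    if len(cohort) < min_customers:
        return None
    n = len(cohort)
    months = range(len(cohort[0].monthly_kwh))
    return {
        "customer_count": n,
        "mean_monthly_kwh": [round(sum(r.monthly_kwh[m] for r in cohort) / n, 1)
                             for m in months],
    }


def anonymize(cohort, rng, min_customers=MIN_CUSTOMERS):
    """Strip Account Data, assign random series IDs, and shuffle the listing order."""
    if len(cohort) < min_customers:
        return None
    rows = [{"series_id": f"{rng.getrandbits(64):016x}", "monthly_kwh": r.monthly_kwh}
            for r in cohort]
    rng.shuffle(rows)
    return rows


class ReleaseLog:
    """Refuse a cohort that differs from an earlier release by too few customers:
    subtracting the two aggregates would single those customers out."""

    def __init__(self, min_diff=MIN_CUSTOMERS):
        self.released = []
        self.min_diff = min_diff

    def approve(self, cohort):
        ids = frozenset(r.account_id for r in cohort)
        for prev in self.released:
            if ids != prev and len(ids ^ prev) < self.min_diff:
                return False
        self.released.append(ids)
        return True


if __name__ == "__main__":
    homes = select_cohort(SAMPLE, "residential")
    print(aggregate(homes))
    print(anonymize(homes, random.Random()))
```

With the sample above, the large home is dropped before either release, the single commercial customer never meets the minimum cohort size, and a second request for the same residential cohort minus one customer is refused by the release log because the two aggregates together would reveal that customer's series.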
5.0 SELF ENFORCEMENT MANAGEMENT AND REDRESS
The concept that there should be enforcement mechanisms to ensure compliance with the foregoing concepts and principles. Service Providers who voluntarily adopt this Voluntary Code of Conduct commit to the following:
To regularly review their Customer Data practices, including customer notice practices, for accuracy, compliance, and process improvement opportunities.
To take action to meet legal and regulatory data protection mandates and, when necessary, to ensure compliance with the foregoing principles.
To provide a simple, efficient, and effective means for addressing customer concerns. Customer processes should be easily accessed, and should provide timely review, investigation, documentation, and resolution of the customer’s concerns. Existing procedures for addressing other types of customer complaints may be adequate.
To conduct regular training and ongoing awareness activities for relevant employees on the Service Provider’s privacy policies and practices.
HEA adheres to these best practices.
End of Document Version 1.1, updated February 2016, with DataGuard logo. Prior version here.
Please email any questions to firstname.lastname@example.org