The National Institute for Standards & Technology formed a working group to study and recommend appropriate standards for protecting people’s privacy within a smart grid system. This group, called The Smart Grid Interoperability Panel–Cyber Security Working Group, issued a report in August 2010.
Here are some of their key recommendations that our utility companies and public service regulatory bodies are NOT adhering to:
- Notice and Purpose. An organization should provide consumers with meaningful, clear, and full notice in advance of the collection, use, retention, or sharing of energy usage data and personal information. Such notice should provide a detailed description of all purposes for which consumer data will be used, including any purposes for which affiliates and third parties will use the data. The notice should also include how long the data will be maintained by the organization and which third parties the data will be shared with. Clear, full, and accurate notice prior to data collection is essential to enabling other principles.
- Choice and Consent. An organization should clearly, fully, and accurately describe the choices available to individuals, and to the extent practicable, obtain explicit approval for the collection and use of their personal information. Consumers should have the option to forgo data collection and services that are not related to the core services provided by the organization.
- Collection and Scope. Only personal information that is required to fulfill the stated purpose specified under the Notice and Purpose principle should be collected. Treatment of the information should conform to these privacy principles.
- Use and Retention. Information should be used or disclosed only for the purpose for which it was collected and should be divulged only to those parties authorized to receive it. Personal information should be aggregated or anonymized wherever possible to limit the potential for revealing private information. Personal information should be kept only as long as is necessary to fulfill the purposes for which it was collected.
- Individual Access. Organizations should provide a process whereby individuals may ask to see their corresponding personal information and to correct inaccuracies. Individuals should be informed about parties with whom personal information has been shared.
- Disclosure and Limiting Use. Personal information should be used only for the purposes for which it was collected. Personal information should not be disclosed to any other parties except those identified in the notice for purposes identified in the notice, or with the explicit consent of the service recipient. Unless disclosure is compelled by a subpoena, warrant, or court order, organizations should seek prior consumer approval for disclosure of consumer data to third parties.