Electricity Authority urged to test privacy status of meter data
By Gavin Evans
June 18 (BusinessDesk) - The Electricity Authority has been urged to clarify the status of consumers’ meter data under
the Privacy Act and how third-parties should be given access to it.
The regulator wants to streamline access to consumers’ historic usage data to speed up the process and lower costs for
all parties. Among a collection of “quick” changes it proposed was establishment of an automated tool to communicate a
customer’s authorisation of a third-party agent – such as a budget advisor, a switching agent, or an energy consultant –
to their retailer.
Retailers including Meridian Energy and Contact Energy urged the authority to seek guidance from the Privacy Commission
before it went any further so that processes could be developed that would meet their obligations under the Privacy Act
to protect their customers’ data.
Mercury disputed the authority’s legal advice that the revised industry code would take precedence over the Privacy Act
and said the proposals would be unworkable and would put it at risk of breaching the act.
Requiring a customers’ signature would not work as Mercury and other retailers don’t hold specimen signatures, it said.
“In our view, the procedure set out in the code creates a real risk that the agent may not actually have authority to
access the data requested from retailers. The proposed process does not allow for a retailer to create a process which
accurately verifies the customer’s identity, nor does it require the authorisation from the customer to be specifically
for the information requested from the retailer,” Mercury says in a submission on the authority’s proposal.
The authority is acting because industry rule changes made in 2016 to speed up sharing of customer data haven’t been as
effective as hoped. Firms have developed their own processes for handling information requests and many aren’t completed
within the five-day target.
Privacy of meter data is not a new issue for the sector, even though it is most frequently handled only by a numerical
identifier – rather than being personally identifiable – often relates to households of multiple individuals, so is not
strictly ‘personal’ and is often used in planning and management situations only in aggregate and in anonymised ways.
Energy management consultancy Cortexo says its efforts on behalf of clients have been “severely hampered” by the lack of
standardisation and the lack of adherence to the current prescribed process and information formats.
In the past eight months the firm requested data from more than 600 meters from 13 retail brands. “Our average wait
time, over all retailers, is 17 working days, well outside the code stipulation of five working days after the day of
receipt of the request.”
Managing Director Terry Paddy says his firm understands the need to protect private information and have good processes
for managing its release.
But he says the level of protection and authorisation differs for different types of information, and the authority
needs to seek a determination from the Privacy Commissioner on how “sensitive” electricity consumption data is and what
“serious harm” would be done by its release.
“It seems that often the Privacy Act is used to block access to information that the holder considers valuable to
themselves. This stifles innovation,” he said in Cortexo’s submission.
EmhTrade, a peer-to-peer operator, was disappointed it had taken three years for the authority to act when signs of
problems with the new rules were clear after one year. Nor was it convinced the proposed arrangements would be as quick
as the EA hopes.
It said it would be “naïve” to think that retailers will not seek copies of most, if not all, the authorisations
customers make for third-parties to access their data.
“The industry has clearly demonstrated that left to their own devices, retailers will err towards their own
self-interest - protecting against privacy breach risk - at the expense of a consumers’ data portability. “
Contact and Trustpower urged the authority to consider a scheme for accrediting third-party agents in order to speed
their interactions with retailers and verify their authorisations. Nova Energy said agents should have to indemnify
retailers against any use of data that has not been authorised by the customer.
Mercury said it already provides customers free 24/7 access to an online portal where individual consumption data can be
“Third-party agent requests are subject to a simple security token authorisation process by the customer which is secure
and verifiable. Mercury would be pleased to discuss with the authority how this authorisation process operates and
whether it could be an appropriate model for the wider sector.”