I recently had an opportunity to interview Dr Ann Cavoukian, the Information and Privacy Commissioner for Ontario, Canada about Smart Grid data privacy. Commissioner Cavoukian has written and presented extensively about Smart Grid privacy. She is also the author of a white paper on Smart Grid privacy called SmartPrivacy for the Smart Grid and Dr. Cavoukian partnered with two major utilities to develop a practical roadmap for utilities to achieve the gold standard in data protection (Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid).
Here is the full transcription of our chat:
Tom Raftery: Hi everyone, and welcome to the Smart Grid Heavy Hitter Series. My guest on the program, today, is Commissioner Ann Cavoukian, the Information and Privacy Commissioner for Ontario. Commissioner, I?m curious, why is the Information and Privacy Commissioner of Ontario concerned about Smart Grids?
Commissioner Cavoukian: Well, I always say that in order to protect the privacy of the citizens of Ontario, I have to protect the privacy of people anywhere in the world. Privacy knows no bounds and technology transcends jurisdiction. So, whatever new technologies arise that have privacy implications, we need to get right in there and ensure as much as we can that protections are built into, especially, new technologies and new developments like the smart grid. The ideal opportunity to protect privacy is at the outset and ideally embed privacy into the design of new technologies like the smart grid.
Tom Raftery: Why is there a concern at all about privacy and smart grids? What?s the danger?
Commissioner Cavoukian: Anytime that there?s the possibility of collecting personally identifiable information either directly or through some data linkage to it, privacy enters into the equation.
So, with the smart grid you start with smart meters. And I should tell you that here in Toronto, Ontario we are leading in the smart grid, smart meter applications. By the end of this year, all houses in Toronto will have smart grids and in Ontario by the end of 2012. So, it?s widespread application.
Now, what smart girds enable the utility to do is to on a real time basis go in to your home and give you a very clear indication of your electricity usage, which is very good because it will promote energy consumption reduction, and a number of other programs – this is all very positive. As long as the information is kept between the electrical utility and the consumer, there?s no issue. It?s no different than now so to speak.
However, with the possibility of third parties being interested in this information, the possibility of unauthorized data usage of this information there?s link to an identifiable individual and with the growth of smart appliances – your computer, your television, your refrigerator; everything is going to be telling you and telling the utility what you?re doing, when you?re doing at, at what times – this introduces a whole new element of potential profiling of a consumer?s activities within the household, which is after all your castle, right? Your home is sacrosanct.
No one has been able to peer into the activities within the home before now. They?ll be able to do that. So, we have to ensure that this information is protected like Fort Knox.
Tom Raftery: How widespread are the concerns? How many people are aware that this is an issue and how are people trying to deal with that issue?
Commissioner Cavoukian: And you are absolutely right. About a year, a year-and-a-half ago I did an article. And I call privacy the sleeper issue of the smart grid; because certainly last year not a lot of activity associated with this area, but I can tell you that in the past year the interest has grown dramatically.
In Canada, we have jurisdiction over electrical utilities. So, I?ve been working with Hydro One, here, in Ontario, Canada and Toronto Hydro and they not only understand the issues, of course, they?re regulated. I oversee complaints with these two utilities; however, I want to tell people – don?t rely on regulation.
I want to exceed regulation. I want appeal to electrical utilities that in order for the smart grid to work you need consumers to sign up and to become involved, you need to build trust and consumer confidence.
The way you do that is by ensuring that they know what you?re doing as an utility, they know what information you have from them, and most important, you are not going to disclose this information, you?re not going to share it with any third parties without their consent – this is big.
So, my appeal to utilities, and I?ve been working with utilities throughout North America and the US Smart Grid Alliance. I?m an active member there.
My pitch to them, is do this because it?s good for your utility, because you want to get the buy-in of consumers, you want to get their cooperation, you must have their trust, you must have their confidence.
So, by embedding privacy into the design of the smart grid you will be able to grow your smart grid in a way that attracts more consumers to it and that?s the win-win proposition of this.
Tom Raftery: It?s great that you?re telling utilities this. What are they actually doing? Are they taking what you say on board, are they saying, ?Oh! Commissioner, Cavoukian is a nut case and we?ll just put her concerns to one side,? or are there a range of reactions?
Commissioner Cavoukian: Well, I am sure it is some of them think I am a nut case, I give you that, but I think the majority the ones who have reached out to us have been actually quite positive about our approach.
They?ve actually given me a complement and they?ve said, ?You?re not like most regulators we know.? And I take that as a complement, because once there?s — my message to utilities and to everyone is do a positive-sum paradigm not a zero-sum paradigm.
By that, I mean, I definitely want you always to protect the privacy. I don?t care if you?re the private sector, the public sector. If you?re doing individual?s personally identifiable information you must protect that information.
However, I don?t say protected to the exclusion of your own interests, your business interests. You have a business model, it has to survive, and hopefully strive. In this case, with the smart gird electrical utilities want to grow this in an effort to promote conservation of energy, grow green programs, reduce reduction, consumption of energy, empowering your users your users. We are all for that; so we?re not doing this — we?re not saying protect the privacy to the exclusion of those interests, not at all.
We?re saying you can do both. We show you how to do both by embedding privacy into the design of the smart grid, and I should tell you it?s at the ideal time. This is the time to do it when you?re at the nascent stage. It?s at it?s infancy, the smart grid development, starting with the smart meters and I?m not giving you a pie in the sky. I?m telling you how to do it in a very defined way. We?ve worked with Hydro One, for example, and Toronto Hydro.
We have two papers that we?ve produced that are available on our website. This one, the latest one with Hydro One is called, ?Achieving the Gold Standard in Data Protection for the Smart Grid?.
So, we?re trying to get people to reach for the sky on this in terms of doing it now, embed privacy, and we tell you how to do it. This is best practices on exactly how to do it and we do it in partnership with an electrical utility. So, we give you the road map on how to do this and also respect privacy and enhance your business interests, positive-sum win-win.
Tom Raftery: Commissioner, we?re running low on time, so one final question. Is there anything about privacy on smart grids that I haven?t asked you that you would like to address?
Commissioner Cavoukian: Just one final point for the people listening to this. I would like them to view the smart grid and how to protect information in a way that is not the usual ?who owns the data?. The question of ownership often comes up and I?m going to suggest to you that?s the wrong language to frame this in.
When you talk about privacy and personally identifiable information, data protection you use the language sort of bundles of rights associated with that information. It?s the language of custody and control of the information as opposed to ownership; because it?ll be easy for the utility to say, ?You know, it?s our data, we collect it, and then you get mired into this whole legalese about who owns the data. It?s not one of ownership.
Of course, the utility is collecting the data, they?re providing a service to consumers, and there?s an exchange of information. I think it?s better to talk about what obligations and duties are associated with that.
So, for a utility, who has custody and control over the data they also have a duty of care and obligations with respect to protecting that data, they have a duty of care, confidentiality, and ensuring that the consumer not only knows what you?re doing. So, you?re transparent with respect to your practices, but they have access to their own data and ideally they have full ability to say no, no third party use of its data unless I consent to it.
That?s the Gold Standard and that?s what I?m hoping that, that language will be embraced in this area.
Tom Raftery: Commissioner, thanks a million for coming on the show.