*Smart metering will bring with it an avalanche of data. Privacy and security must be an integral part of the rollout, say Ian Stevens and Adam Gillert.*

Increased data flows are at the heart of every smart metering programme. Data transferred from smart meters may include meter readings, consumption data and even payment details for pre payment meter customers. Recording, processing and transmitting significant quantities of data is something the energy industry does routinely and, following the introduction of market competition, to a greater degree today than ever before.

However, the introduction of smart metering will not only change the nature of the data generated, but will dramatically increase its volume, utility and commercial value. The challenge for suppliers and network operators is to demonstrate to consumers and regulators that they can and will process that data securely and lawfully.

*Central communications*

The government has confirmed that, for the domestic sector, the new communications backbone over which smart meters will transmit data will be co-ordinated centrally (the centralised communications model). Risks to this centralised network include the hacking of customer details, denial of service attacks and even infiltration by intelligence services and terrorist groups seeking to disrupt supplies. In its reply to the government's smart metering consultation, technology consultant Detica warned that we have already seen examples of security breaches involving smart meter technology. In the US, security firm IOActive recently sought to highlight the weaknesses of a smart meter network by successfully infiltrating systems with a worm.

*Security risks*

The highly detailed information that can be generated and communicated by smart meters will be of interest to a wide spectrum of third parties. For example, it has been suggested that monitoring and analysing household consumption profiles could:

* reveal the absence or presence of individuals in a household, enabling criminals to establish when it is most vulnerable to burglary;

* alert law enforcement authorities to potential illegal activities such as the growing of cannabis;

* provide unprecedented amounts of information on the personal movements of individuals and the life patterns of households, which would have significant commercial value to marketers and advertisers;

* identify energy inefficient consumers, facilitating the introduction by government of taxes and incentives to promote reduced consumption.

Worldwide, privacy concerns will likely only increase as smart grid technology delivers more near real-time information and improved communication with individual appliances in the home.

*Data sharing*

The potential for sharing data with third parties raises many concerns. There is likely to be considerable public concern regarding how data may be accessed on "public interest" grounds, for example public health, such as monitoring the vulnerable, or for combating crime. Many commentators have expressed the view that smart meters' capabilities raise serious Big Brother concerns. Following the recent rejection by the Dutch parliament of smart meter proposals, in part due to privacy concerns, the energy industry is generally well aware of the potential risks of a privacy backlash in relation to smart metering.

Currently, data protection and privacy regulation in Britain is principally implemented through the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 and, in the context of the energy industry, other laws such as the Utilities Act 2000 are also relevant.

*High profile*

Against a backdrop of recent high-profile data losses, including by HM Revenue & Customs, and the explosive growth in the level of data held electronically by government and the private sector, the ownership, access rights, sharing and processing of the data generated by smart meters will no doubt prove to be one of the more heated and public issues to settle, and is likely to lead to specific regulation targeted at the use of smart meters and the data they generate.

The generation and transfer by smart meters and smart grids of large volumes of consumer data will require suppliers and network operators to reconsider carefully basic issues such as why data is collected, how long it should be stored, how it will be protected, how (and by whom) it will be accessed and processed and whether all appropriate consents have been obtained.

The Department of Energy and Climate Change (Decc) has long recognised that the key to realising the full benefits of smart metering is attaining the right level of data access within the energy industry, coupled with appropriate safeguards to regulate this access and protect consumers. Regulating access to and ownership of consumer data, and ensuring the system and smart grid as a whole are secure, will be fundamental to ensuring consumer trust in the smart meter system and its overall success.

*Government guidance needed*

Clearly the energy industry will benefit if government and regulators proactively provide clear rules and guidance on the protection, use, disclosure and commercialisation of smart meter data to assist businesses. The indications so far are that the government is aware of the importance of privacy issues and the potential for a public outcry if they are not properly addressed.

The implementation of the proposed centralised communications model should make uniform high standards of privacy protection achievable, although even under this model not all interactions will necessarily be routed through a central body. The amount of data and communications functions that will be handled centrally needs to be addressed as part of the detailed design work.

*Integral consideration*

Security also needs to be an integral consideration in the design of the meters themselves, the networks within which they operate and the data centres in which the data is stored. Key to an effective security strategy will be the establishing strong governance and imposing clear and compulsory guidance and standards at an early stage of the smart meter rollout. Retrofitting such security could be risky, ineffective and costly.

Looking ahead, in respect of data and privacy issues, Decc aims to take forward the overall detailed design and delivery of the project in close co-operation with the Ministry of Justice, the Information Commissioner and Ofgem, and will seek to implement a range of mechanisms to ensure the views of both consumers and industry participants are engaged. Decc hopes that the first phase of the implementation programme will be completed by summer 2010.

The energy industry will need to re-assess both now and during the implementation how data will be managed, how companies will remain compliant with laws and how they will provide adequate security and information to consumers. Only the industry's continued engagement with the government will ensure this happens.

Ian Stevens is a partner and Adam Gillert an associate of law firm CMS Cameron McKenna LLP.

This is the first in a series of articles on smart metering, in association with IBM.

View today's online discussion on smart metering - click here.