25 May 2012
The Eco means utilities need to put processes in place now to manage sensitive customer data, says John Skipper.
One consequence of the Energy Company Obligation (ECO) that comes into force later this year is the need to maintain large volumes of information about customers. This aspect has not been given much airtime, but the information could include sensitive details about a customer's ability to pay bills, their vulnerability and the condition of their property.
This will be in addition to the data on payment plans, home ownership and home installations that is required under the Green Deal, and the information on consumption gathered from smart meters. While utilities already manage some customer data, these developments represent a major change in the level of detail and sensitivity of information they will have to deal with.
The first challenge is to meet customer concerns about privacy and security. This is particularly important in the management of new data relating to health and income. These are categorised as sensitive personal data under the Data Protection Act and have defined security requirements that will have to be reflected in utilities' processes.
Further challenges in this area will arise when the European Data Protection Directive is strengthened. This will give customers the right to have instant electronic access to data held on them, and give the regulator powers to punish breaches with fines of up to 2 per cent of global revenue.
Energy suppliers will need to ensure their approach to data security covers people, systems, the supply chain and the active management of customer data requests. Poor management of any of these aspects could result in the organisation being fined, as well as suffering significant reputational damage and potentially damaging the successful implementation and acceptance of smart meters and Green Deal.
There are a number of actions they can take to mitigate these risks. The first is closer control of employees' ability to access and use customer information. This will potentially require changes in the ways staff behave and operate, meaning education and training on specific data management tasks. For example, storing private information in freely available fields, such as call notes, could breach system security controls and undermine privacy. Equally, data captured through informal mechanisms will need to be easily traceable and retrievable to ensure requirements of customer data requests can be met.
That means processes and systems will need to provide different levels of access. For example, temporary staff may not have the clearance to access sensitive data. This could have significant implications and may result in them being more constrained in the nature of queries they can address. Formal vetting or screening of staff may be necessary for some roles.
Companies will also need to look at separating data to avoid breaching privacy. A member of staff providing advice based on a customer's detailed consumption information might not be able to access the customer's address because combining the information may enable them to know when the property is empty.
Another challenge is to control access to data that is stored and managed on systems. This is especially important in mobile applications. For example, a mobile application for field workers conducting assessments or installations should provide only the data needed to complete the work required. If it is not necessary for them to know private information, such as payment arrangements or details of the customer's personal situation, to complete work then it should not be made available and accessible by the mobile application.
Mechanisms to manage the potential loss of a mobile device will also be needed. This means encrypting data and protecting it with strong passwords, reinforced by system administration tools to enable remote disablement and remote data wiping from the mobile device.
These principles will apply whether a utility is providing the service or is using a partner to deliver their obligations. Customers and regulators will not distinguish between the utility and its supply chain, so this will require data that is handled externally, through systems or processes, to be suitably robust and secure.
Utilities will also need to ensure that their partners adhere to the same standard of security. This will require agreeing security principles that are then contractually agreed and regularly audited and assessed for compliance. In addition, clients will have to take a greater role in controlling and approving change in suppliers' internal systems and processes.
There are then further challenges under the European Data Protection Directive. Providing customers with direct access to information held on internal systems will not only present a security risk, but also is a technically demanding challenge because it is likely that data will be held in a number of different ¬databases.
In addition, processes and controls will be required to ensure that customers do not inadvertently gain access to additional information they do not have rights to. For example, they should not be provided with information that relates to previous owners or occupants of their property or to data about other members of their household.
As a result, responding to customer data requests will require a specialist team that can ensure that regulatory commitments are met. This team will need supporting IT tools to enable both the controlled retrieval of data and deletion of that data at customer request.
These changes have significant implications for the way utilities operate. They should be looking to conduct assessments now so that they can understand the implications of the new requirements. If utilities put the right actions in place to manage sensitive data effectively they will be able to meet the changing regulatory and legal obligations successfully.
John Skipper is a security expert at PA Consulting Group