Balancing Privacy, Security, and Access
Presented by Chris Villarreal
Minnesota Public Utilities Commission
October 16, 2015

Overview
1. Regulation and Policy
  – Protect customer privacy
  – Enable customer access and choice
2. Role and use of standards
  – Green Button/ESPI
  – Interoperability
  – Testing and certification
3. Conclusion

Policy
Customers have a right to their data
Customers can share that data with anyone they choose
  – Not up to the PUC to regulate the customer
3rd parties that interact with utility subject to utility tariffs
  – Recognition of privacy and security requirements
Utility tariffs, forms, processes, and rules consistent across utilities

Enabling Customer Access
Get privacy policies in place up front
California PUC 2011 decision on privacy and data access
Directed IOUs to implement Green Button Connect and ESPI
  – Also directed IOUs to enable HAN upon customer request
California PUC rules do not cover customer actions, only those interactions going through utility
Consistent implementation across the state lowers costs and supports interoperability

Privacy
Identifiable data is private
Aggregated data subject to less protection
  – How to aggregate subject to lots of debate across the country
Data custodians responsible for protecting privacy
  – Regulators have jurisdiction over part of market
  – Customers bear the risks for non-regulated entities (State AGs and FTC authority)
PUC jurisdiction over utilities
  – Rules cover utilities and contracted agents of utility
  – 3rd parties utilizing utility tariffs agree to rules
  – Customer actions not subject to PUC jurisdiction

Green Button
National initiative to standardize data sharing
Utilizes Energy Services Provider Interface (ESPI)
  – NAESB REQ 21
Two forms of Green Button
  – Download My Data
  – Connect My Data
ESPI can be used for more than just electricity usage data
  – Power Quality
  – Water

Data Custodian
Any entity that holds data or information
NAESB definition: A Distribution Company or other authorized Entity that holds Retail Customer Information to be shared with Market Participants or Retail Customer Representatives.
Data custodian can be regulated or unregulated
Eliminates redundancies and reduces confusion between roles of entities

Example: California
2010: Declared access to data, ability to share data, and privacy of data as requirements
2011: CPUC passed rules on protecting privacy and availability of customer usage information
  – Additional legislation provides privacy guidance (Public Utilities Code Sec. 8380)
2012: CPUC issued decision on utilities data access proposals
  – Implement Green Button Connect
  – Timeframe for availability of customer usage information (information available next day, hourly format)
  – Rules for third parties obtaining data from utility
  – Process for CPUC investigation of third party violating utility tariffs

Example: California (cont.)
Utility implementations
  – Drop down menu of available third parties
  – Consent forms
  – Leverages AMI investments (SDG&E asked for no additional funds to implement; SCE and PG&E asked for $18 million combined over 3 years)

More Work To Do
Testing and Certification
  – Standard at NAESB, but unofficial versions available online
  – Inconsistent implementation of ESPI
  – Green Button Alliance work on developing Green Button Connect certification process
States
  – Penetration of technology
  – Development of access policies
  – Consistency
Perceptions
  – Data access not a partisan issue, but is a control issue
  – Privacy and access should enable each other, not be used against each other
  – Costly with few benefits

Thank You!
Christopher Villarreal
Minnesota Public Utilities Commission