According to a report published earlier this year by SecurityScorecard, 90% of the world’s largest energy companies experienced a third-party data breach in a year.
Energy projects can be complex commercial exercises, with many different moving parts. Focus is often on the development of infrastructure and the operational delivery of utilities. One aspect that can be overlooked is the data protection implications of supplying to individual customers.
A single data protection breach could lead to a fine of up to £17.5 million or 4% of annual global turnover, whichever is greater, meaning that not being aware of data protection obligations can present a significant risk to a project. In this article, we summarise some key elements of data protection obligations that can impact on utility supply contracts.
What is personal data?
Personal data is any data which relates to a living, identifiable individual. In the energy context, this is likely to mean customer names, customer identification numbers, addresses, and meter numbers.
Energy suppliers typically collect customers’ financial information, such as payment information, results of any credit checks, and details of any deficits, payment plans, or benefits relevant to the customer – this data is clearly particularly sensitive.
Of even greater sensitivity are details about vulnerable customers, such as where someone has a chronic health condition which would mean they would be particularly impacted if their supply was interrupted, or details of suspected fraud.
What are you doing with the personal data?
Once you have an understanding of what personal data you may collect, knowing what you are doing with that data is the second step in establishing any data protection compliance programme. However, you also need to understand what any sub-contracted suppliers are doing with any personal data you provide to them, or which they collect on your behalf.
If you use a metering and billing agent, you need to understand what they are doing with the customer data you provide to them and where they are storing that data. For example, a potential risk arises where a supplier is using cloud storage for the data and, perhaps unwittingly, sending it overseas without proper protections. In this scenario, you could be liable for their data protection breach if you cannot demonstrate that you asked the right questions and put in place the right agreements and instructions before sharing data.
Can personal data stop being personal?
When dealing with customers who are individuals, understanding the difference between personal data, pseudonymised personal data, and anonymised personal data is key. Personal data is protected under legislation. Anonymised data (data from which an individual cannot be identified) is not specifically protected.
This means that a property’s energy usage is likely to be personal data if the property the usage relates to, or the customer, can be identified. However, if that data is aggregated, or the address, meter number or customer name is stripped out, you can then use the data for analysing network usage and calculating efficiency improvements without data protection concerns.
As a middle ground, data can be pseudonymised – this means the personal data has been treated in such a way that the data subject cannot be identified unless you have the key to do so. For example, customer identification numbers are pseudonymised data, and therefore have more practical protection, because you can only identify an individual customer from their identification number if you have access to the customer database. However, pseudonymised data is still personal data, and is fully subject to statutory protections and obligations.
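The distinction drawn above, as an added illustration that is not part of the original article: a small Python script (constructed sample readings, fictitious customers) that pseudonymises meter readings with a keyed token, shows that the holder of the key can still re-identify the customer, and separately anonymises the same readings by stripping identifiers and aggregating per area. The minimum group size is an assumption for this example, not a figure from the article.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample readings (fictitious customers, not real data).
READINGS = [
    {"customer": "Alice Smith", "address": "1 High St", "area": "LS1", "meter": "M-1001", "kwh": 12.5},
    {"customer": "Bob Jones", "address": "2 High St", "area": "LS1", "meter": "M-1002", "kwh": 8.0},
    {"customer": "Cara Lee", "address": "3 High St", "area": "LS1", "meter": "M-1003", "kwh": 10.0},
    {"customer": "Dan Ng", "address": "9 Mill Rd", "area": "LS2", "meter": "M-2001", "kwh": 30.0},
]

DIRECT_IDENTIFIERS = ("customer", "address", "meter")


def pseudonymise(readings, key: bytes):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the meter number).

    The token alone does not reveal who the customer is, but whoever holds the key
    (or the returned mapping) can re-identify them, so the output is still personal data.
    """
    mapping = {}
    pseudonymised = []
    for r in readings:
        token = hmac.new(key, r["meter"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append({"token": token, "area": r["area"], "kwh": r["kwh"]})
    return pseudonymised, mapping


def reidentify(token: str, mapping: dict) -> str:
    """Recover the customer name from a token: only possible with the mapping (the 'key')."""
    return mapping[token]["customer"]


def anonymise_by_aggregation(readings, min_group=3):
    """Strip identifiers and sum usage per area.

    Areas with fewer than min_group meters are suppressed: a total for an area
    containing a single meter would still relate to an identifiable customer.
    The threshold is an assumption for this example, not a figure from the article.
    """
    totals = defaultdict(lambda: {"kwh": 0.0, "meters": 0})
    for r in readings:
        totals[r["area"]]["kwh"] += r["kwh"]
        totals[r["area"]]["meters"] += 1
    return {area: t["kwh"] for area, t in totals.items() if t["meters"] >= min_group}
```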
Loss or misuse of raw personal data, as opposed to loss of personal data that has been anonymised or pseudonymised, can therefore be the difference between facing a potentially major personal data breach and a fine from the Information Commissioner’s Office, or simply losing some commercial data.
Understanding how you currently use, or your new project intends to use, personal data and what personal data you, or your suppliers, collect and hold, is a key part of any energy project. Utility suppliers may be collecting a wide array of sensitive personal data (such as financial or health-related) from their customers and should take particular care to understand how that data is being used, and take the necessary steps to protect it.
If you have any questions about data protection in the energy context, please contact Carrie Davies, Associate in the firm’s Energy team, or Alastair Turnbull, Solicitor in the firm’s Information law team.