Submission by the Australian Privacy Commissioner on the public consultation on new products and services in the electricity market

27 March 2015

COAG Energy Council Secretariat
GPO Box 9839
Canberra ACT 2601

energycouncil@industry.gov.au

Dear Secretary

Submission by the Australian Privacy Commissioner on the public consultation on new products and services in the electricity market

Thank you for the opportunity to comment on the Energy Market Reform Working Group paper ‘New Products and Services in the Electricity Market: Consultation on regulatory implications’ (the Consultation Paper), which examines the regulatory implications of new products and services in the electricity market.

In making the comments below, I recognise the benefit to consumers that might arise from the emergence of new products and services in Australian electricity markets. However, I am also mindful that some of these new services rely on having access to information about individuals’ energy usage (metering data), which may be personal information within the meaning of the Privacy Act 1988 (Privacy Act), and reveal detailed information about individuals’ lives.

My comments below highlight some of the privacy obligations contained in the Privacy Act that may apply to participants in the Australian energy market and, where those obligations do not apply, other ways to ensure that providers of new electricity products and services meet the privacy expectations of their customers.

The Australian Privacy Principles (APPs)

Participants in the Australian electricity market that are organisations within the meaning of s 6(1) of the Privacy Act are required to comply with the Australian Privacy Principles (APPs) when handling personal information. This is in addition to the requirements contained in the National Electricity Rules that those entities must also comply with.

The APPs are legally binding principles that regulate how personal information can be handled by most Australian Government agencies and some private sector organisations. The APPs are principle-based, thereby providing entities with the flexibility to tailor their personal information handling practices to their needs and business models, and to the needs of individuals. They are also technology neutral, thereby ensuring that they remain applicable in the face of continually changing and emerging technologies.

The APPs are also designed to ensure that individuals’ personal information is protected throughout the information lifecycle – that is, from the time the information is collected through to its destruction. For example, the APPs require organisations covered by the Privacy Act to:

  • be transparent about their personal information handling practices, including notifying individuals about how their personal information may be used or disclosed

  • only collect the minimum amount of personal information necessary to enable organisations to undertake their business activities

  • only use and disclose personal information for the primary purpose for which it was collected unless an exception applies, such as where the individual has consented to the information being used or disclosed for a secondary purpose

  • destroy or de-identify that information once it is no longer needed.

In these respects, the protections afforded by the APPs appear to go beyond those provided for in the National Electricity Rules. More information about how organisations can comply with the APPs can be found in the OAIC’s APP Guidelines.

Personal information

The APPs only regulate the handling of ‘personal information’. The Privacy Act defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. The OAIC’s APP Guidelines explain that what constitutes personal information will vary depending on the particular circumstances. For example, an individual may be identifiable from information where it is able to be linked to other information that can identify the individual.

‘Smart’ technologies, such as smart meters and smart appliances, can reveal detailed information about individuals. As such, metering data, and other new types of data generated about individuals’ electricity consumption, may be personal information and attract the protection of the APPs.

Application of the APPs to new entrants into the electricity market

Whilst the APPs regulate the handling of personal information by government agencies and many organisations, as noted in the Consultation Paper, the APPs generally do not apply to businesses with an annual turnover of less than $3m, unless an exception applies. I note that new entrants into any market, including the electricity market, are likely to be smaller businesses.

However, one of the exceptions to this general rule relates to businesses that trade in personal information. A business is ‘trading’ in personal information if it collects from, or discloses to, someone else an individual’s personal information for a benefit, service or advantage. A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service (for more information see the OAIC Privacy Topics: Business and small business).

To the extent that metering data is personal information, metering service providers that have an annual turnover of less than $3 million may nonetheless be required to comply with the Privacy Act if they are trading in personal information. Additionally, as new smart devices are developed and adopted by consumers, the businesses that trade in the data generated by those devices will need to comply with the APPs when handling that information.

Opting in

As identified in the Consultation Paper, customers may only be willing to fully engage with new products and services if they are confident that their privacy is being protected. In this respect, the Privacy Act provides a mechanism for small businesses that would otherwise not be covered by the APPs, to choose to be treated as organisations and required to comply with the APPs.[1]

In addition to increasing customers’ confidence in how their personal information will be handled and ensuring consistency in the protections that apply to the handling of metering data, businesses that opt to be treated as organisations (and, therefore, comply with the APPs) will already have the practices and procedures in place to ensure that they are complying with the APPs if their business expands beyond the $3m minimum threshold.

Privacy Impact Assessments (PIA)

The best privacy outcomes are achieved when privacy is built into the design of a product or service. In contrast, retrofitting good privacy practices and procedures into established business practices can be complicated and costly. Ensuring that privacy is built into the design of a product or service can also help a business build a reputation for good privacy practice and earn the confidence of its customers.

The best way to ensure that good privacy practices are built into the design of a new product or service is by undertaking a Privacy Impact Assessment (PIA) early in the design phase. A PIA is a useful tool that can assist a business to identify the impact that a project might have on the privacy of individuals and to take steps to manage, minimise or eliminate those impacts (for example, by building in appropriate privacy safeguards).

OAIC’s Guide to undertaking PIAs provides further information on undertaking a PIA.

Should the Joint Committee require any further information please contact Este Darin-Cooper, Director of Privacy Law and Practice, on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner

27 March 2015

Footnotes

[1] See s 6AE of the Privacy Act 1988 (Privacy Act), which gives small business operators the option to choose to be treated as an organisation for the purposes of the Privacy Act by giving written notice to the Commissioner.
