by Home Energy Analytics (HEA) from:
UNITED STATES DEPARTMENT OF ENERGY (US DOE)
DATA PRIVACY AND THE SMART GRID: A VOLUNTARY CODE OF CONDUCT
Final: January 8, 2015
The purpose of the Privacy Voluntary Code of
Conduct, facilitated by the United States Department of Energy’s
Office of Electricity Delivery and Energy Reliability and the
Federal Smart Grid Task Force, is to describe principles for
voluntary adoption that:
- encourage innovation while appropriately
protecting the privacy and confidentiality of Customer Data
and providing reliable, affordable electric and energy-related
- provide customers with appropriate access
to their own Customer Data; and
- do not infringe on or supersede any law,
regulation, or governance by any applicable federal, state, or
local regulatory authority.
The VCC’s recommendations are intended to
apply as high level principles of conduct for both utilities and
of the Voluntary Code of Conduct:
- CUSTOMER NOTICE & AWARENESS: How the
customer learns what he or she needs to know to exercise
- CUSTOMER CHOICE AND CONSENT: How the
customer controls his or her data and under what limitations.
- CUSTOMER DATA ACCESS AND PARTICIPATION:
How the customer’s data is accessed.
- INTEGRITY AND SECURITY: How customer data
- SELF ENFORCEMENT MANAGEMENT AND REDRESS:
How the VCC is followed.
HEA has adopted
these principles in their entirety, and has added
supplemental information regarding HEA’s application of
these principles within this document. Original DOE
information is in BLACK,
while information added by HEA appears throughout this
document in RED.
The following elements, when identified
with a specific customer, are considered to be Account Data:
- All geographic subdivisions
smaller than a state, including street address, city,
county, precinct, census block, zip code, and their
- Dates of service provided to a
customer by the utility or third party or information
specific to identifying an individual’s utility service;
- Telephone or fax numbers;
- Electronic mail addresses;
- Utility or Third Party Account
numbers (excluding financial account numbers, such as credit
card numbers, bank account numbers, etc.); and
- Device identifiers (e.g.,
meter numbers, HAN numbers, etc.) and serial numbers.
Aggregated Data is a combination of data
elements for multiple customers to create a data set that is
sufficiently anonymous so that it does not reveal the identity
of an individual customer. HEA uses
aggregated data to measure program savings.
Anonymized Data
A data set containing individual sets of
information where all identifiable characteristics and
information, such as, but not limited to, name, address,
account number, or social security number, are removed (or
scrubbed) so that one cannot reasonably re-identify an
individual customer based on, for example, usage, rate class,
or location. HEA uses anonymized data
to conduct residential energy research (which may be
published) and to improve our service.
Contracted Agent
An entity providing support to a Service
Provider in the provision of service to the customer for a
Primary Purpose (without consent) or Secondary Purpose (with
consent) who: (1) has access to Customer Data; and (2) has
contractually assumed obligations comparable to those of the
Service Provider to protect and keep confidential Customer
Data and to use it only for the identified Primary or
Secondary Purpose. To the extent a Contracted Agent wishes to
use Customer Data for its own independent Secondary Purpose,
it is treated as a Third Party, meaning that it has to receive
customer consent to use the data. In some programs HEA is a contracted agent
to Service Providers.
Customer Data
The combination of customer energy usage
data (CEUD) and Account Data. Customer Data is treated as
private and has specific requirements outlined elsewhere in
the VCC. CEUD without Account Data is considered anonymous
data, which is discussed separately in the VCC, and referred
to specifically as “anonymous data.” Aggregated CEUD is also
discussed separately, and referred to specifically as
“aggregated data.” Publicly available information about a
customer is not treated as private, unless it is combined with
other non-public information. HEA uses
customer data to create an accurate home energy profile for
Customer Energy Usage Data (CEUD)
Customer Energy Usage Data reflects an
individual customer’s measured energy usage but does not
identify the customer. HEA analyzes
CEUD in order to create home energy profiles.
Primary Purpose
The use of Account Data or CEUD that is
reasonably expected by the customer: (1) to provide or
reliably maintain customer-initiated service; and (2)
including compatible uses in features and services to the
customer that do not materially change reasonable expectations
of customer control and third party data sharing. HEA’s primary purpose is to help customers
Secondary Purpose
The use of Account Data and CEUD that is
materially different from the Primary Purpose and is not
reasonably expected by the customer relative to the
transactions or ongoing services provided to the customer by
the Service Provider or their contracted agent. HEA does not use customer data for any
secondary purposes. Period.
Service Provider
A Service Provider is an entity that
collects Customer Data directly from individuals to support a
Primary Purpose. Where the Service Provider is a corporation,
this definition includes all legal entities or agents within
the corporation’s structure that are involved in fulfilling
that Primary Purpose. In some programs
HEA is the service provider. In others, the Service Provider
may be a utility company like Pacific Gas & Electric
Third Party
An entity requesting access to Customer
Data from a Service Provider for a Secondary Purpose. In some programs HEA is a third party to
service providers like PG&E. Their primary purpose is
energy delivery, so from their perspective HEA
provides a secondary purpose: energy efficiency.
The VCC is expressed through five core
concepts, as follows.
1.0 CUSTOMER NOTICE & AWARENESS
The concept that customers should be given
notice about privacy-related policies and practices as part of
providing service. Service Providers should provide materials in
various formats that are easily understandable by the
demographics they serve, and as may be reasonably appropriate.
Notice should be given at the start of service [HEA highlights a link to this privacy page on
our Registration pages], on some recurring basis
thereafter [HEA’s privacy link appears at
the bottom of all monthly emails], and at the
customer’s request [HEA’s privacy notice
is always available on HEA’s public website and the full text
can be requested by email to firstname.lastname@example.org]. Notice
also should be given when there is a substantial change in
procedure or ownership that may impact customer data [HEA will notify customers of substantial
changes via email]. This could include, for example,
timing disclosures to coincide with the time and place that
customers have the ability to exercise choices regarding the use
of their CEUD for new purposes materially different than those
for which it was originally collected. Notice should be clear
and conspicuous, and should address the following:
- The specific types of Information that
are being collected by the Service Provider (HEA may collect
some or all of the following types of information: electric
use and cost; natural gas use and cost; water use and cost;
weather data; home characteristics; and occupancy), and
containing a statement that the Service Provider has committed
to only collecting that Customer Data needed to support a
Primary Purpose. HEA only collects
information that is relevant to providing residential energy
efficiency, water efficiency, and greenhouse gas (GHG)
emissions reduction services.
- At a high level and in easy to understand
language, the Service Provider should explain how the Customer
Data is being used, and should specifically:
- Explain the means by which Account Data
is collected (application for service, online, consumer
hotline, mail, credit report, etc.). HEA
collects account data from utility web portals or from
Green Button data, whichever is available.
- Explain the means by which CEUD is
collected. CEUD is collected via
meters installed at your home for electricity, natural gas
- Provide an overview of the Primary and
Secondary Purposes. HEA’s primary
purpose is to help our users improve their energy
efficiency, reduce their cost, and/or lower their GHG
HEA does not pursue
or support any Secondary Purposes.
- Explain how individual level Customer
Data will be used. HEA creates a
customized energy and/or water profile to help each user
understand where they can most easily improve their
- Explain that data they collect may be
used in conjunction with or merged with other data to create
Aggregated or Anonymized Data reports and under what
circumstances those reports typically will be used and
shared. HEA periodically runs reports
to identify aggregate energy and water savings across
different program groups. This helps us and our partners
understand the actual impact of our service and improve it
- How the customer can access his or her
Customer Data, and the process by which the customer can
identify possible inaccuracies and request correction. Every HEA customer can access their data via
their online account. The detailed usage and cost
information obtained from utilities is shown under the
“Usage history” section. Any inconsistencies between this
data and data provided from your utility (via bills or their
websites) should be immediately reported to email@example.com
- The circumstances under which the Service
Provider will share Customer Data without first obtaining
consent. Specifically, the notice should:
In some of our programs
HEA provides detailed energy profiles to a limited number of
Contracted Agents identified by the funder of the program.
These agents provide supplemental services supporting energy
efficiency, such as in-home audits or telephone support by
home energy advisors. Customers may request (via email to
firstname.lastname@example.org) a list of specific Contracted Agents, if any,
for their particular program.
- Notify customers of the types of
Contracted Agents with whom the Service Provider is sharing
the data to support a Primary Purpose.
- Notify customers of the types of
supporting services with whom the Service Provider is
sharing the data to support a Primary Purpose or as mandated
- Inform customers of instances where the
Service Provider will release Customer Data without consent,
as identified in concept #2, Customer Choice and Consent, Consent
Not Required exceptions.
- Inform customers of the purpose of
sharing the data.
- How the customer can approve Third Party
access to their Customer Data for a Secondary Purpose, or
revoke access previously granted. HEA
does not pursue or support any Secondary Purposes.
- How the data is secured
- Service Providers should describe for
customers how their Customer Data will be secured throughout
its lifecycle, in accordance with any requirements of
applicable regulatory authorities. HEA
holds your data in strict confidence on secure servers and
it will only be used to help you reduce your energy use.
Our web application uses the same advanced data security
methods as online financial services. We will close your
account and delete your data upon request (send request to
email@example.com). HEA protects your personal information
in compliance with Title 20 of California's Code of
Regulations, Sections 2505(a)(5)(A) and (B); n.b.
- Retention & Disposal
- Customers should be informed that
Customer Data will be retained and disposed of consistent
with applicable local, state, and federal record retention
rules and regulations, as well as applicable company
policies. HEA complies with Title 20 of
California's Code of Regulations, Sections 2505(a)(5)(A)
and (B); n.b. 2505(a)(5)(B)(8).
- Minimum Notice Inclusions:
- An effective date for the initial
notice and any subsequent policy changes. See revision date at the bottom of
- A point of contact for customer
questions about the Service Provider’s privacy-related
policies and data access procedures. See
contact at the bottom of this document.
- A summary of changes to the
previous version, as applicable, or a means by which
previous versions can be obtained.
See link to
prior version at the bottom of this document.
- Customers should be made aware of
their responsibilities as a customer (e.g., providing
accurate data, giving notification of changes in Account
Data, etc.) in support of responsible data practices. HEA's analysis will only be as accurate
as the information you provide, such as home occupancy.
If you are unsure how to answer any question please send
us an email at firstname.lastname@example.org
2.0 CUSTOMER CHOICE AND CONSENT
The concept that customers should have a
degree of control over access to their Customer Data. Service
Providers and their Contracted Agents require Customer Data to
support Primary Purposes. For Secondary Purposes, however,
customers should be able to control access to their Customer
Data via a customer consent process which is convenient,
accessible, and easily understood.
HEA does not pursue or
support any Secondary Purposes.
Record Retention and Disposal:
- Service Providers should retain
Customer Data only as long as needed to fulfill the
purpose it was collected for, unless they are under a
legal obligation to do otherwise. HEA's algorithms are
constantly being improved and changes are tested against
actual Customer Data to ensure accuracy is not degraded
for any homes. If you prefer to have your data deleted
send us an email (email@example.com).
- Service Providers should securely and
irreversibly dispose of or de-identify Customer Data once
it is reasonably determined by the Service Provider to be
no longer necessary to achieve the purposes for which it
was collected, unless they are under a legal obligation to
do otherwise. HEA adheres to this principle: we
maintain system backups for three months, but after that
the data is gone.
- Service Providers should maintain
records identifying what type of Customer Data has been
shared previously with Third Parties, when the sharing
occurred and with whom the data was shared for as long as
the data exists in the Service Providers’ systems or as
long as legally required. HEA maintains records of all data
Consent Not Required: Prior
customer consent is not required to disclose Customer Data
in the case of:
- Third Parties responding to
emergencies that pose imminent threats to life or
- Law enforcement or other legal
officials to whom disclosure is authorized or required by
- As directed by Federal or State law,
or at the direction of appropriate regulatory authority;
- Aggregated or Anonymized Data.
Service Providers can share Aggregated or Anonymized data
with Third Parties without first obtaining customer
consent if the methodology used to aggregate or anonymize
Customer Data strongly limits the likelihood of
reidentification of individual customers or their Customer
Data from the aggregated or Anonymized data set.
- Aggregated and Anonymized Data
may be shared via a contract between the Service
Provider and Third Party that requires that the Third
Party not attempt to re-identify customers.
- The service provider may decline
a request for Aggregated or Anonymized Data release if
fulfilling such a release would cause substantial
disruption to the day-to-day activities of its
- Activities conducted in order to
preserve the safety and reliability of the electric grid
and critical infrastructure or the integrity or security
of other systems containing Customer Data.
HEA abides by these best practices.
Access to Data Other Than Customer
Data: Except as required by law, Service Providers
will not share with a Third Party the customer’s: social
security number; state or federal issued identification
number; financial account number in combination with any
security code providing access to the account; Consumer
report information provided by Equifax, Experian,
TransUnion, Social Intelligence or another consumer
reporting agency; individually identifiable biometric data;
or first name (or initial) and last name in combination with
any one of the following: (1) date of birth; (2) mother’s
maiden name; (3) digitized or other electronic signature;
and (4) DNA profile. Such information should be obtained
directly from the customer. Of the data types listed in this paragraph
HEA only has access to Customer's first and last name.
Data Access Exclusions:
- Aggregated or Anonymized Data that is
reasonably likely to allow identification of the Service
Provider’s trade secrets, confidential or proprietary data
even when aggregated or anonymized, may not be released. HEA abides by this exclusion.
- Overlapping data requests from the
same requestor should not be permitted if granting such
requests is reasonably likely to compromise the
aggregation and reveal information that could be used to
identify or re-identify customers or Customer Data. HEA
abides by this exclusion.
3.0 CUSTOMER DATA ACCESS AND PARTICIPATION
The concept that customers should have
access to their own Customer Data and should have the ability
to participate in its maintenance. The process by which
customers access their Customer Data should have the following
- Is reasonably convenient, timely, and
- Allows the customer to identify
possible inaccuracies and request that they be corrected.
- Allows the Service Provider to charge a
fee, subject to applicable laws and regulations, to the
extent the Service Provider offers a method of data access
that is different from the method it generally offers to its
customers, or is not based on commonly used data formats or
- Allows the Service Provider to recover
costs for Aggregated Data requests that are different from
the method or format in which it generally offers aggregated
data, represents the fulfillment of multiple requests, or is
not based on commonly used data formats or standards.
HEA adheres to these best practices. No
additional fees are charged for data access: individual HEA
customers can access their raw data via the "Usage history"
menu in their account.
4.0 INTEGRITY AND SECURITY
The concept that Customer Data should be as
accurate as reasonably possible, and secured against
unauthorized access. Data should be maintained in a reasonably
accurate and complete form, considering the circumstances and
environment in which it has been collected (e.g., recognizing
the difference between raw meter data and bill-ready data). Data
should be protected via a cybersecurity risk management program
which has the following attributes:
- Identifies, analyzes, and mitigates
cybersecurity risk to the Service Provider’s organization with
respect to Customer Data.
- Implements and maintains process,
technology, and training measures to preserve data integrity
and reasonably protect against loss and unauthorized use,
access, or dissemination.
- Maintains a comprehensive data breach
response program for the identification, mitigation and
resolution of any incident that causes or results in the
breach of Customer Data security.
- Provides complete, accurate, and timely
notice to customers whose Customer Data may have been
compromised while within the Service Provider’s control or
within the control of Service Provider’s Contracted Agent, and
remedies those conditions which led to the breach.
- In the event that a Service Provider has
modified or enhanced data that it initially received from
another source (e.g., a utility or a different third party),
the customer receiving the enhanced or modified data should
generally be made aware that such data may differ from the
and maintains security policies that address these best
practices. In 2012 HEA passed a rigorous third party security
audit funded by PG&E, as a prerequisite to HEA's
participation in the launch of their initial Green Button
Connect My Data program at the White House.
Aggregated Data Methodologies:
When developing an Aggregation methodology that will meet
the requirements of Concept 2.0 Customer Choice and Consent,
subheading Consent Not Required, item (4), the
following variables should be considered:
- Customer Identifiers:
the aggregated data set should not include an individual
customer’s Account Data, or other identifying data.
- Number of Customers:
A sufficient number of customers should be included in the
data set to reduce the ability to re-identify a customer.
- Customer Load: If
the load of a particular customer represents an outlier
(e.g. greater or less than a percent of the ratio) when
compared to other customers in the data set, consideration
should be given to whether the size of the customer’s load
can be masked to prevent identification or re-
identification, or if not possible, that customer’s data
should be excluded from the data set.
- Customer Class:
differences in energy usage patterns between customer
classes should be considered when deciding whether to
aggregate multiple classes into one aggregated data set.
- Timescale: the
ability to identify or re-identify customers or attribute
to those customers specific Customer Data may vary based
on the interval of energy reading, creating differences in
methodologies used for hourly, monthly, quarterly and
- Geographic Identifiers:
the relative size of the geographic area associated with
the selection of customers for the data could result in
Methods by which data can be
aggregated should be reviewed every 2 years or more
frequently if needed to account for changes in technology
and risk related to data aggregation.
HEA adheres to
these best practices whenever data is aggregated.
Anonymized Data Methodologies:
When creating a methodology to anonymize Customer Data, the
following variables should be considered as applicable to
the specific situation:
- Customer Identifiers:
the Anonymized data should not include an individual
customer’s Account Data, or other identifying data.
- Customer Load and Energy
Pattern: the customer’s load and/or energy
pattern should be examined to determine if it is so
unique among other customers that it could compromise
- Customer Class:
the data should be homogenous; mixing of residential,
commercial, industrial or agricultural customers in
the same data set could compromise the anonymity of
- Timescale: the
customer’s time series data should be assigned a
random identification number and listed randomly.
- Energy Pattern:
customers with unique energy patterns should be
- Masking Data:
explore masking techniques that enhance the anonymity
of data without negatively impacting the validity of
the data set.
HEA adheres to these best practices whenever data is anonymized.
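The variables listed under the Aggregated Data and Anonymized Data methodologies above, turned into release checks over constructed sample records. This is an added example, not HEA's or DOE's code: the field names, the minimum group size of 15 and the "3x the group median" outlier rule are assumptions, since the VCC gives no numbers.

```python
"""Aggregation/anonymization checks modelled on the VCC variables.
Added example, not HEA's or DOE's code; field names, thresholds and all
sample records are constructed here for illustration."""
import random
import statistics
from typing import Dict, List, Optional

# Fields treated as Account Data (identifiers); constructed column names.
ACCOUNT_DATA_FIELDS = {"name", "street", "zip", "account_number", "meter_id"}

def sample_group(n: int = 20, seed: int = 1) -> List[Dict]:
    """Constructed residential customers, each with 12 monthly kWh readings."""
    rng = random.Random(seed)
    return [{"name": f"Customer {i}", "street": f"{i} Main St", "zip": "94000",
             "account_number": f"ACCT-{i:04d}", "meter_id": f"M{i:05d}",
             "customer_class": "residential",
             "kwh": [round(rng.uniform(400, 700), 1) for _ in range(12)]}
            for i in range(n)]

# Constructed edge cases: a stand-out load, and a customer of another class.
OUTLIER = {"name": "Big Load", "street": "1 Hill Rd", "zip": "94000",
           "account_number": "ACCT-9999", "meter_id": "M99999",
           "customer_class": "residential", "kwh": [5000.0] * 12}
COMMERCIAL = {**OUTLIER, "name": "Corner Shop", "customer_class": "commercial",
              "kwh": [550.0] * 12}

def strip_account_data(record: Dict) -> Dict:
    """Copy of the record with every Account Data field removed."""
    return {k: v for k, v in record.items() if k not in ACCOUNT_DATA_FIELDS}

def is_load_outlier(record: Dict, group: List[Dict], ratio: float) -> bool:
    """True if total load exceeds `ratio` x the group median or falls below
    median / `ratio` (an assumed reading of the VCC 'Customer Load' variable)."""
    med = statistics.median(sum(r["kwh"]) for r in group)
    total = sum(record["kwh"])
    return total > med * ratio or total < med / ratio

def check_homogeneous(group: List[Dict]) -> None:
    """The VCC 'Customer Class' variable: one class per data set."""
    if len({r["customer_class"] for r in group}) != 1:
        raise ValueError("mixed customer classes; build one data set per class")

def aggregate(group: List[Dict], min_customers: int = 15,
              ratio: float = 3.0) -> List[float]:
    """Sum readings per interval after dropping outliers; refuse to release a
    data set that is class-mixed or too small to hide any one customer."""
    check_homogeneous(group)
    kept = [r for r in group if not is_load_outlier(r, group, ratio)]
    if len(kept) < min_customers:
        raise ValueError(f"{len(kept)} customers left; need {min_customers}")
    intervals = len(kept[0]["kwh"])
    return [sum(r["kwh"][i] for r in kept) for i in range(intervals)]

def release_allowed(group: List[Dict], min_customers: int = 15,
                    ratio: float = 3.0) -> bool:
    """True if `aggregate` would release this group, False if it refuses."""
    try:
        aggregate(group, min_customers, ratio)
        return True
    except ValueError:
        return False

def anonymize(group: List[Dict], ratio: float = 3.0,
              seed: Optional[int] = None) -> List[Dict]:
    """Per-customer series with Account Data removed, stand-out loads dropped,
    random ids assigned and the listing order shuffled."""
    rng = random.Random(seed)
    check_homogeneous(group)
    kept = [strip_account_data(r) for r in group
            if not is_load_outlier(r, group, ratio)]
    rng.shuffle(kept)
    ids = rng.sample(range(10**6), len(kept))
    return [{"anon_id": i, **r} for i, r in zip(ids, kept)]
```

The thresholds are the part a real program would have to justify per the "reviewed every 2 years" guidance; the structure (identifier stripping, class homogeneity, outlier handling, minimum count, random ids) is what the two methodology lists ask for.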
5.0 SELF ENFORCEMENT MANAGEMENT AND REDRESS
The concept that there should be enforcement
mechanisms to ensure compliance with the foregoing concepts and
principles. Service Providers who voluntarily adopt this
Voluntary Code of Conduct commit to the following:
- To regularly review their Customer Data
practices, including customer notice practices, for accuracy,
compliance, and process improvement opportunities.
- To take action to meet legal and
regulatory data protection mandates and, when necessary, to
ensure compliance with the foregoing principles.
- To provide a simple, efficient, and
effective means for addressing customer concerns. Customer
processes should be easily accessed, and should provide timely
review, investigation, documentation, and resolution of the
customer’s concerns. Existing procedures for addressing other
types of customer complaints may be adequate.
- To conduct regular training and ongoing
awareness activities for relevant employees on the Service
Provider’s privacy policies and practices.
HEA adheres to these best practices.
of Document Version 1.1, updated February 2016, with
DataGuard logo. Prior version here.
Please email any questions to firstname.lastname@example.org