SmartPrivacy for the Smart Grid Catherine Thompson Office of the Information and Privacy Commissioner Ontario, Canada Practical Smart Grid Security (SG-11) Miami Beach, Florida January 22, 2010



Information and Privacy Commissioner Ontario (IPC)

• Ensure that government organizations (provincial and municipal) comply with freedom of information and privacy laws in Ontario

• Educate the public and raise awareness of Ontario’s access and privacy laws

• Conduct research on access and privacy issues

• Investigate privacy complaints and resolve appeals when the government refuses to grant access to government-held information


IPC Oversight of Ontario Utilities

• Hydro One (incl. all subsidiaries);

• Ontario Energy Board;

• Ontario Power Authority;

• Ontario Power Generation (incl. all subsidiaries);

• Independent Electricity System Operator (IESO)

– Smart Metering Entity;

• Every corporation incorporated under section 142 of the Electricity Act, 1998. www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_98e15_e.htm


Smart Grid impact on utilities

• Transformation of the grid means distribution companies must also transform, collecting much more personal information than before, and offering new types of services.

• Many will be retooling their skills, expanding the boundaries of what they do, and leveraging smart grid technology to change their firm. Whole organizations will transform.

• One thing is certain: much more personal information will be collected than was previously possible. This has major implications for security, making infrastructure a target for identity thieves and other criminals. Security will therefore be extremely important, but must be part of an overall privacy-protective approach.


Smart Grid: Where the IPC stands

• We must take care not to sacrifice consumer privacy amidst a sea of enthusiasm for electricity reform;

• Principles of Privacy by Design must be part of the overall design for smart grid data flows.


SmartPrivacy for the Smart Grid

• Released November 2009, with the Future of Privacy Forum.

• www.privacybydesign.ca


Privacy and Security: The Difference

Privacy Security

Security is, however, vital to privacy


Information Privacy Defined

Information privacy refers to the right or ability of individuals to exercise control over the collection, use and disclosure by others of their personal information.

“Personal information” refers to any recorded information about an identifiable individual, such as name, contact, biographical information, individual preferences, transactional history, record of activities or travels, or any information derived from the above, such as a profile or score.

In the context of the Smart Grid, the linkage of any personally identifiable information with energy use would render the linked data as personal information.


Fair Information Practices

• Consent

• Accountability

• Purposes

• Limiting Collection

• Limiting Use and Retention

• Openness

• Safeguards

• Accuracy

• Access

• Challenging Compliance

A brief history: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); European Union Directive on Data Protection (1995/1998); CSA Model Code for the Protection of Personal Information (1996); United States Safe Harbor Agreement (2000); Global Privacy Standard (2006).

See www.ipc.on.ca/images/Resources/up-gps.pdf


Privacy and Security: The Difference

Information Privacy = personal control

Security = Organizational control of information through information systems

• Authentication

• Data Integrity

• Confidentiality

• Non-repudiation


Sharing PI with third parties

• The minimal amount of information should be provided to third parties given the nature of the relevant service. For example, partial location data such as the first few digits of a zip or postal code may be sufficient for services that allow for comparison of neighborhood averages, and other features such as weather statistics.

• Pseudonymize identity, where possible. When sharing data with a third party, consider using a pseudonym such as a unique number, which the individual would be permitted to reset at any time.

• Third parties should not request information from the utility about consumers; rather, consumers must be able to maintain control over the type of information that is disclosed to third parties by the utility.

• When data is transmitted, the risk of interception arises. We recognize there are multiple channels of communication, such as home area networks, telecommunication systems, and internet protocols. Appropriate, secure channels of transmission are necessary to ensure strong privacy protection along the Smart Grid, commensurate with the type of data conveyed.

• Third parties should agree not to correlate data with data obtained from other sources or the individual, without the consent of the individual.
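
The minimization and pseudonym bullets above, sketched as an added example that is not part of the original presentation: a meter record is reduced to a coarse region plus consented fields, and the account is replaced by a random pseudonym the consumer can reset. The field names, the choice of one pseudonym per third party, and the sample record are assumptions made for illustration.

```python
import secrets

# Only these fields may ever leave the utility; name, street address and
# account number are never candidates for sharing (assumed field names).
SHAREABLE_FIELDS = {"region", "interval_kwh"}


class PseudonymRegistry:
    """Random, consumer-resettable pseudonyms, one per (account, third party)."""

    def __init__(self):
        self._pseudonyms = {}

    def get(self, account_id, third_party):
        key = (account_id, third_party)
        if key not in self._pseudonyms:
            self._pseudonyms[key] = secrets.token_hex(16)
        return self._pseudonyms[key]

    def reset(self, account_id, third_party):
        """Consumer-initiated reset: the new value is random, not derived from the old."""
        self._pseudonyms.pop((account_id, third_party), None)
        return self.get(account_id, third_party)


def coarse_region(postal_code, keep=3):
    """Keep only the first few characters of a zip or postal code."""
    return postal_code.replace(" ", "").upper()[:keep]


def minimize_for_third_party(record, consented_fields, registry, third_party):
    """Build the record a third party receives: pseudonym plus consented fields."""
    allowed = SHAREABLE_FIELDS & set(consented_fields)
    shared = {"pseudonym": registry.get(record["account_id"], third_party)}
    if "region" in allowed:
        shared["region"] = coarse_region(record["postal_code"])
    if "interval_kwh" in allowed:
        shared["interval_kwh"] = list(record["interval_kwh"])
    return shared


# Constructed sample record, not real customer data.
SAMPLE = {
    "account_id": "ACCT-0001",
    "name": "Example Consumer",
    "postal_code": "A1B 2C3",
    "interval_kwh": [0.42, 0.38, 1.10],
}
```

Issuing a separate pseudonym to each third party means two recipients cannot join their data sets on the identifier alone, which supports the non-correlation bullet technically rather than only by agreement.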


Positive-Sum Paradigm

• A Zero-Sum Paradigm describes a concept or situation in which one party’s gains are balanced by another party’s losses – win/lose; either/or; enhancing security often comes at the expense of privacy – the more you have of one, the less you can have of the other;

• A Positive-Sum Paradigm, in contrast, describes a situation in which all participants may mutually gain together (win-win);

• To achieve a positive-sum model, privacy must be proactively built into the system so that privacy protections are engineered directly into the technology, right from the outset;

• The effect is a minimization of the unnecessary collection and use of personal data by the system, while at the same time, strengthening data security, and empowering individuals to exercise greater control;

• This can result in technologies that achieve strong security and privacy, or privacy and functionality, delivering a “win-win” outcome.


Privacy by Design: “Build It In”

• Commissioner Cavoukian first developed the concept of “Privacy by Design” in the 90s, as a response to the growing threats to online privacy that were beginning to emerge;

• “Privacy by Design” seeks to build in privacy – up front, right into the design specifications; into the architecture; embed privacy into the technology used – bake it in;

• Data minimization is key: minimize the routine collection and use of personally identifiable information – use encrypted or coded information whenever possible;

• Use privacy-enhancing technologies (PETs) where possible: give people maximum control over their own data.


Privacy by Design: The 7 Foundational Principles

1. Proactive not Reactive; Preventative not Remedial

2. Privacy as the Default

3. Privacy Embedded into Design

4. Full Functionality: Positive-Sum, not Zero-Sum

5. End-to-End Lifecycle Protection

6. Visibility and Transparency

7. Respect for User Privacy

www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf


Privacy & NIST Smart Grid work

The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (Draft):

– “Legal and regulatory frameworks can be further harmonized and updated as the Smart Grid becomes more pervasive.”

– “PIAs of data collection, data flows and processing are also crucial…”

Draft Interagency Report (NISTIR) 7628: Smart Grid Cyber Security Strategy and Requirements:

– Advocates for the adoption of fair information practices.

“Take-aways”:

• Privacy impact assessments are crucial

• Fair information practices are key


Keep an eye on Ontario…

The Information and Privacy Commissioner of Ontario is working with the Ontario Ministry of Energy and Infrastructure on embedding Privacy by Design as a foundational element of Smart Grid policy in Ontario.


Conclusions

• Lead with Privacy by Design – embed privacy into the design specifications of information technologies, accountable business practices and operations;

• Take it a step further – change the paradigm from “zero-sum” to “positive-sum,” where both privacy and security can be delivered, thereby raising the overall level of protection;

• When you change the paradigm, you then change the mindset: you can deliver both privacy AND security, not as a mutually exclusive “either/or” (false dichotomy) but as the doubly enabling “win/win;”

• The future of privacy may very well depend on embedding privacy into Design – make it a reality!


How to Contact Us

Catherine Thompson, LL.B.
Regulatory and Policy Advisor
Office of the Information & Privacy Commissioner
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8

Phone: (416) 326-3948 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: [email protected]

For more information on Privacy by Design, please visit: www.privacybydesign.ca