Contents
Document Control  1
1 Introduction  2
2 The Data protection strategy  2
3 Data to be collected  3
4 Participation from the customers  4
5 The parties involved within the data and their roles  5
5.1 Definitions  5
5.2 Application of this strategy  5
5.3 SGN  7
5.4 Gas customers  7
5.5 DNV GL  7
5.6 Socio‐economic data providers  8
5.7 Logger installer  8
6 Storage, security and protection of data  9
7 The demand model  11
8 Data retention, anonymisation and destruction phases  11
9 References  11
Data Protection Plan
1 July 2016
Document Control
Key Contributors
Name | Company | Contact Detail
Alexander Webb | SGN | [email protected]
Angus McIntosh | SGN | [email protected]
SGN Real‐Time Networks Team | SGN | Real‐[email protected]
Mark Saunders | DNV GL | [email protected]
DNV GL Real‐Time Networks Team | DNV GL | Various
Version Control
Version | Date | Owner | Action
A | 2016‐04‐04 | David Gower | Proposed contents and notes
B | 2016‐05‐25 | David Gower | Internal draft for review
 |  |  | Update following SGN and legal review
C | 2016‐06‐06 | David Gower | Updated following further legal review
D | 2016‐06‐15 | David Gower | Updated following internal updates
E | 2016‐07‐15 | David Gower | Update following Technolog review
F | 2016‐07‐15 | David Gower | Amendments to document tone
G | 2016‐07‐26 | David Gower | Proposed contents and notes
H | 2016‐08‐08 | David Gower | Secondary amendments to document tone
Reviewers
Name | Job Title
Alex Webb | Real‐Time Networks Project Manager
Angus McIntosh | Real‐Time Networks Project Director
Distribution List
Name | Company | Contact Detail
Angus McIntosh | SGN | [email protected]
SGN project steering group | SGN | Various
Paul Mitchell | SGN | [email protected]
Ian Bagworth | Ofgem | [email protected]
Networks Innovation | Ofgem | [email protected]
Ross Bibby | SSE | [email protected]
1 Introduction
Our Real‐Time Networks (RTN) project aims to address key gas customer concerns: the cost, security and carbon footprint of their supply.
We aim to create a real‐time gas network for the future that is flexible, secure, cost effective and safe by improving gas network design and network operation assumptions. Customer flow data will be logged over a two year period, and used to develop a novel real‐time energy demand model to update and enhance the current industry standards for design and operation of gas distribution systems. A random sample of customer meters will be drawn from across the south‐east England Local Distribution Zone (SE LDZ).
RTN will use a pilot trial methodology with the procurement and installation of different sensor technologies across pressure tiers in a gas distribution system in the Medway area of south‐east England. This enhanced demand model will be tested against our trial area.
The purpose of this document is to set out details of the customer Data Protection Strategy for the collection of customer flow data through the RTN project and its future use within SGN.
We are conducting the RTN research project in partnership with DNV GL, who have in turn appointed Technolog Ltd as a sub‐contractor for the installation of flow loggers at customers’ premises. The RTN project is funded through the 2016 Gas Network Innovation Competition (NIC) by Ofgem.
The customer data collected during our project will be considered as “personal data”. This document describes how this personal data will be collected, handled and stored to comply with the requirements of the Data Protection Act (1998) (the Act).
RTN will run from 1st April 2016 to 31st March 2019. Data collection from our participating customers is due to take place between 1st April 2017 and 31st March 2019 (the data collection period), with installation of flow loggers to capture data commencing in September 2016 and removal of the loggers as soon as possible at the end of the project.
We will determine the use of the demand models developed from the project, and the data which these are based on, following completion of the project. We are committed to assessing the potential paths to implementation of the demand models produced through our project following its completion. We anticipate that we will implement and maintain the demand model, using the personal data which will be retained securely for the continued maintenance and adjustment of the demand model for a defined period after completion of our project.
Our strategy helps to protect all the parties who will use and store personal data as a result of the RTN project from data security risks, including:
- Breaches of confidentiality
- Failure to offer choice
- Reputational damage
2 The Data protection strategy
Our data protection strategy covers key questions for how all the parties within the RTN project will handle customer data, from the initial data capture to the end of the use of the demand models to be developed. It outlines the data security mechanisms being implemented to ensure the safeguarding of data, both personal and otherwise, within our project and during the use of the demand models.
The data collected by us, and by the parties acting on our behalf, is considered to be personal information, which we have responsibility to process in accordance with the Act. As part of our project to collect data, we will engage with project stakeholders and our customers to inform them of the principles and benefits of the project and provide channels for discussion and feedback to inform and assist delivery.
The roles of all parties who collect, use and store the data are to be understood and recorded through this strategy to ensure the protection of that data.
If any significant aspects of the data protection strategy change during the lifecycle of the RTN project, a request for the change with a revised version of the data protection strategy will be submitted for review by Ofgem and internal stakeholders. Where a change to the data protection strategy has a direct effect on our customers, we will notify our customers directly.
3 Data to be collected
The data to be collected during the project includes:
- The addresses of the sample of customers’ premises
- The contact details for the occupiers of the premises
- Details of the customers’ use of energy:
  - The Annual Quantity (AQ) of gas consumed by the customer as recorded by Xoserve[1]
  - The flow data collected from the customers’ gas meter: the volume of gas used in every 6 minute period of every day across the whole data collection period
The set of customers from whom data will be collected consists of a random sample of:
- 600 domestic customers stratified by location, house type/size and customer socio‐economic segment.
- 600 non‐domestic customers stratified to cover the whole span of commercial and industrial gas customers, including schools, hospitals and similar institutions.
The whole sample will be spread, geographically, across the population centres of the SE LDZ.
The sample of customers’ addresses, where loggers will be fitted to collect flow data, will be identified in two ways:
- Customers who:
  a. Under no obligation, have volunteered to participate following a general appeal to our employees and their friends and family; and
  b. Fall within predetermined criteria for location and house type/size
- Customers who have been identified by DNV GL from our Demand Derivation System (DDS)[2] and other data as fitting within the required criteria, and who will be requested, under no obligation, to volunteer to participate in the data collection
Details of the methods to be used in approaching customers are given in our Customer Engagement Plan (CEP) /1/.
[1] Xoserve is the body which fulfils the role of the common service provider for services to gas shippers, who supply and record customers’ use of gas, on behalf of the Network companies such as SGN. The AQ is a critical piece of data which is used by the Distribution Networks like SGN to understand customers’ use of gas.
[2] DDS contains details of all connected gas demands for the SGN business, provided by Xoserve to the Distribution Networks.
Addresses will be used by ourselves and DNV GL (and its nominated contractor Technolog) to engage with customers and receive permission to attach the logger to their gas meter. Participating customers may provide a name and contact details, such as a telephone number.
A Customer Questionnaire will be provided to participating customers in order to further inform the development of the demand model. Completion of the Questionnaire will be voluntary and follow‐up contact with the customers will only be done with their specific agreement.
No sensitive personal data will be collected at any point.
4 Participation from the customers
Customers asked to participate by providing data will be offered an opportunity to allow or refuse access to and use of their data, and their data will not be collected or used without this express agreement.
Prior to requesting access, our customers will be fully informed of:
- To whom they are giving their data / information
- The purpose and use of the data (both the logged flow data and information given in the Customer Questionnaire)
- The nature of the data collection and its method
- With whom the data may be shared
- The security of the data whilst it is being collected, transmitted and used
- The length of time it will be retained before its destruction or anonymisation, and
- Their right to withdraw from participating at any time
The wording of the above information to be provided to the customers will form a privacy policy for our customers to either accept or decline. This agreement will be formally requested through a Participation Request document which will be issued by us.
Our customers may respond via a paper form, via a website or verbally by phone[3]. The words of this document will be used appropriately in each context.
[3] Verbal agreement by phone will only be used where:
  1. SGN presents the words of the participation request during the phone call and records the customer’s acceptance.
  2. The call is in response to a letter where the customer has had the participation request available to read and it may be assumed that they are aware of the details of the request. The customer’s acceptance will be recorded as well, confirming that they have received and understood the letter.
5 The parties involved with the data and their roles
5.1 Definitions
Data Controller
The person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. Unless otherwise stated, SGN is the Data Controller.
Data Processor
SGN and DNV GL are the Data Processors. The Data Processor, in relation to personal data, means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Data processing of information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
- Organisation, adaptation or alteration of the information or data
- Retrieval, consultation or use of the information or data
- Disclosure of the information or data by transmission, dissemination or otherwise making available, or
- Alignment, combination, blocking, erasure or destruction of the information or data
Data Sub‐processor
Technolog is the Data Sub‐processor, carrying out some Data Processing on behalf of DNV GL, and has the same roles and responsibilities as DNV GL as Data Processor.
Whilst Technolog is used throughout this document, the work of installing gas flow loggers will be carried out by Technolog’s subsidiary company Utilitec and the requirements of this document also apply in full to that company.
Data Subject
Data subject means an individual who is the subject of personal data. In this case the data subjects are the customers of SGN whose gas meters are being logged.
5.2 Application of this strategy
This strategy applies to all staff, contractors, suppliers and other individuals working for or on behalf of SGN and DNV GL in relation to the RTN project and the personal data involved.
It applies to all data that the parties hold in relation to the RTN project even if that information technically falls outside of the Act. Everyone who works for or with DNV GL or their sub‐contractors has some responsibility for ensuring the data is collected, stored and handled appropriately.
The paths for acquiring and handling data between the parties involved are shown in the diagram below.
5.3 SGN
For the purposes of the Act, we shall act as the Data Controller and Data Processor for all gas customer information, and all contact with our customers will be carried out in accordance with the Ofgem approved CEP /1/.
Below we list the activities that will be undertaken by us acting as Data Controller and Processor:
- We will use gas customer data in order to engage with customers on our project and request participation
- We will engage with volunteers for loggers to be fitted through contact with staff, friends and family
- We will use customer names and addresses in order to provide incentives to participating customers following meter logger installation
- We will publish the Customer Questionnaire on a website and in document format for completion by customers
- We will share customer data with DNV GL and Technolog
- We and our partners will not disclose information to any external sources
- We will have access to the data feeds from individual customers during the period of data gathering
5.4 Gas customers
The gas customer, as the Data Subject, has rights in respect of personal data that is processed about them, will be able to make access requests and has the right to object to processing of the data at any time. This relates to all personal data collected by RTN via electronic and paper records, regardless of source.
5.5 DNV GL
For the purposes of the Act, DNV GL, and where applicable its contractors, are the data processors or Sub‐processors. Below we have listed all of the activities that DNV GL will undertake as data processor:
- DNV GL will have access to the data feeds from individual loggers and will use the gas customer data in conjunction with commercially available socio‐economic data to create and test aggregated and anonymised demand models
- DNV GL will arrange for the transmission of gas consumption data as anonymised information, which will require a separate tokenisation key for the identification of the gas customers’ addresses
- DNV GL will arrange for the use of encrypted storage of data in databases via cloud solution(s)
- DNV GL will ensure, through the management of systems and staff, that access to non‐encrypted data is limited to only the authorised staff necessary for the conduct of the work whilst it is being analysed, and that the data is not copied or moved to less secure storage
- DNV GL will use gas customer data in order for us to engage with our customers on our project and request participation
- Gas consumption data will be used only for the development and maintenance of the demand modelling approaches initiated through this project and will not be used for any other purpose
- The gas consumption data will be used by DNV GL alone for the purposes of this project and the subsequent maintenance and update of the demand models
- Results of data analysis will be published in an anonymous form and only with the express permission of SGN
- DNV GL will identify the sample of customers where loggers will be targeted to be fitted from our DDS data and the rules for acceptance of other volunteers
- DNV GL will purchase and use socio‐economic data which will be used to identify differing consumer use patterns which may form the basis of the demand modelling:
  - Widely used commercially available domestic and non‐domestic segmentation / lifestyle data
  - Known to be used in similar published studies of customer electricity use
- DNV GL may use the customers’ contact details for any follow‐up needed to the Customer Questionnaire, with the specific agreement of the customer and provided that the customer has been fully informed by us
5.6 Socio‐economic data providers
Socio‐economic Data Providers will be contracted by DNV GL for the commercial provision of categorisation and demographic segmentation data relating to customers. This data will be analysed alongside the gas flow data obtained from the loggers to identify distinct gas use patterns, which may then be used to define generic customer types, which may be used in modelling the overall population of gas customers.
5.7 Logger installer
For the purposes of the Act, the logger installer (Technolog) will be a Data Sub‐processor. The logger installer, whose installation activities are undertaken by Utilitec Services, will be contracted by DNV GL. Below we have detailed what activities the logger installer will undertake as Data sub‐processor:
- The logger installer will be responsible for the installation of loggers and the secure transmission of data from the logger to DNV GL. The logger installer will use tokenisation to identify customers for the transmission and any short term storage of data.
- The logger installer will arrange for any maintenance of the meter loggers that may be required over the duration of the project. Any maintenance may require a visit to the customer’s premises.
- The logger installer will arrange for the removal of the loggers following project completion or following the request of the customer. Any data that remains in any logger will automatically be overwritten within 90 days of its removal. Once a logger is removed from its site, the link between the meter and the logger is deleted from the Technolog database. Technolog will provide a confirmation of the removal of the logger to DNV GL.
- The logger installer will be responsible for the short term storage of data during the project.
- The logger installer will ensure the security of the data to an appropriate standard during the project (see Section 6 below).
6 Storage, security and protection of data
Throughout the data gathering process we will ensure that every precaution necessary is taken to ensure that our customers’ data is stored and protected securely. Below we have listed the steps that will be taken before, during and after the data collection part of the project:
Meter Logger
Loggers will include a tamper detection system, which provides a remote warning of interference.
Logger installer storage of data
The meter logger installer Technolog (under the Utility Data Services group), is certified under ISO 27001:2013 Information technology – Security techniques – Information security management systems ‐ Requirements. Accreditation to ISO 27001 covers the context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. This includes the use of encryption for transmission of the data and encryption for all database backup storage. The live databases are in a dedicated subnet protected by a firewall and only accessible via the required authentication and authorisation mechanisms.
The data will not be transferred to any storage, and will not be accessible, outside the European Economic Area (EEA), provided the UK remains within the EEA.
The logger installer will not access the data other than through automated means to check its validity and to raise warnings where faults occur. Access to the data will be restricted and auditable.
Data will only be retained as described in Section 8 below.
Cloud solution for data historian
The Cloud solution for the gathering of data in a data historian will adhere to the following internal SGN Information Security Policies:
‐ PO‐SEC‐001 Information Security Policy
‐ PO‐SEC‐002 SGN Access Control
‐ PO‐SEC‐004 SGN Information Security Compliance Policy
‐ PO‐SEC‐006 Information Classification Policy
‐ PO‐SEC‐009 SGN Network Security Management Policy
‐ PO‐SEC‐011 SGN Information Security Risk Management Policy
The data will not be transferred to any cloud storage, and will not be accessible, outside the EEA, provided the UK remains within the EEA.
Access to data which is not encrypted will be controlled and will only be allowed if a user has sufficient privilege to do so. Systems and management processes will be put in place in DNV GL and SGN to ensure that only the required staff are allowed the privileges required for access to the data. Non‐anonymised data will not be copied or transferred to other storage locations.
Encrypted databases will be used for all backup storage purposes.
The personal data stored will be retained as described in Section 8 below.
Data storage and access in DNV GL (via a cloud solution)
With regard to the security of data storage and use internally, DNV GL Software, who will handle the data associated with the project, has a Global Shared Service Information Technology (GSS IT) function that is responsible for the safety of DNV GL’s IT perimeter, its IT infrastructure and its programme for achieving ISO/IEC 27001 accreditation. DNV GL is currently in the later stages of achieving this accreditation.
The data will not be transferred to any storage, and will not be accessible, outside the EEA, provided the UK remains within the EEA.
Encrypted databases will be used for all backup storage purposes. The live databases will be in a dedicated subnet protected by a firewall and only accessible via the required authentication and authorisation mechanisms.
Access to data which is not encrypted will be controlled and will only be allowed if a user has sufficient privilege to do so. Systems and management processes will be put in place in DNV GL to ensure that only the required staff are allowed the privileges required for access to the data. Non‐anonymised data will not be copied or transferred to other storage locations.
The personal data stored will be retained as described in Section 8 below.
Demand modelling development
The development of demand models will involve the identification of commonalities in behaviour patterns between different gas customers against various identifying classifications. The modelling produced from the process will involve the aggregation of multiple customers into defined groups. Users of the demand models will not have access to the base data on which the models will be built and will therefore not be able to identify individual customers’ data.
7 The demand model
The demand model produced through the RTN project will only allow the users of the model to see aggregated and anonymised details of demand for application within network modelling. The data which underpins the demand model will not be visible to users, but will continue to be of use to us and DNV GL for the on‐going maintenance and update of the demand model.
8 Data retention, anonymisation and destruction phases
Following project completion, the Data Processor, DNV GL, will provide us with guidance and information to ensure that we achieve all the valid learning and outputs from our project.
The personal data will be retained securely by us and DNV GL for a period of 6 years from the first date of substantive data collection (1st April 2017). Any minimal amount of data collected before this date is for testing the equipment and communications purposes only.
The logger installer will retain the data for no longer than the period of the project and will delete all data within 3 months of the project completion.
Should any of our project partners or participants wish to publish the results from this project, they will be obliged to ensure that the results are aggregated and anonymised. To share the content (results and accompanying analysis), authorisation in advance of publication must be obtained from us.
The demand model to be produced from the project will provide only anonymised and aggregated data for use within network modelling.
At the end of the retention period any personal data will be destroyed. Personal data will not be retained on the Data Controller’s or Data Processors’ premises or infrastructure beyond the retention period. To achieve this, the specific addresses used against the flow data will be anonymised and any data identifying the customers or their contact details will be removed. The Data Processor(s) must provide us with written confirmation that the destruction of personal data has been carried out in accordance with this agreement.
The flow and related data will be retained in an anonymised form as the on‐going basis for the demand model.
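The tokenisation described in Sections 5.5 and 5.7 and the anonymisation step above, as an added Python illustration that is not the project's own code: flow records leave the installer carrying only a keyed token per premises, the token-to-address table stays with the Data Controller, and at the end of the retention period destroying that table leaves the 6‑minute flow data usable for aggregated demand modelling but no longer linkable to a customer. The use of an HMAC as the tokenisation method, the class and function names and the sample readings are assumptions.

```python
"""Tokenised flow-data pipeline (added illustration, constructed data)."""
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

INTERVAL_MINUTES = 6  # resolution of the logged flow data (Section 3)


class TokenVault:
    """Holds the tokenisation key and the token -> address table.

    Assumed to live only with the Data Controller; Processors see tokens only.
    """

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table = {}

    def tokenise(self, address):
        # Normalise case and spacing so one premises never yields two tokens
        norm = " ".join(address.upper().split())
        token = hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()
        self._table[token] = address
        return token

    def resolve(self, token):
        """Re-identify a token; only possible while the vault still exists."""
        return self._table.get(token)

    def destroy(self):
        """End-of-retention step: drop key and table so tokens are unlinkable."""
        self._table.clear()
        self._key = None


def build_transmission(vault, readings):
    """readings: list of (address, interval_start, volume_m3).

    Returns the JSON payload the logger installer would send onward:
    tokens and volumes only, never addresses or contact details.
    """
    records = [{"token": vault.tokenise(addr), "interval": t, "volume_m3": v}
               for addr, t, v in readings]
    return json.dumps(records)


def leaks_personal_data(payload, addresses):
    """Pre-transmission check: no raw address may appear in the payload."""
    norm_payload = " ".join(payload.upper().split())
    return any(" ".join(a.upper().split()) in norm_payload for a in addresses)


def aggregate_profile(payload):
    """Aggregated demand per interval (Section 7): mean volume across tokens."""
    sums, counts = defaultdict(float), defaultdict(int)
    for rec in json.loads(payload):
        sums[rec["interval"]] += rec["volume_m3"]
        counts[rec["interval"]] += 1
    return {t: round(sums[t] / counts[t], 3) for t in sums}


# Constructed sample: two premises, two consecutive 6-minute intervals each
SAMPLE_READINGS = [
    ("1 Example Road, ME1 1AA", "2017-04-01T00:00", 0.012),
    ("1 Example Road, ME1 1AA", "2017-04-01T00:06", 0.015),
    ("2 Example Road, ME1 1AA", "2017-04-01T00:00", 0.020),
    ("2 Example Road, ME1 1AA", "2017-04-01T00:06", 0.025),
]


def demo(key=None):
    """Run the lifecycle: tokenise, check, re-identify, destroy, aggregate."""
    vault = TokenVault(key)
    payload = build_transmission(vault, SAMPLE_READINGS)
    addresses = {a for a, _, _ in SAMPLE_READINGS}
    assert not leaks_personal_data(payload, addresses)
    token = json.loads(payload)[0]["token"]
    before = vault.resolve(token)   # Controller can still re-identify
    vault.destroy()                 # retention period ends
    after = vault.resolve(token)    # None: the flow data is now anonymised
    return before, after, aggregate_profile(payload)
```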
9 References
/1/ Real Time Networks Customer Engagement Plan. July 2016.