I believe in most cases the energy supplier delegates the management and data collection to a third party (SMSO). Based on what I read, it seems Secure Meters, the manufacturer of Liberty 100, also provide such SMSO service to energy providers installing their meters. In this case, if you swap providers, your old energy provider might no longer have access to your meter readings (nor will the new provider), but the SMSO will remain having full control. Hence why moving the devices from SMSO to the DCC (regulated entity) becomes a more appealing prospect. I decided to switch providers and I can see that my device is still connected to the WAN (i.e. SMSO’s communications network). It is quite discomforting to know that a third party not linked in any way to me (or my energy supplier) still have access to my energy usage data. Not much I can do until my meter is either replaced or transitioned.
Do you have a list of all the SMSO companies?
I’d be intrigued as to the ICO’s take on this. I might just ask them if they regard energy data as ‘Personal Information’.
I do not have a full list, but you can see how the solution works on Secure Meters’ webpage: https://www.securemeters.com/index.php/products/residential/utility-retailers/smart-metering-gas/secure-smso/
I suspect we are not given much visibility on who our energy suppliers use to maintain our meters (i.e. act as SMSO on their behalf). Having said that, an easier route for them is to use the manufacturer’s own managed services (provided they provide such service). I assume this issue might eventually go away when old meters are finally transitioned to DCC. Even after this final enrolment, I am not entirely sure if SMSOs will still play a part though.
@borpin, I was able to find the following SMSOs from DCC development plans.
- CGI Instant Energy;
- Trilliant Networks;
- Secure Meters;
- Morrison Data Systems (MDS);
The document used as reference was:
This has really piqued my interest from a data privacy point of view. Next time I get a call trying to get me to install one, I may just ask some pertinent questions… In the meantime, an FOI to Ofgem for a list of SMSOs is a start.
I got the reply to my FOI today. Honestly it does not make good reading. The TL;DR is that
- The regulator has no idea what companies are acting as SMSOs
- There might be a convoluted way for an individual to discover who the SMSO is who manages your meter if you have left the original supplier (else the supplier should be able to tell you).
- The regulator has not considered any GDPR implications of Smart Meters.
- It is unclear if the original supplier continues to have a commercial relationship with the SMSO if the customer leaves that supplier. If there is no commercial relationship, who the Data Controller of the personal data that is probably still collected is unclear.
It is entirely possible that, once ‘dormant’ the SMSO is still collecting the personal data and processing it however it likes, with no oversight.
Reinforces my position that I will never have one in this house.
FOI Response from OFGEM
Reference number: FOI-1-2019
Thank you for your correspondence of 2 January 2019 where you requested information about smart meter system operators (SMSOs). We have considered your request under the Freedom of Information Act 2000 (“FOIA”).
For ease of reference each of your questions has been answered in turn.
"I would like all information on the regulation and management of SMSOs within the UK."
SMSOs remotely interact with meters on behalf of suppliers in order to provide reading and other services on a commercial basis. SMSOs can act as a third party on behalf a supplier by entering a commercial contract. Ofgem does not regulate commercial contracts, and does not directly regulate SMSOs. It is the responsibility of suppliers to ensure that any third party acting on their behalf is adhering to any relevant obligations. If an SMSO should breach regulations, the supplier is ultimately responsible, and we may consider taking action upon the relevant supplier in line with our organisation-wide Enforcement Guidelines, which can be found here: https://www.ofgem.gov.uk/publications-and-updates/enforcement-guidelines
"I would like a list of all registered companies that act as an SMSO within the UK."
We do not hold the information that you have requested. In the interests of being helpful, we have provided some relevant information below.
The Data Enquiry Service (DES), maintained by Xoserve, holds details of the Meter Asset Manager (MAM) and DCC/SMSO at gas meter points. Details for DES can be found here: https://www.xoserve.com/index.php/our-systems/data-enquiry/
Similarly, for electricity, ECOES (governed under the Master Registration Agreement, MRA) provides details of the Meter Operator (MOP), Data Collector (DC), Data Aggregator (DA), Meter Asset Provider (MAP) and DCC/SMSO for electricity meter points. Details for ECOES can be found here:https://www.mrasco.com/ecoes/
"I would like all information, including any discussions that may have taken place over this subject pertaining to the relationship of SMSOs and the personal data they collect, with respect of the Data Protection Act and GDPR."
We do not hold information relevant to your request.
As noted above we do not directly monitor the commercial contractual aspect of SMSOs. Nevertheless as third parties who process the relevant data they are also subject to the GDPR rules, and therefore must ensure that they comply with the applicable principles. Any data collected by third parties must not be processed in a way that is unduly detrimental, unexpected, or misleading to the individual concerned. Additionally, only the relevant data actually needed should be collected and must only be used for its intended limited purpose.
We note that suppliers are obligated to ensure any third party acting upon their behalf acts in accordance to all applicable regulations.
"How does an individual find out who the data controller of that data is especially when the customer moves away from the company that installed the SMETS1 meter."
The Data Protection Act 1998 and GDPR give individuals the right to request personal data that is being processed by a data controller, through Subject Access Requests. Consumers would continue to benefit from this right (and others) in parallel with the protections afforded by the government’s smart metering Data Access and Privacy Framework.
Customers should contact their supplier to make a Subject Access Request. Individuals have the right to find out if an organisation is using or storing their information, and they can request to know what the data is used for and with whom this data is shared with. Please note, you can only request access to your own information, and in some circumstances the organisation may refuse to grant assess. For further information please refer to ICO’s website and theirrights of access page which contains useful guidance on the topic.
Ofgem expects that suppliers provide information to consumers that is commensurate with the data they are accessing from the consumer’s smart meter.
You could make a Subject Access Request under the Data Protection Act 2018 to the old supplier asking for all personal data and ask specifically about the SMSO who collected your personal data on the suppliers behalf and ask when they last received data from that meter. It is entirely possible the old supplier is still collecting the data.
If that gets you nowhere, you could try the ICO.
I can’t really as I don’t have a Smart Meter