Customers: Data and IT security

Ensure data security, and protect customer privacy by creating, collecting, managing, storing, retrieving and disposing of data safely and with integrity.

FY19 target

Reportable¹ privacy incidents: 0

Notifiable data breaches realised by a material risk² relating to cyber security, data governance, or failure of internal controls: 0

As access to customer data, and data security more generally, take on increasing importance in our community, they have become the subject of particular focus at AGL.

AGL strongly supports consumers having greater access to and control over data that directly relates to them. We consider that a well-designed regulatory regime should facilitate this access and control to allow customers to seek value from their data, while also preserving incentives for efficient investment and innovation in data from businesses, and fostering trust from the community in data use and privacy.

We believe that our customers should be provided with easy access to their own consumption data, and should retain direct control over who is permitted access to their data (other than regulated entities for market settlement and other regulated purposes). We also believe that the ability to harness insights from customers' data drives product and service innovation, which is in customers’ best interests. For example, see discussion of our innovative Energy Insights product in the Product innovation section.

Strengthened privacy protections

FY18 saw changes to the Privacy Act 1988 (Privacy Act) that introduced a new Mandatory Data Breach Reporting regime that took effect in February 2018. The changes replaced the voluntary notification system that previously existed, instead creating an obligation upon AGL (and other relevant entities) to notify the Office of the Australian Information Commissioner about any eligible data breach (as defined in the Privacy Act) that is likely to result in serious harm to the individuals affected by the breach.

AGL prioritises the appropriate treatment of customer data and information within the terms of the Privacy Act, and has set a target for FY19 that it will not have any reportable privacy incidents.

To date, we have had no notifiable breaches under the new Mandatory Data Breach Reporting regime. We have also demonstrated our focus on this area in FY18 with the appointment of a full-time Privacy Officer, reflecting our recognition of increasing community expectations about privacy protections.

Customer data and transparency

AGL has publicly articulated its views in this context, including advocating for a number of clear principles as they relate to open access to data, through the public submission processes associated with the Federal Government’s Review into Open Banking in Australia and the Productivity Commission’s report on its Inquiry into Data Availability and Use.

This followed on from the formalisation of our Data Principles in FY17, which drove our focus and policy development in this area. These Principles articulate our approach to dealing with customers’ data:

  • AGL is committed to managing customer data³ lawfully and responsibly, and to protecting it from unauthorised access.
  • AGL will provide customers (and their authorised representatives) easy access to their energy consumption data.
  • AGL will continue to develop products and services that enable customers to ‘make sense’ of their energy consumption data and better monitor and manage their energy use.
  • AGL will use customer insights obtained from data to create innovative products and services for customers that will enhance the customer experience.
  • AGL operates as a custodian of customer data and will ensure that customers retain control over who else is permitted access to that data (other than regulated entities for market settlement and other regulated purposes).
  • AGL is committed to responsibly engaging with all our stakeholders (customers, investors, communities, policy-makers and employees) to ensure that our business, and the broader energy industry, continue to collect, use and protect customer data in a manner that is consistent with community expectations, and is in the best interests of customers.
  • Any data access rule change should impose minimum obligations for data provision that include format standardisation and data portability, but should not limit innovation or come at a cost to customers that does not realise sufficient benefits.

Further information including about how we comply with our legislative requirements can be found in the AGL Privacy Policy, and the Strong and ethical governance section of this report.

Data security and governance at AGL

We operate within a sophisticated data security framework and have implemented processes and protections to ensure data breach prevention. In particular, AGL’s Cybersecurity Framework follows a risk-based approach for managing cybersecurity risks for critical infrastructure, which allows us to consider cybersecurity risk as a priority similar to financial, safety and operational risk, while factoring in larger systemic risks inherent in the context of critical infrastructure. The framework we have adopted enables the identification and appropriate treatment of high priority cybersecurity issues such as:

  • appropriately valuing our data for both AGL and our customers, which then determines the best way to protect it
  • managing access to AGL data, internally and externally, in order to ensure that access is limited to those parties who appropriately value data security
  • providing guidance to people on the most appropriate ways to access their data
  • identifying the most secure forms of data storage, and
  • ensuring that AGL data is being continuously protected.

AGL’s strict data security protocols operated successfully following a data security incident that impacted the data of one of our software suppliers, PageUp People, which AGL used to support our recruitment and employee career development processes. Following notification of the incident, AGL temporarily disabled access to our careers website, in order to minimise the impact of the incident on AGL’s systems and data held by AGL. We were one of a number of companies and organisations that used PageUp People. AGL conducted a collaborative investigation of the incident, and a comprehensive assessment of its impact on AGL and its data. It revealed that the incident may have affected data relating to AGL’s people and prospective employees, but not AGL’s customers. AGL takes these matters very seriously, and protecting the data in our systems is of high priority.

Related information

  1. 'Reportable incidents' as defined by the Office of the Australian Information Commissioner.
  2. A 'material risk' as defined by the AGL Risk Framework.
  3. Customer data means: (a) Personal Information of any AGL customer within the meaning of the Privacy Act; (b) metering data within the meaning of the National Electricity Rules collected from, or generated by, an electricity consumption meter.