Data security
24. Member States should ensure that personal data security is designed in at an early stage as part of the architecture of the network, within a data protection by design process. This should encompass measures to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination, access to or alteration of personal data.
25. The use of encrypted channels is recommended as it is one of the most effective technical means against misuse.
26. Member States should take into account that all present and future components of smart grids ensure compliance with all the ‘security-relevant’ standards developed by European standardisation organisations, including the smart grid information security essential requirements in the Commission’s standardisation mandate M/490. The international security standards should also be taken into account, in particular the ISO/IEC 27000 series (‘ISMS family of standards’).
27. Member States should ensure that network operators identify security risks and the appropriate security measures to guarantee the adequate level of security and resilience of the smart metering systems. In this regard, network operators, in cooperation with national competent authorities and civil society organisations, should apply existing standards, guidelines and schemes and, where these are not available, develop new ones. Relevant guidelines published by the European Network and Information Security Agency (ENISA) should also be taken into account.
28. Member States should ensure that, in accordance with Article 4 of Directive 2002/58/EC, in the event of a personal data breach the controller notifies without undue delay (preferably not later than 24 hours after the breach has been established) the supervisory authority and the data subject, if the breach is likely to have an adverse effect on the protection of his or her personal data.
Information and transparency on smart metering
29. Without prejudice to the obligations of data controllers in accordance with Directive 95/46/EC, Member States should require that network operators develop and publish an accurate and clear information policy for each of their applications. The policy should include at least the items mentioned in Articles 10 and 11 of Directive 95/46/EC.
Where personal data relating to a data subject are collected, the controller should also provide the data subject with at least the following information:
(a) the identity and the contact details of the controller and of the controller’s representative and of the data protection officer, if any;
(b) the purposes of the processing for which the personal data are intended, including the terms and general conditions and the legitimate interests pursued by the controller if the processing is based on Article 7 of Directive 95/46/EC;
(c) the period for which the personal data will be stored;
(d) the right to ask the controller for access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;
(e) the right to lodge a complaint with the supervisory authority referred to in Article 28 of Directive 95/46/EC and the contact details of the supervisory authority;
(f) the recipients or categories of recipients of the personal data;
(g) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
II. METHODOLOGY FOR THE ECONOMIC ASSESSMENT OF THE LONG-TERM COSTS AND BENEFITS FOR THE ROLL-OUT OF SMART METERING SYSTEMS
30.