Collaborate to Protect Data, Safeguard Privacy

This piece was originally published in the April 2018 issue of electroindustry.

Witold Bik, Vice President of Advanced Development, S&C Electric Company. Mr. Bik has more than 25 years of experience in distribution automation, smart grid technologies, and communications.

The use, ownership, and privacy of equipment data are the subject of debate, particularly in highly regulated industries.

Responsibilities, beliefs, and practices are highly varied as customers determine whether and how evolving regulations apply to their manufacturing suppliers. This situation can impair collaboration, complicate contracting, and increase costs. Manufacturers with effective data policies, practices, and guidelines will foster effective relationships with their customers and enable those customers to meet their own regulatory and end-customer commitments.

In the ongoing digitization of the world, electromechanical equipment is being rapidly displaced by microprocessor-based, communicating intelligent devices that offer new functionality and generate substantial amounts of data and telemetry. It is becoming more obvious that such data have significant value to various stakeholders, and that leads to a question of ownership.

Ownership of equipment data has been highly debated, but we believe data generated by equipment owned and operated by a customer is owned by that customer. That said, there are notable limitations to ownership.

First, ownership is not a free license to decompile or reverse-engineer equipment, extract source code, or download proprietary information. Second, the data owned by the customer is limited to what we refer to as “published” data, which represent available data officially described and made accessible by means of manufacturer-provided (published) interfaces.

The customer may use the published data under the terms and limitations of contractual agreements and software licenses. In addition to published data, most devices generate and store data not made accessible to the customer, which we call “unpublished” data.

As an example, unpublished data may include diagnostics codes, internally computed values, or simply data not visible through the software version or software module licensed to the customer. In this case, the customer is not free to reverse-engineer the product to access and/or share the unpublished data without specific permission from the supplier. Together, the published and unpublished data represent great value to both the customer and the supplier.

Data and the resulting information are valuable not only to customers and suppliers but also to third parties (e.g., consultants and other manufacturers), and each party is interested in getting access to data.

Suppliers can utilize these data to improve products, identify product-performance trends, and offer services to customers to complement their products. Customers can use the data for operational information, operational efficiency improvement, and calculations of long-term benefits. Consultants and other manufacturers can create new products and offer add-on services that further enhance the value of the product. It is imperative that the customer and the supplier collaborate to maximize the value from all available data.

Negotiating Access and Security

For suppliers to provide support and value-added services, customers must grant them access to equipment data. Unlike consumer electronics—where device data are frequently collected through direct access to the installed applications—gathering industrial data is often more complicated because of restrictions driven by limited access and security concerns. Many modern devices already have built-in communication/networking capabilities that provide remote access to collect data. Instead of expecting customers to create their own tools, leading suppliers provide optional, effective software and data-collection systems to acquire, store, secure, and share equipment data.

Besides offering their customers tools for data collection, suppliers can also obtain access to data by providing services that may include consulting, product support, commissioning, software support, remote monitoring, return-product support, and software- and data-hosting.

Data access raises privacy and confidentiality concerns for customers and suppliers, so both must develop adequate policies to ensure the data are handled properly.

Customers must make sure access to device data is controlled and secure, and that data collection is performed in accordance with applicable software-license and supply agreements. In many cases, customers providing services to their own group of customers must follow their own existing privacy policies to ensure any personally identifiable customer data are protected and remain confidential. Disclosure of such data to third parties must meet the requirements of a customer’s internal policies—and when it comes to unpublished data, it must also comply with the manufacturers’ software-license and supply agreements.

What data can be shared with third parties can be debated, and while there are diverse views on the topic, no clear standards exist that address all concerns of both parties. It is best that both the customer and the manufacturer agree to limitations of such data transfer or disclosure.

One of the most important things for equipment manufacturers is to develop effective systems and internal practices and publish their data policies. Manufacturers should define specifically how they will use data and reference these policies in supply agreements.

For example, a policy could state that data provided by customers to suppliers are to be used only to

  • provide support, design, monitoring, or engineering services to the customer; or
  • support product improvement, safety, or research.

Moreover, the policy could state that no data can be shared with third parties without prior customer authorization. Manufacturers also should develop safeguards to maintain data integrity and to protect the information from improper exposure. They should make sure data are properly stored in a secure location, with access limited to authorized users. Data identified by customers as private or sensitive should be anonymized before the information is analyzed or shared.

Unlike consumer electronics users, who do not have time to review lengthy agreements or simply do not care to, industrial customers are more sophisticated users who often require elaborate arrangements and agreements. Given the potential risk and exposure, industrial applications are more likely to demand more complex, customized agreements and internal policies.

In highly regulated industries, there may be a natural tendency to propose a boilerplate data agreement irrespective of scope and to impose end-customer data regulations on manufacturers. Situations where the customer becomes highly prescriptive regarding a manufacturer’s internal data-handling policies should be avoided.

It would be exceedingly expensive for a manufacturer to apply unique and custom data policies for each customer. A well-stated, thoughtful data policy will provide manufacturers with an opportunity to offer an alternative to a customer-imposed boilerplate policy and will help in negotiations in response to overly restrictive terms that would be counterproductive to potential benefits.

In conclusion, customers and manufacturers will both benefit from increased data collaboration. The best approach for manufacturers is to transition from debating data ownership to developing and providing effective data policies and practices.
